Introduction to Information Security Review 4: Chapter 8, 9, 10

Published 2022-05-25 03:02 · 3759 characters · 19 min read


cos

FE / ACG / handicrafts / dark-mode obsessive / INFP / homebody with wide-ranging interests who keeps two cats / remote

This article systematically summarizes the core content of wireless LAN security, network security technology, and information hiding technology. It focuses on WLAN security mechanisms, including the limitations of WEP and China's WAPI (an authentication and encryption system based on elliptic curve cryptography and digital certificates); explains the basic principles and applications of network scanning, firewalls (packet filtering, application proxy, stateful inspection), intrusion detection systems (IDS), and honeypot technology; and finally introduces the working principles of information hiding and digital watermarking technology and their practical applications.

This article has been machine-translated from Chinese. The translation may contain inaccuracies or awkward phrasing. If in doubt, please refer to the original Chinese version.

This review covers: Chapter-8: Wireless LAN Security (focus on WAPI)

Chapter-9: Network Security Technology (focus on network scanning, firewalls, IDS, and honeypot fundamentals)

Chapter-10: Information Hiding and Digital Watermarking Technology (focus on digital watermarking)

Content Overview

Chapter-8: Wireless LAN Security

This chapter introduces the security threats and security requirements of wireless LANs (WLANs), and the mechanisms for implementing WLAN security protection.

  • WLAN and its security requirements
  • Wired Equivalent Privacy protocol WEP
  • WLAN Authentication and Privacy Infrastructure WAPI

Chapter-9: Network Security Technology

This chapter mainly covers security prevention technologies in network environments.

  • Common network security technologies and methods
  • Role and implementation of network scanning technology
  • Role and working mechanism of network firewalls
  • Intrusion detection: IDS and honeypot fundamentals

Chapter-10: Information Hiding and Digital Watermarking Technology

This chapter mainly covers information hiding technology and digital watermarking technology, introducing related concepts, applications, and implementation methods.

  • Working principles and implementation methods of information hiding
  • Applications and implementation methods of digital watermarking

Wireless LAN Security

WLAN and Its Security Requirements

WLAN = Wireless Local Area Network

  • Basic characteristics of WLAN
    • Uses radio frequency wireless signals for transmission; communication links are open
    • Susceptible to eavesdropping and attacks; network security issues are prominent.
  • WLAN technical specifications
    • IEEE802.11 series standards: Physical layer, data link layer
      • IEEE802.11 defines WEP (Wired Equivalent Privacy)
    • IEEE802.11i: WLAN security protection specification, published in 2004
  • WLAN operating modes
    • Ad Hoc mode: Wireless network terminals (STA) communicate point-to-point, self-organizing to build wireless communication networks
    • Infrastructure mode: Wireless network terminals communicate with each other through Access Points (AP), and connect to wired networks
  • WLAN security issues
    • Access control: Only legitimate entities should be able to access the WLAN and related resources
    • Link secure communication: Wireless link communication should ensure data confidentiality, integrity, and data source authentication
  • WLAN security mechanisms
    • Entity authentication, link encryption, integrity protection, data source authentication...
  • WLAN security protection methods classification
    • Non-cryptographic access control mechanisms
    • Cryptography-based security mechanisms

Examples of Non-Cryptographic Access Control Mechanisms

  • Service Set Identifier (SSID) authentication
    • Each AP has an SSID, which can serve as a shared network domain identification code for a group of WLAN subsystem devices
  • Address filtering mechanism
    • Such as MAC address filtering mechanism, configuring MAC address Access Control Lists (ACL)
  • Directional antenna or transmission power control

WLAN security based on shared keys relies on WEP, described below.

Wired Equivalent Privacy Protocol WEP

WEP Overview

Wired Equivalent Privacy WEP

  • Attempts to provide data confidentiality equivalent to wired networks
  • Uses the stream cipher algorithm RC4, implementing entity authentication and confidential data communication based on shared keys

WEP defines two authentication mechanisms:

  • Open System Authentication: Effectively null authentication
  • Shared Key Authentication: Implements a shared-key-based challenge-response handshake protocol.

WEP Security

  • As a stream cipher, RC4's security level depends on the randomness of the key stream
    • The randomness of the stream cipher key stream is not very high, posing certain security risks
  • The 802.11 frame format also easily leaks information about specific bytes of the key.

RSN skipped...

WLAN Authentication and Privacy Infrastructure WAPI

GB15629.11 defines the WLAN Authentication and Privacy Infrastructure WAPI, consisting of two parts:

  • WAI (WLAN Authentication Infrastructure)
  • WPI (WLAN Privacy Infrastructure)

WAPI uses Elliptic Curve Cryptography (ECC) public key algorithms for authenticating WLAN entities, and the commercial symmetric cipher algorithms designated by the national cryptography administration for encrypting transmitted data.

WAI

WAI uses public key cryptography, redefining the digital certificate structure to bind entity identity with public keys, implementing inter-entity authentication and key agreement. The certificate format is incompatible with X.509.

Network Security Technology

Common Network Security Technologies and Methods

Due to the existence of networks, attackers can more easily illegally intrude into others' network and computer systems, illegally access network resources, and illegally steal data from terminal systems.

Internal networks, external networks, and security boundaries:

  • Networks are typically divided into internal networks and external networks (also called public networks, such as the Internet)
  • Connection devices between internal and external networks (routers) become security boundaries
  • Monitoring security boundaries is an important part of network security

Building a network security defense system, in addition to necessary personnel, rules, mechanisms, and management assurance, also depends on various network security technologies:

  • Scanning technology: Discovering internal network security weaknesses for improved protection
  • Firewall technology: At the junction of internal and external networks, blocking external access to internal networks and limiting internal access to external networks
  • Intrusion detection systems: Detecting abnormal external intrusion behavior into the internal network, alerting and preventing further spread of intrusion behavior and impact
  • Network gap isolation technology: Secure data exchange between two physically isolated networks

Role and Implementation of Network Scanning Technology

How to detect network topology and security weaknesses in network systems? This requires network scanning technology.

Network scanning technology aims to discover whether devices and systems in the network have security vulnerabilities. Typical network scanning includes host scanning and port scanning.

Host scanning:

  • Purpose: To determine whether hosts on the target network are reachable
  • Common scanning methods include ICMP Echo scanning, Broadcast ICMP scanning, etc.
  • Firewalls and network filtering devices often render traditional detection methods ineffective
    • To get around this limitation, attackers typically exploit the error-message mechanism of the ICMP protocol: sending packets with abnormal IP headers, invalid IP header field values, or incorrect fragmentation, and detecting internal routers with oversized packets and reverse-mapping probes

Port scanning:

  • Purpose: To discover open ports on the target host, including network protocols and ports that various applications listen on
  • Port scanning techniques include open scanning, stealth scanning, and half-open scanning.
  • Typical port scanning methods (for reference only):
    • TCP Connect scanning and TCP reverse ident scanning
    • TCP Xmas and TCP Null scanning (two variants of FIN scanning), and TCP FTP proxy scanning
    • Fragment scanning: splitting the probe packet into two smaller IP fragments
    • TCP SYN scanning and TCP indirect scanning (two types of half-open scanning)

Role and Working Mechanism of Network Firewalls

How to isolate internal and external networks? This requires network firewalls!

A network firewall is a security gateway established between the internal network (Intranet) and external network (Extranet).

Firewall Concepts and Functions

  • All network data traffic between internal and external networks must pass through the firewall
  • Only data flows that comply with security policies are allowed through the firewall
  • The firewall itself should have very strong attack immunity

Firewall functions:

  • Firewalls are barriers for network security
  • Firewalls can enforce network security policies
  • Monitor and audit network access
  • Prevent internal information leakage
  • Integrate other network application functions, such as VPN, NAT, etc.

Firewall Working Principles

Packet Filtering Technology

  • Packet filtering firewalls work at the network layer of the OSI architecture
  • Inspect the header, protocol, address, port, type, and other information of each IP packet passing through the firewall, matching them against predefined firewall filtering rules
  • Once one or more fields of a packet match a filtering rule whose condition is "block", the packet is dropped
  • From "static packet filtering" to "dynamic packet filtering"
  • Packet filtering firewalls typically check the following fields of passing packets:
    • Source IP address and destination IP address
    • TCP, UDP, ICMP and other protocol types
    • Source TCP port and destination TCP port
    • Source UDP port and destination UDP port
    • ICMP message types
    • Output packet network interface
  • Packet filtering rule matching results fall into three cases:
    • If a packet matches a deny forwarding rule, the packet is prohibited from passing
    • If a packet matches an allow forwarding rule, the packet is allowed to pass
    • If a packet does not match any rule, the packet is prohibited from passing; this follows the principle of "everything not explicitly permitted is prohibited"
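The three matching cases above (explicit deny, explicit allow, no match at all) as a small rule engine. This is an added example, not code from the original post; the rule set, addresses and interface names are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects (constructed, not a real parser)."""
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IP address
    dst: str                        # destination IP address
    sport: Optional[int] = None     # TCP/UDP source port
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP message type
    out_iface: str = "eth1"         # output network interface


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "any"                # "any", an address, or a CIDR such as 10.0.0.0/24
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    out_iface: str = "any"


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it constrains agrees with the packet."""
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and _addr_match(rule.src, pkt.src)
        and _addr_match(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
        and (rule.out_iface == "any" or rule.out_iface == pkt.out_iface)
    )


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides. A packet that matches no rule is denied:
    "everything not explicitly permitted is prohibited"."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {index}"
    return "deny", "default policy"


# Constructed rule set for an internal network 10.0.0.0/24 (inside interface eth1,
# outside interface eth0). Order matters: the first match wins.
RULES = [
    Rule("deny", proto="icmp", dst="10.0.0.0/24", icmp_type=8),       # no inbound echo requests
    Rule("allow", proto="tcp", dst="10.0.0.10", dport=80),            # public web server
    Rule("allow", proto="udp", dst="10.0.0.53", dport=53),            # public DNS server
    Rule("allow", proto="tcp", src="10.0.0.0/24", out_iface="eth0"),  # internal hosts may go out
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", "10.0.0.10", sport=40000, dport=80),
        Packet("icmp", "203.0.113.5", "10.0.0.10", icmp_type=8),
        Packet("tcp", "203.0.113.5", "10.0.0.10", sport=40001, dport=22),   # no rule: denied
        Packet("tcp", "10.0.0.20", "198.51.100.1", dport=443, out_iface="eth0"),
    ]
    for pkt in samples:
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, filter_packet(RULES, pkt))
```

Note that an inbound ICMP echo reply (type 0) is also denied by default because nothing allows it: a static packet filter has no notion of which replies belong to a connection the inside initiated, which is the gap the stateful inspection section below addresses.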

Application Proxy Technology

  • Firewalls with Application Protocol Analysis capability
  • "Application Protocol Analysis" technology works at the highest layer of the OSI model -- the application layer, where the firewall can see the final form of application data, enabling higher-level and more comprehensive data inspection
  • Uses a proxy mechanism: all communication between internal and external networks must first be reviewed by the proxy server, and the two sides cannot establish a session directly, which prevents attackers from using "data-driven" network attacks
  • The proxy mechanism limits firewall performance to some extent

Stateful Inspection Technology

Stateful Inspection

  • A firewall technology developed on the basis of dynamic packet filtering technology
  • Can monitor all layers of network communication and make decisions based on various filtering rules
  • Stateful inspection technology, in addition to supporting analysis of each packet's header, protocol, address, port, type, and other information, further develops "Session Filtering" functionality
  • When each connection is established, the firewall constructs a session state for that connection, containing all information about the connection's packets
  • Subsequently analyzes and monitors the content of each packet based on connection state information
  • Stateful inspection technology combines packet filtering and application proxy technologies, is more complex to implement, and consumes more resources

Intrusion Detection: IDS and Honeypot Fundamentals

How to detect illegal network intrusion behavior? IDS!

  • Intrusion detection: Collecting and analyzing information at several key points in computer networks or systems, checking whether there are behaviors violating security policies and signs of being attacked in the network or system
  • The combination of software and hardware implementing this function constitutes an Intrusion Detection System (IDS)
  • Such systems are divided into IDS and IPS (Intrusion Prevention System)

Classification of intrusion detection systems:

  • Host-based IDS: Software installed on servers or PCs, monitoring network information flow arriving at the host
  • Network-based IDS: Generally configured at network entry points (routers) or network core switching points (core switching routers), monitoring information flow on the network through bypass technology

Main Functions and Components of IDS

Main functions of intrusion detection systems:

  • Monitor, record, and analyze user and system activities
  • Audit system configuration and vulnerabilities
  • Assess the integrity of critical system resources and data files
  • Identify known attack behaviors
  • Statistical analysis of abnormal behaviors
  • Manage operating system logs, identifying user activities that violate security policies

The data that an IDS needs to analyze are called events. Events can be data packets in the network or information obtained from system logs and other sources.

IDS generally includes the following components:

  • Event generators
  • Event analyzers
  • Response units
  • Event databases

Basic Principles of Network IDS and Host IDS

Network IDS is a monitoring device on the network that monitors packets transmitted over the network, analyzes packets according to protocols, and reports potentially existing intrusions or illegal user information on the network. It can also automatically respond to intrusion behaviors.

Network IDS working principles: Classification by event analysis method

  • Knowledge-based data pattern matching:
    • Analyze and build data models of the working methods of illegal users (intruders) on the network
    • During real-time network traffic detection, compare data read from the network against data models; successful matches trigger event reports.
  • Behavior-based pattern matching:
    • Statistical behavior determination: Based on events from pattern matching above, during post-hoc statistical analysis, determine illegal behaviors based on known illegal behavior rules.
    • Anomaly behavior determination: Based on various information collected during normal times, derive normal network behavior criteria. When events violating these criteria occur, report illegal behavior events.
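The three event-analysis methods above (knowledge-based signature matching, statistical determination over the resulting alerts, and anomaly determination against a learned baseline) run over constructed connection events. This is an added example, not code from the original post; the events, signatures and thresholds are all constructed for illustration:

```python
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Event = (source IP, destination IP, destination port, first bytes of payload).
Event = Tuple[str, str, int, bytes]

# Constructed "normal period" traffic, used to learn the behaviour baseline.
NORMAL_EVENTS: List[Event] = [
    ("10.0.0.5", "10.0.0.10", 80, b"GET /index.html"),
    ("10.0.0.5", "10.0.0.10", 443, b""),
    ("10.0.0.6", "10.0.0.10", 80, b"GET /about.html"),
    ("10.0.0.7", "10.0.0.10", 80, b"GET /news"),
    ("10.0.0.7", "10.0.0.53", 53, b""),
    ("10.0.0.8", "10.0.0.10", 443, b""),
]

# Constructed traffic under observation.
OBSERVED_EVENTS: List[Event] = [
    ("10.0.0.5", "10.0.0.10", 80, b"GET /index.html"),
    ("203.0.113.7", "10.0.0.10", 80, b"GET /static/../../config.ini"),
    ("203.0.113.7", "10.0.0.10", 80, b"GET /login?user=admin' or '1'='1"),
    ("203.0.113.7", "10.0.0.10", 80, b"GET /img/../../../secrets"),
    ("198.51.100.9", "10.0.0.10", 22, b""),
    ("198.51.100.9", "10.0.0.10", 23, b""),
    ("198.51.100.9", "10.0.0.10", 80, b""),
    ("198.51.100.9", "10.0.0.10", 443, b""),
    ("198.51.100.9", "10.0.0.10", 3306, b""),
    ("198.51.100.9", "10.0.0.10", 8080, b""),
]

# Knowledge base: data models of known illegal behaviour (constructed signatures).
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("sql-tautology", re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
]


def signature_alerts(events: List[Event]) -> List[Tuple[str, str]]:
    """Knowledge-based matching: every event is compared against every signature;
    each successful match produces an event report (source, signature name)."""
    alerts = []
    for src, _dst, _port, payload in events:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def statistical_verdicts(alerts: List[Tuple[str, str]], min_hits: int = 3) -> Dict[str, str]:
    """Statistical behaviour determination: a post-hoc rule over the signature
    alerts. Here the rule is "min_hits or more alerts from one source"."""
    hits = Counter(src for src, _name in alerts)
    return {src: "repeated signature hits" for src, n in hits.items() if n >= min_hits}


def learn_port_threshold(normal: List[Event]) -> float:
    """Anomaly baseline: how many distinct destination ports a single source
    contacts during normal operation; threshold = mean + 3 standard deviations."""
    ports = defaultdict(set)
    for src, _dst, port, _payload in normal:
        ports[src].add(port)
    counts = [len(p) for p in ports.values()]
    return statistics.mean(counts) + 3 * statistics.pstdev(counts)


def anomaly_alerts(events: List[Event], threshold: float) -> Dict[str, int]:
    """Anomaly behaviour determination: sources whose distinct-port count
    exceeds the learned criterion are reported, with the count."""
    ports = defaultdict(set)
    for src, _dst, port, _payload in events:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items() if len(p) > threshold}


if __name__ == "__main__":
    alerts = signature_alerts(OBSERVED_EVENTS)
    print("signature alerts:", alerts)
    print("statistical verdicts:", statistical_verdicts(alerts))
    threshold = learn_port_threshold(NORMAL_EVENTS)
    print("anomalies (threshold %.1f ports):" % threshold, anomaly_alerts(OBSERVED_EVENTS, threshold))
```

The anomaly path catches the port-sweeping source although it matches no signature, while the signature path catches the web probes that contact only one port; the page's point is that the two methods are complementary.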

Host IDS basic principle: Collect information from the host using system logs, application logs, and other data sources (which can also include resources such as the network, files, and processes), and analyze it. By querying and monitoring the usage and operational status of the system's various resources, discover events in which system resources are used or modified illegally, then report and handle them.

Honeypot Technology

How to more effectively detect illegal network intrusion behavior? Through honeypot technology.

Honeypot technology, as the name suggests, can be seen as a luring technology aimed at discovering malicious attacks and intrusions.

The idea is to set up a system that is "expected to be probed, attacked, and even compromised", simulating a normal computer system or network environment, to lure attackers into the honeypot. This makes it possible to discover and even locate intruders, learn their attack patterns, methods, and techniques, and thereby find configuration defects and vulnerabilities, improve security configuration management, and eliminate security risks.

By level of interaction, honeypots can be classified into high-interaction honeypots and low-interaction honeypots. By system carrier, they can be classified into physical honeypots and virtual honeypots.

High-Interaction Honeypots

A high-interaction honeypot is a regular computer system, such as a standard computer, router, etc.

  • High-interaction honeypots are actually systems configured with real operating systems and services, providing attackers with a real system to interact with
  • These systems have no regular tasks in the network and no fixed active users
  • Only normal daemon processes or services run on the system; there should be no abnormal processes, and no network traffic is generated

High-interaction honeypots can be fully compromised. They run real operating systems that may contain all known and unknown security vulnerabilities. Attackers interact with real systems and real services, enabling us to capture extensive threat information.

When attackers gain unauthorized access to the honeypot, we can capture their exploitation of vulnerabilities, monitor their operations, find their tools, and understand their motivations.

Even if attackers use unknown vulnerabilities that we don't yet know about, by analyzing their intrusion process and behavior, we can discover the methods and techniques they use -- the so-called discovery of "zero-day attacks".

Low-Interaction Honeypots

Low-interaction honeypots use specific software tools to simulate part of the functionality of operating systems, network stacks, or certain specialized applications, such as providing a network stack, TCP connections, and simulated HTTP services.

  • Low-interaction honeypots allow attackers to interact with the target system in a limited way, enabling administrators to understand key quantitative information about attacks
  • Advantages: Simple, easy to install, and easy to maintain -- only requires installing and configuring one software tool
  • Typical low-interaction honeypot software tools include Tiny Honeypot, Honeyd, Nepenthes, as well as GHH (Google Hack Honeypot) and PHP.HoP for web deception
  • Since low-interaction honeypots only provide attackers with a simulated interaction system, this system will not be fully compromised. Therefore, low-interaction honeypots construct a controllable environment with limited risk.
  • Since honeypots have no production value, any attempt to connect to a honeypot is considered suspicious

Physical Honeypots and Virtual Honeypots

Physical honeypots run on a physical computer.

  • Physical honeypots typically imply high interaction, allowing the system to be fully compromised
  • Physical honeypots are expensive to install and maintain. Deploying a physical honeypot for each idle IP address (idle meaning used for monitoring intrusions) is impractical.

Virtual honeypots deploy multiple virtual machines as honeypots on a single physical computer.

  • Can be low-interaction or high-interaction honeypots
  • Virtual honeypots require fewer resources, are lower cost, and easier to maintain
  • Typically use virtual machine software such as VMware, Virtual PC.

Information Hiding and Digital Watermarking Technology

Working Principles and Implementation Methods of Information Hiding

Cryptographic technology is essentially a data transformation that converts data from one encoding to another, with the transformation process controlled by keys.

Information hiding technology:

  • Utilizes the redundant portions with random characteristics in specific carriers, embedding particularly meaningful or important information to conceal its existence
  • The embedded secret information is called hidden information, and the carrier with embedded secret information is called the hiding carrier
  • Information hiding and "Steganography"

Basic Characteristics of Information Hiding

  • Concealment: Also called transparency or invisibility. After secret information is embedded in a specific carrier, the external characteristics of the hiding carrier are not significantly changed, and the quality of the embedded information is not degraded.
  • Undetectability: The carrier with embedded secret information has consistent characteristics with the original carrier.
  • Robustness: The hidden information is not lost due to certain modifications of the hiding carrier (such as images).
    • "Modifications" include general signal processing during transmission (filtering, enhancement, resampling, lossy compression, etc.), general geometric transformations (translation, rotation, scaling, segmentation, etc.), and malicious attacks
  • Self-recovery: After certain operations and transformations, the hiding carrier may suffer significant damage. If only partial data remains, the characteristic of being able to recover hidden information without the original host signal is called self-recovery.
  • Security: The hiding algorithm has strong attack resistance capability. The hiding algorithm must be able to withstand a certain degree of deliberate attacks to ensure that hidden information is not compromised.

Basic Methods of Information Hiding

Methods for embedding information in images are generally divided into spatial (or time) domain substitution methods and transform domain methods.

Spatial Domain Substitution Method

Spatial domain substitution methods replace the redundant portions of the carrier information with hidden information.

  • A simple substitution method replaces the Least Significant Bit (LSB) of the carrier, converting secret data into a 0/1 bit stream, then hiding it in the least significant bits of the image's spatial domain data.
  • For example, changing a grayscale image pixel's grayscale value from 190 to 191 is imperceptible to the human eye.
  • The information embedding process involves selecting a subset of carrier elements (e.g., each element representing a pixel's grayscale value), then performing substitution operations on the subset -- replacing the least significant bit of subset elements with hidden information bits. The extraction process directly extracts the corresponding bits from the hiding carrier set elements.

Characteristics:

  • Good hiding effect, and blind extraction is possible.
  • Poor robustness: Easily loses secret data due to image compression, cropping, and other image processing
  • Low security: The parts of the image with embedded information and those without have different statistical properties, making them vulnerable to attacks
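The LSB substitution method described above (embedding, blind extraction, and the poor robustness noted in the characteristics list) on a constructed grayscale image. This is an added example, not code from the original post; the cover pixels and the length-prefix framing are my own constructions:

```python
from typing import Iterator, List, Optional

# Constructed 8x8 grayscale cover image, stored as a flat list of pixel values
# (each element is one pixel's grayscale value, as in the text).
COVER: List[int] = [180 + (i * 7) % 20 for i in range(64)]


def _bits(data: bytes) -> Iterator[int]:
    """Turn secret bytes into a 0/1 bit stream, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: List[int], secret: bytes) -> List[int]:
    """Replace the least significant bit of successive pixels with secret bits.
    A 16-bit big-endian length prefix (my framing choice) lets extraction
    know how many bytes to read back."""
    if len(secret) > 0xFFFF:
        raise ValueError("secret too long for 16-bit length prefix")
    payload = len(secret).to_bytes(2, "big") + secret
    bits = list(_bits(payload))
    if len(bits) > len(cover):
        raise ValueError("cover too small: %d bits needed, %d pixels" % (len(bits), len(cover)))
    stego = list(cover)
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & ~1) | bit   # e.g. 190 -> 191 when bit is 1
    return stego


def extract_lsb(stego: List[int]) -> Optional[bytes]:
    """Blind extraction: read the LSBs back without the original cover.
    Returns None if the length prefix does not fit the image."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 2), "big")
    if 16 + 8 * length > len(stego):
        return None
    return read_bytes(16, length)


def max_pixel_change(cover: List[int], stego: List[int]) -> int:
    """Largest per-pixel difference introduced by embedding (at most 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def strip_lsbs(pixels: List[int]) -> List[int]:
    """Simulates a lossy processing step that discards the LSB plane, the kind
    of modification (compression, re-quantisation) that destroys LSB data."""
    return [p & ~1 for p in pixels]


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"OK")
    print("recovered:", extract_lsb(stego))                    # b'OK'
    print("max pixel change:", max_pixel_change(COVER, stego))  # 1
    print("after LSB loss:", extract_lsb(strip_lsbs(stego)))   # not b'OK'
```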

Transform Domain Technique

Using transform domain techniques, information can be hidden in significant regions of carrier images.

  • In steganographic ("camouflage") systems, embedding information in the frequency domain of a signal is more robust than embedding in the spatial domain, providing better resistance to attacks such as compression, cropping, and some image processing.
  • Typical transform methods include using Discrete Cosine Transform (DCT), wavelet transforms, and other methods to embed information in images. Transforms can be applied to the entire image or on a block-by-block basis.
  • There is, however, a trade-off between the amount of information that can be hidden in an image and the robustness that can be achieved.

Applications and Implementation Methods of Digital Watermarking

Digital products have the characteristics of being easy to modify, easy to copy, and easy to steal. Digital intellectual property protection has become an urgent practical problem in network-based digital product applications.

Basic Concepts of Digital Watermarking

  • A Digital Watermark is a digital signal embedded in digital products that is invisible and difficult to remove. It can be images, symbols, numbers, or any information that can serve as identification and marking.
  • Its purposes include copyright protection, ownership verification, fingerprinting (tracking distribution of multiple copies), and integrity protection.
  • Copyright protection digital watermarks contain the source of the digital product and copyright owner identification, providing proof of copyright.

Basic Characteristics of Digital Watermarking

  • Robustness: After the media with embedded digital watermark is subjected to unintentional damage or deliberate attack, the digital watermark information can still be extracted
    • For example, watermarks added to images must be able to withstand transformation operations applied to the image without being lost; watermark information should be clearly identifiable after extraction and verification
  • Invisibility (Transparency): Digital watermarks do not affect the subjective quality of the host media
    • For example, images with embedded watermarks should not have reduced visual quality; it should be difficult to distinguish differences when compared with the original image
  • Security: Digital watermarks should be able to resist various attacks and must be able to uniquely identify information related to the original image; no third party should be able to forge another's watermark information

Digital Watermark Classification

Based on whether the original host is required during the watermark extraction process, watermarks can be classified as secret watermarks, semi-secret watermarks, and public watermarks:

  • Secret watermarks: Watermark detection requires input of original data or original watermark
  • Semi-secret watermarks (semi-blind watermarks): Use a watermark copy to detect watermarks without using original data
  • Public watermarks (blind watermarks): Watermark detection requires neither original data nor original watermark

Based on different purposes, they can be classified as text watermarks, image watermarks, audio watermarks, and video watermarks.

Based on the type of digital watermark itself, they can be classified as meaningful digital watermarks and meaningless watermarks:

  • Meaningful digital watermarks: Such as the digital watermark being a meaningful image
  • Meaningless digital watermarks: Such as the digital watermark being a sequence.

In the copyright protection domain, meaningful digital watermarks have stronger copyright proving capability.

Digital Watermark Algorithm Classification

  • Spatial domain algorithms
    • Applicable to images, video, text, 3D models, and other carriers
    • Directly embed watermark information into image pixels, video frames, text character features and character spacing, and 3D model spatial dimensions
  • Time domain algorithms
    • Mainly applicable to audio digital watermarking
    • Embed watermark information into audio time-domain samples. If the time series is viewed as an ordinary dimension, time domain algorithms can be equivalent to one-dimensional spatial domain algorithms
  • Transform domain algorithms
    • Applicable to audio, image, video, and other digital carriers
    • Embed watermark information into the transform domain coefficients of the carrier
    • First perform a specific mathematical transform on the carrier, then add the watermark to the transformed domain coefficients, and finally apply the corresponding inverse transform to convert the watermarked transform domain carrier back to the original domain
    • Transform domain algorithms have the advantages of invisibility, good robustness, and strong attack resistance
  • Compression domain algorithms
    • Mainly targeting audio, image, video, and other digital carriers
    • Utilize the structure and characteristics of image and video compression technologies such as JPEG and MPEG to embed watermarks into the variable value domains of the compression process.


© 2020 - 2026 cos @cosine
Powered by theme astro-koharu · Inspired by Shoka