Last class: Ethernet; Hubs and Switches; Mobile and wireless networks, CDMA. Today: CDMA and IEEE 802.11 wireless LANs; Network security

Posted 21-Dec-2015 (Documents)

Page 1: 1 Last class r Ethernet r Hubs and Switches r Mobile and wireless networks, CDMA Today r CDMA and IEEE 802.11 wireless LANs r Network security.

Last class: Ethernet; Hubs and Switches; Mobile and wireless networks, CDMA

Today: CDMA and IEEE 802.11 wireless LANs; Network security

Page 2

10BaseT and 100BaseT Ethernet
• Uses CSMA/CD
• 10/100 Mbps rate; latter called “fast ethernet”
• T stands for Twisted Pair
• Nodes connect to a hub: “star topology”; 100 m max distance between nodes and hub

[Figure: nodes joined to a hub by twisted pair]

Page 3

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large, common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: three hubs connected through a backbone hub]

Page 4

Switch: traffic isolation
• switch installation breaks subnet into LAN segments
• switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
• segments become separate collision domains

[Figure: three hubs, each forming its own collision domain, connected through a switch]

Page 5

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other, which means A, C are unaware of their interference at B

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B

[Figure: nodes A, B, C; A’s and C’s signal strength plotted over space, both reaching B but not each other]

Page 6

Overview
• CDMA and IEEE 802.11 wireless LANs
• Network security

Page 7

Code Division Multiple Access (CDMA)
• used in several wireless broadcast channel (cellular, satellite, etc) standards
• unique “code” assigned to each user; i.e., code set partitioning
• all users share same frequency, but each user has own “chipping” sequence (i.e., code) to encode data
• encoded signal = (original data) X (chipping sequence)
• decoding: inner-product of encoded signal and chipping sequence
• allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)

Page 8

CDMA Encode/Decode

Sender: data bits $d_0 = 1$ (slot 0) and $d_1 = -1$ (slot 1); sender code $c_1, \ldots, c_M$; channel output for slot $i$ and chip $m$:

$$Z_{i,m} = d_i \cdot c_m$$

Receiver: received input $Z_{i,m}$, receiver code $c_1, \ldots, c_M$; decoded bit:

$$D_i = \frac{1}{M} \sum_{m=1}^{M} Z_{i,m} \cdot c_m$$

[Figure: chip sequences for slot 0 and slot 1 at sender (channel output) and receiver (received input); the individual chip values are not recoverable from the extracted text]

Page 9

CDMA: two-sender interference

[Figure only: two senders’ chip sequences summed on the channel and separated at the receiver]
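The encode/decode formulas from Page 8 and the two-sender case from Page 9, as an added Python example that is not part of the slides; the chipping codes, data bits and function names are constructed here for illustration, and the example also shows what happens when the two codes are not orthogonal.

```python
# Added example (not from the slides): CDMA encode/decode with the slide's
# formulas, extended to two senders sharing one channel. All codes and data
# bits below are constructed for illustration.
from typing import List

def encode(bits: List[int], code: List[int]) -> List[List[int]]:
    """Slide formula Z_{i,m} = d_i * c_m: bit i (+1/-1) becomes M chips."""
    return [[d * c for c in code] for d in bits]

def superpose(*streams: List[List[int]]) -> List[List[int]]:
    """Channel output when several senders transmit at once: chip-wise sum."""
    return [[sum(chips) for chips in zip(*slot)] for slot in zip(*streams)]

def decode(channel: List[List[int]], code: List[int]) -> List[float]:
    """Slide formula D_i = (1/M) * sum_{m=1..M} Z_{i,m} * c_m."""
    M = len(code)
    return [sum(z * c for z, c in zip(slot, code)) / M for slot in channel]

def cross_correlation(code_a: List[int], code_b: List[int]) -> float:
    """<a,b>/M: 0.0 means orthogonal, so the other sender cancels exactly."""
    return sum(a * b for a, b in zip(code_a, code_b)) / len(code_a)

# Constructed chipping codes, M = 8. CODE_A and CODE_B are Walsh rows, hence
# orthogonal; CODE_C is not orthogonal to CODE_A (cross-correlation 0.5).
CODE_A = [1, -1, 1, -1, 1, -1, 1, -1]
CODE_B = [1, 1, -1, -1, 1, 1, -1, -1]
CODE_C = [1, 1, 1, -1, 1, -1, -1, -1]

BITS_A = [1, -1]    # d_0 = 1, d_1 = -1, as on the slide
BITS_B = [-1, -1]   # constructed data for the second sender

def two_sender_demo(code_b: List[int]) -> List[float]:
    """Receiver tuned to CODE_A while a second sender uses code_b."""
    channel = superpose(encode(BITS_A, CODE_A), encode(BITS_B, code_b))
    return decode(channel, CODE_A)

if __name__ == "__main__":
    print("orthogonal codes:    ", two_sender_demo(CODE_B))   # [1.0, -1.0]
    print("non-orthogonal codes:", two_sender_demo(CODE_C))   # [0.5, -1.5]
```

With orthogonal codes the second sender disappears entirely from D_i; with the non-orthogonal code the decoded values are pulled toward the interferer's bits and the decision margin shrinks.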

Page 10

Overview
• CDMA and IEEE 802.11 wireless LANs
• Network security

Page 11

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code
• widely deployed, using base stations

802.11a: 5-6 GHz range, up to 54 Mbps

802.11g: 2.4-5 GHz range, up to 54 Mbps

All use CSMA/CA for multiple access

All have base-station and ad-hoc network versions

Page 12

802.11 LAN architecture
• wireless host communicates with base station; base station = access point (AP)
• Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains: wireless hosts; access point (AP): base station
• ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with its own AP, joined through a hub, switch or router to the Internet]

Page 13

802.11: Channels, association

802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies
• AP admin chooses frequency for AP
• interference possible: channel can be same as that chosen by neighboring AP!

host: must associate with an AP
• scans channels, listening for beacon frames containing AP’s name (SSID) and MAC address
• selects AP to associate with
• may perform authentication [Chapter 8]
• will typically run DHCP to get IP address in AP’s subnet

Page 14

IEEE 802.11: multiple access

avoid collisions: 2+ nodes transmitting at same time

802.11: CSMA - sense before transmitting; don’t collide with ongoing transmission by other node

802.11: no collision detection!
• difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
• can’t sense all collisions in any case: hidden terminal, fading

goal: avoid collisions: CSMA/C(ollision)A(voidance)

[Figure: hidden terminal and signal fading diagrams for nodes A, B, C, as on Page 5]

Page 15

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Page 16

Avoiding collisions (more)

idea: allow sender to “reserve” channel rather than random access of data frames: avoid collisions of long data frames
• sender first transmits small request-to-send (RTS) packets to BS using CSMA; RTSs may still collide with each other (but they’re short)
• BS broadcasts clear-to-send CTS in response to RTS
• RTS heard by all nodes: sender transmits data frame; other stations defer transmissions

Avoid data frame collisions completely using small reservation packets!

Page 17

Collision Avoidance: RTS-CTS exchange

[Figure: timeline for A, AP and B. RTS(A) and RTS(B) collide (reservation collision); A retransmits RTS(A); the AP sends CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A)]

Page 18

802.11 frame: addressing

Frame layout, field sizes in bytes: frame control 2, duration 2, address 1 6, address 2 6, address 3 6, seq control 2, address 4 6, payload 0 - 2312, CRC 4

Address 1: MAC address of wireless host or AP to receive this frame

Address 2: MAC address of wireless host or AP transmitting this frame

Address 3: MAC address of router interface to which AP is attached

Address 4: used only in ad hoc mode

Page 19

802.11 frame: addressing

[Figure: H1 - AP - R1 (router) - Internet]

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame: dest. address = R1 MAC addr, source address = AP MAC addr
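The frame layout from Page 18 and the H1-AP-R1 addressing from Page 19, as an added Python example that is not part of the slides: it builds and parses a data frame with the slide's field sizes, checks the CRC, and derives the 802.3 header. It assumes the slide's simplified layout (address 4 always present, so a 30-byte header) and uses the standard CRC-32 FCS; the MAC addresses are constructed, and taking the 802.3 source from address 2 is this example's own choice.

```python
# Added example (not from the slides): build/parse the 802.11 data frame as drawn
# on the slide: 2,2,6,6,6,2,6 header bytes, 0-2312 byte payload, 4-byte CRC.
# Real 802.11 frames carry address 4 only in wireless-distribution-system mode;
# the slide draws it unconditionally and so does this code.
import struct
import zlib

HDR = struct.Struct("<HH6s6s6sH6s")  # frame ctrl, duration, addr1-3, seq ctrl, addr4
CRC_LEN, MAX_PAYLOAD = 4, 2312

def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_80211(addr1: str, addr2: str, addr3: str, payload: bytes,
                addr4: str = "00:00:00:00:00:00", seq: int = 0) -> bytes:
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fc = 0x0108  # type=data with To-DS set (host -> AP); standard bit layout, not on the slide
    body = HDR.pack(fc, 0, mac_to_bytes(addr1), mac_to_bytes(addr2),
                    mac_to_bytes(addr3), seq << 4, mac_to_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body))  # CRC-32 FCS over header+payload

def parse_80211(frame: bytes) -> dict:
    if len(frame) < HDR.size + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    body, fcs = frame[:-CRC_LEN], frame[-CRC_LEN:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("CRC mismatch: frame corrupted")
    fc, dur, a1, a2, a3, seq, a4 = HDR.unpack_from(body)
    return {"frame_control": fc, "duration": dur,
            "address1": bytes_to_mac(a1),   # receiver of this frame (the AP here)
            "address2": bytes_to_mac(a2),   # transmitting wireless host
            "address3": bytes_to_mac(a3),   # router interface the AP is attached to
            "seq": seq >> 4,                # sequence number; low 4 bits = fragment
            "address4": bytes_to_mac(a4),   # ad hoc mode only
            "payload": body[HDR.size:]}

def to_8023(parsed: dict) -> tuple:
    """802.3 header the AP emits: dest = address 3 (R1); source = address 2 is
    this example's assumption for a host -> AP frame."""
    return parsed["address3"], parsed["address2"], parsed["payload"]

# Constructed, locally administered addresses for the slide's H1 -> AP -> R1 path.
H1, AP, R1 = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
```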

Page 20

802.11: mobility within same subnet
• H1 remains in same IP subnet: IP address can remain same
• switch: which AP is associated with H1? self-learning (Ch. 5): switch will see frame from H1 and “remember” which switch port can be used to reach H1

[Figure: router; hub or switch; AP 1 in BSS 1 and AP 2 in BSS 2; H1 moving between the two BSSs]

Page 21

Network Security
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Page 22

What is network security?

Confidentiality: only sender, intended receiver should “understand” message contents; sender encrypts message, receiver decrypts message

Authentication: sender, receiver want to confirm identity of each other

Message Integrity: sender, receiver want to ensure message content not altered (in transit, or afterwards) without detection

Access and Availability: services must be accessible and available to users

Page 23

Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel]

Page 24

Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic transactions (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?

Page 25

There are bad guys (and girls) out there!

Q: What can a “bad guy” do?
A: a lot!
• eavesdrop: intercept messages
• actively insert messages into connection
• impersonation: can fake (spoof) source address in packet (or any field in packet)
• hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
• denial of service: prevent service from being used by others (e.g., by overloading resources)

more on this later ……

Page 26

Overview
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Page 27

The language of cryptography

symmetric key crypto: sender, receiver keys identical

public-key crypto: encryption key public, decryption key secret (private)

[Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]

Page 28

Symmetric key cryptography

substitution cipher: substituting one thing for another

monoalphabetic cipher: substitute one letter for another

E.g.:

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Q: How hard to break this simple cipher?: brute force (how hard?) other?
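The slide's cipher as code, added here as an example that is not part of the slides: it uses the slide's own substitution alphabet, answers "brute force (how hard?)" with the size of the key space, and illustrates the "other?" weakness by counting ciphertext letter frequencies, which a monoalphabetic substitution leaves intact. Function names are this example's own.

```python
# Added example (not from the slides): the slide's monoalphabetic substitution
# cipher, its key-space size, and the letter-frequency leak it cannot hide.
import math
import string
from collections import Counter

PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"   # substitution alphabet from the slide
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

def encrypt(text: str) -> str:
    """Map each lowercase letter through the key; other characters pass through."""
    return text.translate(ENC)

def decrypt(text: str) -> str:
    return text.translate(DEC)

def keyspace() -> int:
    """Brute force: one candidate key per permutation of 26 letters, 26! ~ 4e26."""
    return math.factorial(26)

def letter_frequencies(ciphertext: str, n: int = 3) -> list:
    """Each ciphertext letter stands for exactly one plaintext letter, so the
    plaintext's letter statistics survive encryption; the most common
    ciphertext letters point at the most common plaintext letters."""
    counts = Counter(ch for ch in ciphertext if ch in CIPHER)
    return counts.most_common(n)

if __name__ == "__main__":
    ct = encrypt("bob. i love you. alice")
    print(ct)                          # nkn. s gktc wky. mgsbc, as on the slide
    print(keyspace())                  # 403291461126605635584000000
    print(letter_frequencies(ct))      # 'k' leads, and decrypt('k') == 'o'
```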

Page 29

Symmetric key cryptography

symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A\text{-}B}$

e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

Q: how do Bob and Alice agree on key value?

[Figure: plaintext message $m$ → encryption algorithm with $K_{A\text{-}B}$ → ciphertext $K_{A\text{-}B}(m)$ → decryption algorithm with $K_{A\text{-}B}$ → plaintext $m = K_{A\text{-}B}(K_{A\text{-}B}(m))$]

Page 30

Symmetric key crypto: DES

DES: Data Encryption Standard
• US encryption standard [NIST 1993]
• 56-bit symmetric key, 64-bit plaintext input
• How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
  - no known “backdoor” decryption approach
• making DES more secure:
  - use three keys sequentially (3-DES) on each datum
  - use cipher-block chaining

Page 31

Symmetric key crypto: DES

DES operation
• initial permutation
• 16 identical “rounds” of function application, each using different 48 bits of key
• final permutation

Page 32

AES: Advanced Encryption Standard
• new (Nov. 2001) symmetric-key NIST standard, replacing DES
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES
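Where the slide's 149 trillion years comes from, as an added calculation that is not on the slide: brute-force cost is proportional to the key space, so an exhaustive AES-128 search takes $2^{128}/2^{56} = 2^{72}$ times as long as the 56-bit DES search.

$$t_{\text{AES}} = 1\,\text{s} \cdot \frac{2^{128}}{2^{56}} = 2^{72}\,\text{s} \approx 4.72 \times 10^{21}\,\text{s}$$

$$\frac{4.72 \times 10^{21}\,\text{s}}{3.156 \times 10^{7}\,\text{s/year}} \approx 1.5 \times 10^{14}\,\text{years} \approx 149 \text{ trillion years}$$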

Page 33

Public Key Cryptography

symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never “met”)?

public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver

Page 34

Public key cryptography

[Figure: plaintext message $m$ → encryption algorithm with Bob’s public key $K_B^+$ → ciphertext $K_B^+(m)$ → decryption algorithm with Bob’s private key $K_B^-$ → plaintext message $m = K_B^-(K_B^+(m))$]

Page 35

Public key encryption algorithms

Requirements:

1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$

2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$

RSA: Rivest, Shamir, Adleman algorithm
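A toy RSA key pair to check the two requirements listed above, added here as an example that is not part of the slides (the slides name RSA but do not give its steps; the algorithm used is standard textbook RSA). The primes, exponent and function names are constructed for illustration; the last function shows why requirement 2 only holds when the modulus is far too large to factor.

```python
# Added example (not from the slides): textbook RSA with tiny constructed
# parameters, used to check the slide's two requirements on K_B^+ and K_B^-.
from math import gcd

def make_keypair(p: int, q: int, e: int = 17) -> tuple:
    """K_B^+ = (e, n) is public, K_B^- = (d, n) is private; p and q are
    assumed to be primes (no primality check here)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # e * d = 1 (mod phi); Python 3.8+
    return (e, n), (d, n)

def encrypt(pub: tuple, m: int) -> int:
    """K_B^+(m) = m^e mod n; m must be an integer smaller than n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(priv: tuple, c: int) -> int:
    """K_B^-(c) = c^d mod n. Requirement 1: decrypt(priv, encrypt(pub, m)) == m."""
    d, n = priv
    return pow(c, d, n)

def recover_private_key(pub: tuple) -> tuple:
    """Requirement 2 in practice: for a toy modulus, trial division factors n
    and yields d; RSA's security rests on n being far too large for this."""
    e, n = pub
    p = next(k for k in range(2, n) if n % k == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n

# Constructed primes for illustration: n = 3233, phi = 3120, d = 2753.
PUB, PRIV = make_keypair(61, 53)

if __name__ == "__main__":
    c = encrypt(PUB, 65)
    print(c, decrypt(PRIV, c))                 # 2790 65
    print(recover_private_key(PUB) == PRIV)   # True: toy n is trivially factored
```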