csci5939 Wireless Security Study List

Wireless Applications and Security

- Summer 2002 Study Group with Dr. T. A. Yang

Meeting time & place

Time: 9-11am Saturdays (see the schedule below for specific dates)

Place: Delta 105

Objectives

The theories underlying wireless networks and wireless security (including those acronyms...)
The implementation of wireless protocols, and duplication of security problems and solutions, using one or two development environments.

Tutorials, Dictionary & on-line resources

A Wireless Networking Tutorial (Make sure you check out the link to 'What does wireless mean?', especialy the four types of wireless networks)
On-line wireless dictionary
Wireless LANs, Interlink Networks Radius servers, and Cisco EAP-LEAP
(A good introduction to wireless LAN security, concerns, and alternative solutions)
Wireless Network Index
WiFiDirect's Virtual Designer

IEEE 802.11 Wireless Standards

Study list & Schedule


Date	Assigned study list (or tasks) for the week	Due
6/8	IEEE 802.11 William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan. Your 802.11 Wireless Network has No Clothes. Department of Computer Science. University of Maryland, College Park, Maryland. March 30, 2001. Get 802.1x Wireless LAN Security The Security Implications of Wireless LANs Tips for Securing Wi-Fi Networks Ed Sutherland, The Chaotic State of the Wireless Security (an article discussing the problems of wireless network, esp. 802.11b wireless LAN standard, and WEP ) (9/26/01) Michael Sutton. Wi-Fi's Achilles heel . C/NET News.com (7/24/2002) + Go visit the RSA archives site (Sign-up and login are required) and review the webinar "Securing the New Wireless World".	NOTE: Study the articles for the week before the meeting. All projects are due before the meeting. Send the projects as attachments to yang@uhcl.edu . Use self-explanatory subject line.
6/15	Decompilation, Obfuscation & Watermarking Collberg, Christian and Clark Thomborson (2000). Watermarking, Tamper-Proofing, and Obfuscation – Tools for Software Protection . University of Arizona Technical Report 2000-03 , Department of Computer Science, University of Arizona. Feb. 2000. Low, Douglas (2001). Protecting Java Code Via Code Obfuscation . ACM Crossroads Student Magazine . + Mahmoud, Qusay H. Protect your bytecodes from reverse engineering / decompilation. Java World. + Dyer, Dave (1997). Java decompilers compared . Java World. July 1997.	Project 1 A. (20 pts) Write a one page report explaining what security problems are associated with IEEE 802.11 protocol. Summarize alternative solutions for the problems. B. (20 pts) Compare wireless LAN and wireless WAN in terms of their applications, existing protocols, and security issues. Try to highlight their differences and similarities. C. (20 pts) Conduct a survey of at least three existing wireless development environments (J2ME, CodeWarrior, Borland, Microsoft, et. al.). Compare their features, especially emulation or simulation provided, supported languages, and supported deployment platforms.
6/22	News articles about wireless security Lee Schlesinger, The best way to secure wireless access (2/7/02) Lee Schlesinger, Why the wireless world's not ready for you (1/7/02) Intermec Technologies Corporation, Wireless LAN Security (a white paper; registration is required to access the document) ( 1/1/02) Chris Kozup, Secure your WLAN now ( 12/28/01) Steven Vaughan-Nichols, Don't buy that wireless LAN—yet (11/13/01) + Fowler, Dennis (2001). NetNews: Growing Pains. netWorker, Volume 5 Issue 2. June 2001. + Held, Gilbert (2001). Considering wireless LANs: proceed with caution . International Journal of Network Management, Volume 11, Issue 4, July–August 2001, page 205.	Project 2 A. (30 pts) Decompilation versus Obfuscation a. Download the Mocha decompiler from http://www.brouhaha.com/~eric/computers/mocha.html . Try to decompile a bytecode using the decompiler. Hand in the Java source and the decompiled version. b. Download the Marvin Obfuscator from http://drjava.de/obfuscator/ . Install and test the obfuscator by obfuscating the sample Java bytecode that you used in part a. Now try to decompile the obfuscated bytecode to see if it would work. Explain the result you get. B. Find five news articles that discuss 'wireless security' issues. The articles must be published after April 1, 2002. a. (15 pts) Create a list of URL's for the articles. b. (15 pts) Compare the content of the articles you found against those articles listed as last week's study list (6/15). Write a summary paragraph explaining at least three major changes in the 'wireless security' field since Feb. 2002.
6/29	Protocols and Software Paradigms of Mobile Networks Nigel Davies, Adrian Friday, Stephen P. Wade, and Gordon S. Blair (1998). L2imbo: a distributed systems platform for mobile computing . Mobile Networks and Applications (Special issue on protocols and software paradigms of mobile networks ), Volume 3 , Issue 2 (August 1998). Pages: 143 - 156 Thomas F. La Porta, Thomas Woo, Krishan K. Sabnani, and Ramachandran Ramjee (1998). Experiences with network-based user agents for mobile applications . Mobile Networks and Applications (Special issue on protocols and software paradigms of mobile networks ), Volume 3, Issue 2 (August 1998). Pages: 123 - 141. Gupta, Vipul, and Gabriel Montenegro (1998). Secure and mobile networking . Mobile Networks and Applications, Volume 3 Issue 4 (December 1998).	Project 3 A. (40 pts) Download the Java 2 Platform Micro Edition, Wireless Toolkit, from http://java.sun.com/products/j2mewtoolkit/index.html . Set up the development environments, especially the emulator, on a computer and try out a sample wireless application. Check out the J2ME Development Tutorial , and the Secure Java MIDP Programming Using HTTPS with MIDP . B. (20 pts) Write a readme.txt file to outline the steps a new user needs to take in order to download, install, and test the J2ME Wireless Toolkit.
7/6	SSL / TLS Rolf Oppliger, Internet security . Communications of the ACM, Volume 40 Issue 5 , May 1997. Lawrence C. Paulson, Inductive analysis of the Internet protocol TLS . ACM Transactions on Information and System Security (TISSEC), Volume 2 Issue 3, August 1999. Eran Gabber , Phillip B. Gibbons , David M. Kristol , Yossi Matias , Alain Mayer, On secure and pseudonymous client-relationships with multiple servers . ACM Transactions on Information and System Security (TISSEC), Volume 2 Issue 4, November 1999. The Open SSL Project (SDKs for free download) http://www.openssl.org/	Design of the final project due
7/13	Security for mobile applications Harbitter, Alan, and Daniel A. Menascé (2001). The performance of public key-enabled kerberos authentication in mobile computing applications . Proceedings of the 8th ACM conference on Computer and Communications Security, November 2001. EAP, LEAP, and related protocols PPP Extensible Authentication Protocol (EAP) The Point-to-Point Protocol (PPP) PPP EAP TLS Authentication Protocol PPP Challenge Handshake Authentication Protocol (CHAP) Microsoft PPP CHAP Extensions Cisco LEAP protocol description (Lightweight Extensible Authentication Protocol) Wireless LANs, Interlink Networks Radius servers, and Cisco EAP-LEAP Cisco LEAP Cisco LEAP RADIUS	Check the FAQ at http://www.apple.com/airport/faq/ to find introductory information about LEAP, RADIUS , et. al. Check out IEEE 802.1X Overview: Port Based Network Access Control to see how EAP is encapsulated in 802.1X. + IEEE 802.11 Security and 802.1X (Summary of Vulnerabilities in 802.11 and 802.1X)
7/20	RADIUS and related protocols RFC2865 Remote Authentication Dial In User Service (RADIUS) RFC2618 RADIUS Authentication Client MIB RFC2619 RADIUS Authentication Server MIB RFC3162 RADIUS and IPv6 RFC2809 Implementation of L2TP Compulsory Tunneling via RADIUS RFC2868 RADIUS Attributes for Tunnel Protocol Support
7/27	Wireless Application Protocol (WAP) et. al. WAP 2.0 Technical White Paper WAP JAVA site: http://wireless.java.sun.com/enterprise/articles/wap/intro/ Wireless Application Protocol Architecture Specification Wireless Transport Layer Security Specification WAP Public Key Infrastructure Specification Collections of WAP 2.0 Technical Specifications WAP-enabled Devices (a Network Computing Buyer's Guide, 4/16/2002) Data-Enabled Cell Phone (a Network Computing Buyer's Guide, 3/18/2002)	Final project demonstration & discussions (New due date)
8/3	Mobile Messaging and the Lightweight & Efficient Application Protocols (LEAP) The Lightweight & Efficient Application Protocols (LEAP) Manifesto (or as a single HTML page ) Comparison of LEAP to WAP (Question: Is the comparison fair? Justify your answer.)	Final report (New due date)

Additional References:

Books

Beaulieu, Mark (2002). Wireless Internet Applications and Architecture: Building Professional Wireless Applications Worldwide . Addison Wesley. 2002. ISBN: 0-201-73354-4.
Deitel, Harvey M., Paul J. Deitel, Tem R. Nieto, and Kate Steinbuhler (2002). Wireless Internet and Mobile Business How to Program, 1/e. Prentice Hall. 2002. ISBN 0-13-009288-6.
Feng, Yu and Jun Zhu (2001). Wireless Java Programming with Java 2 Micro Edition, 1/e . Prentice Hall. 2001. ISBN 0-672-32135-1.
Forsberg, Christian and Andreas Sjostrom (2002). Pocket PC Development in the Enterprise: Mobile Solutions with Visual Basic and .NET . Addison Wesley. 2002. ISBN: 0-201-75079-1.
Knudsen, Jonathan (2001). Wireless Java: Developing with Java 2, Micro Edition . Apress. 2001. ISBN: 189311550X.
Kroll, Michael and Stefan Haustein (2002). Java 2 Micro Edition (J2ME) Application Development, 1/e . Prentice Hall. 2002. ISBN 0-672-32095-9.
O'Hara, Bob & Al Petrick. The IEEE 802.11 Handbook: A Designer's Companion, IEEE, 1999.
Rischpater, Ray (2001). Wireless Web Development with PHP and WAP . Apress. 2001. ISBN: 1893115933.
Swaminatha, Tara M. and Charles R. Elden (2003). Wireless Security and Privacy: Best Practices and Design Techniques . Addison Wesley. 2003 (yet to be published). ISBN: 0-201-76034-7.

CDMA

CDMA2000 Wireless Data Requirements for AAA . RFC 3141 (informational). June 2001.

Cisco

John S. McCright. "Network Giants Address Security". eWEEK. (September 27, 2002)
Cisco Aironet Security Solution Provides Dynamic WEP to Address Researchers' Concerns. http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.htm
Cisco Security for Next Generation Wireless LANs
Cisco Networking Professionals Connection
Cisco Technology Solutions: Wireless and Mobile Office
Cisco IOS Software Feature: Network Layer Encryption
Cisco SAFE Blueprint (Secure Enterprise Networks) white papers.
Cisco Security Technical Tips

HP/Compaq wireless information

http://wireless.hp-at-home.com/home.html (Several links to wireless technology and white papers on wireless networks, Bluetooth, Wi-Fi, and Wi-Fi and Bluetooth co-existence)
http://www.compaq.com/services/security/ (Collection of links to various topics related to security)

IPSec

RFC2401 Security Architecture for the Internet Protocol (Nov. 1998)
RFC2410 The NULL Encryption Algorithm and Its Use With IPsec (Nov. 1998)
RFC3193 Securing L2TP using IPsec (Nov. 2001)
Cisco Security Tips on IPSec

J2ME

Download the Java 2 Platform Micro Edition, Wireless Toolkit
J2ME Development Tutorial
Secure Java MIDP Programming Using HTTPS with MIDP
The JXTA for J2ME (JXME) Project
Jonathan Knudsen. Getting Started with JXTA for J2ME. July 2002.
Qusay H. Mahmoud. J2ME MIDP and WAP: Complementary Technologies. February 2002.

Microsoft Wireless Networking

Microsoft Developer Network (2002). IEEE 802.11b Wireless Networking Overview. The Cable Guy - March 2002.

Microsoft Developer Network (2002). IEEE 802.1X Authentication for Wireless Connections. The Cable Guy - April 2002.
Microsoft Wi-Fi Web site. http://www.microsoft.com/windows2000/technologies/communications/wifi/default.asp .

Network Computing

mobile and wireless site

NetworkWorld

RSA

Securing the Wireless Internet: End-to-end security must encompass WLANs, handhelds and mobile phones. RSA Connections. Summer 2002.
RSA BSAFE® Micro Edition Boosts Wireless-Device Security . RSA Connections. Summer 2002.
Wireless Developments (collection of news and events related to wireless technology)

Security in e-commerce

Blundo, Carlo, Stelvio Cimato, Annalisa De Bonis (2002). A lightweight protocol for the generation and distribution of secure e-coupons . WWW2002. Pages: 542 - 552.
Brustoloni, José (2002). Protecting electronic commerce from distributed denial-of-service attacks . WWW2002. Pages: 553 - 561.
The Web site of the Mobile electronic Transactions (MeT) Initiative

Software Protection, Java and Obfuscation

Herzberg, Amir and Shlomit S. Pinter. Public protection of software . ACM Transactions on Computer Systems, vol. 5, no. 4 , pp. 371-393, November, 1987.
Weisfeld, Matt and Gabriel Torok (1999). Improving Java's Performance and Security while Reducing Application Size . Java Report Magazine (November, 1999).
Silverman, Micah (2002). Obfuscation: Protecting Commercial JSP Applications – Take advantage of the benefits of JSP. JAVA Developer’s Journal, 7(4) . April 2002.
Collberg, Christian, Clark Thomborson, and Douglas Low (1997). A Taxonomy of Obfuscating Transformations . Technical report #148, Dept. of Computer Science, University of Auckland, Auckland, New Zealand.

TKIP

PC World's article about 802.11b security and TKIP (Feb. 4, 2002)

VPN

Cisco Tech Notes: How Virtual Private Networks Work

Cisco VPN 3000 Concentrator Series

Cisco VPN 3002 Hardware Client

"Cisco VPN 3002: Easy LAN-to-LAN VPN Setup the Hardware Way" . Network Computing (5/28/2001).

ISP-Planet's series surveys of VPN appliances

Peitsch, Charles. Special Report: ecisions, decisions, decisions about VPN . ASP Connection (an on-line resource for application service providers). Oct. 2001.

Allen, Doug. Special Report: VPN Overlay Networks: An Answer To Network-Based IP VPNs? NetworkMagazine.Com. June 2001.

Wireless Internet and Intranet access

Bennington, Bernard J. and Charles R. Bartel (2001). Wireless Andrew: building a high speed, campus-wide wireless data network . Mobile Networks and Applications, Volume 6, Issue 1. Jan./Feb. 2001. Pages: 9 - 22.

Schläger, M., B. Rathke, A. Wolisz, and S. Bodenstein (2001). Advocating a remote socket architecture for internet access using wireless LANs . Mobile Networks and Applications, Volume 6, Issue 1. Jan./Feb. 2001. Pages: 23 - 42.

Maass, Henning (1998). Location-aware mobile applications based on directory services . Mobile Networks and Applications (Special issue on protocols and software paradigms of mobile networks ), Volume 3, Issue 2. August 1998.

Zhuge, Lei, and Victor O. K. Li (2002). Reverse-link capacity of multiband overlaid DS-CDMA systems . Mobile Networks and Applications, Volume 7, Issue 2 (April 2002). Pages: 101 - 113.

Su, William, Sung-Ju Lee, and Mario Gerla (2001). Mobility prediction and routing in ad hoc wireless networks . International Journal of Network Management, 11 (1) , pages 3-30.

WLAN security, steganography, et. al.

AirSnorf homepage

John Verry. "Wireless security: not an oxymoron". TechRepublic. (September 27, 2002)

IBM develops tool to detect rogue wireless LAN access points (June 2002)

Steganography: Hidden Data (June 2002)

WLAN Equipments & Installation

Cisco Aironet 350 Series Products Overview: http://www.cisco.com/univercd/cc/td/doc/pcat/ao350.htm (Access Points, Client Adapters, Workgroup Bridge, Wireless Bridge)

Cisco Aironet 340 Series — Client Adapters and Access Points: http://www.cisco.com/univercd/cc/td/doc/pcat/340cl.htm#CFHEICDH

Wireless PTP (Point-To-Point) Bridges . Network Computing (2/19/01)

Fixed Wireless Equipment Review: ORiNOCO SOHO Network Kit

WWAN Equipments & Installation

http://www.sierrawireless.com/ProductsOrdering/pccards.html (Sierra wireless AirCard series)

http://www.verizonwireless.com/express_network/index.html (Verizon express network service)

http://www.mobilecomms-technology.com/projects/broadband_gallery.html

HP Education station: wireless WAN

Wireless Wide Area Networks For Mobile Computing Applications

Emerging Wireless Data Networks

Wireless WAN Infrastructure and Services

Sprint Announces Industry Milestone as First U.S. Wireless Carrier to Complete Nationwide Network Upgrade to 3G 1X (8/8/02)

PCS Connection Card by Sierra Wireless Aircard® 550