
Upload: spencer-montgomery

Post on 04-Jan-2016


Wi-Fi and Some Of Its Security Issues

CS 426 Project
Instructor: Vicky Hsu

Mahesh Kumar Donthula
Student ID A1371

Wi-Fi Definition

No standard definition.
Short for wireless fidelity.
It is a wireless technology that uses radio frequency to transmit data through the air.

Brief History

IEEE (Institute of Electrical and Electronics Engineers) established the 802.11 Group in 1990. Specifications for the standard were ratified in 1997.
Initial speeds were 1 and 2 Mbps.
IEEE modified the standard in 1999 to include:
  802.11b
  802.11a
802.11g was added in 2003.
IEEE created the standard, but the Wi-Fi Alliance certifies products.

Networking standards used by Wi-Fi (802.11 series)

802.11 is primarily concerned with the lower layers of the OSI model.
Data Link Layer
  Logical Link Control (LLC)
  Medium Access Control (MAC)
Physical Layer
  Physical Layer Convergence Procedure (PLCP)
  Physical Medium Dependent (PMD)

Wi-Fi security issues

Wireless networks are more vulnerable to security attacks because of their openness.
They face the threats of wired networks plus additional threats because of their openness.
The broadcast nature requires user authentication and data integrity.

Wireless Attacks - 1

Session hijacking attack
Social engineering: pretending to be a Comcast service tech (network admin) to steal the key.
Dictionary attacks: computing keys for all possible words in the dictionary; a good technique for cracking weak passwords.

[Figure: session hijacking between client, attacker and AP, with the steps labelled 1 authenticate, 2 die, 3 pretend]

Wireless Attacks - 2

Replay attacks
  Attackers eavesdrop on the network and listen to the packets in it.
  They replay the packets at a later time, pretending to be a trusted client.
  The attacker is authenticated and given full access to the network.

DoS attacks
  Jamming the signal by continuing to send a malicious signal, so that no other device operating at that frequency can send a frame.
  Sending corrupt or malformed EAP frames to the association point.

Wireless Attacks - 3

Plain text attacks
  Cipher Text CT1 = PT1 XOR RC4(KEY+IV)
  Cipher Text CT2 = PT2 XOR RC4(KEY+IV)
  A little manipulation would show that
  CT1 XOR CT2 = PT1 XOR PT2 (Borisov, Goldberg, & Wagner, 2001).
  The attacker makes the client send a cipher text for an intended plain text.

WiFi Protocols used

WEP: Wired Equivalent Privacy protocol (not Wireless Encryption Protocol).
  Stream cipher, 64-bit key, 24-bit IV.
WEP2
  Enhanced WEP, 128-bit key, no change to IV.
WPA
  Standard that replaces WEP and eliminates most of the vulnerabilities.

Resisting Wireless Attacks

MAC filtering.
Disabling the SSID broadcast.
Frequently change keys.
Increase the key length and the initialization vector length, and make the IV random.
Use a stronger encryption algorithm.
Use a block cipher to increase diffusion and enhance randomness.
Use strong keys/passphrases.

Wired Equivalent Privacy (WEP)

WEP is a security algorithm used for providing wireless security in 802.11 WLANs.
It provides security against eavesdropping.
It prevents intruders from accessing the information on the wireless network.

Security Goals of WEP

Access Control: ensure authorized access to the wireless infrastructure.
Data Integrity: data should not be tampered with.
Confidentiality: data should not be read by an intruder.

WEP Protocol

Uses a 40/104-bit secret key pre-shared between the sender and receiver.
Uses a 24-bit initialization vector.
Uses the RC4 stream cipher for encryption/decryption.

WEP Encryption

[Figure: WEP encryption. Labels: 40/104 bit key + 24-bit IV; 64/128 bit stream sequence; RC4 (input, output); Plain Text Data + CRC; XOR; Cipher text + 24-bit IV]

WEP Vulnerabilities

Initialization vector length is 24 bits (small)
  Subject to session hijacking, collision attacks.
Same key used for authentication and encryption
  Social engineering attacks
Stream ciphering
  Replay attacks
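Added example (not from the original slides), covering both the plain text attack slide and the WEP encryption and vulnerabilities slides: a minimal WEP encapsulation showing that two frames sharing a key and IV satisfy CT1 XOR CT2 = PT1 XOR PT2, and how quickly a 24-bit IV repeats if IVs are picked at random. WEP seeds RC4 with the IV prepended to the key; the key, IV and plaintexts below are constructed sample values.

```python
import math
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for seed (key scheduling, then output)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cleartext IV followed by (data || CRC-32) XOR RC4(IV || key)."""
    body = data + zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that two of `frames` random IVs are equal."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

# Constructed sample values, not taken from any capture.
KEY = bytes.fromhex("0102030405")   # 40-bit shared key
IV = bytes.fromhex("aabbcc")        # the same 24-bit IV used for both frames
PT1 = b"GET /index.html "
PT2 = b"user=alice&pin=1"

def demo():
    f1, f2 = wep_encrypt(KEY, IV, PT1), wep_encrypt(KEY, IV, PT2)
    mixed = xor(f1[3:], f2[3:])             # the shared keystream cancels out
    recovered = xor(mixed[:len(PT1)], PT1)  # knowing PT1 reveals PT2
    return mixed[:len(PT1)] == xor(PT1, PT2), recovered
```

With the 48-bit IV listed for WPA, the same birthday calculation gives a negligible repeat probability at the same frame count.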

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access is an interim standard created by the Wi-Fi Alliance.
WPA is based on a subset of the 802.11i standard:
  802.1x-based mutual authentication
  Temporal Key Integrity Protocol (TKIP) on existing RC4 to impose strong data encryption
  Uses the Michael Message Integrity Check for message integrity
  Uses a 48-bit IV

WPA modes

WPA-PSK
  This mode is used where there is no 802.1x authentication. It uses a pre-shared key as a pass code. The configuration of this mode is similar to WEP, but there is the option of one pre-shared key for each station, tied to the station's MAC.

WPA modes 2

WPA using 802.1x
  This mode has three main components:
    Client
    An authenticator (AP)
    Authentication server (RADIUS)

Wi-Fi Protected Access 2 (802.11i)

Introduction
  WPA2 or 802.11i is the latest wireless security protocol designed to provide secure communication over wireless networking devices. WPA2 was designed by the IETF and certified by the Wi-Fi Alliance. The main purposes of designing this protocol were to overcome the weaknesses found in WEP (Wired Equivalent Privacy) and to further enhance the security provided by WPA.

Working of WPA 2

WPA 2 has two versions:
  WPA2-Personal: provides authorized access to wireless networks based on a set-up password.
  WPA2-Enterprise: provides access in large business wireless networks through an authentication server.

Phases of secure communication

A secure communication is established in 4 phases:
  Phase I: Security Policy Agreement between client and the access point
  Phase II: 802.1x Authentication [1]
  Phase III: Key Distribution and Derivation, 4-Way Handshake [1]
  Phase IV: Data Integrity and Confidentiality

Phase I: Agreeing on the Security Policies

Phase II: 802.1x Authentication

Phase III: Key Derivation and Distribution

Phase IV: Data Integrity and Data Confidentiality

All the keys from phase 3 are used by the protocols used in the RSNA, such as TKIP and CCMP. The reason for implementing TKIP, which is based on the RC4 stream cipher, is to allow WEP systems to be upgraded.

Weaknesses of WPA/WPA2

The major weakness of WPA/WPA2 is in the use of WPA-PSK mode. WPA-PSK mode is based on the PMK, which is derived from the pass phrase, SSID, SSID length and nonce. The concatenated string is hashed 4096 times to generate 256-bit values and combined with the nonce value. This information is broadcast with the normal traffic. The strength of the PTK, which is equal to the value of the PMK, depends on the strength of the pass phrase. WPA-PSK is vulnerable to offline dictionary and brute-force attacks.
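Added example (not part of the original slides): the pass-phrase-to-PMK step as IEEE 802.11i defines it, PBKDF2-HMAC-SHA1 over the pass phrase with the SSID as salt, 4096 iterations and a 256-bit output; nonces enter only later, in the 4-way handshake, which is not shown. The guess rate and the acceptance threshold are assumptions chosen for illustration, used to size a pass phrase against the offline search the slide describes.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA-PSK pass phrase to the 256-bit PMK; the SSID is the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random pass phrase."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def audit(length: int, alphabet_size: int,
          guesses_per_second: float = 1e5,   # assumption, not a measurement
          min_years: float = 1000.0) -> dict:
    """Judge a pass phrase policy by how long an exhaustive search would take."""
    bits = search_space_bits(length, alphabet_size)
    years = years_to_exhaust(bits, guesses_per_second)
    return {"bits": round(bits, 1), "years": years,
            "acceptable": years >= min_years}

if __name__ == "__main__":
    # Constructed sample network names and pass phrase.
    print(wpa_pmk("correct horse battery", "lab-net-1").hex())
    print(audit(8, 26))    # 8 lowercase letters
    print(audit(12, 94))   # 12 printable ASCII characters
```

Because nothing but the pass phrase and the SSID feeds the PMK, the length and randomness of the pass phrase are the only protection in PSK mode.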

Conclusion

This paper compares various wireless network security protocols and brings out the vulnerabilities of WEP and WEP2 used in home routers. Industry has moved to WPA because of the security holes in the WEP protocol. The paper strongly advises its readers to move to the latest wireless network security protocol (WPA2) and to change the keys frequently to avoid any kind of identity theft.

References

[1] http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm
[2] http://netsecurity.about.com/od/hackertools/a/aa072004b.htm
[3] http://www.microsoft.com/windowsxp/using/networking/security/wireless.mspx
[4] www.findwhitepapers.com
[5] http://www.wkmn.com/newsite/wireless.html
[6] http://www.l-com.com/content/Article.aspx?Type=L&ID=210&source=gspec
[7] http://www.l-com.com/content/DatacommunicationsTutorial.aspx
[8] Security flaws in 802.11 data link protocols by Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker. Communications of the ACM Volume 46, May 2003 pages 35-39. URL: http://portal.acm.org/citation.cfm?id=769823&jmp=cit&coll=GUIDE&dl=GUIDE&CFID=10510466&CFTOKEN=95869072
[9] An Analysis of Wireless Security by Ross Hytnen and Mario Garcia, Texas A&M Corpus Christi, Corpus Christi, Texas 78412. Journal of Computing Sciences in Colleges Volume 21 April 2006 pages 210-216. URL: http://portal.acm.org/citation.cfm?id=1127389.1127429&coll=GUIDE&dl=GUIDE&CFID=65721065&CFTOKEN=72977758
[10] http://www.smartbridges.com/education/articles.asp?id=556
[11] 802.11, 802.1x, and Wireless Security by J. Philip Craiger. June 23, 2002 (GIAC Security Essentials Certification, practical assignment Version 1.4). URL: http://www.sans.org/reading_room/whitepapers/wireless/
[12] Corporate Wireless LAN: Know the Risks and Best Practices to Mitigate them by Danny Neoh (GIAC Security Essential Certification Version 1.4b December 12th 2003). URL: http://www.sans.org/reading_room/whitepapers/wireless/
[13] An Overview of 802.11 Wireless Network Security Standards & Mechanisms by Luis Carlos Wong (GIAC Security Essential Certification Version 1.4b October 21st 2004 Practical assignment 1.4c). URL: http://www.sans.org/reading_room/whitepapers/wireless/
[14] Wi-Fi securities – WEP, WPA and WPA2 by Guillaume Lehembre. Article published in number 1/2006 (14) of hakin9, January 2006. Publication on www.hsc.fr on 28 December 2005. URL: http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en
[15] Wireless attacks from an Intrusion detective perspective by Gary Deckerd (GCIA Gold Certification November 23rd 2006). URL: http://www.sans.org/reading_room/whitepapers/honors/
[16] The security mechanism for IEEE 802.11 Wireless Networks by Alicia Laing (GIAC Security Essential Certification Version 1.2f November 24th 2001). URL: http://www.sans.org/reading_room/whitepapers/wireless/
[17] http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/