Page 1: [IEEE 2009 First Asian Himalayas International Conference on Internet (AH-ICI) - Kathmundu, Nepal (2009.11.3-2009.11.5)] 2009 First Asian Himalayas International Conference on Internet

Challenges in 802.11 encryption algorithms: the need for an adaptive scheme for improved performance

Binod Bhattarai, B Tech Electronics (2009), NIT Surat, India, [email protected]

Bibek Paudel, B Tech CSE (2008), NIT Durgapur, India; Diyaalo Enterprises, Kathmandu, Nepal, [email protected]

Abstract: Wireless LAN (WLAN), despite its popularity, is subject to various security threats. Encrypting the data being transmitted is one of the approaches to address such risks. However, encryption algorithms are known to be computationally intensive and the relation between the strength of encryption and computational intensity is inversely proportional. In this paper, we discuss the challenges in the implementation of encryption algorithm in WLAN. We then compare and analyze the results of experiments to compare these algorithms vis-a-vis their energy consumption. It will be seen that different encryption schemes are fit for different types of messages. We propose an intelligent encryption scheme for optimal security.

I. INTRODUCTION:

In part because of the 802.11 family of standards developed by the IEEE, the demand for wireless LANs has increased so much that we are now in the midst of what is called "the wireless tornado". Opportunities and risks are closely related, and wireless communication is no exception. The 802.11 standard has suffered from various security problems, and because air is the transmission medium, many of these problems are unique as well as challenging in their own right. Wireless LANs are easy to find and easy to deploy. "Rogue" access points could be deployed by end users [1], since not all users are security experts. Possibilities of unauthorized access, MAC spoofing and session hijacking [2], traffic analysis and eavesdropping [1], and other higher-level attacks [3] exist in wireless communication.

Protecting the confidentiality, integrity and authenticity of a message are some of the most important issues that need to be addressed in guaranteeing security in 802.11 [1]. In this paper, we delve only into the protection of the confidentiality of messages, which can be achieved through encryption. We discuss the different encryption algorithms in practice and analyze their performance. Findings of an experiment showing that RC4 is more suitable for large packets and AES is suitable for smaller packets are discussed, followed by a suggestion of the need for an intelligent and adaptive algorithm for improved security of communication. There are cases where encryption alone might not achieve its desired results, as an adversary can sometimes obtain unencrypted information without directly undoing the encryption, for example through traffic analysis, trojan horses and the like. The following characteristics are ideal for wireless encryption:

• higher throughput
• fewer computations, so that it can be implemented in less memory space and with less energy usage
• impossible to crack

Most encryption algorithms can be categorized under two broad encryption schemes: symmetric-key and asymmetric-key. Symmetric cryptography is more suitable in sensor/wireless networks because it requires only one key and has lower time complexity for encryption and decryption in one secret channel; it can reduce the usage of resources (RAM, ROM) and improve cipher performance in a sensor node. Wireless/sensor networks lack sufficient memory space because their network units, such as access points and motes, are required to be small so that physical attacks can be reduced [4].

II. ENCRYPTION: A REVIEW OF THE MAJOR PRACTICES IN WIRELESS LAN FOR SECURITY

Wired Equivalent Protocol (WEP) and Wi-Fi Protected Access (WPA/WPA2) algorithms are the ones that have so far been implemented for securing the wireless network from different foreign attacks [5]:

A. WEP and WPA/WPA2

978-1-4244-4570-7/09/$25.00 ©2009 IEEE


Both WEP and WPA algorithms use the RC4 stream cipher algorithm. WEP uses the RC4 algorithm based on a 40-bit “pre-shared” secret key and a 24-bit IV (Initialization Vector). An ICV (Integrity Check Value) is included in every packet to ensure data integrity [6]. The working of the RC4 algorithm is explained in Fig. 1. The three main services provided by this protocol are:

• Authentication: 802.11 specifies two authentication modes: OSA (Open Systems Authentication), which basically means null authentication, and Shared Key Authentication, where the Access Point (AP) uses a “pre-shared” key based challenge-response system similar to HIPERLAN to authenticate the Mobile Terminal (MT). After the AP authenticates the MT, the data packets exchanged between the AP and MT are encrypted and signed using WEP.

• Integrity: To ensure that a packet has not been modified in transit, 802.11 uses an IC (Integrity Check) field in the packet. This IC is implemented as a CRC-32 checksum, which is part of the WEP encrypted payload. The problem with CRC-32 is that it is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken [7].

• Confidentiality and RC4: For confidentiality, WEP and WPA/WPA2 use the RC4 algorithm. The RC4 algorithm has the following properties:

a) It is a symmetric key algorithm.

b) It is a stream cipher algorithm.

c) The 24-bit IV (Initialization Vector) is appended to the 40-bit key.

d) The key stream, XORed with the plain text, gives the cipher text.

One significant design flaw concerns the length of the initialization vector (IV). The IV is 24 bits long; therefore, there are 2^24 different IVs. This may seem like a large number, but a simple analysis reveals that even if a different IV is used for each successive packet, the entire IV space will be used up extremely quickly.

RC4 (SharedKey + IV) = KeyStream for a packet    (1)

LengthOf (KeyStream) = LengthOf (DataPacket + CRC)    (2)

WEP's IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for a given WEP key, for any key size [6]. Remember that the RC4 cipher stream is XORed with the original packet to give the encrypted packet that is transmitted, and the IV is sent in the clear with each packet. The problem is IV reuse. If the RC4 cipher stream for a given IV is found, an attacker can decrypt subsequent packets that were encrypted with the same IV or can forge packets. Fig. 2 gives the RC4 packet structure. The RC4 cipher uses the combination of the shared key and the IV to produce a key stream for each packet.

Fig. 1. Encryption/Decryption Using RC4 algorithm [7]

Fig. 2. RC4 Packet Structure.

One of the most important requirements of RC4 is that the same key should never be reused. Therefore, the key space for RC4 is 2^N, where N is the length of the IV. 802.11 specifies an IV length of 24 bits.

To put things in perspective, if we have a 24-bit IV (=> 2^24 keys in the key space), a busy base station which is sending 1500-byte packets at the rate of 11 Mbps will exhaust all keys in the key space in (1500*8)/(11*10^6) * 2^24 seconds, or approximately 5 hours. On the other hand, RC4 in SSL would use the same key space for 2^24 (=10^7) sessions. Even if the application has 10,000 sessions per day, the key space would last for 3 years. In other words, an 802.11 BS using RC4 has to reuse the same key in approximately 5 hours, whereas an application using SSL RC4 can avoid key reuse for approximately 3 years. This shows clearly that the fault lies not in the cipher but in the way it is being used. Going beyond an example, analyses of WEP have shown that there is a 50% chance of key reuse after 4823 packets and a 99% chance of collision after 12,430 packets. These are dangerous numbers for a cryptographic algorithm [7].
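The figures in the paragraph above can be reproduced with a short calculation. The following is an added example, not code from the paper; it assumes a saturated link for the exhaustion time and IVs chosen uniformly at random for the collision counts, and the function names are illustrative.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible IVs per WEP key


def hours_to_exhaust_iv_space(packet_bytes=1500, link_bps=11e6, iv_space=IV_SPACE):
    """Time for a saturated link to use every IV once (sequential IVs, no repeats)."""
    seconds_per_packet = packet_bytes * 8 / link_bps
    return seconds_per_packet * iv_space / 3600


def packets_until_collision(probability, iv_space=IV_SPACE):
    """Smallest packet count for which P(two packets share an IV) >= probability.

    Assumption: each packet picks its IV uniformly at random (birthday problem).
    The product of (1 - i/iv_space) is accumulated in log space so that it stays
    numerically exact over thousands of factors.
    """
    target = math.log(1.0 - probability)
    log_no_collision = 0.0  # one packet: no collision possible
    n = 1
    while log_no_collision > target:
        log_no_collision += math.log1p(-n / iv_space)  # add packet n + 1
        n += 1
    return n


if __name__ == "__main__":
    print(f"IV space exhausted after {hours_to_exhaust_iv_space():.2f} hours")
    for p in (0.50, 0.99):
        print(f"{p:.0%} chance of IV reuse after {packets_until_collision(p)} packets")
```

With random IVs a repeat becomes likely after only a few seconds of traffic on a busy link, long before the five-hour exhaustion point of a sequential counter.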

It is important to avoid key reuse in RC4 because reusing the same key means allowing different packets to use the same keystream to produce their respective cipher-text, which is dangerous. Let k_i (i = 1, 2, 3, ...) be the key stream produced for a specific packet and p_i be the packet data in plain-text. Then RC4 produces the cipher text c_i = p_i xor k_i. Now, because the medium is wireless, an intruder has easy access to c_i, the cipher-text. If the intruder knows the plain-text part of a certain message, he can calculate the key stream used to encrypt this packet, since k_i = p_i xor c_i. Once k_i is known, any future packets encrypted with the same k_i can be easily decrypted as p_i = c_i xor k_i [1]. This is the reason why RC4 warns against key reuse, which unfortunately 802.11 ignores. Note that since the variable part of the RC4 key (the IV) is attached to each packet in plain-text, it is trivial to find out that two packets have been encrypted with the same key.
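The keystream-reuse relations above and the CRC-32 linearity noted under Integrity can both be checked on a toy model of WEP encapsulation. This is an added example, not code from the paper; the key, IV and payloads are constructed, and the frame layout (3-byte IV in clear, RC4 keyed with IV followed by the shared key, little-endian CRC-32 as ICV) is a simplifying assumption.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then the keystream XORed with data."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity Check Value: an unkeyed CRC-32 over the payload."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    # Per-packet RC4 key = IV || shared key; the IV travels in the clear.
    return iv + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, frame: bytes):
    plain = rc4(frame[:3] + key, frame[3:])
    payload, check = plain[:-4], plain[-4:]
    return payload, check == icv(payload)


def keystream_from_known_plaintext(frame: bytes, known_payload: bytes) -> bytes:
    """k_i = p_i xor c_i: one known plaintext exposes the keystream of its IV."""
    return xor(frame[3:], known_payload + icv(known_payload))


def flip_bits_keeping_icv(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is linear, so the ICV change caused by delta is computable
    without the key: crc(p xor d) = crc(p) xor crc(d) xor crc(0...0)."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


# Constructed sample values (not from the paper); payloads have equal length.
KEY = bytes.fromhex("0102030405")      # 40-bit shared key
IV = bytes.fromhex("00002a")           # 24-bit IV, reused for both frames
P1 = b"known beacon payload 001"
P2 = b"secret account data 9921"


def demo_keystream_reuse():
    f1, f2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
    leaks_xor = xor(f1[3:], f2[3:])[:len(P1)] == xor(P1, P2)
    keystream = keystream_from_known_plaintext(f1, P1)
    return leaks_xor, xor(f2[3:], keystream)[:-4]   # p_2 = c_2 xor k


def demo_crc_linearity():
    frame = wep_encrypt(KEY, IV, P2)
    delta = bytes(len(P2) - 1) + b"\x01"   # flip one bit in the last byte
    return wep_decrypt(KEY, flip_bits_keeping_icv(frame, delta))


if __name__ == "__main__":
    print(demo_keystream_reuse())
    print(demo_crc_linearity())
```

The receiver accepts the altered frame because the ICV is an unkeyed linear checksum encrypted with a stream cipher; a keyed message integrity code does not have this property.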

In synchronous stream ciphers (like RC4 used in 802.11), the loss of a single bit of a data stream encrypted under the cipher causes the loss of all data following the lost bit. Since data loss is widespread in the wireless medium, it is infeasible to use a synchronous stream cipher across 802.11 frame boundaries. This is the basic problem of WEP. Note here that the problem is not the RC4 algorithm but that a stream cipher is not suitable for a wireless medium where packet loss is widespread [5].

B. AES (Advanced Encryption Standard)

The weaknesses in RC4 and loopholes in the WEP protocol have resulted in a new standard for security in WLANs (IEEE 802.11i). The new protocol is based on the Advanced Encryption Standard (AES) [5]. AES (previously called Rijndael) is a symmetric block cipher designed by Joan Daemen and Vincent Rijmen [6] that has a variable key length of 128, 192, or 256 bits to encrypt data blocks of 128, 192, or 256 bits long. Both block and key length are extensible to multiples of 32 bits. AES encryption is fast and flexible, and it can be implemented on various platforms, especially in small devices and smart cards. Also, AES has been rigorously tested for security loopholes for a few years before it was standardized by NIST [1].

The difference between keys with a length of 128, 192, or 256 bits is the number of rounds the cryptography process has to be run in order to increase the security capacity. These are shown in Table I. AES operates on a 4×4 array of bytes, termed the state. For an encryption process, each round of AES (except the last round) consists of four stages: SubBytes, ShiftRows, MixColumns, and AddRoundKey. The final round omits the MixColumns stage. For a decryption process, each of the steps SubBytes, ShiftRows, MixColumns, and AddRoundKey is inverted. AES has the following characteristics [8]:

TABLE I
NUMBER OF ROUNDS ON THE BASIS OF KEY LENGTH

            Key Length        Block size        Number of
            (No. of words)    (No. of words)    Rounds
AES-128     4                 4                 10
AES-192     6                 4                 12
AES-256     8                 4                 14

• General Security: no known security attacks and appears to have an adequate security margin.

• Software Implementation: performs encryption and decryption very well across a variety of platforms [8]. However, performance decreases with increasing key sizes. Rijndael’s high inherent parallelism facilitates the efficient use of processor resources. Its key setup time is also fast.

• Restricted Space Environments: very well suited for restricted-space environments where either encryption or decryption is implemented (but not both). It has very low RAM and ROM requirements. The key schedule for decryption is separate from encryption [8].

• Hardware Implementations: Rijndael has the highest throughput of any of the finalists for feedback modes and second highest for non-feedback modes.

• Attacks on Implementations: The operations used by Rijndael are among the easiest to defend against power and timing attacks.

• Encryption Vs Decryption: One FPGA study reports that the implementations of both encryption and decryption take about 60% more space than the implementation of encryption alone [8]. Rijndael’s speed does not vary significantly between encryption and decryption, although the key setup performance is slower for decryption than for encryption.

• Key Agility: Rijndael supports on-the-fly subkey computation for encryption.

• Versatility and flexibility: Rijndael fully supports block sizes and key sizes of 128 bits, 192 bits and 256 bits, in any combination.


III. PERFORMANCE ANALYSIS OF RC4 AND AES ALGORITHMS IN WIRELESS LANS

In terms of the choice of algorithms in WLANs, RC4 and AES have different trade-offs. Owing to the higher complexity of computation in AES as compared to RC4, we can expect much higher security in AES than in RC4. This also means a higher consumption of energy. Power can be the main constraint in the implementation of AES. The detailed performance analysis of the RC4 and AES algorithms is done in the following sections.

A wireless device, usually with very limited resources, especially battery power, is subject to the problem of high energy consumption due to encryption algorithms. Designing energy-efficient security protocols first requires an understanding of, and data related to, the energy consumption of common encryption schemes. RC4 and AES are the two algorithms that are used in WEP (WPA/WPA2) and EAP (Extensible Authentication Protocol) respectively. It has been experimentally found that RC4 is more suitable for large packets and AES is suitable for smaller packets [5].

For sufficient security strength today, it is recommended that key sizes of at least 80 bits be employed. Usually, a longer key implies more operations and the battery can be drained even more quickly. In order to investigate approaches to designing energy-efficient security protocols, there is first a need to understand the energy consumption of different encryption schemes.

For the experimentation, a laptop with a mobile Pentium III 700 MHz CPU was used and performance data were collected. In the experiments, the laptop encrypted a 5.5 MB file using RC4 and AES encryption algorithms using OpenSSL version 0.9.7a. In the experiment, the parameters taken for energy analysis were: encryption time, CPU process time, and CPU clock cycles [4].

A basic cost of encryption is represented by the product of the total number of clock cycles taken by the encryption and the average current drawn by each CPU clock cycle. The basic encryption cost is in units of ampere-cycles. To calculate the total energy cost, the ampere-cycles are divided by the clock frequency of the processor in cycles/second, giving the energy cost of encryption in ampere-seconds. Multiplying the ampere-seconds by the processor’s operating voltage then gives the energy cost in Joules. To calculate the energy cost, one has to measure the clock cycles by using an instruction set to set and read the total number of cycles taken by encryption from a register. Using the cycles, the operating voltage of the CPU, and the average current drawn for each cycle, one can calculate the energy consumption of cryptographic functions. For example, on average, each cycle consumes approximately 270 mA on an Intel 486DX2 processor or 180 mA on an Intel StrongARM. For the Intel Pentium III 800 MHz used in the measurements, it is assumed to be close to 200 mA. For a sample calculation, with a 700 MHz CPU operating at 1.35 Volt, an encryption with 20,000 cycles would consume about 5.71 x 10^-3 mA-second or 7.7 µJoule.

A. Analysis

From the results obtained from the experimentation described above, the following parameters have been analyzed:

• Encryption throughput: According to Fig. 3, RC4 is more efficient than AES in encrypting large data blocks [3]. It is also seen that RC4 performance is likely independent of the key size. Thus, it is preferable to use a long key size to provide data confidentiality without trading off the encryption throughput.

• CPU workload: Fig. 4 shows that RC4 uses less CPU processing time and reduces the workload on the CPU when it encrypts large data blocks, while AES is suitable for devices with processing power to encrypt small size packets.

• Energy cost: From Fig. 5, it can be observed that AES consumes as little as three times less energy than RC4 when encrypting small data blocks. In contrast, RC4 consumes less energy than AES for larger data blocks. Thus RC4 algorithm can be used for the encryption of data with smaller data packets.

Fig. 3. Energy throughputs Vs. Packet Size.


Fig. 4. CPU process time Vs. Packet size.

Fig. 5. Energy Consumption Vs. Packet Size.

Encryption in smaller packet size increases security at the cost of speed.

IV. CONCLUSION AND SUGGESTION:

It can be concluded from these results that in 802.11 WLANs, we can save energy by using AES to encrypt small packets such as an 802.11 ACK, which is about 14 bytes long, beacon packets, which are about 72 bytes long, and other short 802.11 management packets. To provide strong security and save energy, we could fragment a long packet into smaller packets and use AES to encrypt them. Smaller packets are often less susceptible to wireless channel errors, and hence we can save much more energy. Of course, the fragmentation would give significant energy efficiency, but it will lower transmission throughput. It is preferable to use RC4 to encrypt data packets whose sizes are about 100 bytes or more on average before transmitting them. In addition, AES would also be appropriate for short probe packets for estimating the channel conditions. For instance, if both RC4 and AES used the same key, and RC4 was broken and the key compromised, AES would also be broken.

Thus there is a need to optimize the relationship between security levels, protocols and energy consumption, so as to provide higher transmission and higher security while consuming less energy. An adaptive and intelligent encryption scheme that automatically decides on factors like fragmentation of messages and use of the appropriate algorithm, with the aim of increasing security and reducing energy consumption, needs to be devised. This will be the subject of our further research.

REFERENCES

[1] Miodrag J. Mihaljević and Ryuji Kohno (Advanced Telecommunication Laboratory), “On Wireless Communications Privacy and Security Evaluation of Encryption Techniques”, SONY Computer Science Laboratories, Proceedings of IEEE, vol. 94, no. 2, 2006.

[2] Binod Bhattarai, Ashish Raj Sharma, Jhanak Parajuli, Jigisha N. Patel, “Wireless LAN: Security Threats, Issues and Best Practices”, International Conference on Systematics, Cybernetics and Informatics (ICSCI), Jan 7-10, Hyderabad, India, vol. 1, pp. 376-382, 2009.

[3] James Goodman and Anantha P. Chandrakasan (MIT, USA), “Low power Scalable Encryption for wireless systems”, Science Publishers, Wireless Networks, vol. 4, pp. 55-70, 1998.

[4] P. Prasithsangaree and P. Krishnamurthy (Telecommunications Program, University of Pittsburgh, Pittsburgh, PA), “Analysis of Energy Consumption of RC4 and AES algorithms in wireless LANs”, IEEE proceedings publication, pp. 1445-1449, Globecom 2003.

[5] Scott Fluhrer and Itsik Mantin, “Weakness in Key Scheduling Algorithm of RC4”, (Cisco Systems Inc. USA), SAC, LNSC 2259, pp. 1-24, 2001.

[6] Joan Daemen and Vincent Rijmen, “The Design of Rijndael: AES - The Advanced Encryption Standard”, Springer-Verlag, 2002.

[7] Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing And Networking, July 16–21, 2001.

[8] William Stallings, “Cryptography and Network Security”, 4th Edition, Prentice Hall Publication, pp. 232-314, 2006.