[ieee 2009 first asian himalayas international conference on internet (ah-ici) - kathmundu, nepal...
TRANSCRIPT
Challenges in 802.11 encryption algorithms: the
need for an adaptive scheme for improved
performance
Binod Bhattarai Bibek PaudelB Tech Electronics (2009), NIT Surat, India B Tech CSE (2008), NIT Durgapur, India
[email protected] Diyaalo Enterprises, Kathmandu, Nepal
Abstract: Wireless LAN (WLAN), despite its popularity, is subject to various security threats. Encrypting the data being transmitted is one of the approaches to address such risks. However, encryption algorithms are known to be computationally intensive and the relation between the strength of encryption and computational intensity is inversely proportional. In this paper, we discuss the challenges in the implementation of encryption algorithm in WLAN. We then compare and analyze the results of experiments to compare these algorithms vis-a-vis their energy consumption. It will be seen that different encryption schemes are fit for different types of messages. We propose an intelligent encryption scheme for optimal security.
I. INTRODUCTION:
In part because of the 802.11 family of standards
developed by the IEEE, the demand for wireless LANs has
increased so much that we are now in the midst of what is
called "the wireless tornado". Opportunities and risks are
closely related and wireless communication is not an
exception. The 802.11 has been suffering various security
problems and because of air being the transmission medium,
a lot of these problems are unique as well as challenging in
their own right. Wireless LANs are easy to find and easy to
deploy. "Rogue" access points could be deployed by end
users [1], since not all users are security experts. Possibilities
of unauthorized access, MAC spoofing and session hijacking
[2], traffic analysis and eavesdropping [1] and other higher
level attacks [3] exist in wireless communication.
Protecting the confidentiality, integrity and
authenticity of a message are some of the most important
issues that need to be addressed vis-a-vis guaranteeing
security in 802.11 [1]. In this paper, we delve only into the
protection of the confidentiality of messages, which can be
achieved through encryption. We discuss the different
encryption algorithms in practice and analyze their
performance. Findings of an experiment that show that RC4
is more suitable for large packets and AES is suitable for
smaller packets will be discussed followed by a suggestion of
the need for an intelligent and adaptive algorithm for
improved security of communication. There are different
cases where encryption only might not be able to achieve its
desired results as sometimes an adversary can obtain
unencrypted information without directly undoing the
encryption viz traffic analysis, trojan horses and such like.
Following are the characteristics which can be ideal for the
wireless encryption:
•higher throughput
•less number of computation so that it can be implemented
in lesser memory space and with less energy usage.
•impossible to crack
Most encryption algorithms can be categorized
under two broad encryption schemes: symmetric-key and
asymmetric-key. Symmetric cryptography algorithm is more
suitable in sensor/wireless networks because it requires only
one key and lower time complexity for encryption and
decryption in one secret channel; it can reduce the usage of
the resources (RAM, ROM) and improve the cipher
performance in a sensor node. Wireless/sensor network lack
sufficient memory space because its network units such as
access points, mote are required to be small so that physical
attacks can be reduced [4].
II. ENCRYPTION: A REVIEW OF THE MAJOR PRACTICES IN
WIRELESS LAN FOR SECURITY
Wired Equivalent Protocol (WEP) and Wi-Fi
Protected Access (WPA/WPA2) algorithms are the ones that
are so far implemented for securing the wireless network
from different foreign attacks [5]:
A. WEP and WPA/WPA2
978-1-4244-4570-7/09/$25.00 ©2009 IEEE
Both WEP and WPA algorithms use RC4 stream
cipher algorithm. WEP uses RC4 algorithm based on a 40-
bit “pre-shared” secret key and a 24-bit IV (Initialization
Vector). An ICV (Integrity Check Value) is included in every
packet to ensure data integrity. [6] The working of the RC4
algorithm has been explained in Fig. 1. The three main
services provided by this protocol are:
•Authentication:
802.11 specifies two authentication modes: OSA (Opens
Systems Authentication), which basically means null
authentication, and Shared Key Authentication, where the
Access Point (AP) uses a “pre-shared” key based challenge-
response system similar to HIPERLAN to authenticate the
Mobile Terminal (MT). After the AP authenticates the MT,
the data packets exchanged between the AP and MT are
encrypted and signed using WEP.
•Integrity:
To ensure that a packet has not been modified in transit,
802.11 use an IC (Integrity Check) field in the packet. This
IC is implemented as a CRC-32 checksum, which is part of
the WEP encrypted payload. The problem with CRC-32 is
that it is linear, which means that it is possible to compute
the bit difference of two CRCs based on bit difference of the
message over which they are taken [7] .
• Confidentiality and RC4:
For confidentiality WEP, WPA/WPA-2 uses RC4 algorithm .
RC4 algorithm has following properties:
a) it is a symmetric key algorithm
b) It is a stream cipher algorithm.
c) 24 bit IV (Initialization Vector) is appended in 40 bit key.
d) Key stream, XORed with the plain text, gives cipher text.
One significant design flaw concerns the length of
the initialization vector (IV). The IV is 24-bit long; therefore,
there are 224 different IVs. This may seem like a large
number, but a simple analysis reveals that even if a different
IV is used for each successive packet, the entire IV space
will be used up extremely quickly.
RC4 (SharedKey + IV) = KeyStream for a packet. -------- (1) LengthOf (KeyStream) = LengthOf (DataPacket+CRC) - (2)
WEP's IV size of 24 bits provides for 16,777,216
different RC4 cipher streams for a given WEP key, for any
key size [6]. Remember that the RC4 cipher stream is XOR-
ed with the original packet to give the encrypted packet that
is transmitted, and the IV is sent in the clear with each
packet. The problem is IV reuse. If the RC4 cipher stream for
a given IV is found, an attacker can decrypt subsequent
Fig. 1. Encryption/Decryption Using RC4 algorithm [7]
Fig. 2. RC4 Packet Structure.
packets that were encrypted with the same IV or can forge
packets. Fig. 2 gives the structure of RC4 packet structure.
RC4 cipher uses the combination of the shared key and the
IV to produce a key stream for each packet.
One of the most important requirements of RC4 is
that the same key should never be reused. Therefore, the key
space for the RC4 is 2^N where N is the length of the IV.
802.11 specified the IV length 24.
To put things in perspective, if we have a 24 bit IV
(=> 2^24 keys in the key- space), a busy base station which
is sending 1500 byte-packets at the rate of 11Mbps will
exhaust all keys in the key space in (1500*8)/(11*106*224)
seconds or approximately 5 hours. On the other hand RC4 in
SSL would use the same key space for 224 (=107) sessions.
Even if the application has 10,000 sessions per day, the key
space would last for 3 years. In other words, an 802.11 BS
using RC4 has to reuse the same key in approximately 5
hours whereas an application using SSL RC4 can avoid key
reuse for approximately 3 years. This shows clearly that the
fault lies not in the cipher but in the way it is being used.
Going beyond an example, analyses of WEP has shown that
there is a 50% chance of key-reuse after 4823 packets and
there is 99% chance of collision after 12,430 packets. These
are dangerous numbers for a cryptographic algorithm. [7]
It is so important to avoid key reuse in RC4 for
reusing the same key means allowing different packets to use
the same keystream to produce the respective cipher-text,
which is dangerous. Let ki (i = 1,2,3, ….) be the key stream
produced for a specific packet and pi be the packet data in
plain-text. Then RC4 produces cipher text ci = pi xor ki.
Now, because the medium is wireless, an intruder has easy
access to ci, the cipher-text. If the intruder knows the plain
text part of a certain message, he can calculate the key
stream used to encrypt this certain packet since ki = pi xor ci.
Once ki is known, any future packets encrypted with the
same ki can be easily decrypted as pi = ci xor ki [1]. This is
the reason why RC4 warns against key re-use, which
unfortunately 802.11 ignores. Note that since the variable
part of the RC4 key (the IV) is attached to each packet in
plain-text; it is trivial to find out that two packets have been
encrypted with the same-key.
In synchronous stream ciphers (like RC4 used in
802.11), the loss of a single bit of a data stream encrypted
under the cipher causes the loss of all data following the lost
bit. Since data loss is widespread in the wireless medium, it
is infeasible to use a synchronous stream cipher across
802.11 frame boundaries. This is the basic problem of WEP,
note here that the problem is not the RC4 algorithm but that
a stream cipher is not suitable for wireless medium where
packet loss is widespread [5].
B. AES (Advanced Encryption Standard)
The weaknesses in RC4 and loopholes in the WEP
protocol have resulted in a new standard for security in
WLANs (IEEE 802.11i). The nre protocol based on the
Advanced Encryption Standard (AES) [5] (previously called
Rijndael) is a symmetric block cipher designed by Joan
Daemen and Vincent Rijmen [6] that has a variable key
length of 128, 192, or 256 bits to encrypt data blocks of 128,
192, or 256 bits long. Both block and key length are
extensible to multiples of 32 bits. AES encryption is fast and
flexible, and it can be implemented on various platforms
especially in small devices and smart card. Also, AES has
been rigorously tested for security loopholes for a few years
before it was standardized by NIST [1].
The differences between key with a length of 128, 192,
or 256 bits is the number of rounds the cryptography process
has to be run in order to increase the security capacity. These
are shown in Table I. AES operates on a 4×4 array of bytes,
TABLE I
NUMBER OF ROUNDS ON THE BASIS OF KEY LENGTH
Key Length
(No. of words)
Block size
(No. of words)
Number of
Rounds
AES-128 4 4 10
AES-192 6 4 12
AES-256 8 4 14
termed the state. For an encryption process, each round of
AES (except the last round) consists of four stages SubByte,
ShiftRows, MixColumns, and AddRoundKey. The final
round omits the MixColumn stage. For a decryption process,
each of the steps ByteSub, ShiftRow, MixColumn, and
AddRoundKey is inverted. AES has the following characters
tics [8]:
• General Security: no known security attacks and appears
to have an adequate security margin
• Software Implementation: performs encryption and
decryption very well across a variety of platforms [8].
However, performance decreases with increasing key
sizes. Rijndaels’s high inherent parallelism facilitates
the efficient use of processor resources. It's key setup time is
also fast.
• Restricted Space Environments: very well suited for
restricted-space environments where either encryption
or decryption is implemented (but not both). It has very
low RAM and ROM requirements. The key schedule for
decryption is separate from encryption [8].
• Hardware Implementations: Rijndael has the highest
throughput of any of the finalist for feedback modes and
second highest for non-feedback modes.
• Attacks on Implementations: The operations used by
Rijndael are among the easiest to defend against power
and timing attacks.
• Encryption Vs Decryption: One FPGA study reports
that the implementations of both encryption and
decryption take about 60% more space than the
implementation of encryption alone [8]. Rijndael’s
speed does not vary significantly between encryption
and decryption, although the key setup performance is
slower for decryption than for encryption.
• Key Agility: Rijndael supports on-the fly subkey
computation for encryption.
• Versatility and flexibility: Rijndael fully supports block
sizes and key sizes of 128 bits, 192 bits and 256 bits, in
any combination.
III. PERFORMANCE ANALYSIS OF RC4 AND AES
ALGORITHMS IN WIRELESS LANS
In terms of the choice of algorithms in WLANs,
both RC4 and AES have different trade-offs. Owing to the
higher complexity of computation in AES as compared to
RC4, we can expect much higher security in AES than RC4.
This also means a higher consumption of energy. Power can
be the main constraint in the implementation of AES. The
detailed performance analysis of RC4 and AES algorithm is
done in the following sections.
A wireless device, usually with very limited
resources, especially battery power, is subject to the problem
of high energy consumption due to encryption algorithms.
Designing energy efficient security protocols first requires
an understanding of and data related to the energy
consumption of common encryption schemes. RC4 and AES
are the two algorithms that are used in WEP (WPA/WPA2)
and EAP (Extensible Authentication Protocol) respectively.
It has been experimentally found that RC4 is more suitable
for large packets and AES is suitable for smaller packets [5].
For sufficient security strength today, it is
recommended that key sizes of at least 80 bits be employed.
Usually, a longer key implies more operations and the battery
can be drained even more quickly. In order to investigate
approaches to designing energy efficient security protocols,
there is first a need to understand the energy consumption of
different encryption schemes.
For the experimentation, a laptop with a mobile
Pentium III 700 MHz CPU was used and performance data
were collected. In the experiments, the laptop encrypted a
5.5 MB file using RC4 and AES encryption algorithms using
OpenSSL version 0.9.7a. In the experiment, the parameters
taken for energy analysis were: encryption time, CPU
process time, and CPU clock cycles [4].
A basic cost of encryption is represented by the
product of the total number of clock cycles taken by the
encryption and the average current drawn by each CPU clock
cycle. The basic encryption cost is in unit of ampere-cycle.
To calculate the total energy cost, the ampere-cycles is
divided by the clock frequency in cycles/second of a
processor; then the energy cost of encryption in ampere-
seconds is obtained. Then, multiplying the ampere-seconds
with the processor’s operating voltage gives the energy cost
in Joule. To calculate the energy cost, one has to measure
the clock cycles by using an instruction set to set and read
the total number of cycles taken by encryption from a
register. By using the cycles, the operating voltage of the
CPU, and the average current drawn for each cycle, it can
calculate the energy consumption of cryptographic functions.
For example, on average, each cycle consumes
approximately 270 mA on an Intel 486DX2 processor or 180
mA on Intel Strong ARM. Energy consumption benchmark
for an Intel Pentium III 800 MHz which is used in
measurements; it is assumed close to 200 mA. For a sample
calculation, with a 700 MHz CPU operating at 1.35 Volt, an
encryption with 20,000 cycles would consume about 5.71 x
10-3 mA-second or 7.7 Joule.
A. Analysis
From the result obtained from the experimentation done
as mentioned above, the following parameters have been
analyzed:
• Encryption throughput:
According to the Fig. 3, RC4 is more efficient than AES in
encrypting large data blocks [3]. It is also seen that RC4
performance is likely independent of the key size. Thus, it is
preferable to use a long key size to provide data
confidentiality without trading off the encryption
throughput.
• CPU workload:
Fig. 4 shows that RC4 is operates using less CPU
processing time and reducing the work load on the CPU
when it encrypts large data blocks while AES is suitable for
devices with processing power to encrypt small size packets.
• Energy cost:
From Fig. 5, it can be observed that AES consumes as
little as three times less energy than RC4 when encrypting
small data blocks. In contrast, the RC4 consumes less energy
than AES for larger data blocks. Thus RC4 algorithm can be
used for the encryption of data with smaller data packets.
Fig. 3. Energy throughputs Vs. Packet Size.
Fig. 4. CPU process time Vs. Packet size.
Fig. 5. Energy Consumption Vs. Packet Size.
Encryption in smaller packet size increases security at the
cost of speed.
IV. CONCLUSION AND SUGGESTION:
It can been concluded from these results that in
802.11 WLANs, we can save energy by using AES to encrypt
small packets such as an 802.11 ACK which is about 14 bytes
long, beacon packets which are about 72 bytes long, and
other short 802.11 management packets. To provide strong
security and save energy, we could fragment a long packet
into smaller packets and use AES to encrypt them. Smaller
packets are often less susceptible to wireless channel errors,
and hence, we can save much more energy. Of course, the
fragmentation would give significant energy efficiency, but it
will lower transmission throughput. It is preferable to use
RC4 to encrypt data packets whose sizes are about 100 bytes
or more on average before transmitting them. In addition,
AES would also be appropriate for short probe packets for
estimating the channel conditions. For instance, if both RC4
and AES used the same key, if RC4 was broken and the key
compromised, AES would also be broken.
Thus there is need to optimize the relationship
between security levels, protocols and energy consumption
which can provide higher transmission, higher security and
consume lower energy. An adaptive and intelligent
encryption scheme that automatically decides on the factors
like fragmentation of messages and use of appropriate
algorithm with the aim of increasing security and reducing
energy consumption needs to be devised. This will be the
subject of our further research.
REFERENCES
[1] Miodrag J. Mihaljevi´c and Ryuji Kohno (Advanced
Telecommunication Laboratory), “On Wireless Communications Privacy
and Security Evaluation of Encryption Techniques”, SONY Computer
Science Laboratories, proceedings of IEEE, vol. 94, No. 2, 2006.
[2] Binod Bhattarai, Ashish Raj Sharma, Jhanak Parajuli, Jigisha N. Patel
“Wireless LAN: Security Threats, Issues and Best Practices”, International
Conference on Systematics, Cybernatics and Informatics (ICSCI), Jan 7-10,
Hyderabad India, vol. 1, pp 376-382, 2009.
[3] James Goodman, and Anantha P. Chandrakasan (MIT, USA) “Low
power Scalable Encryption for wireless systems”, Science Publishers,
Wireless Networks Volume 4, pp. 55-70, 1998.
[4] P. Prasithsangaree, and P. Krishnamurthy (Telecommunications
Program University of Pittsburgh ,Pittsburgh, PA) “Analysis of Energy
Consumption of RC4 and AES algorithms in wireless LANs”, IEEE
proceedings publication, pp. 1445-1449, Globecom 2003.
[5] Scott Fluhrer, and Itsik Mantin “Weakness in Key Scheduling
Algorithm of RC4”, (Cisco Systems Inc. USA), SAC, LNSC 2259, pp. 1-24,
2001.
[6] Joan Daemen and Vincent Rijmen, "The Design of Rijndael: AES - The
Advanced Encryption Standard." Springer-Verlag, 2002.
[7] Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting
Mobile Communications: The Insecurity of 802.11”, Proceedings of the
Seventh Annual International Conference on Mobile Computing And
Networking, July 16–21, 2001.
[8] William Stallings, “Cryptography and Network Security”, 4th Edition,
Prentice Hall Publication, pp. 232-314, 2006.