Post on 05-Jan-2016

Link-Layer Protection in 802.11i WLANs With Dummy Authentication

Will Mooney, Robin Jha

WLAN Overview

Basic security

Vulnerability

WPA & WPA-PSK

WEP

802.11 standards

Issues with 802.11i

Dummy Authentication

Performance

Conclusion

Wireless LAN components

Access point (AP) = bridge between wireless (802.11) and wired (802.3) networks

Wireless station (STA) = PC or other device with a wireless network interface card (NIC)

RADIUS = Authentication Server

EAP = Extensible Authentication Protocol

CCMP = Encryption based on AES counter mode with CBC-MAC

WLANs

WLANs are vulnerable to specialized attacks.

Many of these attacks exploit technology weaknesses since 802.11 WLAN security is relatively new.

There are also many configuration weaknesses since some companies are not using the security features of WLANs on all their equipment.

Vulnerability

Some of the known wireless attack methods:

Access attack

Denial of Service (DoS) - logical attacks with spoofed signaling, signal jamming

SSID (network name) sniffing

WEP encryption key recovery attacks

MAC address spoofing

Rogue AP attacks - unauthorized ingress routes may bypass firewall

Open-Access Network

Open to everyone

Requires no authentication

Provides no protection

Vulnerable to fingerprinting, traffic analysis and eavesdropping

WEP

WEP is “Wired Equivalent Privacy” or “Wireless Encryption Protocol”

It is the original wireless security protocol for the 802.11 standard

Based on the use of the same shared private encryption key (or limited set of rotating keys) among all stations on a WLAN.

Discovered recently that it is easy to decrypt if part of the key is known

WPA

The Wi-Fi Alliance released WPA (Wi-Fi Protected Access) intended to address some of the flaws.

The WPA solution addressed two critical shortfalls of the original WEP-based security standard:

Design weakness in the WEP protocol

Lack of an effective key distribution method

WPA

Uses 802.1x (EAP) for authentication

Adds MIC (Message integrity check) and frame counter

Two modes: PSK and Enterprise

PSK (Pre-Shared Key) suffers from similar key-management difficulties to WEP

Enterprise Mode requires a RADIUS server

What is 802.11?

Refers to the family of specifications developed by the IEEE for wireless LAN technology.

It specifies an interface between a wireless client and a base station or between two clients connected wirelessly.

Dummy Authentication

1. The STA sends a request with its MAC address

2. The AP creates a ticket containing the STA's MAC address, a time stamp, a validity period, and a hash of those three things using its private key. This is sent with the AP's MAC address, a status code, and certificate.

Dummy Authentication (Cont.)

3. The STA (the computer) validates the certificate and stores the ticket with the AP's public key. It generates a random number and a pre-session key, encrypts with the AP's public key, and sends the AP its MAC address, the ticket, the random number, and the pre-session key encrypted with the random number.

4. AP verifies the ticket by the MAC address and checks that it is still in the validity period. If so, it sends back its MAC address, status code, and an encrypted pre-session key.

Dummy Authentication (Concluded)

5. If successful, then the pre-session key is used in communications. Otherwise, the process begins again.

Purpose of the Ticket

Reusable within validity period

Does not require storage resources of AP

Allows for a symmetric operation

Binds to the MAC address and prevents replay attacks
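
The ticket properties listed above (reusable within the validity period, no per-station storage on the AP, bound to the STA's MAC address) can be seen in a small sketch. This is an added example, not code from the slides or from the paper: it models the "hash ... using its private key" as HMAC-SHA256 under a secret held only by the AP, which is an assumption, and it leaves out the certificate, public-key and pre-session-key steps. All names and values are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the slides or the paper).
AP_SECRET = b"ap-only-ticket-secret"      # assumption: secret known only to the AP
STA_MAC = bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("020000000002")

def _tag(secret, mac, issued, validity):
    """Keyed hash over the three ticket fields: STA MAC, time stamp, validity."""
    body = mac + struct.pack(">QI", issued, validity)
    return hmac.new(secret, body, hashlib.sha256).digest()

def issue_ticket(secret, sta_mac, now, validity=300):
    """Step 2: the AP builds the ticket and keeps no per-station state."""
    return {"mac": sta_mac, "issued": now, "validity": validity,
            "tag": _tag(secret, sta_mac, now, validity)}

def verify_ticket(secret, ticket, sender_mac, now):
    """Step 4: recompute the tag, then check MAC binding and validity period."""
    expected = _tag(secret, ticket["mac"], ticket["issued"], ticket["validity"])
    if not hmac.compare_digest(expected, ticket["tag"]):
        return "bad-tag"
    if ticket["mac"] != sender_mac:
        return "mac-mismatch"
    if not ticket["issued"] <= now <= ticket["issued"] + ticket["validity"]:
        return "expired"
    return "ok"

def demo():
    t0 = 1_000_000
    ticket = issue_ticket(AP_SECRET, STA_MAC, t0)
    forged = dict(ticket, validity=10**6)  # validity field altered after issue
    return {
        "fresh": verify_ticket(AP_SECRET, ticket, STA_MAC, t0 + 10),
        "reused": verify_ticket(AP_SECRET, ticket, STA_MAC, t0 + 200),
        "other_station": verify_ticket(AP_SECRET, ticket, OTHER_MAC, t0 + 10),
        "expired": verify_ticket(AP_SECRET, ticket, STA_MAC, t0 + 301),
        "tampered": verify_ticket(AP_SECRET, forged, STA_MAC, t0 + 400),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

The mac-mismatch check compares against the source address claimed in the frame, and the slides list MAC address spoofing among the known attacks, so a valid ticket shows only that it was issued for that address.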

Results

There seemed to be a lack of testing

The “quantifiable” results:

Spoke of different attacks (flooding the AP at different points) and said they “believed our method can resist this attack”

What We Learned

Link layer protection in wireless networks

Basic information on wireless security we often use

How different attacks are performed on a wireless network

How NOT to test your project

Sources

Yang, Zhimin, Adam C. Champion, Boxuan Gu, Xiaole Bai, and Dong Xuan. "Link-Layer Protection in 802.11i WLANs with Dummy Authentication." WiSEC (2009): 1-8. Print.