wlan security - uni salzburguhl/pscrypt16/wlan security.pdf · wlan security mustafa hibic,...

WLAN Security Mustafa Hibic, Panteleimon Cheropoulos and Altan Koray Aydemir


Chapters

1. Introduction
2. Modes of Unauthorized Access
3. Security Measures
4. Wired Equivalent Privacy (WEP)
5. Wi-Fi Protected Access v1 (WPAv1)
6. Wi-Fi Protected Access v2 (WPAv2)
7. Security Issues WPAv1/WPAv2
8. Wi-Fi Protected Setup (WPS)
9. 802.1x Security
10. Sources


1. Introduction

● What is WLAN?

● What is WLAN Security?

● Most common types of WLAN Security
○ Wired Equivalent Privacy (WEP)
○ Wi-Fi Protected Access (WPAv1 and WPAv2)

● Why is WLAN Security important?

● Wireless Intrusion Prevention System (WIPS)

● Wireless Intrusion Detection System (WIDS)


2. Modes of Unauthorized Access

● Accidental association
● Malicious association
● Ad hoc networks
● Identity Theft (MAC spoofing)
● Man-in-the-middle attacks
● Denial of Service
● Network Injection
● Caffe Latte attack


3. Security Measures

● SSID hiding
● MAC ID filtering
● Static IP addressing
● 802.1x security
● Regular WEP
● WPAv1
● WPAv2
● End-to-end encryption (E2EE)


4. Wired Equivalent Privacy (WEP)

● Authentication

Two methods of authentication can be used:

● Method 1: Open system authentication
● Method 2: Shared key authentication
○ Challenge-response authentication (example: password)

● WEP components
○ Cyclic redundancy check (CRC)
○ Rivest Cipher 4 (RC4)
○ Initialization vector
○ Shared key


4. WEP-Authentication

Picture 1.1. Source: http://www.elektronik-kompendium.de/sites/net/0905251.htm


4. Wired Equivalent Privacy (WEP)

● WEP encryption
○ Message M -> cipher text C
○ P := M || CRC(M)
○ Z := RC4(IV || SK)
○ C := P XOR Z

● Transmission
○ IV || C

● WEP decryption
○ Cipher text C -> message M
○ Z = RC4(IV || SK)
○ C XOR Z = P XOR Z XOR Z = P
○ P = M || CRC(M)
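The encryption and decryption steps above, written out as an added example (not code from the slides). It also shows why a static key with a short IV is a problem: two frames sent under the same IV share one keystream, so XORing their ciphertexts cancels it. The key, IV and messages are constructed sample values, and the function names are hypothetical.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, sk: bytes, m: bytes) -> bytes:
    """Return IV || C with P = M || CRC(M), Z = RC4(IV || SK), C = P XOR Z."""
    p = m + struct.pack("<I", zlib.crc32(m))  # CRC-32 appended little-endian
    return iv + xor(p, rc4(iv + sk, len(p)))


def wep_decrypt(sk: bytes, frame: bytes) -> bytes:
    """Recover M from IV || C; raise ValueError if the CRC check fails."""
    iv, c = frame[:3], frame[3:]
    p = xor(c, rc4(iv + sk, len(c)))
    m, icv = p[:-4], p[-4:]
    if struct.pack("<I", zlib.crc32(m)) != icv:
        raise ValueError("integrity check value mismatch")
    return m


# Constructed sample values: 40-bit shared key, 24-bit IV, two messages.
SK = bytes.fromhex("0102030405")
IV = bytes.fromhex("aabbcc")
M1, M2 = b"constructed frame one", b"constructed frame two"
F1, F2 = wep_encrypt(IV, SK, M1), wep_encrypt(IV, SK, M2)
# Same IV and key means same Z, so C1 XOR C2 = P1 XOR P2 (keystream cancels).
LEAK = xor(F1[3:], F2[3:])
```
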


4. Wired Equivalent Privacy (WEP)

● WEP encryption (cont.)
○ Secret key with 40 or 104 bit length
○ Integrity check value

1.1 Basic WEP encryption: RC4 keystream XORed with plaintext


4. Wired Equivalent Privacy (WEP)

● Security details
○ Authentication, encryption and integrity check all use the same key
○ Several ways to attack

● Security issues
○ Key distribution
○ 40-bit key size is insufficient
○ Man-in-the-middle attacks
○ Shared key authentication can be observed

● Security measures
○ No shared key authentication, delete SSID
○ Change the WEP key frequently


5. Wi-Fi Protected Access v1 (WPAv1)

● Temporal Key Integrity Protocol (TKIP) - On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name Wi-Fi Protected Access (WPA)

● Functionality and differences from WEP
○ Based on WEP but with many differences
○ It is based on the RC4 cipher (the default algorithm, but it can be configured to use AES-CCMP instead of RC4)
○ Wireless security through a password
○ Authentication through the use of a 64-digit hexadecimal key or a passcode
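How the two credential forms named above relate, as an added example (not from the slides): in WPA-Personal a passcode of 8 to 63 printable ASCII characters is stretched into the 256-bit key (64 hexadecimal digits) with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function name `wpa_psk` is hypothetical and the credentials in the comments are sample values.

```python
import hashlib
import string


def wpa_psk(credential: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a WPA-Personal credential.

    `credential` is either the raw key as 64 hexadecimal digits or a
    passcode of 8..63 printable ASCII characters.
    """
    if len(credential) == 64 and all(ch in string.hexdigits for ch in credential):
        return bytes.fromhex(credential)          # already the raw key
    if not 8 <= len(credential) <= 63:
        raise ValueError("passcode must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in credential):
        raise ValueError("passcode must be printable ASCII")
    # The SSID is the salt: the same passcode yields a different key on
    # every network name, but the stretching is fixed at 4096 iterations,
    # so the strength of the key still rests on the passcode itself.
    return hashlib.pbkdf2_hmac(
        "sha1", credential.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def psk_hex(credential: str, ssid: str) -> str:
    """Return the key in the 64-hex-digit form an access point accepts."""
    return wpa_psk(credential, ssid).hex()
```
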


5. Wi-Fi Protected Access v1 (WPAv1)

● Target users
○ WPA-Personal (WPA-PSK): a common method to secure wireless networks, and it is suitable for most home networks
○ WPA-Enterprise: provides the security needed for wireless networks in business environments where a RADIUS server is deployed


5. WPAv1 - Encryption/Decryption

● Encryption
○ Message M -> Cipher_text C
○ P := M || MIC(M) || CRC(M || MIC(M))
○ Z := RC4(IV || K)
○ C := P XOR Z

● Transmission
○ IV || C

● Decryption
○ Cipher_text C -> Message M
○ Z = RC4(IV || K)
○ C XOR Z = P XOR Z XOR Z = P
○ P = M || MIC(M) || CRC(M || MIC(M))


5. WPAv1 - Security problems and Measures

● Security problems
○ "Brute force" attack
○ Man-in-the-middle attack
○ Pre-Shared Keys (PSKs)

● Measures
○ Select a secure passphrase
○ Firmware updates
○ Minimization of the WLAN range
○ Change wireless password frequently


6. Wi-Fi Protected Access v2 (WPAv2)

● Functionality
○ Described in picture 1.3
○ The access point is the authenticator and the client is the supplicant
○ 802.1x/Radius-Server or Pre-Shared-Key (PSK)


6. WPAv2 - Functionality

Picture 1.3. Source: http://www.elektronik-kompendium.de/sites/net/0907111.htm


6. Wi-Fi Protected Access v2 (WPAv2)

● Advanced Encryption Standard (AES)
○ Substitution-permutation network (SPN)

● Counter Mode CBC-MAC Protocol (CCMP)

● IEEE 802.1x / Radius
○ Secure authentication method
○ Access control
○ Authorization and accounting (AAA)
○ Bandwidth allocation (QoS)
○ Single Sign-on (SSO)


7. Security Issues WPAv1/WPAv2

● Weak password

● WPA packet spoofing and decryption
○ TKIP vulnerabilities

● WPS PIN recovery - Security flaw that allows a remote attacker to recover the WPS PIN and, with it, the router's WPA/WPA2 password in a few hours.


7. Security Issues WPAv1/WPAv2

● MS-CHAPv2 - In 2012 the complexity of breaking MS-CHAPv2 was reduced to that of breaking a single DES key

● Hole196 - a vulnerability in the WPA2 protocol that abuses the shared Group Temporal Key (GTK)


Summary

Feature          WEP      WPAv1             WPAv2
Cipher           RC4      RC4               AES
Key              static   dynamic           dynamic
Key Size         40 Bit   128 Bit           128 Bit
IV Size          24 Bit   48 Bit            48 Bit
Data Integrity   CRC32    MIC               CBC-MAC
Authentication   PSK      PSK/Radius        PSK/Radius
Status           broken   partially broken  secure*

* with a random password that has at least 12 characters


8. Wi-Fi Protected Setup (WPS)

● Modes
○ PIN method
○ Push-button method
○ Near field communication method
○ USB method

● Vulnerabilities
○ Online brute-force attack
○ Offline brute-force attack
○ Physical security issues


8. Wi-Fi Protected Setup (WPS)

● Technical architecture
○ Access point (AP) with integrated registrar capabilities configures an enrollee station (STA)
○ Registrar STA configures the access point (AP) as an enrollee
○ Registrar STA configures enrollee STA

● Protocol
○ Extensible Authentication Protocol (EAP) message exchanges
○ Information is transferred through a new Information Element (IE)
○ Stream of messages may change when configuring different kinds of devices (AP or STA)


9. 802.1x security

● Extensible Authentication Protocol (EAP)

● EAP over LAN --> EAPOL

● Port entities

● Typical authentication progression
○ Initialization
○ Initiation
○ Negotiation
○ Authentication

● Vulnerabilities in 802.1X-2001 and 802.1X-2004
○ EAP-TLS is needed to achieve high security


How to crack WEP password?

● Target: Cracking a wireless password that uses WEP encryption
● OS: Kali Linux
● Tool: aircrack-ng


Thank you for your attention!