WIFI by zhouwenjuan



Beth Sicker
David Farley
Katie Delgado
What we’ll cover
• WIFI background
• WIFI security - today
• The future of WIFI
• Definition: Wi-Fi (now known as wireless
  fidelity) is a wireless technology brand owned
  by the Wi-Fi Alliance intended to improve the
  interoperability of wireless local area network
  products based on the IEEE 802.11
How does a wireless network
• A wireless network uses radio waves to
• A computer’s wireless adapter
  translates data into a radio signal and
  transmits that to a wireless router, which
  receives and decodes it. Then the
  router sends the message to the
  Internet using an Ethernet connection.
Basic info
• 1985 FCC decided to open up several
  bands of wireless spectrum for general
  use (no government license required)
• 1990 decided a standard was needed
• 1997 was when the new standard was
The OSI Model
• Open Systems Interconnection
  Reference Model is a description for a
  common set of rules used to exchange
  data across networks.
  – Format
  – Speed
  – Errors
  – Data loss
[Figure: OSI layer stack; labels visible in the extracted slide: Application, Presentation, Data Link]
What makes WIFI different from radio communication?
• Wireless LAN communications are
  transmitted at frequencies of 2.4, 3.6
  and 5 GHz.
• These frequencies are higher than the
  frequencies used for mobile phones,
  walkie-talkies and televisions.
• This allows the signal to carry more
The flavors of 802.11
• 802.11a - 5 GHz, 54 Mb/s, OFDM
• 802.11b - slowest, 2.4 GHz, 11 Mb/s
• 802.11g - 2.4 GHz, 54 Mb/s, OFDM
• 802.11n - newest, 140 Mb/s (draft)
How to increase throughput
• MIMO (smart antenna)
• SDM - spatial division multiplexing
802.11 Security
• Background on 802.11 Security
• MAC Filtering
• WEP
• 802.11i and WPA / WPA2
Background on 802.11 Security
• Security implications for WIFI
• History of 802.11 Security
Security implications for WIFI
• Over the Air Transmission
  – Any and all data is transmitted in full
    view of the public
  – All data can be intercepted without detection
  – Data is not authenticated – easily spoofed
  – This is the driving reason a separate security
    scheme was needed
History of 802.11 Security
• 1997 - Wired Equivalent Privacy (WEP)
  built into 802.11-1997 standard
• 2001 – 802.1X Authentication Standard
• 2003 – WPA Implemented as Draft
  Version of 802.11i Specification
• 2004 – 802.11i Specification Ratified
  – WPA2 as its implementation
MAC Filtering
• Though WEP was part of the original 802.11-
  1997 specification, some vendors didn’t initially
  implement it.
• Implementing a MAC Address based whitelist
  was easier than implementing WEP security
• This was obviously insecure.
   – Spoofing a MAC address is a trivial task
   – This did nothing for confidentiality, snooping was easy
Wired Equivalent Privacy
• WEP utilizes the stream cipher RC4 for
  confidentiality and CRC-32 for integrity
  between an access point and a client.
• As the name implies, the idea was to
  provide the same level of security inherent
  to wired networks on wireless networks.
WEP Authentication (shared-key exchange, in order)
• Client sends authentication request
• AP sends challenge text
• Client sends challenge text encrypted with
  WEP key
• AP authenticates client
WEP Encryption
WEP Decryption
WEP Vulnerabilities
• IV only 20 bits
  – Ensures keystream reuse
• Network password used to encrypt data
  rather than negotiating for a session key
  – Any authenticated user can eavesdrop on any
    other user
• Key and IV used without hashing allows
  for key-recovery attacks
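The keystream-reuse problem above, shown as an added example that is not part of the original slides: a minimal RC4/WEP model (the CRC-32 ICV is left out) with a constructed key, IV and two sample frames. It shows why a repeated IV lets the contents of one frame be derived from another without ever using the key.

```python
# Added illustration, not from the original slides: why prepending a
# per-packet IV to a static shared key gives WEP a keystream-reuse problem.
# RC4 is implemented inline so this runs offline; key, IV and frame
# contents are constructed sample values, not real credentials.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then plaintext XOR
    RC4(IV || shared key).  The CRC-32 ICV is omitted for brevity."""
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)

def same_iv_leaks_xor(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share a keystream, so c1 XOR c2 == p1 XOR p2:
    the cipher cancels out without anyone knowing the key."""
    c1 = wep_encrypt(wep_key, iv, p1)
    c2 = wep_encrypt(wep_key, iv, p2)
    return c1[:3] == c2[:3] and xor_bytes(c1[3:], c2[3:]) == xor_bytes(p1, p2)

def recover_with_known_frame(wep_key: bytes, iv: bytes, known: bytes, other: bytes) -> bytes:
    """Once one frame under an IV is known (predictable headers are common),
    its keystream is exposed and any other frame under that IV is readable.
    The key is used only to build the sample ciphertexts, never to decrypt."""
    c_known = wep_encrypt(wep_key, iv, known)
    c_other = wep_encrypt(wep_key, iv, other)
    keystream = xor_bytes(c_known[3:], known)
    return xor_bytes(c_other[3:], keystream)

# Constructed sample values
WEP_KEY = bytes.fromhex("0102030405")      # 40-bit key, sample only
IV = b"\x00\x00\x01"                       # an IV a busy AP eventually repeats
FRAME_A = b"AAAAAAAAAAAAAAAA"              # 16 bytes of predictable content
FRAME_B = b"GET /index.html "              # 16 bytes of other traffic
```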
Breaking WEP
• Aircrack-ng
  – Capture IVs transmitted in plaintext
    • More IVs needed for larger keys
  – Optionally, spoof messages to generate
    extra IVs for capture
  – Aircrack-ng
    • Uses a combination of statistics and brute
      force to crack the secret key
  – Very fast
WEP Improvements
• Newer versions of WEP were developed,
  but suffer from most of the same flaws as
  the original
  – WEP2 – 128 bit IV
  – This only increases the number of IVs to
    capture for the preceding attack
• The shortcomings of WEP made it clear a
  replacement was needed – 802.11i
• Two implementations by the WIFI Alliance
  – WPA – a bridge between WEP and 802.11
  – WPA2
• Pre-Shared Key
• 802.1X – uses external authentication
  – Extensible Authentication Protocol (EAP)
• This was created to replace the flawed
• This was instituted before 802.11 was
  standardized BUT was designed to be
  compatible with the draft version
• A bridge between WEP and WPA2
  – WEP hardware supported with firmware
WPA Encryption
• Temporal Key Integrity Protocol
  – Designed to maintain compatibility with WEP
  – Also uses RC4 for encryption
• Counter Mode with Cipher Block Chaining
  Message Authentication Code Protocol
  – AES based
  – Optional under WPA
• Wrapper around WEP encryption
• Differences
  – IV is not simply pre-pended to the secret key
    (bypasses IV-based key attack)
  – Utilizes a counter to prevent replay attacks
  – Replaced CRC with 64 bit integrity check
WPA2
• 802.11i implementation
• The primary difference between WPA and
  WPA2 is the mandatory implementation of
• TKIP is optionally supported
• Based on AES
  – Unlike RC4, AES is a block cipher
     • Integrity and Confidentiality both covered by
  – 128 bit keysize
  – 128 bit block size
Future of 802.11
802.11n - MIMO
• multiple-input multiple-output (MIMO)
• A technique for boosting wireless
  bandwidth and range by taking
  advantage of multiplexing.
  – Release date - Jan 2010 (speculated)
  – Op. Frequency - 5 GHz and/or 2.4 GHz
  – Throughput (Typ) - 108 Mbit/s
  – Net bit rate (Max) - 600 Mbit/s
  – Range (Indoor) - up to ~300 m
MIMO-assisted channel-based authentication scheme
• The use of multiple receive antennas
  improves the detection of spoofing attacks.

• Distinguish channel responses of different
  paths to enhance authentication.
• L. Xiao, L. Greenstein, N. Mandayam, W.
  Trappe WINLAB, Dept. ECE, Rutgers
Eve Tries to Spoof Alice
Security Gains - MIMO
• Eve must use the same number of
  transmit antennas to spoof Alice
• If she doesn’t have the same number of
  Transmit Antennas or guesses the
  wrong amount, Bob will be able to
  determine that and know she is not
Detecting Response from
• Bob can determine that the message is sent
  from Alice
• “Fingerprints in the Ether:”
  – In typical indoor environments, the
    wireless channel decorrelates rapidly
    in space
  – The channel response is hard to
    predict and to spoof
• IEEE 802.11w is a proposed
  amendment to the IEEE 802.11
  standard to increase the security of its
  management frames.
• 802.11i covers security of the data, but
  not the management frames.
Why do we care about management frames?
• Handshake frames for connection.
• Network related information and handoff
  related information flows on the
  management frames.
• Denial of Service attacks concentrate
  on management frames, use the
  connection information.
Management Frames Tasks
• Client-to-access point (AP) association and
  disassociation requests.
• AP-generated de-authentication frames
  indicating that a client is no longer valid and
  resulting in it being kicked off the network.
• Probe responses.
Attacks on Management
• Hacker can pretend to be an AP
  – send disassociation requests to clients that deny
    service to the user.
  – Once the client is disconnected, the malicious
    system might watch and see if it tries to
  – If weak Wi-Fi security, such as Wired Equivalent
    Privacy (WEP), is in use, and the client does
    attempt to reconnect, the malicious system might
    grab authentication credentials during this
Cisco Solution
• Management Frame Protection (MFP)
• Cisco WLAN systems insert a digital
  signature into the management frame (a
  field with an encrypted hash), such that
  only a legitimate AP can create it.
• A legitimate receiver will have the ability
  to validate the signature.
Management Frames after 802.11w
• Will have a reason code
• Information Element 18 bytes will be
  added that will be encrypted with IGTK
  (integrity Group Temporal Key)
• 4 way handshake to authenticate AP
  and user.
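An added example, not from the original slides nor the Cisco or 802.11w implementation, of the integrity element and replay counter described above applied to a constructed deauthentication frame. It substitutes truncated HMAC-SHA256 for the standard's AES-CMAC (BIP), uses sample key and frame bytes, and models only the KeyID, IPN and MIC fields of the element as a 16-byte trailer (the element ID and length bytes are left out).

```python
# Added illustration, not from the original slides and not 802.11w code:
# a simplified model of integrity-protecting a deauthentication frame.
# Real 802.11w uses BIP (AES-128-CMAC) under the IGTK; truncated HMAC-SHA256
# stands in so this runs offline.  Key and frame bytes are constructed.
import hashlib
import hmac
import struct

KEYID_LEN, IPN_LEN, MIC_LEN = 2, 6, 8      # MMIE-style trailer: KeyID | IPN | MIC
TRAILER_LEN = KEYID_LEN + IPN_LEN + MIC_LEN

def _mic(igtk: bytes, body: bytes, hdr: bytes) -> bytes:
    return hmac.new(igtk, body + hdr, hashlib.sha256).digest()[:MIC_LEN]

def protect_frame(igtk: bytes, key_id: int, ipn: int, frame_body: bytes) -> bytes:
    """AP side: append KeyID(2) | IPN(6) | MIC(8); MIC covers body and KeyID/IPN."""
    hdr = struct.pack("<H", key_id) + ipn.to_bytes(IPN_LEN, "little")
    return frame_body + hdr + _mic(igtk, frame_body, hdr)

class Station:
    """Client side: rejects frames that lack, fail, or replay the integrity element."""
    def __init__(self, igtk: bytes):
        self.igtk = igtk
        self.last_ipn = -1                  # highest IPN accepted so far

    def accept(self, frame: bytes) -> str:
        if len(frame) < TRAILER_LEN:
            return "reject: no integrity element"
        body = frame[:-TRAILER_LEN]
        hdr = frame[-TRAILER_LEN:-MIC_LEN]
        mic = frame[-MIC_LEN:]
        if not hmac.compare_digest(mic, _mic(self.igtk, body, hdr)):
            return "reject: bad MIC"        # forged or tampered: sender lacked the IGTK
        ipn = int.from_bytes(hdr[KEYID_LEN:], "little")
        if ipn <= self.last_ipn:
            return "reject: replay"         # a captured frame played back later
        self.last_ipn = ipn
        return "accept"

def demo() -> list:
    """Constructed scenario: genuine deauth, its replay, a forgery, a tampered copy, a legacy frame."""
    igtk = b"\x11" * 16                                     # sample group key
    deauth = b"\xc0\x00" + b"\x07\x00"                      # sample deauth body, reason code 7
    sta = Station(igtk)
    genuine = protect_frame(igtk, 4, 1, deauth)
    forged = protect_frame(b"\x22" * 16, 4, 2, deauth)       # sender without the real IGTK
    tampered = bytearray(genuine)
    tampered[2] ^= 0x01                                      # reason code altered in flight
    return [sta.accept(genuine), sta.accept(genuine), sta.accept(forged),
            sta.accept(bytes(tampered)), sta.accept(deauth)]
```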
802.11w Conclusion
• 802.11w promises to patch security problems created by the
  flow of new and detailed information over management frames.
• By protecting the contents of most frames from eavesdropping,
  and of certain crucial frames from forging, 802.11w will stop the
  information leakage and reduce some basic DoS attacks.
• Control Frames and certain management frames will remain
  unprotected so jamming attacks and physical attacks are still
• But... a little more secure.

• How did the OSI Model help standardize?
  – Format, Speed, Errors, Data loss

• Name one or more vulnerabilities in WEP
  – small IV size all but guarantees keystream reuse
  – the fact that the IV and key are passed into RC4 unaltered allows for key recovery attacks

• What are the advantages to WPA?
  – it allows use of WEP-compliant equipment without the security failings of WEP

• What new security features does 802.11w promise?
  – patch security problems
  – stop the information leakage
  – reduce some basic DoS attacks

• Can MIMO increase security?
  – Yes, more antennae increase security
