Wired Equivalent Privacy Protocol _WEP_ by bestt571

VIEWS: 54 PAGES: 34

More Info
									Wireless Local Area Network (WLAN) Security



            The 802.11i Solution



                Research Paper



                  CS4235A

                  Fall 2004



                                   Group Members:


                                   Ted Choc


                                   Tracey Diamond


                                   Maleika C. Holder

                                   Mahesh Palekar
Abstract:

Wireless Networks are growing at an explosive rate. Along with the growth, come

the security problems.   Wireless networks are easy to break into due to the

broadcast nature of the medium. IEEE 802.11 standard has made significant steps

in providing a comprehensive solution to make the security of wireless networks

comparable to wired networks. Current IEEE 802.11a, b, g standards use WEP

protocol which has a lot of known flaws and even the interim security solution,

WPA, does not meet the requirements for some users. Hence IEEE is has developed

a new standard, IEEE 802.11.i that includes the WPA and RSN protocols. This

paper describes the WEP & WPA protocols and different vulnerabilities of these

standards. It then gives an overview of IEEE 802.11i standard, showing how the

new 802.11 addendum plans to solve the wireless network security problem.
1. Introduction

A computer network is an interconnection of multiple devices. This connection brings

about improved communications by fostering improved productivity and allowing for the

collaboration and exchange of information and resources between devices on the network

and other networks. A network can be public or private, providing network services

locally and via the Internet. Based on media transmission type, there are two categories

of networks, wired and wireless. Today wired networks are the more commonly

deployed networks because more security solutions are readily available, but wireless

networks are becoming more popular. This popularity has led to the need for more

security solutions for wireless networks. Currently there are two security protocols being

implemented in wireless networks, WEP and WPA. Though both have major strengths,

their flaws have lead industry leaders to develop the IEEE 802.11i standard to provide the

ultimate wireless network security. Section 2 gives a brief overview of the different

WLAN standards. Section 3 covers the WEP protocol in detail while section 4 explains

WPA. In section 5, different security issues are discussed. Section 6 describes the future

of WLAN security, which includes the IEEE 802.11i standard along with the protocols

for discovery, authentication, key management and data transfer. Section 7 gives the

summary of the paper.



2. Overview

       Standards activities by IEEE have made significant strides in making wireless

networks a viable alternative to wired networks. The IEEE 802 Standards Committee is a

leader in LAN and WAN standards. The committee creates and maintains standards at

the physical (PHY) layer and the medium access control (MAC) sub-layer. This
standardizes the lowest layers of the OSI model for data networks, while leaving the

remaining upper layers open for vendor development.

       The area of major development within IEEE is to work on the Wireless Local

Area Network (WLAN) 802.11 standards. Initially published in 1997, the standard gives

“requirements for a LAN implementation using both infrared and spread spectrum radio

frequency communications…for unlicensed operations” [26]. Wireless LAN 802.11

allows the extension of wired LANs into the wireless arena. 802.11 addresses both radio

transmission and Ethernet data transmission over wireless in the unlicensed frequency

band. The specification concentrates on access method, protocol, framing, security, and

QoS, while providing minimal security.

       The original 802.11 standard describes implementation using infrared and spread

spectrum radio frequency communications for the licensed-exempt spectrum. Once the

base 802.11 standard was authorized, a group of communications industry leaders joined

together in order to take the 802.11 standard beyond the standards committee. The group

is called the Wireless Fidelity (Wi-Fi) Alliance. The Wi-Fi Alliance is a nonprofit

international association formed in 1999 to certify interoperability of wireless Local Area

Network products based on the IEEE 802.11 specification. The Alliance strives to involve

carriers and vendors in order to both educate the industry and to get information from

them to create functional requirements that can be included in the standard [27]. The goal

of the Wi-Fi Alliance's members is to enhance the user experience through product

interoperability.

       Today the IEEE 802.11 standard has a number of different addendums or

supplements to the originally ratified standard. The most widely known supplements are

denoted as 802.11a – 802.11i. A brief description of each follows:
   •   802.11a – 5GHz OFDM PHY Layer
          o Modulation – Orthogonal Frequency Division Multiplexing (OFDM)
          o 20 MHz channels, multi-carrier
          o RF: UNI-II and ISM bands
   •   802.11b – 2.4 GHz CCK PHY Layer
          o Modulation – Complementary Code Keying (CCK)
          o 22 MHz channels, single-carrier
          o RF: ISM bands (2.4 GHz)
   •   802.11c – bridging tables
   •   802.11d – international roaming
   •   802.11e – quality of service
   •   802.11f – inter-access point protocols
   •   802.11g – 2.4 GHz PHY Layer
          o Modulation - CCK and OFDM
          o 22 MHz channels, single-carrier and multi-carrier
          o RF: ISM bands (2.4 GHz)
   •   802.11h – European regulatory extensions
   •   802.11i – enhanced security
                                                                                      [28]


The supplements of importance here are 802.11a, 802.11b, 802.11g, and 802.11i.

       Since the initial standard was published three key addendums of the 802.11

standard have been published to define physical layer issues, 802.11a, 802.11b, and

802.11g. The 802.11a standard solves the indoor radio frequency problem of delay

spread in the 2.4-GHz, single-carrier, delay-spread system. It does so by introducing the

use of the modulation technique called Coded Orthogonal Frequency Division

Multiplexing (COFDM). Intended to retain the error-correction, security, power-

management and other advantages of the slower, original standard, 802.11b simply adds a

technique for increasing bandwidth to 11 Mbit/sec. The IEEE's 802.11g standard is

designed as a higher-bandwidth – 54 Mbit/sec - successor to 802.11b. 802.11g also has

lower power consumption, longer range and better penetration than 802.11b. Currently

802.11b is the most widely used of the 802.11 standards. Once 802.11g has been

properly tested and given the Wi-Fi stamp, it will probably become the 802.11 standard
of choice. A major advantage of 802.11g over 802.11a is that it is backward compatible

with 802.11b.

       The security measures included within the 802.11a, b, and g standards aim to

provide the end user with the same level of security as the wired network. The initial

wireless security solution was the Wired Equivalent Privacy (WEP) encryption protocol.

This protocol proved to be inadequate, providing minimal security from the casual

eavesdroppers, “[delaying] widespread adoption of wireless LANs” [22].        In 2000, the

IEEE began work on a more robust security solution (802.11i). Work on the 802.11i

supplement involved a great deal of time and research to institute a complete solution. In

order to address the immediate need for a WEP fix, the Wi-Fi Alliance used a subset of

the “in progress” 802.11i addendum to create the Wi-Fi Protected Access (WPA)

protocol. WPA “fixes all of WEP’s problems…and allows full backwards compatibility

for most 802.11a and 802.11b devices” [24].     Only a subset of 802.11i, WPA still does

not provide optimal security. The completion of the 802.11i supplement promises to

provide the security solution required to address the flaws of earlier protocols.



3. Wired Equivalent Privacy Protocol (WEP)

   The original 802.11 standard defined the Wired Equivalent Privacy (WEP) protocol to

protect communication at the Data-link layer for WLAN users. The aim of this protocol is

to make the security of wireless networks comparable to that of wired networks. WEP is

a symmetric, private key algorithm. The security of the protocol lies in the secret key

shared between the communicating parties. The main goal of WEP is to provide

   •   Confidentiality

   •   Access Control
   •   Data Integrity

Confidentiality of the network is achieved by employing the RC4 cipher. Access control

to the network is achieved by discarding packets not properly encrypted by the WEP

protocol, and data integrity is provided by a checksum. See figure 1 below.




                                                                                        [1]

The encryption process involves three steps

   1. Checksum of the message is calculated and appended to the message to obtain

       plaintext. The checksum does not depend on the key. It is implemented as a CRC-

       32 checksum. Plain text is input to the next stage, Encryption.

   2. Plaintext is encrypted using the RC4 algorithm. An IV, Initialization vector is

       chosen. RC4 generates a long sequence of pseudo random bytes called the key

       stream, as a function of IV and secret key K. Key stream is then XORed with the

       plain text to obtain Cipher text

           •   Ciphertext = Plaintext     RC4 (IV,K)



   3. IV is transmitted along with ciphertext over the channel

                                                                                        [1]

The decryption process is exactly reverse of the encryption process.
   1. Plaintext is obtained by XOR ing ciphertext with RC4(IV,K).

       Decrypted Plaintext           =        Ciphertext        RC4 (IV,K)

                                 =       Plaintext        RC4 (IV,K)     RC4 (IV,K)

                                 =       Plaintext

   2. Decrypted Plaintext is separated into decrypted message and the checksum.

       Checksum of the decrypted message is computed and compared with the

       checksum obtained from the plaintext. If checksums are not equal then the frame

       is discarded. Thus only the frames with valid checksum are accepted.

                                                                                         [1]

The RC4 encryption algorithm is stream cipher. Developed in 1987 by Ron Rivest, for

RSA Data Security, it can use variable length keys [2]. The keystream for the algorithm

is completely independent of the plaintext used. It uses an 8 * 8 S-Box (S0 S255), in which

each entry is a permutation of the numbers 0 to 255. The permutation is a function of the

variable length key. The S-Box is generated as follows

   •   Fill S1 to S255 linearly (i.e. S0 = 0; S1 = 1 ... S255 = 255)

   •   Another 256 byte array is then filled with the key K, the key is repeated as

       necessary to fill the entire array.

   •   j =0

   •   for (i = 0 to i = 255)
          j = (j + Si + Ki) MOD 256
          Swap Si and Sj

                                                                                         [2]

Once the S-Box values are obtained, the keystream is generated as follows.

   •   i = (i + 1) MOD 256
   •   j = (j + Si) MOD 256

   •   Swap Si and Sj

   •   t = (Si + Sj) MOD 256

   •   Keystream = St

                                                                                       [2]

The keystream is then XORed with the plaintext to produce the ciphertext, or the

ciphertext to produce the plaintext.

There are 2 ways in which WEP is implemented: Classic WEP and 128-bit version WEP.

The classic WEP implementation is based on the documented WEP standard. It uses a

key length of 40bits. Key length was chosen due to the US government restriction on the

export technology containing cryptography. 128-bit version extends the key length of the

WEP protocol [1]. Some manufacturers provide a key length of 104-bits. This method is

not as easy to crack as the classic WEP method.



4. Wi-Fi Protected Access (WPA):

       Another security measure in place for wireless networks is WPA. The Wi-Fi

Alliance developed WPA, as a replacement to the WEP. It is a subset of technologies

taken from the upcoming 802.11i standards and is designed to secure all versions of

802.11 devices, including 802.11b, 802.11a, and 802.11g, multi-band and multi-mode

[4]. WAP addresses all known vulnerabilities in WEP in order to ensure data authenticity

on the WLAN without much affect to network performance. It uses Temporal Key

Integrity Protocol (TKIP). Together with 802.1X / EAP authentication, TKIP employs a

key hierarchy that greatly enhances protection. It also adds a Message Integrity Check for

Integrity check. The formula for WPA is:
       WPA = 802.1X + EAP + TKIP + MIC

                                                                                           [5]

   WPA employs three security mechanisms:

   1. Authentication

   2. Encryption

   3. Security through “Pre-Shared Key” (PSK)

WPA uses 802.1X authentication with the Extensible Authentication Protocol (EAP) as a

basis of the authentication. 802.1X is a LAN port access control mechanism for wired, as

well as wireless, networks. EAP handles the presentation of user credentials, in the form

of digital certificates unique usernames and passwords, smart cards, and secure IDs.

802.1X defines Extensible Authentication Protocol (EAP) over LANs (EAPOL). It also

defines EAPOL messages that convey the shared key information critical for wireless

security [6]. With EAP, 802.1X creates a framework in which client workstations

mutually authenticate with the authentication server.

       When a user wants access to the network, the client sends the user’s credentials to

the authentication server via the access point. If the server accepts the user’s credentials,

the master TKIP key is sent to both the client and to the access point. Then a four-way

handshake process takes place, in which the client and access point acknowledge each

other and install the keys [4]. See Figure 2 below.
                         Figure 2: Enterprise Authentication [4]

   Encryption involves TKIP increasing the key size from 40 bits to 128 bits. In TKIP,

keys are dynamically generated and distributed by the authentication server. It removes

the predictability used by an attacker to exploit the WEP key, by employing key hierarchy

and Key management methodologies. Authentication server after checking the user’s

credentials generates a master key and sends it to the client as well as access point. Client

and the access point use this key to generate unique data encryption keys. The Message

Integrity Check (MIC) is incorporated to prevent and detect modification of the data

packets. [4]
       WPA has a solution for users in small offices and homes as well. This solution is

WPA with Pre-Shared Key (PSK). WPA with PSK does not require an authentication

server. The encryption mechanism used in WPA and WPA with PSK is the same.

Authentication is done using simple common pass phrase instead of user specific

credentials. Below is a table specifying the key differences between WEP and WPA.

                       WEP                             WPA
     Encryption        Defective, cracked .            Correct most WEP defects
                       40 bit key                      128 bit key
                       Static Key. Same key is used    Keys       are   generated
                       by every one on the network     dynamically
                       Manual Distribution of Keys     Automatic Key Distribution

     Authentication    Use WEP Key                     Use   802.1X       +    EAP
                                                       framework

                        Difference between WEP and WPA [4]
                                       Table 2
5. Security Issues in IEEE 802.11
There are a number of security issues present in wireless networks today. There are

vulnerabilities outside of the security protocols mentioned above and both WEP and

WPA have vulnerabilities that allow attackers to penetrate a wireless network. Below we

enumerate some of the more common security issues. Insertion attacks are when devices

are attached to a wireless network without authority by bypassing the security and review

process [7]. One example of this type of threat would be logging onto an open or

unsecured wireless network using a laptop or other wireless device. An attacker who has

successfully inserted a device into a wireless network, which uses a hub, can monitor the

messages flowing across the network. This is because a hub unlike a switch broadcasts

messages to all nodes. The attacker can simply put his client in promiscuous mode and

gather passwords and other sensitive information as it passes through the network. The

other type of insertion attack is the insertion of a rogue access point. It requires someone

to physically add a wireless access point onto the network. An employee or someone

with temporary access to the physical network can make this addition. [7]. A laptop with

specialized software may be configured to run as a rogue wireless access point. With a

rogue wireless access point, the attacker can trick users into using his WAP because the

current 802.11 standard does not include WAP authentication. The authentication is from

the client to the WAP. The real Service Set Identifier (SSID) can be transmitted by the

rogue WAP. If it emits a stronger signal than the legitimate WAP, the rogue can steal the

traffic. [9] This can be used to perpetrate a man in the middle attack by which the attacker

reads the data sent by the user and then forwards it on to the proper destination. The users

are unaware that anything improper is taking place. Sensitive data can be compromised.

In addition, if the rogue is a laptop acting as a WAP, the victim’s machine may be

compromised in a number of ways such as Trojan horse or other malicious code.
To help prevent this type of security risk, SSID broadcast should be disabled. The SSID

will still be sent as part of communications but will not be broadcast. In addition, the

factory default name of the SSID should be changed, since attackers know the ones

commonly used by manufacturers [9].

Broadcast of the WAP’s beacon should be set at the maximum interval so anyone

scanning for a wireless access point will have less chance of finding it [9]. Jamming

takes place when a WAP becomes overwhelmed by the amount of signals it is receiving

and the result is denial of service. This can be caused by a malicious attacker or

unintentionally by a user consuming excessive amounts of bandwidth.

MAC addresses can be used to aid in the prevention of unauthorized use of wireless

networks. The WAP can be configured to allow access to only those MAC addresses

given. However, an attacker can use MAC spoofing to get around this security technique.

In MAC spoofing, the unauthorized client’s MAC address is changed to that of an

authorized device. These MAC address can be obtained by using freely available

software. For examples see Appendix A.

Software is also available to sniff a wireless network that is in close physical proximity.

Antenna can boost the range at which sniffing may be done. Sniffing can allow username

and passwords to be stolen allowing someone to log onto the network as the victim.

Additionally, fake packets can be interjected into the communication stream[7] This

occurs post-authentication, after the WAP and client have established communication, the

hacker can insert a packet that appears to come from the WAP disconnecting the client.

The hacker then can spoof packets to appear to come from the original client and send

those to the WAP. This process is known as session-hijacking. [17]
Misconfiguring a wireless network will lead to a false sense of security in a wireless

LAN. Wired Equivalent Privacy, WEP, (explained in the section above) provides a

limited amount of protection but if configured incorrectly, even this limited protection

will be diminished. There is no key management policy in the WEP protocol [9]. Some

users leave the pass phrase as the factory default key or choose weak pass phrases based

on easily guessed words.

   The Security of WEP lies in difficulty of discovering the secret key through a brute

force attack. Some shortcut attacks on the system do not require brute force attack on the

key making WEP vulnerable. This includes:

   •   Keystream Reuse

   •   Message Authentication

   •   Message Modification

   •   Message Injection

WEP provides data confidentiality using stream cipher RC4. A major drawback of the

stream ciphers is that 2 messages encrypted using the same key stream reveal the

information about both the messages. Suppose messages P1 and P2 are encrypted using

same IV and secret key K. Then

       Ciphertext C1 = P1        RC4 (IV,K)

            Ciphertext C2 = P2      RC4 (IV,K)

       C1     C2 = P1        RC4 (IV,K)     P2       RC4 (IV,K)

                  = P1      P2

Thus if one plaintext is known then other plaintext can be easily computed. This type of

attack succeeds only if the keystream is reused and the attacker has some knowledge of
the plaintext. To prevent this type of attack, WEP uses different IV for each packet.

Thereby producing different keystreams, but the length of the IV field used by WEP is

just 24 bits. Hence if a sender is transmitting packets of size 1500 bytes at a rate of

5Mbps, IV’s will start duplicating in a half a day [1]. For Message authentication, WEP

protocol uses the checksum field to ensure data integrity. The checksum is implemented

as CRC -32. CRC 32 is useful to detect random errors in a message but is not enough to

detect careful modification of the message [1].

       Message modification involves replacing the message with another message

without affecting the checksum. Let C1 be the cipher text of message M2 intercepted by


the attacker. Now the attacker has to find C2 that decrypts to M2 such that M2 = M1

E, where E is any arbitrary modification done by the attacker.

       So C2 = C1        (E,checksum(E))

               = (M1,checksum(M1))         RC4 (IV,K)      (E,checksum(E))

Checksum is a linear function. Hence

          C2 = RC4( IV,K)       (M1     E, checksum(M1)        checksum(E))

              = RC4( IV,K)      (M1     E, checksum(M1        E))

              = RC4( IV,K)      (M2, checksum(M2))

                                                                                          [1]

Thus the attacker can easily modify the message arbitrarily without the recipient knowing

about it. WEP checksum thus fails to provide data integrity.

       For message injection, checksum of the message is independent of the key. Hence

an attacker can compute the checksum of the message. If the attacker gets hold of the
plaintext and corresponding ciphertext then he can compute the keystream. Using the

keystream, one can create a new packet using same IV. As IV’s are reused, repetition of

the IV will not trigger any alarm at the receiver. Suppose the attacker has a cipher text,

C, and corresponding plain text, P, then he can calculate keystream as follows.

        C    P =P       RC4 (IV,K)      P

                = RC4(IV,K)

                                                                                             [1]

Let M1 be the message the attacker wants to inject into the system. Then he computes the

checksum of the message. And then XOR’s it with the keystream RC4 (IV,K).

C1 = (M1, checksum (M1))        RC4 (IV,K)

       The 40 bit standard WEP keys are used they can be broken by brute-force attacks,

but non-standard WEPs of at least 80 bits are very resistant to these types of attacks.

       Research has shown that key sizes of greater than 80-bits, for robust designs and
       implementations, make brute-force cryptanalysis (code breaking) an impossible
       task. For 80-bit keys, the number of possible keys – a keyspace of more than
       1026 – exceeds contemporary computing power. [9]


Although, even when proper care is taken in the generation of a WEP key, “hackers use

tools such as WEPwedgie, WEPCrack, WEPAttack, BSD-Airtools, and AirSnort to break

the Wired Equivalent Privacy (WEP) encryption standard. These tools exploit

vulnerabilities in the WEP encryption algorithm by passively observing wireless LAN

traffic until they collect enough data to recognize the pattern” [11]. Once enough data has

been obtained, WEP keys may be broken stripping away what little security they

provided.
        WEP keys use an initialization vector (IV) to vary the key between packets.

However, the IV is sent unencrypted in the message. Therefore the attacker can collect

messages and wait for two with the same IV. These can be used to recover the plaintext

using the aforementioned statistical analysis. Some manufacturers even use the same IV

each time or a small pool of frequently used IVs used by many manufactures, resulting

poor encryption.

        WPA is said to be a step-above WEP in terms of security. It is based on WEP

encryption techniques. So although it is not as vulnerable as WEP, WPA will suffer

some of the same security issues as WEP. Some generic problems with WPA are

    •   It requires a hardware upgrade, and devices enabled with WPA are only recently,

        widely available.

    •   The design of WPA causes an increase in transmission overhead.

    •   There is difficulty inherent in setting WPA up on a network, causing it to be

        undesirable for the novel user.

Another major concern that is not addressed in either WEP or WPA is handling denial-of-

service (DOS) attacks. This type of attack can be committed by sending multiple packets

each second, using the wrong key. The access point will assume a hacker is attempting to

access the network and will shut off all connections, causing the network to be down

indefinitely.


6. The Future of Wireless Security


        The 802.11i is the future of wireless network security. The collaboration of IETF

and IEEE has a standard that defines several new protocols to support the following

features:
   •   Discovery

   •   Authentication

   •   Key Management

   •   Data Transfer

                                                                                           [14]

Below 802.11i’s impact on these features is explored.

6.1 Discovery

       The 802.11i standard supports many different types of encryption. A system that

wishes to connect to the wireless network must be able to first determine what encryption

types are available and then have the ability to select one. The IEEE created a new

protocol specifically to handle this task, which is called Robust Secure Network (RSN).

The RSN protocol uses a three step process of send-response messages for a complete

communication cycle. The protocol is as follows (What is RSN?):

   1. The end-point user sends a probe request to a wireless access point.

   2. The WAP sends a probe response with a RSN Information Exchange (IE) frame.

       The information contained within the IE frame determines the type of

       authentication, unicast (broadcast to a single destination) cipher, and multicast

       (broadcast to any number of destinations) cipher suites the AP implements. The

       IE frame contains the following information.
Element Element       Version Group      Pairwise Pairwise Authentic Authentic Capabil
ID      Length                Key        suite    Suite list ation   ation      ities
                              Suite      count               Suite   Suite List
                                                             Count
1 Octet 1 Octet       2       4 Octets 2 Octets 4 Octets 2 Octets         4 Octets      2
                      Octets,                   per suite                 per suite     Octets
                      Default
                      =1



   3. The end-point user sends a 802.11 open system authentication message.

   4. The WAP sends a success response to the open authentication message.

   5. The end-point user sends an association request with an IE frame, which is

       populated with the type of authentication, uni-cast cipher, and multicast cipher

       suite the user wishes to use during this communication.

   6. The WAP sends a successful association response to the end-user, which

       acknowledges the creation of a 802.11 communication channel.

                                                                                           [14]

Both the end-user and the WAP have the ability to terminate this process if the WAP does

not support the encryption techniques the end-user is looking for, or if the end-user

selects an encryption technique the WAP does not implement. Once the communication

defined in this protocol has been completed successfully by an end-user and a WAP, a

wireless communication channel has been established between the end-user and the

access point, and both parties are now ready for the authentication portion of the 802.11i

standard. [14]

6.2 Authentication

       Once the wireless enabled end-user has discovered the available encryption

techniques, the user must authenticate their identity with the wireless network. In this
process, the end-user communicates with the AP, which in turn communicates with the

authentication server (AS) in an attempt to validate the user's credentials and privileges

for further communication. The authentication portion of the 802.11i standard must meet

the following requirements:

   •   Create a session between the end-user and the authentication server

   •   Create a mutually authenticated session key, which is stored by the end-user and

       authentication server

   •   Defend against man-in-the-middle attacks, eavesdropping, forgeries, replays, and

       dictionary attacks against any involved party.

   •   Identity protection is not required

                                                                                        [14]

Because the IEEE wanted to design the standard as modular as possible, the 802.11i

specification only requires the use of the Extensible Authentication Protocol (EAP) and

802.1X, which specifies the communication between the end-user and the access point

but does not denote how the access point and authentication server are to communicate.

EAP is designed only to transport the authentication messages and is not intended to act

as the authentication method for 802.11i. Instead, the authentication relies on other

techniques being plugged into EAP, which allows for new authentication methods to be

introduced without modifying the underlying protocol. 802.1X is simply defined as the

way to transport EAP messages from the end-user to the AP. Although not defined in the

specification, EAP-TLS (Extensible Authentication Protocol – Transport Layer Security)

is the standard authentication method for 802.11i, and RADIUS is the standard for

handling the communication between the AP and the authentication server. The flow of
messages between the three components (end-user, AP, and authentication server)

necessary to authenticate a user is shown below:

   1. AP sends an identity request to the end-user

   2. End-user sends an identity response to the AP with their user ID

   3. AP sends a access request to the authentication server with the identity specified

   4. EAP specific validation occurs during this step (EAP-TLS by default)

           •   EAP-TLS authenticates the user by having the end-user and authentication

               server generate random numbers, which are used in combination with

               private keys and certificates to generate a shared key for the

               communication.

           •   Once this step has been completed, both the end-user and authentication

               server have generated a new key to be used specifically during the

               remainder of this session.

   5. Authentication server sends an accept message to the AP with the master key.

   6. AP sends an EAP success message to the end-user, which means they were

       properly authenticated by the server.

                                                                                         [14]

Unfortunately, the decision to make RADIUS the standard for server-AP communication

has given rise to some problems. The major problem associated with RADIUS is that it

uses a static key between the AP and the authentication server, which requires a great deal

of care to ensure that the key does not get leaked. In addition, the protocol assumes the

connection between the server and the AP is secure, which allows someone to inject false

request packets into that connection and receive valid responses. Therefore, there has

been a push to move from RADIUS to DIAMETER, which uses Cryptographic Message
Syntax (CMS) for key distribution. Unfortunately, the conversion to DIAMETER does

not seem to be a high priority, which could result in the degradation of the security in

802.11i [14]. None the less, this problem is not a result of the 802.11i standard because it

does not specify the protocol to be used between the authentication server and AP, which

shows the good design discussions chosen when decided exactly what the standard should

encompass. Once the authentication process is complete, the end-user, authentication

server, and AP all have a pairwise master key, which will be used in the remaining two

components of the 802.11i standard [14].

6.3 Key Management

       The purpose of the key management component of 802.11i is to ensure that both

the AP and the end-user have shared temporal keys for both unicast and broadcast

communication. The communication method used in this process is EAPoL (Extensible

Authentication Protocol over LAN), which is actually the same as 802.1X mentioned

above. With the pairwise master key created in the authentication process, a new key is

created to ensure greater security for the remainder of the communication cycle. In the

authentication process the master key, is passed between the AP and the end-user, but the

temporary key created in this step is generated locally on both hardware devices and is

never transmitted. The process for generating the unicast key is as follows:

   1. The AP generates a random number and passes it to the end-user

   2. First, the end-user generates its own random number. The temporary key is

       generated using this random number, the number generated by the AP, the

       pairwise master key created in the authentication process, the MAC address of the

       end-user, and the MAC address of the AP.

   3. The end-user sends the access point the random number it generated.
   4. The AP now generates the same temporary key using the same information.

   5. The AP sends a message to the end-user telling it to install and use the temporary

       key from now on.

   6. The end-user sends a response, which informs the AP to start using the temporary

       key as well.

                                                                                       [14]

All messages after the initial message from the AP to the end-user contain a message

integrity code, which can be validated against the temporary key generated. This integrity

code prevents a man in the middle attack because only a device with the proper keys

could generate a valid integrity code. Once this initial communication is complete, both

devices have a shared unicast temporary key. With this key, a broadcast (group) key will

now be generated in the following way:

   1. The AP generates a random group temporary key.

   2. Using the 128-255th bits of the unicast temporary key, the AP encrypts the group

       temporary key and sends it to the end-user.

   3. The end-user decrypts the group temporary key using the same portion of the

       unicast temporary key.

                                                                                       [14]

Now, both the end-user and the AP have mutually validated keys for communicating to a

single second party (unicast key) and to any number of users at the same time

(broadcast/group key). With these keys, the communication between the two parties can

now be encrypted. [14]
6.4 Data Transfer/Encryption

       The last major component of the 802.11i standard is the process by which data is

transferred between devices. The standard defines three separate means for encrypting

data, which are CCMP, WRAP, and TKIP. All of these protocols were designed to meet

the following requirements:

   1. Never send or receive unprotected packets

   2. Authenticate the origin of messages to prevent forgeries

   3. Detect replayed packets by using sequence numbers. A sequence number

       determines the ordering of the packets transmitted. By not allowing several

       packets with the same sequence number, you are preventing replayed packets.

   4. Avoid having to rekey (re-generate keys) by using a 48 bit sequence number

   5. Protect the source and destination addresses

   6. To ensure confidentiality and integrity, use one strong cryptographic primitive.

                                                                                         [14]

       One portion of this security component is the filtering of packets. To prevent

problems during the initial establishment of the connection, the AP and end-user drop all

none 802.1X traffic,. Once both devices have the temporary unicast and broadcast keys,

they begin to drop all traffic that is not protected with those keys. By filtering the

packets, both the end-user and the AP are able to (missing piece) . The filtering allows

for more protection from forged and replayed packets, but the bulk of the complexity

regarding this security component is the encryption of data. [14]

       Of the three encryption techniques mentioned earlier, only CCMP is required to

be implemented in all 802.11i compliant devices. The CCMP technique is based on the

AES encryption algorithm in CCM mode (Counter Mode with CBC-MAC), which is a
128 bit block cipher. The data is encrypted in the following format using the temporary

keys generated previously:

   1. A checksum (MIC – Message Integrity Check) is computed over the plaintext

       header, the length of the header, and the payload. The checksum is calculated

       using the CBC-MAC portion of the AES algorithm.

   2. The checksum is appended to the end of the payload.

   3. The checksum and the payload are then encrypted using the Counter Mode of

       AES.

                                                                                            [14]

Performing these three steps, ensures that only those who hold the temporary key

generated early are able to decrypt the plaintext. In addition if a malicious third party

attempted to modify any portion of the packet, the checksum generated would not match

the one appended to the payload. This ensures the privacy and authenticity of the

communication. Although the CCMP encryption technique is provably strong, the basis

of the security is that only the intended parties have the temporary key generated in the

previous processes. For CCMP to be truly effective you must generate a new key for

every new communication established and the key must be properly based between the

end-user and the AP, which is done using the 802.1X protocol discussed above. The only

major drawback associated with CCMP is that all new hardware must be acquired

because the process is too complicated to just modify the existing technology. So this

would make the process not backward compatible [14].

       In the initial proposal of 802.11i, the IEEE proposed the use of the WRAP

encryption technique, which is based on AES in the OCM mode. Due to legal issues,

WRAP was replaced with CCMP. Since three companies have filed for patents relating
to WRAP, problems with the acceptance of this standard by those who do not hold the

patent are likely to occur. WRAP still remains in the 802.11i specification, but that is

only because some manufacturers had already produced hardware that implemented it.

WRAP will most likely not be implemented in future revisions [14]

       The final encryption technique discussed in the standard is TKIP (Temporal Key

Integrity Protocol), which is in essence a wrapper for the existing WEP security protocol.

The major benefit for TKIP is that it can be implemented entirely in software, which

allows it to run on existing hardware running WEP security. Instead of using a static key

for encryption, TKIP uses the temporary key to perform the WEP security.

Unfortunately, this is still plagued by the same problems as the original WEP because the

encryption technique is not strong enough, and a brute force attack can break the key in

several hours. The security of TKIP is an improvement over WEP because the key is

dynamically generated for each connection, but TKIP was not designed to be the optimal

solution. TKIP's main purpose is to ease the transition to 802.11i. [14]



7. Summary

       The 802.11i standard is the future of wireless security. It establishes a framework

to ensure the security of wireless communication providing network protection

comparable to that of wired networks. A major benefit of the design of 802.11i is the

extensibility allowed because if a flaw is discovered in the encryption techniques used,

the standard easily allows the addition of the new technique without replacing the

hardware. Now that many manufacturers are beginning to produce devices that

implement 802.11i, it will not be too long before the new technology is deployed and a
secure wireless infrastructure is available. In “WPA Plugs Holes in WEP”, Jim Geier

sums up wireless network security’s evolution best:

Name                           WEP                    WPA                    802.11i
A.K.A                  Won’t Even Protect     Will Protect Alright    Will Prove Airtight
Feature                Weak encryption        Same underlying         Strong AES
                       keys based on RC4      RC4-based encryp-       encryption based on
                       algorithm; static      tion as WEP; TKIP       Rijndael algorithm;
                       keys that make easy    added so that keys      adds two strong
                       targets for hackers    are rotated and en-     authentication
                                              cryption is strength-   features: wireless
                                              ened                    robust
                                                                      authentication
                                                                      protocol (WRAP)
                                                                      and counter with
                                                                      cipher block
                                                                      chaining message
                                                                      authentication code
                                                                      protocol (CCMP)



Basically, 802.11i is taking WEP a step further than simply patching WEP by proving

wireless networks the ultimate security solution of stronger encryption, authentication,

and key management strategies.
Reference:

   [1]   Borisov, Nikita, Ian Goldberg, and David Wagner. "Intercepting Mobile
         Communications: The Insecurity of 802.11.", 27 Oct. 2004
         <http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf>.

   [2]   RC4 Encryption. 31 Oct. 2004
         <http://www.cebrasoft.co.uk/encryption/rc4.htm>.

   [3]   Geier, Jim . "802.11 WEP: Concepts and Vulnerability." Wi-Fi Planet 20
         June 2002. 27 Oct. 2004 <http://www.wi-
         fiplanet.com/tutorials/article.php/1368661>.

   [4]   Wi-Fi Protected Access: Strong, standards-based, interoperable security for
         today’s Wi-Fi networks." W- Fi Alliance April 2003. 31 Oct. 2004
         http://www.wifialliance.com/OpenSection/pdf/Whitepaper_Wi-Fi_Security4-
         29-03.pdf

   [5]   Higgins, Tim. "Wi-Fi Protected Access (WPA) NeedToKnow - Part II." Toms
         Networking 25 June 2003. 30 Oct. 2004
         <http://www.smallnetbuilder.com/Sections-article50-page1.php>.

   [6]   Goransson, Paul. "802.1X provides user authentication." Network World
         Fusion 25 Mar. 2002. 1 Nov. 2004
         <http://www.nwfusion.com/news/tech/2002/0325tech.html>.

   [7]   Klaus, Christopher W. Wireless LAN Security FAQ. 6 Oct. 2002. 14 Oct. 2004
         <http://www.iss.net/wireless/WLAN_FAQ.php>.

   [8]   Arbaugh, William A., Narendar Shankar, and Y.C. J. Wan. "Your 802.11
         Wireless Network has No Clothes*." (2001). 15 Oct. 2004
         <http://www.cs.umd.edu/~waa/wireless.pdf>.

   [9]   Karygiannis, Tom, and Les Owens. National Institute of Standards and
         Technology. Wireless Network Security. Nov. 2002. 14 Oct. 2004
         <http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf>.

   [10] Gast, Matthew. “Seven Security Problems of 802.11 Wireless”. 14 Oct. 2004
        <http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html>.

   [11] Wireless LAN Security: What Hackers Know That You Don’t. 14 Oct. 2004
        <http://www.airdefense.net/whitepapers/hackers_request2.php4>.

   [12] Neudoerffer, Dave. “5 steps to secure mobile data.” 7 Nov. 2002. 14 Oct. 2004
        <http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2897010-
        1,00.html>
[13] What is a rogue wireless access point? 31 Oct. 2004
     < http://www.tech-faq.com/wireless-networks/rogue-access-point.shtml>

[14] Cam-Winget, Namcy, Moore, Tim, Stanley, Dorothy, Walker, Jesse. “IEEE
     802.11i

[15] What is 802.11i. Tech FAQ. Oct 14, 2004.
     <http://www.tech-faq.com/wireless-networks/802.11i.shtml>

[16] What is RSN (Robust Secure Network)?. Tech FAQ. Oct 14, 2004.
     <http://www.tech-faq.com/wireless-networks/rsn-robust-secure-network.shtml>

[17] Netstumbler. 03 Nov. 2004
     <http://www.netstumbler.com/2002/02/15/researchers_crack_new_wireless_sec
     urity_spec/>

[18] Solectek. A tutorial: Wireless ISP. White Paper

[19] Overview” NIST. Oct 10, 2004.
     <http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf>

[20] Cambridge Broadband. Single Carrier and OFDM Modulation.
     <http://www.cambridgebroadband.com/pub/papers/sc_and_ofdm.pdf>

[21] IEEE 802.11 Wireless Fidelity (Wi-Fi). <http://www.wi-fi.org>

[22] Cohen, Alan and Bob O’Hara. “802.11i shores up wireless security”, Network
     World Fusion. May 26, 2003.
     <http://www.nwfusion.com/news/tech/2003/0526techupdate.html>

[23] Geier, Jim. “WPA plugs holes in WEP”, Network World Fusion. March 31,
     2003. <http://www.nwfusion.com/research/2003/0331wpa.html>

[24] Fleishman, Glenn. “The Path to 802.11i”. Wi-Fi Networking News. 2003.
     <http://wifinetnews.com/archives/002594.html>

[25] “802.11i Security Specifications Finalized”. June 25, 2004.
   <http://www.wi-fiplanet.com/news/print.php/3373441>

[26] Marks, Roger B., Gifford, Ian C., and O’Hara, Bob. Standards in IEEE 802.
     Unleash the Wireless Internet

[27] Telephony’s Complete Guide to WiMAX: The Business Case for Service
     Provider Deployment. www.TelephonyONLINE.com, June 2, 2004

[28] Georgia Tech 8813 Broadband Access Networks. Lecture Notes
Appendix A: Some Common Freeware Hacker’s tools. [11]

1. NetStumbler: Freeware wireless access point identifier that listens for SSIDs and

   sends beacons as probes that search for access points. http://www.netstumbler.com

2. Kismet: Freeware wireless sniffer and monitor that passively monitors wireless traffic

   and sorts data to identify SSIDs, MAC addresses, channels, and connection speeds.

   http://www.kismetwireless.net

3. THC-RUT: Freeware wireless LAN discovery tool that uses “brute force” to identify

   low traffic access points. (“Your first knife on a foreign network.”).

   http://www.thehackerschoice.com

4. Ethereal: Freeware wireless LAN analyzer that interactively browses captured data,

   viewing summary and detail information for all observed wireless traffic.

   http://www.ethereal.com

5. AirSnort: Freeware encryption breaker that passively monitors transmissions,

   computing the encryption key when enough packets have been gathered.

   http://airsnort.shmoo.com

6. HostAP: Toolkit that converts a wireless LAN user station to function as an access

   point. (Available for wireless LAN cards that are based on Intersil's Prism2/2.5/3

   chipset.) http://hostap.epitest.fi

7. WEPWedgie: Toolkit for determining 802.11 WEP keystreams and injecting traffic

   with known keystreams. The toolkit also includes logic for firewall rule mapping,

   pingscanning, and portscanning via the injection channel.

   http://sourceforge.net/projects/wepwedgie/
8. WEPCrack: Freeware encryption breaker that cracks 802.11 WEP encryption keys

   using the latest discovered weakness of RC4 key scheduling

   http://sourceforge.net/projects/wepcrack/

9. AirSnarf: Soft AP setup utility that is designed to steal usernames and passwords

   from public wireless hotspots by confusing users with DNS and HTTP redirects from

   a competing AP. http://airsnarf.shmoo.com/

10. SMAC: Windows MAC Address Modifying Utility that allows users to change MAC

   address Network Interface Cards (NICs) on Windows 2000, XP, and 2003 Server

   systems, regardless of whether or not the manufacturer allows this option.

   http://www.klcconsulting.net/smac

11. Airjack: Denial-of-Service tool kit that sends spoofed authentication frames to an AP

   with inappropriate authentication algorithm and status codes. AP then drops

   connections with stations. Includes WLAN_JACK, Monkey_JACK, and

   hunter_killer. http://sourceforge.net/projects/airjack

12. IRPAS: Internet Routing Protocol Attack Suite designed to attack common routing

   protocols including CDP, DHCP, IGRP and HSRP http://www.phenoelit.de/irpas/

13. Ettercap: Suite for Man-in-the-Middle attacks. It features sniffing of live connections

   and content filtering on the fly. Additionally, it supports active and passive dissection

   of many protocols and includes many features for network and host analysis.

   http://ettercap.sourceforge.net

14. Cain&Abel: Password recovery tool that allows easy recovery of various kinds of

   passwords by sniffing the network and cracking encrypted passwords using

   Dictionary, Brute-Force, and Cryptanalysis attacks. Decodes scrambled passwords

   and analyzes routing protocols. http://www.oxid.it.
15. Hotspotter: Passively monitors the network for probe request frames to identify the

   preferred networks of clients. Acts as an access point to allow the client to

   authenticate and associate. www.remote-exploit.org/codes.html

16. WEP Attack: Brute-Force WEP cracker that uses Dictionary attacks against WEP

   keys. Is usually very effective against residential gateways.

   http://sourceforge.net/projects/wepattack/

17. ASLEAP: Toolkit that can recovers weak LEAP passwords, read captured files, or

   sniff the air. Can also actively de-authenticate users on LEAP networks, forcing them

   to re-authenticate. http://asleap.sourceforge.net/

18. THCLeapCracker: Toolkit that can break the Cisco LEAP authentication protocol and

   can also spoof challenge-packets from access points, allowing the hacker to perform

   Dictionary attacks against all users. http://www.thc.org

19. DSNIFF: Collection of tools for network auditing and penetration testing. Can

   passively spy and perform Man-in-the-Middle attacks.

   http://naughty.monkey.org/~dugsong/dsniff

20. IKEcrack: Authentication crack tool that can use Brute-Force or a Dictionary attack

   against key/password used with Pre-Shared-Key IKE authentication.

   http://ikecrack.sourceforge.net/

21. Nessus: Remote security scanner. http://www.nessus.org

								
To top