1

Wireless SecurityBy

Neeraj PoddarAdvanced Cryptography

04/14/2011

2

The IEEE 802.11 wireless LAN standard was established in 1989 and was originally intended to seek a wireless equivalent to Ethernet.

Wide spread popularity in recent years.

Major difference between wired and wireless networks is access to the transmitted data.

From the initial development stages of wireless technologies experts knew that security would be a major issue that needed to be solved in order for this technology to be able to overtake the place of wired networks.

A Little Background

3

Wireless security is a major demand in the secure data transferring services.

Accidental association Malicious association Non-traditional networks Identity theft (MAC spoofing) Man-in-the-middle attacks Denial of service Network injection

Security Concerns

4

In WLANs, privacy is achieved by data contents protection with encryption.

There have been three major generations of security approaches, which is mentioned below:

• WEP (Wired Equivalent Privacy)• WPA (Wi-Fi Protected Access)• WPA2/802.11i (Wi-Fa Protection Access, Version 2)

Each of these protocols has two generations named as personal and enterprise.

Security Measures

5

OSI Model View

6

WEP’s security goals are :-

• Access control: protecting the wireless network from unauthorized access.

• Confidentiality: to prevent eavesdropping.

• Data integrity: to prevent tampering with transmitted messages.

WEP

7

WEP uses RC4 algorithm for encryption and key stream generation.

Sender side:• The secret key used in WEP algorithm is 40-bit long is concatenated with a

24-bit Initialization Vector (IV) for acting as the encryption/decryption key.

• The resulting key acts as the seed for a Pseudo-Random Number Generator (PRNG).

• The plaintext input in a integrity algorithm and concatenate by the plaintext again.

• The result of key sequence and ICV will go to RC4 algorithm. • A final encrypted message is made by attaching the IV in front of the Cipher

text.

WEP Algorithm

8

Contd..

9

WEP uses five operations to decrypt the received (IV + Cipher text).

• The Pre-Shared Key and IV concatenated to make a secret key.

• The Cipher text and Secret Key go to in CR4 algorithm and a plaintext come as a result.

• The ICV and plaintext will separate.

• The plaintext goes to Integrity Algorithm to make a new ICV (ICV’).

• Finally the new ICV (ICV‘)compare with original ICV.

Recipient Side

10

Contd..

11

Random bits whose size depends on the encryption algorithm and is normally as large as the block size of the cipher or as large as the Secret key.

The IV must be known to the recipient of the encrypted information to be able to decrypt it.

WEP algorithm does this by transmitting the IV along with the packet.

In WEP for two different lengths (64, 128 bit) of keys IV is 24-bit.

Initialization Vector (IV)

12

Simple 5- or 13-character password that is shared between the access point and all wireless network users.

For the 64-bit key the length of secret key is 40 bits and for 128-bit key the length is 104 bits.

Pre-Shared Key

13

WEP defines a method to create a unique secret key for each packet using the 5- or 13-characters of the pre-shared key and three more pseudo-randomly selected characters picked by the wireless hardware (IV).

For example, our Pre-shared key is "ARASH". This word would then be merged with "AHL" as IV to create a secret key of "AHLARASH", which would be used in encryption operations of packet.

The next packet would still use "ARASH", but concatenate it this time with "ARA" to create a new secret key of "ARAARASH".

This process would randomly continue during the transmission of data.

PRNG

14

Is one of hashing algorithm and it is abbreviation of "Cyclic Redundancy Code".

The "CRC" term is reserved for algorithms that are based on the "polynomial" division idea.

Take the data as a VERY long binary number and divide it by a constant divisor.

ICV & Integrity Algorithm (CRC-32):

15

RC4 is not specific to WEP; it is a random generator, also known as a key stream generator or a stream cipher.

RC4:

16

Size of IV is short and will be reused.

• Regardless of the key size, 24-bit long of WEP’s IV can only provide 16,777,216 different RC4 cipher streams for a given WEP key.

• If the RC4 cipher stream for a given IV is found, an attacker can decrypt subsequent packets that were encrypted with the same IV or can forge packets.

• If a hacker collects enough frames based on the same IV, the individual can determine the shared values among them, i.e., the key stream or the shared secret key.

WEP Problems

17

Is a major issue and key updating mechanism is poor.

Most wireless networks that use WEP have one single WEP key shared between every node on the network.

Since synchronizing the change of keys is difficult, network administrators must personally visit each wireless device in use and manually enter the appropriate WEP key.

Result is key rarely changed by the system administrators.

Key management

18

Weak keys, meaning that there is more correlation between the key and the output.

The first three bytes of the key are taken from the IV that is sent unencrypted in each packet which can be used to find weak keys.

Out of the 16 million IV values available, about 9,000 are interesting.

The attacker captures "interesting packets" filtering for IVs that suggest weak keys.

Because all original IP packets start with a known value, it’s easy to know when he/she has the right key.

To determine a 104-bit WEP key, he/she has to capture between 2,000 and 4,000 interesting packets.

Issues with RC-4 Algorithm

19

Two types of authentication: Open System and Shared Key authentication.

Turning on authentication with WEP reduced the security.

Shared Key authentication involves demonstrating the knowledge of the shared WEP key by encrypting a challenge.

Any monitoring attacker can observe the challenge and the encrypted response.

From those, then can determine the RC4 stream used to encrypt the response.

The attacker can later forge an authentication.

Forging of Authentication Messages

20

WEP does not prevent replay attacks.

An attacker can simply record and replay packets as desired and they will be accepted as legitimate.

WEP allows an attacker to undetectably modify a message without knowing the encryption key. (Weakness in CRC)

Other security concerns in WEP

21

Improved data encryption (TKIP)

Temporal Key Integrity Protocol (TKIP) using a hashing algorithm and, by adding an integrity-checking feature, ensures that the keys haven’t been tampered with.

It is an alternative to WEP that fixes all the security problems and does not require new hardware.

Enhancements over WEP

22

Like WEP, TKIP uses the RC4 stream cipher as the encryption and decryption processes and all involved parties must share the same secret key.

This secret key must be 128 bits and is called the "Temporal Key" (TK).

TKIP also uses an Initialization Vector (IV) of 48-bit and uses it as a counter.

Even if the TK is shared, all involved parties generate a different RC4 key stream.

Since the communication participants perform a 2-phase generation of a unique "Per-Packet Key" (PPK) that is used as the key for the RC4 key stream.

TKIP

23

TKIP adds four new algorithms to WEP:

• A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries

• A new IV sequencing discipline, to remove replay attacks from the attacker’s arsenal.

• A per-packet key mixing function, to de-correlate the public IVs from weak keys

• A re-keying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

TKIP New Features

24

TKIP

25

Michael is the name of the TKIP message integrity code.

New MIC designed that has 64-bits length and represented as two 32-bit little- Endian words (K0,K1)

The Michael function first pads a message with the hexadecimal value 0x5a and enough zero

pad to bring the total message length to a multiple of 32-bits.

Then partitions the result into a sequence of 32-bit words M1 M2… Mn, and finally computes the tag from the key and the message words using a simple iterative structure:

MIC or Michael

26

(L,R) ← (K0,K1) do i from 1 to n L←L XOR Mi (L,R)← Swap(L,R) return (L,R) as the tag

MIC Contd..

27

To defeat replays, TKIP reuses the WEP IV field as a packet sequence number.

Both transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set.

Transmitter increments the sequence number with each packet it sends.

TKIP requires the receiver to enforce proper IV sequencing of arriving packets.

New IV sequencing

28

WEP constructs a per-packet RC4 key by concatenating a base key and the packet IV.

The new per-packet key is called the TKIP key mixing function.

It substitutes a temporal key for the WEP base key and constructs the WEP per-packet key in a novel fashion.

The mixing function operates in two phases.

Key Mixing

29

It eliminates the same key from use by all links.

It combines the 802 MAC addresses of the local wireless interface and the temporal key by iteratively XORing each of their bytes to index into an S-box, to produce an intermediate key.

The Phase 1 intermediate key must be computed only when the temporal key is updated.

Most implementations cache its value as a performance optimization.

Phase 1

30

It de-correlates the public IV from known the per-packet key.

Uses a tiny cipher to encrypt the packet sequence number under the intermediate key, producing a 128-bit per-packet key.

This design accomplishes the second mixing function design goal.

Making it difficult for a rival to be connected to IVs and per-packet keys.

Phase 2

31

Rekeying delivers the fresh keys consumed by the various TKIP algorithms.

There are three key types: temporal keys, encryption keys and master keys.

Occupying the lowest level of the hierarchy are the temporal keys consumed by the TKIP privacy and authentication algorithms proper.

TKIP employs a pair of temporal key types: a 128-bit encryption key, and a second 64-bit key for data integrity.

TKIP uses a separate pair of temporal keys in each direction of an association.

Each association has two pairs of keys, for a total of four temporal keys

Rekeying or Defeating key collision attacks:

32

TKIP Detailed Block Diagram

33

Personal WPA or WPA-PSK (Key Pre-Shared) that use for small office and home for domestic use authentication which does not use an authentication server and the data cryptography key can go up to 256 bits.

Enterprise WPA or Commercial that the authentication is made by an authentication server 802.1x, generating an excellent control and security in the users' traffic of the wireless network.

WPA

34

WPA uses 802.1X+EAP for authentication.

Replaces WEP with the more advanced TKIP encryption

No preshared key is used here, but you will need a RADIUS server.

Remote Authentication Dial In User Service (RADIUS)

WPA Enterprise

35

WPA2 was designed as a future-proof solution based on lessons learned by WEP implementers.

One of the most significant improvement is encryption algorithm which uses Advanced Encryption Standard (AES).

In particular it uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.

WPA2

36

Security vs. Bandwidth

37

Throughput with single wireless Client

38

Throughput with three wireless clients

39

Wireless Security issues WEP algorithm WEP Weakness WEP Improvements TKIP WPA WPA2 Security impact on bandwidth

Conclusion

40

Lashkari, A.H.; Towhidi, F.; Hosseini, R.S.; , "Wired Equivalent Privacy (WEP)," Future Computer and Communication, 2009. ICFCC 2009. International Conference on , vol., no., pp.492-495, 3-5 April 2009

Arash Habibi Lashkari, Mir Mohammad Seyed Danesh, Behrang Samadi, "A survey on wireless security protocols (WEP, WPA and WPA2/802.11i)," iccsit, pp.48-52, 2009 2nd IEEE International Conference on Computer Science and Information Technology, 200

Ying Wang; Zhigang Jin; Ximan Zhao; , "Practical Defense against WEP and WPA-PSK Attack for WLAN," Wireless Communications Networking and Mobile Computing (WiCOM), 2010 6th International Conference on , vol., no., pp.1-4, 23-25 Sept. 2010

Boland, H.; Mousavi, H.; "Security issues of the IEEE 802.11b wireless LAN," Electrical and Computer Engineering, 2004. Canadian Conference on , vol.1, no., pp. 333- 336

Emilio J.M. Arruda Filho , Paulo N. L. Fonseca Jr.%, Mairio J. S. Leitdo and Paulo S. F. De: “Security versus Bandwidth: The Support of Mechanisms WEP e WPA in 802.11g Network”

References

41

Thank You