Documente Academic
Documente Profesional
Documente Cultură
Timo Hassinen
Helsinki University of Technology
thassine@cc.hut.fi
Abstract
WEP uses a pre-shared key for encryption and user authentication. WEP was developed to protect link-level data
Wireless networks are on the cutting edge of modern tech- during wireless transmission and it was accompanied by
nology and are fast becoming ubiquitous. As a result in- three main security goals. These goals are presented below
creasing interest surrounding possible security problems has in priority order:
arisen. This paper offers a general overview of various se Confidentiality: Prevent eavesdropping
curity schemes designed to protect wireless networks. For
each respective scheme, advantages and disadvantages are
Access control: Protect access to a wireless network
examined.
infrastructure
KEYWORDS: WLAN Security, WEP, WPA, WPA2
Introduction
2.1
WEP in detail
WEP
2.2
2.2.1
2006-12-11/12
the keystream by exclusive-oring the challenges. Although
the 802.11 standard discourages stations to reuse the IV from
this handshake, the attacker is left with the possibility to
transmit and authenticate indefinitely with this keystream
(replay attack). .
The possibility to forge packets was implemented by exploiting the linear CRC checksum, which was only designed
to protect against random errors. As a result the attacker may
modify and redirect the packets from the network to himself
(IP redirection). Its also possible for an attacker to modify
and release the packet and to gather information about packet
by observing, if the ACK is received or not (TCP Reaction
attack). These mechanisms clearly demonstrated the defeat
of two of the WEPs security goals mentioned earlier, i.e.
Access Control and Data Integrity.
Shortcomings of WEP
An Inductive Chosen Plaintext Attack
A field survey [9] on WEP security conducted in 2003, deduced two new weaknesses in WEP. First the WEP was optional in installation programs resulting in the fact that in
most cases WEP wasnt activated after the installation. Second the absence of key management protocol in WEP forced
users to rely on a single shared key. If this key was exposed,
the security of wireless network could be compromised.
2.2.5
Fragmentation Attack
2006-12-11/12
lem of short IV by expanding the IV key space to 128 bits.
As a result, the repetition of IV was decreased, making the
attacks exploiting the weak keys, slow down considerably.
Yet, due to the fact that the reuse of IV was still permitted,
WEP could still be compromised.
The second extension, WEPPlus (or WEP+) [14], provided the methods for hardware to avoid weak IVs. This
made the attacks based on use of weak IVs practically impossible, but the fragmentation attack was still possible. The
other disadvantage of this security scheme was that it had to
be employed at both ends of the wireless connection, which
was difficult to enforce. As a result, the need for a completely new and better security scheme continued to grow.
2.4
3 WPA
Wi-Fi Protected Access (WPA), the successor of WEP,
is a security protocol that implements majority of IEEE
802.11i[15] standard. WPA was created by the Wi-Fi Alliance [16] as an interim solution to replace WEP before
802.11i standard was ready. WPA vastly improves WEPs
encrypting process and adds a concrete user authentication mechanism. In WPA users can be either authenticated
through an IEEE 802.1X [17] Authenticate Server (often
a RADIUS server [18]) or through an access point with a
passphrase in Pre-shared key (PSK) mode. WPA also provides software upgrades to accomplish interoperability with
the older network cards and access points.
3.1
3.1.1
WPA in detail
Key security
WPA uses the RC4 stream cipher with the 128-bit keys and
48-bit IV in encryption. RC4 is still used, because its com2.3 Solutions
patible with the old hardware. In addition, WPA introduces a
WEP protocol was extended to counteract the uncovered new key security protocol, Temporal Key Integrity Protocol
flaws. The first extension, WEP2 [13], addressed the prob- (TKIP) [19], which dynamically changes the keys during the
2006-12-11/12
tication mechanism but rather an authentication framework,
which provides some common functions and a negotiation
of the desired authentication mechanism. The Authentication server works with the following principle:
1. Authentication Server accepts users credentials
2. Authentication Server uses 802.1X framework and EAP
to generate unique master key
3. 802.1X distributes the key to the AP and the client
4. TKIP sets up a key hierarchy and management system
using the master key. In other words unique data encryption keys to encrypt every data packet are generated
from the master key.
The second option, PSK mode, is called WPA-Personal.
WPA-Personal is designed for home and small office networks, which cannot afford the luxury of Authentication
Server. In this mode users are authenticated to the Access
Point (AP) with a passphrase, which is 8-63 ASCII characters or 64 hexadecimal digits long. If the ASCII characters
are chosen, a hash function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits. The passphrase can
be stored and automatically used on the users computer in
most operating systems. PSK mode employs also PBKDF2
key derivation function [21], which uses a repeated process
of cryptographic hash and salting to the passphrase. As a result stronger and more secure password is generated. However choosing a weak passphrase can still lead to a password
cracking attack. Password cracking attack can be defeated
by choosing at least 14, but preferably 22 random letters as
a passphrase [22].
3.2
Figure 3: TKIP process
3.1.2
Integrity protection
Authentication
As mentioned earlier, there are two options for user authentication in WPA. The first option, Authentication Server, is
called WPA-Enterprise. WPA-Enterprise employs Extensible Authentication Protocol (EAP) [20] together with a mutual authentication so that the wireless user does not accidentally join a rogue network. EAP is not an actual authen-
WPA and WEP both use RC4 stream cipher for encryption.
However, instead of the standard WEPs combination of 24bit IV and 40/104-bit key, WPA employs a 48-bit IV together
with a 128-bit key.
As discussed earlier, WEPs inadequate security resulted
from IV collisions and altered packets. In WPA, these problems have been eliminated with a combination of Temporal Key Integrity Protocol (TKIP), Message Integrity check
(MIC) and extended IV space. TKIPs key hierarchy exchanges WEPs single static key for roughly 500 trillion possible keys that can be used to encrypt a packet. Combined
with a 48-bit IV, TKIP effectively makes the attacks based
on recovering the key infeasible. MIC and its cryptographic
algorithm, "Michael", put a stop to the packet forgery that
was possible in WEP due to CRCs linearity.
The 802.1X/EAP framework and PSK-mode provides
WPA a concrete user authentication mechanism, which was
largely missing in WEP. As mentioned earlier, in WEP, the
user could be authenticated with the Shared-Key Authentication mechanism (Sec. 2.2), an optional feature that involves
the use of challenges. This scheme relies on the use of the
same pre-shared WEP key that was used in encryption, and
therefore was proven to be a security risk. In WPA the encryption and the authentication are separated. After authenticating to the 802.11x server/AP with credentials/passphrase,
2006-12-11/12
the keys are distributed to the user automatically. A summary usability. In other words, when setting up a wireless netof the differences between WEP and WPA is demonstrated work, users still have to enter the keys manually, which is
in the following table (Table 1).
time consuming and can be too challenging for the beginners. Therefore the WPA/WPA2 security scheme still needs
WEP
WPA
to be developed.
Encryption
Cracked
Fixes WEP flaws
Key length
40/104 bit keys 128 bit keys
Key type
Static keys
Dynamic keys
Key distribution Manual
Automatic(TKIP)
4 Future of WLAN security - User
Authentication
WEP Key
802.1X/EAP
3.3
As mentioned in previous section, the need for a more userfriendly solution is needed. Some solutions have already
been introduced.
WPA2
WPA2 is based on IEEE 802.11i [15] standard. In addition to TKIP, MIC and Michael algorithm, it provides a new
AES-based [23] algorithm CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to replace the old RC4 stream cipher. Like TKIP, CCMP
uses a 48-bit IV as a sequence number to provide replay detection. But instead of per packet key derivation function
CCMP uses single AES key to protect confidentiality and
message integrity.
In WPA2, AES is defined in counter cipher-block chaining
mode (CCM) and supports the Independent Basic Service
Set (IBSS), which enables security between client workstations operating in ad hoc mode. WPA2 also offers interoperability between WPA and WPA2 client workstations, which
enables an orderly transition from WPA to WPA2 without
compromising the security. Other new features in WPA2 are
reduced overhead in key derivation during the authentication
exchange, opportunistic key caching, when roaming between
access points and pre-authentication with IEEE 802.1X Authentication Exchange before roaming. The relationship between WPA2, WPA and WEP is presented in table 2.
Encryption cip.
Key sizes
IV size
Per-packet key
Data integrity
Replay detection
Key mng.
WEP
RC4
40/104 bit
24 bit
Key + IV
CRC-32
None
None
WPA
RC4
128 bit
48 bit
TKIP mix.fc.
Michael
IV seq.
802.1X
WPA2
AES
128 bit
48 bit
CCM
CCM
IV seq.
802.1X
3.4
Weaknesses of WPA/WPA2
Broadcom has developed a new protocol, SecureEasySetup (SES) [25], to make it easier for consumers to set up
wireless LANs with WPA. SES includes firmware for routers
and access points, as well as a software utility for devices
such as PC Card adapters. SES consists of two phases: device discovery triggered by a pushing button, and unauthenticated key exchange. In SES users set up a WPA protected
wireless network by simply clicking a software button in the
setup utility and pushing a physical button on routers and access points. When pressing the buttons, both devices enter
the configuration mode, in which they locate each other using some protocol to agree on Pre-Shared Key (PSK). A suitable protocol for this is an unauthenticated key agreement
protocol, such as Diffie-Hellman key exchange. However
this solution has two weaknesses. First the attacker can wait
in the configuration mode and when the user presses the buttons, the attacker generates a quicker response. As a result
the attacker gains access to the wireless network. Second the
user must have a physical access to the access point, which
can be a problem in larger organisations or homes, where the
AP is in a place that is difficult to access.
Windows Connect Now-NET [26] is the Microsoft implementation of the Wi-Fi Simple Configuration Protocol,
which provides a user-friendly and simple way to set up secure wireless networks and add devices to the them. This
solution works for both in-band wireless devices and out-ofband devices that use another channel, e.g. USB stick, for
exchanging authentication information. The architecture of
WCN-NET consists of three objects: the enrollee, the registrar and the access point. The enrollee is a new device
that doesnt have the settings for the wireless network. The
registrar provides these settings to the enrollee and the access point provides normal wireless network hosting and also
proxies messages between the enrollee and the registrar. In
this solution the authentication between the enrollee and registrar is typically done with a PIN code. PIN code is either
dynamically created to users screen or is a fixed PIN printed
to it as a sticker. After the PIN and the network settings have
been collected from the user, the Registration Protocol is
run between the registrar and the enrollee. When completed
the registrar displays a message to show that the enrollee
was successfully configured for the network. Compared to
WPA/WPA2, this solution is more user-friendly, since the
users do not need to remember the long WPA key.
Conclusions
References
[1] IEEE Computer Society. Wired Equivalent Privacy,
1999.
http://standards.ieee.org/
getieee802/download/802.11-1999.
pdf,pages61-64
[2] Wi-Fi Alliance. Wi-Fi Protected Access, 2003.
http://www.wi-fi.org/files/uploaded\
_files/wp\_8\_WPA\%20Security\
_4-29-03.pdf
[3] Wi-Fi Alliance. Wi-Fi Protected Access 2, 2004.
http://www.wi-fi.org/knowledge_
center/wpa2/
2006-12-11/12
[7] Nikita Borisov, Ian Goldberg, David Wagner,
Intercepting Mobile Communications: The Insecurity
of 802.11 , 2001.
http://www.isaac.cs.berkeley.edu/
isaac/mobicom.pdf
[8] Scott R. Fluhrer, Itsik Mantin, Adi Shamir, Weaknesses
in the Key Scheduling Algorithm of RC4 Selected Areas
[19]
[4] L. M. S. C. of the IEEE Computer Society. Wireless
LAN medium access control (MAC) and physical layer
(PHY) specifications. IEEE Standard 802.11, 1999 Edition, 1999.
[20]
2006-12-11/12