Wireless Local Area Network (WLAN) Security: Research Paper
Group Members: Ted Choc, Tracey Diamond, Maleika C. Holder, Mahesh Palekar
Abstract: Wireless networks are growing at an explosive rate. Along with the growth come security problems. Wireless networks are easy to break into due to the broadcast nature of the medium. The IEEE 802.11 standard has made significant steps in providing a comprehensive solution to make the security of wireless networks comparable to wired networks. The current IEEE 802.11a, b and g standards use the WEP protocol, which has a lot of known flaws, and even the interim security solution, WPA, does not meet the requirements of some users. Hence the IEEE has developed a new standard, IEEE 802.11i, that includes the WPA and RSN protocols. This paper describes the WEP and WPA protocols and the different vulnerabilities of these standards. It then gives an overview of the IEEE 802.11i standard, showing how the new 802.11 addendum plans to solve the wireless network security problem.
1. Introduction
A computer network is an interconnection of multiple devices. This connection brings about improved communications by fostering improved productivity and allowing for the collaboration and exchange of information and resources between devices on the network and other networks. A network can be public or private, providing network services locally and via the Internet. Based on media transmission type, there are two categories of networks, wired and wireless. Today wired networks are the more commonly deployed networks because more security solutions are readily available, but wireless networks are becoming more popular. This popularity has led to the need for more security solutions for wireless networks. Currently there are two security protocols being implemented in wireless networks, WEP and WPA. Though both have major strengths, their flaws have led industry leaders to develop the IEEE 802.11i standard to provide the ultimate wireless network security. Section 2 gives a brief overview of the different WLAN standards. Section 3 covers the WEP protocol in detail while section 4 explains WPA. In section 5, different security issues are discussed. Section 6 describes the future of WLAN security, which includes the IEEE 802.11i standard along with the protocols for discovery, authentication, key management and data transfer. Section 7 gives the summary of the paper.
2. Overview
Standards activities by the IEEE have made significant strides in making wireless networks a viable alternative to wired networks. The IEEE 802 Standards Committee is a leader in LAN and WAN standards. The committee creates and maintains standards at the physical (PHY) layer and the medium access control (MAC) sub-layer. This standardizes the lowest layers of the OSI model for data networks, while leaving the remaining upper layers open for vendor development. The major area of development within the IEEE is the work on the Wireless Local Area Network (WLAN) 802.11 standards. Initially published in 1997, the standard gives requirements for a LAN implementation using both infrared and spread spectrum radio frequency communications for unlicensed operations [26]. Wireless LAN 802.11 allows the extension of wired LANs into the wireless arena. 802.11 addresses both radio transmission and Ethernet data transmission over wireless in the unlicensed frequency band. The specification concentrates on access method, protocol, framing, security, and QoS, while providing minimal security. The original 802.11 standard describes implementation using infrared and spread spectrum radio frequency communications for the license-exempt spectrum.
Once the base 802.11 standard was authorized, a group of communications industry leaders joined together in order to take the 802.11 standard beyond the standards committee. The group is called the Wireless Fidelity (Wi-Fi) Alliance. The Wi-Fi Alliance is a nonprofit international association formed in 1999 to certify interoperability of wireless Local Area Network products based on the IEEE 802.11 specification. The Alliance strives to involve carriers and vendors in order to both educate the industry and to get information from them to create functional requirements that can be included in the standard [27]. The goal of the Wi-Fi Alliance's members is to enhance the user experience through product interoperability.
Today the IEEE 802.11 standard has a number of different addendums or supplements to the originally ratified standard. The most widely known supplements are denoted as 802.11a through 802.11i. A brief description of each follows:
802.11a - 5 GHz OFDM PHY Layer
  o Modulation - Orthogonal Frequency Division Multiplexing (OFDM)
  o 20 MHz channels, multi-carrier
  o RF: UNI-II and ISM bands
802.11b - 2.4 GHz CCK PHY Layer
  o Modulation - Complementary Code Keying (CCK)
  o 22 MHz channels, single-carrier
  o RF: ISM bands (2.4 GHz)
802.11c - bridging tables
802.11d - international roaming
802.11e - quality of service
802.11f - inter-access point protocols
802.11g - 2.4 GHz PHY Layer
  o Modulation - CCK and OFDM
  o 22 MHz channels, single-carrier and multi-carrier
  o RF: ISM bands (2.4 GHz)
802.11h - European regulatory extensions
802.11i - enhanced security [28]
The supplements of importance here are 802.11a, 802.11b, 802.11g, and 802.11i. Since the initial standard was published, three key addendums of the 802.11 standard have been published to define physical layer issues: 802.11a, 802.11b, and 802.11g. The 802.11a standard solves the indoor radio frequency problem of delay spread in the 2.4-GHz, single-carrier, delay-spread system. It does so by introducing the use of the modulation technique called Coded Orthogonal Frequency Division Multiplexing (COFDM). Intended to retain the error-correction, security, power management and other advantages of the slower, original standard, 802.11b simply adds a technique for increasing bandwidth to 11 Mbit/sec. The IEEE's 802.11g standard is designed as a higher-bandwidth (54 Mbit/sec) successor to 802.11b. 802.11g also has lower power consumption, longer range and better penetration than 802.11b. Currently 802.11b is the most widely used of the 802.11 standards. Once 802.11g has been properly tested and given the Wi-Fi stamp, it will probably become the 802.11 standard of choice. A major advantage of 802.11g over 802.11a is that it is backward compatible with 802.11b.
The security measures included within the 802.11a, b, and g standards aim to provide the end user with the same level of security as the wired network. The initial wireless security solution was the Wired Equivalent Privacy (WEP) encryption protocol. This protocol proved to be inadequate, providing minimal security from the casual eavesdroppers, [delaying] widespread adoption of wireless LANs [22]. In 2000, the IEEE began work on a more robust security solution (802.11i). Work on the 802.11i supplement involved a great deal of time and research to institute a complete solution. In order to address the immediate need for a WEP fix, the Wi-Fi Alliance used a subset of the in-progress 802.11i addendum to create the Wi-Fi Protected Access (WPA) protocol. WPA fixes all of WEP's problems and allows full backwards compatibility for most 802.11a and 802.11b devices [24]. Only a subset of 802.11i, WPA still does not provide optimal security. The completion of the 802.11i supplement promises to provide the security solution required to address the flaws of earlier protocols.
3. Wired Equivalent Privacy Protocol (WEP)
The original 802.11 standard defined the Wired Equivalent Privacy (WEP) protocol to protect communication at the Data-link layer for WLAN users. The aim of this protocol is to make the security of wireless networks comparable to that of wired networks. WEP is a symmetric, private key algorithm. The security of the protocol lies in the secret key shared between the communicating parties. The main goals of WEP are to provide:
  Confidentiality
  Access Control
  Data Integrity
Confidentiality of the network is achieved by employing the RC4 cipher. Access control to the network is achieved by discarding packets not properly encrypted by the WEP protocol, and data integrity is provided by a checksum. See figure 1 below.
[1]
The encryption process involves three steps:
1. The checksum of the message is calculated and appended to the message to obtain the plaintext. The checksum does not depend on the key. It is implemented as a CRC32 checksum. The plaintext is input to the next stage, encryption.
2. The plaintext is encrypted using the RC4 algorithm. An initialization vector (IV) is chosen. RC4 generates a long sequence of pseudo-random bytes called the keystream, as a function of the IV and the secret key K. The keystream is then XORed with the plaintext to obtain the ciphertext:
$$\text{Ciphertext} = \text{Plaintext} \oplus \mathrm{RC4}(IV, K)$$
3. The IV is transmitted along with the ciphertext over the channel. [1]
The decryption process is exactly the reverse of the encryption process.
1. The plaintext is obtained by XORing the ciphertext with RC4(IV,K):
$$\begin{aligned} \text{Decrypted Plaintext} &= \text{Ciphertext} \oplus \mathrm{RC4}(IV, K) \\ &= \text{Plaintext} \oplus \mathrm{RC4}(IV, K) \oplus \mathrm{RC4}(IV, K) \\ &= \text{Plaintext} \end{aligned}$$
2. The decrypted plaintext is separated into the decrypted message and the checksum. The checksum of the decrypted message is computed and compared with the checksum obtained from the plaintext. If the checksums are not equal, the frame is discarded. Thus only frames with a valid checksum are accepted. [1]
The RC4 encryption algorithm is a stream cipher. Developed in 1987 by Ron Rivest for RSA Data Security, it can use variable-length keys [2]. The keystream for the algorithm is completely independent of the plaintext used. It uses an 8 * 8 S-Box (S0 ... S255), whose entries are a permutation of the numbers 0 to 255. The permutation is a function of the variable-length key. The S-Box is generated as follows:
  Fill S0 to S255 linearly (i.e. S0 = 0; S1 = 1 ... S255 = 255)
  Another 256-byte array is then filled with the key K; the key is repeated as necessary to fill the entire array.
Once the S-Box values are obtained, the keystream is generated as follows.
  i = (i + 1) MOD 256
  j = (j + Si) MOD 256
  Swap Si and Sj
  t = (Si + Sj) MOD 256
  Keystream = St [2]
The keystream is then XORed with the plaintext to produce the ciphertext, or with the ciphertext to produce the plaintext. There are two ways in which WEP is implemented: classic WEP and the 128-bit version of WEP. The classic WEP implementation is based on the documented WEP standard. It uses a key length of 40 bits. This key length was chosen due to the US government restriction on the export of technology containing cryptography. The 128-bit version extends the key length of the WEP protocol [1]. Some manufacturers provide a key length of 104 bits. This method is not as easy to crack as the classic WEP method.
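The encryption and decryption steps of this section as runnable Python; this is an added example, not code from the paper. It assumes the per-packet RC4 key is the IV followed by K and omits the key-ID octet that follows the IV in a real frame; the key, IV and message are constructed sample values.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    # Key scheduling: fill S0..S255 linearly, then permute the S-Box under
    # the key, which is repeated as needed (key[i % len(key)]).
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # Keystream generation: the i / j / swap / t steps listed above, per byte.
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings (truncates to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def checksum(message: bytes) -> bytes:
    """CRC-32 of the message, little-endian; it does not depend on the key."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key: bytes, message: bytes) -> bytes:
    """Encryption steps 1-3: returns IV || ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    plaintext = message + checksum(message)               # step 1
    keystream = rc4_keystream(iv + key, len(plaintext))   # step 2: RC4(IV, K)
    return iv + xor(plaintext, keystream)                 # step 3: IV sent in clear


def wep_decrypt(key: bytes, frame: bytes):
    """Decryption steps 1-2: returns the message, or None if the frame is discarded."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    message, received = plaintext[:-4], plaintext[-4:]
    return message if checksum(message) == received else None


# Constructed sample values (not from the paper).
KEY_40 = bytes.fromhex("0102030405")   # 40-bit "classic" WEP key
IV = bytes.fromhex("a1b2c3")
MESSAGE = b"hello over the air"
FRAME = wep_encrypt(IV, KEY_40, MESSAGE)

if __name__ == "__main__":
    print("frame     :", FRAME.hex())
    print("decrypted :", wep_decrypt(KEY_40, FRAME))
```

A frame whose ciphertext was damaged in transit fails the checksum comparison and is dropped; the checksum gives no protection against deliberate changes, which is the subject of the weaknesses discussed later.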
4. Wi-Fi Protected Access (WPA)
Another security measure in place for wireless networks is WPA. The Wi-Fi Alliance developed WPA as a replacement for WEP. It is a subset of technologies taken from the upcoming 802.11i standard and is designed to secure all versions of 802.11 devices, including 802.11b, 802.11a, and 802.11g, multi-band and multi-mode [4]. WPA addresses all known vulnerabilities in WEP in order to ensure data authenticity on the WLAN without much effect on network performance. It uses the Temporal Key Integrity Protocol (TKIP). Together with 802.1X / EAP authentication, TKIP employs a key hierarchy that greatly enhances protection. It also adds a Message Integrity Check (MIC) for integrity checking. The formula for WPA is:
WPA = 802.1X + EAP + TKIP + MIC [5]
WPA employs three security mechanisms:
1. Authentication
2. Encryption
3. Security through Pre-Shared Key (PSK)
WPA uses 802.1X authentication with the Extensible Authentication Protocol (EAP) as the basis of the authentication. 802.1X is a LAN port access control mechanism for wired, as well as wireless, networks. EAP handles the presentation of user credentials, in the form of digital certificates, unique usernames and passwords, smart cards, and secure IDs. 802.1X defines Extensible Authentication Protocol (EAP) over LANs (EAPOL). It also defines EAPOL messages that convey the shared key information critical for wireless security [6]. With EAP, 802.1X creates a framework in which client workstations mutually authenticate with the authentication server. When a user wants access to the network, the client sends the user's credentials to the authentication server via the access point. If the server accepts the user's credentials, the master TKIP key is sent to both the client and the access point. Then a four-way handshake process takes place, in which the client and access point acknowledge each other and install the keys [4]. See Figure 2 below.
Figure 2: Enterprise Authentication [4]
Encryption involves TKIP increasing the key size from 40 bits to 128 bits. In TKIP, keys are dynamically generated and distributed by the authentication server. It removes the predictability used by an attacker to exploit the WEP key by employing a key hierarchy and key management methodologies. After checking the user's credentials, the authentication server generates a master key and sends it to the client as well as the access point. The client and the access point use this key to generate unique data encryption keys. The Message Integrity Check (MIC) is incorporated to prevent and detect modification of the data packets. [4]
WPA has a solution for users in small offices and homes as well. This solution is WPA with Pre-Shared Key (PSK). WPA with PSK does not require an authentication server. The encryption mechanism used in WPA and WPA with PSK is the same. Authentication is done using a simple common pass phrase instead of user-specific credentials. Below is a table specifying the key differences between WEP and WPA.

               | WEP                                                         | WPA
Encryption     | Defective, cracked                                          | Corrects most WEP defects
               | 40 bit key                                                  | 128 bit key
               | Static key; the same key is used by everyone on the network | Keys are generated dynamically
               | Manual distribution of keys                                 | Automatic key distribution
Authentication | Use WEP key                                                 | Use 802.1X framework + EAP
There are a number of security issues present in wireless networks today. There are vulnerabilities outside of the security protocols mentioned above, and both WEP and WPA have vulnerabilities that allow attackers to penetrate a wireless network. Below we enumerate some of the more common security issues.
Insertion attacks are when devices are attached to a wireless network without authority by bypassing the security and review process [7]. One example of this type of threat would be logging onto an open or unsecured wireless network using a laptop or other wireless device. An attacker who has successfully inserted a device into a wireless network which uses a hub can monitor the messages flowing across the network. This is because a hub, unlike a switch, broadcasts messages to all nodes. The attacker can simply put his client in promiscuous mode and gather passwords and other sensitive information as it passes through the network.
The other type of insertion attack is the insertion of a rogue access point. It requires someone to physically add a wireless access point onto the network. An employee or someone with temporary access to the physical network can make this addition [7]. A laptop with specialized software may be configured to run as a rogue wireless access point. With a rogue wireless access point, the attacker can trick users into using his WAP because the current 802.11 standard does not include WAP authentication. The authentication is from the client to the WAP. The real Service Set Identifier (SSID) can be transmitted by the rogue WAP. If it emits a stronger signal than the legitimate WAP, the rogue can steal the traffic [9]. This can be used to perpetrate a man in the middle attack, by which the attacker reads the data sent by the user and then forwards it on to the proper destination. The users are unaware that anything improper is taking place. Sensitive data can be compromised. In addition, if the rogue is a laptop acting as a WAP, the victim's machine may be compromised in a number of ways, such as by a Trojan horse or other malicious code.
To help prevent this type of security risk, SSID broadcast should be disabled. The SSID will still be sent as part of communications but will not be broadcast. In addition, the factory default name of the SSID should be changed, since attackers know the ones commonly used by manufacturers [9]. Broadcast of the WAP's beacon should be set at the maximum interval so anyone scanning for a wireless access point will have less chance of finding it [9].
Jamming takes place when a WAP becomes overwhelmed by the amount of signals it is receiving, and the result is denial of service. This can be caused by a malicious attacker or unintentionally by a user consuming excessive amounts of bandwidth.
MAC addresses can be used to aid in the prevention of unauthorized use of wireless networks. The WAP can be configured to allow access to only those MAC addresses given. However, an attacker can use MAC spoofing to get around this security technique. In MAC spoofing, the unauthorized client's MAC address is changed to that of an authorized device. These MAC addresses can be obtained by using freely available software. For examples see Appendix A.
Software is also available to sniff a wireless network that is in close physical proximity. An antenna can boost the range at which sniffing may be done. Sniffing can allow usernames and passwords to be stolen, allowing someone to log onto the network as the victim. Additionally, fake packets can be interjected into the communication stream [7]. This occurs post-authentication: after the WAP and client have established communication, the hacker can insert a packet that appears to come from the WAP, disconnecting the client. The hacker can then spoof packets to appear to come from the original client and send those to the WAP. This process is known as session hijacking. [17]
Misconfiguring a wireless network will lead to a false sense of security in a wireless LAN. Wired Equivalent Privacy (WEP), explained in the section above, provides a limited amount of protection, but if configured incorrectly, even this limited protection will be diminished. There is no key management policy in the WEP protocol [9]. Some users leave the pass phrase as the factory default key or choose weak pass phrases based on easily guessed words. The security of WEP lies in the difficulty of discovering the secret key through a brute force attack. Some shortcut attacks on the system do not require a brute force attack on the key, making WEP vulnerable. This includes:
WEP provides data confidentiality using the stream cipher RC4. A major drawback of stream ciphers is that two messages encrypted using the same keystream reveal information about both messages. Suppose messages P1 and P2 are encrypted using the same IV and secret key K. Then
$$\begin{aligned} C_1 &= P_1 \oplus \mathrm{RC4}(IV, K) \\ C_2 &= P_2 \oplus \mathrm{RC4}(IV, K) \\ C_1 \oplus C_2 &= P_1 \oplus \mathrm{RC4}(IV, K) \oplus P_2 \oplus \mathrm{RC4}(IV, K) \\ &= P_1 \oplus P_2 \end{aligned}$$
Thus if one plaintext is known, then the other plaintext can be easily computed. This type of attack succeeds only if the keystream is reused and the attacker has some knowledge of the plaintext. To prevent this type of attack, WEP uses a different IV for each packet, thereby producing different keystreams, but the length of the IV field used by WEP is just 24 bits. Hence if a sender is transmitting packets of size 1500 bytes at a rate of 5 Mbps, IVs will start duplicating in half a day [1].
For message authentication, the WEP protocol uses the checksum field to ensure data integrity. The checksum is implemented as CRC-32. CRC-32 is useful to detect random errors in a message but is not enough to detect careful modification of the message [1]. Message modification involves replacing the message with another message without affecting the checksum. Let C1 be the ciphertext of message M1 intercepted by the attacker. Now the attacker has to find C2 that decrypts to M2 such that M2 = M1 ⊕ E, where E is any arbitrary modification done by the attacker. So
$$\begin{aligned} C_2 &= C_1 \oplus (E, \text{checksum}(E)) \\ &= \mathrm{RC4}(IV, K) \oplus (M_1, \text{checksum}(M_1)) \oplus (E, \text{checksum}(E)) \end{aligned}$$
Checksum is a linear function. Hence
$$\begin{aligned} C_2 &= \mathrm{RC4}(IV, K) \oplus (M_1 \oplus E, \text{checksum}(M_1) \oplus \text{checksum}(E)) \\ &= \mathrm{RC4}(IV, K) \oplus (M_1 \oplus E, \text{checksum}(M_1 \oplus E)) \\ &= \mathrm{RC4}(IV, K) \oplus (M_2, \text{checksum}(M_2)) \end{aligned}$$
Thus the attacker can easily modify the message arbitrarily without the recipient knowing about it. The WEP checksum thus fails to provide data integrity.
For message injection, the checksum of the message is independent of the key. Hence an attacker can compute the checksum of the message. If the attacker gets hold of the plaintext and the corresponding ciphertext, then he can compute the keystream. Using the keystream, one can create a new packet using the same IV. As IVs are reused, repetition of the IV will not trigger any alarm at the receiver. Suppose the attacker has a ciphertext, C, and the corresponding plaintext, P; then he can calculate the keystream as follows.
$$C \oplus P = P \oplus \mathrm{RC4}(IV, K) \oplus P = \mathrm{RC4}(IV, K)$$
[1]
Let M1 be the message the attacker wants to inject into the system. Then he computes the checksum of the message and XORs the result with the keystream RC4(IV,K).
$$C_1 = (M_1, \text{checksum}(M_1)) \oplus \mathrm{RC4}(IV, K)$$
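The three identities above checked on constructed data, together with the half-a-day IV figure and, going one step beyond the text, the same modification applied to a keyed integrity check; this is an added example, not code from the paper. A random byte string stands in for RC4(IV,K), since none of the arguments depends on how the keystream is produced, and keyed_mic is a hypothetical HMAC-based stand-in, not WPA's MIC algorithm.

```python
import hashlib
import hmac
import os
import struct
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings (truncates to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc(data: bytes) -> bytes:
    """WEP's unkeyed checksum: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def keyed_mic(data: bytes) -> bytes:
    """Hypothetical keyed check: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:8]


def seal(message: bytes, keystream: bytes, tag=crc) -> bytes:
    """C = (M, tag(M)) XOR keystream."""
    body = message + tag(message)
    if len(keystream) < len(body):
        raise ValueError("keystream too short")
    return xor(body, keystream)


def accept(ciphertext: bytes, keystream: bytes, tag=crc, tag_len=4):
    """Receiver: decrypt, recompute the tag, return M or None (frame dropped)."""
    plaintext = xor(ciphertext, keystream)
    message, received = plaintext[:-tag_len], plaintext[-tag_len:]
    return message if hmac.compare_digest(tag(message), received) else None


def crc_delta(e: bytes) -> bytes:
    """checksum(M XOR E) XOR checksum(M), computed from E alone.

    zlib's CRC-32 is affine rather than strictly linear (initial and final
    XOR), so the all-zero message of the same length supplies the constant.
    """
    return xor(crc(e), crc(bytes(len(e))))


def apply_difference(ciphertext: bytes, e: bytes) -> bytes:
    """C2 = C1 XOR (E, delta); uses neither the key nor the keystream."""
    if len(ciphertext) != len(e) + 4:
        raise ValueError("E must be as long as the message")
    return xor(ciphertext, e + crc_delta(e))


def recover_keystream(ciphertext: bytes, known_message: bytes) -> bytes:
    """C XOR P = RC4(IV, K) when one frame's plaintext is known."""
    return xor(ciphertext, known_message + crc(known_message))


def hours_until_iv_wrap(packet_bytes=1500, rate_bps=5_000_000, iv_bits=24):
    """Hours for a sender at this rate to use every IV value once."""
    return (2 ** iv_bits) * packet_bytes * 8 / rate_bps / 3600


# Constructed sample values (not from the paper).
MIC_KEY = os.urandom(16)
KEYSTREAM = os.urandom(64)                    # stands in for RC4(IV, K)
M1 = b"temperature=20C unit=7"
M2 = b"temperature=35C unit=9"                # same length, same keystream
E = bytes(12) + b"\x0b" + bytes(9)            # turns the '2' at offset 12 into '9'

if __name__ == "__main__":
    c1, c2 = seal(M1, KEYSTREAM), seal(M2, KEYSTREAM)
    print("C1^C2 == P1^P2 :", xor(c1, c2)[:len(M1)] == xor(M1, M2))
    print("CRC accepts    :", accept(apply_difference(c1, E), KEYSTREAM))
    keyed = seal(M1, KEYSTREAM, keyed_mic)
    print("keyed accepts  :", accept(xor(keyed, E + bytes(8)), KEYSTREAM, keyed_mic, 8))
    print("IV wrap (hours):", round(hours_until_iv_wrap(), 1))
```

The contrast between the last two checks is the reason WPA and 802.11i replace the CRC with a keyed integrity code: the checksum delta can be computed by anyone, while the keyed tag cannot.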
When the standard 40-bit WEP keys are used, they can be broken by brute-force attacks, but non-standard WEP keys of at least 80 bits are very resistant to these types of attacks. Research has shown that key sizes of greater than 80 bits, for robust designs and implementations, make brute-force cryptanalysis (code breaking) an impossible task. For 80-bit keys, the number of possible keys (a keyspace of more than 10^26) exceeds contemporary computing power. [9] However, even when proper care is taken in the generation of a WEP key, hackers use tools such as WEPwedgie, WEPCrack, WEPAttack, BSD-Airtools, and AirSnort to break the Wired Equivalent Privacy (WEP) encryption standard. These tools exploit vulnerabilities in the WEP encryption algorithm by passively observing wireless LAN traffic until they collect enough data to recognize the pattern [11]. Once enough data has been obtained, WEP keys may be broken, stripping away what little security they provided.
WEP keys use an initialization vector (IV) to vary the key between packets. However, the IV is sent unencrypted in the message. Therefore the attacker can collect messages and wait for two with the same IV. These can be used to recover the plaintext using the aforementioned statistical analysis. Some manufacturers even use the same IV each time, or a small pool of frequently used IVs shared by many manufacturers, resulting in poor encryption.
WPA is said to be a step above WEP in terms of security. It is based on WEP encryption techniques. So although it is not as vulnerable as WEP, WPA will suffer some of the same security issues as WEP. Some generic problems with WPA are:
  It requires a hardware upgrade, and devices enabled with WPA have only recently become widely available.
  The design of WPA causes an increase in transmission overhead.
  There is difficulty inherent in setting WPA up on a network, causing it to be undesirable for the novice user.
Another major concern that is not addressed in either WEP or WPA is handling denial-of-service (DoS) attacks. This type of attack can be committed by sending multiple packets each second, using the wrong key. The access point will assume a hacker is attempting to access the network and will shut off all connections, causing the network to be down indefinitely.
6. The Future of Wireless Security
802.11i is the future of wireless network security. The collaboration of the IETF and the IEEE has produced a standard that defines several new protocols to support the following features:
Below, 802.11i's impact on these features is explored.
6.1 Discovery
The 802.11i standard supports many different types of encryption. A system that wishes to connect to the wireless network must first be able to determine what encryption types are available and then have the ability to select one. The IEEE created a new protocol specifically to handle this task, which is called Robust Secure Network (RSN). The RSN protocol uses a three-step process of send-response messages for a complete communication cycle. The protocol is as follows (What is RSN?):
1. The end-point user sends a probe request to a wireless access point.
2. The WAP sends a probe response with an RSN Information Exchange (IE) frame. The information contained within the IE frame determines the type of authentication, unicast (broadcast to a single destination) cipher, and multicast (broadcast to any number of destinations) cipher suites the AP implements. The IE frame contains the following information.
[Table: IE frame fields - Pairwise Suite Count, Pairwise Suite List, Authentication Suite Count, Authentication Suite List, Capabilities; field sizes listed as 4 Octets per suite, 2 Octets, 1 Octet, 1 Octet]
3. The end-point user sends an 802.11 open system authentication message.
4. The WAP sends a success response to the open authentication message.
5. The end-point user sends an association request with an IE frame, which is populated with the type of authentication, unicast cipher, and multicast cipher suite the user wishes to use during this communication.
6. The WAP sends a successful association response to the end-user, which acknowledges the creation of an 802.11 communication channel. [14]
Both the end-user and the WAP have the ability to terminate this process if the WAP does not support the encryption techniques the end-user is looking for, or if the end-user selects an encryption technique the WAP does not implement. Once the communication defined in this protocol has been completed successfully by an end-user and a WAP, a wireless communication channel has been established between the end-user and the access point, and both parties are now ready for the authentication portion of the 802.11i standard. [14]
6.2 Authentication
Once the wireless-enabled end-user has discovered the available encryption techniques, the user must authenticate their identity with the wireless network. In this process, the end-user communicates with the AP, which in turn communicates with the authentication server (AS) in an attempt to validate the user's credentials and privileges for further communication. The authentication portion of the 802.11i standard must meet the following requirements:
  Create a session between the end-user and the authentication server
  Create a mutually authenticated session key, which is stored by the end-user and authentication server
  Defend against man-in-the-middle attacks, eavesdropping, forgeries, replays, and dictionary attacks against any involved party.
Because the IEEE wanted to design the standard to be as modular as possible, the 802.11i specification only requires the use of the Extensible Authentication Protocol (EAP) and 802.1X, which specifies the communication between the end-user and the access point but does not denote how the access point and authentication server are to communicate. EAP is designed only to transport the authentication messages and is not intended to act as the authentication method for 802.11i. Instead, the authentication relies on other techniques being plugged into EAP, which allows for new authentication methods to be introduced without modifying the underlying protocol. 802.1X is simply defined as the way to transport EAP messages from the end-user to the AP. Although not defined in the specification, EAP-TLS (Extensible Authentication Protocol Transport Layer Security) is the standard authentication method for 802.11i, and RADIUS is the standard for handling the communication between the AP and the authentication server. The flow of messages between the three components (end-user, AP, and authentication server) necessary to authenticate a user is shown below:
1. AP sends an identity request to the end-user
2. End-user sends an identity response to the AP with their user ID
3. AP sends an access request to the authentication server with the identity specified
4. EAP specific validation occurs during this step (EAP-TLS by default)
EAP-TLS authenticates the user by having the end-user and authentication server generate random numbers, which are used in combination with private keys and certificates to generate a shared key for the communication.
Once this step has been completed, both the end-user and authentication server have generated a new key to be used specifically during the remainder of this session.
5. Authentication server sends an accept message to the AP with the master key.
6. AP sends an EAP success message to the end-user, which means they were properly authenticated by the server. [14]
Unfortunately, the decision to make RADIUS the standard for server-AP communication has given rise to some problems. The major problem associated with RADIUS is that it uses a static key between the AP and the authentication server, which requires a great deal of care to ensure that the key does not get leaked. In addition, the protocol assumes the connection between the server and the AP is secure, which allows someone to inject false request packets into that connection and receive valid responses. Therefore, there has been a push to move from RADIUS to DIAMETER, which uses Cryptographic Message Syntax (CMS) for key distribution. Unfortunately, the conversion to DIAMETER does not seem to be a high priority, which could result in the degradation of the security in 802.11i [14]. Nonetheless, this problem is not a result of the 802.11i standard, because it does not specify the protocol to be used between the authentication server and AP, which shows the good design decisions made when deciding exactly what the standard should encompass. Once the authentication process is complete, the end-user, authentication server, and AP all have a pairwise master key, which will be used in the remaining two components of the 802.11i standard [14].
6.3 Key Management
The purpose of the key management component of 802.11i is to ensure that both the AP and the end-user have shared temporal keys for both unicast and broadcast communication. The communication method used in this process is EAPoL (Extensible Authentication Protocol over LAN), which is actually the same as 802.1X mentioned above. With the pairwise master key created in the authentication process, a new key is created to ensure greater security for the remainder of the communication cycle. In the authentication process the master key is passed between the AP and the end-user, but the temporary key created in this step is generated locally on both hardware devices and is never transmitted. The process for generating the unicast key is as follows:
1. The AP generates a random number and passes it to the end-user.
2. First, the end-user generates its own random number. The temporary key is generated using this random number, the number generated by the AP, the pairwise master key created in the authentication process, the MAC address of the end-user, and the MAC address of the AP.
3. The end-user sends the access point the random number it generated.
4. The AP now generates the same temporary key using the same information.
5. The AP sends a message to the end-user telling it to install and use the temporary key from now on.
6. The end-user sends a response, which informs the AP to start using the temporary key as well. [14]
All messages after the initial message from the AP to the end-user contain a message integrity code, which can be validated against the temporary key generated. This integrity code prevents a man in the middle attack because only a device with the proper keys could generate a valid integrity code. Once this initial communication is complete, both devices have a shared unicast temporary key. With this key, a broadcast (group) key will now be generated in the following way:
1. The AP generates a random group temporary key.
2. Using the 128-255th bits of the unicast temporary key, the AP encrypts the group temporary key and sends it to the end-user.
3. The end-user decrypts the group temporary key using the same portion of the unicast temporary key. [14]
Now, both the end-user and the AP have mutually validated keys for communicating to a single second party (unicast key) and to any number of users at the same time (broadcast/group key). With these keys, the communication between the two parties can now be encrypted. [14]
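The unicast key derivation in steps 1 to 4, with both sides computing the temporary key locally; this is an added Python example, not code from the paper or from any product. The PRF construction and the "Pairwise key expansion" label follow the 802.11i specification rather than this paper; the MAC addresses, master key and message bytes are constructed, and integrity_code stands in for the message integrity code computed over a real EAPOL-Key frame.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the paper).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
PMK = os.urandom(32)   # pairwise master key from the authentication phase


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_temporal_key(pmk, ap_mac, sta_mac, ap_nonce, sta_nonce, n_bytes=48):
    """Temporary key from the master key, both MAC addresses and both random numbers.

    Sorting each pair means the AP and the end-user feed identical input
    to the PRF regardless of which side they are.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(ap_nonce, sta_nonce) + max(ap_nonce, sta_nonce))
    return prf(pmk, b"Pairwise key expansion", data, n_bytes)


def split_key(ptk: bytes) -> dict:
    """Bits 0-127 confirm messages, bits 128-255 encrypt the group key, the rest protects data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def integrity_code(kck: bytes, frame: bytes) -> bytes:
    """Message integrity code: HMAC-SHA1 keyed with the KCK, truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def handshake(ap_pmk: bytes, sta_pmk: bytes):
    """Steps 1-4 with constructed frames; returns (accepted, ap_keys, sta_keys)."""
    ap_nonce = os.urandom(32)        # step 1: AP -> end-user
    sta_nonce = os.urandom(32)       # step 2: end-user's own random number
    sta_keys = split_key(
        derive_temporal_key(sta_pmk, AP_MAC, STA_MAC, ap_nonce, sta_nonce))
    # step 3: end-user -> AP, carrying its random number and an integrity code
    message = b"constructed message 2|" + sta_nonce
    code = integrity_code(sta_keys["KCK"], message)
    # step 4: the AP derives the key from the same inputs and checks the code
    ap_keys = split_key(
        derive_temporal_key(ap_pmk, AP_MAC, STA_MAC, ap_nonce, sta_nonce))
    accepted = hmac.compare_digest(integrity_code(ap_keys["KCK"], message), code)
    return accepted, ap_keys, sta_keys


if __name__ == "__main__":
    ok, ap_keys, sta_keys = handshake(PMK, PMK)
    print("same master key     :", ok, ap_keys["TK"] == sta_keys["TK"])
    ok, _, _ = handshake(PMK, os.urandom(32))
    print("different master key:", ok)
```

Only the two random numbers and the integrity code cross the air; a party without the master key cannot produce a code the AP accepts, which is the man-in-the-middle protection described above.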
6.4 Data Transfer/Encryption

The last major component of the 802.11i standard is the process by which data is transferred between devices. The standard defines three separate means for encrypting data: CCMP, WRAP, and TKIP. All of these protocols were designed to meet the following requirements:

1. Never send or receive unprotected packets.
2. Authenticate the origin of messages to prevent forgeries.
3. Detect replayed packets by using sequence numbers. A sequence number determines the ordering of the packets transmitted. By not allowing several packets with the same sequence number, replayed packets are prevented.
4. Avoid having to rekey (re-generate keys) by using a 48-bit sequence number.
5. Protect the source and destination addresses.
6. To ensure confidentiality and integrity, use one strong cryptographic primitive. [14]

One portion of this security component is the filtering of packets. To prevent problems during the initial establishment of the connection, the AP and end-user drop all non-802.1X traffic. Once both devices have the temporary unicast and broadcast keys, they begin to drop all traffic that is not protected with those keys. By filtering the packets, both the end-user and the AP are able to (missing piece). The filtering allows for more protection from forged and replayed packets, but the bulk of the complexity regarding this security component is the encryption of data. [14]

Of the three encryption techniques mentioned earlier, only CCMP is required to be implemented in all 802.11i compliant devices. The CCMP technique is based on AES, a 128-bit block cipher, in CCM mode (Counter Mode with CBC-MAC). The data is encrypted as follows, using the temporary keys generated previously:

1. A checksum (MIC, Message Integrity Check) is computed over the plaintext header, the length of the header, and the payload. The checksum is calculated using the CBC-MAC portion of the AES algorithm.
2. The checksum is appended to the end of the payload.
3. The checksum and the payload are then encrypted using the Counter Mode of AES. [14]

Performing these three steps ensures that only those who hold the temporary key generated earlier are able to recover the plaintext. In addition, if a malicious third party attempted to modify any portion of the packet, the checksum generated would not match the one appended to the payload. This ensures the privacy and authenticity of the communication. Although the CCMP encryption technique is provably strong, the basis of the security is that only the intended parties have the temporary key generated in the previous processes. For CCMP to be truly effective, a new key must be generated for every new communication established, and the key must be properly established between the end-user and the AP, which is done using the 802.1X protocol discussed above. The only major drawback associated with CCMP is that new hardware must be acquired, because the process is too complicated to be added by modifying the existing technology; CCMP is therefore not backward compatible [14].

In the initial proposal of 802.11i, the IEEE proposed the use of the WRAP encryption technique, which is based on AES in the OCB mode. Due to legal issues, WRAP was replaced with CCMP. Since three companies have filed for patents relating to WRAP, problems with the acceptance of this standard by those who do not hold the patent are likely to occur. WRAP still remains in the 802.11i specification, but only because some manufacturers had already produced hardware that implemented it. WRAP will most likely not be implemented in future revisions [14].

The final encryption technique discussed in the standard is TKIP (Temporal Key Integrity Protocol), which is in essence a wrapper for the existing WEP security protocol. The major benefit of TKIP is that it can be implemented entirely in software, which allows it to run on existing hardware running WEP security. Instead of using a static key for encryption, TKIP uses the temporary key to perform the WEP security. Unfortunately, this is still plagued by the same problems as the original WEP because the encryption technique is not strong enough, and a brute force attack can break the key in several hours. The security of TKIP is an improvement over WEP because the key is dynamically generated for each connection, but TKIP was not designed to be the optimal solution. TKIP's main purpose is to ease the transition to 802.11i. [14]
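The three CCMP steps and the sequence-number requirement from the list above can be seen together in a short sketch. This is an added example, not code from the paper: it assumes the Python `cryptography` package for AES-CCM, passes the whole header as associated data (real CCMP masks some header fields first), and uses a constructed key, MAC address and header.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

PN_MAX = 2**48 - 1  # 48-bit packet (sequence) number

def ccmp_nonce(priority: int, src_mac: bytes, pn: int) -> bytes:
    """13-byte CCM nonce: priority || transmitter address || packet number."""
    return bytes([priority]) + src_mac + pn.to_bytes(6, "big")

class CcmpSender:
    def __init__(self, tk: bytes, mac: bytes):
        self.aead = AESCCM(tk, tag_length=8)   # 8-byte MIC
        self.mac, self.pn = mac, 0

    def protect(self, header: bytes, payload: bytes):
        if self.pn >= PN_MAX:
            raise OverflowError("packet numbers exhausted: a new key is needed")
        self.pn += 1                           # never reuse a number under one key
        nonce = ccmp_nonce(0, self.mac, self.pn)
        # CBC-MAC covers header + payload; counter mode encrypts payload + MIC.
        return self.pn, self.aead.encrypt(nonce, payload, header)

class CcmpReceiver:
    def __init__(self, tk: bytes):
        self.aead = AESCCM(tk, tag_length=8)
        self.last_pn = 0

    def accept(self, src_mac: bytes, header: bytes, pn: int, body: bytes):
        """Return the payload, or None for a replayed or modified frame."""
        if pn <= self.last_pn:
            return None                        # replay: number already seen
        try:
            payload = self.aead.decrypt(ccmp_nonce(0, src_mac, pn), body, header)
        except InvalidTag:
            return None                        # MIC mismatch: drop the frame
        self.last_pn = pn                      # advance only after the MIC checks out
        return payload

def demo():
    tk = bytes(range(16))                      # constructed temporal key
    sta = bytes.fromhex("02aabbccdd02")        # constructed MAC address
    header = b"constructed-802.11-header"
    tx, rx = CcmpSender(tk, sta), CcmpReceiver(tk)
    pn, body = tx.protect(header, b"hello AP")
    first = rx.accept(sta, header, pn, body)
    replay = rx.accept(sta, header, pn, body)
    pn2, body2 = tx.protect(header, b"second frame")
    forged = rx.accept(sta, b"tampered" + header[8:], pn2, body2)
    return first, replay, forged

if __name__ == "__main__":
    print(demo())
```

Because `last_pn` advances only after the MIC verifies, a forged frame carrying a high packet number cannot push the replay window forward and lock out the legitimate sender.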
7. Summary

The 802.11i standard is the future of wireless security. It establishes a framework to ensure the security of wireless communication, providing network protection comparable to that of wired networks. A major benefit of the design of 802.11i is its extensibility: if a flaw is discovered in the encryption techniques used, the standard easily allows the addition of a new technique without replacing the hardware. Now that many manufacturers are beginning to produce devices that implement 802.11i, it will not be too long before the new technology is deployed and a secure wireless infrastructure is available. In "WPA Plugs Holes in WEP," Jim Geier sums up wireless network security's evolution best:

Name | A.K.A. | Feature
WEP | Won't Even Protect | Weak encryption keys based on RC4 algorithm; static keys that make easy targets for hackers
WPA | Will Protect Alright | Same underlying RC4-based encryption as WEP; TKIP added so that keys are rotated and encryption is strengthened
802.11i | Will Prove Airtight | Strong AES encryption based on Rijndael algorithm; adds two strong authentication features: wireless robust authentication protocol (WRAP) and counter with cipher block chaining message authentication code protocol (CCMP)

Basically, 802.11i goes a step further than simply patching WEP by providing wireless networks with the ultimate security solution: stronger encryption, authentication, and key management strategies.
Reference:

[1] Borisov, Nikita, Ian Goldberg, and David Wagner. "Intercepting Mobile Communications: The Insecurity of 802.11." 27 Oct. 2004 <http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf>.
[2] RC4 Encryption. 31 Oct. 2004 <http://www.cebrasoft.co.uk/encryption/rc4.htm>.
[3] Geier, Jim. "802.11 WEP: Concepts and Vulnerability." Wi-Fi Planet 20 June 2002. 27 Oct. 2004 <http://www.wifiplanet.com/tutorials/article.php/1368661>.
[4] "Wi-Fi Protected Access: Strong, standards-based, interoperable security for today's Wi-Fi networks." Wi-Fi Alliance April 2003. 31 Oct. 2004 <http://www.wifialliance.com/OpenSection/pdf/Whitepaper_Wi-Fi_Security429-03.pdf>.
[5] Higgins, Tim. "Wi-Fi Protected Access (WPA) NeedToKnow - Part II." Tom's Networking 25 June 2003. 30 Oct. 2004 <http://www.smallnetbuilder.com/Sections-article50-page1.php>.
[6] Goransson, Paul. "802.1X provides user authentication." Network World Fusion 25 Mar. 2002. 1 Nov. 2004 <http://www.nwfusion.com/news/tech/2002/0325tech.html>.
[7] Klaus, Christopher W. Wireless LAN Security FAQ. 6 Oct. 2002. 14 Oct. 2004 <http://www.iss.net/wireless/WLAN_FAQ.php>.
[8] Arbaugh, William A., Narendar Shankar, and Y.C. J. Wan. "Your 802.11 Wireless Network has No Clothes*." (2001). 15 Oct. 2004 <http://www.cs.umd.edu/~waa/wireless.pdf>.
[9] Karygiannis, Tom, and Les Owens. National Institute of Standards and Technology. Wireless Network Security. Nov. 2002. 14 Oct. 2004 <http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf>.
[10] Gast, Matthew. Seven Security Problems of 802.11 Wireless. 14 Oct. 2004 <http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html>.
[11] Wireless LAN Security: What Hackers Know That You Don't. 14 Oct. 2004 <http://www.airdefense.net/whitepapers/hackers_request2.php4>.
[12] Neudoerffer, Dave. 5 steps to secure mobile data. 7 Nov. 2002. 14 Oct. 2004 <http://techupdate.zdnet.com/techupdate/stories/main/0,14179,28970101,00.html>.
[13] What is a rogue wireless access point? 31 Oct. 2004 <http://www.tech-faq.com/wireless-networks/rogue-access-point.shtml>.
[14] Cam-Winget, Nancy, Moore, Tim, Stanley, Dorothy, Walker, Jesse. IEEE 802.11i
[15] What is 802.11i. Tech FAQ. Oct 14, 2004. <http://www.tech-faq.com/wireless-networks/802.11i.shtml>
[16] What is RSN (Robust Secure Network)? Tech FAQ. Oct 14, 2004. <http://www.tech-faq.com/wireless-networks/rsn-robust-secure-network.shtml>
[17] Netstumbler. 03 Nov. 2004 <http://www.netstumbler.com/2002/02/15/researchers_crack_new_wireless_security_spec/>
[18] Solectek. A tutorial: Wireless ISP. White Paper
[19] Overview NIST. Oct 10, 2004. <http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf>
[20] Cambridge Broadband. Single Carrier and OFDM Modulation. <http://www.cambridgebroadband.com/pub/papers/sc_and_ofdm.pdf>
[21] IEEE 802.11 Wireless Fidelity (Wi-Fi). <http://www.wi-fi.org>
[22] Cohen, Alan and Bob O'Hara. 802.11i shores up wireless security, Network World Fusion. May 26, 2003. <http://www.nwfusion.com/news/tech/2003/0526techupdate.html>
[23] Geier, Jim. WPA plugs holes in WEP, Network World Fusion. March 31, 2003. <http://www.nwfusion.com/research/2003/0331wpa.html>
[24] Fleishman, Glenn. The Path to 802.11i. Wi-Fi Networking News. 2003. <http://wifinetnews.com/archives/002594.html>
[25] 802.11i Security Specifications Finalized. June 25, 2004. <http://www.wi-fiplanet.com/news/print.php/3373441>
[26] Marks, Roger B., Gifford, Ian C., and O'Hara, Bob. Standards in IEEE 802. Unleash the Wireless Internet
[27] Telephony's Complete Guide to WiMAX: The Business Case for Service Provider Deployment. www.TelephonyONLINE.com, June 2, 2004
[28] Georgia Tech 8813 Broadband Access Networks. Lecture Notes
Appendix A: Some Common Freeware Hacker Tools [11]

1. NetStumbler: Freeware wireless access point identifier that listens for SSIDs and sends beacons as probes that search for access points. http://www.netstumbler.com
2. Kismet: Freeware wireless sniffer and monitor that passively monitors wireless traffic and sorts data to identify SSIDs, MAC addresses, channels, and connection speeds. http://www.kismetwireless.net
3. THC-RUT: Freeware wireless LAN discovery tool that uses brute force to identify low traffic access points. (Your first knife on a foreign network.) http://www.thehackerschoice.com
4. Ethereal: Freeware wireless LAN analyzer that interactively browses captured data, viewing summary and detail information for all observed wireless traffic. http://www.ethereal.com
5. AirSnort: Freeware encryption breaker that passively monitors transmissions, computing the encryption key when enough packets have been gathered. http://airsnort.shmoo.com
6. HostAP: Toolkit that converts a wireless LAN user station to function as an access point. (Available for wireless LAN cards that are based on Intersil's Prism2/2.5/3 chipset.) http://hostap.epitest.fi
7. WEPWedgie: Toolkit for determining 802.11 WEP keystreams and injecting traffic with known keystreams. The toolkit also includes logic for firewall rule mapping, pingscanning, and portscanning via the injection channel. http://sourceforge.net/projects/wepwedgie/
8. WEPCrack: Freeware encryption breaker that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling. http://sourceforge.net/projects/wepcrack/
9. AirSnarf: Soft AP setup utility that is designed to steal usernames and passwords from public wireless hotspots by confusing users with DNS and HTTP redirects from a competing AP. http://airsnarf.shmoo.com/
10. SMAC: Windows MAC address modifying utility that allows users to change the MAC address of Network Interface Cards (NICs) on Windows 2000, XP, and 2003 Server systems, regardless of whether or not the manufacturer allows this option. http://www.klcconsulting.net/smac
11. Airjack: Denial-of-Service tool kit that sends spoofed authentication frames to an AP with inappropriate authentication algorithm and status codes. The AP then drops connections with stations. Includes WLAN_JACK, Monkey_JACK, and hunter_killer. http://sourceforge.net/projects/airjack
12. IRPAS: Internet Routing Protocol Attack Suite designed to attack common routing protocols including CDP, DHCP, IGRP and HSRP. http://www.phenoelit.de/irpas/
13. Ettercap: Suite for Man-in-the-Middle attacks. It features sniffing of live connections and content filtering on the fly. Additionally, it supports active and passive dissection of many protocols and includes many features for network and host analysis. http://ettercap.sourceforge.net
14. Cain&Abel: Password recovery tool that allows easy recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks. Decodes scrambled passwords and analyzes routing protocols. http://www.oxid.it
15. Hotspotter: Passively monitors the network for probe request frames to identify the preferred networks of clients. Acts as an access point to allow the client to authenticate and associate. www.remote-exploit.org/codes.html
16. WEP Attack: Brute-Force WEP cracker that uses Dictionary attacks against WEP keys. Is usually very effective against residential gateways. http://sourceforge.net/projects/wepattack/
17. ASLEAP: Toolkit that can recover weak LEAP passwords, read captured files, or sniff the air. Can also actively de-authenticate users on LEAP networks, forcing them to re-authenticate. http://asleap.sourceforge.net/
18. THCLeapCracker: Toolkit that can break the Cisco LEAP authentication protocol and can also spoof challenge-packets from access points, allowing the hacker to perform Dictionary attacks against all users. http://www.thc.org
19. DSNIFF: Collection of tools for network auditing and penetration testing. Can passively spy and perform Man-in-the-Middle attacks. http://naughty.monkey.org/~dugsong/dsniff
20. IKEcrack: Authentication crack tool that can use Brute-Force or a Dictionary attack against key/password used with Pre-Shared-Key IKE authentication. http://ikecrack.sourceforge.net/
21. Nessus: Remote security scanner. http://www.nessus.org