Wireless Security

Analysis and Improvement for IEEE 802.11 WLAN Standard

Thanavit Cheevaprabhanant Boston University Metropolitan College Abstract Wireless technology is more prevalent in today. As technology is keeping developed, vulnerabilities could also be introduced and exposed to the threats. Having a secure environment becomes mandatory, not only in wired network but also in wireless networks. This paper will firstly describe background and characteristics of wireless network, and then introduces those security mechanisms, security services, and vulnerabilities in the original wireless network protocol, followed with addition of threats and attacks over wireless networks. In the later part, this paper will analyze later technology and protocols that address underlining issues and vulnerabilities to mitigate risks that may occur from them and provide stronger secure wireless network environment. Historical Background, Development, and Characteristics of IEEE 802.11 WLAN Standard IEEE 802.11 is a set of standards for implementing wireless local area network (WLAN) computer communication by utilizing electromagnetic (EM) waves (radio waves) in in the 2.4, 3.6 and 5 GHz radio frequency bands. The original version was released in 1997 as 802.11-1997 (802.11 legacy). In 1999, IEEE ratified two amendments to the 802.11 standard 802.11a and 802.11b which superseded and made 802.11 (legacy mode) obsolete. There are many amendments in later time. Each of them utilizes within three radio frequency bands mentioned earlier, provides different data rate, and has different coverage range depending on indoor, outdoor, and obstruction materials. Each of amendments supports various combinations among three transmission methods (modulations): direct-sequence spread spectrum (DSSS), frequency-hopping spread spectrum (FHSS), and orthogonal frequency-division multiplexing (OFDM). The following table compares the basic characteristics of IEEE 802.11, 802.11a, 802.11b, 802.11g, 802.11n. 802.11 wireless networking is also known as Wi-Fi . Note that all of them are official releases. Pending amendments or drafts are not included here.

IEEE Standard or Amendment 802.11 802.11a 802.11b

Maximum Typical Range Data Rate 2 Mbps 50-100 meters 54 Mbps 50-100 meters

802.11g 802.11n

Frequency Comments Band 2.4 GHz 5 GHz Not compatible with 802.11b 11 Mbps 50-100 meters 2.4 GHz Equipment based on 802.11b has been the dominant WLAN technology 54 Mbps 50-100 meters 2.4 GHz Backward compatible with 802.11b 54 Mbps / 70-230 meters 2.4 GHz / Adding Multiple Input 600 Mbps 5 GHz Multiple Output (MIMO) architecture, a smart antenna technology that significantly improves data transfer speeds. Backward compatible with earlier standards. (Frankel, Eydt, Owens, & Scarfone, 2007) (Phatak, 2011)

The IEEE 802.11 standard has two basic modes of operation: ad hoc mode and infrastructure mode. In ad hoc mode, wireless devices transmit to each other directly as a peer-to-peer (P2P) network. In infrastructure mode, wireless devices communicate through fixed access points (AP) that serve as a bridge to a wired network infrastructure extending the range of the wired LAN to wireless cells. Security Mechanisms, Security Services, Issues and Vulnerabilities The IEEE 802.11 specification provides three security services that allow wireless communication in a secure operating environment. Three security services authentication, confidentiality, and integrity are implemented via Wired Equivalent Privacy (WEP) protocol. Although WEP protects link-level data during wireless transmission between clients and access points, it does not provide end-to-end security. Authentication The IEEE 802.11 specification provides two authentication methods to validate wireless devices attempting to access a wired network via a fixed access point: opensystem authentication and shared-key authentication. Please see the illustration below.

(Karygiannis & Owens, 2002) The open-system authentication is actually not an authentication. There is no authentication. This mean, in this open-system authentication method, wireless devices do not provide credentials and they are permitted to connect and communicate with an access point automatically. The shared-key authentication utilizes challenge-response scheme with knowledge of shared secret based on cryptography and provides, if effective, Data-Origin Authentication security service. It is worth noting that this is the one-way authentication that mobile stations or wireless devices are authenticated. The access points are not authenticated.

(Karygiannis & Owens, 2002) The shared-key authentication process consists of a shared cryptographic WEP key and a four-step challenge-response handshake (see the above illustration), starts with a wireless station sends authentication request to an AP, AP generates a random number and sends this number as its reply back to a wireless station in in form of clear-text challenge, the wireless station then will encrypt this clear-text challenge (nounce) with RC4 algorithm using shared WEP key and returns the result to the AP, then the AP will decrypt response to recover challenge, verify if the decrypted value is the same as the random challenge transmitted then allow client access. There are three problems related with authentication that the IEEE 802.11 exposes vulnerabilities to Authentication security service. Since the open-system authentication method does not require any authentication, it is highly vulnerable to attack and practically invites unauthorized access. In the shared-key authentication method, at the second step of handshake, that AP replies challenge back to the wireless station in cleartext, this is also vulnerable to eavesdropping. In addition, WEP itself provides only oneway authentication to wireless station. The way that AP is not required to be authenticate allows both man-in-the-middle attack and rogue access point. Confidentiality and Integrity The WEP in IEEE 802.11 uses the stream cipher RC4 algorithm that provide Confidentiality security service and the CRC-32 checksum that provides Data Integrity security service. There are many components in cryptography used in WEP, for example, a Shared Key between wireless station and AP, Initialization Vector (IV) that is generated at a wireless station and shared to AP, RC Cryptographic Algorithm, CRC Generation Algorithm, and Exclusive-OR module on both wireless station side and AP side, and so on. Please see the diagram below.

(Karygiannis & Owens, 2002) Note that the RC4 key used with RC4 algorithm is the result from concatenation between the 24-bit Initialization Vector (IV) and a WEP shared secret key. The IEEE 802.11 standard originally supports the shared WEP key with only a 40-bit cryptographic key size (WEP-40), which will create concatenation result with 24bit IV for 64-bit RC4 key. Many vendors offer nonstandard extensions of WEP that support WEP key length to 104 bits (WEP-104), which will create concatenation result with 24-bit IV for 128-bit RC4 key. The IEEE 802.11 specification also provides usage of CRC-32, for example, as a simple encrypted Cyclic Redundancy Check (CRC) that provides 32-bit polynomial checksum for data integrity verification. In encryption process, a wireless station will calculate CRC from a Payload and concatenate them together as a Packet, which will be Plaintext Input for XOR module and will be exclusive-ORed operation with Keystream from RC4 Algorithm to generate Ciphertext. In decryption process, AP receives Ciphertext as input into XOR module with the same Keystream generated and concatenated by its own side. The result from exclusiveORed operation will be Plaintext Output as a Packet, and then AP will calculate CRC from Payload portion and compare with decrypted value of CRC. If CRC value from decryption matches with CRC that AP calculates, this mean there is no error on received message otherwise received with error.

At this point, you may have seen many flaws and vulnerabilities on those schemes, mechanisms, and also weaknesses on the key itself that affect Confidentiality and Integrity security services. WEP-40 uses 40-bit WEP key. When this WEP-40 decoded with 10 hexadecimal (base 16) characters (0-9 and A-F), it requires 10 digits. If WEP-40 decoded with 8-bit ASCII, it requires only 5 ASCII characters. This is considered a major flaw that is vulnerable to dictionary attack, brute-force attack, and cryptanalysis. Moreover, the use of static WEP keys for long periods of time is also a wellknown security vulnerability. Due to the lack of key management provisions in the WEP protocol, if wireless station is stolen, its WEP key will be compromised. In case two or more wireless stations share the same WEP key, traffic that go back and forth will allow an eavesdropper for analytic attacks. In addition, using the same IV as a part of RC4 encryption key will have possibility to repeat keystream that generated by RC4 algorithm while sending IV in clear-text from wireless station to AP will help weaken the RC4 key by reducing eavesdroppers effort to do cryptanalysis. Eventually, if confidentiality is compromised, the integrity security service that WEP is also compromised. The attacker in man-in-the-middle attack may intercept the ciphertext, decrypt ciphertext, modify message, calculate CRC, generate false ciphertext, and pass it to the other receiver. The receiver will calculate CRC based on modified message and misunderstand that it is not modified. Threats and Attacks on Wireless Local Area Networks Before discussing with the improvement and measures, we need to those threats around wireless LAN technology that may also affect confidentiality, integrity, and availability aspects of the information security. There are several methods specific to wireless networking technologies that attackers may use to facilitate their wireless attacks, for example wardriving, warflying, and warchalking. All of them are techniques that attackers use to locate insecure wireless networks by mean of driving around with car, flying around in an aircraft, and walking and chalking on a sidewalk or surface to indicate a nearby wireless network that offers Internet access, respectively (EC-Council, 2010). The attacks on wireless networks can be categorized into two broad classes, consisting of subclasses of attacks as depicted in the following chart.

(Karygiannis & Owens, 2002) A passive attack is a type of attack that where an unauthorized party monitor communication and gather information without modifying information or destroying asset availability. An example is eavesdropping that attackers monitor for message content. Once attackers gather enough information, they may be able to do Traffic Analysis as the next step of attack that uses adequate information gained in eavesdropping. Another attack in this category is when attackers intercept electronic emanations, which are electronic waves of radiation that electronic devices emit during their operation. Active attacks on wireless networks are similar to those attacks on wired networks where attackers try to alter or corrupt data or services on a network. Examples of this type of attacks are masquerading or spoofing, replay, message modification, and denialof-service. Masquerading is when attackers impersonate authorized users and thereby gain unauthorized privileges. Replay is an attack that attackers utilize information monitored during passive attack and retransmit messages, as they were legitimate users. Message modification is an unauthorized modification on a legitimate message that attackers may add, change, or reorder it. Man-in-the-Middle (MITM) attacks consist of various attacks that attackers have unauthorized access as from eavesdropping and manipulate information as in masquerading or replay. Denial-of-service (DoS) attacks are attacks that make a computer or network resources unavailable to legitimate users. DoS may be achieved by various means, for example, flooding garbage information to consume bandwidth or use up memory for processing, alteration configuration of the machine to prevent a user from using it, or physically destroy network elements. All those above attacks on wireless network result in compromising confidentiality, integrity, and availability aspects of information security.

Risk Mitigation, Solution, and Countermeasures There are a large number of techniques and countermeasures that provide more security to wireless network. Those techniques are categorized into three groups: management countermeasures, operational countermeasures, and technical countermeasures, according to NIST (Frankel, Eydt, Owens, & Scarfone, 2007). This paper will focus on technical countermeasures and will discuss on implementation and improvement specifically to wireless network protocol. Wi-Fi Protected Access (WPA) and IEEE 802.11i (WPA2) Wireless Robust Security Network (RSN) In response to major and serious flaws in WEP that affect to all aspects of information security, WiFi Alliance created WiFi Protected Access (WPA) in 2003 as an intermediate measure that implements a subset of 802.11i based on 802.11i draft.

(Frankel, Eydt, Owens, & Scarfone, 2007) As discussed earlier, two vulnerabilities on WEP key are the key size is too short and the key is static, not dynamically changed. WPA attempts to solve these issues by encrypting data with RC4 encryption algorithm with a 128-bit secret key and adding a Temporal Key Integrity Protocol (TKIP), which dynamically change the shared key per packet. These mitigate well-known key recovery attacks on WEP.

In addition, WPA replaces CRC in WEP with Michael Message Integrity Code (MIC), which is a message digest algorithm that used to calculate and verify the integrity of the packets. WPA also includes a special countermeasure mechanism to detect any attempt to break TKIP and provide capability to temporarily block communications (Jacobs, 2011). In 2004, IEEE 802.11i received IEEE ratification and supersedes WEP as the standard security mechanism for WLANs (Jacobs, 2011). IEEE 802.11i also has alias referred by WiFi Alliance as WPA2, which is also called Robust Security Network (RSN). By making use of AES encryption algorithm in place of RC4, 802.11i solves authentication issues with two critical components: 802.1x for peer-entity authentication, which implements via Extensible Authentication Protocol (EAP), and AES-based encryption for confidentiality, data integrity, and data-origin authentication. Moreover, 802.11i overcome the lack of key distribution mechanism in WEP by with the key distribution accomplished using a four-message handshake process. The use of 802.1x provides for the authentication of the wireless client but does not address the authentication of the access point (AP), and keys to encrypt the traffic need to be derived. The 802.1x EAP exchange has provided a shared secret key called the pairwise master key (PMK) designed to last the entire session and should be exposed as little as possible. The four-way handshake is used to establish another key called the pairwise transient key (PTK) generated by concatenating the following attributes: PMK, AP nounce (ANounce), STA nounce (SNounce), AP MAC address, and STA MAC address. The product is then put through a cryptographic hash function. The handshake also yields the group temporal key (GTK), used to decrypt multicast and broadcast traffic (Jacobs, 2011). The IEEE 802.11i addresses authentication issues on WEP by adopting IEEE 802.1X standard that was developed for wired network and implement with different types of Extensible Authentication Protocol (EAP). In addition, 802.1X enables 802.11i to implement on authentication, authorization, and accounting (AAA) mechanism (e.g. RADIUS). The IEEE 802.11i also addresses data confidentiality and integrity issues on WEP by deploying key management via Temporal Key Integrity Protocol (TKIP) and Counter Mode with Cipher Block Chaining MAC Protocol (CCMP).

Addressing Issues with 802.11i Authentication 802.11i and WPA provide two authentication modes: Pre-Shared Key (PSK) mode and 802.1X mode. The pre-shared key mode, also known as personal mode, is designed for home and small office networks, which doesn't require an authentication server. Each wireless network device authenticates with the access point using the same 256-bit key generated from a password or passphrase that may be from 8 to 64 printable ASCII characters or 64 hexadecimal digits (256 bits). The passphrase will then be passed to a hash function to reduce ASCII passwords to a 256-bit string, and then be later stored at users computer and in the wireless access point. The 802.1x mode, also known as enterprise mode, is designed for enterprise networks and requires various types of Extensible Authentication Protocol (EAP) to communicate with an authentication server such as RADIUS authentication server. This will provide mutual authentication to both at the wireless station and the access point with the help of authentication server. Example types of EAP are EAP-PSK as an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK), and EAP-TLS that uses the Transport Layer Security (TLS) protocol. Addressing Issues with 802.11i Confidentiality and Data Integrity The IEEE 802.11i amendment defines two RSNA data confidentiality and integrity protocols: Temporal Key Integrity Protocol (TKIP) and Counter Mode with Cipher Block Chaining MAC Protocol (CCMP) (Frankel, Eydt, Owens, & Scarfone, 2007). The first encryption protocol is TKIP. TKIP has been developed to address vulnerabilities in WEP while allowing it to run on legacy WEP hardware with minor upgrades TKIP provides a rekeying mechanism, which can be curtained that every data packet is sent with a unique encryption key and also implements a sequence counter to protect against replay attacks. With this approach, any packets received out of order will be rejected by the access point. TKIP adds 64-bit Michael message integrity code (MIC) into key mixing operation. Key mixing increases the complexity of decoding the keys by giving an attacker substantially less data that has been encrypted using any one key. WPA2 also implements a new message integrity code, MIC. The message integrity check prevents forged packets from being accepted. This overcomes the vulnerability in WEP that it was possible to alter a packet whose content was known even if it had not been decrypted.

The other encryption protocol is CCMP. CCMP is used by 802.11i as an AESbased encryption mechanism that is stronger than TKIP. CCMP is the second data confidentiality and integrity protocol that may be negotiated as a cipher suite for the protection of user traffic in an RSNA. Like TKIP, CCMP was developed to address all known inadequacies of WEP; however, CCMP was developed without the constraint of requiring the use of existing hardware. CCMP is considered the long-term solution for the creation of RSNs for WLANs. It is mandatory for RSN compliance. CCMP is based on CCM, a generic authenticated encryption block cipher mode of AES.43 CCM is a mode of operation defined for any block cipher with a 128-bit block size. CCM combines two well-known and proven cryptographic techniques to achieve robust security. First, CCM uses CTR for confidentiality and Cipher Block Chaining MAC (CBC-MAC) for both authentication and integrity protection. CCMP protects the integrity of both the packet data and portions of the IEEE 802.11 header. CCM for IEEE 802.11 employs a single 128-bit session key (TK) to protect the duplex data channel (Frankel, Eydt, Owens, & Scarfone, 2007). Conclusion The following table illustrates samples critical issues that are introduced in the original 802.11 corresponding with solutions that 802.11i addresses. Issue on WEP in 802.11 No authentication in open-system authentication method Solution in WPA/802.11i Mutual authentication with EAP and capability to implement with authentication server AP is not authenticated Mutual authentication with EAP and capability to implement with authentication server Sending IV in clear-text Challenge-response are encrypted with PTK (and GTK for multicast) Short WEP/RC4 keys Rekey capability Key Management Weak encryption algorithm in RC4 Option to use RC4 with longer key and key concatenation and option to use AES-based encryption Vulnerable to replay attacks Use sequence number with key mix operation

In order to mitigate the risks of attack and enhance security measures over wireless network, a business should consider appropriate implementation 802.11i on its wireless networks. To do this, 802.11i-complaint devices must be considered for deployment, appropriate protocol, algorithm, and key length must also be defined, authentication servers may also considered, and these must be in line with organizations information security policy.

References EC-Council. (2010). Computer Forensics: Investigating Wireless Networks and Devices. Clifton Park, NY, USA: Cengage Learning. Frankel, S., Eydt, B., Owens, L., & Scarfone, K. (2007, February). Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (NIST Special Publication 800-97). Gaithersburg , MD, USA: National Institute of Standards and Technology. Jacobs, S. (2011). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. Hooken, New Jersey, USA: John Wiley & Sons, Inc. Karygiannis, T., & Owens, L. (2002, November). Wireless Network Security 802.11, Bluetooth and Handheld Devices (NIST Special Publication 800-48). Gaithersburg, MD, USA: National Institute of Standards and Technology. Phatak, O. (2011, October 11). 802.11N Vs. G. Retrieved from Buzzle: http://www.buzzle.com/articles/80211n-vs-g.html