CSA 585 Wireless Security

WLAN Security
Doc.dr.sc. Sabina Barakovi

Topics

Introduction to WLAN

Basics on WLANs

Wired Equivalent Privacy WEP

Attacks Targeting WLANs

WiFi Protected Access

Sarajevo, 2015

INTRODUCTION TO WLAN

Introduction to WLAN

WLAN is a network designed as an enhancement to wired LAN using radio technology

WLAN combines data connectivity with user mobility, while offering cost advantages over wired networks

A WLAN offers important advantages with respect to wired networks

A WLAN allows the mobile terminals to be fully mobile as long as they remain within the radio range

Setting up a WLAN network is an easy and fast process

A WLAN avoids the load of having cables between the mobile terminals

Introduction to WLAN

A WLAN has drawbacks

The power of the radio signal weakens with the distance to the WLAN access point
The functioning of the network is highly influenced by the environment it is expected to work in (absorption, reflection and interference of radio waves)
The data rate is often lower than the rate provided by wired networks, because of the limitation of the radio range, the possibility of interference, and the quasi-omnipresence of packet collisions
A WLAN does not allow transmitting and listening on the same channel at the same time (limitations of the medium)
The mobile terminals attached to a WLAN have limited batteries and computation power, which can generate high communication latency
WLANs are inherently less secure as data is transmitted over radio links

Security in WLAN

Security mechanisms implemented for WLAN systems are deployed at layers two and three

The mechanisms implemented at layer two aim to provide wired equivalent privacy

Several protocols have been developed; they differ appreciably from one WLAN technology to another

The security services provided at layer three include support for secure IP mobility, roaming between different domains, and user authentication

Security in WLAN
Security mechanisms are required to avoid threats in a cost-effective way
The most important security services that can be considered for
WLAN networks include confidentiality, authentication of users,
authentication of access points, data integrity, non-repudiation of
origin, non-repudiation of delivery, auditing and logging, denial of
service prevention, and traffic flow analysis prevention
This set of services can be complemented by mechanisms for host
security, data driven attack prevention, and organizational
security policies

BASICS OF WLANs

802.11

802.11 is the standard for wireless networking

Extensions to 802.11

802.11d adds additional regulatory domains for other countries

802.11e adds QoS enhancements for multimedia and VoIP

802.11f Inter-Access Point Protocol for roaming between base stations

802.11h adds dynamic frequency selection for Europe

802.11i adds security enhancements

802.11j same as 802.11h, but for Japan

WLAN Basic Infrastructure

DCF Basic Access Mechanisms

WIRED EQUIVALENT PRIVACY - WEP

Wired Equivalent Privacy - WEP

WEP is the security solution adopted by the early versions of the 802.11 standards

Provides a security level equivalent to the one provided by the wired LAN in terms of protection of network access

WLANs present two major security vulnerabilities:

Wireless signals are broadcast and may be easily eavesdropped

Connecting to a WLAN does not require physical access; malicious users may easily connect to APs

In order to address the WLAN vulnerabilities, the WEP protocol encrypts the transmitted messages and authenticates the mobile users before giving them access to the wireless LAN

WEP Vulnerabilities
WEP considers only the authentication of mobile stations without requiring the authentication of the AP
The authentication procedure is vulnerable to message injection attacks, thus enabling identity spoofing attacks
WEP does not define how to securely maintain a key base and renew the keys for better security (the same key is used for authentication and confidentiality services)
Complicated administration of keys at the AP
The integrity of the WEP encrypted messages is easily compromised
The WEP architecture does not integrate a mechanism for detecting replayed messages
The confidentiality of WEP encrypted messages can be easily compromised

ATTACKS TARGETING WLANs

Denial of Service Attacks

WLAN is vulnerable to network-level DoS attacks since it allows any client to associate

An 802.11 network is a shared medium and a malicious user can flood the network with traffic, denying access to other devices associated to the targeted access point

DoS in a WLAN can occur due to large file transfers or bandwidth-intensive applications

At the data-link layer, ubiquitous access to the medium again creates new opportunities for DoS attacks

With wired equivalent privacy (WEP) turned on, an attacker has access to the link layer information and can perform some DoS attacks
Without WEP, the attacker has full access to manipulate associations between the MS and AP

If the user is not using WEP, he/she is vulnerable to DoS attacks from spoofed APs

Man-in-the-Middle Attacks

Two main forms:

Eavesdropping: occurs when an attacker receives a data communication stream

Manipulation: an attacker has the ability to receive the victim's data and to retransmit the data after changing it

Message Modification and Injection

Messages encrypted by WEP can be modified without detection

Defense against the attack is to disallow the reuse of an initialization vector (IV) in multiple packets and require that all receivers enforce this restriction

802.11 does not do this, although it recommends it

Message Decryption

An attacker can decrypt messages sent over the air

The idea is to mislead the AP into decrypting some cipher-text for the attacker

IP redirection

The attack can be used when the WEP access point acts as an IP router with Internet connectivity

The idea is to sniff an encrypted packet off the air and use an attack to modify it so that it has a new
destination address that the attacker can control

The AP will decrypt the packet and send it to its new destination

The modified packet will flow from the WLAN to the Internet without being stopped by a firewall

Once it reaches the destination, the attacker can read the packet in the clear

The easiest way to modify the destination IP address is to figure out what the original destination IP address is and modify it

The attacker needs to ensure that the IP checksum in the modified packet is still correct

Message Decryption

Reaction attacks

Are performed when WEP is used to protect TCP/IP traffic

Do not require connection to the Internet

The attacker monitors the reaction of a recipient of a TCP packet and uses what he/she collects to infer information about the unknown plaintext

The attack relies on the fact that a TCP packet is accepted only if the TCP checksum is correct, and when it is accepted, an acknowledgment packet is sent in response

The acknowledgment packets are easily identified by their size, without requiring any effort of decryption

The reaction of the recipient will disclose whether the TCP checksum was valid when the packet was decrypted

WiFi PROTECTED ACCESS

WiFi Protected Access


The WiFi Alliance used the ready portions of the 802.11i standard to define WPA, to overcome the design weaknesses of the WEP architecture while proposing an effective key distribution method
WPA introduces the Temporal Key Integrity Protocol (TKIP), which adds a message integrity check, as it provides a good integrity level without requiring a lot of computing resources

Uses 128-bit keys and implements a key management method

Provides confidentiality and integrity services

Two versions of WPA:

WPA with per-user based security, designed for enterprises

WPA in pre-shared key mode, designed for consumers
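
Added example (not part of the original slides): a toy WEP-style encapsulation in Python showing why the unkeyed CRC-32 ICV lets a modified message pass the receiver's check, as the Message Modification and Injection slide states, while a keyed message integrity check of the kind WPA introduces rejects it. The key, IV, sample message and function names are constructed for illustration, and HMAC-SHA-256 stands in for TKIP's actual MIC algorithm.

```python
import hashlib
import hmac
import zlib

KEY, IV = bytes.fromhex("0102030405"), b"\x00\x00\x01"  # constructed 40-bit key, 24-bit IV
MIC_KEY = b"constructed-mic-key"                         # constructed integrity key

def rc4(key, data):
    """XOR data with the RC4 keystream for key (same call encrypts and decrypts)."""
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):                                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for byte in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(msg):  # WEP-style ICV: unkeyed CRC-32
    return zlib.crc32(msg).to_bytes(4, "little")

def keyed_mic(msg):  # keyed check: HMAC-SHA-256 stand-in, not TKIP's own MIC
    return hmac.new(MIC_KEY, msg, hashlib.sha256).digest()[:8]

def seal(msg, tag_fn):
    return IV + rc4(IV + KEY, msg + tag_fn(msg))

def unseal(frame, tag_fn):
    """Return the message if its integrity tag verifies, else None."""
    clear = rc4(frame[:3] + KEY, frame[3:])
    n = len(tag_fn(b""))
    return clear[:-n] if hmac.compare_digest(clear[-n:], tag_fn(clear[:-n])) else None

def altered_in_transit(frame, delta):
    """Keyless change: XOR delta into the body and the CRC difference into the tag."""
    fix = xor(crc_icv(delta), crc_icv(bytes(len(delta))))  # CRC-32 is affine over XOR
    return frame[:3] + xor(frame[3:], (delta + fix).ljust(len(frame) - 3, b"\0"))

def compare(original, altered):
    delta = xor(original, altered)
    return tuple(unseal(altered_in_transit(seal(original, f), delta), f) for f in (crc_icv, keyed_mic))

print(compare(b"reading=0021", b"reading=9921"))  # constructed sample message
```

The first element of the result is what a CRC-checking receiver accepts after the change; the second is what a receiver verifying the keyed check returns.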

Extensible Authentication Protocol - EAP

EAP defines the messages to exchange at the data link layer in order to authenticate users
Involves:
Lower layer - monitors the transmission and the reception of the data frames in the correct order between the peer and the authenticator
EAP layer - guarantees a reliable transmission of the EAP packets via the lower layer and delivers and receives EAP messages to and from the EAP peer and authenticator layers
EAP peer and authenticator layers - receive EAP packets and EAP responses
EAP method layer - implements the authentication algorithms and receives and transmits EAP messages via the EAP peer and authenticator layers; implements the authentication logic and determines whether the supplicant is a legitimate user

Comparison between WEP and WPA

IEEE 802.11i and WPA2

In addition to TKIP encryption and 802.1x/EAP authentication, supports the Advanced Encryption Standard (AES), which will secure the communication between mobile users operating in the ad hoc mode

May secure the devices implementing the IEEE 802.11b, IEEE 802.11a and IEEE 802.11g versions but requires a hardware upgrade

WPA and WPA2 Vulnerabilities

Weak password

WPA packet spoofing and decryption

WPS PIN recovery

MS-CHAPv2

Hole196

THANK YOU FOR ATTENTION!
