
IY5511 2008 2009 Lecture08


IY5511 – Network Security

M.Sc. in Information Security
Royal Holloway, University of London

Lecture 8
Wireless LAN Security

Objectives of Lecture

• Understand basics of physical layer options
available for wireless transmission.
• Study the security issues arising in wireless
LANs, in particular, those conforming to the
IEEE 802.11a, b and g standards.
• Discuss the continuing development of IEEE
security standards for wireless LANs, in
particular WPA and WPA2 in IEEE 802.11i.
• Understand countermeasures available to
further reduce threats in wireless LANs.

Contents

8.1 Wireless LAN physical layer technologies
8.2 IEEE 802.11 standards
8.3 Security of IEEE 802.11 Wireless LANs
8.4 Security issues specific to IEEE 802.11a, b
and g.
8.5 Recent developments in IEEE 802.11
security: IEEE 802.11i
8.6 Securing wireless LANs

8.1 WLAN Technologies

• It is often desirable to transmit more than one
signal through a medium.
• Multiplexing is the term used to describe
multiple transmitters sharing a medium.
• Three different approaches to multiplexing:
– Frequency division multiplexing (FDM)
– Time division multiplexing (TDM).
– Code division multiplexing (CDM).
• All widely used in wireless networking.

Frequency Division Multiplexing (FDM)
• Available frequency range of the medium is
divided into non-overlapping frequency bands.
• Each transmitter is assigned a frequency band
which can be used continuously.
• When using optical fiber, FDM is referred to as
wavelength division multiplexing (WDM).
• When frequencies are selected in a particular
way, we refer to Orthogonal FDM (OFDM).

[Figure: FDM, signals A, B and C shown on frequency and time axes.]

Time Division Multiplexing (TDM)

• Time is divided into a number of recurring slots.
• Each transmitter is assigned a time slot in
which the whole frequency range can be used.
• TDM used in GSM mobile phone standard.

[Figure: TDM, signals A, B and C shown on frequency and time axes.]

Code Division Multiplexing (CDM)
• All transmitters are allowed to transmit in the whole
frequency range all the time.
• Separation is achieved by encoding each signal with a
special code that is designed to minimise interference
between transmitters.
• A receiver can extract the signal for each transmitter
from the combined signal of all transmitters.

[Figure: CDM, signals A, B and C shown on frequency and time axes.]

Spread Spectrum

• In environments where interference is a large
problem (e.g. wireless LANs), spread spectrum
techniques are often used.
• Spread spectrum techniques use a larger
bandwidth than the original signal to protect
against:
– Narrow band interference,
– Frequency selective fading,
– Multi-path interference.

Spread Spectrum

• Frequency hopping spread spectrum (FHSS)
– Divides frequency range into channels and time into
slots.
– A combination of TDM and FDM.
– Used in the Bluetooth standard.
• Direct sequence spread spectrum (DSSS)
– Uses a special “code” (bit sequence) to spread signal
to whole frequency range.
– Essentially same as CDM, also known as Code
Division Multiple Access (CDMA).
– Used in IEEE 802.11b.

Spread Spectrum Properties
• Spread spectrum signals can share frequency with
existing services.
– Prime example is unregulated ISM band.
• The wide bandwidth of the signals provides
protection against a variety of noise types.
• The data rate may be varied to adapt gracefully to
changing load conditions.
• May offer some form of inherent security.
– Signals involve low energy across a wide spectrum.
– Anti-jamming.
– Widely used in military applications prior to adoption in
civilian applications.
– But needs careful design of hopping sequences/CDMA
code sequences.

8.2 IEEE 802.11 Standards
• IEEE 802 is a dominant collection of networking
standards developed by IEEE.
– E.g. IEEE 802.3 specifies the physical and data link layer
properties of Ethernet.
• IEEE 802.11 is a family of standards for wireless LANs.
– Provides protocols at Layer 1 & Layer 2 of OSI model.
– Baseline IEEE Std 802.11-1997 was approved in June 1997.
• Offering 1 Mbps and 2Mbps rates.
• Typical indoor range of 20m.
– Current standard is IEEE Std 802.11-2007.
• Includes various enhancements and extensions developed by
IEEE 802.11 working groups (a,b,d,e,g,h,i,j).
• Supports various operating frequencies (2.4GHz, 5GHz), national
operating requirements, data transfer speeds,…

802.11b, 802.11g, 802.11n
• 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
– DSSS as physical layer.
– Dynamic rate shifting.
– Maximum specified range 100 metres.
– Average throughput of ~4Mbps, range of 30-40m (indoor).
• 802.11g ratified in 2002.
– Supports up to 54Mbps in 2.4GHz range.
– Backwards-compatible with 802.11b.
– Average throughput of ~20 Mbps, range of 30-40m (indoor).
• 802.11n aiming for final approval in late 2009.
– Aiming for typical 75Mbps and maximum of 300Mbps.
– Range of 70m (indoor).
– Products already appearing, based on draft standard.

Wi-Fi Alliance

• WECA (Wireless Ethernet Compatibility
Alliance).
– Renamed Wi-Fi Alliance in 2000.
– Promotion of interoperability for 802.11 products.
– 300+ members.
– Runs certification programme for Wi-Fi products.

802.11 Components

• Two pieces of equipment defined:
– Wireless station
• A desktop or laptop PC or PDA with a wireless NIC.
– Access point
• A bridge between wireless and wired networks
• Composed of
– Radio
– Wired network interface (usually 802.3)
– Bridging software
• Aggregates access for multiple wireless stations to wired
network.

802.11 Modes
• Infrastructure mode
– Basic Service Set
• One access point
– Extended Service Set
• Two or more BSSs forming a single subnet.
– Corporate WLANs operate in this mode.
• Ad-hoc mode
– Also called peer-to-peer.
– Independent Basic Service Set.
– Set of 802.11 wireless stations that communicate
directly without an access point.
• Useful for quick & easy wireless networks.

Infrastructure Mode

[Figure: access point and stations. Basic Service Set (BSS) – single cell; Extended Service Set (ESS) – multiple cells.]

Ad-hoc Mode

[Figure: Independent Basic Service Set (IBSS).]

802.11 Physical Layers
• Original standard 802.11-1997 standardised
three alternative physical layers.
– Two spread-spectrum methods in 2.4GHz Industrial-
Scientific-Medical (ISM) band
• Frequency Hopping Spread Spectrum (FHSS) on 75
channels.
• Direct Sequence Spread Spectrum (DSSS) using up to 14
channels.
– One infrared physical layer.
• 802.11a standard defined a physical layer for
the 5GHz band.
– Using OFDM as the modulation technique.
– OFDM also later adopted in 802.11g.

802.11 Data Link Layer
• Layer 2 split into:
– Logical Link Control (LLC).
– Media Access Control (MAC).
• LLC – uses same 48-bit addresses as 802.3 (Ethernet).
• MAC – CSMA/CD not possible.
– Can’t listen for collision while transmitting.
• Instead use CSMA/CA – Collision Avoidance.
– Sender waits for clear air, waits random time, then sends data.
– Receiver sends explicit ACK when data arrives intact.
– Also handles interference.
– But adds significant communications overhead.
– Hence 802.11 always slower than equivalent 802.3 network.

Hidden nodes

RTS/CTS

To handle hidden nodes:
• Sending station sends “Request to Send”.
• Access point responds with “Clear to Send”.
• All other stations hear this and delay any
transmissions.
• Only used for larger pieces of data.
– When retransmission may waste significant time.

Joining a BSS

• When 802.11 client enters range of one or
more APs:
– APs send beacons.
– AP beacon can include SSID.
– AP chosen on signal strength and observed error
rates.
– After AP accepts client.
• Client tunes to AP channel.
• Periodically, all channels surveyed.
– To check for stronger or more reliable APs.
– If found, may reassociate with new AP.

Access Point Roaming

[Figure: access points on Channel 1, Channel 4, Channel 9 and Channel 7.]

Roaming and Channels

• Reassociation with APs:
– Moving out of range.
– High error rates.
– High network traffic.
• Allows load balancing.
• Each AP has a channel.
– Up to 14 partially overlapping channels.
– Only three channels have no mutual overlap.
• Best for multicell coverage.

8.3 Security of IEEE 802.11 Wireless LANs

Open System Authentication:
• Relies on Service Set Identifier (SSID).
• Station must specify SSID to Access Point
when requesting association.
• Multiple APs with same SSID form Extended
Service Set.
• APs can broadcast their SSID as a beacon.
• Some clients allow * as SSID.
– Associates with strongest AP regardless of SSID.

SSID Hiding

• AP can choose not to transmit SSID in its
beacons.
• Can still attack APs that don’t transmit SSID:
– Send deauthenticate frames to client.
– SSID then captured when client sends
reauthenticate frames containing SSID.
– Implemented in essid_jack tool.
• Open System Authentication only provides
trivial level of security.
– Even with SSID hiding.
– cf. SNMPv1 community string mechanism.

MAC ACLs

• Access points may have Access Control Lists
(ACLs).
• ACL is a list of allowed MAC addresses.
– E.g. only allow access to:
• 00:01:42:0E:12:1F
• 00:01:42:F1:72:AE
• 00:01:42:4F:E2:01
• But MAC addresses are sniffable and
spoofable.
• Hence MAC ACLs are of limited value.
– Will not prevent determined attacker.

Interception Range

[Figure: Basic Service Set (BSS), single cell, with a station outside the building perimeter; distance label: 100 metres.]

Interception

• Wireless LAN uses radio signal.
• Not limited to physical building.
• Signal is weakened by:
– Walls;
– Floors;
– Interference.
• Directional antenna allows interception over
longer distances.
– Record is 124 miles for an unamplified 802.11b
signal (using a 4 metre dish).

Directional Antennae

• Directional antenna provides focused reception.
• DIY plans available, using:
– Aluminium cake tins;
– Chinese cooking sieves.

– http://www.saunalahti.fi/~elepal/antennie.html
– http://www.usbwifi.orcon.net.nz/

WarDriving
• Software:
– e.g. NetStumbler, Kismet, Kismac.
• Laptop with appropriate 802.11 card.
• Optional Global Positioning System receiver.
• Logging of MAC address, network name, SSID,
manufacturer, channel, signal strength, noise (GPS –
location).
• Legality?
– Detecting presence and configuration of APs not an offence.
– Attempting to connect to someone else’s AP may be.
– Using someone else’s AP to obtain network access is an
offence (in many legal jurisdictions).

WarDriving Results

• San Francisco, 2001
– Maximum 55 miles per hour.
– 1500 Access Points
– 60% in default configuration.
– Most connected to internal backbones.
– 85% use Open System Authentication.
• Commercial directional antenna
– 25 mile range from hilltops.

WarDriving Map

[Figure: wardriving map. Source: www.dis.org/wl/maps/]

Worldwide War Drive 2004

• Fourth and last worldwide war drive
– www.worldwidewardrive.org no longer operational.
• 228,537 Access points.
• 82,755 (35%) with default SSID.
• 140,890 (60%) with Open System Authentication.
• 62,859 (27%) with both, probably default
configuration.

• (My street: 10 access points, none using Open
System Authentication, some default SSIDs.)

War Driving Prosecutions

• February 2004, Texas, Stefan Puffer acquitted
of wrongful access after showing an
unprotected county WLAN to officials.
– http://www.theregister.co.uk/2003/02/24/ethical_wireless_hacker_is_innocent/
• June 2004, Michigan, Lowes DIY store
– Salcedo convicted for stealing credit card numbers
via unprotected WLAN, received 9 year sentence.
– Botbyl convicted for checking email & web browsing
via unprotected WLAN, received 26 month
sentence.

War Driving Prosecutions
• June 2004, Connecticut, Myron Tereshchuk
guilty of drive-by extortion via unprotected
WLANs.
– “Make the check payable to Myron Tereshchuk”.
– 63 month prison sentence.

• July 2005, London, Gregory Straszkiewicz
found guilty of dishonestly obtaining a
communications service.
– Warwalking in Ealing, West London
– £500 fine and 12 month suspended sentence under
Communications Act (2003).
– http://news.bbc.co.uk/1/hi/technology/4721723.stm

Further Issues

• Access Point configuration.
– Mixtures of SNMP, web, serial, telnet.
• Default community strings, default passwords.
• Evil Twin Access Points.
– Stronger signal, capture user authentication.
• Renegade Access Points.
– Unauthorised wireless LANs.

8.4 Security Issues Specific to IEEE 802.11a, b and g

IEEE 802.11a, b and g provide two main
security services:

• Encryption
– Wired Equivalent Privacy (WEP).

• Entity Authentication
– Shared Key Authentication, based on challenge-
response protocol building on WEP algorithm.

Wired Equivalent Privacy (WEP)

• Shared key between stations and an Access
Point.
– All Access Points will have same shared key in ESS.
• Key used in stream cipher to encrypt WLAN
traffic.
• No key management.
– Shared key entered manually into wireless stations
and Access points.
– Key never expires.
– Key management problems in large wireless LANs.
– Hence many WLANs do not enable WEP.

WEP Stream Cipher

• WEP uses RC4 stream cipher
– Proprietary to RSA Security Inc.
– Designed in 1987 by Ron Rivest.
– Trade secret until reverse-engineered in 1994.
• RC4 can use key sizes from 1 bit to 2048 bits.
– WEP typically uses 40-bit key.
• RC4 algorithm generates a stream of pseudo-
random bits.
– Using key and Initialisation Vector (IV) as input.
– Called the key-stream.
– Key-stream is XORed bit-by-bit with frame data.

WEP – Sending
• Compute Integrity Check Vector (ICV).
– 32-bit Cyclic Redundancy Check (CRC).
– Keyless algorithm, specified in IEEE standard.
– Appended to message to create plaintext for encryption.
• Plaintext then encrypted using RC4 stream cipher.
– RC4 is initialised with
• 40-bit secret key
• 24-bit initialisation vector (IV)
– RC4 generates the key-stream as function of these 64 bits.
– Key-stream XORed with plaintext to generate ciphertext.
• Ciphertext is transmitted along with IV.

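WEP Encryption

[Figure: WEP encryption. Initialisation Vector (IV) || secret key is input to RC4, which outputs the key-stream; plaintext || 32-bit CRC is XORed (⊕) with the key-stream to give the ciphertext, which is sent with the IV.]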

WEP – Receiving
• Ciphertext is received.
• Ciphertext decrypted using RC4 stream cipher.
– RC4 initialised with:
• 40-bit secret key;
• 24-bit initialisation vector (IV) from start of ciphertext.
– RC4 generates key-stream as function of these 64 bits.
– Key-stream XORed with ciphertext to recover plaintext.
• Check ICV
– Separate plaintext to obtain ICV and message.
– Compute expected ICV for message.
– Compare with received ICV.

Shared Key Authentication

• Station requests association with AP.
• AP sends challenge to station.
• Station encrypts challenge using WEP to
produce response.
– Uses RC4, 40-bit shared secret key & 24-bit IV
selected by station.
• Response received by AP, decrypted by AP
and result compared to initial challenge.
• Challenge-response protocol of type discussed
in Lecture 3.

WEP Safeguards
• Shared secret key required for:
– Associating with an access point.
– Sending data.
– Receiving data.
• Messages are encrypted.
– Confidentiality.
• Messages have checksum.
– Intended to provide integrity.
• But management traffic still broadcast in clear
containing SSID.
• And other critical vulnerabilities….

Insecurity of Shared Key Authentication

• Rogue station records run of authentication protocol.
• Uses known plaintext (challenge) to compute portion of
key-stream for the (known) IV.
– Recall that C = P XOR key-stream.
• Rogue station can now respond to any future
authentication challenge from AP.
– Rogue receives fresh challenge.
– Wireless station gets to choose IV in protocol.
– But same IV (and same secret key) means that RC4 produces
the same key-stream bits.
– Hence rogue who repeats IV can reuse old key-stream portion
to encrypt, producing correct response.
• A stream cipher is a very poor choice as an encryption
primitive in an authentication protocol.

Initialisation Vector

• IV should be different for every message
transmitted.
• But 802.11 standard doesn’t specify how IV is
calculated.
• Wireless cards use several methods:
– Some use a simple ascending counter for each
message.
– Some switch between alternate ascending and
descending counters.
– Some use a pseudo-random IV generator.

Passive WEP Attack

• If 24-bit IV is an ascending counter, and if
Access Point transmits at 11 Mbps, then all IVs
are exhausted in roughly 5 hours.
• Passive attack:
– Attacker collects all traffic.
– Attacker will eventually collect two messages
encrypted with same key and same IV.
– Statistical attacks may then reveal plaintext:
XOR of ciphertexts = XOR of plaintexts.
– Very hard to extract plaintexts this way in reality.
– Much better attacks are available against WEP…

Active WEP Attacks

• If attacker knows plaintext/ciphertext pair and
IV:
– Corresponding key-stream is then known.
– (This was the basis of attack on authentication
protocol.)
– Now attacker can create correctly encrypted
messages by repeating IV.
– Access Point is deceived into accepting messages.
– And short key-streams are obtained for free by
observing runs of the authentication protocol!

Active WEP Attacks
• Bit-flipping:
– Flip a bit in ciphertext.
– Either changes 0 to 1 or 1 to 0 in plaintext.
• As with all stream ciphers.
– What about CRC-32?
– Bits of CRC-32 are linear functions of the message
bits.
• Consequence is that change needed to correct CRC-32
field after flipping bits in ciphertext/plaintext can be easily
computed.
– So can “repair” ICV after bit-flipping.
– ICV does not provide any cryptographic integrity
protection.
• Encrypting it doesn’t help in this case.
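
The slides "WEP – Sending", "WEP – Receiving", "Insecurity of Shared Key Authentication" and the bit-flipping slide above can be checked on a locally constructed frame. This is an added teaching example, not code from the lecture; the key, IV, payload and challenge are constructed values, and the frame is reduced to IV || ciphertext.

```python
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return the first n key-stream bytes RC4 produces under `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # key-stream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(msg: bytes) -> bytes:
    """WEP ICV: keyless CRC-32 of the message, little-endian."""
    return struct.pack("<I", zlib.crc32(msg))


def wep_send(key: bytes, iv: bytes, msg: bytes) -> bytes:
    plaintext = msg + icv(msg)
    keystream = rc4(iv + key, len(plaintext))  # RC4 input = 24-bit IV || secret key
    return iv + xor(plaintext, keystream)      # IV is transmitted in the clear


def wep_receive(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    msg, received = plaintext[:-4], plaintext[-4:]
    if icv(msg) != received:
        raise ValueError("ICV check failed")
    return msg


def keystream_of(frame: bytes, known_msg: bytes) -> bytes:
    """C = P XOR key-stream, so a known P yields the key-stream for this IV."""
    return xor(frame[3:], known_msg + icv(known_msg))


def icv_repair_mask(delta: bytes) -> bytes:
    """Ciphertext mask that applies `delta` to the message and repairs the ICV.

    CRC-32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0) for equal lengths.
    """
    return delta + xor(icv(delta), icv(bytes(len(delta))))


def demo():
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    iv = bytes.fromhex("a1b2c3")               # constructed 24-bit IV
    msg = b"\xaa\xaa\x03\x00\x00\x00reading=0100"  # constructed payload
    frame = wep_send(key, iv, msg)
    assert wep_receive(key, frame) == msg

    # Key-stream reuse: the key-stream learned from one known frame encrypts
    # a different message under the same IV, and the receiver accepts it.
    ks = keystream_of(frame, msg)
    challenge = bytes(range(16))               # constructed "fresh" challenge
    response = iv + xor(challenge + icv(challenge), ks)
    reuse_accepted = wep_receive(key, response) == challenge

    # Bit-flipping: change '0' to '9' at offset 14 and repair the ICV; the
    # secret key is never used, yet the receiver's ICV check passes.
    delta = bytearray(len(msg))
    delta[14] = ord("0") ^ ord("9")
    tampered = frame[:3] + xor(frame[3:], icv_repair_mask(bytes(delta)))
    return reuse_accepted, wep_receive(key, tampered)


if __name__ == "__main__":
    print(demo())
```

Both checks succeed without knowledge of the key, which is why a keyed MAC and per-packet keys were needed in the replacement designs.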

Limited WEP Keys

• Some vendors allow limited WEP keys.
– User types in a pass-phrase.
– WEP key is generated from pass-phrase.
– Pass-phrase creates as few as 21 bits of entropy in
40-bit key.
• Reduces key strength to 21 bits; 2^21 = 2,097,152.
• 21-bit key can be brute forced in minutes.
– www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

Brute Force Key Attack

• Capture ciphertext.
– IV is included in message.
• Search all 2^40 possible secret keys.
– A few days on a modern laptop.
• Select key that decrypts ciphertext to a
meaningful plaintext.
– WLAN logical link control layer frames have well-
defined format.
– E.g. first two bytes are always AA, AA (hex).
– Automated recognition of correct key is possible.
• 40-bit keys do not provide adequate security.

128-bit WEP

• Vendors have extended WEP to 128-bit keys.
– 104-bit secret key.
– 24-bit IV.
• Brute force now infeasible.
• Effectively safeguards against brute force
attacks.
• But …

The FMS Attack
Paper from Fluhrer, Mantin, Shamir, 2001.
• http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
• Detailed analysis of several features of RC4 key
scheduling algorithm.
• Main result of interest to us:
– If the RC4 key is composed from a known IV and an unknown
secret part by concatenation;
– And if the attacker knows the first byte of key-stream for
enough different IVs;
– Then the whole RC4 key can be determined in a statistical
attack.
– Attack only makes use of some of the IVs – so-called “weak”
IVs.

The FMS Attack (2)
• In WEP, RC4 key material is composed by combining
known IV with 40/104-bit secret key.
• And initial byte of key-stream is known because of fixed
802.11 frame format.
• So the FMS method is applicable to RC4 as used in
WEP.
• The FMS attack is practical for 40-bit and 128-bit keys.
– Complexity of attack grows only linearly with key size rather
than exponentially.
• The attack is passive.
– Non-intrusive.
– No warning that it is being conducted.

Wepcrack

• First tool to demonstrate FMS attack using IV
weakness.
– Open source, Anton Rager.
• Three components
– Weaker IV generator.
– Search sniffer output for weaker IVs & record 1st
byte.
– Cracker to combine weaker IVs and selected 1st
bytes.
• Cumbersome.

Airsnort

• Automated tool for mounting FMS attack
– Cypher42, Minnesota, USA.
– Sniffs, searches for weaker IVs, records encrypted
data,…
– Until key is derived.
• Needs 5-10 million packets.
• Perhaps 3 to 4 hours on a very busy WLAN.

• See also: Aircrack.

The FMS Attack (3)
• FMS attack uses a particular class of IVs.
– Most IV values are not useful in the FMS analysis.
– Many manufacturers avoided the “weak” IVs after 2002.
– Therefore attack tools using basic FMS may not work on
recent hardware.
• However David Hulton (aka h1kari), KoreK, Tews-
Weinmann-Pyshkin and others have extended the FMS
attacks:
– Extended sets of weak/weakish IVs.
• e.g. leaking RC4 key into second byte of key-stream.
– And new cryptanalytic techniques.
– Much faster key recovery than the original FMS attack is now
possible.
• As little as 60s of traffic and 2^20 RC4 key setups.
• See, e.g., http://eprint.iacr.org/2007/120.pdf for details.

Generating WEP Traffic

• Not capturing enough traffic for FMS attack?
– Capture encrypted ARP request packets.
– Anecdotally lengths of 68, 118 and 368 bytes appear
appropriate.
– Replay encrypted ARP packets to generate
encrypted ARP replies.
– These replies provide more traffic, potentially with
IVs indicating weak keys.
– Aireplay implements this.

WEP – Last Words

• The WEP authentication protocol is trivially
breakable.
• The WEP encryption method is severely
weakened by FMS and related attacks.
• Yet WEP is still very widely used.
– Recent survey of 490 APs by Tews et al. (March
2007) showed 22% of WLANs using no encryption,
and 46% using WEP.
• Legacy hardware.
• Ignorance? Lack of incentive to change?

8.5 Recent Developments
• The IEEE 802.11 community has responded to the
many security problems identified in WEP.
• Intermediate solution: Wi-Fi Protected Access (WPA).
• Longer-term solution: WPA2.
• WPA and WPA2 are standardised in IEEE 802.11i
– The output of a working group tasked with improving the
security of 802.11 family.
– First published in 2004, but drafts available much earlier.
• IEEE 802.11i specification itself is now incorporated
into 802.11-2007 standard.
• WPA widely implemented, WPA2 becoming more
common.
– E.g. in survey of Tews et al., 32% of networks using WPA or
WPA2.

WPA
• Wi-Fi Protected Access (WPA)
– Works with 802.11b, a and g.
– An intermediate solution to address WEP’s problems.
– Existing hardware can still be used; only firmware upgrade
needed.

• WPA introduced new authentication protocol, improved
integrity protection measure and per-packet keys.
– To provide stronger authentication than in WEP.
– To prevent spoofing attacks (recall bit flipping on WEP CRC).
– To prevent FMS-style attacks.

WPA – TKIP

• WPA introduced TKIP: Temporal Key Integrity
Protocol.
– TKIP uses a 128-bit per packet encryption key.
• Derived from: Pairwise Transient Key (PTK), MAC
addresses, 48-bit TKIP sequence counter (TSC).
• PTK itself is derived from PMK, MAC addresses and
nonces exchanged during authentication protocol.
• PMK is either a fixed key or is obtained via 802.1X
authentication framework (see later).

WPA – TKIP
• TKIP introduces a special-purpose 8-byte MAC
algorithm called “Michael” to replace WEP’s CRC.
– A MAC algorithm with 64-bit keys derived from PTK.
– Uses different keys in each direction (S to AP, AP to S).
– With packet serial number, prevents packet replays.
– Constrained design to work with existing hardware
• 5 instructions per byte.
– Known to have several security weaknesses, but raises bar
considerably compared to WEP.
• Hence 802.11i standard dictates counter-measures to handle
active attacks against Michael.
• Essentially block traffic if 2 MAC failures seen in 60s period.
• These in turn lead to DoS attacks against WPA…

WPA – TKIP

[Figure: TKIP frame format, with regions marked “Encrypted” and “Integrity Protected”. Fields: 802.11 Header | IV / KeyID (4 bytes) | Extended IV (4 bytes) | Data (>0 bytes) | MIC (8 bytes) | ICV (4 bytes). Sub-fields shown: TSC1, WEPSeed[1], TSC0, Reserved, Ext IV, Key ID (bit labels b0, b4, b5, b6, b7), TSC2, TSC3, TSC4, TSC5.]

“WEPSeed[1] is not used to construct the TSC, but is set to (TSC1 | 0x20) & 0x7f”

WPA – Authentication Protocol
• WPA also introduced a new authentication protocol to
replace the one used in WEP.
– Called the 4-way handshake.
– Protected negotiation of capabilities (WEP, WPA, WPA2, …)
– Exchange of nonces and MACs on nonces to provide mutual
authentication.
• MACs computed using key derived from PMK.
• PMK is fixed across BSS/ESS or obtained from 802.1X protocol
execution before 4-way handshake.
– PTK used in WPA is then derived from PMK, nonces and MAC
addresses of protocol participants.
• Using a PRF based on HMAC-SHA-1.
– Variants of this approach are used to handle group keying and
peer-to-peer keying.
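
The key hierarchy and MAC exchange described above, as an added example that is not part of the original lecture: PMK from a pass-phrase (pre-shared mode), PTK from PMK, nonces and MAC addresses via the HMAC-SHA-1 PRF, and both sides checking each other's MIC. The PBKDF2 parameters and the "Pairwise key expansion" label come from IEEE 802.11i; the addresses, SSID and simplified message bodies are assumptions made for the example.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pre-shared mode: PMK = PBKDF2-HMAC-SHA-1(pass-phrase, SSID, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA-1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from PMK, both MAC addresses and both nonces (order-independent)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16],        # key confirmation key: MACs handshake messages
            "kek": ptk[16:32],      # key encryption key: protects group key delivery
            "tk": ptk[32:48],       # temporal key for TKIP / CCMP
            "michael": ptk[48:64]}  # two 64-bit Michael keys, one per direction


def mic(kck: bytes, message: bytes) -> bytes:
    """Handshake MAC: HMAC-SHA-1 truncated to 128 bits (WPA with TKIP uses HMAC-MD5)."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes):
    """Run both sides; return (AP TK, station TK), or None if a MIC check fails.

    Message bodies are simplified placeholders, not real EAPOL-Key frames.
    """
    ap_mac = bytes.fromhex("020000000001")   # constructed addresses
    sta_mac = bytes.fromhex("020000000002")
    anonce = os.urandom(32)                  # message 1: AP -> station, ANonce
    snonce = os.urandom(32)
    sta = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    msg2 = b"2" + snonce                     # message 2: station -> AP, SNonce + MIC
    mic2 = mic(sta["kck"], msg2)
    ap = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(mic(ap["kck"], msg2), mic2):
        return None                          # AP: station does not hold the PMK
    msg3 = b"3" + anonce                     # message 3: AP -> station, MIC
    mic3 = mic(ap["kck"], msg3)
    if not hmac.compare_digest(mic(sta["kck"], msg3), mic3):
        return None                          # station: AP does not hold the PMK
    return ap["tk"], sta["tk"]               # message 4 (acknowledgement) omitted


if __name__ == "__main__":
    pmk = pmk_from_passphrase("correct horse battery staple", "ExampleNet")
    print(four_way_handshake(pmk, pmk) is not None)
```

In pre-shared mode everything above is a deterministic function of the pass-phrase, the SSID and values sent in the clear, so the strength of the whole hierarchy rests on the entropy of the pass-phrase.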

Practical WPA attacks

• Dictionary attack on pre-shared key mode
– Attack first proposed by Robert Moskowitz.
– Works if PMK has low entropy (e.g. derived from
pass-phrase).
– Implemented in CoWPAtty (Joshua Wright).
• Denial of service attack
– If WPA equipment sees two packets with invalid
MICs in 1 second, then:
• All clients are disassociated.
• All activity stopped for one minute.
• So two malicious packets per minute is enough to stop a
wireless network.

WPA2

• Supersedes WPA’s interim solution to WEP
issues but does require new hardware.
• Main features:
– Use of 128-bit AES-CCMP (AES Counter Mode with
Cipher Block Chaining Message Authentication
Code) for confidentiality and integrity.
– Pre-shared mode and 802.1X for key management
(as in WPA).
• And pre-shared mode has same dictionary attack issue as
WPA.
– Use of 4-way handshake for distributing AES-CCMP
keys.

WPA2 – AES-CCMP
• Basically, counter-mode encryption of AES combined
with CBC-MAC, also using AES.
– Careful design to allow integrity protection of associated
(header) data.
– 128-bit keys derived from 4-way handshake protocol.
– Uses 48-bit sequence number to detect and reject replays.
• CCMP is relatively expensive to implement, but not
patent-encumbered.
– Unlike earlier proposal OCB considered by 802.11i.
– CCMP is a two-pass construction.
• CCMP defined in RFC 3610.
– Designed by Whiting, Ferguson and Housley, supported by
formal security analysis of Jonsson (Eurocrypt 2002).

WPA/WPA2 and IEEE 802.1x

• IEEE 802.1x provides an authentication
framework that can be used to supplement
IEEE 802.11i.
– A general-purpose network access control and
authentication mechanism.
• Not part of 802.11i, but 802.11i designed to
inter-operate with it.
• Allows re-use of deployed RADIUS and
DIAMETER enterprise authentication systems
for wireless LAN authentication.
– And also integration with LDAP, COPS,…

WPA/WPA2 and IEEE 802.1x
• Uses Extensible Authentication Protocol (EAP,
RFCs 3748, 5247).
– With back-end server making the authentication
decision
– EAP is a transport for authentication, not
authentication itself.
• EAP provides no additional protection to authentication
protocol.
• Known problems with key binding attacks.
– EAP allows re-use of existing authentication
methods over a data link layer.
• E.g. EAP-TLS specified in RFC 5216.
• E.g. PEAP (PEAPv0/EAP-MSCHAPv2) from Cisco,
Microsoft and RSA Security – widely supported by vendors.

Further Security Issues
• IEEE 802.11i only specifies protection for data frames.
• 802.11 has many control frames that would benefit
from forgery and/or confidentiality protection as well:
– 802.11e QoS negotiations;
– 802.11k radio resource measurements;
– 802.11u control frames;
– Disassociation, deauthenticate frames.
• The lack of protection for the last of these allows trivial
DoS attacks against WPA/WPA2 networks.
• IEEE 802.11w was established to address these
problems.
– Still in early stages of its work.

8.6 Securing Wireless LANs

Additional counter-measures:
• Security Policy
• Treat as untrusted LAN
• Discover unauthorised use
• Access point audits
• Station protection
• Access point location
• Antenna design

Security Policy & Architecture

• Define use of wireless network:
– What is allowed;
– What is not allowed;
– Who can operate a WLAN;
– And consequences of breaking policy.

Wireless as Untrusted LAN

• Treat wireless as untrusted
– Similar to Internet.
• Firewall between WLAN and Backbone.
• Extra authentication required.
• Intrusion Detection
– at WLAN / Backbone junction.
• Vulnerability assessments.

Discover Unauthorised Use
• Search for unauthorised access points, ad-hoc
networks or clients.
• Port scanning
– For unknown SNMP agents.
– For unknown web or telnet interfaces.
• Warwalking!
– Sniff 802.11 packets,
– Identify IP addresses,
– Detect signal strength,
– But may sniff your neighbours…
• Wireless Intrusion Detection
– AirMagnet, AirDefense, Trapeze, Aruba,…

Access Point Audits

• Review security of access points.
• Are passwords and community strings secure?
• Use Firewalls & router ACLs
– Limit use of access point administration interfaces.
• Standard access point config:
– SSID,
– WEP keys,
– Community string & password policy.

Station Protection

• Personal firewalls
– Protect the station from attackers.
• VPN from station into Intranet
– End-to-end encryption into the trusted network.
– But consider roaming issues.
• Host intrusion detection
– Provide early warning of intrusions onto a station.
• Configuration scanning
– Check that stations are securely configured.

Location of Access Points

• Ideally locate access points.
– In centre of buildings.
• Try to avoid access points
– By windows,
– On external walls,
– Having line of sight to outside.
• Use directional antenna to “point” radio signal.

Wireless IDS/IPS
• Sensors deployed in WLAN.
• Monitoring to detect:
– Unauthorised clients by MAC address;
• Accidental
• Malicious
– Ad-hoc mode networks;
– Unauthorised access points;
– Policy violations.
• Possible to identify approximate locations.
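
A sketch of the monitoring logic listed above, run over constructed sensor records. It is an added example, not taken from the lecture or from any of the named products; the inventory, the policy set, the record layout and the finding names are all assumptions.

```python
AUTHORISED_APS = {                      # BSSID -> SSID (constructed inventory)
    "02:00:00:00:00:01": "corp-wlan",
    "02:00:00:00:00:02": "corp-wlan",
}
AUTHORISED_CLIENTS = {"02:00:00:00:10:01", "02:00:00:00:10:02"}
ALLOWED_ENCRYPTION = {"WPA2"}           # assumed site policy

# Constructed sensor records, one per observed network.
OBSERVATIONS = [
    {"bssid": "02:00:00:00:00:01", "ssid": "corp-wlan", "mode": "infrastructure",
     "enc": "WPA2", "clients": ["02:00:00:00:10:01"]},
    {"bssid": "02:00:00:00:00:02", "ssid": "corp-wlan", "mode": "infrastructure",
     "enc": "WEP", "clients": ["02:00:00:00:10:02", "02:00:00:00:99:09"]},
    {"bssid": "02:00:00:00:AA:01", "ssid": "corp-wlan", "mode": "infrastructure",
     "enc": "OPEN", "clients": []},
    {"bssid": "02:00:00:00:bb:01", "ssid": "default", "mode": "infrastructure",
     "enc": "OPEN", "clients": ["02:00:00:00:10:01"]},
    {"bssid": "02:00:00:00:cc:01", "ssid": "printer-share", "mode": "ad-hoc",
     "enc": "OPEN", "clients": []},
]


def analyse(observations):
    """Return (finding, MAC address) pairs for the conditions a WLAN sensor watches.

    MAC addresses are spoofable, so a match against the inventory is only a
    first filter; a finding is a lead for an access point audit, not proof.
    """
    findings = []
    own_ssids = set(AUTHORISED_APS.values())
    for obs in observations:
        bssid = obs["bssid"].lower()
        clients = [c.lower() for c in obs["clients"]]
        if obs["mode"] == "ad-hoc":
            findings.append(("ad-hoc-network", bssid))
        elif bssid in AUTHORISED_APS:
            # Known access point: check its configuration and who is attached.
            if obs["enc"] not in ALLOWED_ENCRYPTION:
                findings.append(("policy-violation", bssid))
            findings += [("unauthorised-client", c) for c in clients
                         if c not in AUTHORISED_CLIENTS]
        else:
            # Unknown access point: using our SSID suggests an evil twin.
            kind = "evil-twin-candidate" if obs["ssid"] in own_ssids else "unauthorised-ap"
            findings.append((kind, bssid))
            findings += [("client-on-foreign-ap", c) for c in clients
                         if c in AUTHORISED_CLIENTS]
    return findings


if __name__ == "__main__":
    for finding in analyse(OBSERVATIONS):
        print(finding)
```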

Further Reading
• www.drizzle.com/~aboba/IEEE/
– Good website providing links to many articles, standards, etc,
concerning WLAN security.
• http://standards.ieee.org/getieee802/802.11.html
– Free download of IEEE 802.11-2007.
– Warning: 1200 pages!
– Chapter 8 (pp. 155-250) concerns security.
• http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
– Free download of IEEE 802.1X-2004.
• http://eprint.iacr.org/2007/471.pdf
– Diploma thesis by Tews, giving fairly exhaustive overview of
attacks against WEP (up to 2007).
• Various RFCs specifying EAP and EAP methods.