Security in Wireless Networks Flashcards

1
Q

What is most attractive about wireless?

A

CAMP
Installation flexibility, speed, and scalability
Regions without or with limited wired infrastructure can easily establish wireless communication
Better chance of surviving disasters
802.11 wireless LANs, WiMAX, and 3G+ cellular networks promise high bandwidths, global mobility, quality of service, and seamless integration with one another

2
Q

What is the current wireless LAN standard?

A

802.11

3
Q

What is a station?

A

All components that can connect to the wireless medium in an 802.11 WLAN are called stations

  • Wireless clients or Access points are stations
  • All stations are equipped with wireless network interface cards
4
Q

What is a BSS?

A

The basic building block of an 802.11 WLAN is called a basic service set (BSS).
It is a set of stations that can communicate with each other.
BSSs can be set up in one of two ways:
– Independent BSS: No access points. Also called ad hoc networks
– Infrastructure BSS: Access points serve as base stations for receiving and broadcasting messages

5
Q

Describe an infrastructure BSS

A
  • Stations communicate via an AP
  • A set of infrastructure BSSs connected together in a network is referred to as an extended service set (ESS)
  • Traffic within the BSS and also from one BSS to another is via the APs
  • The APs in an ESS are connected by a distribution system which facilitates communication among the APs
  • The distribution system is typically a wired LAN
  • Two significant addresses: BSS ID (MAC address of the AP serving the BSS), and ESS ID (character string assigned by the admin, also called the SSID)
6
Q

What kinds of security are in 802.11 WLANs?

A

Basic level security (SSID + MAC address filtering)
Medium level security (WEP)
High level security (WPA1, WPA2, 802.11i Security Standard, Wireless VPNs)

7
Q

Describe basic level security in WLANs

A

SSID:

  • SSID is a character string programmed in the APs serving the WLAN
  • It is a rudimentary authentication value; every wireless client must know the SSID in order to get connected to the WLAN
  • Access points periodically broadcast SSIDs in clear text.
  • If the broadcast feature is turned off, then only clients which know the SSID can get connected

MAC Address Filters:

  • Access points can be programmed to accept authentication requests only from wireless clients with legitimate MAC addresses
  • Work similarly to access control lists but at the MAC layer
8
Q

What are the weaknesses in Basic Level Security in WLANs?

A
  • SSIDs are broadcast in plaintext
  • Even if the broadcast feature is turned off, an active sniffer can extract SSID from an AP
  • MAC address spoofing can penetrate MAC address filter
9
Q

Describe medium level security in WLANs

A

WEP (Wired Equivalent Privacy)

  • proposed to provide link-level security in 802.11 networks.
  • intended security goals were confidentiality, access-control, integrity and authentication
  • Uses a shared key for encrypting and authenticating data between a client and access point
  • one of the four shared keys can be manually configured in the AP and the wireless clients
  • Some wireless cards rotate the key used among the four keys periodically
  • key sizes 40 bits or 104 bits
10
Q

Describe WEP encryption

A
  • a 40-bit or 104-bit secret key is concatenated with a 24-bit initialization vector (IV) to give a 64-bit or 128-bit WEP key
  • the WEP key is input to a pseudo-random number generator based on the RC4 algorithm to produce a key stream
  • An integrity check value (ICV) based on CRC is computed for the plaintext
  • The plaintext concatenated with the ICV is XORed with the key stream to generate the ciphertext
  • the transmitted message consists of IV and the cipher text
11
Q

Describe WEP Decryption

A
  • the secret key is concatenated with the IV to get back the 64-bit or 128-bit WEP key
  • the WEP key is input to the same pseudo-random number generator algorithm to produce the same key stream
  • The ciphertext is XORed with the key stream to get back the plaintext and the ICV
  • An integrity check value ICV is independently computed and checked against the received ICV
12
Q

Describe WEP Authentication

A
  • the wireless client sends an authentication request to the access point
  • the access point sends a random challenge text in clear
  • the client encrypts the challenge text using the secret key and sends it back to the access point
  • The access point authenticates the client by decrypting the challenge response
13
Q

What are the (7) weaknesses in WEP?

A

1 - shared static key
2 - IV is sent in plaintext
3 - size of the IV is only 24 bits (so IVs are repeated)
4 - Use of CRC for authentication and integrity
5 - the authentication handshake reveals a PT-CT pair
6 - One way authentication
7 - Management frames not protected

14
Q

What is Wi-Fi Protected Access version 1 (WPA 1)?

A
  • Designed to remove WEP's weaknesses and also to add a stronger authentication feature compared to WEP
  • Consists of two main components (authentication and key management 802.1x, and TKIP - encryption and integrity)
15
Q

Describe the features of TKIP (Temporal Key Integrity Protocol)

A
  • Per packet key mixing: change the encryption and authentication keys for every frame
  • Stronger integrity check algorithm: a MIC algorithm based on HMAC is used
  • Sequence numbers are added to frame fragments
  • Increased IV size: IV size is increased to 48 bits (from 24 bits); this avoids IV reuse
16
Q

Describe the TKIP process

A
  • Two keys derived from the master key are used as input keys: a 128-bit encryption key and a 64-bit data integrity key
  • Phase 1 key mixing generates an intermediate key from the encryption key and the sender’s MAC address
  • MIC generates the payload plus the message digest from the data integrity key, sender and receiver’s MAC addresses and the payload
  • Payload plus digest is fragmented and each fragment is assigned a sequence number
  • Phase 2 key mixing uses the intermediate key and the sequence number to generate a per packet key (for each fragment)
  • The per-packet key and the fragment undergo the regular WEP encapsulation process to produce the ciphertext
17
Q

What is 802.1X?

A

802.1X is a protocol for authenticating wireless nodes and also for generating keys

18
Q

Describe the 802.1X process

A
  • When a new wireless client requests access to the WLAN, the access point asks for the identity of the client and issues a temporary encryption key
  • The client sends the user name and password to the authenticator
  • The authenticator relays it to an authentication server using another secret key encryption
  • The authentication server verifies the client’s credentials and sends a permit message if the verification is successful. It also issues keys for TKIP
19
Q

What are the weaknesses of 802.1X?

A
  • One way authentication
  • Management frames are not protected

20
Q

What is Wi-Fi Protected Access Version 2 (WPA 2) or 802.11i?

A
  • improved version of WPA (June 2004)
  • Provides an alternative encryption algorithm based on AES called CCMP (cipher block chaining mode message authentication code protocol)
  • 802.1X has been extended to provide bi-directional authentication between the client and the access point

Weakness: management frames are still in the open