Wireless Networks

Lecture 29
Security in IEEE 802.11
Dr. Ghalib A. Shah

1


Outlines







Types of Attack
Goals of 802.11 Security
WEP Protocol
WEP Authentication
Security flaws in original 802.11
802.1x Security
► AKM Operations with AS
► AKM operations with PSK

 IBSS Security model
2


Last Lecture

 Introduction
► What is Ad hoc networks?
► Characteristic (Heterogeneous, Self-creating, self-organizing,
self-adminstrating, on-the-fly)
► Ad hoc vs. cellular networks
► Challenges (Spectrum allocation, Self-configuration, Medium
access control (MAC), Energy efficiency, TCP Performance,
Mobility management, Security & privacy, Routing protocols,
Multicasting, QoS, Service Location, Provision, Access)

 Routing Protocol
► Expected Properties of Ad-hoc Routing Protocols
► A taxonomy for routing protocols in Mobile ad
► Some common protocols (DSDV, AODV, DSR, ZRP, TORA)
3


Types of Attacks
 Passive attacks
► to decrypt traffic based on statistical analysis

 Active attacks
► To inject new traffic from authorized mobile stations,
based on known plaintext

 Active attacks
► To decrypt traffic, based on tricking the access point

 Dictionary building attacks
► Allows real-time automated decryption of all traffic

4


802.11 Security
 Goals of 802.11 security
► Ac c e s s  Co ntro l

• Ensure that your wireless infrastructure is not used.

► Data Inte g rity

• Ensure that your data packets are not modified in transit.

► Co nfide ntiality

• Ensure that the contents of your wireless traffic is not
learned

 802.11 security consists of two subsystems
► A data encapsulation technique called Wired
Equivalent Privacy (WEP)
► An authentication algorithm called Shared Key
Authentication
5


WEP
 Wireless connections has important security
issues to keep the intruders from accessing,
reading and modifying the network traffic.

 But mobile systems need to be connected.
 We need an algorithm which provides the same
level of security that physical wire does.
 WEP is used to
► Pro te c t wire le s s  c o mmunic atio n fro m 
e ave s dro pping .
► Pre ve nt unautho rize d ac c e s s  to  wire le s s  ne two rk 
(feature of WEP, but not an explicit goal in the
802.11 standard)
6


 WEP relies on a s e c re t ke y which is shared between
the sender and the receiver.
► SENDER: Mobile station (e.g. Labtop with a wireless ethernet
card)
► RECEIVER: Access Point (eg. base station)

 S e c re t Ke y is used to encrypt packets before they are
transmitted
 Inte g rity Che c k is used to ensure packets are not
modified in transit.
► The standard does not discuss how shared key is established
► In practice, most installations use a s ing le  ke y which is shared
between all mobile stations and access points.
7


WEP Protocol
 To send a message M:

►
►
►
►

Compute a checksum c(M) (is not depend on secret key k)
Pick an IV v and generate a keystream RC4(v,k)
XOR <M, c(M)>with the keystream to get the ciphertext
Transmit v and ciphertext over a radio link

 When received a message M
► Use transmitted v and the shared key k to generate the
keystream RC4(v,k)
► XOR the ciphertext with RC4(v,k) to get <M’,c’>
► Check is c’=c (M’)
► If it is, accept M’ as the message transmitted

8


WEP Encapsulation
802.11 Hdr

Encapsulate
802.11 Hdr

IV

Data


Decapsulate
Data

ICV

WEP Encapsulation Summary:
• Encryption Algorithm = RC4
• Per­packet encryption key = 24­bit IV concatenated to a pre­shared key
• WEP allows IV to be reused with any frame
• Data integrity provided by CRC­32 of the plaintext data (the “ICV”)
• Data and ICV are encrypted under the per­packet encryption key
9


Defense of WEP
 Integrity Check(IC) field
► Used to ensure that packet has not been modified in
transit

 Initialization Vector(IV)
► Used to avoid encrypting two ciphertexts with the
same key stream
► Used to argument the shared key and produce a
different RC4 key for each packet to avoid statistical
attacks

10


11



WEP Authentication
AP

STA
Shared secret distributed out of band
Challenge (Nonce)
Response (Nonce RC4 encrypted under shared 
key)
Decrypted nonce OK?

802.11 Authentication Summary:
• Authentication key distributed out­of­band
• Access Point generates a “randomly generated” challenge
• Station encrypts challenge using pre­shared secret

12


Security Flaws
 Physical threat: user loses 802.11 NIC, doesn’t
report it
► Attacker with physical possession of NIC may be
capable of accessing the network

 Impersonation: User Identification
► 802.11 does not identify users, only NICs
► Problems
• MAC may represent more than one user

• Multi-user machines becoming common; which user is
logged on with which MAC?
• Users may move between machines
• Machine may allow logins by other users within the domain
13




Mutual Authentication
►

802.11 shared authentication not mutual
•
•
•

►

Solution
•



Client authenticates to Access Point but Access Point does not
authenticate to client
Enables rogue access points
Denial of service attacks possible
Mutual authentication: Require both sides to demonstrate knowledge of
key


Known Plaintext Attack
►
►
►
►
►

WEP supports per-packet encryption, integrity, but not per-packet
authentication
Given a known packet (ARP, DHCP, TCP ACK, etc.), possible to
recover RC4 stream
Enables spoofing of packets until IV changes
Can insert a packet, calculate ICV, encrypt with known RC4 stream
Solution
•
•

Add a keyed message integrity check
Change the IV every packet

14


 Denial of Service: Disassociation Attacks
► 802.11 associate/disassociate messages
unencrypted and unauthenticated
• Enables forging of disassociation messages
• Creates vulnerability to denial of service attacks


 Dictionary Attacks
► WEP keys are derived from passwords that makes it
much easier to break keys by brute force
► Attacker uses a large list of words to try to guess a
password and derive the key
15


How to address these issues
 Addition of new 802.11 authentication methods
► Hardware changes needed for each new method
• Creates incentive to limit number of authentication methods
supported, make new methods optional

► Result: No upgrade path to extended authentication
► “Hard coding” authentication methods makes it
difficult to respond to security vulnerabilities

 The solution: a flexible security framework
► Implement security framework in upper layers
► Enable plug-in of new authentication, key
management methods without changing NIC or
Access Point
16


How 802.1x Address Security Issues of 802.11








EAP Framework
User Identification & Strong authentication
Dynamic key derivation
Mutual authentication
Per-packet authentication
Dictionary attack precautions

17


 system setup and operation of an RSN, in two
cases: when an IEEE 802.1X AS is used and
when a PSK is used
 For an ESS, the AP includes an Authenticator,
and each associated STA includes a
Supplicant.

18


IEEE 802.1X Terminology

Supplicant

Authentication 
Server


Authenticator
Uncontrolled port

Controlled port

802.1X
• created to control access to any 802 LAN
• used as a transport for Extensible Authentication Protocol 
(EAP, RFC 2284)
19


AKM Operation with AS
 Prior to any use of IEEE 802.1X, IEEE 802.11 assumes
that the Authenticator and AS have established a
secure channel.
 A STA discovers the AP’s security policy through
passively monitoring Beacon frames or through active
probing
► If IEEE 802.1X authentication is used, the EAP authentication
process starts when the AP’s Authenticator sends the EAPRequest or the STA’s Supplicant sends the EAPOL-Start
message.
► EAP authentication frames pass between the Supplicant and
AS via the Authenticator and Supplicant’s Uncontrolled Ports.
► The Supplicant and AS authenticate each other and generate a
PMK. The PMK is sent from the AS to the Authenticator over
the secure channel.
20



21


 A 4-Way Handshake utilizing EAPOL-Key frames is
initiated by the Authenticator to do the following:
►
►
►
►

Confirm that a live peer holds the PMK.
Confirm that the PMK is current.
Derive a fresh pairwise transient key (PTK) from the PMK.
Install the pairwise encryption and integrity keys into IEEE
802.11.
► Transport the group temporal key (GTK) and GTK sequence
number from Authenticator to Supplicant and install the GTK
and GTK sequence number in the STA and, if not already
installed, in the AP.
► Confirm the cipher suite selection.

22


Upon successful
completion of the 4-Way
Handshake,
the Authenticator and
Supplicant have

authenticated each other;
and the IEEE 802.1X
Controlled Ports are
unblocked to permit general
data traffic.

23


Operation of AKM with PSM
 The following AKM operations are carried out
when the PMK is a PSK:
► A STA discovers the AP’s security policy through
passively monitoring Beacon frames or through
active probing A STA associates with an AP and
negotiates a security policy.
► The PMK is the PSK.
► The 4-Way Handshake using EAPOL-Key frames is
used just as with IEEE 802.1X authentication, when
an AS is present.
► The GTK and GTK sequence number are sent from
the Authenticator to the Supplicant just as in the AS
case.
24


IBSS Key usage Model
 In an IBSS, the unicast data frames between two STAs
are protected with a pairwise key. The key is part of the
PTK, which is derived during a 4-Way Handshake.

 In an IBSS, the broadcast/multicast data frames are
protected by a key, e.g., named B1, that is generated
by the STA transmitting the broadcast/multicast frame.
 To allow other STAs to decrypt broadcast/multicast
frames, B1 must be sent to all the other STAs in the
IBSS.
► B1 is sent in an EAPOL-Key frame, encrypted under the
EAPOL-Key encryption key (KEK) portion of the PTK,
► and protected from modification by the EAPOL-Key
confirmation key (KCK) portion of the PTK.

 In an IBSS, a STA’s SME responds to Deauthentication
frames from a STA by deleting the PTK SA associated
with that STA.
25