Wi-Fi Protected Access (WPA and WPA2) is a certification program administered by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks. This protocol was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). However, researchers discovered a flaw in 2008 that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing. The protocol implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. Specifically, the Temporal Key Integrity Protocol (TKIP), was brought into WPA. TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. Because the changes required fewer modifications on the client than on the wireless access point, most pre-2003 APs could not be upgraded to support WPA with TKIP.The later WPA2 certification mark indicates compliance with an advanced protocol that implements the full standard. This advanced protocol will not work with some older network cards. Products that have successfully completed testing by the Wi-Fi Alliance for compliance with the protocol can bear the WPA certification mark.

WPA2

WPA2 replaced WPA; like WPA, WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, which is considered fully secure. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.

Security in pre-shared key mode

Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don’t require the complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits). If ASCII characters are used, a hash function that incorporates the SSID reduces the password to a 256 bit string. Most operating systems allow the passphrase to be stored on the user’s computer at the user’s discretion to avoid the inconvenience of entering for each connection. The passphrase must also be stored in the wireless access point.

Security is strengthened by employing a PBKDF2 key derivation function. However, the weak passphrases users may typically employ are vulnerable to password cracking attacks. To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient. Rainbow tables have been computed by the Church of WiFi for the top 1000 SSIDs for a million different WPA/WPA2 passphrases. To further protect against intrusion the network’s SSID should not match any entry in the top 1000 SSIDs.

In August 2008 a post in the Nvidia-CUDA forums announced the possibility to enhance the performance of brute force attacks against WPA-PSK by a factor of 30 and more. The time-consuming PBKDF2-computation is taken from the CPU to a GPU which can compute many passwords and their corresponding Pre-shared keys in parallel. The expected time to successfully guess a common password by at least 50% shrinks to about 2-3 days by that.

Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new wireless adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart and ZyXEL OTIST[citation needed]). The Wi-Fi Alliance has standardized these methods and certifies compliance with these standards through a program called Wi-Fi Protected Setup (formerly Simple Config).

A weakness was uncovered in November 2008 by researchers at two German technical universities, Erik Tews and Martin Beck, which relied on a previously known flaw in WEP that could be exploited only for the TKIP algorithm in WPA and WPA2. The flaw can only decrypt short packets with mostly known contents, such as ARP messages, and 802.11e, which allows Quality of Service packet prioritization for voice calls and streaming media. The flaw does not lead to key recovery, but only a keystream that encrypted a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client.

EAP extensions under WPA- and WPA2- Enterprise

The Wi-Fi alliance has announced the inclusion of additional EAP (Extensible Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise certification programs. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.

The EAP types now included in the certification program are:

* EAP-TLS (previously tested)
* EAP-TTLS/MSCHAPv2
* PEAPv0/EAP-MSCHAPv2
* PEAPv1/EAP-GTC
* EAP-SIM

Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks.

Hardware support

Most newer Wi-Fi CERTIFIED devices support the security protocols discussed above, out-of-the-box, as compliance with this protocol has been required for a Wi-Fi certification since September 2003.[13]

The protocol certified through Wi-Fi Alliance’s WPA program (and to a lesser extent WPA2) was specifically designed to also work with wireless hardware that was produced prior to the introduction of the protocol which usually had only supported inadequate security through WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware upgrades are not available for all legacy devices.

“IEEE 802.1X is an IEEE Standard for port-based Network Access Control; it is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).

Overview

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and an authentication server is generally a RADIUS database. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity is authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.

Upon detection of the new client (supplicant), the port on the switch (authenticator) is enabled and set to the “unauthorized” state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends out the EAP-Request identity to the supplicant, the supplicant responds with the EAP-response packet that the authenticator forwards to the authenticating server. If the authenticating server accepts the request, the authenticator sets the port to the “authorized” mode and normal traffic is allowed. When the supplicant logs off, it sends an EAP-logoff message to the authenticator. The authenticator then sets the port to the “unauthorized” state, once again blocking all non-EAP traffic.

Implementations

Wireless Access Points

Wi-Fi access point vendors now use 802.11i which implements 802.1X for wireless access points to address the security vulnerabilities found in WEP. The authenticator role is either performed by the access point itself via a pre-shared key (referred to as WPA2-PSK) or for larger enterprises, by a third-party entity, such as a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.

Software

Windows XP and Windows Vista support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack. Windows Mobile 2003 and later operating systems also come with a native 802.1X client. Windows XP has major issues with an IP address change (Dynamic VLAN) as the result of a user 802.1X validation, and Microsoft will not backport the SSO feature from Vista which avoids these issues.

A project for Linux known as Open1X produces an open source client, Xsupplicant. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.

Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1x as of the release of iPhone OS 2.0.

Vulnerabilities

In the summer of 2005, Microsoft’s Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol, involving a man in the middle attack. In summary, the flaw is in the fact that 802.1X authenticates only at the beginning of the connection, but that after authentication, it’s possible for an attacker to use the authenticated port if he has the ability to physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port. Riley then suggests that for wired networks, using IPsec or a combination of IPsec and 802.1X would be more secure.

source: http://en.wikipedia.org/wiki/IEEE_802.1X

In computer networking, a wireless access point (WAP or AP) is a device that allows wireless communication devices to connect to a wireless network using Wi-Fi, Bluetooth and related standards. The WAP usually connects to a wired network, and can relay data between the wireless devices (such as computers or printers) and wired devices on the network.

Introduction

Linksys WAP54G 802.11g Wireless Access Point
embedded RouterBoard 112 with U.FL-RSMA pigtail and R52 mini PCI Wi-Fi card widely used by wireless Internet service providers (WISPs) in the Czech Republic
OSBRiDGE 3GN - 802.11n Access Point and UMTS/GSM Gateway in one device

Prior to wireless networks, setting up a computer network in a business, home, or school often required running many cables through walls and ceilings in order to deliver network access to all of the network-enabled devices in the building. With the advent of the Wireless Access Point, network users are now able to add devices that access the network with few or no new cables. Today’s WAPs are built to support a standard for sending and receiving data using radio frequencies rather than cabling. Those standards, and the frequencies they use are defined by the IEEE. Most WAPs use IEEE 802.11 standards.

Common WAP Applications

A typical corporate use involves attaching several WAPs to a wired network and then providing wireless access to the office LAN. Within the range of the WAPs, the wireless end user has a full network connection with the benefit of mobility. In this instance, the WAP functions as a gateway for clients to access the wired network.

Another wireless topology, a lily-pad network, consists of a series of access points spread over a large area, each connected to a different network. This provides hot spots where wireless clients can connect to the Internet without regard for the particular networks to which they have attached for the moment. The concept can become common in large cities, where a combination of coffeehouses, libraries, other public spaces offering wireless access, as well as privately owned open access points, allow clients to stay more or less continuously connected to a network (like hopping from lily pad to lilypad), while moving around.

Home wireless networks, the majority, generally have only one WAP to connect all the computers in a home. Most are wireless routers, meaning converged devices that include a WAP, Ethernet router, and often a switch in the same package. Many also converge a broadband modem. Most owners leave their encryption settings at default, hence neighbors can use them. In places where most homes have their own WAP within range of the neighbors’ WAP, it’s possible for technically savvy people to turn off their encryption and set up a wireless community network, creating an intra-city communication network without the need of wired networks.

A WAP may also act as the network’s arbitrator, negotiating when each nearby client device can transmit. However, the vast majority of currently installed IEEE 802.11 networks do not implement this, using a distributed pseudo-random algorithm instead.

Access Point vs. Ad-Hoc Network

Some people confuse Access Point with Wireless ad hoc network. An Ad-Hoc network uses a connection between two or more devices without using an access point: the devices communicate directly. An Ad-hoc network is used in situations, such as for a quick data exchange, or for a Multiplayer LAN game, because it is easy to set up and does not require an access point. Due to its peer-to-peer layout, Ad-hoc connections are similar to Bluetooth ones, and are generally not recommended for a permanent installation.

Internet access via ad-hoc networks, using features like Windows’ Internet Connection Sharing, may work well with a small number of devices that are close to each other, but an Ad-hoc networks don’t scale well. Internet traffic will converge to the nodes with direct internet connection, potentially congesting these nodes. For internet-enabled node, Access Points have a clear advantage, being designed to handle this load.

Limitations

One IEEE 802.11 WAP can typically communicate with 30 client systems located within a radius of 100 m. However, the actual range of communication can vary significantly, depending on such variables as indoor or outdoor placement, height above ground, nearby obstructions, other electronic devices that might actively interfere with the signal by broadcasting on the same frequency, type of antenna, the current weather, operating radio frequency, and the power output of devices. Network designers can extend the range of WAPs through the use of repeaters and reflectors, which can bounce or amplify radio signals that ordinarily would go un-received. In experimental conditions, wireless networking has operated over distances of several kilometers.

Most jurisdictions have only a limited number of frequencies legally available for use by wireless networks. Usually, adjacent WAPs will use different frequencies to communicate with their clients in order to avoid interference between the two nearby systems. Wireless devices can “listen” for data traffic on other frequencies, and can rapidly switch from one frequency to another to achieve better reception. However, the limited number of frequencies becomes problematic in crowded downtown areas with tall buildings using multiple WAPs. In such an environment, signal overlap becomes an issue causing interference, which results in signal dropage and data errors.

Wireless networking lags behind wired networking in terms of increasing bandwidth and throughput. While (as of 2004) typical wireless devices for the consumer market can reach speeds of 11 Mbit/s (megabits per second) (IEEE 802.11b) or 54 Mbit/s (IEEE 802.11a, IEEE 802.11g), wired hardware of similar cost reaches 1000 Mbit/s (Gigabit Ethernet). One impediment to increasing the speed of wireless communications comes from Wi-Fi’s use of a shared communications medium, so a WAP is only able to use somewhat less than half the actual over-the-air rate for data throughput. Thus a typical 54 MBit/s wireless connection actually carries TCP/IP data at 20 to 25 Mbit/s. Users of legacy wired networks expect the faster speeds, and people using wireless connections keenly want to see the wireless networks catch up.

As of 2007 a new standard for wireless, 802.11n is awaiting final certification from IEEE. This new standard operates at speeds up to 540 Mbit/s and at longer distances (~50 m) than 802.11g. Use of legacy wired networks (especially in consumer applications) is expected to decline sharply as the common 100 Mbit/s speed is surpassed and users no longer need to worry about running wires to attain high bandwidth.

By the year 2008 draft 802.11n based access points and client devices have already taken a fair share of the market place but with inherent problems integrating products from different vendors.

Interference can commonly cause problems with wireless networking reception, as many devices operate using the 2.4 GHz ISM band. A nearby wireless phone or anything with greater transmission power within close proximity can markedly reduce the perceived signal strength of a wireless access point. Microwave ovens are also known to interfere with wireless networks.

Security

Wireless LAN Security

Wireless access has special security considerations. Many wired networks base the security on physical access control, trusting all the users on the local network, but if wireless access points are connected to the network, anyone on the street or in the neighboring office could connect.

The most common solution is wireless traffic encryption. Modern access points come with built-in encryption. The first generation encryption scheme WEP proved easy to crack; the second and third generation schemes, WPA and WPA2, are considered secure if a strong enough password or passphrase is used.

Some WAPs support hotspot style authentication using RADIUS and other authentication servers. For example, DD-WRT v24 supports Chilisoft hotspot authentication which separates the WLAN from the hard wired LAN so that your guests cannot browse the local wired network.

A Hot-spot, or Hot spot or HotSpot is a venue that offers internet access over a wireless LAN. It should not be confused with a Hot-zone, which is a internet-sharing wireless wide area network.

History

Wi-Fi hotspots were first proposed by Brett Stewart at the NetWorld+Interop conference in The Moscone Center in San Francisco in August 1993. Stewart did not use the term ‘hotspot’ but referred to publicly accessible wireless LANs. Stewart went on to found the companies PLANCOM in 1994 (for Public LAN Communications, which became MobileStar and then the HotSpot unit of T-Mobile USA) and Wayport in 1996.

The term ‘HotSpot’ may have first been advanced by Nokia about five years after Stewart first proposed the concept.

During the dot-com boom and subsequent burst in 2000, dozens of companies had the notion that Wi-Fi could become the payphone for broadband. The original notion was that users would pay for broadband access at hotspots. Although some companies like T-mobile, and Boingo have had some success with charging for access, over 90% of the over 300,000 hotspots offer free service to entice customers to their venue.[citation needed]

Both paid and free hotspots continue to grow. Wireless networks that cover entire cities, such as municipal broadband have mushroomed. MuniWireless reports that over 300 metropolitan projects have been started. WiFi hotspots can be found in remote RV / Campground Parks across the US.

Many business models have emerged for hotspots. The final structure of the hotspot marketplace will ultimately have to consider the intellectual property rights of the early movers; portfolios of more than 1,000 allowed and pending patent claims are held by some of these parties.

Uses

The public can use a laptop, WiFi phone, or other suitable portable device to access the wireless connection (usually Wi-Fi) provided. Of the estimated 150 million laptops, 14 million PDAs, and other emerging Wi-Fi devices sold per year for the last few years, most include the Wi-Fi feature.

For venues that have broadband Internet access, offering wireless access is as simple as purchasing one AP, in conjunction with a router and connecting the AP to the Internet connection. Alternatively, if the router is equipped with wireless connectivity, this single wireless router suffices too.

Locations

Hotspots are often found at restaurants, train stations, airports, military bases, libraries, hotels, hospitals, coffee shops, bookstores, fuel stations, department stores, supermarkets, RV parks and campgrounds and other public places. Many universities and schools have wireless networks in their campus.

Finding free and commercial hotspots can be done trough special websites as JiWire. Also, Free-hotspot.com can be browsed to find free hotspots.

Types

Free Wi-Fi hotspots

Free hotspots operate in two ways:

* Using an open public network is the easiest way to create a free HotSpot. All that is needed is a Wi-Fi router. However, the disadvantage is that access to the router cannot be controlled.
* Closed public networks use a HotSpot Management System to control the HotSpot. This software runs on the router itself or uses an external computer for it. With the help of this software, operators can authorize only specific users to be able to access the Internet, and they often associate the free access to a menu or to a purchase limit.

Commercial hotspots

A commercial hotspot may feature:

* A captive portal that users are redirected to for authentication and payment
* A payment option using credit card, PayPal, BOZII, iPass, or other payment service
* A walled garden feature that allows free access to certain sites

Many services provide payment services to hotspot providers, for a monthly fee or commission from the end-user income. ZoneCD is a Linux distribution that provides payment services for hotspots who wish to deploy their own service.

Major airports and business hotels are more likely to charge for service. Most hotels provide free service to guests; and increasingly small airports and airline lounges offer free service.

FON is a European company that allows users to share their wireless broadband and sells excess bandwidth to outside users (Aliens). Since this may breach users terms of service, FON has agreements with many broadband providers / ISPs.

One of the companies is TravelNetCon - an international high-speed Internet HotSpot mediator. Boingo is another major provider of hotspots.

Billing

The so called “User-Fairness-Model” allows a volume-based billing, with only the payload (data, video, audio) will be charged. Moreover, the tariff is classified by net traffic and user needs (Pommer, p.116ff).

If the net traffic increases, then the user has to pay the next higher tariff class. By the way the user is asked for if he still wishes the session also by a higher traffic class. Moreover, in time-critical applications (video, audio) a higher class fare is charged, than for non time-critical applications (such as reading Web pages, e-mail).The “User-fairness model” can be implemented with the help of EDCF (IEEE 802.11e). A EDCF user priority list shares the traffic in 3 access categories (data, video, audio) and user priorities (UP) (Pommer, p.117):

* Data [UP 0|2]
* Video [UP 5|4]
* Audio [UP 7|6]

If the net traffic increases, then the frames of the particular access category (AC) are assigned a low priority value (e.g. video UP 5 to UP 4). This is also, if the data transfer is not time-critical.

Security concerns

Most hotspots are unsecured. User data is shared as clear text as all users access the internet via the hotspot. This is very dangerous as users may thus sniff the network quite easily and retrieve potentially sensitive information.

A problem however for people wishing to set up free hotspots is that the network cannot be secured, as securing it will not allow anybody to use it anymore (unless they know the password).

In order to still be able to increase security, reserving at least 1 access point completely for public use is recommended. Any personal additional wireless or wired network should be kept separate by specifying a different IP-range. Also, it is advocated by some that all ports except those for e-mail (TCP/25) and browsing (TCP/80) are closed down. Finally, the ESSID should be set to value that indicates it is indeed a public network, e.g. “Public Hotspot”

Some hotspots authenticate users. This does not secure the data transmission or prevent packet sniffers from allowing people to see traffic on the network.

Some venues offer VPN as an option, sometimes for an additional fee. This solution is expensive to scale. Also, it may still not be secure as only the connection between user and network is shielded, and the network itself is not.

Others such as T-mobile and Boingo provide a download option that deploys WPA support specific to T-mobile. This conflicts with enterprise configurations at Cisco, IBM, HP, Google, and other large enterprises who have solutions specific to their internal WLAN.

A “poisoned/rogue hotspot” refers to a free public hotspot set up by identity thieves or other malicious individuals for the purpose of “sniffing” the data sent by the user. This abuse can be avoided by the use of VPN.

Wired Equivalent Privacy (WEP) is a deprecated algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks. When introduced in 1997, WEP was intended to provide confidentiality comparable to that of a traditional wired network.

Beginning in 2001, several serious weaknesses were identified by cryptanalysts with the result that today a WEP connection can be cracked with readily available software within minutes. Within a few months the IEEE created a new 802.11i task force to counteract the problems. By 2003, the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA), which was a subset of then upcoming 802.11i amendment. Finally in 2004, with the ratification of the full 802.11i standard (a.k.a. WPA2), the IEEE declared that both WEP-40 and WEP-104 “have been deprecated as they fail to meet their security goals”. Despite its weaknesses, WEP is still widely in use. WEP is often the first security choice presented to users by router configuration tools even though it provides a level of security that deters only unintentional use, leaving the network vulnerable to deliberate compromise.

WEP is sometimes inaccurately referred to as Wireless Encryption Protocol.

Encryption details

WEP was included as the privacy of the original IEEE 802.11 standard ratified in September 1999. WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity. It was deprecated as a wireless privacy mechanism in 2004, but for legacy purposes is still documented in the current standard.

Standard 64-bit WEP uses a 40 bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. At the time that the original WEP standard was being drafted, U.S. Government export restrictions on cryptographic technology limited the key size. Once the restrictions were lifted, all of the major manufacturers eventually implemented an extended 128-bit WEP protocol using a 104-bit key size (WEP-104).

A 128-bit WEP key is almost always entered by users as a string of 26 hexadecimal (base 16) characters (0-9 and A-F). Each character represents four bits of the key. 26 digits of four bits each gives 104 bits; adding the 24-bit IV produces the final 128-bit WEP key. A 256-bit WEP system is available from some vendors, and as with the 128-bit key system, 24 bits of that is for the IV, leaving 232 actual bits for protection. These 232 bits are typically entered as 58 hexadecimal characters. (58 × 4 = 232 bits) + 24 IV bits = 256-bit WEP key.

Key size is not the only major security limitation in WEP. Cracking a longer key requires interception of more packets, but there are active attacks that simulate the necessary traffic. There are other weaknesses in WEP, including the possibility of IV collisions and altered packets, that are not helped at all by a longer key.

Authentication

Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication.

For the sake of clarity, we discuss WEP authentication in the Infrastructure mode (ie, between a WLAN client and an Access Point), but the discussion applies to the Ad-Hoc mode as well.

In Open System authentication, the WLAN client need not provide its credentials to the Access Point during authentication. Thus, any client, regardless of its WEP keys, can authenticate itself with the Access Point and then attempt to associate. In effect, no authentication (in the true sense of the term) occurs. After the authentication and association, WEP can be used for encrypting the data frames. At this point, the client needs to have the right keys.

In Shared Key authentication, WEP is used for authentication. A four-way challenge-response handshake is used:

1. The client station sends an authentication request to the Access Point.
2. The Access Point sends back a clear-text challenge.
3. The client has to encrypt the challenge text using the configured WEP key, and send it back in another authentication request.
4. The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.

After the authentication and association, WEP can be used for encrypting the data frames.

At first glance, it might seem as though Shared Key authentication is more secure than Open System authentication, since the latter offers no real authentication. However, it is quite the reverse. It is possible to derive the keystream used for the handshake by capturing the challenge frames in Shared Key authentication.^[2] Hence, it is advisable to use Open System authentication for WEP authentication, rather than Shared Key authentication. (Note that both authentication mechanisms are weak).

Flaws

Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.

Many WEP systems require a key in hexadecimal format. Some users choose keys that spell words in the limited 0-9, A-F hex character set, for example C0DE C0DE C0DE C0DE. Such keys are often easily guessed.

In August 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir published a cryptanalysis of WEP that exploits the way the RC4 cipher and IV is used in WEP, resulting in a passive attack that can recover the RC4 key after eavesdropping on the network. Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute. If an insufficient number of packets are being sent, there are ways for an attacker to send packets on the network and thereby stimulate reply packets which can then be inspected to find the key. The attack was soon implemented, and automated tools have since been released. It is possible to perform the attack with a personal computer, off-the-shelf hardware and freely available software such as aircrack-ng and crack any WEP key in one minute or less.

Cam-Winget et al. (2003) surveyed a variety of shortcomings in WEP. They write “Experiments in the field indicate that, with proper equipment, it is practical to eavesdrop on WEP-protected networks from distances of a mile or more from the target.” They also reported two generic weaknesses:

• the use of WEP was optional, resulting in many installations never even activating it, and
• WEP did not include a key management protocol, relying instead on a single shared key amongst users.

In 2005, a group from the U.S. Federal Bureau of Investigation gave a demonstration where they cracked a WEP-protected network in 3 minutes using publicly available tools. Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir which can additionally be used to break WEP in WEP like usage modes.

In 2006, Bittau, Handley and Lackey showed that the 802.11 protocol itself can be used against WEP to enable earlier attacks that were previously thought impractical. After eavesdropping a single packet, an attacker can rapidly bootstrap to be able to transmit arbitrary data. The eavesdropped packet can then be decrypted one byte at a time (by transmitting about 128 packets per byte to decrypt) to discover the local network IP addresses. Finally, if the 802.11 network is connected to the Internet, the attacker can use 802.11 fragmentation to replay eavesdropped packets while crafting a new IP header onto them. The access point can then be used to decrypt these packets and relay them on to a buddy on the Internet, allowing real-time decryption of WEP traffic within a minute of eavesdropping the first packet.

In 2007, Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann were able to extend Klein’s 2005 attack and optimize it for usage against WEP. With the new attack it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys with an even higher success probability.

Remedies

Use of encrypted tunneling protocols (e.g. IPSec, Secure Shell) can provide secure data transmission over an insecure network. However, replacements for WEP have been developed with the goal of restoring security to the wireless network itself.

802.11i (WPA and WPA2)

The recommended solution to WEP security problems is to switch to WPA2 or the less resource intensive WPA. Either is much more secure than WEP. To add support for WPA or WPA2, some old Wi-Fi access points might need to be replaced or have their firmware upgraded. WPA was designed as an interim software solution for WEP; it runs on the same hardware that WEP does.

Implemented non-standard fixes

WEP2

This stopgap enhancement to WEP was present in some of the early 802.11i drafts. It was implementable on some (not all) hardware not able to handle WPA or WPA2, and extended both the IV and the key values to 128 bits. It was hoped to eliminate the duplicate IV deficiency as well as stop brute force key attacks.

After it became clear that the overall WEP algorithm was deficient (and not just the IV and key sizes) and would require even more fixes, both the WEP2 name and original algorithm were dropped. The two extended key lengths remained in what eventually became WPA’s TKIP.

WEPplus

WEPplus, also known as WEP+, is a proprietary enhancement to WEP by Agere Systems (formerly a subsidiary of Lucent Technologies) that enhances WEP security by avoiding “weak IVs”. It is only completely effective when WEPplus is used at both ends of the wireless connection. As this cannot easily be enforced, it remains a serious limitation. It is possible that successful attacks against WEPplus will eventually be found. It also does not necessarily prevent replay attacks.

Dynamic WEP

Dynamic WEP changes WEP keys dynamically. It is a vendor-specific feature provided by several vendors such as 3Com.

The dynamic change idea made it into 802.11i as part of TKIP, but not for the actual WEP algorithm.

Wi-Fi Protected Access is a certification program administered by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks. This protocol was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). However, researchers discovered a flaw in 2008 that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing.The protocol implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. Specifically, the Temporal Key Integrity Protocol (TKIP), was brought into WPA. TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. Because the changes required fewer modifications on the client than on the wireless access point, most pre-2003 APs could not be upgraded to support WPA with TKIP.

The later WPA2 certification mark indicates compliance with an advanced protocol that implements the full standard. This advanced protocol will not work with some older network cards. Products that have successfully completed testing by the Wi-Fi Alliance for compliance with the protocol can bear the WPA certification mark.

WPA2

WPA2 replaced WPA; like WPA, WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, which is considered fully secure. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.^[3]

Security in pre-shared key mode

Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don’t require the complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits). If ASCII characters are used, a hash function that incorporates the SSID reduces the password to a 256 bit string. Most operating systems allow the passphrase to be stored on the user’s computer at the user’s discretion to avoid the inconvenience of entering for each connection. The passphrase must also be stored in the wireless access point.

Security is strengthened by employing a PBKDF2 key derivation function. However, the weak passphrases users may typically employ are vulnerable to password cracking attacks. To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient. Rainbow tables have been computed by the Church of WiFi for the top 1000 SSIDs for a million different WPA/WPA2 passphrases. To further protect against intrusion the network’s SSID should not match any entry in the top 1000 SSIDs.

In August 2008 a post in the Nvidia-CUDA forums announced the possibility to enhance the performance of brute force attacks against WPA-PSK by a factor of 30 and more. The time-consuming PBKDF2-computation is taken from the CPU to a GPU which can compute many passwords and their corresponding Pre-shared keys in parallel. The expected time to successfully guess a common password by at least 50% shrinks to about 2-3 days by that.

Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new wireless adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup^[10] and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart and ZyXEL OTIST). The Wi-Fi Alliance has standardized these methods and certifies compliance with these standards through a program called Wi-Fi Protected Setup (formerly Simple Config).

A weakness was uncovered in November 2008 by researchers at two German technical universities, Erik Tews and Martin Beck, which relied on a previously known flaw in WEP that could be exploited only for the TKIP algorithm in WPA and WPA2. The flaw can only decrypt short packets with mostly known contents, such as ARP messages, and 802.11e, which allows Quality of Service packet prioritization for voice calls and streaming media. The flaw does not lead to key recovery, but only a keystream that encrypted a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client.

EAP extensions under WPA- and WPA2- Enterprise

The Wi-Fi alliance has announced the inclusion of additional EAP (Extensible Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise certification programs. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.

The EAP types now included in the certification program are:

• EAP-TLS (previously tested)
• EAP-TTLS/MSCHAPv2
• PEAPv0/EAP-MSCHAPv2
• PEAPv1/EAP-GTC
• EAP-SIM

Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks.

Hardware support

Most newer Wi-Fi CERTIFIED devices support the security protocols discussed above, out-of-the-box, as compliance with this protocol has been required for a Wi-Fi certification since September 2003.

The protocol certified through Wi-Fi Alliance’s WPA program (and to a lesser extent WPA2) was specifically designed to also work with wireless hardware that was produced prior to the introduction of the protocol ^[2] which usually had only supported inadequate security through WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware upgrades are not available for all legacy devices.

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service. When a person or device connects to a network often “Authentication” is required. Networks or services not requiring authentication are said to be anonymous or open.

Connecting a computer to a telecommunication network raises several problems for the network owner or the telco. The telco first needs to know who is operating the computer. Once the user has been identified, the telco needs to know what facilities to allow the user to access. At the same time the telco needs to collect billing data relating to the time or capacity that was consumed. RADIUS is a protocol used by many common open source and proprietary systems to control these processes. RADIUS based systems are commonly implemented by telcos to identify their customers, and by companies to identify their remote employees.

Once authenticated, RADIUS also determines what rights or privileges the person or computer is “Authorized” to perform and makes a record of this access in the “Accounting” feature of the server. The support of Authentication, Authorization and Accounting is referred to as the AAA (said triple A) process.

Because of the broad support and the ubiquitous nature of the RADIUS protocol it is often used by ISPs, Wireless Networks, integrated e-mail services, Access Points, Network Ports, Web Servers or any provider needing a well supported AAA server.

RADIUS is commonly used by ISPs and corporations managing access to the Internet or internal networks employing a variety of networking technologies, including modems, DSL, wireless and VPNs.

AAA

RADIUS servers use the AAA concept to manage network access in the following two-step process, also known as an “AAA transaction”.

Authentication, Authorization & Accounting

Authentication, Authorization & are described in RFC 2865

The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol - for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers.

In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request contains information which the NAS knows about the user, such as its network address or phone number, and information regarding the user’s physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. The user’s proof of identification is verified, along with, optionally, other information related to the request, such as the user’s network address or phone number, account status and specific network service access privileges. Historically, RADIUS servers checked the user’s information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources - commonly SQL, Kerberos, LDAP, or Active Directory servers - to verify the user’s credentials.

The RADIUS server then returns one of three responses to the NAS; a “Nay” (Access Reject), “Challenge” (Access Challenge) or “Yea” (Access Accept).

• Access Reject - The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
• Access Challenge - Requests additional information from the user such as a secondary password, PIN, token or card. Access Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.
• Access Accept - The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company’s wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source like LDAP or Active Directory.

Authorization attributes are conveyed to the NAS stipulating terms of access to be granted. For example: the following authorization attributes may be included in an Access-Accept.

• The specific IP address to be assigned to the user
• The address pool from which the user’s IP should be chosen
• The maximum length that the user may remain connected
• An access list, priority queue or other restrictions on a user’s access
• L2TP parameters
• VLAN parameters
• Quality of Service (QoS) parameters

Accounting

Accounting is described in RFC 2866

• When network access is granted to the user by the NAS, an Accounting Start request is sent by the NAS to the RADIUS server to signal the start of the user’s network access. “Start” records typically contain the user’s identification, network address, point of attachment and a unique session identifier.
• Periodically, Interim Accounting records may be sent by the NAS to the RADIUS server, to update it on the status of an active session. “Interim” records typically convey the current session duration and information on current data usage.
• Finally, when the user’s network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user’s network access.

The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.

Properties of RADIUS

The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords. Because MD5 is not considered to be a very strong protection of the user’s credentials, additional protection - such as IPsec tunnels - should be used to further encrypt the RADIUS traffic. The user’s credentials are the only part protected by RADIUS itself, but other user-specific attributes passed by RADIUS may be considered sensitive or private information as well. Please refer to the references for more details on this subject.

RADIUS is a common authentication protocol utilized by the IEEE 802.1X security standard (often used in wireless networks). Although RADIUS was not initially intended to be a wireless security authentication method, it improves the WEP encryption key standard, in conjunction with other security methods such as EAP-PEAP.

RADIUS is extensible; many vendors of RADIUS hardware and software implement their own variants using Vendor-Specific Attributes (VSAs).

RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Number Authority (IANA) however before IANA allocation ports 1645 - Authentication and 1646 - Accounting were used unofficially and became the default ports assigned by many RADIUS Client/Server implementations of the time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason many RADIUS Server implementations monitor both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813 but Cisco devices default to the traditional 1645 and 1646 ports. Juniper Networks’ RADIUS servers also default to 1645 and 1646.

RADIUS is used by RSA SecurID to enable strong authentication for access control; products such as PhoneFactor add two-factor authentication to legacy RADIUS applications that typically only support username and password authentication.

RADIUS is widely used by VoIP service providers. It is used to pass login credentials of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and then to RADIUS server using RADIUS. Sometimes it is also used to collect call detail records (CDRs) later used, for instance, to bill customers for international long distance.

RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866). Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc. Accounting records can be written to text files, various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly (for security reasons, or to convert between vendor dialects).

The Diameter protocol is the planned replacement for RADIUS. Diameter uses SCTP or TCP while RADIUS uses UDP as the transport layer.

Roaming

RADIUS is commonly used to facilitate roaming between ISPs, for example by companies which provide a single global set of credentials that are usable on many public networks. RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.

Realms

A realm is commonly appended to a user’s username and delimited with an ‘@’ sign, resembling an email address domain name. This is known a postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using ‘\’ as a delimiter. a Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice ‘@’ and ‘\’ are usually used.

Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example, somedomain.com\username@anotherdomain.com could be a valid username with two realms.

Although realms often resemble email domains, it is important to note that realms are in fact arbitrary text and need not contain real domain names.

Proxy operations

When a RADIUS server receives an AAA request for a username containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that domain. The behaviour of the proxying server regarding the removal of the realm from the request (”stripping”) is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests when they are proxied.

Security

Roaming with RADIUS exposes the users to various security and privacy concerns. Some EAP methods establish a secure tunnel between an authenticator and the home AAA server before the transmission of sensitive data, providing relief for most of those concerns. In these cases, there is sometimes an outer identity in clear text transmitted outside the eap tunnel, visible to proxies so they can route packets, and which doesn’t have to reveal much about the user’s true identity, and an inner identity which does, and as such is transmitted inside the secure EAP tunnel.

More generally, some roaming partners establish a secure tunnel between the RADIUS servers to ensure that users’ credentials cannot be intercepted while being proxied across the internet. This is a concern as the encyption built into RADIUS is considered insecure.

Standards

The RADIUS protocol is currently defined in:

• RFC 2865 Remote Authentication Dial In User Service (RADIUS)
• RFC 2866 RADIUS Accounting

Other relevant RFCs are:

• RFC 2548 Microsoft Vendor-specific RADIUS Attributes
• RFC 2607 Proxy Chaining and Policy Implementation in Roaming
• RFC 2618 RADIUS Authentication Client MIB
• RFC 4668 RADIUS Authentication Client MIB for IPv6 (Obsoletes: RFC 2618)
• RFC 2619 RADIUS Authentication Server MIB
• RFC 4669 RADIUS Authentication Server MIB for IPv6 (Obsoletes: RFC 2619)
• RFC 2620 RADIUS Accounting Client MIB
• RFC 4670 RADIUS Accounting Client MIB for IPv6 (Obsoletes: RFC 2620)
• RFC 2621 RADIUS Accounting Server MIB
• RFC 4671 RADIUS Accounting Server MIB for IPv6 (Obsoletes: RFC 2621)
• RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS
• RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868 RADIUS Attributes for Tunnel Protocol Support
• RFC 2869 RADIUS Extensions
• RFC 2882 Network Access Servers Requirements: Extended RADIUS Practices
• RFC 3162 RADIUS and IPv6
• RFC 3575 IANA Considerations for RADIUS
• RFC 5176 Dynamic Authorization Extensions to RADIUS (Obsoletes: RFC 3576)
• RFC 3579 RADIUS Support for EAP (Updates: RFC 2869)
• RFC 3580 IEEE 802.1X RADIUS Usage Guidelines
• RFC 4014 RADIUS Attributes Suboption for the DHCP Relay Agent Information Option
• RFC 4372 Chargeable User Identity
• RFC 5090 RADIUS Extension for Digest Authentication (Obsoletes: RFC 4590)
• RFC 4675 RADIUS Attributes for Virtual LAN and Priority Support
• RFC 4679 DSL Forum Vendor-Specific RADIUS Attributes
• RFC 4818 RADIUS Delegated-IPv6-Prefix Attribute
• RFC 4849 RADIUS Filter Rule Attribute
• RFC 5080 Common RADIUS Implementation Issues and Suggested Fixes

IEEE 802.11i-2004, or802.11i, refers to an amendment to the original IEEE 802.11 standard specifying security mechanisms for wireless networks. It replaced the short Authentication and privacy clause of the original standard with a detailed Security clause, in the process deprecating the broken WEP. The amendment was later incorporated into the published IEEE 802.11-2007 standard.The draft standard was ratified on 24 June 2004, and supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.

The 802.11i architecture contains the following components: 802.1X for authentication (entailing the use of EAP and an authentication server), RSN for keeping track of associations, and AES-based CCMP to provide confidentiality, integrity and origin authentication. Another important element of the authentication process is the four-way handshake, explained below.

Encryption key distribution

The IEEE 802.11i-2004 introduced new key distribution methods to overcome weaknesses in earlier methods. The keys derived from the may be used in any RSNA network, whether WPA or WPA2, TKIP or CCMP (AES).

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange has provided the shared secret key PMK (Pairwise Master Key). This key is however designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address and STA MAC address. The product is then put through a cryptographic hash function.

The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, what really is a Message Authentication and Integrity Code: (MAIC).
3. The AP sends the GTK and a sequence number together with another MIC. The sequence number is the sequence number that will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
4. The STA sends a confirmation to the AP.

As soon as the PTK is obtained it is divided into five separate keys:

PTK (Pairwise Transient Key – 64 bytes)

1. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the ‘Key Data’ field) to the client (for example, the RSN IE or the GTK)
2. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

The Group Key Handshake

The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA and protects the data from being tampered using a MIC.
2. The STA acknowledges the new GTK and replies to the AP.

GTK ( Groupwise Transient Key – 32 bytes)

1. 16 bytes of Group Temporal Encryption Key – Used to encrypt Multicast data packets
2. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on Multicast packet transmitted by AP
3. 8 bytes of Michael MIC Authenticator Rx Key – This is currently not used as stations do not send multicast traffic

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

Wireless security is the prevention of unauthorized access or damage to computers using wireless networks.

Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues. Hackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks. As a result, it’s very important that enterprises define effective wireless security policies that guard against unauthorized access to important resources.

The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the work place. However, there are a great number of security risks associated with the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible with easy-to-use Windows-based and Linux-based tools being made available on the web at no charge.

Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and gather info from it through laptops and/or other devices as handhelds, or even break in through his wireless card-equipped laptop and gain access to the wired network.

Types of unauthorized access

Accidental association

Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. One of these methods is referred to as “accidental association”. When a user turns on a computer and it latches on to a wireless access point from a neighboring company’s overlapping network, the user may not even know that this has occurred. However, it is a security breach in that proprietary company information is exposed and now there could exist a link from one company to the other. This is especially true if the laptop is also hooked to a wired network.

Malicious association

“Malicious associations” are when wireless devices can be actively made by crackers to connect to a company network through their cracking laptop instead of a company access point (AP). These types of laptops are known as “soft APs” and are created when a cracker runs some software that makes his/her wireless network card look like a legitimate access point. Once the cracker has gained access, he/she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate at the Layer 2 level, Layer 3 protections such as network authentication and virtual private networks (VPNs) offer no barrier. Wireless 802.1x authentications do help with protection but are still vulnerable to cracking. The idea behind this type of attack may not be to break into a VPN or other security measures. Most likely the cracker is just trying to take over the client at the Layer 2 level.

Ad-hoc networks

Ad-hoc networks can pose a security threat. Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security.

Non-traditional networks

Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel who have narrowly focused on laptops and access points.

Identity theft (MAC spoofing)

Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network. However, a number of programs exist that have network “sniffing” capabilities. Combine these programs with other software that allow a computer to pretend it has any MAC address that the cracker desires, and the cracker can easily get around that hurdle.

Man-in-the-middle attacks

A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP (Access Point). Once this is done, the hacker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”. This attack forces AP-connected computers to drop their connections and reconnect with the cracker’s soft AP. Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.

Denial of service

A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).

Network injection

In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcasting network traffic such as “Spanning Tree” (802.1D), OSPF, RIP, and HSRP. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.

Caffe Latte attack

The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.

Counteracting risks

Risks from crackers are sure to remain with us for any foreseeable future. The challenge for IT personnel will be to keep one step ahead of crackers. Members of the IT field need to keep learning about the types of attacks and what counter measures are available.

Counteracting security risks

There are many technologies available to counteract wireless network intrusion, but currently no method is absolutely secure. The best strategy may be to combine a number of security measures.

Possible steps towards securing a wireless network include:

1. All wireless LAN devices need to be secured
2. All users of the wireless network need to be educated in wireless network security
3. All wireless networks need to be actively monitored for weaknesses and breaches

MAC ID filtering

Most wireless access points contain some type of MAC ID filtering that allows the administrator to only permit access to computers that have wireless functionalities that contain certain MAC IDs. This can be helpful; however, it must be remembered that MAC IDs over a network can be faked. Cracking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built in network capability.

Static IP addressing

Disabling at least the IP Address assignment function of the network’s DHCP server, with the IP addresses of the various network devices then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network. This is especially effective if the subnet size is also reduced from a standard default setting to what is absolutely necessary and if permitted but unused IP addresses are blocked by the access point’s firewall. In this case, where no unused IP addresses are available, a new user can log on without detection using TCP/IP only if he or she stages a successful Man in the Middle Attack using appropriate software.

802.11 security

Regular WEP

WEP stands for Wired Equivalent Privacy. This encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks. Unfortunately, this never happened as flaws were quickly discovered and exploited. There are several open source utilities like aircrack-ng, weplab, WEPCrack, or airsnort that can be used by crackers to break in by examining packets and looking for patterns in the encryption. WEP comes in different key sizes. The common key lengths are currently 128- and 256-bit. The longer the better as it will increase the difficulty for crackers. However, this type of encryption is now being considered outdated and seriously flawed. In 2005 a group from the FBI held a demonstration where they used publicly available tools to break a WEP encrypted network in three minutes. WEP protection is better than nothing, though generally not as secure as the more sophisticated WPA-PSK encryption. A big problem is that if a cracker can receive packets on a network, it is only a matter of time until the WEP encryption is cracked.

WEP has some serious issues. First, it does not deal with the issue of key management at all. Either the keys have to be manually given to end users, or they have to be distributed in some other authentication method. Since WEP is a shared key system, the AP uses the same key as all the clients and the clients also share the same key with each other. A hacker would only have to compromise the key from a single user, and he would then know the key for all users.

In addition to key management, a recently published paper describes ways in which WEP can actually be broken (“Weaknesses in the Key Scheduling Algorithm of RC4” by Fluhrer, Mantin and Shamir). This is due to a weakness in RC4 as it is implemented in WEP. If enough traffic can be intercepted, then it can be broken by brute force in a matter of an hour or two. If that weren’t bad enough, the time it takes to crack WEP only grows linearly with key length, so a 104-bit key doesn’t provide any significant protection over a 40-bit key when faced against a determined hacker. There are several freely available programs that allow for the cracking of WEP. WEP is indeed a broken solution, but it should be used as it is better than nothing. In addition, higher layer encryption (SSL, TLS, etc) should be used when possible.

WPAv1

Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN-equipement that worked with WEP are able to be simply upgraded and no new equipement needs to be bought. WPA is an trimmed-down version of the 802.11i security standard that was developed by the Wi-Fi Alliance to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm that is the preferred algorithm in 802.11i and WPA2.

WPA Enterprise provides RADIUS based authentication using 802.1x. WPA Personal uses a pre-shared Shared Key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken using off-line dictionary attacks by capturing the messages in the four-way exchange when the client reconnects after being deauthenticated. Wireless suites such as aircrack-ng can crack a weak passphrase in less than a minute. Other WEP/WPA crackers are AirSnort and Auditor Security Collection. Still, WPA Personal is secure when used with ‘good’ passphrases or a full 64-character hexadecimal key.

There is information, however, that Erik Tews (the man who created the fragmentation attach against WEP) is going to reveal a way of breaking the WPA TKIP implementation at Tokyo’s PacSec security conference in November 2008, cracking the encryption protocol in between 12-15 minutes.

Additions to WPAv1

In addition to WPAv1, TKIP, WIDS and EAP may be added alongside. Also, VPN-networks (non-continous secure network connections) may be set-up under the 802.11-standard. VPN-networks include PPTP, L2TP, IPSec and SSH. One must however still realise that this extra secure connections may also be cracked with tools as Anger, Deceit, Ettercap (for PPTP); and ike-scan, IKEProbe, ipsectrace, and IKEcrack (for IPSec-connections).

TKIP

This stands for Temporal Key Integrity Protocol and the acronym is pronounced as tee-kip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.

EAP

The WPA-improvement over the IEEE 802.1X standard already improved the authentication and authorization for access of wireless and wired LANs. In addition to this, extra measures such as the Extensible Authentication Protocol (EAP) have initiated an even greater amount of security. This, as EAP uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings[citation needed]. Over the next few years these shortcomings were addressed with the use of TLS and other enhancements[citation needed]. This new version of EAP is now called Extended EAP and is available in several versions; these include: EAP-MD5, PEAPv0, PEAPv1, EAP-MSCHAPv2, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, MSCHAv2, EAP-SIM, …

EAP-versions

EAP-versions include LEAP, PEAP and other EAP’s

LEAP

This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on 802.1X and helps minimize the original security flaws by using WEP and a sophisticated key management system. This EAP-version is safer than EAP-MD5. This also uses MAC address authentication. LEAP is not safe from crackers. THC-LeapCracker can be used to break Cisco’s version of LEAP and be used against computers connected to an access point in the form of a dictionary attack. Anwrap and asleap finally are other crackers capable of breaking LEAP.

PEAP

This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. This was developed by Cisco, Microsoft, and RSA Security.

Other EAPs There are other types of Extensible Authentication Protocol implementations that are based on the EAP framework. The framework that was established supports existing EAP types as well as future authentication methods. EAP-TLS offers very good protection because of its mutual authentication. Both the client and the network are authenticated using certificates and per-session WEP keys. EAP-FAST also offers good protection. EAP-TTLS is an alternative made by Funk Software (unlike most EAP-variations and EAP-TLS, which are all microsoft-material). It is more convenient as one does not need to distribute certificates to users, yet offers slightly less protection than EAP-TLS.

802.11i security

The newest and most rigorous security to implement into WLAN’s today is the 802.11i RSN-standard. This full-fledged 802.11i standard (which uses WPAv2) however does require the newest hardware (unlike WPAv1), thus potentially requiring the purchase of new equipment. This new hardware required may be either AES-WRAP (an early version of 802.11i) or the newer and better AES-CCMP-equipment. One should make sure one needs WRAP or CCMP-equipment, as the 2 harware standards are not compatible.

WPAv2

WPA2 is a WiFi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK).

Additions to WPAv2

Unlike 802.1X, 802.11i already has most other additional security-services such as TKIP, PKI, … Just as with WPAv1, WPAv2 may work in cooperation with EAP and a WIDS

WAPI

This stands for WLAN Authentication and Privacy Infrastructure. This is a wireless security standard defined by the Chinese government.

Smart cards, USB tokens, and software tokens

This is a very high form of security. When combined with some server software, the hardware or software card or token will use its internal identity code combined with a user entered PIN to create a powerful algorithm that will very frequently generate a new encryption code. The server will be time synced to the card or token. This is a very secure way to conduct wireless transmissions. Companies in this area make USB tokens, software tokens, and smart cards. They even make hardware versions that double as an employee picture badge. Currently the safest security measures are the smart cards / USB tokens. However, these are expensive. The next safest methods are WPA2 or WPA with a RADIUS server. Any one of the three will provide a good base foundation for security. The third item on the list is to educate both employees and contractors on security risks and personal preventive measures. It is also IT’s task to keep the company workers’ knowledge base up-to-date on any new dangers that they should be cautious about. If the employees are educated, there will be a much lower chance that anyone will accidentally cause a breach in security by not locking down their laptop or bring in a wide open home access point to extend their mobile range. Employees need to be made aware that company laptop security extends to outside of their site walls as well. This includes places such as coffee houses where workers can be at their most vulnerable. The last item on the list deals with 24/7 active defense measures to ensure that the company network is secure and compliant. This can take the form of regularly looking at access point, server, and firewall logs to try and detect any unusual activity. For instance, if any large files went through an access point in the early hours of the morning, a serious investigation into the incident would be called for. There are a number of software and hardware devices that can be used to supplement the usual logs and usual other safety measures.

RF shielding

It’s practical in some cases to apply specialized wall paint and window film to a room or building to significantly attenuate wireless signals, which keeps the signals from propagating outside a facility. This can significantly improve wireless security because it’s difficult for hackers to receive the signals beyond the controlled area of an enterprise, such as within parking lots.

Network encryption cracking

Despite security measures as encryption, hackers may still be able to crack them. This is done using several techniques and tools. An overview of them can be found at the Network encryption cracking article, to understand what we are dealing with. Understanding the mindset/techniques of the hacker allows one to better protect his system.

Mobile devices and wireless IPS

With increasing number of mobile devices with 802.1x interfaces, security of such mobile devices becomes a concern. While open standards such as Kismet are targeted towards securing laptops, access points solutions should extend towards covering mobile devices also. Host based solutions for mobile handsets and PDA’s with 802.1x interface.

Security within mobile devices fall under two categories:

1. Protecting against ad-hoc networks
2. Connecting to rogue access points
3. Mutual authentication schemes such as WPA2 as described above

Wireless IPS alone does not guarantee complete security on a device. It is a part of a bigger solution.

Implementing network encryption

In order to implement 802.11i, one must first make sure both that the router/access point(s), as well as all client devices are indeed equipped to support the network encryption. If this is done, a server such as RADIUS, ADS, NDS, or LDAP needs to be integrated. This server can be one a computer on the local network, an access point / router with integrated authentication server, or a remote server. AP’s/routers with integrated authentication servers are often very expensive and specifically an option for commercial usage like hot spots. Hosted 802.1X servers via the Internet require a monthly fee; running a private server is free yet has the disadvantage that one must set it up and that the server needs to be on continuously

To set up a server, server and client software must be installed. Server software required is a enterprise authentication server such as RADIUS, ADS, NDS, or LDAP. The required software can be picked from various suppliers as Microsoft, Cisco, Funk Software, Meetinghouse Data, and from some open-source projects. Software includes:

* Cisco Secure Access Control Software
* Microsoft Internet Authentication Service
* Meetinghouse Data EAGIS
* Funk Software Steel Belted RADIUS (Odyssey)
* freeRADIUS (open-source)

Client software comes built-in with Windows XP and may be integrated into other OS’s using any of following software:

* Cisco ACU-client
* Odyssey client
* AEGIS-client
* Xsupplicant (open1X)-project

RADIUS

This stands for Remote Authentication Dial In User Service. This is an AAA (authentication, authorization and accounting) protocol used for remote network access. This service provides an excellent weapon against crackers. RADIUS was originally proprietary but was later published under ISOC documents RFC 2138 and RFC 2139. The idea is to have an inside server act as a gatekeeper through the use of verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions as well as recording accounting information such as time connected for billing purposes.