PEOPLE'S DEMOCRATIC REPUBLIC OF ALGERIA
MINISTRY OF HIGHER EDUCATION AND SCIENTIFIC RESEARCH
Mohamed El-Bachir El-Ibrahimi University - Bordj Bou Arreridj
Faculty of Science and Technology
Department of Electronics
Mini-project
Sector: Telecommunications
Specialty: System & Telecommunications
Module: RSF-RM
Theme: Wi-Fi Security WPA2 Using Python
Presented by:
• SEGUENI Oussama
• TABABOUCHET Hamouda
Supervising teacher: Pr. Salih Aidel
College year 2023 / 2024
Contents
Table of Figures
Acronyms
Chapter 01: Generalities of Wi-Fi Network Security
1.1. Introduction
1.2. The Topology of a Wi-Fi Network
1.2.1. Infrastructure Mode
1.2.2. Ad-Hoc Mode
1.3. The Layered Model of IEEE 802.11
1.3.1. Physical Layer
1.3.2. Data Link Layer
1.4. Wi-Fi Security Techniques
1.4.1. WPA (Wi-Fi Protected Access) and WPA2
1.4.2. TKIP Encryption
1.4.3. AES Encryption
1.4.4. Authentication
1.5. Conclusion
Chapter 02: Implementation of Wi-Fi Security and Attacks
2.1. Introduction
2.2. Simulation of RC4 and AES Algorithms
2.2.1. Simulation of RC4
2.2.2. Simulation of AES Algorithm
2.3. Attack on WPA2/WPS
2.4. Attack on WPA2
2.5. Conclusion
Bibliography
Table of Figures
Chapter 01
Figure 1.1: Wi-Fi Logo
Figure 1.2: Infrastructure mode Wi-Fi network
Figure 1.3: Ad-Hoc Wi-Fi network
Figure 1.4: Layers of 802.11
Figure 1.5: MAC frame format
Figure 1.6: Construction of TKIP based on the RC4 stream cipher with a long IV
Figure 1.7: AES encryption
Figure 1.8: Authentication types
Chapter 02
Figure 2.1: Python software UI
Figure 2.2: Results of encryption and decryption with the RC4 algorithm
Figure 2.3: Byte substitution
Figure 2.4: Shift rows
Figure 2.5: Mix columns
Figure 2.6: Key addition
Figure 2.7: Results of encryption and decryption with the AES algorithm
Figure 2.8: Attack on Wi-Fi WPA2/WPS
Figure 2.9: Attack on WPA2 with aircrack-ng
Figure 2.10: Key FOUND
Acronyms
AES Advanced Encryption Standard
AP Access Point
BSS Basic Service Set
CCA Clear Channel Assessment
CCM Counter with CBC-MAC
CRC Cyclic Redundancy Check
DSSS Direct Sequence Spread Spectrum
FHSS Frequency Hopping Spread Spectrum
GTK Group Temporal Key
IBSS Independent Basic Service Set
ID Identification
IEEE Institute of Electrical and Electronics Engineers
IV Initialization Vector
LLC Logical Link Control
MAC Media Access Control
MIC Message Integrity Code
MPDU MAC Protocol Data Unit
MSDU MAC Service Data Unit
OSI Open Systems Interconnection
OFDM Orthogonal Frequency Division Multiplexing
P2P Peer-to-Peer
PHY Physical Layer
PMP Point-to-Multipoint
PN Packet Number
PLCP Physical Layer Convergence Protocol
PTK Pairwise Transient Key
RC4 Rivest Cipher 4
STA Station
TKIP Temporal Key Integrity Protocol
WEP Wired Equivalent Privacy
WECA Wireless Ethernet Compatibility Alliance
WI-FI Wireless Fidelity
WPA Wi-Fi Protected Access
WPS Wi-Fi Protected Setup
Chapter 01: Generalities of Wi-Fi Network Security
1.1. Introduction
Wi-Fi (Wireless Fidelity) is a wireless networking technology that allows devices such
as laptops, smartphones and other equipment (printers, video cameras) to connect to the
Internet. It also allows these devices, and many more, to exchange information with one
another, forming a network. It was created in 1997 by WECA (Wireless Ethernet Compatibility
Alliance), whose aim is to ensure the interoperability of 802.11 products and to promote the
technology. Devices approved for Wi-Fi carry the logo shown in Figure 1.1.
It is the technology most vulnerable to hacking: without Wi-Fi security, anyone with a
computer within range can connect to a network device, which threatens the stability of the
system and the protection of its data. So, how can it be protected? [1]
Figure 1. 1 : Wi-Fi Logo
1.2. The Topology of a Wi-Fi Network
The IEEE 802.11 standard is based on a cellular architecture that can be compared to that
used in cell phones. There are two possible topologies in IEEE 802.11 wireless networks:
• Infrastructure Mode
• Ad-Hoc Mode
1.2.1. Infrastructure Mode
Infrastructure mode is characterized by the presence of an AP to which each fixed or
mobile station, called a STA, is connected. This ensures communication between the stations
belonging to the same BSS.
This architecture allows networks to be extended, since all communications must pass
through the AP, even those between two stations of the same BSS. [1] [2] [3]
Figure 1. 2 : Infrastructure mode Wi-Fi network
1.2.2. Ad-Hoc Mode
Ad-hoc mode is characterized by a group of stations, each with its own radio interface,
any of which can communicate directly with the others provided they are within range.
This mode creates a point-to-point network within the range of the other stations, where
each device or station plays the role of both client and access point at the same time, which
limits the size of the network; such a network is called an IBSS. [1] [2] [3]
Figure 1. 3 : Ad-Hoc mode Wi-Fi Network
1.3. The layered model of IEEE 802.11
IEEE 802.11 is based on the two lower layers of the OSI model, the physical layer and
the data link layer.
Figure 1. 4 : Layers 802.11
1.3.1. Physical Layer
Known as the PHY, it consists of two sub-layers:
• PMP, which determines the type of medium, connectors, transmitter and receiver, and
the modulation techniques.
• PLCP, which senses the medium and sends a signal called CCA to the MAC layer to
indicate whether the medium is busy or not. It is characterized by three modulation
techniques: FHSS, DSSS and OFDM. [4] [3]
1.3.2. Data Link Layer
It is the brain of the Wi-Fi network: its functions handle the transfer of different kinds of
data such as voice, error control and even security. It also defines network addresses. It
consists of two sub-layers: [1] [3]
• LLC, which comes in three types. The first is connectionless and allows point-to-point
communication only. The second is a connection-oriented service intended for flow
control with verification, which ensures the detection of errors and duplicates. The last
is also connectionless but with acknowledgment: it retransmits without correcting the
errors.
• MAC, which defines medium access, framing and error-detection mechanisms, and
controls the medium.
Figure 1. 5 : MAC frame format
1.4. Wi-Fi Security Techniques
The security of 802.11 networks against attacks such as war-driving, intrusion or denial
of service depends on authentication and on several types of encryption such as WEP, WPA,
WPA2 and 802.11i. At present, WPA2 is considered the best type of encryption, providing
fairly sufficient security guarantees.
1.4.1. WPA (Wi-Fi Protected Access) and WPA2
WPA is a solution for the security of Wi-Fi networks whose aim is to close the
vulnerabilities of WEP. It is a lightweight version of the 802.11i protocol based on the TKIP
encryption algorithm, which regenerates keys randomly several times per second and is itself
based on the RC4 encryption algorithm. It supports only networks in infrastructure mode,
which means it cannot secure ad-hoc networks.
WPA2 is based on either TKIP or the AES encryption algorithm and, unlike WPA, supports
both network modes.
There are two architectures for WPA or WPA2:
• With shared keys: we are talking about WPA Personal.
• With an 802.1x architecture: we are talking about WPA Enterprise. [3] [2]
1.4.2. TKIP Encryption
TKIP is based on the same RC4 algorithm but with a 48-bit IV, and the encryption keys
change with every packet and are distributed by a more flexible and secure mechanism. This
ensures that the same key is never used twice in a row. 16 bits of the IV are sent in the clear in
each packet, between the MAC header and the ID field; the remaining 32 bits are inserted into
the encrypted data and are called the Extended IV. Finally, the ID field indicates whether the
Extended IV is present or not. [3]
Figure 1. 6. Construction of TKIP based on RC4 stream cipher which uses long IV
1.4.3. AES Encryption
In WPA2, AES is used in counter mode with CBC-MAC (CCM). Counter mode provides the
encryption, and a CBC-MAC is computed for each message; a counter called the packet
number (PN) ensures that two messages encrypted with the same key give two different
ciphertexts. CCMP uses CCM to compute the MIC integrity code over the message, the CCMP
header and the MAC header; its main role is to define how CCM is used.
We briefly mention how the packet to be sent is processed by the MAC layer:
• The packet handed to the MAC layer by the upper network layers is called an MSDU
(MAC Service Data Unit).
• The MAC layer may break the MSDU into several parts called MPDUs (MAC Protocol
Data Units).
• Each MPDU consists of a MAC header and data.
A header is inserted between the MAC header and the data: it has a structure similar to that
of the TKIP header and contains the 48-bit packet number (PN) used by CCM, as well as the
index of the temporal key (PTK or GTK) used for encryption. [3] [5] [6]
Figure 1. 7 : AES encryption
1.4.4. Authentication
The IEEE has defined two authentication algorithms for 802.11 networks:
• Open authentication, which corresponds to the null algorithm: any terminal that requests
authentication is granted access.
• Shared-key authentication, which requires that both the requesting station and the station
granting access be configured with identical WEP keys. Station A sends an
authentication request to B, which replies with a challenge frame in the clear. A encrypts
the challenge frame with its WEP key and sends it back to the authenticating station,
which attempts to decrypt it: if the decrypted text matches the plaintext originally sent,
access is granted. [1]
Figure 1. 8 : Authentication Types
1.5. Conclusion
Wi-Fi, based on the IEEE 802.11 standard, is an integral part of our everyday lives,
enabling wireless connectivity for a wide range of devices. This technology has evolved over
the years, introducing many architectures, encryption and authentication methods to ensure that
information is transmitted smoothly and securely.
Chapter 02: Implementation of Wi-Fi Security and Attacks
2.1. Introduction
In this chapter, we implement the encryption algorithms used by Wi-Fi networks in WEP
and WPA/WPA2, namely the RC4 and AES algorithms. To this end, we created a simulation of
AES and a simulation of RC4 in Python. To test the efficiency of the Wi-Fi protection system,
we attacked three WPA2+WPS protection modes using Waircut, and WPA2 using the Kali
Linux operating system. [7]
2.2. Simulation of RC4 and AES algorithm
The RC4 and AES encryption algorithms are considered fundamental pillars of protecting
a Wi-Fi network from hacking, and since this type of encryption is not open source, we used
Python for the simulation, as shown in Figure 2.1.
Figure2. 1 : python software UI
2.2.1. Simulation of RC4
In the RC4 simulation, we produce a sequence of bytes r from the key, and this sequence
is combined by XOR with the bytes of the clear message m to give the encrypted bytes c.
We initialize the algorithm with a key K of 128 bits, then initialize a matrix S of 256 bits
and set two counters i and j to zero. We then generate a random byte so that the input
undergoes a single permutation. The results of encryption and decryption with this algorithm
are shown in Figure 2.2. [8]
Figure2. 2 : Results of encryption and decryption of RC4 algorithm
We notice that in this simulation we sent the text “Oussama” using the key “000011101”,
so it was encrypted as follows: “XcKtUV5JaTQ=”. To retrieve the message, we note that the
key used must be known. If there is an error in the key, the message will not be retrieved.
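As an added worked example (not the report's own Python program), here is a standard RC4 implementation with the KSA/PRGA steps described above; it uses the usual 256-byte state S and, beyond the report's round trip, also shows why a single static key is weak: the XOR of two ciphertexts produced under one key reveals the XOR of the two plaintexts, the keystream-reuse problem that TKIP's per-packet keys and long IV exist to avoid. The key string is the one from the report's example; since the report does not state how its UI encodes the key, its exact base64 output is not reproduced here.

```python
import base64

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: the KSA builds the 256-byte permutation S, the PRGA walks it."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def rc4_encrypt_b64(key: str, text: str) -> str:
    """Encrypt a text message and return base64, the form the report's UI displays."""
    return base64.b64encode(rc4_crypt(key.encode(), text.encode())).decode()

def rc4_decrypt_b64(key: str, token: str) -> bytes:
    """Decrypt a base64 token; a wrong key silently yields garbage, not an error."""
    return rc4_crypt(key.encode(), base64.b64decode(token))

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Why one static key is weak: with a single keystream, c1 XOR c2 == m1 XOR m2,
    so an observer learns about the plaintexts without ever knowing the key."""
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))

if __name__ == "__main__":
    # Constructed sample values; the key string is the one quoted in the report.
    token = rc4_encrypt_b64("000011101", "Oussama")
    print("ciphertext (base64):", token)
    print("decrypted with right key:", rc4_decrypt_b64("000011101", token))
    print("decrypted with wrong key:", rc4_decrypt_b64("000011100", token))
    print("c1^c2 == m1^m2 under one key:", keystream_reuse_leak(b"wep-key", b"hello world", b"attack at"))
```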
2.2.2. Simulation of AES algorithm
AES, on the other hand, has three key lengths: 128 bits, 192 bits and 256 bits. The
algorithm runs a series of r rounds, each of which performs a series of permutations and
substitutions depending on the round key K_n, and works on matrices of 4×4, 4×6 or 4×8
bytes depending on the key length. These operations are described as follows: [5]
• Byte substitution: Each byte of the block is replaced by another byte according to a
fixed substitution schedule (called S-box) Figure 2.3.
Figure2. 3 : Byte substitution
• Shift Rows: Block rows are shifted by different offsets. The number of positions each
byte is shifted depends on the row index Figure 2.4.
Figure2. 4 : Shift row
• Mix columns: this operates on the columns of the state matrix, i.e. the block of data
being processed. Each column is treated as a polynomial over a finite field and is
multiplied by a fixed matrix, Figure 2.5.
Figure2. 5 : Mix column
• Key addition: the round key derived from the original encryption key is XORed with
the state array. The round keys are generated from the original key by the key
schedule, and each round of AES uses a different round key, Figure 2.6.
Figure2. 6 : Key addition
In the end, after simulating these steps, we were able to encrypt and decrypt the
message, Figure 2.7.
Figure2. 7 : Results of encryption and decryption of AES algorithm
We note that the AES algorithm is very complex: by entering the message
“Oussama&Hamouda”, the message was directly encrypted using its private keys randomly,
without using a single key, and in the same way but in reverse, the encrypted message
“AAAAAAAAAAAAAAAAAAAAAIMdezLyVsgc4UtnhTQ5cg==” was taken and the
steps were reversed to retrieve the message.
We also note that the AES algorithm is more secure since the encryption key is variable
and random for each round.
2.3. Attack on WPA2/WPS
We carried out an attack on a router that uses the WPA2+WPS security system, using the
Waircut program, which works to find a WPS vulnerability that allows us to hack the Wi-Fi
device and know the password, Figure 2.8. [7] [9]
Figure2. 8: Attack Wi-Fi -WPA2/WPS
The network was easily hacked, as we mentioned previously, through the
WPS vulnerability, and we obtained the network's password.
2.4. Attack on WPA2
We carried out an attack on a router that uses the WPA2 security system, using the Kali
Linux operating system and relying on the aircrack-ng attack, which allows us to hack the Wi-Fi
device and find out the password through a guessing process, as we used a file containing
millions of passwords; this method is 50% successful. We generally use this method when
we have information about the victim, Figures 2.9 and 2.10. [7] [9]
Figure2. 9 : Attack WPA2 by aircrack-ng attack
Figure2. 10 : Key FOUND
We note that in this case, the WPA2 Wi-Fi network was hacked and the password was
found within a few minutes. We also note that this method is successful with victims for whom
we have information such as dates of birth, and that the victim must be connected to the
network.
2.5. Conclusion
RC4 encryption depends on a single key, which makes it easy to hack, and this is what
makes WEP weak compared to WPA2 protection, which relies on AES encryption with a
variable key, making it more complex and harder to hack. However, our experiments have
shown that even WPA2 can be hacked, which confirms that Wi-Fi security methods do not
provide sufficient security guarantees.
Bibliography
[1] F. Dupont, "Réseaux sans-fil," Université Claude Bernard Lyon 1.
[2] D. G. Frédéric, "L'essentiel WiFi," 2003.
[3] A. V. Sophie, "Le chiffrement des données dans les réseaux WiFi," Université d'Antananarivo, 15 January 2009.
[4] D. Lalot, Université de la Méditerranée.
[5] C. M. M. T. Saifurrab, "AES algorithm using advance key implementation in MATLAB," Int. Res. J. Eng., pp. 846-850, 2016.
[6] M. Terré, "WiFi: Le Standard 802.11, couche physique et couche MAC," March 2007.
[7] J. H. Taha, Hacking wireless networks.
[8] W. Stallings, "The RC4 stream encryption," 2005.
[9] G. Lehembre, "Wi-Fi security – WEP, WPA and WPA2," 1995.