09 - Wireless


Secure Communications

Wireless

Phillip Fitzpatrick
WLAN

➢ Wireless LANs are specified in the IEEE 802.11 series of standards

➢ A WLAN can be operated in either infrastructure mode or in ad-hoc mode

➢ When in ad-hoc mode, mobile terminals will communicate directly

➢ When in infrastructure mode, mobile terminals will connect to a local
network via an access point

➢ Our focus will be on infrastructure mode, and on the access control options on
an access point
Controlling access to a WLAN

➢ Each access point has a service set identifier (SSID)

➢ Normally this SSID is broadcast by the access point allowing users to find and
connect to the access point

➢ Public access points are known as hot spots or open WLAN

➢ An open WLAN does not restrict who may connect to an access point, but it is
not necessarily unprotected. Security mechanisms could be provided in other
protocol layers
Controlling access to a WLAN [1]

➢ One method of controlling access to an access point is to stop it from
broadcasting the SSID

➢ This requires the clients to know the SSID of the network in order to connect
to it

➢ What is the problem with this method?

➢ The SSID is included (in plain text) in many of the signaling messages,
which could be intercepted by an attacker
Controlling access to a WLAN [2]

➢ Another method of controlling access to an access point is to configure the
access point to only accept connections from known MAC addresses

➢ However?

➢ An attacker sniffing the traffic could find a valid MAC address of another
user and spoof their own MAC address to match
Controlling access to a WLAN

➢ Essentially, basing access control on information needed by the network to
manage the connection (i.e. by SSID or MAC address) is at best problematic

➢ Hence, it is a more promising strategy to let the client establish a connection
to the access point and then authenticate the client before giving access to
the protected services
Universal Access Mechanism (UAM)

➢ The UAM uses just such an approach

➢ A client connecting to an access point gets an IP address via DHCP

➢ When the client's web browser starts, either the DNS or HTTP request is intercepted

➢ The user is redirected to an HTTPS session and asked for a username and
password

➢ The web server verifies the username and password using a RADIUS server

➢ The protection of subsequent traffic between client and the AP is a separate issue
Captive Portal

➢ The login page that the user uses is sometimes called a captive portal

➢ A captive portal turns a web browser into an authentication device

➢ The user’s browser is redirected to a web page which may require
authentication and/or payment, or simply display an acceptable use policy and
require the user to agree

➢ Captive portals are used at most Wi-Fi hotspots, and they can be used to control
wired access (e.g. apartment houses, hotel rooms, business centres, "open"
Ethernet jacks) as well
Captive Portal Software

➢ Air Marshal, software-based, for the Linux platform (commercial)

➢ PepperSpot, open-source Linux

➢ M0n0wall, FreeBSD based firewall distribution

➢ pfSense, derived from m0n0wall

➢ WiFiDog Captive Portal Suite, small C based kernel solution (embeddable)

➢ Wilmagate, C++ based and executable in both Linux and Windows/Cygwin
environments
Remote Authentication Dial In User Service

➢ RADIUS is a networking protocol that provides centralized Authentication,
Authorization, and Accounting (AAA) management for computers to connect
and use a network service

➢ Because of the broad support and the ubiquitous nature of the RADIUS
protocol it is often used by ISPs and enterprises to manage access to the
Internet or internal networks, wireless networks, and integrated e-mail
services

➢ RADIUS is a client/server protocol that runs in the application layer, using
UDP as transport
Remote Authentication Dial In User Service

➢ RADIUS serves three functions:

    ➢ to authenticate users or devices before granting them access to a network

    ➢ to authorize those users or devices for certain network services and

    ➢ to account for usage of those services


WEP
Wired Equivalent Privacy (WEP)

➢ The WEP protocol was specified in IEEE 802.11

➢ Its purpose was to protect the confidentiality and integrity of data passed
between a mobile terminal and an access point

➢ And also, to authenticate mobile terminals to the access point

➢ Authentication is based on a shared secret

➢ So-called pre-shared secrets are installed manually in all devices that should
get access to the network

➢ Most LANs use the same key for all terminals


How does WEP work?

➢ WEP uses a stream cipher for encryption

➢ A 24-bit IV is used to randomize the encryption

➢ Users share either a 40-bit or 104-bit shared key, K


How does WEP work?

➢ To transmit a message, M
    ➢ The user calculates a checksum, H
        ➢ H = CRC-32(M)

    ➢ The user forms a 64-bit or 128-bit key K* (the IV followed by the shared
    key) and uses it to generate a key stream with the stream cipher RC4
        ➢ K* = IV || K

    ➢ The ciphertext, C, is the bitwise XOR of (M || H) and the key stream
        ➢ C = (M || H) ⊕ RC4(K*)
How does WEP work?

➢ The ciphertext and IV are transmitted to the receiver

➢ The receiver computes C ⊕ RC4(K*) = M || H and verifies the checksum

➢ To authenticate a client, the AP sends a 1024-bit challenge in the clear to the
client

➢ The client uses the above algorithm to encrypt the challenge with the
pre-shared key, and the AP verifies the response
The Flaws with WEP

➢ The cryptographic mechanisms used in WEP suffer from two major design
flaws

➢ Exercise: What are they?


The Flaws with WEP

➢ CRC-32 is a cyclic redundancy check, useful for detecting random errors but
no defence against targeted modifications

➢ An attacker who only has a WEP ciphertext, but neither K* nor plaintext M,
can modify the plaintext
The Flaws with WEP [1]

Example:

➢ Let M’ be the new altered plaintext

➢ The attacker computes A = CRC-32(M’) and adds (M’ || A) to the ciphertext
(bitwise XOR), obtaining a valid encryption of the plaintext M ⊕ M’

➢ (M || CRC-32(M)) ⊕ RC4(K*) ⊕ (M’ || A)
➢ = (M ⊕ M’ || CRC-32(M) ⊕ A) ⊕ RC4(K*)
➢ = (M ⊕ M’ || CRC-32(M ⊕ M’)) ⊕ RC4(K*)
The Flaws with WEP [2]

➢ The second problem is the size of the IV

➢ As long as the secret key remains unchanged, the IV is the only variable
part of the key K*

➢ An attacker could observe traffic for a longer period until IVs repeat and
then try to reconstruct the key streams and build a table of IV’s and
corresponding key streams
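
The two flaws above, run end to end on a toy WEP frame (an added example, not part of the original slides; the key, IV and messages are constructed). `flip` applies the (M’ || A) modification without the key, with one extra constant because the CRC-32 in `zlib` is affine rather than strictly linear, and `keystream_from_known` shows what a repeated IV gives away.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 key stream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m: bytes) -> bytes:
    """H = CRC-32(M), packed little-endian."""
    return struct.pack("<I", zlib.crc32(m))

def wep_encrypt(iv: bytes, k: bytes, m: bytes) -> bytes:
    """C = (M || H) XOR RC4(K*), with K* = IV || K."""
    return xor(m + icv(m), rc4(iv + k, len(m) + 4))

def wep_decrypt(iv: bytes, k: bytes, c: bytes):
    """Return M if the checksum verifies, otherwise None."""
    body = xor(c, rc4(iv + k, len(c)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def flip(c: bytes, delta: bytes) -> bytes:
    """Flaw 1: change M to M XOR delta without knowing K*."""
    a = xor(icv(delta), icv(bytes(len(delta))))  # constant term: zlib CRC-32 is affine
    return xor(c, delta + a)

def keystream_from_known(c: bytes, m: bytes) -> bytes:
    """Flaw 2: one known plaintext reveals RC4(K*) for that IV."""
    return xor(c, m + icv(m))

# Constructed sample values, not taken from the page
K, IV = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")  # 40-bit key, 24-bit IV
M = b"PAY 0100 TO BOB"
DELTA = bytes(4) + bytes([ord("0") ^ ord("9")]) + bytes(10)   # flips one digit
if __name__ == "__main__":
    print(wep_decrypt(IV, K, flip(wep_encrypt(IV, K, M), DELTA)))
```

The modified frame passes the receiver's checksum, while the same change made without adjusting the checksum field is rejected; a keyed MIC is what closes that gap.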
WPA
WiFi Protected Access (WPA)

➢ WPA was designed as a quick preliminary solution that removed the major
flaws in WEP prior to a complete redesign of the WLAN security architecture

➢ Given the design constraints, the WPA security mechanisms are not as strong
as one might expect from a cryptographic perspective, but WPA is still a
definite improvement over WEP
How does WPA work?

➢ WPA replaced CRC-32 with a MIC called Michael

➢ The length of the IV has doubled to 48 bits

➢ It uses the Temporal Key Integrity Protocol (TKIP) to create a key hierarchy
    ➢ Client and AP have a long-term Pairwise Master Key (PMK)
    ➢ For each connection new Pairwise Transient Keys (PTKs) are derived from
    the master key
How does WPA work?

➢ When WPA is deployed with pre-shared master keys (WPA-PSK), the PMK is
computed with the key generation function PBKDF2
    ➢ PMK = PBKDF2(passphrase, SSID, SSID Length, 4096, 256)

➢ The inputs (passphrase, SSID, length) are hashed 4096 times and a 256-bit
key is returned

➢ The algorithm computing a PTK takes the PMK, the MAC address of both
devices, and nonces (sent in the clear) generated by both devices, as its
inputs
Attacking WPA

➢ WPA-PSK is vulnerable to password guessing attacks

    ➢ The attacker records the messages exchanged when the victim connects
    to the WLAN
    ➢ Then the attacker guesses a passphrase and computes a master key PMK
    for the passphrase and the known (intercepted) values SSID and SSID
    length
    ➢ and a transient key PTK from PMK and the intercepted MAC addresses
    and nonces
    ➢ Encrypted messages that had been recorded are decrypted with the
    candidate key PTK
    ➢ If the result is meaningful plaintext, the guess of the passphrase is correct
    with very high probability
WPA2
802.11i – WPA2

➢ A complete redesign of WLAN mechanisms has been specified in the
standard IEEE 802.11i, published in 2004

➢ This standard is known as WPA2

➢ In WPA2, the stream cipher RC4 has been replaced by AES

➢ WPA2 required new hardware


Review of WPA3
Supporting Material

➢ How we ended up in WPA3? – Wi-Fi Security Evolution (grandmetric.com)

➢ WEP | WPA | WPA2 | WPA3 | Wireless Security Protocols (IpCisco)

➢ “Review on wireless security protocols” – Google Scholar
    ➢ https://www.academia.edu/download/65316864/CSEIT1953127.pdf
