Seminar on Wireless Security Protocols (WEP & WPA)

Presented by: Piyush Mittal Dept. of Computer Science, NIT Rourkela

Introduction
The IEEE 802.11 committee realized that wireless

transmissions were vulnerable to attack and interceptions. So they implemented several protections in 1997 in 802.11 standard. These protections divided into: 1. Access Control 2. Wired Equivalent Privacy(WEP) 3. Authentication In 2003 introduced Wi-Fi Protected Access(WPA). In 2004 introduced WPA2.

Access Control
Access control is a method of restricting access to resources, only

accessible to authorized users. Wireless access control is accomplished by limiting a devices access to the access point(AP). An access point contains an antenna and radio transmitter/receiver to send and receive wireless signals, and an RJ-45 port that allows it to connect it to a wired network. All wireless devices transmit to AP, which directs the signal to the other wireless devices. So AP acts as a bridge between wireless and wired networks. Hence restricting access to AP is the ideal access control solution. MAC address is a hardware address that uniquely identifies each node in a network. A node can be restricted by entering its MAC address in AP.

WEP
Wired Equivalent Privacy(WEP) is intended to guard

confidentiality. WEP is used in IEEE 802.11 to encrypt wireless transmissions. And is a cryptography mechanism. WEP relies on a secret key shared between a wireless device and the access point. IEEE 208.11 WEP secret key must be a minimum of 64-bits in length. An option to use a larger 128-bit key is also possible. Keys are created by the user entering the same string of either ASCII or hexadecimal characters. IEEE standard also specifies that the access points and devices can hold up to 4 shared secret keys, one of them designated as the default key .
4

Encryption Mechanism
1. 2.

3.

4.

5.

The plaintext has a cyclic redundancy check(CRC) value calculated, the WEP calls this the integrity check value(ICV). And appends it to the end of the text. The shared secret key designated as default key is combined with an initialization vector(IV). The IV is a 24 bit value that changes each time a packet is encrypted. The default key and IV are then entered into the pseudo-random number generator(PRNG) that creates a random number. The PRNG is based on the RC4 cipher algorithm which is a stream cipher. The output is known as keystream. The two values(text plus ICV and keystream) are then combined through XOR operation to create the ciphertext. The IV is added to the front of the ciphertext and the packet is ready for transmission. IV is not encrypted.

Encryption Process

Transmitting with WEP

Weaknesses
Key Management and Key Size The Initialization Vector (IV) is Too Small

The Integrity Check Value (ICV) algorithm is not

appropriate. WEPs use of RC4 is weak. Authentication Messages can be easily forged. WEP implementation violates the cardinal rule of cryptography. Because of the weaknesses of WEP it is possible for an attacker to identify two packets derived from the same IV.

Example
operation1 Plaintext A 11010011 XOR Keystream 10100110 ------------------------------------Ciphertext A 01110101 01110101 XOR Ciphertext B 10001011 --------------------------------------------------11111110 operation2 Plaintext B 00101101 XOR Keystream 10100110 ------------------------------------Ciphertext B 10001011 11111110 operation 3 Ciphertext A operation 4 Plaintext A 11010011 XOR Plaintext B 00101101 -------------------------

WPA
WPA(Wi-Fi Protected Access) replaces WEP with an

encryption technology called Temporal Key Integrity Protocol(TKIP) TKIP dynamically generates a new key for each packet that is created, called per-packet keys. Per-packet keys prevent collisions. TKIP provides greater level of security. TKIP distributes the key to the wireless device and AP. Then dynamically generates unique keys to encrypt every data packet. WPA replaces the cyclic redundancy check(CRC) in WEP with Message Integrity Check(MIC).
10

TKIP Encryption
Instead of using an initialization vector and secret key the temporal key is XORed with the senders MAC address to create an intermediate Value 1. 2. Value 1 is then mixed with a sequence number to produce Value 2, Value 2 is then entered into the Pseudo-Random Number Generator(PRNG). 3. Instead of sending the text through the CRC generator, the MIC key, senders MAC address, and receivers MAC address are all sent through a MIC function. This creates a text with the MIC key appended. This value is then XORed with the keystream to create the ciphertext.
1.

11

TKIP Encryption

12

 If a wireless device was transmitting 10000 packets per

second with WEP IV, collisions would occur in 90 minutes; using TKIP, collision would not occur for over 900 years.

13

WPA2
WPA2 is based on IEEE 802.11i. It uses Advanced Encryption Standard(AES)for data

encryption and supports PSK(pre-shared key) technology. Use of AES provides more security. Because AES encryption is based on 9,11 or 13 rounds depending on different key size.

14

Conclusion
At first, we explain the structure of WEP and its encryption process and weaknesses. Secondly, we discuss about the second generation of wireless security protocol as WPA and its encryption process. Finally, we discuss about third generation of wireless security protocol as WPA2/802.11i. And conclude that WPA2 is more secure than WPA more secure than WEP.

15

References
IEEE 2009 Paper On A Survey on Wireless Security protocols

(WEP,WPA and WPA2/802.11i) by ARASH HABIBI LASHKARI and MIR MOHAMMAD SEYED DANESH CWSP Guide to Wireless security by Mark Ciampa

16

Thank You

17