Sie sind auf Seite 1von 7

Overview of WLAN security

Timo Hassinen
Helsinki University of Technology


WEP uses a pre-shared key for encryption and user authentication. WEP was developed to protect link-level data
Wireless networks are on the cutting edge of modern tech- during wireless transmission and it was accompanied by
nology and are fast becoming ubiquitous. As a result in- three main security goals. These goals are presented below
creasing interest surrounding possible security problems has in priority order:
arisen. This paper offers a general overview of various se Confidentiality: Prevent eavesdropping
curity schemes designed to protect wireless networks. For
each respective scheme, advantages and disadvantages are
Access control: Protect access to a wireless network


Wireless networks are rapidly gaining popularity in todays

world due to their excellent usability. The usability is a sum
of two things: wireless networks can be used everywhere and
no cables are required. Yet, relying on the radio waves to
transmit important data, such as credit card numbers, raises
questions about the security of wireless networks. How can
users be guaranteed their data is protected while being broadcast over the air? The aim of this paper is to present the
reader with a general idea of wireless network security. The
paper is organized as follows. Section 2 introduces the first
security scheme for wireless networks: Wired Equivalent
Privacy [1], or for short WEP. This introduction is followed
by outlining the various shortcomings of WEP, consequently
the need for a better security scheme is made apparent. Section 3 provides this scheme and presents the successor of
WEP, i.e. Wi-Fi Protected Access (WPA) [2]. This section
then continues by explaining how WPAs advances eliminate
the shortcomings of WEP. Finally, section 3 closes with an
introduction to WPA2 [3], the refined version of WPA. Section 4 briefly discusses the future of WLAN security and section 5 summarizes the paper.

Data Integrity: Prevent tampering with transmitted



WEP in detail

Confidentiality in WEP is achieved using RC4 stream cipher:

In encryption (Fig. 1), first the 24-bit Initialization Vector
and the pre-shared WEP key that is usually 40 or 104 bits
long, are concatenated to produce the seed for RC4. RC4
uses this seed to generate a long sequence of pseudorandom
bytes i.e a keystream. Then the exclusive-or (XOR) is applied to the plaintext and keystream to obtain the ciphertext.
The decryption is done reversely: first the keystream is regenerated and then its XORed againts the ciphertext. The
chosen IV is prepended in clear-text in the payload being


Wired Equivalent Privacy (WEP) is a security protocol that

is part of IEEE 802.11 standard [4] for wireless networks.
WEP is still widely employed around the world due to the
fact that old network interface cards cannot match the reFigure 1: WEP Encryption process
quirements of newer security protocols. As a demonstration of this a field survey [5] on home security conducted
in December 2005 shows that 41 percent of households with
Standard WEP uses only a 40-bit key, due to US Governa wireless connection still use WEP. According to the same
survey 47 percent of these households do not use any secu- ment restrictions on the export of cryptographic technology
at the time the protocol was drafted. This key length was too
rity scheme at all, and only 12 percent employ WPA.

TKK T-110.5290 Seminar on Network Security

short and made brute force attacks, i.e. trying all the possible key combinations until finding the correct key, practical.
As a result anybody with fairly modest computing resources
could eventually break the key. After restrictions on the export of cryptographic technology were removed, all major
manufacturers eventually implemented an extended 128-bit
WEP protocol with the 104-bit key size. This rendered the
brute force attacks impossible, but still failed to make WEP
impenetrable. Indications of other weaknesses, not related
to key size, such as IV collisions and altered packets, were
found. We will examine these weaknesses closer in next subsection (sec. 2.2).
The two other security goals of WEP were the protection
of access to a wireless network infrastructure and the prevention of tampering with transmitted messages. The protection
of wireless network infrastructure is implemented through
the IEEE 802.11 standard that includes an optional feature
to discard all packets not properly encrypted using WEP.
Prevention of tampering with transmitted messages on the
other hand is implemented with the integrity checksum field
(CRC32), which indicates if the data has been altered or not.
CRC32 is appended to the packets message body and encrypted with it.


the keystream by exclusive-oring the challenges. Although
the 802.11 standard discourages stations to reuse the IV from
this handshake, the attacker is left with the possibility to
transmit and authenticate indefinitely with this keystream
(replay attack). .
The possibility to forge packets was implemented by exploiting the linear CRC checksum, which was only designed
to protect against random errors. As a result the attacker may
modify and redirect the packets from the network to himself
(IP redirection). Its also possible for an attacker to modify
and release the packet and to gather information about packet
by observing, if the ACK is received or not (TCP Reaction
attack). These mechanisms clearly demonstrated the defeat
of two of the WEPs security goals mentioned earlier, i.e.
Access Control and Data Integrity.

Shortcomings of WEP
An Inductive Chosen Plaintext Attack

One of the first attacks [6] against WEP security protocol

was introduced in May 2001. The attack demonstrated how
it is possible to recover one byte of keystream after sending
at most 256 packets.
In this attack, an attacker gets to know the exact plain text
and the cipher text of one message, for example by eavesdropping a DHCP discovery packet. With this knowledge
the attacker can construct a part of keystream by XORing the
cipher text and the plain text together. After this the attacker
generates one bit longer plain text, for example an ARP request and adds one byte to the keystream. Then the attacker
encrypts the plain text and sends it to the access point or
Figure 2: Shared Key Authentication attack
other mobile station. If the attacker gets a response, the new
byte in keystream is correct, otherwise he can try the other
255 possibilities. Eventually the attacker finds the correct
byte, i.e. expands the known keystream by one. The attacker 2.2.3 Weaknesses in RC4 key scheduling
can continue this, until the desired length of keystream is reA month later, a cryptanalysis [8] pertaining to the exploitavealed.
tion of the way RC4 cipher and IV were used, was published.
In this cryptanalysis two major weaknesses were found in
2.2.2 Insecurity of 802.11
RC4s key scheduling algorithm (KSA). The first being the
Another indication of WEPs inadequate security occurred existence of a large class of weak keys,and the second being
in July 2001, when mechanisms for reliably discovering a related key vulnerability.
A weak key is a key that makes a cipher behave in some
keystream and forging the encrypted packets were discovered [7]. The most practical attack to recover a keystream undesirable way. In this case a key, i.e. a single weak IV,
relied on the IEEE 802.11 Shared Key Authentication mech- has a 5 percent probability of revealing the correct key byte
anism feature to be enabled. The goal of this feature was to in RC4. By collecting enough packets, the most probable
key can be calculated. Related key vulnerability on the other
prevent unauthorized access to a wireless network.
In this scheme (Fig. 2) a two-way handshake is imple- hand means that the operation of a cipher can be observed
mented: first the Access Point (AP) sends a clear-text chal- when using unknown initial values if the attacker knows the
lenge to the authenticating peer, to which the peer responds mathematical connection between different keys of a cipher.
In this case a mathematical connection between the differby sending an encrypted version of the same challenge. By
eavesdropping on both challenges, the attacker may obtain ent keys (IV, WEP key) can be established, because the WEP

TKK T-110.5290 Seminar on Network Security

key is not frequently changed and the IV is repeating as mentioned earlier. These two weaknesses prepared the way for
the attackers to recover RC4 key with a passive attack. This
could be accomplished by either eavesdropping on the network traffic or forcing the traffic onto the network, where it
could be inspected (IP redirection). The amount of time required to find the key depended on the number of inspected
Not long after this cryptanalysis was published, real attacks againts WEP were implemented and automated tools
for attacks released. The first publically available automated
tool, WEPCrack [11] was released on Aug 12, 2001. One
week later AirSnort [12], another tool with more usable implementations for both the collection of packets and computing the key was released. These automated tools enabled
the attackers to crack RC4 key in 2 minutes or less and they
could be employed in normal computer.

WEP implementation weaknesses

A field survey [9] on WEP security conducted in 2003, deduced two new weaknesses in WEP. First the WEP was optional in installation programs resulting in the fact that in
most cases WEP wasnt activated after the installation. Second the absence of key management protocol in WEP forced
users to rely on a single shared key. If this key was exposed,
the security of wireless network could be compromised.

Fragmentation Attack

In 2006, a new research paper on 802.11 and WEP protocols

[10] showed that the fragmentation feature of 802.11 protocol can be used against WEP.
After eavesdropping one data packet, the attacker recovers
eight bytes of keystream due to the fact that the initial portion
of 802.11 packets is virtually constant (LLC/SNAP Header).
Then the attacker generates a 64 bytes long plain text and
uses 802.11 fragmentation feature to divide it to 8 byte fragments. Because the attacker knows 8 bytes of the keystream,
he can encrypt the fragments, and send them to the address of
the snooped packet. These fragments go through an access
point, which reassembles them into a single packet, encrypts
the packet and forwards it to its destination. By eavesdropping on this, the attacker gets the encrypted version of his
own plain text, and can XOR the plain and cipher text to obtain the keystream. After this, snooped data packet can be
decrypted to discover the local network IP addresses.
Finally the attacker can use 802.11 fragmentation to replay
snooped packets and craft a new IP header for sending them
to the access point. The access point decrypts these packets and forwards them to an attacker on the Internet. This
is accomplished by putting the attackers IP address to this
new IP header. The attacker receives these packets in clear
text, because WEP only protects the wireless link. With this
technique the attacker can eventually manage a real-time decryption of WEP traffic.

lem of short IV by expanding the IV key space to 128 bits.
As a result, the repetition of IV was decreased, making the
attacks exploiting the weak keys, slow down considerably.
Yet, due to the fact that the reuse of IV was still permitted,
WEP could still be compromised.
The second extension, WEPPlus (or WEP+) [14], provided the methods for hardware to avoid weak IVs. This
made the attacks based on use of weak IVs practically impossible, but the fragmentation attack was still possible. The
other disadvantage of this security scheme was that it had to
be employed at both ends of the wireless connection, which
was difficult to enforce. As a result, the need for a completely new and better security scheme continued to grow.


Summary of WEPs flaws

A small piece of keystream can be obtained, because the

header of 802.11 packet is constant. This piece of keystream
can be used to build the whole keystream by either expanding
it byte by byte with a dictionary style, or by using the 802.11
fragmentation and the access point. The whole keystream
can also be discovered either by eavesdropping on 802.11
Shared Key Authentication mechanism or gathering masses
of packets and making a statistical analysis on them. The statistical analysis exploits the weak keys and related key vulnerability and relies on the fact that on a busy network there
is a 50 percent possibility IV repeating after 5000 packets
(Birthday Paradox Phenomenon).
Data integrity in WEP is not well protected, because the
CRC checksum only protects against random errors. Therefore the WEP encrypted packets can be altered and, for example, forwarded to the attacker. WEP is also optional in
installation programs and relies on a single shared key in
both authentication and encryption, which may cause security risks.

Wi-Fi Protected Access (WPA), the successor of WEP,
is a security protocol that implements majority of IEEE
802.11i[15] standard. WPA was created by the Wi-Fi Alliance [16] as an interim solution to replace WEP before
802.11i standard was ready. WPA vastly improves WEPs
encrypting process and adds a concrete user authentication mechanism. In WPA users can be either authenticated
through an IEEE 802.1X [17] Authenticate Server (often
a RADIUS server [18]) or through an access point with a
passphrase in Pre-shared key (PSK) mode. WPA also provides software upgrades to accomplish interoperability with
the older network cards and access points.


WPA in detail
Key security

WPA uses the RC4 stream cipher with the 128-bit keys and
48-bit IV in encryption. RC4 is still used, because its com2.3 Solutions
patible with the old hardware. In addition, WPA introduces a
WEP protocol was extended to counteract the uncovered new key security protocol, Temporal Key Integrity Protocol
flaws. The first extension, WEP2 [13], addressed the prob- (TKIP) [19], which dynamically changes the keys during the

TKK T-110.5290 Seminar on Network Security

session. As a result the repetition of the same traffic keys is
prevented. For this TKIP uses a packet sequencing discipline
and a two-phase per-packet key mixing function. Packet sequencing discipline means that every encryption key is associated with a sequence number. This effectively prevents
replay attacks. The per packet mixing function takes this sequence number along with the base WPA key and the transmitter MAC address as inputs, and outputs a new per packet
WPA key. This new WPA key is then used along with the IV
to generate the keystream (Fig. 3).

tication mechanism but rather an authentication framework,
which provides some common functions and a negotiation
of the desired authentication mechanism. The Authentication server works with the following principle:
1. Authentication Server accepts users credentials
2. Authentication Server uses 802.1X framework and EAP
to generate unique master key
3. 802.1X distributes the key to the AP and the client
4. TKIP sets up a key hierarchy and management system
using the master key. In other words unique data encryption keys to encrypt every data packet are generated
from the master key.
The second option, PSK mode, is called WPA-Personal.
WPA-Personal is designed for home and small office networks, which cannot afford the luxury of Authentication
Server. In this mode users are authenticated to the Access
Point (AP) with a passphrase, which is 8-63 ASCII characters or 64 hexadecimal digits long. If the ASCII characters
are chosen, a hash function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits. The passphrase can
be stored and automatically used on the users computer in
most operating systems. PSK mode employs also PBKDF2
key derivation function [21], which uses a repeated process
of cryptographic hash and salting to the passphrase. As a result stronger and more secure password is generated. However choosing a weak passphrase can still lead to a password
cracking attack. Password cracking attack can be defeated
by choosing at least 14, but preferably 22 random letters as
a passphrase [22].

Figure 3: TKIP process


Integrity protection

TKIP also enhances the integrity of the packets by adding

a Message Integration Check (MIC) field to protect against
forgeries. The value of MIC is computed with a cryptographic algorithm called Michael. Michael uses a 64-bit key,
and divides packets into 32-bit blocks. Michael then uses
shifts, exclusive ORs, and additions to process each 32-bit
block into two 32-bit registers, i.e a 64-bit authentication
tag. Michael also provides an additional feature, i.e. a special countermeasure mechanism, which detects any attempt
to break TKIP and as a result blocks the communication with
the attacker.


As mentioned earlier, there are two options for user authentication in WPA. The first option, Authentication Server, is
called WPA-Enterprise. WPA-Enterprise employs Extensible Authentication Protocol (EAP) [20] together with a mutual authentication so that the wireless user does not accidentally join a rogue network. EAP is not an actual authen-

WPA versus WEP

WPA and WEP both use RC4 stream cipher for encryption.
However, instead of the standard WEPs combination of 24bit IV and 40/104-bit key, WPA employs a 48-bit IV together
with a 128-bit key.
As discussed earlier, WEPs inadequate security resulted
from IV collisions and altered packets. In WPA, these problems have been eliminated with a combination of Temporal Key Integrity Protocol (TKIP), Message Integrity check
(MIC) and extended IV space. TKIPs key hierarchy exchanges WEPs single static key for roughly 500 trillion possible keys that can be used to encrypt a packet. Combined
with a 48-bit IV, TKIP effectively makes the attacks based
on recovering the key infeasible. MIC and its cryptographic
algorithm, "Michael", put a stop to the packet forgery that
was possible in WEP due to CRCs linearity.
The 802.1X/EAP framework and PSK-mode provides
WPA a concrete user authentication mechanism, which was
largely missing in WEP. As mentioned earlier, in WEP, the
user could be authenticated with the Shared-Key Authentication mechanism (Sec. 2.2), an optional feature that involves
the use of challenges. This scheme relies on the use of the
same pre-shared WEP key that was used in encryption, and
therefore was proven to be a security risk. In WPA the encryption and the authentication are separated. After authenticating to the 802.11x server/AP with credentials/passphrase,

TKK T-110.5290 Seminar on Network Security


the keys are distributed to the user automatically. A summary usability. In other words, when setting up a wireless netof the differences between WEP and WPA is demonstrated work, users still have to enter the keys manually, which is
in the following table (Table 1).
time consuming and can be too challenging for the beginners. Therefore the WPA/WPA2 security scheme still needs
to be developed.
Fixes WEP flaws
Key length
40/104 bit keys 128 bit keys
Key type
Static keys
Dynamic keys
Key distribution Manual
4 Future of WLAN security - User

friendly WLAN setup

Table 1: Comparison of WEP and WPA


As mentioned in previous section, the need for a more userfriendly solution is needed. Some solutions have already
been introduced.


WPA2 is based on IEEE 802.11i [15] standard. In addition to TKIP, MIC and Michael algorithm, it provides a new
AES-based [23] algorithm CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to replace the old RC4 stream cipher. Like TKIP, CCMP
uses a 48-bit IV as a sequence number to provide replay detection. But instead of per packet key derivation function
CCMP uses single AES key to protect confidentiality and
message integrity.
In WPA2, AES is defined in counter cipher-block chaining
mode (CCM) and supports the Independent Basic Service
Set (IBSS), which enables security between client workstations operating in ad hoc mode. WPA2 also offers interoperability between WPA and WPA2 client workstations, which
enables an orderly transition from WPA to WPA2 without
compromising the security. Other new features in WPA2 are
reduced overhead in key derivation during the authentication
exchange, opportunistic key caching, when roaming between
access points and pre-authentication with IEEE 802.1X Authentication Exchange before roaming. The relationship between WPA2, WPA and WEP is presented in table 2.

Encryption cip.
Key sizes
IV size
Per-packet key
Data integrity
Replay detection
Key mng.

40/104 bit
24 bit
Key + IV

128 bit
48 bit
TKIP mix.fc.
IV seq.

128 bit
48 bit
IV seq.

Table 2: Comparison of WEP,WPA and WPA2


Weaknesses of WPA/WPA2

Although WPA/WPA2 security schemes are strong, attacks

against them have already been implemented. These attacks
are based on users tendency to choose weak passwords that
are easy to guess. CoWPAtty [24] is a tool that goes through
all possible key combinations (brute force) starting with the
easiest choices. With this strategy an easy password may be
cracked. The root cause for this problem lies in the lack of

Broadcom has developed a new protocol, SecureEasySetup (SES) [25], to make it easier for consumers to set up
wireless LANs with WPA. SES includes firmware for routers
and access points, as well as a software utility for devices
such as PC Card adapters. SES consists of two phases: device discovery triggered by a pushing button, and unauthenticated key exchange. In SES users set up a WPA protected
wireless network by simply clicking a software button in the
setup utility and pushing a physical button on routers and access points. When pressing the buttons, both devices enter
the configuration mode, in which they locate each other using some protocol to agree on Pre-Shared Key (PSK). A suitable protocol for this is an unauthenticated key agreement
protocol, such as Diffie-Hellman key exchange. However
this solution has two weaknesses. First the attacker can wait
in the configuration mode and when the user presses the buttons, the attacker generates a quicker response. As a result
the attacker gains access to the wireless network. Second the
user must have a physical access to the access point, which
can be a problem in larger organisations or homes, where the
AP is in a place that is difficult to access.
Windows Connect Now-NET [26] is the Microsoft implementation of the Wi-Fi Simple Configuration Protocol,
which provides a user-friendly and simple way to set up secure wireless networks and add devices to the them. This
solution works for both in-band wireless devices and out-ofband devices that use another channel, e.g. USB stick, for
exchanging authentication information. The architecture of
WCN-NET consists of three objects: the enrollee, the registrar and the access point. The enrollee is a new device
that doesnt have the settings for the wireless network. The
registrar provides these settings to the enrollee and the access point provides normal wireless network hosting and also
proxies messages between the enrollee and the registrar. In
this solution the authentication between the enrollee and registrar is typically done with a PIN code. PIN code is either
dynamically created to users screen or is a fixed PIN printed
to it as a sticker. After the PIN and the network settings have
been collected from the user, the Registration Protocol is
run between the registrar and the enrollee. When completed
the registrar displays a message to show that the enrollee
was successfully configured for the network. Compared to
WPA/WPA2, this solution is more user-friendly, since the
users do not need to remember the long WPA key.

TKK T-110.5290 Seminar on Network Security


In this paper, we presented a general overview of the past,

the present and the future of the wireless networks security. A closer examination of various research papers on
the first security scheme, WEP, revealed some serious flaws.
These "academic attacks" soon became reality, when automated and publically available tools, such as AirSnort and
WEPCrack, were released. As a result, anyone with a modern computer and some understanding of computer technology, could implement the attacks. In response to the attacks,
WEP was refined (e.g. improved key and IV sizes) and later
extended (WEP2, WEPPlus), but nevertheless, eventually resulted in a failure. The failure resulted from the fact that
instead of fixing the found flaws, these improvements more
like pursued to make the attacks impractical by stalling them.
Of course, in the modern world, technology is evolving so
fast, that this kind of solution is insufficient. A new, better
solution, WPA, was developed to address and fix the known
flaws in WEP as well as improve its user authentication. This
attempt has so far proven to be successful and WPA has been
extended (WPA2) to provide even better security. However,
even a perfect security scheme is worthless if nobody knows
how to use it. In this case, setting up a WPA protected wireless network can often be too challenging for the users and
quite possibly they will ignore the security completely just
to get it to work. Therefore, the future of wireless network
security lies in the development of a simplified and userfriendly solution based on the WPA/WPA2 security scheme.

[1] IEEE Computer Society. Wired Equivalent Privacy,
[2] Wi-Fi Alliance. Wi-Fi Protected Access, 2003.\
[3] Wi-Fi Alliance. Wi-Fi Protected Access 2, 2004.

[7] Nikita Borisov, Ian Goldberg, David Wagner,
Intercepting Mobile Communications: The Insecurity
of 802.11 , 2001.
[8] Scott R. Fluhrer, Itsik Mantin, Adi Shamir, Weaknesses
in the Key Scheduling Algorithm of RC4 Selected Areas

in Cryptography 2001: pp1U24.

[9] Nancy Cam-Winget, Russell Housley, David Wagner,
Jesse Walker: Security flaws in 802.11 data link protocols. Communications of the ACM 46(5): 35-39 (2003)
[10] Andrea Bittau, Mark Handley, Joshua Lackey, The Final Nail in WEPs Coffin, IEEE Symposium on Security and Privacy (Oakland) 2006.
[11] Anton T. Rager. WEPCrack homepage, 2001.
[12] The Shmoo Group. AirSnort homepage, 2001.
[13] IEEE 802.11i Working Group, WEP2 Enhancements,
[14] ORiNOCO. WEPplus Whitepaper, 2001.
[15] IEEE Computer Society. IEEE Standard 802.11i: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications, Amendment 6: Medium
Access Control (MAC) Security Enhancements, 2004.
[16] Wi-Fi Alliance.
[17] IEEE Computer Society. 802.1X specification, 2004.
[18] The Internet Engineering Task Force. Remote Authentication Dial In User Service, 2000.

[4] L. M. S. C. of the IEEE Computer Society. Wireless
LAN medium access control (MAC) and physical layer
(PHY) specifications. IEEE Standard 802.11, 1999 Edition, 1999.

Jon Edney and Arbaugh. Real 802.11 Security: Wi-Fi

Protected Access and 802.11i, Addison Wesley, 2003.
(Updated in 2004), ISBN 0-321-13620-9.
The Internet Engineering Task Force. Extensible Authentication Protocol, 2004.

[5] America Online and the National Cyber Security

Alliance, AOL/NCSA Online Safety Study conducted in
December 2005.
[21] The Internet Engineering Task Force. Password-Based
Cryptography Specification Version 2.0, 2000.
[6] William A. Arbaugh An Inductive Chosen Plaintext [22] Robert Moskowitz.
Attack against WEP/WEP2, 2001.
Weakness in Passphrase Choice in WPA Interface,

TKK T-110.5290 Seminar on Network Security

[23] NIST Computer Security Division. Advanced Encryption Standard, 2001.
[24] Seth Fogie. Cracking Wi-Fi Protected Access (WPA),
Part 2, 2005.
[25] Broadcom. "Secure Easy Setup", January 2005.
[26] Microsoft. Windows Connect Now -NET, 2006.