
WiFi Encryption and Security

International Media Computing


University of Applied Science (HTW) - Berlin

André Silaghi
andre.silaghi@student.htw-berlin.de

February 22, 2010

Abstract

This paper concentrates on the current WiFi technology specified by IEEE 802.11. It discusses the
security elements together with cryptographic matters such as WEP, WPA and WPA2, and how they work. It
tries to identify useful cryptographic structures and explain why things are good or bad. It also tries to
show how WiFi encryption works and where the security issues are. WEP in particular has been attacked
successfully many times. WPA2 is still not broken and uses AES for the encryption, which is also not broken yet.
There might be some surprises in the near future using new techniques of cryptanalysis, but this field of
research is too large to be discussed in this paper.


Contents
1 Introduction to WiFi
2 WiFi Principles
3 WiFi Security
  3.1 Basic Methods
  3.2 Encryption
    3.2.1 Wired Equivalent Privacy (WEP)
    3.2.2 WiFi Protected Access (WPA)
    3.2.3 WiFi Protected Access 2 (WPA2) - 802.11i
4 Conclusion
References


List of Figures
1 WiFi Environment Example (Managed Mode)
2 Attacker/Listener in range of clients and access point
3 WEP data flow diagram
4 WPA integrity data flow
5 WPA encryption data flow
6 WPA2 encryption data flow


1 Introduction to WiFi
Within the last decades computer technology has evolved into a very important technology. Every aspect
of our life is being impacted by computers and computer networks. The best known network is the internet:
a huge connection of various networks, all connected together and spread over the entire world. But this wasn't
enough. There were problems which could be solved by bringing more mobility into computer networks.
This led to the first WiFi standard in our houses: IEEE 802.11a [1]. This standard allowed us
to place computers nearly everywhere in our houses and have access to other computers and/or the internet.
Power sockets are available throughout a house anyway; Ethernet sockets are not. A big problem here is
still the slow data rate. With only 11 MBit/s, theoretically, we could not share huge amounts of data in a short
period of time (compared to FastEthernet: 100 MBit/s theoretically or 8-9 MB/s practically). But actually 11
MBit/s was enough for any private use of WiFi. It is not as secure as FastEthernet, but using a laptop
you can surf easily everywhere within the range of your access point. There are technologies to extend the range,
but this subject has to be discussed in another paper (footnote 1).

2 WiFi Principles
This paper concentrates more on security than on other WiFi-related topics, but some basic principles should
be known before going on to security and cryptography. As you can see in Figure 1, the WiFi network can be
created using an access point and a variable number of clients. This mode is called the managed mode. There
are more modes, such as monitor, ad-hoc, etc. Monitor is very interesting for client-only networking. This
mode is totally passive, which means that a WiFi device only listens to what happens and captures packets.
It is the best mode to check whether your WiFi configuration is secure or not, and it can equally be used for
attacks on foreign WiFi networks. This is not legal, so please don't use this paper as a tutorial for breaking
other people's WiFi network.

Figure 1: WiFi Environment Example (Managed Mode) [diagram: Client 1, Client 2, Client 3 and Client 4 around an Access Point]

As with every other protocol or network standard, WiFi is also described within the OSI/ISO model. The only
layers which are different from the usual FastEthernet are the physical and link layer, which are layers
1 and 2, as you can see in [3].

OSI/ISO Layers
...                   ...
Network Layer (3)     ...
Link Layer (2)        LLC/MAC
Physical Layer (1)    DSSS/FHSS/Infrared

There are many more aspects, such as collision avoidance, but we do not cover them here because it would
lengthen this paper too much.

Footnote 1: For more information here, see WDS


3 WiFi Security
With WiFi, security within a private network became very important. Before, it was no problem to
send confidential data within a small network at home or in the office, because the computers were connected
by wire. WiFi instead spreads the information around in a way that everyone in range of the WiFi card and the
access point can read it.

Figure 2: Attacker/Listener in range of clients and access point [diagram: Client 1, Client 2, Client 3, Client 4 and Listener 1 around an Access Point]

This means that a possible intruder or listener has, in most cases, access to both clients and access points
because of their range, as shown in Figure 2. The solution to this problem is to encrypt the data before it is
sent to the access point and back, and to keep all clients out of the network which should not get access. For
those purposes there are some solutions that will be discussed in the following chapters.

3.1 Basic Methods


Every WiFi adapter has a specific MAC address which is not hidden. This means that if the attacker turns
on the WiFi adapter of a laptop and just searches around for WiFi networks, other WiFi adapters can find
him or her using the right software, like kismet under Unix-based systems. The attacker here would use the
so-called managed mode. He tries to find beacon signals from any access points and responds to them by just
saying who he is. And here we can find a simple solution to keep other clients out of the network. The
access point has a table which contains all allowed MAC addresses. This works in most cases because not
every attacker is able to spoof his or her MAC with an approved address. So for every MAC address that is
not known to the access point as safe, all data packets are dropped. This provides good protection against
packet injection until the address is spoofed with an accepted address. To close this chapter, let us summarize.
A MAC address filter helps with keeping the middle-skilled attacker out of your WiFi, but it will be
deceived by any serious attacker who can spoof their MAC address with another that is known to the access
point as approved.
And finally there is BSSID (footnote 2) hiding. You can try to hide your BSSID in a way that the attacker just sees
"no name" instead of your actual name. It might be good because most people are using the standard name (footnote 3),
and this is the name of the device. Just change the name into something meaningless, because most vulnerabilities
of a device are known, and if you know the correct name you know how to attack. Hiding the BSSID is not the
best security solution because it can be sniffed easily.

3.2 Encryption
3.2.1 Wired Equivalent Privacy (WEP)

WEP utilizes the shared key method. Everyone who wants to participate in the WiFi network has to know the
key. Actually there could be up to four WEP keys. To ensure that the clients and the access point choose the
correct one, 2 bits are reserved for the number of the correct key. Those bits are located in the unencrypted
initialization vector (footnote 4). And here begins the "unsecureness" of WEP.

Footnote 2: BSSID: The name of a WiFi network
Footnote 3: Stats: https://wardriving-forum.de/forum/extern_parser_statistiken.php

Figure 3: WEP data flow diagram [diagram: 24 Bit IV + 40 Bit Key go into RC4; Data goes through CRC to give Data + 32 Bit ICV; both are XORed to give Encrypted Data + 32 Bit ICV]

In Figure 3 you can see how the WEP algorithm works. First the randomly generated 24 bit IV, combined
with the 40 bit WEP key, goes into the "RC4 box" to generate a keystream. A CRC checksum is created out
of the data and stored in a 32 bit ICV (integrity check value). The data together with its ICV is then XORed
with the keystream. The data can now be transmitted. When a receiver catches the data packet,
the IV is extracted in order to create the same keystream with the RC4 algorithm. This keystream is
XORed with the encrypted data and the 32 bit ICV. Finally a CRC checksum is created from the data
and compared with the 32 bit ICV. If these are the same, the packet is accepted.
To put it in a nutshell: WEP is not safe. It can be broken in about one minute [5] using statistical analysis
[6]. One of the best-known attacks is the ChopChop [7] attack, which is used in popular security software like
aircrack-ng.
This was just a short excursion into known attacks on WEP. I want to discuss where WEP makes mistakes
such that it can be broken very easily, according to [4]. The first problem of WEP is the usage of CRC or CRC32.
This algorithm is used for data copying (footnote 5) to check whether errors have occurred during the process.
CRC was not designed to be a cryptographic module and therefore it is a linear algorithm. This means that if
you change one bit within the input, the output will also have changed one bit, maybe at the same location. A
very good choice here is SHA-128 or SHA-256, where a bit change leads to a completely new hash value.
The next problem is the authentication. WEP uses a type of authentication called a challenge. It is very
simple, because everyone who knows the correct WEP key can be authenticated and is accepted as a valid
member of the network. The possible attack at this point is a very dramatic one. The challenge request is
plaintext, the challenge response is ciphertext and the IV is also plaintext. This means that an attacker can
easily authenticate himself without knowing the WEP key, but with the knowledge of a correct and working
challenge. Finally the information can be used to recreate the RC4 keystream. You might say: "Why isn't the
access point telling the client which IV he or she should use?" Well, this is the problem: if it were like this,
it would be a lot harder to get into the network, but the so-called Shared Key authentication lets the client
choose the IV.
There are a lot more things that were not designed very well, like a short IV with only 24 bit. It is also a
problem that changing the IV is very simple. After 2^24 bits you'll get the same IV again. The last point is the
weak RC4 key (footnote 6), which should be at least 128 bit.

Footnote 4: Initialization Vector: IV
Footnote 5: e.g. external harddrive to internal harddrive
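The WEP data flow and the CRC problem described in this section, as an added example that is not part of the original paper: the CRC-based ICV still verifies after a frame is altered without the key, while a keyed MAC in the same field does not. The key, IV, payload and the HMAC-SHA-256 contrast case are constructed assumptions.

```python
import hashlib
import hmac
import struct
import zlib


def rc4(key, n):
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(data):
    """WEP's ICV: CRC32 over the data, 4 bytes little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def keyed_icv(data):
    """Contrast case (assumption): HMAC-SHA-256 cut to the 4-byte ICV field."""
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:4]


def wep_encrypt(iv, key, data, check=crc_icv):
    body = data + check(data)
    return iv + xor(body, rc4(iv + key, len(body)))   # IV is sent in clear


def wep_decrypt(key, frame, check=crc_icv):
    """Return (data, icv_ok) the way the receiver above computes them."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    return plain[:-4], plain[-4:] == check(plain[:-4])


def alter_in_transit(frame, delta):
    """Flip the data bits set in delta and patch the ICV without any key.
    CRC32 is affine: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros)."""
    patch = xor(crc_icv(delta), crc_icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + patch)


# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")               # 40-bit WEP key
MAC_KEY = b"constructed-mac-key"
IV = bytes.fromhex("a1b2c3")                    # 24-bit IV
DATA = b"transfer 100 USD"
ALTERED = b"transfer 900 USD"
DELTA = xor(DATA, ALTERED)

if __name__ == "__main__":
    frame = wep_encrypt(IV, KEY, DATA)
    print(wep_decrypt(KEY, alter_in_transit(frame, DELTA)))   # ICV still ok
    hardened = wep_encrypt(IV, KEY, DATA, keyed_icv)
    print(wep_decrypt(KEY, alter_in_transit(hardened, DELTA), keyed_icv))
```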

3.2.2 WiFi Protected Access (WPA)

WPA was designed to replace WEP because of its weaknesses. It is also designed in a way that no one had
to change their hardware, because a simple software or firmware upgrade would do the job. This leads to the
conclusion that WPA is based on WEP. WPA uses a so-called master key for its cryptographic and security
purposes. To be clear, the whole process described here works within the WPA-PSK mode (footnote 7).

Data integrity. The master key generates two kinds of keys, the 64 bit MIC key (mK) and the 128 bit
encryption key (eK). The algorithm [9] that produces the MIC is called Michael. Michael creates a MIC out of
the 64 bit key, destination address and source address. The plaintext is concatenated with the output of the
Michael algorithm, the MIC. After this process the entire data unit (plaintext and MIC, called MAC Service Data
Unit (MSDU)) is fragmented into MPDUs (MAC Protocol Data Units):

$$\mathrm{MSDU} \Rightarrow \mathrm{Michael}(mK, \mathrm{MSDU})$$

$$\mathrm{MPDU} \Rightarrow \mathrm{CRC32}(\mathrm{MPDU})$$

⇒ means concatenate. MAC means message authentication code and is used to keep the data's integrity [10].
Or in other words: "Eve won't be able to manipulate the data." Now every fragment goes into the old WEP
structure, where every fragment gets a CRC32 checksum. The original message (footnote 8) is concatenated to
the new checksum. This results in a data input for the RC4 algorithm, but the encryption input is still missing.

Figure 4: WPA integrity data flow [diagram: plaintext, 64 bit key, source address and destination address go into MICHAEL; MIC and plaintext form the fragmented message, which goes to CRC32]

Encryption. The encryption works in parallel to the data integrity algorithm until both merge into one
thread. This is where TKIP (footnote 9) comes in. Here we start using the 128 bit key derived from the master
key for the encryption [8]. Together with the source address and the result of the Packet Sequence Counter
(footnote 10), the algorithm enters the so-called Per Packet Key Mixing. The mixing algorithm works in two
different phases and has been placed there to remove the weaknesses between the initialization vector and a
weak key. The FMS [11] attack won't work at this point.
After the key mixing is completed, the output is the Per-Packet-Key together with the initialization vector.
Both are additional input for the RC4 algorithm, and this is where the key comes together with the MPDU and
its CRC32 checksum. RC4 [12] produces a key stream which is applied to the MPDU and its CRC32 checksum, so
both are encrypted. The packet contains more than just this, because the header's content is the IV, which is
not encrypted. I also created a diagram for the encryption. Green fields are encrypted.

Footnote 6: RC4 Key: 40 bit
Footnote 7: WPA-PSK: pre-shared key or master key
Footnote 8: still plaintext and MIC
Footnote 9: TKIP: Temporal Integrity Protocol
Footnote 10: Packet Sequence Counter: 48 bit initialization vector

Figure 5: WPA encryption data flow [diagram: source address, temporal 128 bit key and sequence counter go into key mixing phase 1 and 2; IV, RC4 and CRC32; the packet consists of IV, fragmented plaintext and CRC32 checksum]

3.2.3 WiFi Protected Access 2 (WPA2) - 802.11i

WPA2 is the official name for the newest security standard for WiFi networks. It is called RSN (Robust Security
Network). Instead of using RC4 and MICHAEL, the WiFi Alliance (footnote 11) decided to use the AES standard
(Advanced Encryption Standard) for encryption, which works in Counter Mode (CTR). For more information
about AES see [14]. AES is very strong and as of today there are no known working attacks. There might be
an attack soon, called the XSL attack (footnote 12). A very interesting document about XSL can be found here [15].
XSL is still a method that is not common to many cryptographers, because no one has really tried to break codes
using multivariate polynomial equations.
CTR uses nonces to prevent replay attacks, as you can read here [13]. It is also used in banks. Imagine
that you have an account and you send a ciphertext which is interpreted by the server as a transfer of 100
dollars to another account. A replay attack would be to catch this ciphertext and resend it. The server would
think that you want to transfer 100 dollars again. If you use CTR (including nonces), the server sees that this
nonce was already used and the data packet will be dropped. CTR works very simply: it concatenates the nonce
with a counter value and encrypts this. The result is a block of the key stream. CTR also does not require
padding, because there will not be blocks that are too small. It also allows you to parallelize the computations,
which could improve the encryption speed dramatically. One of the greatest advantages is that you will not need
a decryption implementation. You can use the encryption algorithm for decryption as well, just like DES. The
standard formulation for CTR is as follows [13]:

$$K_i := E(K, \mathrm{Nonce} \,\|\, i) \quad \text{for } i = 1, \ldots, k$$

$$C_i := P_i \oplus K_i$$

To get better data integrity, the Cipher Block Chaining Message Authentication (CBC-MAC) is used.
CBC also produces a lot of confusion because it takes the previous ciphertext block and XORs this with each
plaintext block. ECB does not have this and hence it is very weak. The standard formulation for CBC is as
follows [13]:

$$C_i = E(K, P_i \oplus C_{i-1}) \quad \text{for } i = 1, \ldots, k$$

Together the protocols are combined to a new protocol called CCMP.

Footnote 11: http://www.wi-fi.org/
Footnote 12: http://en.wikipedia.org/wiki/XSL_attack
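The CTR and CBC-MAC formulas above, combined with the nonce-based replay check this section describes, as an added example that is not from the original paper or the 802.11i standard. The block function E is an HMAC-SHA-256 stand-in for AES so that it runs on the standard library; the flag byte, the 8-byte nonce, the first MAC block and the Receiver class are simplifying assumptions.

```python
import hashlib
import hmac

BLOCK = 16


def E(key, block):
    """Stand-in for E(K, .): HMAC-SHA-256 cut to one 16-byte block.
    Assumption so this runs on the standard library; CCMP uses AES here.
    CTR and CBC-MAC only ever call the cipher in this one direction."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ctr(key, nonce, data):
    """K_i := E(K, Nonce || i), C_i := P_i xor K_i; the same call decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), BLOCK), start=1):
        k_i = E(key, b"\x01" + nonce + i.to_bytes(7, "big"))
        out += xor(data[off:off + BLOCK], k_i)    # short last block, no padding
    return bytes(out)


def cbc_mac(key, nonce, data):
    """C_i = E(K, P_i xor C_{i-1}); the final C_i, cut to 64 bits, is the MIC."""
    # C_0 binds nonce and length; flag 0x00 keeps it apart from CTR blocks.
    c = E(key, b"\x00" + nonce + len(data).to_bytes(7, "big"))
    data += bytes(-len(data) % BLOCK)             # zero padding for the MAC only
    for off in range(0, len(data), BLOCK):
        c = E(key, xor(data[off:off + BLOCK], c))
    return c[:8]


def seal(key, nonce, plaintext):
    # Packet = clear nonce, then CTR over plaintext || MIC.
    return nonce + ctr(key, nonce, plaintext + cbc_mac(key, nonce, plaintext))


class Receiver:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def open(self, packet):
        """Return the plaintext, or None when the packet must be dropped."""
        nonce, body = packet[:8], packet[8:]
        if nonce in self.seen:
            return None                           # nonce already used: replay
        plain = ctr(self.key, nonce, body)
        data, mic = plain[:-8], plain[-8:]
        if not hmac.compare_digest(mic, cbc_mac(self.key, nonce, data)):
            return None                           # altered in transit
        self.seen.add(nonce)
        return data


if __name__ == "__main__":
    key = bytes(range(16))                        # constructed 128-bit key
    rx = Receiver(key)
    pkt = seal(key, (1).to_bytes(8, "big"), b"transfer 100 dollars")
    print(rx.open(pkt))                           # first delivery: accepted
    print(rx.open(pkt))                           # same nonce again: dropped
```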


WPA2 uses a 128 bit key for all purposes (integrity, encryption). Things it has in common with the old WPA
standard include the sequence counter to avoid replay attacks. A MIC is also still used to filter invalid packets.
New modifications are, for example, a faster reauthentication to make roaming faster. Another very useful thing is
that the Ad-Hoc mode (footnote 13) is now also protected, which it was not in WPA or WEP.

To follow the description below, have a look at Figure 6. WPA2, or 802.11i, works as follows.
The input for the algorithm consists of the MAC address, the fragmented plaintext and
the 128 bit key. The first computation is the creation of the MIC using the MAC address, the plaintext and
the key. The next step is the concatenation of the fragmented plaintext with the newly generated MIC. Finally
the plaintext and the MIC are both encrypted together with the 128 bit key using AES. The data packet after
the encryption consists of the unencrypted MAC address, a CCMP header and the encrypted message with its
MIC. The CCMP header [16] consists of 48 bits, including a so-called ExtIV (extended initialization vector),
which in this case is set to 1 because CCMP is used, and finally the key ID field.

Figure 6: WPA2 encryption data flow [diagram: plaintext (fragmented) and MAC header give the MIC (CBC-MAC); plaintext (fragmented), MIC and 128 bit key go into AES; the packet consists of MAC header, CCMP header, plaintext (fragmented) and MIC]

4 Conclusion
Although the current WiFi technology has evolved to be very secure, it is always suggested to use a wired network.
The problem with WiFi is still that an access point spreads the data out spherically to every point around itself.
Within a wired network only the recipient receives the data that is created for it, except in the case of ARP
attacks. A WiFi network should be used where unimportant data is sent, because it has a much higher potential
to be attacked than a wired network.

Footnote 13: Client-to-Client mode in WiFi network technology
For professional


References
[1] IEEE Website on WiFi: http://www.ieee802.org/11/ - November, 9th 2009

[2] WiFi Statistics from Wardriving-Forum.de https://wardriving-forum.de/forum/extern_parser_karte.php - November, 9th 2009

[3] Slides of Prof. Dr. Messer, Lecture: Networks, IMI Semester 2 Bachelor HTW-Berlin (Wireless LAN):
http://wi.f4.htw-berlin.de/users/messer/LV/Netze-WS09/index.html - November, 9th 2009

[4] Netzwerkauthentifizierung im WLAN - Studienarbeit von Thomas Otto, TU Braunschweig
http://www.ibr.cs.tu-bs.de/theses/schmidt/otto_eap.html - November, 9th 2009

[5] Break WEP in one minute with PTW attack by Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann
- http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/ - November, 14th 2009

[6] Break WEP faster with statistical analysis by Rafik Chaabouni
http://lasecwww.epfl.ch/pub/lasec/doc/cha06.pdf - November, 14th 2009

[7] ChopChop Attack on WEP explained by aircrack-ng.org
http://www.informit.com/guides/printerfriendly.asp?g=security&seqNum=196 - November, 14th 2009

[8] Diplomarbeit - Untersuchung und Bewertung von Netzzugangssteuerungen auf Basis des Standards 802.1x
(Port-Based Network Access Control) by Lars Richter http://archiv.tu-chemnitz.de/pub/2005/0021/data/diplom.pdf

[9] A practical message falsification attack on WPA by Toshihiro Ohigashi and Masakatu Morii (Hiroshima
University and Kobe University)

[10] Practical Cryptography, Bruce Schneier, Wiley Publishing Inc. 2006, Chapter 7, Page 97 etc

[11] Fluhrer, Mantin and Shamir attack
http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack - November, 14th 2009

[12] Weaknesses in the Key Scheduling Algorithm of RC4 by Scott Fluhrer, Itsik Mantin and Adi Shamir -
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

[13] Practical Cryptography, Bruce Schneier, Wiley Publishing Inc. 2006, Chapter 5, Page 75 etc (CTR)

[14] Official AES specifications by the NIST -
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf - November, 16th 2009

[15] Nicolas Courtois, Josef Pieprzyk (2002). "Cryptanalysis of Block Ciphers with Overdefined Systems of
Equations". http://eprint.iacr.org/2002/044

[16] Wireless LAN Medium Access Control (MAC) and Physical Layer specifications:
http://standards.ieee.org/getieee802/download/802.11i-2004.pdf - November, 16th 2009
