By Billy Ripple

• Security requirements
  • Authentication
  • Integrity
  • Privacy
• Security concerns
• Security techniques
  • WEP
  • WPA/WPA2
• Conclusion



• Security between two network entities should provide the following:
  • Authentication
    ▪ Process of determining whether somebody or something is who or what it is declared to be
  • Integrity
    ▪ Maintaining accuracy and consistency of data
  • Privacy
    ▪ Prevents security threats, primarily eavesdropping attempts

• Denial of service
• Man-in-the-middle attacks
• Rogue access points
• Other threats include:
  • Ad hoc networks
  • MAC spoofing
  • Network injection

Denial of service
• An attempt to make a machine or network unavailable
• Many different methods of attack:
  • Internet Control Message Protocol flood
  • SYN flood
  • Teardrop attacks
  • Peer-to-peer attacks

• Smurf attack
  • Relies on misconfigured network devices that allow packets to be sent to all computer hosts
  • The attackers send large numbers of IP packets with the source address faked to appear to be the address of the victim
  • The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination

• Ping flood
  • Based on sending the victim an overwhelming number of ping packets by using the "ping" command from Unix-like hosts
  • This allows access to greater bandwidth than the victim
• Ping of death
  • Sending the victim a malformed ping packet, which ultimately leads to a system crash

SYN flood
• Occurs when a host sends a flood of TCP/SYN packets
• Each packet is handled like a connection request
• The server creates a half-open connection by sending back an ACK packet and waiting for a response to the ACK packet
• These half-open connections keep the server from responding to legitimate requests until after the attack is over

Teardrop attack
• Attacker sends mangled IP fragments with over-sized payloads to the victim's machine
• This crashes operating systems due to a bug in their TCP/IP fragmentation
• Newer operating systems aren't affected by this type of attack
  • Except Windows Vista

Man-in-the-middle attack
• The attacker intercepts messages in a public key exchange and retransmits them, substituting his own public key for the requested one
• The original parties believe they are communicating only with each other
• The attacker has access to both users' messages

• Attacker spoofs a disassociate message from the victim
• The victim starts to look for a new access point
• The attacker advertises his access point using the real access point's MAC address
• The attacker connects to the real access point using the victim's MAC address

Rogue access point
• A wireless access point that has been installed on a secure company network without authorization from a network administrator
• Often created to allow a hacker to conduct a man-in-the-middle attack
• There are many different types of software that allow businesses to detect a rogue access point
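The kind of check rogue-AP detection software performs, shown as an added example that is not part of the original slides: wireless scan results are compared with an inventory of sanctioned access points. The inventory, the scan tuple layout, the fixed channel plan and all addresses are constructed assumptions.

```python
# Assumed inventory of sanctioned access points: BSSID -> (SSID, channel, security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2-Enterprise"),
}

# Constructed scan results: (BSSID, SSID, channel, security, signal in dBm).
SCAN = [
    ("00:11:22:33:44:01", "CorpNet", 1, "WPA2-Enterprise", -48),
    ("00:11:22:33:44:02", "CorpNet", 6, "WPA2-Enterprise", -61),
    ("00:11:22:33:44:02", "CorpNet", 11, "WPA2-Enterprise", -35),  # known MAC, wrong channel
    ("de:ad:be:ef:00:10", "CorpNet", 3, "Open", -40),              # unknown radio, our SSID
    ("aa:bb:cc:00:00:07", "CoffeeShop", 9, "WPA2-Personal", -80),  # neighbour, ignored
]


def find_rogue_aps(scan, authorized):
    """Return sorted (bssid, reason) findings for radios that conflict with the inventory."""
    corp_ssids = {ssid for ssid, _, _ in authorized.values()}
    findings = set()
    for bssid, ssid, channel, security, _signal in scan:
        known = authorized.get(bssid.lower())
        if known is None:
            # A radio we never deployed is advertising one of our network names.
            if ssid in corp_ssids:
                findings.add((bssid, "unauthorized BSSID advertising corporate SSID"))
            continue
        exp_ssid, exp_channel, exp_security = known
        if ssid != exp_ssid:
            findings.add((bssid, "authorized BSSID with unexpected SSID"))
        if channel != exp_channel:
            # The real AP's MAC address seen where the real AP does not operate.
            findings.add((bssid, "authorized BSSID on unexpected channel (possible MAC spoofing)"))
        if security != exp_security:
            findings.add((bssid, "authorized BSSID with changed security settings"))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(SCAN, AUTHORIZED):
        print(bssid, reason)
```

An unauthorized access point that uses its own network name is not visible to this comparison and has to be found from the wired side, for example by reviewing switch MAC address tables.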

• WEP – Wired Equivalent Privacy
• WPA – Wi-Fi Protected Access
• WPA2/802.11i

WEP
• The original encryption protocol developed for IEEE wireless LANs
• Designed to provide the same level of security as wired networks
• No longer recommended
• Uses a network security key to encrypt information that one computer sends to another across your network

• When WEP is active, each packet is encrypted separately
• These packets are encrypted with an RC4 cipher stream generated by a 64-bit RC4 key
• This key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key
• The encrypted packet is generated with a bitwise XOR of the original packet and the RC4 stream
• The IV is chosen by the sender and can be changed periodically

RC4
• Most widely used software stream cipher
• Very simple, relatively weak

• Key management and key size
  • Keys are long-lived and of poor quality
• The initialization vector is too small
  • WEP's IV size of 24 bits allows for 16,777,216 different RC4 cipher streams for a given WEP key
  • If the RC4 cipher stream for a given IV is found, an attacker can decrypt packets
• Message integrity checking is ineffective
  • WEP has a message integrity check, but hackers can change messages and recompute a new value to match

• Uses AirPcap and Cain and Abel software
• Software must capture at least one Address Resolution Protocol request from a system on the target access point
• You can force this by sending something to the connected client
• You must make sure you have over 250,000 IVs before attempting to crack the WEP key

WPA
• Security technology that improves on the authentication and encryption of WEP
• Developed to replace WEP in 2003
• Provides stronger encryption than WEP by using two standard technologies
  • TKIP – Temporal Key Integrity Protocol
  • AES – Advanced Encryption Standard
• Includes built-in authentication support that WEP doesn't offer

TKIP
• Wraps additional code around WEP
• TKIP implements a key mixing function that combines the secret root key with the IV before passing it to the RC4 routine
• WPA then implements a sequence counter to protect against replay attacks
  • Packets received out of order will be rejected by the access point
• TKIP then implements a 64-bit message integrity check

AES
• Very complex
• Requires more computing power
• Better than the TKIP option
• Based on a design principle known as a substitution-permutation network
• AES operates on a 4×4 matrix of bytes
• The key size used for AES specifies the number of repetitions of rounds that convert the input into output
  • 10 cycles of repetition for 128-bit keys
  • 12 cycles of repetition for 192-bit keys
  • 14 cycles of repetition for 256-bit keys

Possible combinations:
• 128-bit: 3.4 × 10^38
• 192-bit: 6.2 × 10^57
• 256-bit: 1.1 × 10^77
It would take 1 billion years to crack the 128-bit AES key using a brute force method

• The primary weakness with WPA is that it is password protected
  • Easy password makes this easier to hack
• TKIP isn't much more secure than WEP due to the simplicity of the RC4 algorithm
• WPA AES isn't supported on older equipment
  • WPA used to only be able to use TKIP

WPA2
• Replaced WPA on all Wi-Fi hardware since 2006
• Provides government grade security by combining the AES encryption algorithm and 802.1x-based authentication
• Based on the IEEE 802.11i technology standard for data encryption
• Has several different forms of security keys
• Two versions
  • Enterprise – Server authentication 802.1x
  • Personal – AES pre-shared key
• Backward compatible with WPA

• Personal
  • Uses pre-shared key to optimize its effectiveness without an authentication server
    ▪ Used in small office and home environments
• Enterprise
  • Caters to big businesses
  • Uses open system authentication in its first phase and the Extensible Authentication Protocol method and 802.1x protocol in its second phase

• IEEE 802.1x
  • Standard defined by IEEE for port-based network access control
  • Protocol to make sure only legitimate clients can use a network secured by WPA2
  • Separates the user authentication from the message integrity and privacy
    • Allows for more flexibility
• WPA2 Personal doesn't require an authentication server
• WPA2 Enterprise consists of the following:
  • Client
  • Access point
  • Authentication server

• WPA2 has immunity against:
  • Man-in-the-middle attacks
  • Weak keys
  • Packet forging
  • Brute-force attacks
• Allows the client to reconnect to APs he has recently connected to without needing re-authentication

• Can't withstand a physical layer attack such as:
  • Data flooding
  • Access point failure
• Vulnerable to a DoS attack
• Vulnerable to MAC address spoofing

• To have a secure connection between two connection entities you must have authentication, integrity, and privacy
• There are many security threats in a WLAN
• WEP, WPA, and WPA2 are wireless network security methods
• WEP should be avoided
• WPA2 is the best security method
• Questions?
