Re-evaluating the WPA2 Security Protocol Network Security (WPA—PSK): Just How Safe is Your Information over Wi-Fi? Re-evaluating the WPA2 Security Protocol Statement of Problem Materials and Methods Results Discussion A server, client, and attacking machine were used to perform this experiment. Software such as PineAP, Wireshark, Airbase, Aircrack-ng. Pyrit, and the Command Line were also used to launch the attack. Several dictionaries containing passphrases were utilized to crack the network passphrase. Procedure for attack: Snooping: 1) Run Wireshark to collect network packets. MAC Spoofing: 1) Change MAC address on attacking machine 2) Collect network packets with Wireshark. De-Authentication: 1) Create Data file to capture handshake 2) De-Authenticate client, handshake captured. 3)Import dictionary file into system. 4) Utilize Pyrit to crack passphrase from 4-way handshake Rogue Access Point (offline attack): 1) Create rogue access point 2) Create file to capture handshake 3) Repeat Steps 3 &4 of De-Authentication How resistant is the Wi-Fi Protected Access 2, Preshared Key (WPA2-PSK) security mechanism against common network attacks? De-Authentication attacks yielded a 100% success rate in obtaining the network passphrase. Rogue Access point yielded a 80% success rate in obtaining the network passphrase. MAC Spoofing did not yield any information Snooping yielded client information 100% of the time that was not previously known. Although WPA2-PSK has been considered the most secure mechanism available for protecting information on networks for nearly a decade, my data shows that this is no longer the case. At the conclusion of this study, it can be reasonably determined that WPA2-PSK is no longer safe for protecting sensitive information on a network. Through a series of experimental attacks, both the passphrase and client information that can lead to another more direct attack was obtained in a majority of the trails. Simply put, a security mechanism cannot be considered secure if certain attacks are able to bypass it on a majority of trials. The rogue access point has not been widely studied for penetration of the WPA2 network. However, my experiment resulted in an 80% success rate which suggests that the rogue access point attack is also effective in defeating the WPA2 security protocol. Introduction WPA2-PSK is currently the most advanced network security protocol available to encrypt and prevent unauthorized access to information on a small to moderate network. WPA2-PSK utilizes a hierarchy of encryption keys derived from a network passphrase and a series of authentication steps to secure information. It’s encryption is based off of the Advanced Encryption Standard (AES) which is extremely strong. However, certain minute flaws in the authentication sequence may allow the network to be compromised. In this experiment, a series of attacks will target the flaws within the WPA2-PSK’s authentication sequence. The amount of supposedly encrypted information gained will be subsequently recorded. My hypothesis is that WPA2-PSK will be effective against traffic snooping, MAC Spoofing, and Evil Twin Access Points, but may be ineffective against a client de-authentication attack. The independent variable is the type of the network attack, where the dependent variable is the amount of information gained. Figure 4: Average Time for Each Attack Figure 5: Success Rate of Obtaining Network Passphrase Future Implications It has been widely accepted in the IT Community that once a network passphrase is gained, several other additional pieces of information can be also be exploited. The network passphrase can be imported into a network traffic analyzer to decrypt encrypted client to station information exchange. It would be of interest to see what information can be obtained using this method. Due to the nature of the attack, no real solutions are obvious. The best way to prevent such an attack is to create a secure passphrase, and enable MAC filtering as these will make the network a less viable target. However, I believe that in the long term, a network manager can be created to detect De-authentication frames and alter network settings to prevent information from being exploited. The handshake can also be altered so that crucial information is not released to the attack. I plan to study these mechanisms and test the effectiveness of my proposed solutions in the future. Figure 2: Snooping Attack Results: Client Information shown Figure 1: Key Hierarchy for WPA2-PSK Encryption (Unicast Traffic) EAPOLMIC is used to preserve integrity during initial handshake. EAPOL is used to prevent unauthorized modification of user data Data Encryption/MIC is used for encrypting user data. Combined with random generated values and the Pairwise Master Key to produce a set of keys called the Pairwise Transient Key Derived in Phrase 1 from the Preshared Key (which includes network passphrase, SSID, n-iterations, and key length) Pairwise Master Key (256 bits) Pairwise Transient Key (384 bits) EAPOLMIC key (128 bits) EAPOLEncrkey (128bits) Data Encr /MIC key (128 bits) Figure 6: Diagram of WPA2 Authentication Phase Phase 1 Probe request. Open Authentication Request Association Request Phase 2 Message 2: EAPOLKey(SNonce,MIC) Message 4: EAPOLKey(Ready,MIC) Probe Response Open Authentication Response Association Response Message 1 EAPOLKey(ANonce) Message 2 EAPOLKey(SNonce.MIC) Figure 3: De-Authentication Results: Passphrase shown. Access Point (AP) Station (STA)