Download presentation
Presentation is loading. Please wait.
1
Antti Miettinen (modified by JJ)
WLAN Security Antti Miettinen (modified by JJ)
2
What is WLAN? A wireless data communication system implemented as an extension to, or alternative for, a wired local area network. Operates at uncontrolled ISM (Industrial, Scientific and Medical) band
3
What is WLAN? (cont.) Standards by IEEE for 802.11
First standard, up to 802.11a Accepted standard, up to 802.11b Accepted standard, up to 802.11d MAC Enhancements for wider use of
4
What is WLAN? (cont.) Standards by IEEE for 802.11 (cont.)
802.11e MAC Enhancements for Quality of Service 802.11f Recommended Practice for Inter Access Point Protocol = Roaming & hand over 802.11g Accepted standard, up to 802.11i Improved WEP and EAP (802.1X)
5
What is WLAN? (cont.) Standards by ETSI HiperLAN/1 23,5Mbps@5GHz
published 1999 HiperLAN/2 ( Asynchronous data communication Support for QoS (real-time voice & video) support Transmit Power Control and Dynamic Frequency Selection (required in Europe at 5GHz) Uses 56 bit to 168 bit key encryption (DES)
6
WLAN structure Two possibility, either ad-hoc or Access Point
BSS or ESS ad-hoc network IBSS IBSS: Independent Basic Service Set (ad hoc BSS: (Infrastructure) Basic Service Set ESS: Extended Service Set AP: Access Point Access Point network Fix to:
7
802.11 WLAN security features
DSSS (Direct sequence Spread Spectrum) Isn’t very secure, although theoretically it could be a good security feature. AP transmits the hop sequence in plain. ESSID (Extended Service Set Identifier) By default all stations are broadcasting ESSID Can be passively received, when legitimate user associates with Access Point WEP (Wired Equivalent Privacy) By default is turned off Includes flaws (AirSnort attack: collect weak initialization vectors) MAC-address controlled authorization to Access Point MAC-address is easy to spoof (command line)
8
WEP Goals Includes security flaws!
Access control: To prevent unauthorized users who lack a correct WEP key from gaining access to the network. Privacy: To protect wireless LAN data streams by encrypting them and allowing decryption only by users with the correct WEP keys. Includes security flaws!
9
WEP Authentication Access request by client
Challenge text sent to client by AP Challenge text encoded by client using a shared secret then sent to AP If challenge text encoded properly AP allows access else denied
10
WEP (cont.) Based on symmetric RC4-encryption algorithm
Support 40bit and 104bit encryption All clients and AP’s in wireless network share the same encryption key (weakness) No protocol for encryption key distribution (weakness) Initialization Vector (IV) transmitted in the clear (weakness)
11
WEP overview A master key k0 (either 40 or 104 bits) is shared between two parties wishing to communicate a priori. Each packet (header|data) is then protected by: An integrity check field IC = h(header|data) A random initialization vector (IV) The master key and IV are used to generate a keystream using RC4 in stream cypher mode k = RC4(k0, IV) The data and IC are then encrypted by this keystream Ek(m) = m k
12
WEP packet header data IC RC4 generated keystream header IV encrypted
random packet = header | IV | Ek(data | IC)
13
Possible Attacks War-driving, war-walking etc. Monitoring
Moving around the city and scanning the WLANs Many of the WLANs are without protection! (about in 50% of present WLANs WEP isn’t enabled) Usually used to find networks, not to penetrate them Monitoring Just listening the traffic
14
Possible Attacks (cont.)
DOS-attack Use high power 2,45Ghz (or 5GHz) signal generator for instance, a microwave oven Send continuous streams of CLS (clear-to-send) frames to a fictitious user Legitimate users won’t be able to access the medium Send deassociate frame in name of others (MAC-address can be faked) It is possible! Take the Access Point down!
15
Possible Attacks (cont.)
Man-in-the-middle attack If WEP is used, the secret key must first be solved Set up fake Access Point No authentication required (from Access Points) Legitimate users change their Access Point to yours, if it has better SNR. You can e.g. deassociate them from the real Access Point.
16
Why is WLAN still used? It is fast and easy to set up
It supports mobility Reduced installation time and costs compared with cable Broadband connection, up to 54Mbps
17
Transmission rate (kbit/s)
WLAN is fast Fixed LAN 50 000 802.11a, g and HiperLAN2 10 000 802.11b/WiFi Transmission rate (kbit/s) 1000 500 Bluetooth Bluetooth UMTS GPRS 50 GSM Walking speed Driving speed Stationary Source: Public Wireless LAN Access: A Threat to Mobile Operators, Analysys Research, 2001
18
How to check security of your WLAN-network?
AirSnort ( For Linux and Windows Recovers encryption keys Operates by passively WEPCrack ( Open source tool for breaking WEP secret keys For Linux only
19
How to check security of your WLAN-network?
Other software: Netstumbler ( Only for Windows Dstumbler ( Only for Linux Kismet (
20
WLAN security To Be Continued…
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.