Outline

Introduction Physical Layers MAC Layer Deployment Wireless Equivalent Privacy Wireless Protected Access

Mobile Networks
Wi-Fi Pierre Boulet
Master Informatique spcialit TIIR

20082009

Resources
Course page
http://www.lifl.fr/~boulet/ enseignement/wifi/ http://del.icio.us/pboulet/wifi

First Wireless Networks

Waves
electromagnetic waves discovered by Heinrich Hertz in 1888 rst radio transmission in 1898 between the Eiffel tower and the Panthon in Paris (TSF) image transmission in 1924 (television)

Bibliography
Wi-Fi, dploiement et scurit
Aurlien Gron, Dunod http://www.livre-wifi.com/

First data network

AlohaNet in Hawa (Norman Abramson) 1970

Wi-Foo: protger son rseau sans l du piratage

Andrew A. Vladimirov, Konstantin V. Gavrilenko and Andrei A. Mikhailovsky, Campuspress http://www.wi-foo.com/

Why so Late?
Multiple Reasons

Boom of Wi-Fi
Public sensitization to wireless communications
mobile phones

Low bandwidth
today tens of Mb/s compared to several Gb/s for wire networks

A standard
IEEE 802.11 (1997)
theoretical data rate: 1 to 2 Mb/s infrared or RF 2.4GHz (no license in most countries)

No standard
no interoperability dependency on one supplier high prices

IEEE 802.11b (1999)

data rate: 11Mb/s on RF 2.4GHz

Regulations
dependent on the country limit usage, power, technology may impose a license

An association of suppliers
Wi-Fi Alliance quality label: Wi-Fi

WLAN
Wireless Local Area Network

Extension to the Enterprise Network

Allows to connect easily
Portable computers PDAs

IEEE 802.11 designed for WLAN

wireless ethernet

Two modes
Ad Hoc networks
workstations communicate directly

No additional wiring needed Main concern: security

Infrastructure networks
workstations communicate via access points

Wi-Fi at Home
Allow to use the Internet connection from anywhere in the house
usually one access point is enough to cover the whole area

Hotspots
Available in
airports, trains, hotels, restaurants, bars, universities, meeting points in enterprises

Sharing the Internet connection Connecting together various equipments

screens printers ...

Allow the user

to use its own equipment and environment to access the Internet from any place

WISPs (Wireless Internet Service Providers)

Wirst, Wispot, HotCaf, Mtor Networks Orange, SFR, Bouygues, Aroports de Paris Tlcom Swisscom, British Telecom

Roaming
Lots of WISPs partitioning of the networks Roaming partnerships
to allow the user to buy its connection from one WISP and use any partners network in France: W-Link (Orange, SFR, Bouygues, ...) international networks: Boingo, FatPort virtual WISPs: GRIC Communications, iPass, RoamPoint

Associative Wi-Fi
Idea
share the Internet connection with the other members of the association to cover a large area as a small town Paris sans l, Wi-Fi Montauban

main advantage: free main concern: legality

the owner of the Internet connection is responsible of its use

Multi-WISP deployments
one society deploys the network and leaves the exploitation to others examples
Wixos of the Naxos society (RATP) to cover the outside of the Paris metro stations airport of Nantes

Point-to-point Connection
Useful to link to buildings where wiring is not practical Advantages of Wi-Fi
low cost
less than 500e to realize a point-to-point link of several hundred meters

Ethernet
Ethernet cheaper than Wi-Fi
most computers have ethernet connections but not all have Wi-Fi adapters Wi-Fi routers more expensive than classical Ethernet ones wire security much more easy

no license
no declaration, no monthly fee no way to forbid the neighbor to hamper your communications

Higher data rate

Ethernet: 1Gb/s Wi-Fi: 54Mb/s

Often Wi-Fi adds new connection possibilities as an extension to the wire network

Powerline
Data transport over the electrical network
no need for new wires frequency: 1.6 to 30MHz, low power

Infrared and Laser

Infrared
wave length between 750nm and 1mm used for many years to communicate at short distance

HomePlug
American standard duplex, 85Mb/s, several tens meters more powerful technologies exist

Advantages
LEDs are cheap data rate can reach 16Mb/s (Very Fast Infrared) secure because directional and low range no interference with radio waves

comparison with Wi-Fi

no real mobility a little bit sensitive to electromagnetic waves bad security may be complementary: powerligne to link Wi-Fi access points no wires

Drawbacks
low range sensible to obstacles

Laser
used for long distance connections very directional no need for an authorization sensible to weather conditions

Bluetooth
Main technology for WPAN
rst specication by the Bluetooth Special Interest Group in 1999 considered by the IEEE 802.15 group for WPAN frequency band: 2.4GHz
can pass through thin obstacles same as Wi-Fi 802.11b and 802.11g possible interference

ZigBee
Dened by the ZigBee Alliance and considered by the IEEE 802.15 group for WPAN Similar technology than Bluetooth
2.4GHz or 868MHz or 915MHz short distance but low data rate: 20 or 250kb/s

Advantages
great simplicity low cost very low power consumption

Advantages
automatic detection mechanism very easy conguration low power, small size, cheap

Drawbacks
low data rate: 1Mb/s low range

WPAN, not WLAN

complementary to Wi-Fi

Ultra Wideband
Radio modulation technique
very large band: several GHz compared to Wi-Fi: few tens MHz

Wi-Fi-like Technologies
HiperLAN (High Performance LAN)
developed by ETSI very similar to Wi-Fi but no interoperability

Characteristics
very high data rate low emitting power low distance (less than 10 to 20m)

HomeRF (Home Radio Frequency)

enhancement of DECT (Digitally Enhanced Cordless Telephony)

Enhanced Wi-Fi
802.11b+ and CCK-OFDM, enhancements of 802.11b led to 802.11g

Considered by the IEEE 802.15 group for WPAN

base to a new version of Bluetooth

Main problem: legality

forbidden in France to use large bands regardless of the emitting power

Terrestrial Microwave
Point-to-point connections Need license
expensive extremely high quality reserved frequency no power limitation range > 10km

Wireless Local Loop

To link the customer to its telecoms supplier
concurrent to ADSL

Replace copper cable by wireless connection

simpler, can reach 9km

Under license
3.5GHz or 26GHz expensive and constrained

Characteristics
range: several km data rate: several tens Mb/s capacity: several thousands of user per base station

Wireless Local Loop contd

Technologies
Local Multipoint Distribution Service Multichannel Multipoint Distribution Service IEEE 802.16 HiperMAN and HiperAccess from ETSI

Mobile Telephony
1G: analog radio connection 2G: digital communication
GSM (Global System for Mobile Communication) in Europe CDPD (Cellular Digital Packet Data) and CDMA (Code Division Multiple Access) in the USA allow voice transport, SMS, WAP (very low data rate for web surng)

WiMAX
quality label for IEEE 802.16 and HiperMAN compatibility mostly point-to-point new versions will handle the hand-over
concurrent to mobile telephony?

2.5G: enhancements to 2G
GPRS (General Packet Radio Service)
max data rate: 171.2kb/s (rather 40 to 60kb/s in practice) expensive

EDGE (Enhanced Data rates for GSM Evolution)

max data rate: 384kb/s

Mobile Telephony contd

3G: UMTS (Universal Mobile Telecommunication System)
allow multimedia exchanges handle a large density of connected users max data rate: 2Mb/s

802.11legacy
Three physical layers
infrared
not successful, better use IrDA

two radio waves

2.4GHz frequency band DSSS / FHSS modulation max data rate: 2Mb/s

3G: others
CDMA2000 in North America and part of Asia TD-SCDMA in China

One MAC layer

Evolutions of 802.11
802.11a
5GHz instead of 2.4GHz, OFDM modulation max data rate: 54Mb/s

Electromagnetic waves
Combined oscillation of electric and magnetic elds
radio waves, infrared, visible light, ultraviolet, X-rays, gamma rays transport energy without any physical support

802.11b
2.4GHz, DSSS or HR-DSSS modulation max data rate: 11Mb/s

Essential measures
frequency () = number of oscillations per second (Hz) period (T) = duration of an oscillation (s) = 1/ propagation speed (c) (m/s) in the vacuum: c = 299, 792, 459m/s in the air: c 299, 700, 000m/s wavelength () = travel distance during one oscillation (m) = cT strength
electrical strength (V/m) magnetic strength (A/m)

802.11g
2.4GHz, DSSS, HR-DSSS or OFDM modulation max data rate: 54Mb/s

802.11n
draft appeared in 2006 should not be standardized before July 2007 adds MIMO to 802.11a and 802.11g max data rate: 540Mb/s

Power
measured in Watts (W) depends on strength and frequency Wi-Fi usually limited to 100mW
10 times less than a mobile phone should present no danger for health

Range of the Signal

decreases like the square of the distance to the emitter the range of a 100mW emitter is twice the range of a 25mW emitter in dBm? lower frequencies have a better range
at equal power 2.4GHz waves have 50% greater range than 5GHz waves legal power limit
2.4GHz: 100mW 5GHz: 200mW

mW decibels (dBm)
PowerdBm = 10 log(PowermW ) PowermW = 10
PowerdBm 10

Example
20dBm 100mW

Sensitivity and Noise

Sensitivity of the receiver
usual 802.11b cards
-88dBm for 1Mb/s data rate -80dBm for 11Mb/s data rate

Data Rate
Decreases with SNR
so with distance

Proportional to the width of the frequency band Outside 100m 150m 200m 300m Indoor 10m 15m 20m 30m 802.11b 11Mb/s 5.5Mb/s 2Mb/s 1Mb/s 802.11a or g 54-48-36Mb/s 24-18Mb/s 12-9Mb/s 6Mb/s

high end cards can go to -94dBm or better

increase in range?

Signal/Noise Ratio
very important parameter SNRdB = Power of received signaldBm Power of noisedBm usual 802.11b cards: 4dB for a 1Mb/s sustained communication

Noise sources
natural noise: -100dBm for Wi-Fi frequencies human activities the signal itself
multipath

Shannons Formula
Claude Shannon
has invented the information theory

Fundamental Modulations
Amplitude modulation (AM)
xed frequency carrier wave variation of carrier amplitude in function of the signal possible only if frequency of carrier frequency of signal

Max data rate in function of SNR and frequency band width

C = H log2 1 + P S N C, capacity of the channel in bits per second H, frequency band width in hertz PS , power of the signal in watts PN , power of the noise in watts
P

Frequency modulation (FM)

xed amplitude carrier variation of carrier frequency in function of signal

Example: Wi-Fi at 2.4GHz

frequency band width: 22MHz

Phase modulation
phase corresponds to position in time
measured in

variation of phase of carrier in function of signal

Simple digital modulations

Digital signal = 0 or 1 Amplitude-Shift Keying
AM with only two amplitudes very sensitive to noise and interferences

Differential Modulations
DPSK

Take into account the variation of phase instead of phase itself

no change 0 180 change 1

Frequency-Shift Keying
FM with two frequencies basis of Wi-Fi modulations

Could be used for ASK or FSK Properties

more sensitive to noise simpler to implement

Phase-Shift Keying
PM with two phases

Multiple Bit Symbols

PSK using 4 phases instead of 2
codes: 00, 01, 10 and 11 doubling of the data rate Quadrature PSK (QPSK or 4PSK)

Gaussian Filter
GFSK

Apply a Gaussian lter to the binary signal before carrier modulation

square signal is softened

Rate in symbols per second = bauds Combination of PSK with AM

4 phases (or phase transitions with DPSK) 2 amplitudes for each phase 8 combinations 3 bits/symbol 8QAM (Quadrature Amplitude Modulation)

Any modulation can then be used Less harmonics

less interferences with neighbor channels
higher data rate higher frequency of state transitions more harmonics larger spectrum of the signal

Wi-Fi
16QAM with 4 bits per symbol (12 phases with 2 amplitudes for 4 of them) 64QAM

frequency band width

2 data rate of source

Overview
Frequency Hopping Spread Spectrum (FHSS)
used only by 802.11legacy

Frequency Hopping Spread Spectrum

Frequency band separated in several channels Communications by hopping from one channel to the other
in a predened sequence and rhythm

Direct Sequence Spread Spectrum (DSSS)

802.11legacy, 802.11b and 802.11g

Orthogonal Frequency Division Multiplexing (OFDM)

802.11a and 802.11g

If unknown sequence
very difcult to intercept communications use by military communications unused by Wi-Fi

incompatibility between the 3 modulations

only compatibility: 802.11 DSSS, 802.11b and 802.11g

Interference resistance
avoid scrambled channels unused by Wi-Fi, used by Bluetooth and HomeRF

Possibility to share the frequency band by using different sequences 802.11

band: 2400MHz to 2483.5MHz, 1MHz channels in each channel: 2GFSK or 4GFSK

Direct Sequence Spread Spectrum

Chipping
send a sequence of bits (chip) for each information bit higher rate of state transitions spectrum spread

DSSS Modulation
802.11legacy
2DPSK for 1Mb/s 4DPSK for 2Mb/s 11bit spreading code: 10110111000 (Baker code) good for synchronization and to avoid multipath problems

Interest
spread spectrum higher data rate and better noise resistance redundancy to allow error correction

802.11b
Complementary Code Keying (CCK) HR-DSSS use up to 64 different spreading codes data rate adaptation
HR-DSSS at 11Mb/s: 8 bits of information for 8 chips HR-DSSS at 5.5Mb/s: 4 bits of information for 8 chips DSSS/Baker 4DPSK at 2Mb/s DSSS/Baker 2DPSK at 1Mb/s

Wi-Fi
14 channels of width 22MHz in the 2.4GHz frequency band need to choose a channel possibility of interferences

Orthogonal Freq. Division Multiplexing

Base on multiplexing
Frequency Division Multiplexing large spectrum divided in several sub-carriers simultaneous emission on the sub-carriers

802.11 FHSS
Band: 2.4GHz 1MHz channels numbered from 2400MHz Usable channels
Europe: 2 to 83 USA: 2 to 80

Possibility of inter-carrier interference

use IFFT to orthogonalize the sub-carriers

Wi-Fi
52 carriers of 312.5kHz each 16.66MHz channel carrier modulation: 2PSK, 4PSK, 16QAM or 64QAM 4 carriers as pilots 48 symbols send simultaneously

No more in use

Enhancement by using convulutive codes

add redundancy in the message error detection and correction allows to resist to interferences

Data rate adaptation

802.11 DSSS, 802.11b, 802.11g

Band: 2.4GHz 14 22MHz channels numbered from 2400MHz Centers spaced by 5MHz
overlap between channels

802.11a (and 802.11n)

Band: 5GHz 20MHz channels numbered from 5000MHz Centers spaced by 5MHz 12 channels used by 802.11a in the world
34, 36, . . . , 48 52, 56, . . . , 64

Usable channels
Europe: 1 to 13 USA: 1 to 11 14 only in Japan

In France
5GHz forbidden outside 8 channels without overlap
36, 40, 44, 48, 52, 56, 60 and 64

Recommendation
1, 6 and 11 available everywhere and do not overlap

up to 8 simultaneous communications 432Mb/s

up to 3 simultaneous communications 162Mb/s

Structure of a Frame
MAC layer
fragmentation MAC Protocol Data Unit (MPDU) packets

Preamble
used for synchronization FHSS
80bit for synchronization: 010101. . . 01 16bit Start Frame Delimiter: 0x0CBD

Physical layer
MPDU encapsulated in 802.11 frame Preamble PLCP header MPDU

DSSS
128bit or 56bit (optional for 802.11b) synchronization 16bit SFD: 0xF3A0

OFDM
12 predened symbols

PLCP Header
Physical Layer Convergence Procedure

Network Layer 2
Data Link

Indicates frame length and data rate

always transmitted at 1Mb/s!

IP LLC 802.2 (Logical Link Control) MAC 802.11 (Wi-Fi) 802.11a 802.11b 802.11g

IPX

...

FHSS
Length 12 bits Data rate 4 bits Error control (CRC) 16 bits

MAC 802.3 (Ethernet) Fiber Copper ...

... ...

LLC layer
layer 3 protocols independent of underlying protocol several layer 3 protocols can share same network

DSSS and OFDM

similar to FHSS a few additional elds more bits for data rate error control of OFDM: parity bit

MAC layer
MAC address denition (same as Ethernet, token ring) wave sharing, association, error control, security

MAC Layer Evolutions

First 802.11 version denes the core functionality 802.11c: precisions on the connection of an AP to the wired network 802.11d: rule of emission by country (legal channels, power limitation) 802.11e: quality of service 802.11f: Inter Access Point Protocol (withdrawn Feb. 2006) 802.11h: adaptation of 802.11a and MAC layer to the European market (Transmit Control Power, Dynamic Frequency Selection) 802.11i: security (WPA2) 802.11j: adaptation of 802.11a and MAC layer to the Japanese market 802.11k: Radio Resource Measurements (2007?)

Reminder on Ethernet
Communication over wires
small packets (1500 bytes in general) direct connection or through hubs

Medium sharing
allows broadcast/multicast sensible to denial of service attacks bandwidth sharing

CSMA
Carrier Sense Multiple Access

CSMA/CD
CSMA with Collision Detection

Emission protocol
sense the network wait for silence of a predened duration
DIFS (Distributed Inter Frame Space)

While sending a packet

sense the network to detect collision interrupt immediately if detecting a collision wait for DIFS restart with double CW
exponential back-off

start a countdown of random duration

max duration: CW (Collision Window)

if no equipment talks before the end of the countdown, send the packet otherwise,
interrupt countdown and wait for next DIFS restart countdown

As soon as correct emission of a packet

CW back to initial duration

Equal opportunity, simple, efcient under low load Sensitive to collisions under high load

Wi-Fi Wave Sharing

Many common points with Ethernet
possibility of unicast, broadcast and multicast sharing of the communication medium sensing the medium is possible

DCF
Distributed Coordination Function

Based on CSMA/CA (CSMA with Collision Avoidance)

enhancement of CSMA/CD after emission of a packet, wait for ACK (Acknowledge) goal: detect collision and ensure packet has arrived

Several strategies
DCF, PCF 802.11e: EDCF, EPCF

DCF
before sending a packet send a very small RTS (Request To Send) packet
contains an estimate of packet emission duration

receiver waits for SIFS (Short Inter Frame Space) receiver sends CTS (Clear To Send) packet after SIFS, sender emits packet after SIFS, receiver sends ACK

DCF Discussion
Only for unicast
broadcast or multicast packets sent without RTS, CTS, ACK

PCF
Point Coordination Function

The AP coordinates the other devices

impossible in Ad Hoc networks contention free

Advantage: detect most collisions Drawback: loss of bandwidth Why use DCF instead of CSMA/CD?
wireless device are usually half-duplex, so can not detect collisions non transitive view of the network

For each station in turn

AP sends a CF-Poll with a time allocation If station accepts
reply with CF-ACK can send one or several packets during allocated time

For small packets

dont use RTS/CTS size RTS threshold (1000 bytes by default)

If no answer after PIFS (PCF Inter Frame Space)

AP ask an other station in turn

Does not work well in high load conditions One slow device slows down all the others No support for QoS

PCF Discussion
PCF more predictable and fair
good for synchronous data (multimedia)

802.11e Enhancements
Trafc Classes (TC)
priority (between 4 and 8 levels)

But
loss of bandwidth if many stations have nothing to send not all devices compatible

Enhanced DCF
Arbitration IFS (< DIFS) and CW dened by TC queue by TC on each station transmission opportunity (TXOP)
possibility to send several packets separated by SIFS duration indicated in beacon frames

PCF is always combined with DCF in alternation

beacon frame indicates beginning of PCF/DCF sequence, total duration and PCF stage max duration CF-End ends PCF stage at any moment

Wireless Multi-Media certication

Enhanced PCF
sequences PCF/EDCF during PCF, AP can decide the order during EDCF, AP can send CF-Poll to any station after PIFS TXOP local parameters sent in MAC header

SIFS < PIFS < DIFS PCF not mandatory and not included in Wi-Fi Alliance interoperability tests

Ad Hoc Mode
Direct communication
no access point Independent Basic Service Set (IBSS)

Infrastructure Mode
Clients connected to network via a Wi-Fi AP
1 AP + its clients = Basic Service Set (BSS) area covered: cell or Basic Service Area (BSA) identied by a 48bit number: BSSID
BSSID = AP MAC address

Drawbacks
difcult conguration
Wi-Fi setup manual IP setup

Connection of several BSS by a Distribution System (DS)

DS can be wired Ethernet, point-to-point or wireless Extended Service Set covering Extended Service Area hand-over
connection maintained when going from BSS to BSS in a same EBSS automatic choice of best quality AP identied by SSID (max 32 characters)

no dened routing
with a routing software, mesh network

May be used to connect several AP

Client/Server Detection
Beacon frame broadcast (by AP)
usually every 100ms contain BSSID, SSID, possible data rates, . . . synchronization information

Authentication
Identication needed before being associated to an AP Open authentication
client send authentication request with required SSID AP always answers success

Probe requests (by client)

send probe request on each canal with required SSID and possible data rates AP answers with probe response
similar contents as beacon frame

WEP authentication
AP answers with a challenge
random 128bit number

Comparison
probe request ensures communication is possible in both directions too much probe requests may impact bandwidth

client encrypts the challenge with its WEP key send result to AP in a new authentication request AP can verify with its own WEP key

WEP Authentication Weaknesses

Client does not authenticate AP
possibility of pirate AP

Association / Reassociation
After successful identication Send association request
list of the handled data rates

What have we gained by authentication?

AP knows that client with x MAC address is legitimate pirate can sniff the communication add congure its Wi-Fi adapter with this x MAC address no way for the AP to check that MAC address x belongs to the same adapter

AP
allocates unique ID register information in allocation table send acknowledge

Hand-over: if station detects a better AP

send a unassociation request to former AP send a reassociation request to new AP
contains ID of former AP

Man in the middle attack

replace authentication request forward challenge and response no need to change MAC address!

completely transparent to the user

WEP authentication considered harmful

not used anymore

Security
SSID masking
weak: sniff probe packets

Error Control / Fragmentation

32bit CRC for each packet
high condence in validated packets in case of interferences: elimination of packets

MAC address ltering

not feasible if several AP and lots of stations MAC spoong

Fragmentation
error rate: FER = 1 (1 BER)size it can be interesting to fragment packets
threshold parametrized trade-off between FER and overhead

WEP (Wired Equivalent Privacy)

shared key free software allow to break WEP

802.1x and WEP key rotation

needs a RADIUS server

beacon frames, broadcast and multicast not fragmented

802.11i and WPA (Wireless Protected Access)

based on 802.1x needs a RADIUS server WPA: TKIP cryptography 802.11i: AES cryptography (WPA2 certication)

Dispatching and WDS

Dispatch problem
where to forward received packets? to the BSS or to the DS?

Power Saving
Wi-Fi communications can reduce autonomy up to 80%! Power Save Polling Mode
instead of Continuously Available Mode

Mechanism: 2 bits toDS 0 1 0 1 fromDS 0 0 1 1 signication Ad Hoc station AP AP station WDS: AP AP

Principle
turn off radio between emissions and receptions queue packets till wake up station warn AP of sleeping AP sends in beacon frames the list of stations it has queued some packets for (Trafc Indication Map) if stations has queued packets, ask the AP for them (PS-Poll) otherwise, go back to sleep mode

Wireless Distribution Service

extension of a wireless network with AP not connected to wired network vague specication compatibility problems discussion for mesh networks 802.11s

Special case for broadcast and multicast trafc Important power saving but no more QoS

Deployment
See http://www.jres.org/tutoriel/ Reseaux_sans_fil.livre.pdf by Daniel Azuelos, a tutorial made at JRES 2005.

Wireless Security
Fundamental qualities
condentiality integrity availability non repudiation

Common attacks
war-driving spying intrusion denial of service message modication

Solutions
First solutions
limit overowing deployment avoid pirate access points limit temptation by a good coverage radio supervision mask the SSID MAC address ltering VLANs WEP cryptography isolate the wireless network from the wired network use VPNs

Principle
Everybody shares a common key
key length: 40 or 104 bits key format: hexadecimal or text possibility of key generation from a password

Key handling problem

lots of copies of the key lots of potential security leaks difculty of key changing many enterprises never change their WEP key

New solutions
LEAP (Cisco) and proprietary solutions, WPA, 802.11i (WPA2) all based on 802.1x, itself based on EAP use an authenticating sever, nearly always RADIUS

Key Rotation
Mechanism to allow key changing
not possible to change all keys at the same time! solution: up to 4 keys at the same time
all can be used for reception only the active one can be used for emission

Individual Keys
Principle
each user has its own key APs know all the keys AP use MAC address to choose the key

Key changing procedure

at the beginning: only one active key in all equipments add the new key in position 2 in all AP (key 1 is still active) ask users to add the new key in position 2 in their station and to activate it once all stations are updated, activate key 2 in all AP remove key 1

Very heavy system Isolation of the communications from the other users Broadcast and multicast
users use individual key to AP AP use shared key for such trafc each station must know individual and shared key

Conguration
4 keys to allow changing of shared and individual keys few AP can handle individual keys key handling so heavy that nearly never used

RC4
Rivest Cipher 4

Integrity Control
CRC Used in SSL and WPA
a good tool! protects from transmission errors but not from pirates
can be recomputed for a modied message

Principle: generate a pseudo-random bit stream

initialized by a key reproducible

ICV (Integrity Check Value)

CRC computed on the clear text added to the message to encrypt

Encryption procedure (in WEP and WPA)

message RC4-generated-bit-stream

Need to avoid the same RC4 key for different messages

simple solution: combine WEP key with a nonce (Initialization Vector) RC4 key = IV (24 bits) || WEP key (40 or 104 bits) need to transmit IV to allow decryption
IV sent in clear form at the beginning of each packet

Cryptographic Weaknesses
RC4 key repetition
length IV = 24 too small! as soon as two packets with same IV received, pirate knows part of the messages independent of WEP key length

Decryption dictionary
If pirate gets clear text and encrypted message
can deduce the RC4-generated bit stream for the used IV make a dictionary of these bit streams (less than 30GB) how to get these clear text messages?

Better ones exist

decryption dictionary attacks on weak keys

Ping requests
response to a ping is an echo of the request different responses are encrypted with different IVs how to generated ping requests?
replay not very good method

forge a ping request

intercept an ARP request (easy to guess contents) increase byte by byte the size of the ping request

Dangerous as pirate acts on the network but automatizable

Weak Keys
Weakness of RC4
rst bits of the pseudo random stream have a high probability to correspond to some bits of the key drop rst 256 bytes

Integrity Check Weakness

CRC is linear
CRC(A B) = CRC(A) CRC(B)

Allows to modify packets transparently

add a sequence of the same length of the message M C = (M||CRC(M)) R C = C (||CRC()) C passes the integrity check!

Breaking the WEP key

rst bits of the key determine if it is weak IV pirate records weak key packets use an algorithm to get the WEP key
complexity linear in the size of the WEP key

Advantages
no need to send messages on the network can be faster than the dictionary attack at the end: WEP key vs 30GB dictionary

Counter measure: avoid IV leading to weak keys

makes the dictionary attack faster :-(

Conclusion on WEP
Free software tools exist to exploit attacks against
cryptographic weaknesses integrity check and dont forget authentication

Towards a Secure Wi-Fi

Strong encryption
key distribution during authentication solve all the problems of WEP encryption two solutions
WPA: TKIP encryption (based on RC4) WPA2: CCMP encryption (based on AES)

But WEP is better than nothing

most attacks need to listen to a lot of trafc need to be in range of the network more dangerous threats: viruses on legitimate computers

Strong authentication
use 802.1x based on EAP necessitate an authentication server
RADIUS

If you can, use WPA or WPA2

very strong security more difcult to install once installed, more manageable network

General Presentation
Goals
solve the security problems of WEP in a way that old devices dont have to be replaced
rmware update use RC4

RC4 Key
16 last bits of IV + 8 bits against weak keys || changing part for each packet (104 bits)
104-bit part = hash(IV, PTK, MAC sender)

IV distribution
rst 32 bits send before encrypted data last 16 bits + 8 bits against weak keys in place of WEP IV

New features
more powerful integrity control (Michael protocol) 48 bit IV instead of 24 bits (no reuse of RC4 keys) mechanism to avoid weak RC4 keys encryption key different for each packet IV used to counter replay attacks better key distribution mechanism

Protect Against Replay

Use IV to date packets
IV is incremented at each packet old packet = IV < IV of last received packet

Michael Integrity Protocol

hash(PTK, MAC sender, MAC receiver, clear text message)
20 bit

Adaptation to burst ACK

possibility to send ACK for a group of packets (up to 16) keep the last 16 IVs

computed on MSDU
before fragmentation

added to clear text message before encryption weakness

20 bit is small a few hours for a brute force attack if message fails integrity control, block AP for 1 min more than 2 years

IEEE 802.11i
ratied in June 2004 names
802.11i, WPA2, WPA/AES

CCM
Counter-Mode + CBC-MAC

Counter-Mode
a counter is continuously incremented that counter is encrypted by AES resulting bit stream message

main drawback
necessitate new devices

encryption mode: CCMP integrity control: CBC

CBC-MAC: Cipher Block Chaining - Message Authentication Code

rst bloc encrypted by AES previous encrypted block current block result encrypted by AES and so on

CCM = Counter-Mode + CBC

same encryption key 48-bit nonce used to encrypt and compute CBC
sequential packet number (PN)

CBC can be computed on encrypted message + clear text data

CCMP
CCM Protocol

CCMP Details
MIC = CBC (
MAC header (with zeros replacing variable parts) CCMP header (with zeros replacing variable parts) clear text data zero padding)

Dene how CCM is used in Wi-Fi context Packet structure

MSDU fragmented in MPDU packets MPDU = MAC header + data in case of WEP or TKIP: WEP header inserted between MAC header and data in case of CCMP: idem

CCM Counter Options Priority 1B 1B

MAC sender 6B

PN 6B

Counter 2B

CCMP header PN0 PN1 Rsv

ID

PN2

PN3

PN4

PN5 CRC 4B

CCMP packet structure MAC CCMP Encrypted header header data 30B 8B 0 to 2296B

Encrypted MIC 8B

Mixed Modes
Possibility to deploy mixed-mode Wi-Fi networks
WEP + WPA TKIP + AES

AAA Methodology
Authentication, Authorization, Accounting

Access control to resources

informations needed to charge for the resource usage central to control security policy application

To allow old devices / to ease transition Should be avoided

weakest mode use for broadcast/multicast need compatible APs

Authentication
compare the references of the user with a database grant access to the network if data correspond

Authorization
control resource access by an authenticated user point of policy enforcement

Accounting
measure and log resource activities may be used for
billing analysis of the usage for capacity prevision or maintenance strategy

RADIUS Protocol
Remote Authentication Dial-In User Service

Key Mechanisms
Network security
communication between RADIUS client and server authenticated by shared secret user passwords encrypted

Concrete implementation of AAA methodology

dened by IETF: RFC 2865 client-server approach authenticate distant users in an heterogeneous environment

Flexible authentication mechanisms

several possible authentication methods (PAP, CHAP, EAP, ...) several data repositories (le, PAM, LDAP, SQL, ...)

Involved entities
user trying to get access to the network network access server (NAS)
transmit the user informations to the RADIUS server grant access to the network if authorized by the RADIUS server

Extensible protocol
transaction = Attribute-Value-Length tuple possibility to dene new attributes attributes used for authorization and accounting

RADIUS server
handle the connection requests from the user give to the NAS all the needed informations to give access to the required resources can act as a proxy to other RADIUS servers

RADIUS Protocol Details

Transport protocol: UDP
authentication and authorization: port 1812 accounting: port 1813

Architecture
3 participants
user, NAS, authentication server

Communication between user and NAS

EAP packets same LAN: EAPoL protocol

6 principal packet types

Access-Request: C S, user id + id proof Access-Challenge: S C, answer to Access-Request Access-Accept: S C, may contain attributes Access-Reject: S C Accounting-Request: C S, Start, Stop, Interim-Update Accounting-Response: S C: ack Accounting-Request

Communication between NAS and authentication server

no precision

Full compatibility with RADIUS

de facto standard for Wi-Fi RADIUS/EAP dened in RFC 2869
EAP-Attribute to encapsulate EAP messages

EAP Origin
PPP (Point-to-Point Protocol) PPP authentication methods
PAP (Password Authentication Protocol): clear text password CHAP (Challenge Handshake Authentication Protocol): MD5 hash of challenge, counter, password MS-CHAP: password hashed on server by proprietary algorithm, security weaknesses MS-CHAP-v2: mutual authentication, widely used on windows networks since Windows 2000

EAP Packets
4 packet types
Request: S C, ask for an information based on an authentication method chosen by the server Answer: C S, if authentication method not handled, propose a list of alternatives Success Failure

Only one authentication method in a dialog

once client has started an answer, can not change

Weaknesses
sensitive to off-line dictionary attacks no possibility to use non password based authentication

EAP (Extensible Authentication Protocol)

EAP and 802.1x

EAP on LAN
transport EAP packets over a LAN (e.g. Wi-Fi)
between user and access point

EAP Methods
EAP allows many authentication methods
list not closed

Password based methods

EAP/MD5: CHAP protocol with MD5 hash EAP/MS-CHAP-v2, included in Windows EAP/OTP: One Time Password
use a generator hashing a challenge and a passphrase S/Key, OPIE sensitive to off-line dictionary attacks

new packet types

EAPoL-Start: C noties server of its wish of connection EAPoL-Packet: encapsulate EAP packets EAPoL-Key: allow encryption key exchange EAPoL-Logoff: C ask for end of session

RADIUS encapsulation
between access point and RADIUS server

EAP Methods Contd

EAP/GTC: Generic Token Card
token sent in clear text in response to an optional challenge use of a token generator (token card) double factor security: card + password

EAP Methods Contd

EAP/PEAP: Protected EAP
developped by Cisco and Microsoft rst TLS negociation to setup a tunnel
not necessary with real identity only the server needs a certicate

EAP/SIM: use the SIM card of the portable phone EAP/TLS: Transport Layer Security
new version of SSL (RFC 2246) mutual authentication by certicates in EAP: only authentication, no use of the TLS tunnel heavy deployment (PKI)

new EAP authentication inside the tunnel

once authentication successful tunnel closed and success packet sent in clear text

advantages
easy deployment (only server certicate) id of the user hidden

EAP Methods End

EAP/TTLS: Tunneled TLS
very similar to PEAP allows any internal authentication, not only EAP possibility to add AVP in TTLS packets

EAP Security
Attack of the EAP method
off-line dictionary attacks MD5, MS-CHAP-v2, OTP on-line dictionary attacks PEAP/MD5, PEAP/MS-CHAP-v2, PEAP/OTP
easy to protect

EAP/FAST: Flexible Authentication via Secure Tunneling

similar to TTLS symmetric tunnel vs TLS tunnel
higher performance in hand-over

Attack of the session

only the authentication is protected session sensitive to MAC spoong need to encrypt the data exchanges
static key key negotiation during authentication

Man-in-the-Middle attacks
only protection: strong session encryption
pirate has no way to get the keys

attack of PEAP and TTLS

pirate use a false certicate protection: server certicate verication

WPA Personal
Pre-Shared Key (PSK)
manually congured in each equipment

WPA Enterprise
Use 802.1x
install and congure an EAP compatible RADIUS server congure every equipment with WPA/WPA2 and 802.1x choose one or several EAP method and congure the clients and server

Very simple Drawbacks

sensitive to off-line dictionary attacks key sharing high leakage risk no mechanism for key changing

Use a key-generating EAP method

all TLS based methods EAP/TLS, PEAP, TTLS, EAP/FAST

Connection Sequence
Wi-Fi association
open authentication association with AP

802.1x authentication
client send EAPoL-Start authentication sequence accord on a 256-bit key: Pairwise Master Key (PMK) RADIUS server send PMK to AP RADIUS server send success to client (and AP)

Temporary key negotiation

client and AP negotiate new key derived from PMK: Pairwise Transient Key (PTK) secure tunnel established AP send Group Transient Key (GTK) to client
used for broadcast and multicast changed regularly by AP (key rotation)