
Securing Wireless Network With WEP and WPA 110922

School of Computer Sciences
Universiti Sains Malaysia, Pulau Pinang
CST233 Information Security and Assurance
Academic Session: 2011/12
Assignment 2
White Paper
Title: Securing Wireless Network With WEP and WPA
NAME: CHEW KHA SON
NO. MATRIC: 110922
LECTURER NAME: DR AMAN JANTAN


Table of Contents
Introduction
What are WEP and WPA
    WEP (Wired Equivalent Privacy)
    WPA (Wi-Fi Protected Access)
Why need WEP and WPA
    WEP (Wired Equivalent Privacy)
    WPA (Wi-Fi Protected Access)
Attack on WEP network
Setup WPA on access point DLink DIR-300
The End
Reference


Introduction

According to the website Washington.edu, Wi-Fi security is a main issue for all Wi-Fi network users. The security protocols are defined under IEEE 802.11i, and the systems include WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access 2). Up until the early 2000s, WEP was a primary security protocol for protecting wireless computer networks. Unfortunately, as technology evolves every day, WEP encryption has become a weak security control for wireless networks. However, things have just gotten worse. A researcher at the Technical University of Darmstadt in Germany has written a paper in which they claim to be able to crack 104 bit WEP encryption in 60 seconds or less. In recent years, WPA and WPA2 have replaced the old mechanism, WEP, as the standard for all wireless network security. WPA and WPA2 are more powerful compared with the WEP security protocol, because WPA allows for more password complexity, which leads to a more secure network. The newest security protocol is WPA2, and it is more secure than WPA. WPA2 has stronger security because it has a new encryption mode that is AES-based.


What are WEP and WPA2

WEP (Wired Equivalent Privacy)

WEP is the first hardware form of security in 802.11 and is used to protect wireless communication from eavesdropping. Besides, it can prevent unauthorized access to a wireless network (access control) and prevent tampering with transmitted messages. WEP uses the RC4 stream cipher to encrypt each packet using a 64-bit key. This key is created from a 24-bit initialization vector (IV) and a 40-bit key value. The packets are formed by using an XOR function to apply the RC4 key stream to the data packet. Additionally, users can configure an encryption key of 64 bits, 128 bits or 256 bits in HEX. This is the basic WEP encryption: RC4 keystream XOR with plaintext (Source: http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy).

For example, a 64-bit WEP key is usually entered as a string of 10 hexadecimal characters. Each character represents four bits, so 10 digits of four bits each give 40 bits, and adding the 24-bit IV produces the complete 64-bit WEP key. Most devices also allow the user to enter the key as five ASCII characters. However, this restricts each byte to be a printable ASCII character, which is only a small fraction of possible byte values, greatly reducing the space of possible keys. Besides, the longer the key the better, as it increases the difficulty for crackers: cracking a longer key requires interception of more packets. There are other weaknesses in WEP, including the possibility of IV collisions and altered packets, which are not helped by using a longer key.

WEP has two kinds of authentication: shared key and open system. Each has its own function. Shared key authentication needs four steps to complete the handshake (a handshake happens when a computer wants to talk to another computer; it takes place before anything is sent and received). First, the client sends an authentication request to the access point (AP). Then the AP replies with a clear-text challenge. Next, the client encrypts the challenge text using the configured WEP key and sends it back in another authentication request. Lastly, the AP decrypts the request. If it matches the challenge text, the AP replies back.

In open system authentication, the WLAN client need not provide its credentials to the AP during authentication. Any client can authenticate with the AP and then attempt to associate. In effect, no authentication occurs. Subsequently, WEP keys can be used for encrypting data frames. At this point, the client must have the correct keys.

According to many research papers, WEP is too weak for wireless network settings. The vulnerability of WEP can be attributed to the following:

It only provides a method for the network card to authenticate the access point, and there is no way for the access point to authenticate the network card. So it is possible for a hacker or cracker to sniff the data through the access point.

Unauthorized decryption and the violation of data integrity
Once the WEP key is revealed, a hacker may transform the cipher text into its original form and understand the meaning of the algorithm. Based on the understanding of the algorithm, a hacker may use the cracked WEP key to modify the cipher text and forward the changed message to the receiver.

Poor key management
The key management is not effective since most networks use a single shared secret key value for each client. Synchronizing key changes is a tedious process, and no key management is defined in the protocol, so keys are seldom changed.

WEP uses the same WEP key and a different IV to encrypt data. The IV has only a limited range to choose from, 0 to 16777215. In time, the same IVs may be used over and over again. By picking the repeating IVs out of the data stream, a hacker can ultimately collect enough data to crack the WEP key.

Many vendors produced their own solutions to address the weaknesses of WEP, such as enhancing WEP to WEP+. In 1998, Lucent pioneered a 128-bit WEP that extended the WEP key from 40-bit to 104-bit in order to enhance security. Under this approach, attackers might take a longer amount of time to break the enhanced WEP keys. However, the approach was not very helpful because the previous security flaws in WEP still persisted. Agere and US Robotics followed Lucent and created their own enhanced WEP solutions (Agere's 152-bit WEP and US Robotics' 256-bit WEP). Besides, several vendors, including Cisco and Microsoft, implemented dynamic WEP re-keying of access points. The dynamic WEP keys prevented attackers from eavesdropping on the communications. The attackers might never collect enough data to crack WEP keys.

WPA (Wi-Fi Protected Access)

WPA was created to resolve the issues with WEP. WPA is used to secure wireless networks, and it is a much stronger encryption algorithm created specifically by the networking industry to mitigate the problems associated with WEP. WPA has a key size of 128 bits and, instead of static, seldom changed keys, it uses dynamic keys created and shared by an authentication server. This figure shows WPA work flow. Besides, it uses the same encryption and decryption method with all devices on the wireless network, but does not use the same master key. Devices connected to a WPA encrypted wireless network use temporary keys that are dynamically changed to communicate. WPA is designed to work with all wireless network cards, but not necessarily with first generation wireless access points. The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key Integrity Protocol (TKIP) is used to accomplish WPA. TKIP is a collection of algorithms that attempt to deliver the best security that can be obtained given the constraints of the wireless network environment. It employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

Besides TKIP, WPA adopts 802.1X EAP-based authentication to address the issue of user authentication in WEP. This feature was initially designed for wired networks but is also applicable to wireless networks. 802.1X EAP-based authentication consists of three elements: the supplicant, the authentication server and the authenticator. The supplicant is a client that wants to be authenticated. It can be the client software on a wireless device. The authentication server is a system, such as a RADIUS server, that handles the actual authentication. The authenticator is a device (access point) that acts as an intermediary between a supplicant and an authentication server. The exact method of supplying identity is defined in the Extensible Authentication Protocol (EAP). EAP is the protocol that 802.1X uses to manage mutual authentication. There are several types of EAP method, such as:

EAP LEAP - Uses a username and password to transmit the identity to the RADIUS server for authentication.
EAP PEAP - Provides secure mutual authentication and is designed to overcome some vulnerabilities that exist in other methods.
EAP TLS - Uses an X.509 certificate to handle authentication.
EAP TTLS - The authenticator identifies itself to the client with a server certificate, while the supplicant uses a username and password identity instead.

According to the book Principles of Information Security 3rd edition, TKIP adds four new algorithms to WEP:


A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries;

A new IV sequencing discipline, to remove replay attacks from the attacker arsenal;

A per-packet key mixing function, to de-correlate the public IVs from weak keys; and

A rekeying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

While it offered dramatically improved security over WEP, WPA was not the most secure wireless protocol design. Some compromises were made in the security design to accommodate compatibility with existing wireless network components. Protocols to replace TKIP are currently under development. Apart from that, Counter Cipher Mode with Block Chaining Message Authentication Code Protocol, commonly called CCMP, is also an encryption protocol. CCMP implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. It is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard. It was created to address the vulnerabilities presented by TKIP, a protocol in WPA, and WEP, a dated, insecure protocol.


Why need WEP and WPA

WEP

For some people, WEP is the only choice until the new security methods added to the IEEE 802.11 standard become established. Even with its weaknesses, WEP is still more effective than no security at all, provided you are aware of its potential weaknesses. It provides a barrier, although small, to attack and is therefore likely to cause many attackers to just drive on down the street in search of an unsecured network. Most of the attacks depend on collecting a reasonable sample of transmitted data so, for a home user, where the number of packets sent is quite small, WEP is still a fairly safe option. Here are some advantages of WEP:

It can prevent illegal usage, from spamming to accessing or viewing pornography, that may be traced back to your router.
It avoids wasted internet bandwidth that slows you down.
It thwarts other people from connecting to your router, where your computer would assume they are trusted members of your network and allow them to gain information from your system.
It prevents identity theft.


WPA

WPA was developed by the Wi-Fi Alliance in conjunction with the IEEE as an interim wireless security solution that works with existing hardware, in anticipation of the 802.11i wireless security standards that were recently approved but are not compatible with all legacy hardware. For those who aren't ready to upgrade all of their wireless hardware and who need more security than WEP can provide, WPA is the answer. Below are some advantages of WPA:

WPA uses much stronger encryption algorithms than its predecessor.
WPA uses the Temporal Key Integrity Protocol (TKIP), which dynamically changes the key as data packets are sent across the network.
WPA provides a way for enterprises to authenticate wireless users with a RADIUS server. The authentication protocol that's used is the Extensible Authentication Protocol (EAP). The RADIUS server also allows you to set user access policies to control wireless access to your network. For example, you can set time limits on wireless sessions or place restrictions on days and times that users can connect.
WPA has backward-compatible WEP support for devices that are not upgraded.


Attack on WEP network

Tools: Backtrack 3 (BT3, Linux kernel), Spoonwep2, and a USB Wi-Fi adapter

1. Firstly, boot BT3 and plug in the USB Wi-Fi adapter.

2. Start Spoonwep2 by clicking on the start button > BackTrack > Radio Network Analysis > 80211 > all > Spoonwep2.

3. The Spoonwep2 window will pop up. Choose the network card (USB Wi-Fi adapter) RAUSB0 > for the Driver option choose NORMAL (if your Wi-Fi adapter is Atheros, please select the option Atheros) > for MODE choose UNKNOW VICTIM > click on NEXT.


4. Then you will see a window like below. Click on the LAUNCH button to start scanning the nearby networks.


5. During scanning, you will see a window displaying details about the AP (Access Point) such as channel, data, SSID, packets, power and so on.


6. After that, you will see the wireless network that you desire to hack appear in the main window like below. Then you need to click on the wireless network you would like to hack, and click on the SELECTION OK button.

7. Then it goes to the attack panel, which lets you choose the attack method and select the key length in bits and the channel. After selecting, click on the LAUNCH button to start the attack.


8. You need to wait until Spoonwep2 finds the key. The key that you get will be in HEX, so you need to convert it into ASCII to make it easier to remember.


Setup WPA on access point DLink DIR-300

1. Log into the web-based configuration by opening a web browser and entering the default IP address of the router (192.168.0.1). Then click on Wireless Setup on the left-hand side.

2. Go to WIRELESS SECURITY MODE and select Enable WPA only wireless security (enhanced).

3. Then go to Cipher Mode and select TKIP, AES or Both.

4. Next, in the PSK/EAP option panel, select PSK.

5. Then enter the password that you desire.

6. Click on Save Setting and wait for the router to save the setting. Then the page will refresh.


The End

In conclusion, wireless networks without WEP or WPA are unacceptable due to the exceedingly high risks involved. If a wireless network has no security (WEP or WPA), it does not take any skill to discover it and gain unauthorized access to it. One does not have to be a programmer, Linux expert, or network specialist. All it takes is a laptop with a wireless network card, and some software or tools that can be easily downloaded for free from the Internet. Armed with these basic tools anybody can drive around, detect open wireless networks, and connect to them. With a Linux machine, additional software, some advanced knowledge, and some time and patience it is even possible to break into wireless networks that use encryption. Although WEP offers such weak encryption that it is generally considered insecure, it is better than a wireless network that does not have any security. WPA is an enhancement of WEP, but many researchers have found faults that make it fairly insecure as well compared to the WPA2 protocol.

Reference

Principles of Information Security Third Edition
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
http://www.pcworld.com/article/130330/how_to_secure_your_wireless_network.html
http://wifihelps.com/disadvantages.php
http://en.wikipedia.org/wiki/CCMP
http://www.techrepublic.com/article/wpa-wireless-security-offers-multipleadvantages-over-wep/5060773
http://support.netgear.com/app/answers/detail/a_id/1105/~/what%27s-new-insecurity%3A-wpa-%28wi-fi-protected-access%29
http://etutorials.org/Networking/802.11+security.+wifi+protected+access+and+802.11i/Part+III+WiFi+Security+in+the+Real+World/
http://www.practicallynetworked.com/support/wireless_secure.htm
http://www.brighthub.com/computing/smb-security/articles/78216.aspx
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
