
Gopal Pawar

161060976
B.Tech Electronics
E-security

Assignment No.3

Q1) This authentication scheme is one-sided. How can it be made mutual?


Ans-

● IEEE 802.11i supersedes its previous security specification WEP, which had security vulnerabilities.

● WPA (Wi-Fi Protected Access) had been previously introduced by the Wi-Fi Alliance.

● WPA has implemented a subset of draft 802.11i. The Wi-Fi Alliance refers to its approved interoperable implementation of full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i uses the AES block cipher, whereas WPA and WEP use the RC4 stream cipher.

● 802.11i enhances 802.11-1999 by providing a Robust Security Network with two protocols: four-way handshake and group key handshake. These utilize authentication and port access control described in IEEE 802.1X to establish and change the appropriate cryptographic keys.

● The RSN is a security network that only allows creating RSNAs (Robust Security Network Associations), which are a type of association used by a pair of stations (STAs) if the procedure of association or authentication between them includes the four-way handshake.

● The standard also provides two RSNA data confidentiality and integrity protocols: TKIP and CCMP, with the implementation of CCMP being mandatory because the confidentiality and integrity of TKIP are not as robust as those of CCMP. The main reason to implement TKIP was that the algorithm should be implementable within the capabilities of old devices.

● The initial authentication process is carried out by using a pre-shared key (PSK) or following an EAP exchange through IEEE 802.1X (which is known as EAPOL and requires the presence of an authentication server).

● This process ensures that the client station (STA) is authenticated with the access point. After the authentication a shared secret key is generated which is known as Pairwise Master Key (PMK). In PSK authentication PMK is actually PSK, which is typically derived from the Wi-Fi password by putting it through a key derivation function using SHA-1 cryptographic hash function. If an IEEE 802.1X EAP exchange was carried out, the PMK is derived from EAP parameters provided by the authentication server.

● Once the PMK is computed it acts as a shared secret key. This key is to be used as infrequently as possible so that it is less exposed. So it cannot be passed as a message.

● That requires us to derive new keys. The four-way handshake uses a key called the Pairwise Transient Key (PTK) to deal with the traffic.

● This key is derived by concatenating the following attributes: AP nonce, STA nonce, AP MAC address, STA MAC address, PMK.

● The product is then put through a pseudo-random function. This handshake also yields a GTK (Group Temporal Key) used to decrypt multicast and broadcast traffic.

● Following are the steps in the four-way handshake:

○ AP generates a nonce (ANonce) and sends it along with the Key Replay Counter to the STA. The Key Replay Counter keeps the number of pairs of messages sent. After this message, the STA has everything to compute the PTK.

○ STA also sends its nonce (SNonce) along with a MIC (Message Integrity Code) including authentication, which is really a MAIC (Message Authentication and Integrity Code), and the Key Replay Counter, which will be the same as in message 1, to allow the AP to match it to the right message 1.

○ AP verifies message 2 by checking the MIC, RSN, ANonce and Key Replay Counter field and, if valid, constructs and sends the GTK (Group Temporal Key) and another MIC.

○ STA verifies message 3 by checking the MIC and Key Replay Counter field and, if valid, sends a confirmation to the AP.
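
An added sketch (not part of the original assignment) of why the four-way handshake authenticates both sides: each MIC is keyed with a PTK that can only be derived by a party holding the PMK. It uses the PBKDF2-HMAC-SHA1 passphrase mapping, the HMAC-SHA1 PRF and a 48-byte CCMP PTK; the frame bodies, MAC addresses and function names are constructed placeholders, and the GTK is omitted.

```python
import hashlib
import hmac
import os

def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # Sorting the MACs and nonces makes both sides build the same input.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK

def mic(ptk: bytes, frame: bytes) -> bytes:
    # The first 16 bytes of the PTK are the key confirmation key (KCK).
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def handshake(ap_pmk: bytes, sta_pmk: bytes):
    """Return (AP accepts STA, STA accepts AP) for constructed frames."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Message 1 (AP -> STA) carries ANonce; the STA can now derive its PTK.
    sta_ptk = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    # Message 2 (STA -> AP) carries SNonce and a MIC under the STA's KCK.
    msg2 = b"msg2|replay=1|" + snonce
    msg2_mic = mic(sta_ptk, msg2)
    ap_ptk = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    ap_accepts_sta = hmac.compare_digest(mic(ap_ptk, msg2), msg2_mic)
    # Message 3 (AP -> STA) carries a MIC under the AP's KCK.
    msg3 = b"msg3|replay=2|" + anonce
    msg3_mic = mic(ap_ptk, msg3)
    sta_accepts_ap = hmac.compare_digest(mic(sta_ptk, msg3), msg3_mic)
    return ap_accepts_sta, sta_accepts_ap

if __name__ == "__main__":
    pmk = psk_from_passphrase("password", "IEEE")
    print(handshake(pmk, pmk), handshake(os.urandom(32), pmk))
```

An access point that does not hold the PMK cannot produce a valid message 3 MIC, so the station rejects it; this is the check that WEP's one-sided scheme lacks.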

Q2) What information does it provide to an attacker making it easy to attack?


Ans-

● WEP is a one-sided protocol, meaning that only one party gets authenticated and the party (which is authenticated) remains blind about the party which is unauthenticated.

● So the party which is authenticated is at constant risk as it is connected to an unknown source.

● This is one drawback of WEP, while it could also be the case that a third party is actually trying to intervene in the communication between a subscriber and an Access Point.

● Let’s consider that one subscriber is trying to gain access to the access point; here the access point could also be a Wi-Fi.

● At first, the subscriber requests the Wi-Fi by sending a request message.

● In response, the Wi-Fi sends a challenge (nonce) and tells the subscriber to encrypt the challenge message with a shared key. This message is actually a broadcast message and can also be seen by an attacker. So this plain text is exposed.

● Now when the challenge message reaches the subscriber, it encrypts the message using the IV (Initialization Vector), keystream, CRC-32 and the RC4 algorithm and sends the encrypted message to the Wi-Fi. This message is also a broadcast message and hence can also be seen by the attacker. So the encrypted message is also exposed.

● Hence, in the process of authentication of a subscriber with WEP, the encrypted text and the plain text both get provided to the attacker.

● Now the only thing left for an attacker is to XOR both the obtained quantities, and the resulting quantity is the keystream which was generated by the RC4 algorithm during the encryption of the challenge message (plain text).

● Considering the policies for WEP, a keystream can be reused and the IV (Initialization Vector) is a number chosen by the subscriber, so the attacker can now send a request to the Access Point (Wi-Fi), take the new challenge message and basically use the same pair of keystream and IV (Initialization Vector) to encrypt the new challenge message. The attacker is thus authenticated by the Access Point.

● Hence it is very easy for the attacker to attack an Access Point using the obtained information, i.e. the plain text (challenge) and the encrypted text.

Q3) The encryption scheme is an RC4 stream cipher. How can an attacker
create a valid response for any challenge after watching just one valid
authentication?
Ans-

● During one valid authentication, the challenge message (plain text) and the encrypted message are both broadcast and hence are visible to the attacker.

● The attacker can do an XOR operation on both the quantities; the resultant quantity is the keystream.

● A keystream is generated by the RC4 algorithm. When a subscriber wants to encrypt a challenge given by the access point, it does that by using one of the shared keys and an IV (Initialization Vector).

● The IV is used for extending the time after which a keystream gets repeated. Since a keystream is generally 40 bit or 80 bit, it is highly possible that an attacker exhausts all possible values of a key.

● So in order to protect against this, a 24-bit IV is added to one of the keys. The resultant value is given for RC4 encryption. RC4 thus produces a keystream.

● Now the challenge (message) is given to the CRC-32 block for creating an ICV (Integrity Check Value) data unit, which is then appended to the challenge (plain text) given by the Access Point.

● The resultant data is XOR-ed with the keystream obtained from the RC4 algorithm to get a final value. This value forms the ciphertext.

● The attacker does not know about any shared key but still can use the same keystream.

● The IV can be the same as used in the valid authentication process by a subscriber or it can be a different number created by the attacker.

● Now when the attacker wants to gain access to the Access Point, it sends a request message.

● The access point sends a challenge (nonce) to the attacker in response.

● The attacker uses the same keystream and IV (Initialization Vector) and encrypts the message (challenge).

● The attacker sends the encrypted text to the Access Point and, after the decryption process, a key is obtained by the access point.

● Now, this key is the same key that was used during the previous valid authentication process; however, the attacker has no clue about the value of the key.

● The access point then compares the value of the key (obtained after the decryption process) with a list of the registered keys. If it matches one of the keys, the attacker is authenticated.

● Hence, after watching one valid authentication, an attacker can get access to an access point with a valid response.
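
The keystream reuse described in Q2 and Q3, as an added offline simulation that is not part of the original assignment: a simplified model of WEP shared-key authentication (frame headers omitted, function names are assumptions, all values constructed) showing that the access point's check passes for any party holding one observed challenge/response pair, so the check proves nothing about knowledge of the key.

```python
import os
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))   # CRC-32 integrity check value

def sta_response(wep_key: bytes, iv: bytes, challenge: bytes):
    # Legitimate station: RC4(IV || key) XOR (challenge || ICV)
    body = challenge + icv(challenge)
    return iv, xor(body, rc4(iv + wep_key, len(body)))

def ap_accepts(wep_key: bytes, challenge: bytes, iv: bytes, ct: bytes) -> bool:
    body = xor(ct, rc4(iv + wep_key, len(ct)))
    return body[:-4] == challenge and body[-4:] == icv(body[:-4])

def observer_response(seen_challenge, seen_iv, seen_ct, new_challenge):
    # No key involved: plaintext XOR ciphertext is the keystream for seen_iv,
    # so that IV is sent again with the new challenge.
    keystream = xor(seen_ct, seen_challenge + icv(seen_challenge))
    return seen_iv, xor(new_challenge + icv(new_challenge), keystream)

def demo() -> bool:
    key = os.urandom(5)                           # 40-bit shared key, known to AP and STA only
    c1 = os.urandom(128)
    iv, ct = sta_response(key, os.urandom(3), c1) # one observed valid authentication
    c2 = os.urandom(128)                          # fresh challenge from the AP
    return ap_accepts(key, c2, *observer_response(c1, iv, ct, c2))

if __name__ == "__main__":
    print("AP accepts response built without the key:", demo())
```

Because the challenge length is fixed, one recovered keystream of that length always suffices; the mutual, MIC-based handshake of 802.11i discussed in Q1 never exposes such a plaintext/ciphertext pair.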
