
Comparison of the WLANs security functions time consumption

Jaroslav Kadlec, Radek Kuchta, Radimir Vrba


Dept. of Microelectronics, FEEC Brno University of Technology Brno, Czech Republic kadlecja | kuchtar | vrbar@feec.vutbr.cz
Abstract: Securing the communication is a key requirement for all wireless networks. The vulnerability of WLANs to security threats is addressed by several security mechanisms, but all of these mechanisms have a negative impact on the communication speed and the final network performance. The time consumption of the different security mechanisms used in wireless networks limits their availability for several time-sensitive applications. This paper focuses on performance tests of the IEEE 802.11g WLAN. A new testbed for measuring the basic network parameters with 10 ns resolution was developed and used to measure the influence of the different security levels that can be applied in IEEE 802.11g. The three main parameters of network communication in wireless networks are bandwidth, delay and jitter. Knowing the values of these three parameters allows us to decide whether the WLAN's parameters are acceptable for use in real-time applications. Based on the measured network dynamics we can select which real-time applications are suitable for this wireless network. In our measurements we focused on the basic security mechanisms WEP, WPA and WPA2.

I. INTRODUCTION

Wireless digital communication is gaining prominence in the industrial automation domain. Wireless LANs based on IEEE 802.11 and other wireless concepts based on 802.15 (Bluetooth and ZigBee) have been introduced, and more and more producers of wireless systems try to offer complete wireless solutions for specific network applications which require a high level of security, high speed of network communication and well-defined QoS parameters. To design remote mechanisms (telemonitoring, teleservice etc.) using wireless communication, an increasing number of communication technologies is available, but the use of these technologies in time-sensitive applications is limited by strict quality of service and performance requirements. For most of these applications conventional wireless technology can be used, but only with well-defined network parameters. If a user needs a monitoring application which wirelessly observes some industrial process with high demands on the monitoring speed, then the network parameters have to be exactly defined to prevent unintended monitoring interruptions.

The global parameters of a network are determined by several different factors, but the biggest impact comes from the parameters of the active network components used, such as routers, bridges and access points. Manufacturers of those devices do not provide this kind of information about the delay and speed of security functions. The need to know the parameters of network devices was the original impulse for our measurement. We measured the basic parameters of a common wireless network access point to get a rough picture of the values to expect when a similar kind of AP is used.

II. MEASUREMENT SCENARIO

To measure the WLAN security functions we used a single wireless link between a WiFi access point and a notebook equipped with an embedded WiFi adapter. The wireless connection was set up under laboratory conditions with regard to the best signal quality and minimal external signal noise. Therefore the measured results are ideal. The same tests made under real application conditions resulted in worse measured values, which depended strongly on the signal quality. Measurement under laboratory conditions is perfect for comparing measured values with ideal parameters because it eliminates the parasitic influences of unstable and undefined WLAN signal quality. This allows us to minimize disturbances from the outer environment and measure only the defined network parameters. The wireless AP serves as a router: it transfers packets received from the LAN between the AP and the first network board of the measurement system to the notebook through the wireless network connection. Sent packets are secured by the measured WLAN security functions provided by the AP. The notebook on the other side of the wireless connection receives these packets and transfers them through a software network bridge to the LAN between the notebook and the second network board of the measurement system.

978-1-4244-5091-6/09/$25.00 2009 IEEE


Figure 2. Software tool for measuring network parameters

Figure 1. Used measuring scenario of wireless network performance parameters

Our measurement scenario is a mixture of software-based packet sniffers and special network boards for precise time measurement of the network communication with 10 ns resolution. A measuring platform with two Siemens EB200 development boards for network testing was created for our measurement. These boards have two independent ports for Ethernet connection, and each of these ports has a free-running timer for adding time stamps to sent packets. The measurement application uses the first network board to send packets with time stamps into the tested system (network, device etc.), and the second one receives the packets and evaluates all important parameters. The free-running timers are synchronized by a special hardware solution that allows us to reach the highest possible resolution of 10 ns. The boards are controlled by special software, a tool we developed specifically for this application. The user can set up all parameters of the testing scenario in the tool, and the measured results are stored and displayed in real time during the testing process. Thanks to the Siemens EB200 board we can manage every single bit in an Ethernet packet, from the lowest network layers up to UDP and TCP frames. This low-level handling gives us precise control of all packets in the network and of the timing of sending and receiving these packets in the buffers of the EB200 network cards. The payload of the sent packets is filled with sequential numbers and has a length of 100 bytes. The packet size also influences the final value of the measured delay; a packet length of 146 bytes (100 bytes payload and 46 bytes packet header) was determined as the optimal value by several test cases with different network components. This packet size tests the speed of block ciphers because it has 146 bytes and most cipher and hash algorithms work with multiples of a 2^N block size. The AES block cipher used in the WPA2 security function has a block size of 128 bytes, therefore the packet has to be separated into two blocks of 128 bytes and 18 bytes. The second, 18-byte block is padded to the required length of 128 bytes. This splitting, padding and reassembly of the original packet influence the final time consumption.

We made several performance tests of the WLAN with a network topology consisting of a computer with two EB200 cards, one notebook with a Wi-Fi connection and one D-LINK DWL-G700AP wireless access point. At the beginning we measured the parameters of the WLAN without any security functions. These values are used as the reference for all security function tests and remove all influences of the network components used and of the notebook's network bridge from the final values. All measurements were done with at least 5000 test packets to ensure a sufficient quantity of input data for statistical evaluation. All measurements of the wireless network were done under laboratory conditions to prevent the influence of external parasitic disturbances. The wireless network had only one active connection and was not loaded by any other network traffic. Wireless signal strength and quality were optimized to reach the best wireless network conditions with a minimized level of interference.

III. RESULTS

As described, the measured results are ideal and relate to the exact type of WiFi AP and embedded notebook WiFi adapter, but most WiFi device manufacturers use the same network controllers and security chips. Therefore the measured results give a good picture of the speed of the security functions.
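How the evaluation described in the measurement scenario can be carried out, as an added Python example that is not the authors' tool: it matches packets by sequence number, converts 10 ns timer ticks to latencies and subtracts the unsecured reference run. It goes beyond the text by handling lost packets and one timer wrap; the 32-bit timer width, the deviation and jitter definitions and all sample values are assumptions.

```python
import statistics

TICK_NS = 10      # timer resolution stated in the paper
TIMER_BITS = 32   # assumption: width of the free-running timer counter

def latencies_ns(tx_ticks, rx_ticks):
    """Match packets by sequence number and return (latencies in ns, lost count).

    tx_ticks / rx_ticks map sequence number -> timer value at send / receive.
    """
    modulus = 1 << TIMER_BITS
    samples, lost = [], 0
    for seq in sorted(tx_ticks):
        if seq not in rx_ticks:
            lost += 1          # a lost packet is counted, not averaged in
            continue
        delta = (rx_ticks[seq] - tx_ticks[seq]) % modulus  # survives one wrap
        samples.append(delta * TICK_NS)
    return samples, lost

def summarize(samples):
    """Mean, deviation and jitter of one measurement run, all in ns."""
    steps = [abs(b - a) for a, b in zip(samples, samples[1:])]
    return {
        "mean": statistics.fmean(samples),
        "deviation": statistics.pstdev(samples),   # assumption: population form
        "jitter": statistics.fmean(steps),         # assumption: mean step size
    }

def security_overhead_ns(secured, reference):
    """Time consumption of a security function: secured mean minus reference mean."""
    return summarize(secured)["mean"] - summarize(reference)["mean"]

# Constructed timer values (ticks), not data from the paper.
REF_TX = {0: 1000, 1: 2000, 2: 3000, 3: 4294967290}
REF_RX = {0: 1100, 1: 2120, 2: 3080, 3: 94}          # seq 3 crosses a timer wrap
SEC_TX = {0: 1000, 1: 2000, 2: 3000, 3: 4000}
SEC_RX = {0: 1150, 1: 2170, 3: 4130}                 # seq 2 was lost

if __name__ == "__main__":
    reference, _ = latencies_ns(REF_TX, REF_RX)
    secured, lost = latencies_ns(SEC_TX, SEC_RX)
    print(summarize(reference), lost, security_overhead_ns(secured, reference))
```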

Figure 3. Histogram of measured packet latencies of WEP security protocol


We measured the four most widely used security functions in Wi-Fi networks. The first measured security function was 64-bit WEP (Wired Equivalent Privacy). This protocol uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is preceded by a 24-bit initialization vector (IV) to form the RC4 traffic key. The measured mean time consumption of WEP64 is 142 ms. The packet latency histograms have a similar shape for all measured security protocols except WPA2, which uses block cipher encryption.

The second measured security function was the extended 128-bit WEP protocol using a 104-bit key size. The bigger key size, with the same encryption mechanism and hash function, requires a longer time for packet encryption. The measured mean time is 146 ms.

The third measured security protocol was WPA, which is defined in the IEEE802.11i standard. The WPA protocol also uses the RC4 cryptographic function but upgrades the use and exchange of the shared secret (TKIP - Wired Equivalent Privacy). WPA increased the size of the IV to 48 bits and alters the values acceptable as IVs. This allows WPA to use the same algorithm as WEP, but plugs the hole by controlling the IV values going into the algorithm and makes WPA more resistant to security threats. To ensure integrity WPA incorporates an algorithm known as Michael instead of the simple CRC used by WEP. This algorithm creates a unique integrity value, using the sender's and receiver's MAC addresses. However, Michael uses a simple encryption scheme that can be cracked using brute-force methods. To compensate for this issue, if Michael detects more than two invalid packets in under a minute, it halts the network for one minute and resets all passwords. This reset function was not called during our measurements. Added algorithms and functions such as MD5, SHA-1, HMAC, PMK and PTK decrease the speed of WPA compared to WEP. The measured mean time consumption for preparing a packet is 152 ms.

The last measured security protocol was WPA2. The main difference between WPA2 and WPA is the use of the AES block cipher instead of the RC4 stream cipher. The different type of encryption generates the biggest time consumption for packet encryption, which is 177 ms, and an aligned histogram of packet latencies (see fig. 4). Fig. 5 shows the histograms of the latencies of all measured security protocols. Most of the packets are below a latency of 5000 ns. For better clarity the Y-axis has a logarithmic scale. The peak at the value "other" is caused by the Wi-Fi technology used and was not included in the security function results. The value of this peak is very similar across all measured security functions.

Figure 4. Histogram of measured packet latencies of WPA2 security protocol

All measured parameters are summarized in table 1 and figure 5.

TABLE I. COMPARING OF MEASURED WIRELESS NETWORK SECURITY FUNCTIONS

Security function   Mean [ms]   Deviation [ms]   Time consumption [ms]
WEP64               142,761     1645,948         12,799
WEP128              146,798     1693,578         16,836
WPA                 152,359     1789,710         22,396
WPA2                177,946     2049,761         47,983
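The per-packet WEP processing described above (a 24-bit IV prepended to the key to form the RC4 traffic key, with CRC-32 for integrity), as an added Python example that is not code from the paper. The key, IV and payload are constructed values, and the 802.11 header and the key-ID byte that follows the IV on the wire are left out.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR of the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling; WEP repeats it for every packet
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Return the IV (sent in clear) followed by RC4(IV || key, payload || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):  # 24-bit IV; 40- or 104-bit key
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    icv = zlib.crc32(payload).to_bytes(4, "little")  # CRC-32 integrity value
    return iv + rc4(iv + key, payload + icv)

def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame built above and verify its CRC-32 integrity value."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return payload

# Constructed sample values, not taken from the paper's measurements.
KEY_WEP40 = bytes.fromhex("0102030405")   # 40-bit key
PAYLOAD = bytes(range(100))               # 100 bytes of sequential numbers

if __name__ == "__main__":
    frame = wep_encapsulate(b"\x00\x00\x01", KEY_WEP40, PAYLOAD)
    print(len(frame), wep_decapsulate(KEY_WEP40, frame) == PAYLOAD)
```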

IV. CONCLUSION

A set of measurements of the performance of WLAN security functions is presented in this paper. For measurement purposes a sophisticated tool with high-precision resolution and absolute control of network traffic was created. Our measured results are unique due to their precision. Manufacturers of wireless network devices do not provide this kind of measurement, which is very important for time-sensitive applications. We focused on the definition of wireless network device parameters and security technologies for a wireless mobile platform and on measurements of the available technologies for wireless network applications. After analyzing our results we can simply decide which WLAN security function can be applied in a planned application. Based on those results it is possible to find the wireless security level which perfectly fits the target WLAN application. The main gap between the security level and the network performance which was measured in this paper could not be improved, but the user can choose optimal settings for his application. Our results relate to only one Wi-Fi AP from one manufacturer. Values of the security functions' time consumption can vary for different Wi-Fi AP types from different manufacturers, but most manufacturers use the same network controllers and security chips. Our future work will focus on these different Wi-Fi AP types and compare the implementation of the basic security functions in the final wireless network devices.

ACKNOWLEDGMENT

The research has been supported by the Czech Ministry of Education in the frame of MSM 0021630503 MIKROSYN New Trends in Microelectronic Systems and Nanotechnologies Research Project, partly supported by the Ministry of Industry and Trade of the Czech Republic in a Project - KAAPS Research of Universal and Complex Authentication and Authorization for Permanent and Mobile Computer Networks, under the National Program of Research II and by the European Commission in the 6th Framework Program under the IST-016969 VAN - Virtual Automation Networks project.