
SYST44998: Wireless Security

802.11 Legacy Security


Outline
Legacy Security
Authentication
Wired Equivalent Privacy (WEP) Encryption
Virtual Private Networks (VPNs)
MAC Filters
SSID Segmentation
SSID Cloaking/ Hiding
Learning Outcome
Explain how security information can be gathered using various
techniques.
Describe the vulnerabilities of original IEEE 802.11 authentication and
WEP.
Identify security measures against threats and attacks in wireless
networks.
Legacy 802.11 Security

It allows legacy client access
It provides backward compatibility with existing equipment
It can be the weak spot of the network: an attacker targets the oldest mechanism the network still accepts
Legacy 802.11 Security

Standard legacy 802.11 security means exactly three mechanisms defined in the original IEEE 802.11 standard:
Open System Authentication, Shared Key Authentication, WEP encryption
Nonstandard legacy 802.11 security (vendor features and practices, not defined by the standard):
VPN over wireless, MAC filtering, SSID segmentation, SSID cloaking/hiding
Legacy Authentication

Methods
Open System Authentication
Shared Key Authentication
Wired Equivalent Privacy (WEP)
Pre-Shared Keys
Status: Deprecated
Open System Authentication

Two-way exchange between the client STA and the AP:
Client STA sends an authentication request
AP then sends an authentication response
No credential is checked, so the response is always a success: Open System is effectively null authentication
It can use WEP for data encryption after authentication and association
Open System Authentication Messages
STA to AP: Authentication frame, algorithm 0 (Open System), sequence number 1
AP to STA: Authentication frame, sequence number 2, status code (success)
Open System and 802.1X/EAP authentication

Authentication methods: radio and user
Open System authenticates the radio (the layer 2 link); 802.1X/EAP then authenticates the user after association
Shared Key Authentication

It uses WEP encryption for authentication
Client STA and AP must be configured with the same static WEP key
Authentication fails if the keys do not match
Shared Key Authentication Messages
STA to AP: authentication request (algorithm 1, Shared Key)
AP to STA: 128-byte cleartext challenge text
STA to AP: the challenge text WEP-encrypted with the static key
AP to STA: authentication response (success if the decrypted challenge matches)
Shared Key Authentication: Weaknesses

An eavesdropper who captures the cleartext challenge and the encrypted challenge in the response can XOR them to recover the RC4 keystream for that IV.
With that keystream the attacker can answer a later challenge under the same IV and authenticate without knowing the key; the known plaintext also helps attacks that recover the static WEP key itself.
Shared Key Authentication is therefore weaker than Open System Authentication with WEP.
Wired Equivalent Privacy (WEP) Encryption

Layer 2 encryption method
Uses ARC4 (RC4)
Encrypts layers 3-7 and the LLC sublayer, i.e. the payload of the 802.11 data frame, the MAC Service Data Unit (MSDU)
WEP Services
Data Integrity
Confidentiality
Access Control
WEP Services
Data Integrity
A data integrity checksum known as the Integrity Check Value (ICV) is computed on the data before encryption and is intended to detect modification in transit
Caveat: the ICV is a CRC-32, which is linear, so an attacker can flip chosen bits of the encrypted payload and correct the ICV without knowing the key; it is not a cryptographic integrity check
WEP Services
Confidentiality
The primary goal of confidentiality was to provide data privacy by encrypting the data before transmission
WEP Services
Access Control
Client stations that do not have the same static WEP key as the access point are refused access to network resources
Wired Equivalent Privacy (WEP) Encryption
Can use either a 40-bit or 104-bit user-supplied key
Prepends a 24-bit Initialization Vector (IV) to the user's key to form the RC4 seed (the "64-bit" and "128-bit" WEP of product marketing)
Wired Equivalent Privacy (WEP) Encryption
The IV is sent in cleartext and a new IV is chosen for every frame
There are only 16,777,216 (2^24) possible IVs
Over time, IVs are repeated, and every repeat reuses a keystream
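The IV-space arithmetic on this slide, as an added example that is not part of the course slides: it computes how soon a 24-bit IV repeats for a sequential counter and for randomly chosen IVs, simulates the first random repeat, and shows why a repeat matters. The frame rate is an assumption, and the keystream passed to the last function is a constructed byte string standing in for RC4 output, since the XOR property holds for any stream cipher.

```python
# Added example, not from the course slides: 24-bit WEP IV exhaustion and
# the consequence of an IV repeat. Frame rates are assumptions; the keystream
# given to keystream_reuse_leak is constructed, standing in for RC4 output.
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs


def sequential_wrap_seconds(frames_per_second: float) -> float:
    """A counter IV is reused after IV_SPACE frames, however fast the link is."""
    return IV_SPACE / frames_per_second


def birthday_collision_probability(frames: int) -> float:
    """P(at least one IV repeat) when every frame picks an IV uniformly at random."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def expected_frames_to_first_repeat() -> float:
    """Birthday bound: about sqrt(pi * N / 2) draws before the first duplicate."""
    return math.sqrt(math.pi * IV_SPACE / 2)


def first_repeat_by_simulation(seed: int) -> int:
    """Draw random IVs until one repeats; returns the index of the repeating frame."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return n
        seen.add(iv)


def keystream_reuse_leak(p1: bytes, p2: bytes, keystream: bytes) -> bytes:
    """Two frames encrypted under the same IV (same key) share keystream K:
    (P1 ^ K) ^ (P2 ^ K) = P1 ^ P2, so the two ciphertexts alone leak the XOR
    of the plaintexts; wherever either plaintext is guessable, both are exposed."""
    c1 = bytes(a ^ k for a, k in zip(p1, keystream))
    c2 = bytes(b ^ k for b, k in zip(p2, keystream))
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,}")
    print(f"sequential IVs wrap after {sequential_wrap_seconds(1000) / 3600:.2f} h at 1000 frames/s")
    print(f"expected first random repeat: ~{expected_frames_to_first_repeat():.0f} frames")
    print(f"P(repeat) within 10,000 frames: {birthday_collision_probability(10_000):.2f}")
    print(f"simulated first repeat (seed 1): frame {first_repeat_by_simulation(1)}")
    leak = keystream_reuse_leak(b"attack at dawn", b"attack at dusk", b"\x5a" * 14)
    print(f"ciphertext XOR reveals plaintext XOR: {leak.hex()}")
```

At 1000 frames per second a counter IV wraps in under five hours, and with random IVs the first repeat is expected after roughly five thousand frames; the leading zero bytes in the leaked XOR show exactly where the two plaintexts agree.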
Wired Equivalent Privacy (WEP) Encryption

Static WEP key can be entered in hex or ASCII characters: 10 hex digits or 5 ASCII characters for 40-bit, 26 hex digits or 13 ASCII characters for 104-bit
Some APs and STAs support up to 4 keys
User selects a default or transmission key
Wired Equivalent Privacy (WEP) Encryption

STA and AP encryption and decryption (diagram)
WEP Encryption Process
RC4 = Rivest Cipher 4, a stream cipher: the IV and the static key are concatenated to seed RC4, and the keystream is XORed with the MSDU plus ICV; the IV is sent in the clear ahead of the ciphertext
CRC = cyclic redundancy check (CRC-32), used to compute the ICV
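The encryption process on this slide and the Shared Key Authentication weakness described earlier, as one added example that is not part of the course slides. It implements RC4, the IV-prefixed seed, the CRC-32 ICV, the challenge/response exchange with the eavesdropper's keystream recovery, and a bit-flip that shows the ICV caveat. The key, IVs, challenge texts and payloads are constructed; the key-entry helper only checks the 5/13 ASCII and 10/26 hex lengths.

```python
# Added example, not from the course slides: WEP's RC4 process with the IV
# prefix and CRC-32 ICV, the Shared Key Authentication keystream-recovery
# attack, and a bit-flip showing that the ICV does not stop modification.
# Key, IVs, challenge texts and payloads are all constructed for the demo.
import struct
import zlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def rc4(key: bytes, length: int) -> bytes:
    """RC4 (ARC4) keystream: key scheduling (KSA), then the generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(text: str) -> bytes:
    """Static key as entered on an AP: 10/26 hex digits or 5/13 ASCII characters
    (40-bit or 104-bit). The 24-bit IV is not part of what the user types."""
    if len(text) in (10, 26) and set(text) <= HEX_DIGITS:
        return bytes.fromhex(text)
    if len(text) in (5, 13):
        return text.encode("ascii")
    raise ValueError("WEP key must be 5/13 ASCII characters or 10/26 hex digits")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(rc4(iv + key, len(data)), data)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Read the cleartext IV, regenerate the keystream, check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(rc4(iv + key, len(body)), body)
    plaintext, tag = data[:-4], data[-4:]
    if icv(plaintext) != tag:
        raise ValueError("ICV check failed")
    return plaintext


def flip_bits_and_fix_icv(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros). Without the
    key, XOR d into the ciphertext and the matching correction into the encrypted
    ICV; the frame still passes wep_decrypt, now with the modified plaintext."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")[:n]
    return iv + xor(body, delta + xor(icv(delta), icv(bytes(n))))


def shared_key_attack(key: bytes) -> bool:
    """Eavesdrop one legitimate Shared Key Authentication, recover the keystream,
    then pass a fresh challenge under the same IV without ever knowing the key."""
    challenge1 = bytes(range(128))                    # AP's 128-byte cleartext challenge
    iv = b"\x4a\x2b\x1c"                               # IV the legitimate STA chose
    response1 = wep_encrypt(key, iv, challenge1)       # both frames are on the air
    keystream = xor(response1[3:], challenge1 + icv(challenge1))  # cipher XOR known plain
    challenge2 = bytes((7 * i + 3) & 0xFF for i in range(128))    # AP challenges attacker
    forged = iv + xor(keystream, challenge2 + icv(challenge2))    # reuse IV and keystream
    return wep_decrypt(key, forged) == challenge2      # AP's check passes, access granted
```

The forged response is accepted because the AP's only check is that decrypting the response under the shared key yields the challenge it sent, and the attacker's 132 recovered keystream bytes cover a challenge plus its ICV exactly.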


WEP Weaknesses

It has been deprecated since it is easily cracked using freely available tools that capture IVs and recover the static key
Temporal Key Integrity Protocol (TKIP)

Designed to replace WEP until stronger encryption (CCMP/AES) was available
No need for legacy equipment replacement, only a firmware upgrade
Also based on ARC4 encryption/decryption
Temporal Key Integrity Protocol (TKIP)

Some features…
Temporal keys:
uses dynamic keys instead of static ones
Sequencing:
uses a TKIP sequence counter (TSC) to avoid replay
attacks
Temporal Key Integrity Protocol (TKIP)

Some features…
Key mixing:
two-phase cryptographic mixing process to produce a
stronger seed to ARC4
Enhanced data integrity:
uses a stronger data integrity check known as Message
Integrity Code (MIC)
Temporal Key Integrity Protocol (TKIP)

Some features…
TKIP countermeasures. If a second MIC failure occurs within 60 seconds, then:
Logging
60-sec shutdown
New temporal keys
Also deprecated: attacks with freely available tools exist, so TKIP must not be relied on
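The sequencing and countermeasure features above, as an added example that is not part of the course slides: a receiver-side model that drops out-of-order TSC values as replays and applies the 802.11i rule that a second Michael MIC failure within 60 seconds triggers a 60-second shutdown and rekey. The Michael MIC itself is not computed; each constructed frame simply carries a mic_ok flag, and timestamps are supplied by the caller.

```python
# Added example, not from the course slides: a receiver-side model of two TKIP
# features, the TSC replay check and the MIC-failure countermeasures. The
# Michael MIC is not computed here; each constructed frame carries a mic_ok
# flag. Timestamps are caller-supplied seconds so the 60 s windows are testable.
from dataclasses import dataclass, field
from typing import List

MIC_FAILURE_WINDOW_S = 60.0  # second MIC failure inside this window triggers countermeasures
SHUTDOWN_S = 60.0            # link stays down this long; fresh temporal keys afterwards


@dataclass
class TkipReceiver:
    last_tsc: int = -1                 # highest TSC accepted under the current keys
    failures: List[float] = field(default_factory=list)
    disabled_until: float = 0.0
    rekeys: int = 0
    log: List[str] = field(default_factory=list)

    def receive(self, tsc: int, mic_ok: bool, now: float) -> str:
        """Process one received MPDU. Order matters: the replay check runs before
        the MIC check, so a replayed frame cannot be used to trigger countermeasures."""
        if now < self.disabled_until:
            return "dropped: countermeasures active"
        if tsc <= self.last_tsc:
            self.log.append(f"{now:.1f}s replay: tsc={tsc} last={self.last_tsc}")
            return "dropped: replay"
        if not mic_ok:
            self.log.append(f"{now:.1f}s MIC failure: tsc={tsc}")
            self.failures = [t for t in self.failures if now - t < MIC_FAILURE_WINDOW_S]
            self.failures.append(now)
            if len(self.failures) >= 2:
                self.disabled_until = now + SHUTDOWN_S
                self.rekeys += 1          # new temporal keys are negotiated after the shutdown
                self.last_tsc = -1        # the TSC restarts with the new keys
                self.failures.clear()
                self.log.append(f"{now:.1f}s countermeasures: {SHUTDOWN_S:.0f}s shutdown, rekey")
                return "dropped: MIC failure (countermeasures triggered)"
            return "dropped: MIC failure"
        self.last_tsc = tsc
        return "accepted"


def demo() -> List[str]:
    """Constructed sequence: a replay, an isolated MIC failure that is only
    logged, then a second failure within 60 s that shuts the link down."""
    rx = TkipReceiver()
    frames = [(1, True, 0.0), (2, True, 0.1), (2, True, 0.2), (3, False, 1.0),
              (4, True, 2.0), (5, False, 30.0), (6, True, 31.0), (1, True, 91.0)]
    return [rx.receive(tsc, ok, t) for tsc, ok, t in frames]
```

The replay-before-MIC ordering is the detail to notice: an attacker replaying old frames cannot use them to rack up MIC failures and force the 60-second outage, which is the denial-of-service angle on the countermeasures.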
MAC Filters

Almost all wireless APs implement access control
Through Media Access Control (MAC) address filtering
MAC Filters

Implementing restrictions
A device can be permitted into the network
A device can be prevented from joining the network
Weak control, since the MAC address appears in cleartext in every frame and can be easily spoofed or impersonated
SSID Cloaking/Hiding
SSID stands for service set identifier
Logical name of the WLAN
Removes the SSID from Beacon frames, so STAs that do not know the SSID will not associate to it
A passive scan will not reveal the SSID, but an active scan will: Probe Responses still carry the SSID, and Probe Requests from clients configured for the hidden network send it in cleartext
Does not secure the WLAN
Might cause problems for WLAN administration and client roaming
Recommendation: broadcast the SSID!
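The passive-versus-active distinction above, as an added example that is not part of the course slides: a parser for the SSID element of 802.11 management frame bodies, run over constructed Beacon, Probe Response and Probe Request bodies for a cloaked network. Only the element layout (ID, length, value) and the 12 fixed bytes of Beacon and Probe Response bodies follow the standard; the SSID "CorpNet" and the field values are made up.

```python
# Added example, not from the course slides: what a passive and an active
# scanner each learn from a cloaked SSID. Frame bodies are hand-built below;
# only the element layout (ID, length, value) follows 802.11 management frames.
import struct
from typing import Dict, Optional

ELEMENT_SSID = 0
ELEMENT_SUPPORTED_RATES = 1
FIXED_FIELDS_LEN = 12  # Beacon/Probe Response: timestamp(8) + interval(2) + capability(2)


def parse_elements(data: bytes) -> Dict[int, bytes]:
    """Walk the tagged parameters; each is ID (1 byte), length (1 byte), value."""
    elems: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        eid, elen = data[i], data[i + 1]
        elems[eid] = data[i + 2:i + 2 + elen]
        i += 2 + elen
    return elems


def extract_ssid(elems: Dict[int, bytes]) -> Optional[str]:
    """None means cloaked: a zero-length SSID, or the length kept but NUL-filled
    (both styles are seen from APs with hiding enabled)."""
    raw = elems.get(ELEMENT_SSID, b"")
    if len(raw) == 0 or raw == bytes(len(raw)):
        return None
    return raw.decode("utf-8", errors="replace")


def ssid_from_beacon_or_probe_response(body: bytes) -> Optional[str]:
    return extract_ssid(parse_elements(body[FIXED_FIELDS_LEN:]))


def ssid_from_probe_request(body: bytes) -> Optional[str]:
    """Probe Request bodies have no fixed fields; elements start at offset 0."""
    return extract_ssid(parse_elements(body))


def build_body(ssid: bytes, with_fixed_fields: bool = True) -> bytes:
    """Constructed frame body: optional fixed fields, SSID element, Supported Rates."""
    rates = bytes([ELEMENT_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    ssid_ie = bytes([ELEMENT_SSID, len(ssid)]) + ssid
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411) if with_fixed_fields else b""
    return fixed + ssid_ie + rates


# Constructed frames from one AP with cloaking on, plus a client that knows it.
BEACON_HIDDEN = build_body(b"")                                   # passive scan sees this
BEACON_NULLS = build_body(b"\x00" * 7)                            # vendor variant of hiding
PROBE_RESPONSE = build_body(b"CorpNet")                           # answer to a directed probe
PROBE_REQUEST = build_body(b"CorpNet", with_fixed_fields=False)  # client asks for it by name


def what_each_scan_learns() -> Dict[str, Optional[str]]:
    return {
        "passive_beacon": ssid_from_beacon_or_probe_response(BEACON_HIDDEN),
        "passive_beacon_nulls": ssid_from_beacon_or_probe_response(BEACON_NULLS),
        "active_probe_response": ssid_from_beacon_or_probe_response(PROBE_RESPONSE),
        "client_probe_request": ssid_from_probe_request(PROBE_REQUEST),
    }
```

The last entry is the one that makes cloaking counterproductive: a client configured for a hidden network has to probe for it by name wherever it goes, so it advertises the SSID on every network it visits.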
Virtual Private Networks (VPNs)
No longer recommended practice for WLAN security, but often implemented since the VPN server is already deployed in the wired network
The solution calls for a firewall (FW) between the WLAN client and the VPN server
FW allows only VPN traffic to pass
VPN client encrypts (decrypts) traffic which is decrypted (encrypted) by the VPN server
Virtual Private Networks (VPNs)

VPN suffers from two major drawbacks for WLAN security
Configuration complexity
Scalability
Recommendation:
For remote access when client STAs connect to the enterprise from a public WLAN, not as the WLAN's own link-layer security
SSID Segmentation

It is a common practice to create different SSIDs for different types of users
SSIDs are typically mapped into individual VLANs, leading to multiple SSIDs per AP
Consequence:
Users are segmented by the SSID/VLAN pair
SSID Segmentation

Recommendation:
Enterprise APs might support up to 16 SSIDs, each of which is mapped into a VLAN
Layer 2 overhead is considerable when all 16 SSIDs are enabled, since each SSID is advertised by its own Beacon sent at the lowest basic rate, leading to up to a 40% performance reduction
Best practice: 3-4 SSIDs
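Where the 40% figure comes from, as an added example that is not part of the course slides: an airtime estimate for per-SSID beacons. The 300-byte beacon, 100 TU interval, 1 Mbps basic rate with a 192 µs long preamble (2.4 GHz worst case) and the 6 Mbps OFDM rate with a 20 µs preamble (5 GHz) are assumptions chosen to illustrate the slide, not measurements, and the OFDM case ignores symbol padding.

```python
# Added example, not from the course slides: estimating beacon airtime per
# radio as the number of SSIDs grows. Frame size, interval, rates and preamble
# times are assumptions typical of 802.11b/g and 802.11a deployments, chosen to
# reproduce the slide's 40% figure; they are not measurements.

BEACON_INTERVAL_US = 102_400  # default 100 TU, one TU being 1024 us


def beacon_airtime_us(frame_bytes: int, rate_mbps: float, preamble_us: float) -> float:
    """Airtime of one beacon: PHY preamble/header plus the frame bits at the rate."""
    return preamble_us + (frame_bytes * 8) / rate_mbps


def beacon_overhead_fraction(num_ssids: int, frame_bytes: int = 300,
                             rate_mbps: float = 1.0, preamble_us: float = 192.0) -> float:
    """Fraction of every beacon interval the radio spends sending beacons.
    Each SSID on a radio gets its own beacon, sent at the lowest basic rate.
    Defaults model 2.4 GHz with 1 Mbps DSSS and a 192 us long preamble."""
    per_interval = num_ssids * beacon_airtime_us(frame_bytes, rate_mbps, preamble_us)
    return min(per_interval / BEACON_INTERVAL_US, 1.0)


def overhead_table(ssid_counts=(1, 3, 4, 8, 16)) -> dict:
    """Side by side: 2.4 GHz worst case and 5 GHz with 6 Mbps OFDM (20 us preamble)."""
    return {
        n: {
            "2.4GHz_1Mbps": round(beacon_overhead_fraction(n), 3),
            "5GHz_6Mbps": round(beacon_overhead_fraction(n, rate_mbps=6.0, preamble_us=20.0), 3),
        }
        for n in ssid_counts
    }


def max_ssids_for_budget(budget_fraction: float, **phy) -> int:
    """Largest SSID count whose beacon overhead stays within the given budget."""
    budget_fraction = min(budget_fraction, 0.999)  # keep the loop finite
    n = 0
    while beacon_overhead_fraction(n + 1, **phy) <= budget_fraction:
        n += 1
    return n


if __name__ == "__main__":
    for n, row in overhead_table().items():
        print(f"{n:2d} SSIDs: 2.4 GHz {row['2.4GHz_1Mbps']:.1%}  5 GHz {row['5GHz_6Mbps']:.1%}")
    print("SSIDs within a 10% beacon budget at 1 Mbps:", max_ssids_for_budget(0.10))
```

With these inputs 16 SSIDs consume about 40% of every beacon interval on a 2.4 GHz radio, three SSIDs stay under a 10% budget, and raising the lowest basic rate (or moving to 5 GHz) shrinks the overhead far more than trimming the beacon does.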
SSID Segmentation: example
Guest SSID/VLAN
Open access
Deny access to local network resources
Routed off to an Internet gateway
Voice SSID/VLAN
Uses WPA2 encryption
VoWiFi clients are routed to the VoIP server
Employee SSID/VLAN
Strong security solutions: WPA2 encryption, ACLs or FWs to access network resources after authentication
