2. Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized at the same time, as if the two were holding a conversation Researchers and scholars who have studied the data on avian communication carefully write the (a) the communication code of birds such has crows has not been broken by any means; (b) probably all birds have wider vocabularies than anyone realizes; and (c) greater complexity and depth are recognized in avian communication as research progresses. —The Human Nature of Birds, Theodore Barber

3.  IEEE 802 committee for LAN standards  IEEE 802.11 formed in 1990’s ◦ charter to develop a protocol & transmission specifications for wireless LANs (WLANs)  since then demand for WLANs, at different frequencies and data rates, has exploded  hence seen ever-expanding list of standards issued

5.  802.11b first broadly accepted standard  Wireless Ethernet Compatibility Alliance (WECA) industry consortium formed 1999 ◦ to assist interoperability of products ◦ renamed Wi-Fi (Wireless Fidelity) Alliance ◦ created a test suite to certify interoperability ◦ initially for 802.11b, later extended to 802.11g ◦ concerned with a range of WLANs markets, including enterprise, home, and hot spots

8.  wireless traffic can be monitored by any radio in range, not physically connected  original 802.11 spec had security features ◦ Wired Equivalent Privacy (WEP) algorithm ◦ but found this contained major weaknesses  802.11i task group developed capabilities to address WLAN security issues ◦ Wi-Fi Alliance Wi-Fi Protected Access (WPA) ◦ final 802.11i Robust Security Network (RSN)

9.  Symmetric key crypto ◦ Confidentiality ◦ Station authorization ◦ Data integrity  Self synchronizing: each packet separately encrypted ◦ Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost ◦ Unlike Cipher Block Chaining (CBC) in block ciphers  Efficient ◦ Can be implemented in hardware or software 9

10.  Combine each byte of keystream with byte of plaintext to get ciphertext  m(i) = ith unit of message  ks(i) = ith unit of keystream  c(i) = ith unit of ciphertext  c(i) = ks(i)  m(i) (  = exclusive or)  m(i) = ks(i)  c(i)  WEP uses RC4 10 keystream generator key keystream

11.  Recall design goal: each packet separately encrypted  If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted ◦ Need to know where we left off for packet n  WEP approach: initialize keystream with key + new IV for each packet: 11 keystream generator Key+IV packet keystream packet

12.  Sender calculates Integrity Check Value (ICV) over data ◦ four-byte hash/CRC for data integrity  Each side has 104-bit shared key  Sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key  Sender also appends keyID (in 8-bit field)  128-bit key inputted into pseudo random number generator to get keystream  data in frame + ICV is encrypted with RC4: ◦ Bytes of keystream are XORed with bytes of data & ICV ◦ IV & keyID are appended to encrypted data to create payload ◦ Payload inserted into 802.11 frame 12 encrypted dataICVIV MAC payload Key ID

13. 13 New IV for each frame

14.  Receiver extracts IV  Inputs IV and shared secret key into pseudo random generator, gets keystream  XORs keystream with encrypted data to decrypt data + ICV  Verifies integrity of data with ICV ◦ Note that message integrity approach used here is different from the MAC (message authentication code) and signatures (using PKI). 14 encrypted dataICVIV MAC payload Key ID

15. 15 Nonce: number (R) used only once –in-a-lifetime How: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R K (R) A-B Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

16. 16 AP authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association.

17. security hole:  24-bit IV, one IV per frame, -> IV’s eventually reused  IV transmitted in plaintext -> IV reuse detected  attack: ◦ Trudy causes Alice to encrypt known plaintext d 1 d 2 d 3 d 4 … ◦ Trudy sees: c i = d i XOR k i IV ◦ Trudy knows c i d i, so can compute k i IV ◦ Trudy knows encrypting key sequence k 1 IV k 2 IV k 3 IV … ◦ Next time IV is used, Trudy can decrypt!

18.  numerous (stronger) forms of encryption possible  provides key distribution  uses authentication server separate from access point

19. AP: access point AS: Authentication server wired network STA: client station 1 Discovery of security capabilities 3 STA and AS mutually authenticate, together generate Master Key (MK). AP servers as “pass through” 2 3 STA derives Pairwise Master Key (PMK) AS derives same PMK, sends to AP 4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity

21. wired network EAP TLS EAP EAP over LAN (EAPoL) IEEE 802.11 RADIUS UDP/IP  EAP: end-end client (mobile) to authentication server protocol  EAP sent over separate “links” ◦ mobile-to-AP (EAP over LAN) ◦ AP to authentication server (RADIUS over UDP)