1. IEEE 802.11 Security Specifically WEP, WPA, and WPA2 Brett Boge, Presenter CS 450/650 University of Nevada, Reno

2. IEEE 802.11 standard for wireless LAN (802.11-1997) Ratified September 1999 WEP included 2001 UC Berkeley Fluhrer, Mantin, and Shamir "Weaknesses in the Key Scheduling Algorithm of RC4“ ~2002 WPA 2004 802.11i ratified with WPA2 IEEE 802.11-2007 Introduction / History

3. WEP Wired Equivalent Privacy Part of the original 802.11 standard Uses RC4 for confidentiality Uses CRC32 for integrity 64 bit WEP uses a 40-bit key (aka WEP-40) Limited by the government 128 bit WEP uses a 104-bit key Deprecated in 2004

4. RC4 1987, "Rivest Cipher 4“, aka “Ron’s Code” 1994 spread on the internet Stream cipher KSA (Key scheduling algorithm): S[i] = {0,1,2,3…} j = 0 for i = 0 – 255 j := (j + S[i] + key[i mod keylength]) mod 256mod swap values of S[i] and S[j] end

5. RC4 PRGA: i = 0 j = 0 as long as we need output: i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] output S[(S[i] + S[j]) mod 256]

6. WEP Uses RC4 for encryption Uses CRC32 for integrity Encryption:

7. Fixed-sized input into a crypto function Prevents repetition Uniqueness important WEP uses 24 bit Initialization Vector

8. WEP “Authentication” No real authentication Simply associate, and start sending packets Open System Client requests authentication AP sends back a cleartext challenge Client encrypts challenge with WEP key AP responds positive or negative Shared Key 2 Methods

9. Attacking WEP Fluhrer, Mantin, and Shamir With certain weak IVs, knowing the nth byte of a keystream allows the attacker to derive the n+1th byte. IV’s of form (a + 3, n − 1, x) will help to provide a possible key value at index a 2001 “Weaknesses in the Key Scheduling Algorithm of RC4” Key recovery Requires a sufficiently large number of messages Exploits weak IVs

10. Additional WEP Weaknesses No key management, shared key Statistical attack against duplicate IVs 2005 - FBI showed that WEP can be cracked in 3 minutes using publicly available tools More correlations between the keystream and the key than showed by Fluhrer, Mantin, and Shamir (KSA weaknesses) 2007 - Erik Tews, Andrei Pychkine, and Ralf-Philipp Weinmann 104bit WEP key: 50% - 40,000 80% - 60,000 95% - 80,000

11. 2002 Wi-Fi Alliance WPA stopgap until 802.11i No shared key, uses TKIP 128 bit Per-packed Subject to old weaknesses Uses RC4 to run on old hardware Stronger Integrity, no CRC, uses MACs WPA Wi-Fi Protected Access

12. 2004 Wi-Fi Alliance IEEE 802.11i-2004 No TKIP, uses CCMP as standard Counter Mode with Cipher Block Chaining Message Authentication Code Protocol Block Cipher using AES Mandatory for all devices bearing the Wi-Fi mark WPA2 Wi-Fi Protected Access

13. WPA/WPA2 Authentication WPA-PSK (pre shared key) Home/Office which doesn’t require an authentication server Users use the same key/passphrase to access the network WPA-Personal WPA-801.1x Designed for enterprise networks which have an authentication server More secure as access to the network is not governed by one key (susceptible to dictionary attacks) EAP (extensible authentication protocol) used for authentication WPA-Enterprise

14. Conclusion WEP Many weaknesses, deprecated WPA uses weaker TKIP, better than WEP Less intensive Supported on older equipment WPA2 uses AES 802.11i standard Despite wireless security, using a tunnel (IPsec, SSH) when on a wireless network is a good idea to double your Protection.