Wi-Fi Security Protocols

In today’s world Wi-Fi has become the essential thing in our daily routine. The wireless networks are also not secure in this digital age.


New flaws and exploits are found on a daily basis, and Wi-Fi is no exception. Let’s look at how it works and at the flaws present in it.

Before diving deep into the protocols and standards, here is an overview of Wi-Fi.

Wi-Fi (802.11), an IEEE wireless communication standard, has 14 channels. These channels range from 2.412 GHz (Channel 1) and 2.417 GHz (Channel 2) up to 2.484 GHz (Channel 14), and an interface can operate in 6 modes: Master, Managed, Ad-Hoc, Mesh, Repeater and Monitor. Since the terms packet and frame are familiar to everyone, let’s jump to the main topic: Wi-Fi security protocols and the flaws in them.



Wired Equivalent Privacy (WEP) is the security protocol that uses 64-, 128- and 256-bit keys; the 256-bit key is rarely used. An Initialization Vector is used together with RC4 for the encryption. The interesting fact about WEP is that it uses a CRC (Cyclic Redundancy Check) for integrity instead of a MAC (Message Authentication Code).

Where's the Flaw?

The initialization vector is 24 bits long, RC4 is a stream cipher, and a stream-cipher key must never be used twice. WEP uses a 64/128-bit key which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key.

64 Bit key is made of 24bit IV + 48bit key (12 hex characters)

128 Bit key is made of 24bit IV + 104bit key (26 hex characters)

The IV is sent in plain text, and its sole purpose is to avoid keystream repetition, but 24 bits is too little to guarantee that on a busy network. With a 24-bit IV, the probability that an IV repeats reaches 50% after roughly 5000 packets.
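To make the two claims above concrete, here is an added example (not code from the original post): it computes the birthday-bound probability of an IV repeat for a 24-bit IV space, shows why a repeat is fatal for a stream cipher (XOR of two ciphertexts under the same IV and key equals the XOR of the plaintexts, since the keystream cancels out), and includes a small detector that flags repeated IVs per BSSID in a list of captured frames. The RC4 implementation, the secret key, the IVs and the frame list are all constructed for the example.

```python
import math
from collections import Counter

IV_BITS = 24  # WEP IV length


def iv_collision_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Probability that at least one IV value repeats among `packets` frames,
    assuming IVs are drawn uniformly at random (the birthday bound).
    Computed with the exact product form in log space to avoid underflow."""
    space = 1 << iv_bits
    if packets > space:
        return 1.0
    log_no_collision = 0.0
    for k in range(packets):
        log_no_collision += math.log1p(-k / space)
    return 1.0 - math.exp(log_no_collision)


def packets_for_probability(p: float, iv_bits: int = IV_BITS) -> int:
    """Approximate number of frames after which a repeat has probability p
    (standard birthday approximation n ~ sqrt(2 * N * ln(1/(1-p))))."""
    space = 1 << iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - p))))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA) returning `length` keystream bytes. Educational
    implementation written for this example; RC4 is broken and must not be
    used for anything real."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_body(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style body encryption: traffic key = IV || secret key, then XOR with
    the RC4 keystream. The CRC-32 ICV WEP appends is omitted for clarity."""
    return xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were encrypted under the same IV and key, this equals
    p1 XOR p2: the keystream cancels and the plaintexts are exposed to each other."""
    return xor_bytes(c1, c2)


def find_iv_reuse(frames):
    """frames: iterable of (bssid, iv) pairs taken from captured WEP data frames.
    Returns {(bssid, iv): count} for every IV seen more than once under one BSSID,
    which is the condition a monitoring tool should alert on."""
    counts = Counter((bssid, iv) for bssid, iv in frames)
    return {key: n for key, n in counts.items() if n > 1}


# Constructed sample: a 104-bit secret key, two frames sent under the same IV.
SAMPLE_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
SAMPLE_IV = bytes.fromhex("a1b2c3")
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "a1b2c3"),
    ("00:11:22:33:44:55", "000001"),
    ("00:11:22:33:44:55", "a1b2c3"),  # repeat of the first IV on the same AP
    ("66:77:88:99:aa:bb", "a1b2c3"),  # same IV but a different BSSID/key: not a reuse
]

if __name__ == "__main__":
    print(f"50% IV-collision point: ~{packets_for_probability(0.5)} packets")
    print(f"P(repeat) after 5000 packets: {iv_collision_probability(5000):.3f}")
    print("IV reuse found:", find_iv_reuse(SAMPLE_FRAMES))
```

The 50% point comes out at about 4823 packets, which is the "roughly 5000" figure quoted above; on a busy network that is a matter of minutes, so any monitoring that still sees WEP traffic should treat repeated IVs per BSSID as a finding rather than a curiosity.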

Here is the WEP schema diagram to illustrate this (image source: haifux; the image itself is not reproduced here).

There are 2 ways for the authentication: Open and Shared Key

In Open System authentication any station, regardless of its WEP keys, can authenticate itself to the Access Point and then attempt to associate. The only catch is that the correct key is still required to exchange encrypted data afterwards.

While in Shared Key authentication, a four-way handshake happens:

1. Authentication Request
2. AP acknowledges back with a clear-text challenge
3. Client sends the challenge encrypted
4. AP decrypts it and authenticates the client by checking the key

Shared Key is actually less secure, because the challenge-response mechanism lets an attacker obtain Initialization Vectors by observing the challenge and its response.

The attacking methods:

Passive, also known as silent mode: sniffing the air for packets without sending any data to the AP or clients.

Active: breaking the key while sending data to the AP or client.


WPA with TKIP (Temporal Key Integrity Protocol) was created after WEP. The purpose was to close all of WEP's vulnerabilities while running on the same hardware. The encryption algorithm remained RC4; the major change was TKIP. TKIP basically works by generating a sequence of WEP-style keys from a master key and re-keying periodically, before enough data has been sent under one key to make it attackable.

Where's the Flaw?

3 steps are required to crack WPA:

1. Send a De-Auth to the AP
2. The AP re-authenticates the client
3. Capture the handshake and brute-force it

Beck-Tew attack on WPA: it allows an attacker to decrypt a packet without knowing the key. The Beck-Tew attack is based on the Chop-Chop attack.

So WPA2 is a better solution than WEP and WPA1, with stronger confidentiality.

WPA2 with AES

WPA2 was built on CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which is AES-based encryption. However, WPA2 is also vulnerable: it is vulnerable to a brute-force attack on the captured 4-way handshake. The length and complexity of the password are the key factor in whether that attack succeeds.

Basics to ensure Wi-Fi security:

Keep your router's firmware updated.

Use WPA2 (AES), as it’s the strongest protocol currently. If your router offers WPA2 with either TKIP or AES, it's always recommended to go for AES: it’s faster and more secure.

Make your Wi-Fi network hidden if possible
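The WPA2 paragraph above says the passphrase is the key factor, and the checklist says to prefer WPA2 with AES over TKIP, WPA or WEP. The following added example (not code from the original post) turns both into a small audit: it walks a constructed set of router settings (not any vendor's real export format), flags WEP, WPA and TKIP, estimates passphrase entropy, and derives the WPA2-PSK pairwise master key with the standard PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes, SSID as salt) to show that the SSID is public and the passphrase is the only secret input. The 60-bit entropy threshold and the sample SSIDs and passphrases are assumptions made for the example.

```python
import hashlib
import math

# Constructed sample of router settings keyed by SSID (example data, not a real export).
EXAMPLE_CONFIGS = {
    "GuestNet":  {"security": "WEP",  "cipher": None,   "passphrase": "1234567890"},
    "LegacyAP":  {"security": "WPA",  "cipher": "TKIP", "passphrase": "sunshine1"},
    "HomeMixed": {"security": "WPA2", "cipher": "TKIP", "passphrase": "correct horse battery"},
    "Office":    {"security": "WPA2", "cipher": "CCMP", "passphrase": "Q7#vLm2$pXr9!dWb4tZc"},
}

MIN_ENTROPY_BITS = 60  # assumed policy threshold for this example


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes used).
    Overestimates dictionary words, so treat it as an upper bound."""
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(not c.isalnum() for c in passphrase):
        charset += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(charset) if charset else 0.0


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate.
    Each WPA2-PSK guess costs one PBKDF2 run of 4096 iterations."""
    return (2.0 ** entropy_bits) / guesses_per_second


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key as specified by IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit_wifi_config(ssid: str, cfg: dict, min_entropy: float = MIN_ENTROPY_BITS) -> list:
    """Return a list of findings (empty list means the config passes this check)."""
    findings = []
    security = cfg.get("security")
    cipher = cfg.get("cipher")
    if security == "WEP":
        findings.append("WEP in use: RC4 with a 24-bit IV is broken; migrate to WPA2 (AES)")
    elif security == "WPA":
        findings.append("WPA (TKIP) in use: RC4-based and deprecated; migrate to WPA2 (AES)")
    if cipher == "TKIP":
        findings.append("TKIP cipher selected: switch to AES/CCMP")
    entropy = passphrase_entropy_bits(cfg.get("passphrase", ""))
    if entropy < min_entropy:
        findings.append(
            f"passphrase entropy ~{entropy:.0f} bits is below {min_entropy}: "
            "the handshake can be brute-forced offline, use a longer passphrase"
        )
    return findings


def audit_all(configs: dict) -> dict:
    return {ssid: audit_wifi_config(ssid, cfg) for ssid, cfg in configs.items()}


if __name__ == "__main__":
    for ssid, findings in audit_all(EXAMPLE_CONFIGS).items():
        print(ssid, "->", findings or "OK")
    # The SSID is broadcast, so the PMK's only secret input is the passphrase.
    print("HomeMixed PMK:", wpa2_pmk("correct horse battery", "HomeMixed").hex())
```

Hiding the SSID does not change the PMK derivation, since the SSID is still sent in probe and association frames; the items that actually raise the attacker's cost are the move to CCMP and a long passphrase, which is why the audit reports them rather than the network's visibility.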
