IEEE 802.

11 (Wi-Fi) Security
Bheemarjuna Reddy Tamma
IIT HYDERABAD

Adapted from William Stallings textbook on Wireless Security, Kurose and Ross
textbook on Computer Networking and other Internet sources
Wireless Security
 Concerns for wireless security are similar to those
found in Wired networks
 Security requirements are the same:
 Confidentiality, Integrity, Availability, Authenticity,
Accountability
 Most significant source of risk is the underlying wireless
medium which is broadcast in nature
 Key factors contributing to higher security risks
 Broadcast Channel
 Mobility
 Limited Resources
 Accessibility
802.11 LAN (Wi-Fi) architecture
 Wireless host communicates
with base station
Internet
 base station = access point (AP)
 Basic Service Set (BSS) (aka
“cell”)
hub, switch  Building block of IEEE
or router
802.11 WLAN
 In infrastructure mode, BSS
BSS 1 contains:
 Wireless hosts
 AP

BSS 2
How does a STA join an existing BSS in Wi-Fi?
host: must associate with an AP
1) scans channels, listening for beacon frames containing AP’s
name (SSID) and MAC address
2) selects AP to be associated with
3) performs authentication and then associates with BSS
4) will typically run DHCP client to get IP address in AP’s subnet
 Scanning
 Active scanning (Probe-REQ/Probe-Response)
 Passive scanning (listen for period beacons from APs)
 Authentication with AP
 Authentication REQ/Authentication Response
 Only link level encryption of data, not end-to-end
 Association with AP
 Association REQ/Association Response
 STA capabilities, PCF requirements, Power-saving mode, etc
 DHCP (@AP, WLAN controller, or stand-alone server) 4
 DORA (discover, offer, request and ACK)
 How does a STA join an existing BSS?

Supplicant Authenticator

• Authentication Server (AS) provides authentication services to Authenticator

Wireless Security Threats

 Eavesdropping
 Man-in-the-middle (MITM) attacks
 Malicious association to rogue
networks
 Denial of Service (DoS)
Eavesdropping
 Easy to intercept traffic, almost impossible to detect
 By default, everything is transmitted in clear text
 Usernames, passwords, content ...
 No security offered by the transmission medium
 Different tools available on Internet
 Wireshark/Kismet
 With the right equipment, it’s possible to eavesdrop
from few kilometers away
 Affects Confidentiality of data exchanged
 Countermeasures
 Encryption and signal-hiding techniques
Denial of Service (DoS)
 Frequency jamming
 Not very technical, but works very well
 Spoofed deauthentication / disassociation messages
 can target one specific user
 Spoofed MAC control packets
 Evil Twin: Rogue APs on legitimate WLAN system
 Only client side authentication
 Black hole evil twin
 Battery exhaustion
 Attacks on higher levels
 SYN Flooding
 Ping of death
 ...
Wireless MITM Attack
1. Attacker spoofes a
disassociate message from
the victim
2. The victim starts to look
for a new access point,
and the attacker
advertises his own AP on
a different channel, using
the real AP’s MAC
address
3. The attacker connects to
the real AP using victim’s
MAC address
 Affects Integrity
Wi-Fi Security Solutions
 Wired Equivalent Privacy (WEP)
 Wireless Protected Access (WPA)
 IEEE 802.11i (WPA2)
 WPA3 (coming this year!)
Wired Equivalent Privacy (WEP)
 Original security solution offered by IEEE 802.11 standard
 Uses RC4 encryption with pre-shared keys (40-bit or 104-
bit) and 24-bit Initialization Vectors (IV)
 40-bit: 10 Hex chars or 5 ASCII chars
 104-bit: 26 Hex chars or 13 ASCII chars

Key Key
stream stream

http://www.dartmouth.edu/~madory/RC4/wepexp.txt
Credits: https://asecuritysite.com/encryption/rc4_wep
 802.11 Security (WEP)

Credit: Kevin Benton

• WEP employs RC4 algo (stream cipher) for encryption of Wi-Fi MAC frame
• Weakness: 24-bit IV is txed in plain text and hence allows attacker to crack
12
the shared secret kept (40-bit) by capturing millions of WEP pkts
Wired Equivalent Privacy (WEP)
 Flawed design, easily broken
 There’s no key management;
 All users always share the same WEP key
• Used for both authentication and encryption 
 IV is too small, sent in clear text and its reuse causes problems
 Tools to break WEP are widely available on Internet (e.g., AirCrack-ng)
 No cryptographic integrity protection
 Offers very little security at all

http://www.dartmouth.edu/~madory/RC4/wepexp.txt
https://asecuritysite.com/encryption/rc4_wep
 WLAN security mechanisms
Wireless Protected Access 2 (WPA2)
 WPA2 is the Wi-Fi alliance name for the 802.11i amendment to the
IEEE standard, which is now part of 802.11-2012
 Robust security network (RSN) = name of WPA2 in the standard
 Uses 802.1X for access control
 Uses EAP for authentication and key exchange, e.g., EAP-TLS
 Confidentiality and integrity protocol: AES-CCMP

Historical: WPA
 Used in the transition period before the 11i standard was finalized
and before AES support in NIC hardware
 TKIP encryption = RC4 with frequently changing keys and other
enhancements
 Security of TKIP and WPA is now considered broken; always
disable them in your (old) AP!

14
 802.11i RSN security services
 Access control: enforces the use of the
authentication function, routes the messages
properly, and facilitates key exchange
 It can work with a variety of authentication protocols
 Authentication: between a user and an
Authentication Server that provides mutual
authentication and generates temporary keys to be
used between the client and the AP over the wireless
link
 Privacy with message integrity: MAC-level data
are encrypted along with a message integrity code
that ensures that the data has not been altered
 Elements
of
IEEE 802.11i
 Authentication and Key Management
Architecture

Out of scope of
802.11i standard

Wireless Access Point Authentication Server

Station

EAP-TLS

EAP

802.1X (EAPoL) RADIUS

802.11 UDP/IP

17
 802.1X stack and specifications

TLS (RFC5246)

EAP-TLS (RFC5216)

EAP (RFC3748, 5247)

EAP over RADIUS (RFC3579)

Server
Authentication
STA

EAPOL
RADIUS (RFC2865)
(IEEE 802.1X)
TCP/IP

IEEE 802.11 AP IEEE 802.3 or other

18
 RSN key hierarchy

*********** 802.1X
Two alternative ways to
Passphrase authentication
obtain keys:

!
 802.1X authentication=
WPA2-EAP =
Pre-Shared Key PSK = Master Session Key
PBKDF2(Passphrase) MSK WPA2-Enterprise
 Preshared key (PSK)
authentication = WPA2-
Pairwise Master Key PMK = PSK =
PSK or MSK WPA2-Personal
 Home/small business
 No AS in network
Pairwise Temporal Key PTK =  No mutual auth
PRF(PMK,BSSID,MACaddrSTA,NAP,NSTA)
split

Key Confirmation Key KCK Key Encryption Key KEK Temporal Key TK
(for encrypting the (key material
group i.e. broadcast key) for session keys)
19
 IEEE 802.1X
• IEEE Std 802.1X-2004
• Port based network access control mechanism offering authentication
services for 802 LAN attachments
• Originally intended for enabling and disabling physical ports on switches and
modem banks
• Also used in Ethernet switches and Wi-Fi APs
• Uses Extensible Authentication Protocol (EAP) to support many
authentication methods; usually EAP-TLS
• Encapsulation of Extensible Authentication Protocol (EAP) messages is
defined in 802.1X and known as EAP over 802 LANs (EAPOL)
• EAPOL operates at the network layer
• Defines two logical port entities at switch/AP
• Controlled port: To allow/prevent network traffic from/to the controlled port
• Uncontrolled port: To send/receive EAPOL frames
 802.1X Access Control in 802.11i

(authenticator)

(Supplicant)
 802.11i/802.1X architecture

Wired LAN
or Internet !
Supplicant Authenticator Authentication Server
(STA) (AP) (RADIUS Server)

• Supplicant wants to access the wired network via the AP, so it sends
Authentication credentials to Authentication Server (AS) with EAP
• AS authenticates the supplicant and ”tells” the AP whether access to
controlled ports should be allowed or not
• So, AP is simply a pass-through device during authentication process
• Authenticator (AP) then enables network access for the supplicant
after successful authentication
• E.g., IITH Wi-Fi and Eduroam services 23
 EAP Encapsulation over EAPOL/Radius

Credits: Arran Cudbard-Bell

• Extensible Authentication Protocol (EAP), defined in IETF RFC5247 enables extensible

network access authentication
• EAP provides a framework for for robust user authentication and encryption key exchange
• Security is provided by the authentication protocol carried inside EAP, not by EAP itself
like EAP-TSL, EAP-SIM, etc
• In Wi-Fi, WPA and WPA2 (802.11i) standards have adopted IEEE 802.1X with several EAP
Types (e.g., EAP-TLS, PEAP) as the official authentication mechanisms
• EAP-TLS= TLS handshake over EAP, RFC 2246 (certificate-based)
• In 802.1X, AP is a pass-through device: it forwards most EAP messages without reading
them
 802.11i Operational Phases

Station Access Point Authentication Server

Security capabilities
discovery

802.1X authentication

802.1X key management RADIUS-based key

distribution
Data protection

25
IEEE 802.11i Phases of Operation
 IEEE
802.11i

Phases
of
Operation
Phases of
Operation
 IEEE 802.11i

Key Hierarchies
 Purpose of each phase (1/2)

Discovery
 Determine promising parties with whom to communicate
 AP advertises network security capabilities to STAs

802.1X authentication
 Centralize network admission policy decisions at the AS
 STA determines whether it does indeed want to
communicate
 Mutually authenticate STA and AS/AP
 Generate Master Key as a side effect of authentication
 Use master key to generate session keys = authorization
token

30
 Purpose of each phase (2/2)
RADIUS-based key distribution
 Remote access dial-in user service (RADIUS), not part
of 11i, but is the de facto back-end protocol (RFC 2138)
 Encapsulates EAP messages as a RADIUS attribute
 RADIUS has its own security protocol based on shared
keys between the endpoints (AP and server)!
 AS moves (not copies) session key (PMK) to STA’s AP

802.1X key management

 Bind PMK to STA and AP
 Confirm both AP and STA possess PMK
 Generate fresh operational key (PTK)
 Prove each peer is live
 Synchronize PTK use 31
 Authentication Overview
STA
AP

STA 802.1X blocks port AP 802.1X blocks port for

AS
for data traffic data traffic

802.1X/EAP-Request Identity

802.1X/EAP-Response
Identity (EAP type specific)
RADIUS Access
Request/Identity

EAP type specific

mutual authentication

Derive Pairwise Master Key (PMK) Derive Pairwise Master Key (PMK)

RADIUS Accept (with PMK)

802.1X/EAP-SUCCESS

802.1X RADIUS 32
33
 Example –EAP-TLS (1/2)
STA
AP

AP-RADIUS Key AS
802.1X/EAP-Request Identity

802.1X/EAP-Response RADIUS Access Request/EAP-

Identity (My ID) Response Identity

RADIUS Access
802.1X/EAP-Request(TLS) Challenge/EAP-Request

802.1X/EAP-Response(TLS RADIUS Access Request/EAP-

ClientHello(random1)) Response TLS ClientHello

802.1X/EAP-Request(TLS RADIUS Access

ServerHello(random2) || TLS Challenge/EAP-Request
Certificate || TLS
CertificateRequest || TLS
server_key_exchange || TLS
server_done)

35
 Example – EAP-TLS (2/2) AS

STA AP

AP-RADIUS Key

MasterKey = TLS-PRF(PreMasterKey, “master secret” || random1 || random2)

802.1X/EAP-Response(TLS
client_key_exchange || TLS || TLS RADIUS Access Request/EAP-
certificate || TLS certificateVerify || Response
TLS change_cipher_suite || TLS
finished
802.1X/EAP-Request(TLS RADIUS Access
change_cipher_suite || TLS Challenge/EAP-Request
finished)
802.1X/EAP-Response RADIUS Access Request/EAP-
Response Identity

PMK = TLS-PRF(MasterKey, “client EAP encryption” || random1 || random2)

RADIUS Accept/EAP-
802.1X/EAP-Success Success, PMK

36
 Full WPA2 Authentication (EAP-TLS) & Key Exchange

Wireless [Probe-Request] Access Authentication

Station Point Server
Beacon or Probe-Response (RADIUS
(STA) (AP)
Authentication-Request Server)

!
Authentication-Response
Association-Request
EAP-TLS
Association-Response inside EAPOL EAP-TLS
inside RADIUS
EAP Request / Identity
EAP Response / Identity RADIUS-Access-Request
EAP-TLS Request (start) RADIUS-Access-Challenge
EAP-TLS Response ClientHello RADIUS-Access-Request
ServerHello, Certificate,
EAP-TLS Request ServerKeyExchange,
CertificateRequest, ServerHelloDone
RADIUS-Access-Challenge
Certificate, ClientKeyExchange,
EAP-TLS-Response CertificateVerify,
ChangeCipherSpec, Finished
RADIUS-Access-Request
EAP-TLS Request ChangeCipherSpec,
Finished RADIUS-Access-Challenge
EAP-TLS-Response (empty) RADIUS-Access-Request
EAP Success RADIUS-Access-Accept
EAPOL-Key (4-way handshake)
Key material from
EAPOL-Key (4-way handshake) TLS sent to AP
EAPOL-Key (4-way handshake)
EAPOL-Key (4-way handshake)
 Authentication Summary
At the end of authentication
 The AS and STA have established a session
 The AS and STA possess a mutually
authenticated Master Key
 Master Key represents decision to grant access based
on authentication
 STA and AS have derived PMK
 PMK is an authorization token to enforce access control
decision
 AS has distributed PMK to an AP (hopefully, to the
STA’s AP!)
For data tx in 802.11i (WPA2)
 WPA2-TKIP vs WPA2-AES encryption protocols
 TKIP (Temporal Key Integrity Protocol) from WPA
 AES (Advanced Encryption Standard) for WPA2
 WPA2-Enterprise (uses 802.1X) vs WPA2-Personal (uses PSK)38
 Both reply on AES-CCMP to encrypt data over the air
How does a STA join an existing BSS?
DHCP: DORA

39
 IITH Wi-Fi
 Cisco Aironet 3700 Series Access Points
• Dual-band 2.4 and 5 GHz with 802.11ac Wave 1 (draft std) support
• Servers 11a/b/g/n/ac STAs /w integrated radios
• Supports 20-, 40- and 80 MHz channels
• Max Tx Power of 23 dBm (200 mW)
• 4*4 MIMO with 3 spatial streams
• A-MSDU and A-MPDU aggregation, WMM (11e)
• 802.11 Dynamic Frequency Selection (DFS)
• PHY data rates up to 1.3 Gbps (80 MHz on 5 GHz)
• Data Sheet
 Cisco 5508 WLAN Controller
• CAPWAP Architecture where APs are kept in light-weight (split-MAC) mode
• CAPWAP: Control and Provisioning of Wireless Access Points, IETF std
• Timing-dependent operations are generally managed locally on CAPWAP AP,
while more complex, less time-dependent operations are managed on the WLC
• Beacons, control and data frames, encryption by CAPWAP AP, rest by WLC
• Central configuration, management of APs & two-way (UDP) tunneling of traffic
b/w Controller and APs
• Load-balancing, interference management (DFS), Uninterrupted network access
when roaming, QoS, power control, etc
• Supports up to 500 APs and 7000 STAs
40
 Data Sheet
 IITH Wi-Fi

PEAP-Microsoft Challenge
Authentication Protocol
Version 2 (PEAP-
MSCHAPv2): TLS tunnel

Secure Wireless Topology, EAP Message Flow, Credit: Cisco

41
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html
 EAP-TLS

Client certificate management would be a burden

42
https://mrncciew.com/2013/03/03/eap-overview/
 PEAP

43
https://mrncciew.com/2014/08/25/cwsp-eap-peap/
Hacking Wi-Fi Networks
 Tools of the trade
 Wireshark/TCPDUMP
 Kismet
 WEPCrack/AirSnort
 AirCrack NG
 CoWPAtty
 NetStumbler
 WiFuzz
 Pyrit, Fern
 Cain & Able
 AirXploit
 etc 44
Kismet
 Kismet is a passive scanner for Linux
 The software is advertised as being more than just a
wireless network detector.
 Kismet is also a sniffer and an intrusion detection system
 Wireshark- and Tcpdump-compatible data logging
 Compatible with AirSnort and AirCrack
 Network IP range detection
 Detection of hidden network SSIDs
 Graphical mapping of networks
 Manufacturer and model identification of APs and clients
 Detection of known default AP configurations
 Kismet can be used to conduct wardriving, but it can also
be used to detect rogue APs on a company’s network
Other tools
 AirSnort was the first widely used WEP-cracking
program and woke up nonbelievers who thought
WEP was enough protection for Wi-Fi!
 AirCrack-NG is the tool most hackers use to access
WEP/WPA2-PSK WLANs
 airmon-ng
 airodump-ng
 aireplay-ng
 aircrack-ng
 WPA2-PSK Offline Dictionary Attack
Access Point

Wireless Channel Ethernet

Laptop computer

PMK Known, PMK Known,

Last Seen < n Counter = n
{AA, ANonce, n, msg1}

PTK=PRF{PMK,AA||SA||Anonce||Snonce}
{SPA, SNonce, n, msg2, MICPTK(SNonce, n, msg2)}

Derive PTK, Counter = n+1

{AA, ANonce, n+1, msg3, MICPTK(ANonce, n+1, msg3)}

Install PTK,
Last Seen = n+1 {SPA, n+1, msg4, MICPTK(n+1, msg4)}

Install PTK,
The MIC is calculated using HMAC_MD5, which takes Counter = n+2
its input from the KCK Key within the PTK.
KRACK: Key Reinstallation Attacks
on WPA2
 Discovered by Mathy Vanhoef, KU Leuven in 2017
 Kind of weakness/ambiguity in .11i std, so affects vary
across OS implementations
 So, any device with Wi-Fi radio is most likely affected
 Linux and Android 6.0 or higher are highly vulnerable
 All data from victim can be decrypted
 Main attack is against the 4-way handshake of the
WPA2 protocol
 Both WPA2-Personal and WPA2-Enterprise
 It does not recover passphrase of Wi-Fi network
 Also do not recover (any parts of) the fresh encryption key that is
negotiated during the 4-way handshake.
KRACK: WPA2 Attacks (Videos)
 KRACK
 https://www.youtube.com/watch?v=Oh4WURZoR98
 https://blog.mojonetworks.com/wpa2-vulnerability
 YouTube Playlist on WPA2 Attacks
 https://www.youtube.com/watch?v=fOgJswt7nAc
WPA3: OWE
 OWE: Opportunistic Wireless Encryption for
Open SSIDs
 IETF RFC 8110
 Encryption w/o authentication like HTTPS browsing
 Meant for open/public APs
 Diffie Hellman key exchange, does n’t require any certs
 OWE handshake using Re(association) REQ/RES negotiates a
new PMK b/w STA and AP
 Not a replacement for any of existing auth methods
 Does not offer AUTH (both client-side and AP-side)
 Sol for client-side AUTH: Captive portal
 No sol for server-side AUTH
• Honeypots and Evil Twins can still be setup
WPA3: Dragonfly
 Dragonfly: Offline Dictionary Attack
Resistance for PSK Passwords
 Even when users choose weak passwords
 IRTF RFC 7664 and Section 12.4 (SAE) of IEEE 802.11 Std
• Simultaneous Authentication of Equals (SAE)
 It uses Diffie Hellman key exchange to facilitate both
the encryption key generation and mutual AUTH
 SAE handshake to derive a fresh PMK at STA and AP after
mutual AUTH
 PMK is used to get PTK by doing 4-way handshake as usual
 Forward secrecy: Even if passphrase is leaked at a
later point in time, it still cannot be used to decrypt
the eavesdropped packets from the past
Counter Measures for Wireless Attacks
 Many countermeasure, such as using certificates on all
wireless devices, are time consuming and costly
 Be sure wireless users are authenticated before being
able to access any network resources
 Deploy honeypots which are hosts or networks available
to the public that entice hackers to attack them instead of
a company’s real network
 To make it more difficult for wardrivers to discover your
WLAN, you can use Black Alchemy Fake AP (available
free at ww.blackalchemy.to/project/fakeap/).
 As its name implies, creates fake APs, which keeps war-drivers
so busy trying to connect to nonexistent wireless networks that
they don’t have time to discover your legitimate AP.
Wireless Security Techniques
allow only specific
Use 802.1x based
computers to
Auth & Protected
access your
Mgmt Frames
wireless network

use wireless IDS, change your

anti-virus and anti- router’s pre-set
spyware software password for
and a firewall administration

change the
turn off identifier
identifier on your
broadcasting, apply
router from the
patches ASAP
default
 References

 IEEE 802.11 Stds:

http://standards.ieee.org/about/get/802/802.11.html
 802.11i and 802.11w
 https://code.google.com/archive/p/wifuzz/wikis/WiFuzz.wiki
 http://www.secdev.org/projects/scapy/
 https://www.eetimes.com/document.asp?doc_id=1206324
 https://www.krackattacks.com/
 https://asecuritysite.com/encryption/
 WPA3:
 https://blog.mojonetworks.com/wpa3-security-enhancements
 http://www.mathyvanhoef.com/2018/03/wpa3-technical-details.html
Final Exam
 Mid-sem exam 2
 Syllabus: Topics covered after mid-sem break
 Date: April 27 at 11AM
 Venue: A-317
 MPDU Exchange

authentication phase consists of three phases:

 connect to AS
 the STA sends a request to its AP that it has an association with for
connection to the AS;
 the AP acknowledges this request and sends an access request to the AS
 EAP exchange
 authenticates the STA and AS to each other
 secure key delivery
 once authentication is established, the AS generates a master session key
and sends it to the STA
 IEEE
802.11i

Keys
for Data
Confidentialit
y and
Integrity
Protocols
 Temporal Key Integrity Protocol
(TKIP)
• designed to require only software changes to devices that are
implemented with the older wireless LAN security approach called
WEP

• provides two
services:

message data
integrity confidentiality

adds a message provided by

integrity code to encrypting the
the 802.11 MAC MPDU
frame after the
data field
 Counter Mode-CBC MAC Protocol
(CCMP)
Intended for newer IEEE 802.11 devices that are equipped with the
hardware to support this scheme

Provides two services:

Message Data
integrity confidentiality

Uses the CTR

Uses the cipher- block cipher mode
block-chaining of operation with
message AES for encryption
authentication code
(CBC-MAC)
Pseudorandom Function