WLANSecurity&Encryption

JosefDengg,WolfgangFriedl,PhilippHrtler,MarkusJger,ManuelLehner,CsabaMacsksi, MichaelMatscheko,GregorPumberger,AlexanderRitt,MichaelWasilewski

Abstract.Wirelessnetworksareespeciallypronetosecurityexploits,thereforeafewthings

shouldbekept inmindbyanyoperatorofwireless access pointsinordertokeepthe network secure from outside intrusion. First of all the Access Points management interface
shouldonlybeaccessedviawiredconnectionoratleastviaasecureconnection.Asitwasstated before,notalloftodayscommonencryptionstandardsaresecure,soitisrecommendedtousea standard whichisnotalreadycrackedorpossibletocrack.ThereforeWPA2protectionshouldbe enabled. TodayWPA2can beconsideredasuncrackableincombinationwithastrongpassword, sinceitisonlyvulnerabletodictionaryandbruteforce(incombinationwithshortpassphrases) attacks.Forchoosingasecurepassphrase,itisimportanttochoosealongkeyconsistingofnumbers, upperandlowercaselettersmixedwithspecialcharacters.Itshouldalsobeavoidedtousewords inferablefromadictionaryandyour(social)environment. Keywords:AccessPoint,Security,WPA,WPA2,WEP,VPN,TKIP.

1BasicsofWirelessLANs

1.1Introduction A wireless LAN (WLAN) is a wireless local area network that links two or more computers ordevices usingspread spectrum orOFDM (orthogonal frequencydivision multiplexing)modulationtechnologydesignedtoenablecommunicationbetweendevices inalimitedarea. For the home user, wireless has become popular due to the ease of installation, and locationfreedomwiththegainingpopularityoflaptops.Publicbusinessessuchascoffee shopsormallshavebeguntooffer wireless access totheircustomers;someareeven providedasafreeservice.[Wiki01]

1.2History 1940:AustrianmusicianandactressHedyLamarr,GeorgeAntheil;PatentforFrequency Hopping[5] 1970:ALOHAnet;UniversityofHawaii,bidirectionalstartopologyvialowcosthamlike radiosWaveLan,LucentTechnology 1979:F.R.GfellerandU.Bapst;experimentalWLANusingdiffusedinfrared communication 1980:P.Ferrert;experimentalapplicationofasinglecodespreadspectrum (electromagneticenergy) 1984:K.Pahlavan;comparisonbetweeninfraredandCDMAspreadspectrum communications 1991:FirstIEEEworkshoponWirelessLANsatWorcesterPolytechnicInstitute 1996:Technologywasrelativelymature,avarietyofapplicationshasbeenidentifiedan addressed

1999:AppleiBookwithAirportTechnology;firstWLANusageforconvenientprivate usage

1.3Advantages&Disadvantages Benefits contain aspects like cheap costs, easy expandability (in wired networks, additionalclientswouldrequireadditionalwiring),deployment(forasmallwirelessLAN notmorethanasingleaccesspointisrequired),highproductivity(Computersconnected toaWLANcanmaintainanearlyconstantaffiliationwiththeirdesirednetworkasthey are movedfrom oneplace toanother),goodmobility/flexibility(forexamplewireless telephonenetworkthatallowsuserstocommunicatewherevertheywantorstudentsofthe universitytoaccesstheInternetfromanywhereonthecampus [3])andconvenience(the natureofWLANsallowsuserstoaccessnetworkresourcesfromnearlyanyconvenient locationwithintheirnetworkingenvironment) Ofcoursetheresalsoanegativesideofthecoin,disadvantagesare:range(thetypical rangeofaWLANwithstandardequipmentisintheorderoftensofmeters.Toobtain additional range, repeaters or additional access points have tobe installed), reliability (Among the most insidious problems that can affect the stability of a WLAN are microwaveovensandanalogwirelesstransmitterssuchasbabymonitors),speed(WLANs havetypicallyspeed from1to108Mbit/sreasonablyslowcomparedtotheslowest wirednetworks(100Mbit/suptoseveralGbit/s))andsecurity(problemsconcerningWEP andWPA/WPA2,seeonlater).

2VPN(VirtualPrivateNetwork)
Theterm"virtual"meansthatthisnetworkexistsmerelyasalogicalstructure,infact, actinginapublicnetwork,asopposedtotheprivatenetwork,whichisbasedonlinks, especiallybasedforthispurpose.Althoughthemechanismofactionoftheendstationscan usetheVPNexactlyasiftherewereaphysicallinkbetweenprivatecompanies.Solutions basedontheVPNshouldbeusedinnetworkssuchascorporatebusinessesorremoteusers whoquiteoftenworkfromhomeontheseunsecuredconnections.VirtualPrivateNetworks are characterized by a relatively high efficiency, even in the weak link (with data compression)andahighlevelofsafety(becauseofencryption).TosetupaVPN,youneed bothsymmetricandasymmetricencryptionmethods.

2.1MostcommonVPNprotocols:

2.1.1Ipsec IPsec is a set of protocols for implementing secure connections and encryption key exchange between computers. VPN based on IPsec consists of two channels of communicationbetweentheconnected computers: achannel forkeyexchange through whichdataisassociatedwithauthenticationandencryption(keys)andthechannel(oneor more),whichcarriespacketstransmittedviatheprivatenetwork.Channelforexchanging keysisastandardprotocol(UDPport500).Channelsoftransmissionofdataarebasedon theESPprotocol(protocolnumber50)asdescribedinRFC2406.

ESP (Encapsulating Security Payload) is a protocol to ensure safety: Datasourceauthentication,theintegrityofthedata(usingashortcutfromthecalculation already encrypteddata), indisputability (usingashortcutfrom thecalculationalready encrypteddata),Supportstheavoidanceofduplicationofpacketsaswellastheattackby repeating(usingsequencenumbers).

2.1.2PPTP PointtoPointTunnelingProtocol(PPTPforshort)isacommunicationsprotocolallowing thecreationofvirtualprivatenetworkusingtunnelingtechnology.Itallowstheconnection remotelytoworkstationsorthenetwork(mainlybasedontheWindowsoperatingsystem) viatheInternetandcreatingavirtualcalltothelocalnetwork(ex.Corporate)it.Hasto ensuresafetywhiletransmissionofdata.Initializationoftheserviceisonport1723.PPTP isaprotocolstandardequipmentoftheoperatingsystemfromWindows98andNT.Since theemergenceofthePPTPprotocolinMicrosoft'simplementation,hasbeenrepeatedly broken,anditsuseinseriousapplicationsdoesnotguaranteeanadequatelevelofsecurity oftransmitteddata.

2.1.4OpenVPN OpenVPN is a VPN package developed by James Yonana. It allows the creation of encrypted connections between hosts such as OpenSSL libraries and protocols SSLv3/TLSv1.IncontrasttootherVPNsolutionsitdoesnotrelyonIPsecprotocolasa medium.Thispackageisavailableonthefollowingplatforms:Linux,BSD,MacOSX and Windows 2000/XP/Vista. Thewhole package consists ofone binarycode for the clientandserver,andanoptionalconfigurationfilewithoneormorekeys,dependingon themethodofauthentication.OpenVPNusestheOpenSSLlibrarytoencryptdataand controlchannels.ItcanalsotakeadvantageoftheHMACtocreateanadditionallayerof securitycalls.Thepackageisalsoabletousethehardwarecapabilitiestoimprovethe qualityandlevelofencryption.

2.1.5L2TP L2TP(calledLayerTwoTunnelingProtocol)(decapsulatedtunneleddatausingIPsec) allowsyoutoencrypttrafficIP,IPXandNetBEUI,andtransferitbyanytransmission medium,providingsupportdatagramsincombination,pointtopoint,forexampleIP,X.25 ,FrameRelayorATM.

2.1.6Hamachi Hamachiisafree(orpaidyouhavemoreopportunities)VPN(VirtualPrivateNetwork) application, it does not require a configuration. This is the first and, until now, only allowingtheVPNtoestablishadirectconnectionbetweentwocomputers,ifbothare behind aNAT(as youconnect theserver it helps, but is thenmaintained without its support).IsavailableontheWindowsNTfamily(NT,2000,XP,2003)andonLinuxand Mac OS. Free Hamachi networks can accommodate a maximum of 15 people (plus founder)active(online)atthesametime(paid:255users).

3WEPWiredEquivalentProtection
WiredEquivalentPrivacywastheoriginalsecuritymechanismspecifiedbyIEEE802.11. Itisnoamendment,butpartofthe(legacy)standard.Itisavailableandsupportedbyall 802.11products.ItwasdesignedtoprovideAuthentication/Authorization,Confidentiality andIntegrity. ItistheLOWESTcommonlevelofsecurityin802.11networks.

3.1Overview
TodayWEPisobsoletebecauseitisinherentlyinsecure,duetothefactthattheWEP encryption routine based on the streamcipher RC4 is faulty. To remain backward compatibility,allWiFicertifiedproductsmuststillimplementWEP. Attention:DonotuseWEPtoprotectrealworldwirelessnetworks.

3.2WEPstreamcipher The cryptographic algorithm underlying WEP is the RC4 streamcipher. RC4 is a symmetricstreamcipherinventedin1987byRonRivestofRSASecurity.RC4iseasyto implement inbothhardware andsoftware. TheRC4streamcipheritselfisconsidered insecure,butthisisnotthemainreasonbehindtheinsecurityofWEP. Astreamcipherusesasharedprivatekeytogenerateapseudorandomnumbercalledthe keystream.Thisprocessiscalledkeyscheduling.Thesharedprivatekeydoesnotdepend ontheinputdataandmustthusonlybeusedonce.(differenttoablockcipherlikeDESor AES) Thekeystreamisofexactlythesamesizeasthedatathatshouldbeprotected.Thekey streamandthedataareXORedandtransmittedtothereceiver.Thereceiverreconstructs thekeystreambyknowingthesharedprivatekeyandusingthesamePseudoRandom NumberGeneratorasthesender.Withthekeystream,thereceivercaneasilyreversethe XORoperationandreadthemessageascleartext.

3.3WEPBasicOperations

Figure3:WEPBasicOperationI

Figure4:WEPBasicOperationII Toovercometheproblemofonekeystreamresultingfromonesharedkey,WEPusesa 24bit random InitializationVector (IV). Theconcatenationoftherandom IVplusthe sharedkeyareusedastheentrykeyinthePNGRtocreatethekeystream.Theresulting keystreamisnowdifferentforeverydistinctIV,evenifthesamesharedkeyisused.The sharedkeyitselfcanhavealengthof40bitor104bitinWEP Togetherwiththe24bitIV,thisyields68bit,respectively128bitseedsasinputforthe PRNG.Therefore,thesetwovariantsareoftenreferredtoas68bitWEPor128bit WEP. WEPallowsforatmost4sharedkeystobeusedsimultaneously,butthenumberofthe usedkeyisalsostoredinclearinthe802.11frame.Toprovidefordataintegrity,WEP calculatesanIntegrityCheckValue(ICV)ofthe802.11framepayload(withoutFCS!). TheICVusesnocryptographicalgorithmbutthewellknownCRC.Thepayloadplusthe ICVareencrypted(XORed)withthekeystream. Consequently,WEPdoesonlyencryptthepayloadnotthe802.11MACheaders. Finally,theFCSiscalculatedasusualovertheencryptedframe.Wewillseethatthistype ofencryptionisveryinsecureandobsoletenowadays.

4WEPcracking
AsweknowWEPusestheRC4streamcipheralgorithm.RC4itselfcannotbeconsidered secure anymore. However this is not the mainproblem withWEP.Incase ofstream ciphersthesamekeystreamshouldnotbeusedmorethanonceasitisinsecureandthe keycouldbequiteeasilyrecovered.IncaseofWEPa24bitinitializationvector(IV)is appended to the Preshared key to generate the key stream. In each packet the IV is incrementedbyone.Inaverage2^12framesareneededfor50%chancethatthesame (weak) IVisbeingusedagain.As thereisnosequence control,frames caneasilybe caughtandreplayedintothesystemwhichgeneratesevenmoretraffic.ThefirstByteof

thePDUofawirelessframealwayscontainstheLLC/SNAPheaderswhichis0xAA[3].In caseofARPpacketsweevenknowthewholecontentoftheencryptedframe.Andwhat happensifwehaveacleartextmessageandthecipherasastreamcipher?Wesimply havetoXORtheminordertogetthekeywhichhasbeenusedtoencryptthatframe. However,westillhavetodealwiththeIVs,asframesarenotalwaysencryptedwiththe samekey.BecauseoftheshortnessoftheIVwesimplywaitforthefirstARPpacketto arrive,replayituntilwegetafewMBofdata.AftertheIVhasrepeateditselfitisonlya questionofsecondsuntilthesharedkey,whichhasbeenusedfortheRC4algorithmcan berecovered. IfthelengthoftheWEPkeyis40bit,thekeycanberecoveredinmostcasesfrom5000 frames.After10000frameskeyrecoveryisguaranteed.Incaseof104bitWEP15000 packetsareneeded.Noadditionalsecurityisprovidedbythelongerkey,astheweakest pointistheIV,notthePresharedkey. WithgoodsignalqualityacommonnotebookwithanAtherosWiFitransceiver(oreven anoldIntelProfessionalWireless2200adapter![1])canbeusedtoinject300400frames per second. All these frames will be answered by the access point as required by CSMA/CAwhichispartofIEEE802.11a,b,gandn. AnicetooltotrythisattackistheAircackngsuite[4].

5WiFiand(Open)SSH
ThereareseveralattemptstomakeWiFimoresecure.SomeoftheseareontheOSI/ISO layer 12 like WEP (RC4) or WPA2 (AES). Other approaches are to secure communicationonhigherlevelsoftheOSI/ISOmodele.g.viaVPN.Afairlyunknown techniqueistheuseofssh.Sshcannotonlybeusedforremoteadministrationorport forwarding,buthasasocksproxyfunctionality[2].WiththecommandlineoptionDa specifiedlocalportcanbeusedasasocksproxy.Thetrafficwillberoutedthroughthe securetunneltothesshserver.Sshcanbeconsideredverysecureasitsupports3DES, Blowfish, AES and RC4 and asymmetric encryption (private/public key) for authenticationandkeyexchange. However,thereisonepossiblesecurityissue:DNSandother(partly)UDPbasedtrafficis notbeingsentoverthetunnelassocksonlysupportsTCPasISO/OSIlayer4. OpenSSHcanbeveryusefultogainprivacyinpublicwirelessnetworks.

6WPA802.11
WiFiProtectionAccess(WPA)wascreatedbytheWiFiAllianceinresponsetoseveral seriousweaknessesresearchershadfoundintheprevioussystemWEP. TheIEEE802.11startedTaskGroupI,tocreateanewlinklayerencryptionforwireless LANs.Thisnewstandardmainlyconsistsoftwonewencryptionprotocols TKIPTemporalKeyIntegrityProtocol CCMPCounterModewithCBCMAC andsomemethodsthatdefineanewmethodforkeydeductionanddistributionbetween AccessPointsandClients.RSNRobustSecurityNetwork[WikiWPA].

6.1WhyWPA? WPA addresses combine confidentiality and integrity with new encryption and key distributionfunctions.ThelengthoftheInitializationVectorhasbeendoubledandinstead of the CRC used with WEP, WPA now uses a cryptographic integrity check called Michael[WLANs09].

6.2TKIP TKIPwasdesignedasasolutiontoreplacetheRC4usedinWEPwithoutrequiringthe replacementoflegacyhardware.ThereforTKIPusesRC4asitscypher. Unlike WEP, TKIP does not use the master key directly, instead it derives the keys effectivelyfromthemasterkey,whichareneededforencryption.[WLANs09].

6.2.1Keyderivationandkeymanagement TKIPuseskeymixing.Thisrekeyingmechanismensuresthateverypacketissentwith auniqueencryptionkey,whichisdeducedfromthemasterkey. Thenewkeymanagementoperationsallowtheautomaticrefreshmentofthemasterkeys [WLANs09].

6.2.2Sequencecounter TKIPpreventsreplayattackswhichwereverycommoninWEPbyuniquely numberingeachframewithasequencecounter[WLANs09].

6.2.3MICMessageIntegrityCheck Michaelmakesdetectingforgedframesmorereliable.Itismuchmoredifficulttoadjust theICVtofitmanipulatedframes.Michaelalsoensuresthatthesourceanddestination addressesareprotected[WikiTKIP].

6.2.4Selfdefense Inordertodefendthenetworkwhichisbroken,TKIPprovidescountermeasures. Ifanattackisdetected,TKIPcanshutdownthenetworkandrefreshallkeys.Thisensures thatthenetworkisn'tcompletelycompromised. TKIPisn'tabletodetecteveryattack.ForexampleDOSDenialofServiceattacksstill areaproblembecauseitonlyencryptsthedatapayloadandtheMIC,butnottheMAC headers[WikiTKIP].

6.3TKIPAttacks TKIPisvulnerabletokeystreamrecoveryattacksthat,ifsuccessfullyexecuted,permits anattackertotransmit7to15packetsoftheattacker'schoiceonthenetwork.

Iftherekeyingintervals aresetverylongitwouldbepossibletocalculate acorrect sessionkey.Becauseofthenewkeymanagementitstilldoesnotallowintruderstoread datafreelylikeinWEPattacks. Onepossibleprotectioncouldbeshortrekeyingintervalsunder4minutes. Alsothewellknowndictionaryattacksarepossible[WikiTKIP].

6.4Summary WPAprovidesbackwardcompatibility. TKIPisdefinitelymoresecurethenWEP,butitstillusestheinsecureRC4streamcipher. Therearecountermeasurestoprotectthenetworkautomatically.

WPA2802.11i
AtaskgroupstartedworkingonanewWLANencryptionstandardin2001,andinJune 2004 the 802.11i standard [IEEE04] was finally accepted. Parts of the standard were alreadyimplementedinWPA(e.g.TKIP),sotheWiFiAlliancecalledthenewstandard WPA2. ThemainnoveltyinWPA2isareplacementfortheRC4basedTKIPprotocol,called CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol).ItsupportstheIndependentBasicServiceSet(IBSS),whichenablesdevicesto operateinadhocmode.

7.1CCMP CCMPisbasedonAES(AdvancedEncryptionStandard)witha128bitkeyandblock size.LikeTKIPitusesa48bitpacketnumbertoprotectagainstreplayattacks(seePN0 PN5infigurebelow).

Figure1:ExpandedCCMPMPDU[IEEE04] CCMPincreasesthepacketsizeto16octets:8fortheheaderandanother8fortheMIC (MessageIntegrityCheck).Mostoftheheaderisusedforthepacketnumber(PN0PN5), only1bitisfortheExtIVand2othersfortheKeyID.NotethatDataandMICareAES/ CCMencrypted.

ThepacketnumberisincreasedforeachpacketandisoneoftheinputsoftheCMM encryptionprocess,toensureanattackercannotreinsertpacketsinthenetwork(replay attack).Theremustneverbeanidenticalpacketnumberforthesametemporalkey. TheMICisgeneratedbytheCCMprocessandauthenticatesthedata.Inveryshortterms, the MIC is produced by a AES cipherblockchain with zeroinitialization (see figure below).

Figure2:CBCMACcomputation[wiki03]

7.2Authentication Thereare2authenticationmethodsinWPA/WPA2:PSK(PreSharedKey),alsocalled WPAPersonal and EAP (Extensible Authentication Protocol), also called WPA Enterprise. PSK relies on a shared, secret passphrase which is 863 ASCII characters or 64 hexadecimaldigitslong.Thisatypicalsetupforahomeorsmallofficenetwork(hence thenameWPAPersonal).ASCIIcharactersarereducedbyahashfunction(PBKDFv2 from [RFC2898]) to256bits.It is recommended touse at least a14characters long password[MOSK03](see2.4.1forfurtherdetails). EAPisdesignedforlargerbusinessnetworksandusesanauthenticationserver(usually RADIUS).Afterasuccessfulclientauthentication,theserverdistributesaMasterSession Key(MSK)tobothclientandaccesspoint,fromwhichtherespectivePairwiseMaster Key(PMK)iscomputed.EAPisonlyanauthenticationframework/protocol,currently thereareabout40differentmethodsknown(e.g.EAPTLS,EAPTTLS,EAPPSK).

7.3RSNAConnectionEstablishment TheRSNAestablishment procedure consistsofthe802.1Xauthenticationandthekey managementprotocols.Threeentitiesareinvolvedintheprocess,thesupplicant(Client), the authenticator (Access Point) and the Authentication Server. In a successful authenticationprocessthesupplicantandtheauthenticatorverifyeachothersidentityand generateasharedsecretforkeyderivations.Thekeysfordatacommunicationsessionsare computedbythekeymanagementprotocolsbasedonthissecret.Theauthenticatorand authentication server canbe implemented either inonephysical device orinseparate devices.Incaseofaseparateimplementationthelinkbetweenthetwomustbephysically secure.Theconnectionestablishmentprocesscanbedividedinto6phases[Mitchell05]: Phase1NetworkandSecurityCapabilityDiscovery: The access point either broadcasts its security capabilities periodically in a specific channel, or responds to a probe request through a specific channel. A wireless client discoversavailableaccesspointsandtheirsecuritycapabilitiesbymonitoringthechannels orbyactivelyprobingthechannels.

Phase2802.11AuthenticationandAssociation: Theclientchoosesoneoftheavailableaccesspointsandtriestoauthenticateandassociate with it. The client should indicate its security capabilities in the association request, 802.11OpenSystemAuthenticationisincludedonlyforbackwardcompatibility.After thisphasetheclientandtheaccesspointareauthenticatedandassociated,howeverthe 802.1Xportsremainblockedbecausethisauthenticationisstillweak. Phase3EAP/802.1X/RadiusAuthentication: Supplicantandauthenticationserverexecuteaauthenticationprotocol,theauthenticator actsasarelay.Thesupplicantandtheauthenticationserverauthenticateeachotherand generatetheMasterSessionKey(MSK).TheMSKisusedbythesupplicanttogeneratea Pairwise Master Key (PMK). The data is sent to the authenticator, allowing him to generatethesamePMK.ThecreationofthePMKisskippedifthesupplicantandthe authenticatorareconfiguredusingastaticPreSharedKey(PSK),orwhenacachedPMK canbeusedduringareassociation. Phase44WayHandshake: Throughthe4wayhandshakethesupplicantandtheauthenticatorconfirmtheexistence ofthePMK,regardlessofhowitwasgeneratedorreusedinstep3.Theyalsoverifythe selectionofaciphersuiteandgenerateanewPairwiseTransientKey(PTK)forthedata sessionafterwards.InthisphasetheauthenticatormightalsodistributeaGroupTransient Key(GTK).AfterthisphaseanewPTKissharedbetweenauthenticatorandsupplicant andthe802.1Xportsarenolongerblockedfordatapackets. Phase5GroupKeyHandshake: IncaseofmulticastapplicationstheauthenticatorwillgenerateaGTKanddistributeitto thesupplicants.IfaGTKwasalreadygeneratedanddistributedinPhase4thishandshake mightbeskipped. Phase6SecureDataCommunication: ThesupplicantandtheauthenticatorexchangeprotecteddatapacketsusingthePTKor GTKandtheverifiedciphersuitefromthephasesabove.

7.4WPA2Weaknesses EventhoughtheWPA2standardisstronginmattersofencryption,somemeasuresto attackithavealreadybeenfound.Theseattacksmostlybaseonweakkeysandcan be avertedbyfollowingsomesimplesecurityadvices.Thefollowingsectionshowsafew attackingpossibilitiesinthedifferentphasesofconnectionestablishment.

7.4.1PSKBruteForceDictionaryAttack ThebiggestweaknessandbestchancetoattackWPA2isattackingthePSK(PreShared Key)whichisanalternativetoEAP/PMK.APSKisa256bitcharacterstringorapass phrasebetween8and63characters.Togeneratesuchapassphrasethefollowingformula isused[Lehem06]:

PSK = PMK = PBKDF2 (Pass-phrase, SSID(Service Set Identifier), SSID-Length 4096, 256) PBKDF2(PasswordBasedKeyDerivationFunction)isakeyderivationfunctionthatis partoftheRSAStandard PKCS#5(PasswordBasedCryptographySpecificationv2.0), 4096representsthenumberofiterationsthealgorithmperformsand256representthebits oftheoutput. PBKDF2 isacryptographicfunctionforapassphrase,addedwithasaltvalueandthe processofrepeatingitforacertainnumberofiterationstoproduceacryptographickey. Thesaltvalueisanindexofasetofkeysderivedfromthepassword[Rsa99].Changing thesaltvalueleadstoawholenewdictionary,makingtheoldoneuseless.Themore iterations,theharderitgetsforbruteforceattackerstosucceed. Toperformanattackonthispassphrasetheattackermustsniffthenetworkduringthe4 wayhandshakeinphase4forthePTK,wherehereceivesallbutthepassphraseofthe formulaabove.Afterthistheattackercanperformanofflinedictionarybruteforceattack. TherearealreadysomeLinuxtoolsforthosebruteforceattacksavailable[Air]which representarealthreattowirelessnetworks.

7.4.2SecurityLevelRollbackAttack UsingbothPreRSNAandRSNAalgorithmsenablesanattackertoperforma'Security Level Rollback Attack'. The WPA2 defines a TSN (Transient Security Network) [Mitchell05] tosupportoldandnewstandards atthesametimeinorder tomake the transitiontothenewstandardeasier.Suchanimplementationwithlowersecuritylike WEPinworstcase.TheattackersendswrongBeaconorProberequeststoestablisha PreRSNAconnection,evenifbothwouldsupportamoresecureRSNAconnectionlike WPA2.AsPreRSNAdoesnotsupportaciphersuite,theywon'tbeabletodetectthe fraudandaccepttheinsecureconnection.Theattackerisnowabletogetthedefaultkeys byexploitingWEPsweaknesses. Asimplesolutionis todisable PreRSNAconnections inhigher security areas where sensitivedatacanbefound.

7.4.3ReflectionAttack The4wayhandshakeinphase4usessymmetriccryptographytoguaranteetheintegrity ofthemessages. TheauthenticatorandthesupplicantaretheonlytwowhoknowthesharedPMKto authenticatecorrectmessagesviaMICs.Ifadeviceisconfiguredtobesupplicantand authenticatoratthesametimeusingthesamePMK,anattackercaninitializeareflection attackduringthe4wayhandshake.Theoriginaldevicestartsthehandshakeas authenticator,theattackerstartsanother4wayhandshakeusingthesameparametersbut thedeviceassupplicant.Oncethedevicestartstosendmessagesassupplicant,the attackercanusethesemessagesasavalidmessagefortheinitial4wayhandshakeofthe attackerstarget. ReflectionAttacksonlypresentathreatin'adhocnetworks'andnotininfrastructure networks,whereadeviceisnotallowedtoplayboththesupplicantandauthenticatorroles atthesametime.TopreventthisthedevicecouldalsousedifferentPMKsfordifferent roles.

References
[Mitchell05] C.HeandJ.Mitchell.SecurityAnalysisandImprovementsforIEEE802.11i.In ProceedingsoftheNetworkandDistributedSystemSecuritySymposium,2005. [IEEE04] IEEEStandard802.11iPart11WirelessLANMediumAccessControl(MAC)and PhysicalLayer(PHY)specifications,2004. [WIKI03]http://en.wikipedia.org/wiki/File:CBCMAC_structure_(en).svg [RFC2898] PKCS #5: PasswordBased Cryptography Specification, B. Kaliski, 2000. http://www.ietf.org/rfc/rfc2898.txt [MOSK03] Robert Moskowitz. Weakness in Passphrase Choice in WPA Interface, 2003. http://wifinetnews.com/archives/002452.html [Lehem06]G.Lehembre.WiFiSicherheitWEP,WPAundWPA2.Inhakin91/2006,2005. [Air]Aircrackhttp://www.aircrackng.org/doku.php [Rsa99]PKCS#5v2.0:PasswordBasedCryptographyStandardRSALaboratoriesMarch25,99 [1]ipw2200injection:http://www.box.net/index.php? rm=box_download_shared_file&file_id=f_66026697&shared_name=j3qvacbbmb [2]openssh,http://www.openssh.com/features.html [3]Praher2009,www.fim.at [4]http://www.aircrackng.org/doku.php [5]GeschichtevonWLAN:http://www.voipinformation.de/wlangeschichte.html [wiki01]Wikipedia,thefreeencyclopedia:http://en.wikipedia.org/wiki/Wireless_LAN [WikiWPA]WiFiProtectedAccesshttp://de.wikipedia.org/wiki/WiFi_Protected_Access [WikiTKIP]TemporalKeyIntegrityProtocol http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol [WLANs09]LVAWirelessLANs,DIChristianPraher,JKULinz,2009