In this research paper I intend to investigate the 802.11 encryption standard Wired Equivalent Privacy (WEP) and the issues involved in implementing the protocol. The reason for writing this report on WEP is that many businesses and personal users unknowingly implement WEP encryption on their networks, unaware of the security risks involved.
WEP was introduced in 1997 as the first attempt to secure wireless technology. While it was being implemented, US laws regarding cryptography were very strict, and it was not until they were relaxed that it became easier to break the 40-bit WEP key, which at the time was the maximum length. In the early stages of WEP the major vulnerabilities included the use of generic keys and weak message authentication. As these became widely known within the 'computing underground', universities began to test the implementation of WEP, and a later investigation found that it was possible to inject packets into a network due to insecure message authentication, meaning that whatever the length of the key it was possible to crack.
Breakdown of WEP
WEP is a standard created by the IEEE to offer OSI layer 2 defence schemes for 802.11 networks. In this section I will look at the components which make up WEP and discuss the different attributes relating to each aspect.
WEP implements the stream cipher RC4. RC4 was created in 1987; it has possible key lengths of 8 to 2048 bits but is mostly known to use between 40 and 256 bits. The initialisation vector (IV) is 8 bits in length; the IV's purpose is to allow the cipher stream to be executed without having to go through the process of rekeying. The way WEP reuses IVs is what makes it easy to crack: if an IV is reused, after a period of time a pattern will emerge, and it is then possible to inject packets to stimulate the necessary traffic using a wireless NIC placed in promiscuous mode. The WEP algorithm does not encrypt the packet header or the initialisation vector, making it easy for a vulnerability assessment to be carried out on WEP-encrypted networks.
Figure 1.1 (Basic WEP encryption: RC4 keystream XORed with plaintext, from http://tapir.cs.ucl.ac.uk/bittau-wep.pdf)
CRC-32 (cyclic redundancy check) is an insecure hash function used to maintain integrity by detecting accidental changes within raw data strings; it was created by the RSA to constantly encrypt data between two nodes. CRC works by calculating a binary sequence of fixed length. Each time a packet is sent or received a new sequence is calculated; if the sequences do not match, a request is sent for the corrupted packet to be reissued.
CRC is very good at finding common errors, including errors in the transport of the packet, but CRC does not protect against injected or altered packets as long as the sequence is correct; therefore an attacker can edit a message and recalculate the CRC without the substitution being detected. An example of how this can be used to attack a network is by monitoring the traffic across a network and taking the sequence numbers; after this has been achieved the attacker can create a packet with the correct sequence number which will be accepted on the network, depending on the other layers of security implemented.
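The CRC-32 property the paragraph relies on can be shown directly. The following is an added example, not code from the original paper: the payload, the altered text and the HMAC key are constructed for illustration, and the keyed-MAC comparison at the end shows what a proper integrity check changes.

```python
import hashlib
import hmac
import zlib

# Constructed sample payload and the altered text for the demonstration
# (not from the original paper).
PAYLOAD = b"TRANSFER 100 TO ACCT 0042"
WANTED = b"TRANSFER 100 TO ACCT 0099"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the payload as a 4-byte field."""
    return zlib.crc32(payload).to_bytes(4, "little")


def crc32_is_linear(m1: bytes, m2: bytes) -> bool:
    """For equal-length inputs crc32(m1 ^ m2) == crc32(m1) ^ crc32(m2) ^ crc32(zeros):
    CRC-32 is an affine map over GF(2), which is why it cannot serve as an
    integrity check against deliberate changes."""
    lhs = zlib.crc32(xor(m1, m2))
    rhs = zlib.crc32(m1) ^ zlib.crc32(m2) ^ zlib.crc32(bytes(len(m1)))
    return len(m1) == len(m2) and lhs == rhs


def build_frame(payload: bytes) -> bytes:
    return payload + icv(payload)


def receiver_accepts(frame: bytes) -> bool:
    """The receiver's only integrity check in WEP: recompute the CRC and compare."""
    return icv(frame[:-4]) == frame[-4:]


def change_frame(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the payload and patch the ICV using only crc32(delta).
    The payload content is never needed, and because XOR commutes with the
    RC4 keystream XOR the identical patch applies to the encrypted frame."""
    payload, tag = frame[:-4], frame[-4:]
    tag_delta = xor(icv(delta), icv(bytes(len(delta))))
    return xor(payload, delta) + xor(tag, tag_delta)


def demo_crc_icv() -> tuple:
    """Returns (accepted_by_receiver, payload_seen_by_receiver)."""
    changed = change_frame(build_frame(PAYLOAD), xor(PAYLOAD, WANTED))
    return receiver_accepts(changed), changed[:-4]


def demo_keyed_mac(key: bytes) -> bool:
    """Same change against a keyed MAC (HMAC-SHA256) instead of a CRC: the tag
    cannot be patched without the key, so the altered payload is rejected."""
    tag = hmac.new(key, PAYLOAD, hashlib.sha256).digest()
    tampered = WANTED + tag
    expected = hmac.new(key, tampered[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, tampered[-32:])
```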
To ensure that only permitted clients can access a router, WEP uses an authentication sequence such as the one described below.
1. Turn on the wireless station.
2. The station listens for messages from any access points that are in range.
3. The station finds a message from an access point that has a matching SSID.
4. The station sends an authentication request to the access point.
5. The access point authenticates the station.
6. The station sends an association request to the access point.
7. The access point associates with the station.
8. The station can now communicate with the Ethernet network through the access point.
Open System Authentication
This type of verification permits a client to join the network provided that the client's and host's SSIDs match. Another option is to use the 'any' service set identifier setting to associate with any available wireless host within range, regardless of its SSID.
The following steps occur when two devices use Open System Authentication:
1. The station sends an authentication request to the access point.
2. The access point authenticates the station.
3. The station associates with the access point and joins the network.
Shared Key Authentication
This requires that both the client and the AP have identical WEP keys in order to validate. The verification procedure is explained below.
1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and it sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP key that corresponds to the station's default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP key, and the access point authenticates the station.
5. The station connects to the network.
If the decrypted text does not match the original challenge text (that is, the access point and station do not share the same WEP key), then the access point will refuse to authenticate the station, and the station will be unable to communicate with either the 802.11 networks or Ethernet network.
IEEE 802.11 is a set of standards created by the Institute of Electrical and Electronics Engineers which must be met in order to gain the Wi-Fi Certified logo. The IEEE is an international non-profit organisation recognised in over 150 countries. The main purpose of the IEEE was to ensure that the same protocols were used around the world. Below is a table showing the IEEE 802.11* protocols.
The IEEE also defines the wireless frequencies which can be used; these are split into channels, the main reason being to control which frequencies are in use. Below is a graph showing the defined channels; notice how each channel overlaps with its neighbours.
Graph 1.1 (802.11 Channels and frequencies)
Wireless Footprinting
War driving is a technique used by security enthusiasts and criminals to scan large areas for networks. For this research paper I scanned networks around my home town of Newcastle upon Tyne, UK. The aims of the 'war drive' are to highlight the fact that even though WEP has been replaced with WPA due to security issues, large numbers of personal and business users still implement WEP as a way of securing their networks. There are a number of key elements to carrying out a successful 'war drive', which are discussed below.
Wireless cards are not made to the same specification, so it is advisable to research which card is best suited to your needs; factors which can affect the scan include power requirements, sensitivity and sockets for adding an antenna. For the tests carried out in this research paper I used a high-power ALFA Network AWUS036H. This wireless card supports promiscuous mode and has the capability to attach a different antenna. For the antenna I researched the three main types, which are directional, multi-directional and omni-directional. Each has a benefit depending on the circumstances in which it is used, but because the tests were carried out within a large built-up city the low-gain omni antenna was ideal.
For mapping wireless networks a GPS device can be used with most of the major wireless sniffing tools such as NetStumbler and Kismet. The software records when the signal is at its strongest and then takes a reading from the GPS device, so when a map is required the coordinates are linked with the wireless network and a map can be drawn. There are also many open websites which enable users to input information on wireless networks to share with other users online, such as www.wifimaps.com, which is worth checking out.
As far as software goes, the major two are NetStumbler for Windows and Kismet for Linux. They both work by sending probe requests, which in turn receive an 802.11 probe response; the tools analyse the header of the packet in order to determine the service set identifier (SSID), Media Access Control (MAC) address, WEP usage, WEP key length (40 or 128 bit), signal strength and the manufacturer of the equipment. NetStumbler's disadvantage compared to Kismet is that, as a countermeasure, a user can disable the response to broadcast probe requests within the router or AP settings page, which effectively renders NetStumbler useless, although by default this is set to on by vendors. Kismet does not suffer from this disadvantage as it uses passive network detection, which involves cycling through channels to listen for 802.11 traffic that indicates the presence of a network.
Wireless Scanning and Enumeration
Now that potential targets have been identified and mapped it is time to determine the method for gaining access to the network. This is done by investigating the results from the 'war drive': since all the data is encrypted, it is best first to determine whether it is encrypted via WEP or WPA, and then the length of the key, which for WEP ranges from 40 to 128 bits. The channel of the wireless network which you intend to test is also needed, as the wireless card will need to be in promiscuous mode on that specific channel.
Once your card is configured it is time to start sniffing packets. For this I used Wireshark, which has a feature to capture and decode 802.11 packets; it also runs with all its features on both Linux- and Windows-based systems.
Connecting to the encrypted network
Now that the initial stages have been carried out it is time to gain access to the network. To do this you need to set your wireless interface to connect to the desired SSID and then use the MAC address of a client recorded in the scanning stage. Now that the computer is set up you can choose whether to carry out brute-force attacks or IV analysis relating to the first RC4 byte. The brute-force attack uses a dictionary of words, attempting each one; from research, an attack on a 40-bit key space can take up to 4 weeks when carried out from a single system. This time can be shortened dramatically by IV analysis, which involves passively collecting IVs from the network (client to network and network to client); the larger the number of IVs collected, the higher the chance of success. When you gather two packets with an identical IV header you XOR them to obtain the XOR of the two packets. By doing this it is possible to obtain the shared key, as it is the same key used to create the XORed packets.
To simplify the process of penetrating a wireless network, tools designed to automate it have been produced. AirSnort is the most popular tool used by wireless testers and comprises a collection of scripts and programs. AirSnort has a GUI which simplifies the process. A tool called WEPAttack has the ability to carry out dictionary attacks using wordlists.
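The RC4/IV construction described in the breakdown of WEP above and the XOR of two same-IV packets described in the paragraph on IV analysis, as one added example that is not code from the original paper. It uses a constructed 40-bit key and 24-bit IVs (the IV length fixed by the 802.11-1997 standard), omits the key-index byte of the real frame, and ends with a birthday-bound helper estimating how soon an IV repeat is expected.

```python
import math
import zlib
from typing import Optional

# Constructed values for this demonstration, not from the original paper:
# a 40-bit WEP key and 24-bit IVs, the lengths used by the 802.11-1997 standard.
WEP_KEY = bytes.fromhex("0badc0ffee")

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (sent in clear) || RC4(IV || key) XOR (plaintext || CRC-32 ICV).
    The real frame also carries a key-index byte after the IV; omitted here."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the ICV does not verify."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None

def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames with the same IV were encrypted with the same keystream, so
    XORing their ciphertexts cancels it and leaves plaintext1 XOR plaintext2
    (ICV bytes included) with no knowledge of the key. None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2))
    return xor(frame1[3:n], frame2[3:n])

def frames_until_iv_repeat_expected(iv_bits: int = 24) -> int:
    """Birthday bound: the expected number of randomly chosen IVs before the first
    repeat is about sqrt(pi/2 * 2^iv_bits), roughly 5133 for WEP's 24-bit IV."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))
```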
In this section of my research paper I will identify ways in which to harden wireless security. Firstly, because the SSID is used as a reference to the network, it is a good idea to prevent it from being broadcast, as mentioned above, by blocking probe requests. The SSID can be seen in a number of places, such as:
• Beacons: by default these are sent continuously and can be viewed in Wireshark by setting the filter to beacons.
• Probe Requests: these come from clients connecting to the network.
• Probe Responses: these are replies to the requests from the client.
• Association and Reassociation Requests: these are sent when a client is joining or rejoining a network; they are mainly used to facilitate roaming between different APs within the same ESS.
If the access point has these requests blocked you will need to wait until a client establishes a connection in order to capture the Association/Reassociation packet. To speed up this process a tool called essid_jack, available at http://sourceforge.net/projects/airjack/, can be used; it sends a deauthentication packet spoofed to resemble traffic coming from the access point.
MAC access lists, though not stated within the 802.11 requirements, have on some occasions been used by vendors as a way of hardening security: only users whose MAC address is in the table are able to connect. The first major problem is that if you plan to implement filtering on large-scale networks, all wireless MAC addresses will be needed and must be updated whenever new NICs are added to the network. Another problem with MAC filtering is that by using readily available wireless sniffers the MAC address of the network/AP can be seen along with the addresses of the connected clients; by gathering these it is then possible to change your MAC address to that of a client in order to bypass the filter. To do this a tool called Bwmachak by BlackWave can be used.
Preventing these types of attack is impossible unless you upgrade to WPA, but to attempt to harden against these tools it is advised to use 128-bit encryption and a key not found in the dictionary, containing a mixture of alphabetic, numeric and special characters. Also change the default SSID of the network and change the password regularly.
Other ways to attempt to harden WEP include implementing layered security with multiple encryptions, but the only way to protect yourself from WEP's weaknesses is to upgrade to WPA/WPA2.
For this research paper I implemented the methods described above, set up a 'war driving' machine as discussed and drove around my local area. I wasn't surprised at the number of WEP-encrypted networks I came across: out of 1000 scanned networks, 35% had WEP encryption. The appendix gives details of just some of the networks I came across; alarmingly, many appear to be businesses. Due to the laws regarding these types of wireless attacks I could not attempt to gain access to someone's network without gaining consent, therefore I had to use my own network. I found it very simple to carry out the attacks due to the many in-depth guides readily available on the internet.
"Gaining unauthorised access to someone else's network is an offence and people have to take responsibility for their actions. Some people might argue that taking a joy-ride in someone else's car is not an offence either,"
The Computer Misuse Act 1990 states the following:
1 Unauthorised access to computer material
(1) A person is guilty of an offence if—
(a) He causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) The access he intends to secure is unauthorised; and
(c) He knows at the time when he causes the computer to perform the function that that is the case.
This act protects users from people attempting to illegally gain access to their network; another act in place to prevent attacks is the Communications Act 2003 (c. 21), which states:
125 Dishonestly obtaining electronic communications services
(1) A person who—
(a) Dishonestly obtains an electronic communications service, and
(b) Does so with intent to avoid payment of a charge applicable to the provision of that service,
Unauthorised access to someone's wireless network without permission is illegal and is covered under the Computer Misuse Act and the Communications Act, as shown above. The first reported case of this happening within the United Kingdom involved a man called Gregory Straszkiewicz, who was reported as looking suspicious whilst sitting in his car with a laptop. After further investigations were carried out it was found that he was using wireless equipment to steal internet access. "Mr Straszkiewicz was fined £500 and sentenced to 12 months' conditional discharge for hijacking a wireless broadband connection".
As technology advances so does the hacking community, which is why the public need to be advised of the security issues involving their personal data. As far as WEP goes, it will be a legacy type of encryption, and I predict that for many years to come it will continue to be implemented without knowledge of the risks involved. I hope that writing this research paper will encourage people to upgrade their encryption to WPA, which offers a range of benefits including enhanced data privacy, robust key management, data origin authentication and data integrity protection. Every Wi-Fi certified product after August 2003 has to support WPA or it will lose its certification. WPA is also forward compatible with the 802.11i security specification currently being developed.
References
http://tapir.cs.ucl.ac.uk/bittau-wep.pdf (Figure 1.1)
http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html (Figures 2.1 and 2.2)
en.wikipedia.org/wiki/IEEE_802.11#802.11-1997_.28802.11_legacy.29 (Table 1.1)
http://upload.wikimedia.org/wikipedia/commons/8/8c/2.4_GHz_Wi-fi_channels_%28802.11b%2Cg_WLAN%29.svg (Graph 1.1, channels/frequencies)
www.wifimaps.com (open-source maps)
news.bbc.co.uk/2/hi/technology/8305379.stm (BBC News quote)
http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm (Computer Misuse Act)
http://www.opsi.gov.uk/ACTS/acts2003/ukpga_20030021_en_13#pt2-ch1-pb20-l1g125 (Communications Act)
IEEE-SA Standards Board. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Communications Magazine, 2007.