Introduction To Wireless Security Computer Science Essay



Cellular networks have a wired backbone, with only the last hop being wireless. Satellite networks are composed of mobile satellites on predetermined tracks, again with only the last hop wireless; because the future position of a satellite can be predicted, it behaves much like a fixed base station. An ad hoc mobile network is a collection of mobile nodes located dynamically, so that the interconnections between nodes can change continually [1].

Because of its dynamic topology and lack of supporting infrastructure, the ad hoc mobile network is the most vulnerable kind of wireless network. Routing is the heart of network infrastructure: it controls and manages the flow of messages in the network. To set up connections and maintain an up-to-date view of the topology, routers continually exchange messages about link state, cost and metrics. The main goal of a routing protocol for a wireless network is correct and efficient route establishment between a pair of nodes, so that messages are delivered in a timely manner.

Wireless networking presents many advantages. Productivity improves because information resources become more accessible, and network configuration and reconfiguration is easier, faster and less expensive. However, wireless technology also creates new threats and alters the existing information security risk profile. For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks: any receiver within range can capture the traffic. If a message is not encrypted, or is encrypted with a weak algorithm, the attacker can read it, compromising confidentiality.

Although wireless networking alters the risks associated with various threats to security, the overall security objectives remain the same as with wired networks: preserving confidentiality, ensuring integrity, and maintaining availability of the information and information systems.


A local area network (LAN) is a computer network covering a small area, such as an office, a home or a group of buildings. The defining characteristics of LANs are high data-transfer rates over a small area and no need for leased telecommunication lines.

Token Ring and many other technologies have been used in the past, and may be used in the future, but Ethernet over twisted pair cabling and Wi-Fi are the two most common technologies currently in use [2].

Switched Ethernet is the most commonly used Data Link Layer implementation on local area networks. At the Network Layer, the Internet Protocol is the standard. However, many different specifications have been used over the history of LAN growth, and some remain popular in other applications. Smaller LANs mainly consist of one or more switches connected to each other, at least one of which is connected to a cable modem, ADSL modem or router for Internet access.

LAN Token Ring


A wireless local area network (WLAN) is a flexible data communications system implemented as an extension to a wired LAN. Using radio frequency (RF) technology, wireless LANs transmit and receive data through the air, reducing the need for wired connections.

Thus, wireless LANs combine data connectivity with user mobility. Wireless LANs have gained strong popularity in a number of markets, including health care, retail, manufacturing and academia. These industries have profited from the productivity gains of using hand-held terminals and notebook computers to transmit real-time information to centralized hosts for processing. Today wireless LANs are becoming more widely recognized as a general-purpose connectivity solution for a broad range of business customers [3].

The widespread reliance on networking in business and the growth of the Internet and online services are strong testimony to the benefits of shared data and shared resources. With wireless LANs, users can access shared information without looking for a place to plug in, and network managers can set up or extend networks without installing or moving wires. Wireless LANs offer the following productivity and cost advantages over traditional wired networks:

Mobility: Wireless LAN systems give LAN users access to real-time information anywhere in their organization. This mobility supports productivity and service opportunities that are not possible with wired connections.

Installation Speed and Simplicity: Installing a wireless LAN system is fast and easy and reduces the need to pull cables through walls and ceilings [4].

Installation Flexibility: Wireless technology allows the network to reach places where wires cannot go.

Scalability: Wireless LAN systems can be configured in a variety of topologies to meet the requirements of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks suitable for a small number of users to full infrastructure networks of thousands of users that allow roaming over a broad area.

How Does a WLAN Work?

The standards used for WLAN communications are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 series of standards. The IEEE 802.11 standards define the Physical and Medium Access Control (MAC) layers of operation in a WLAN. For example, the IEEE 802.11b standard defines the use of the 2.4 Gigahertz (GHz) radio frequency (RF) band for high-speed data communications and supports data rates from 1 Mbps up to 11 Mbps [5]. The IEEE 802.11g standard supports data rates up to 54 Mbps while also using the 2.4 GHz band. Figure (1) shows the hierarchy of a wireless LAN network.

Figure (1) Wireless Lan Network

WLAN Security:

Wireless Local Area Networks have gained tremendous popularity in the computer network market over the years. However, the threats and security fears associated with them have caused some network managers and administrators to avoid installing wireless LANs, regardless of the numerous benefits they provide. Several manufacturers understand the fear, uncertainty and doubt caused by the security problems of the Wireless Local Area Network [6].

They realize that a security measure that makes the WLAN more secure would be a great asset and source of profit for them, so they invest in research aimed at a solution that satisfies buyers' needs for IEEE 802.11 WLAN security. As a result of this research, several security measures have been proposed by manufacturers, and some of them have been adopted by the IEEE 802.11 working group. The main goal of wireless LAN security is to protect the privacy of the clients and to make sure that an attacker cannot access the network without permission and attack them [7].

The most relevant IEEE 802.11 standards are summarized below:

802.11 standards:


The 802.11b extension was one of two extensions to the 802.11 standard published shortly after the basic standard, the other being the 802.11a extension. Because the 802.11b extension operates in the same frequency band as the basic standard, it is discussed before the 802.11a extension.

The 802.11b extension specifies the use of Direct Sequence Spread Spectrum (DSSS) at 1, 2, 5.5 and 11 Mbps. 802.11b products are in volume production and their installed base considerably exceeds that of 802.11a equipment.


The 802.11a extension to the 802.11 standard uses a frequency division multiplexing scheme referred to as Orthogonal Frequency Division Multiplexing (OFDM) and operates in the 5 GHz band rather than at 2.4 GHz. A second difference is that this extension defines a physical layer standard for wireless LANs operating at data rates up to 54 Mbps.

Recalling that higher frequencies attenuate more rapidly than lower frequencies explains one of the problems associated with 802.11a equipment: its transmission range is shorter than that of 802.11b equipment, so more access points are required to serve a given area.


The 802.11c extension to the 802.11 standard is focused on MAC bridging for wireless LANs. The task group completed its effort several years ago and its work was merged into the IEEE 802.1D standard.


The 802.11d extension to the 802.11 standard is a supplement to the MAC layer. It supports the worldwide use of 802.11 wireless LANs by enabling access points to operate at power levels (and on channels) commensurate with the regulations of other countries.


The 802.11g extension to the 802.11 standard can be considered a high-speed extension of 802.11b. Equipment that supports 802.11g operates in the 2.4 GHz frequency band using OFDM to obtain data rates up to 54 Mbps, while remaining backward compatible with 802.11b equipment [7].


Recognition of the limitations of WEP resulted in the development of the 802.11i extension to the 802.11 standard. This supplement to the MAC layer enhances wireless LAN security and applies to the 802.11 physical layers defined by the a, b and g extensions.

The 802.11i supplement defines two new encryption methods as well as an authentication method. The authentication method uses the port-based authentication defined by a prior IEEE standard (802.1X), which is in turn based on an Internet RFC (the Extensible Authentication Protocol). The two encryption methods designed to replace WEP are the Temporal Key Integrity Protocol (TKIP) and a mode of the Advanced Encryption Standard (AES). TKIP is an interim solution that can be deployed through firmware upgrades to existing products. In comparison, the use of AES is more likely to require new silicon containing an AES cipher [8].

As discussed earlier, a wireless network is exposed to many risks; among the most important are active attacks, since a single successful attack can bring down the whole network. The next part discusses some of the best known attacks:

Important types of attacks:

Identity theft (MAC spoofing)

When a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges, identity theft becomes achievable. Most wireless systems allow some kind of MAC filtering, so that only certified computers with specific MAC addresses may use the network. However, a number of programs with network "sniffing" capabilities are available; by combining them with software that lets a computer claim any MAC address the cracker chooses, the cracker can easily get around that hurdle [9].

Man in the middle attack:

A man-in-the-middle attacker entices computers to connect to a computer configured as a soft AP (Access Point). Once this is done, the attacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent attacking computer to the real network. The attacker can then sniff the traffic. One type of man-in-the-middle attack depends on security weaknesses in challenge and handshake protocols to perform a "de-authentication attack". This attack forces computers connected to the AP to drop their connections and reconnect to the cracker's soft AP.

Man-in-the-middle attacks are made easier by software such as LANjack and AirJack, which automate several steps of the process. Hotspots are particularly vulnerable to this kind of attack because there is little or no link-layer security on these networks [9].

Figure (2) shows the components needed for a man in the middle attack.

Figure (2)

Denial of service:

The denial of service threat, whether caused by an unintentional failure or by malicious action, forms a severe security risk in any distributed system. The consequences of such attacks, however, depend on the application area of the ad hoc network. The denial of service attack takes many forms: the classical way is to flood a centralized resource so that it no longer operates correctly or crashes, but in ad hoc networks this may not be an applicable approach because responsibility is distributed.

A distributed denial of service attack is a more severe threat: if the attackers have enough computing power and bandwidth, smaller ad hoc networks can be crashed or congested rather easily. There are, however, more serious threats to ad hoc networks: compromised nodes may be able to reconfigure the routing protocol, or any part of it, so that they send routing information very frequently, causing congestion, or very rarely, preventing nodes from learning about the changed topology of the network. The Wormhole attack, the Rushing attack, the Routing Table Overflow attack and the Sleep Deprivation attack fall into this category [9] [10].

Conclusion chapter 1:

Wireless LANs have many benefits and fit many systems, but their problems are significant because of the attacks that can be mounted against the network and bring it down, so security is crucial to protect the network from external interference.

Chapter 2

Wireless Lan vulnerabilities:

Network security is an essential task, as it provides the protection for the network. This chapter demonstrates the most important protocols used and their vulnerabilities, starting with WEP, WPA and WPA2, followed by a brief description of the most common vulnerabilities in a wireless network.


Wired Equivalent Privacy (WEP) is considered one of the first security mechanisms introduced by manufacturers; it is part of the 802.11 standard for encrypting WLAN traffic. WEP is a shared-secret-key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping; its second use is to stop unauthorized access to a wireless network. WEP encrypts only the payload of data frames; control and management frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm, invented by Ron Rivest, to encrypt all network data traffic. The shared secret key is 40 or 104 bits long and is chosen by the system administrator. This key must be shared by all the stations and the AP, using mechanisms that are not specified in IEEE 802.11 [11].

WEP Processes:


Figure (3) WEP Encryption [12]

Based on Figure (3), the WEP protocol applies two processes to the plaintext data. The first encrypts the plaintext and the second protects it against unauthorized modification (a CRC-32 Integrity Check Value, ICV, appended to the plaintext). The 40-bit secret key is combined with a 24-bit initialization vector (IV), giving a 64-bit total key size. The resulting key is fed into the pseudorandom number generator (PRNG). The PRNG (RC4) in turn outputs a pseudorandom key sequence based on the input key, and this sequence is used for data encryption by a bitwise XOR with the plaintext and ICV.


In the decryption process, the IV (Initialization Vector) of the incoming message is used to generate the key sequence necessary for decrypting the incoming message, as shown in Figure (4).

Figure (4) WEP decryption [12]

XORing the ciphertext with the proper key sequence produces the original plaintext and ICV (Integrity Check Value). Decryption is verified by running the integrity check algorithm on the recovered plaintext and comparing the result to the ICV transmitted with the message.

If the recomputed ICV differs from the ICV transmitted, the received message is in error and an error indication is sent to MAC management and to the sending station. Mobile clients with erroneous messages caused by the inability to decrypt will not be able to authenticate and access the network resources. The WEP protocol provides some security measures for IEEE 802.11, but it remains ineffective against certain attacks, and several research papers and documents prove the ineffectiveness of WEP [13].

WEP Authentication:

Authentication in WEP involves authenticating a device when it first joins the LAN. The authentication process in wireless networks using WEP is intended to prevent devices/stations from joining the network unless they know the WEP key. Figure (5) shows the WEP authentication process.

Figure (5) WEP Authentication

In WEP shared-key authentication, the wireless device sends an authentication request to the wireless access point, which responds with a 128-byte random challenge text sent in the clear. The wireless device encrypts the challenge with WEP under the shared secret key and sends it back to the access point. The access point decrypts the response using the shared secret key and verifies that it matches the challenge it sent. If the challenge matches, authentication succeeds; otherwise it fails.

Unfortunately, in WEP no fresh key is exchanged after authentication: the same shared key is used for both authentication and encryption, so there is no way to tell whether subsequent messages come from the trusted device or from an impostor. Worse, because the challenge is sent in the clear and the response is simply the challenge (plus ICV) XORed with an RC4 key stream, anyone who observes one exchange obtains a valid key stream for that IV and can answer a later challenge without knowing the key. This kind of authentication is prone to man-in-the-middle attacks and is not best practice. In the Wi-Fi specification, shared-key authentication was dropped completely, despite being in the IEEE 802.11 standard.
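The encryption and decryption process above, together with the shared-key authentication exchange and the key-stream reuse that defeats it, as an added worked example in Python (not code from the essay or from any 802.11 implementation). The key, IV and challenge values are constructed for the demonstration, the key-ID byte that follows the IV in a real frame is omitted, and the ICV is CRC-32 in little-endian byte order as in the 802.11 frame format.

```python
# Added example (not from the essay): WEP encryption/decryption and the
# shared-key authentication exchange, showing why one observed exchange
# lets an eavesdropper authenticate without the key. Key, IV and
# challenges below are constructed values, not captured traffic.
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV || RC4(IV || key) XOR (plaintext || ICV). The key-ID byte that
    follows the IV in a real frame is omitted for brevity."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)   # 40/104-bit keys
    keystream = rc4_keystream(iv + secret_key, len(plaintext) + 4)
    return iv + xor_bytes(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Recover the plaintext, or raise ValueError if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    recovered = xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))
    plaintext, received_icv = recovered[:-4], recovered[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame corrupted or tampered")
    return plaintext


def icv_check_passes(secret_key: bytes, frame: bytes) -> bool:
    try:
        wep_decrypt(secret_key, frame)
        return True
    except ValueError:
        return False


# Shared-key authentication: the AP sends a 128-byte challenge in the clear,
# the station returns it WEP-encrypted, the AP decrypts and compares.
def station_responds(secret_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    return wep_encrypt(secret_key, iv, challenge)


def ap_verifies(secret_key: bytes, challenge: bytes, response: bytes) -> bool:
    try:
        return wep_decrypt(secret_key, response) == challenge
    except ValueError:
        return False


def eavesdropper_forges(seen_challenge: bytes, seen_response: bytes,
                        new_challenge: bytes) -> bytes:
    """Answer a new challenge without the key: the observed response is
    IV || (challenge || ICV) XOR keystream, and the challenge is public, so
    XOR recovers the keystream for that IV; reusing the IV reuses it."""
    iv, body = seen_response[:3], seen_response[3:]
    keystream = xor_bytes(body, seen_challenge + icv(seen_challenge))
    return iv + xor_bytes(new_challenge + icv(new_challenge), keystream)


# Constructed demonstration values (hypothetical).
KEY_40BIT = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
CHALLENGE_1 = bytes(range(128))
CHALLENGE_2 = bytes((7 * i + 3) & 0xFF for i in range(128))

if __name__ == "__main__":
    print(wep_decrypt(KEY_40BIT, wep_encrypt(KEY_40BIT, IV, b"hello wireless")))
    legit = station_responds(KEY_40BIT, IV, CHALLENGE_1)
    forged = eavesdropper_forges(CHALLENGE_1, legit, CHALLENGE_2)
    print("AP accepts forged response:", ap_verifies(KEY_40BIT, CHALLENGE_2, forged))
```

The forgery works because the station chooses the IV, so the eavesdropper may simply reuse the one from the observed exchange; this is the same key-stream reuse that makes IV collisions in data traffic fatal, which is why shared-key authentication ends up weaker than open authentication.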

History of WEP attacks [14]

The WEP protocol was not designed by experts in cryptography or security, and as a result it proved vulnerable to the RC4 issues described by David Wagner. In 2001, Scott Fluhrer, Itsik Mantin and Adi Shamir (FMS for short) released their well-known paper on WEP, describing two vulnerabilities in the RC4 key scheduling algorithm:

1) Known IV attacks

2) Invariance weaknesses.

Both attacks are based on the observation that, for certain key values, bits in the initial bytes of the key stream depend on just a few bits of the encryption key (though normally each key stream byte has a 50% probability of differing from the previous one). Because the RC4 key is built by concatenating the IV with the secret key, and the IV is sent in the clear, certain IV values yield weak keys that leak information about the secret key.

These vulnerabilities were implemented in security tools such as AirSnort, allowing WEP keys to be recovered by analyzing a sufficient amount of traffic. While this type of attack could work on a busy network within a reasonable timeframe, the time needed for data processing was quite long. David Hulton (h1kari) devised an optimized version of the attack, taking into consideration not only the first byte of RC4 output (as in the FMS method) but also subsequent ones, which reduced the amount of data required for analysis.

Ian Goldberg, Nikita Borisov and David Wagner showed back in 2001 that the integrity check phase also suffers from a severe weakness due to the CRC32 algorithm used for this task. CRC32 is designed to detect transmission errors, not deliberate modification: it is linear, so an attacker can flip bits in a frame and fix up the checksum without knowing the key. Since then it has been accepted that WEP gives a suitable level of security only for home users and small areas, not for large wireless networks.

With the appearance of the KoreK attacks in 2004 and the inverted Arbaugh inductive attack, arbitrary packets could be decrypted through packet injection without knowledge of the key. Cracking tools such as WepLab by José Ignacio Sánchez and Aircrack by Christophe Devine implement these attacks and can recover a 128-bit WEP secret key in less than 10 minutes (or a little longer, depending on the specific access point and wireless cards).

Adding packet injection improved WEP cracking times: millions of packets are no longer needed, only thousands with enough unique IVs, approximately 150,000 for a 64-bit WEP key and 500,000 for a 128-bit key. With packet injection, collecting the needed data takes minutes. At present, WEP is quite definitely dead (see Table 1) and should not be used, not even with key rotation.

Table (1)

WEP Vulnerabilities:

Implementation of IV Mechanisms:

The way WEP implements its IV mechanism weakens the protocol instead of strengthening the encryption. The purpose of the IV in the RC4 process is to make sure that no per-packet key is repeated, but WEP combines a fixed 40-bit key with only a 24-bit IV. The 24-bit IV space (about 16.7 million values) can be exhausted within a few hours on a busy network, after which IVs repeat; because the shared key is fixed, the key fed to the RC4 key stream generator repeats whenever an IV repeats. This violates the RC4 rule of never reusing a key. Since the IV is sent in clear text, an attacker can tell when an IV collision occurs. IV collisions help the attacker recover the key stream: XORing two packets encrypted under the same IV yields the XOR of the two plaintexts, and if one plaintext is known, the key stream and the other plaintext follow.

Same key is shared:

The same key is shared between the access point and every wireless device. If multiple users/devices use the same key, attacks on WEP become more practical and the chance of IV collisions increases. A key change at the access point requires every user to change their key accordingly, so key management is difficult to administer manually. Hence, most users do not change access point keys frequently; they keep the same key for months, years or forever, which gives the attacker more time to analyze the traffic and exploit key stream and IV reuse [15].

Checksum failure to protect data integrity:

In WEP, data integrity is verified using a CRC checksum. The idea behind the CRC is to prevent anyone from tampering with the message in transit. The CRC is computed over the plaintext and then encrypted along with it. CRC was designed to detect random errors in the message, not to resist deliberate attacks: it is linear, so it is possible to make controlled changes to the ciphertext and adjust the encrypted checksum so that it still verifies. This shows that the WEP checksum fails to protect data integrity (one of the main goals of WEP) [15].

Known plaintext attacks:

If an attacker knows the plaintext, he or she can easily compute the checksum and inject forged messages into the network. An attacker can also change the destination address of a packet, replace the old CRC with the corrected CRC and recompute the IP checksum. The access point cannot notice the changes to the original packet and forwards it to the attacker's chosen IP address [16].
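The checksum failure and the known-plaintext injection described in the two sections above, as an added worked example in Python (not code from the essay). The key stream here is a deterministic stand-in derived with SHA-256 from the IV and a hypothetical key; it is not WEP's RC4, and that is the point: the forgery relies only on CRC-32 being affine under XOR, so any stream cipher carrying an unkeyed CRC has the same flaw. The sample frame and its textual "destination" field are constructed.

```python
# Added example (not from the essay): the WEP bit-flipping forgery.
# CRC-32 is affine over XOR, so an attacker who flips plaintext bits through
# the ciphertext can patch the encrypted ICV without knowing the key or the
# untouched plaintext bytes. The keystream is a deterministic stand-in for
# RC4 output (any stream cipher shares the weakness); it is not WEP's RC4.
import hashlib
import struct
import zlib

IV_LEN = 3


def crc32_le(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_stub(iv: bytes, length: int) -> bytes:
    """Stand-in keystream derived from the IV and a fixed hypothetical key."""
    secret = b"hypothetical-shared-key"          # stands in for the WEP key
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame: IV || keystream XOR (plaintext || CRC-32 ICV)."""
    body = plaintext + crc32_le(plaintext)
    return iv + xor_bytes(body, keystream_stub(iv, len(body)))


def receive(frame: bytes):
    """Receiver side: return (icv_ok, plaintext)."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    recovered = xor_bytes(body, keystream_stub(iv, len(body)))
    plaintext, received_icv = recovered[:-4], recovered[-4:]
    return crc32_le(plaintext) == received_icv, plaintext


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal-length inputs."""
    zeros = bytes(len(a))
    lhs = crc32_le(xor_bytes(a, b))
    rhs = xor_bytes(xor_bytes(crc32_le(a), crc32_le(b)), crc32_le(zeros))
    return lhs == rhs


def bit_flip_forgery(frame: bytes, delta: bytes) -> bytes:
    """Return a frame that decrypts to (plaintext XOR delta) with a valid ICV.

    delta has the plaintext's length and is non-zero only at the bytes to
    change. The ICV correction crc(delta) ^ crc(zeros) follows from affinity,
    so the attacker needs neither the key nor the unchanged plaintext bytes.
    """
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    assert len(delta) == len(body) - 4
    icv_delta = xor_bytes(crc32_le(delta), crc32_le(bytes(len(delta))))
    return iv + xor_bytes(body, delta + icv_delta)


def redirect_delta(plaintext_len: int, offset: int, old: bytes, new: bytes) -> bytes:
    """Delta that rewrites a field of known content (e.g. a destination
    address) in place; the attacker only needs the old value at that offset.
    A real IP packet would need its header checksum patched the same way."""
    delta = bytearray(plaintext_len)
    delta[offset:offset + len(old)] = xor_bytes(old, new)
    return bytes(delta)


# Constructed sample frame (hypothetical payload with a textual destination).
SAMPLE_IV = bytes.fromhex("0a0b0c")
SAMPLE_PLAINTEXT = b"DST=10.0.0.5 PAYLOAD=transfer 100"
SAMPLE_FRAME = encrypt(SAMPLE_IV, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    d = redirect_delta(len(SAMPLE_PLAINTEXT), 4, b"10.0.0.5", b"10.0.0.9")
    ok, text = receive(bit_flip_forgery(SAMPLE_FRAME, d))
    print(ok, text)                 # the receiver accepts the altered frame
```

The fix is not a longer CRC but a keyed integrity code, which is what TKIP's Michael MIC and CCMP's CBC-MAC provide; the `crc32_is_affine` check makes the underlying property explicit for any pair of equal-length inputs.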

Denial of Service Attacks:

Lacking strong authentication methods, DoS attacks are trivial to mount. An attacker can record valid WEP packets and retransmit them later (replay attack) [16].

In the next part, two of the best known tools used to attack WEP are briefly discussed.

AirJack:

AirJack is a suite of tools designed as a proof of concept for layer 2 man-in-the-middle attacks against 802.11 networks. Included in this toolset is "wlan-jack", a tool that performs a denial-of-service attack against users of a target wireless network; it works by sending spoofed de-authenticate frames to the broadcast address, purportedly from the access point's MAC address.

the wireless network to be effective. This tool works because the clients that receive the de-authenticate frames believe they were sent by the access point they are currently associated with.

Since wlan-jack has to spoof the MAC address of the target access point, this traffic can be identified as anomalous through sequence number analysis: the real access point's frames carry a monotonically increasing 12-bit 802.11 sequence number, while the attacker's frames carry the attacker's own counter.
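The sequence number check just described, as an added detection example in Python (not code from the essay or from AirJack). The frame records are constructed to stand in for parsed monitor-mode captures, and the tolerance for missed frames is a tuning assumption.

```python
# Added detection example (not from the essay or from AirJack): flag
# de-authentication frames whose 802.11 sequence number does not follow the
# transmitter's running counter. The capture below is constructed; in
# practice the records would come from parsed monitor-mode frames, and the
# gap threshold is a tuning assumption.
from dataclasses import dataclass

SEQ_MODULUS = 4096         # the 802.11 sequence number is a 12-bit field
MAX_LEGIT_GAP = 32         # assumed tolerance for frames the sensor missed
DEAUTH = "deauth"


@dataclass
class Frame:
    src: str               # transmitter address (the AP's MAC when spoofed)
    ftype: str             # "beacon", "data", "deauth", ...
    seq: int               # sequence number as seen on the air


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance modulo 4096: 0 is a retransmission, a small value is
    normal, a large value means the frame came from a different counter."""
    return (cur - prev) % SEQ_MODULUS


def detect_spoofed_deauth(frames, max_gap: int = MAX_LEGIT_GAP) -> list:
    """Return the indices of deauth frames that break their source's sequence
    chain. Only frames within the tolerance advance the per-source baseline,
    so a flood of spoofed frames cannot drag the baseline to the attacker's
    counter."""
    last_seq = {}
    flagged = []
    for idx, frame in enumerate(frames):
        prev = last_seq.get(frame.src)
        if prev is None:
            last_seq[frame.src] = frame.seq
            continue
        if seq_gap(prev, frame.seq) > max_gap:
            if frame.ftype == DEAUTH:
                flagged.append(idx)
            continue                           # leave the baseline untouched
        last_seq[frame.src] = frame.seq
    return flagged


AP1 = "00:11:22:33:44:55"
AP2 = "66:77:88:99:aa:bb"

# Constructed capture: AP1's counter runs 1000, 1001, ...; an attacker injects
# a deauth carrying its own counter value (17); AP1 later sends a genuine
# deauth in sequence; AP2 shows a legitimate wrap from 4095 to 0.
SAMPLE_CAPTURE = [
    Frame(AP1, "beacon", 1000),
    Frame(AP1, "data", 1001),
    Frame(AP1, "data", 1001),      # retransmission keeps the same number
    Frame(AP1, "data", 1002),
    Frame(AP1, DEAUTH, 17),        # spoofed: nowhere near 1002
    Frame(AP1, "data", 1003),
    Frame(AP1, DEAUTH, 1004),      # genuine deauth from the real AP
    Frame(AP2, "beacon", 4094),
    Frame(AP2, "data", 4095),
    Frame(AP2, "data", 0),         # 12-bit counter wraps
    Frame(AP2, DEAUTH, 1),         # genuine after the wrap
]

if __name__ == "__main__":
    for i in detect_spoofed_deauth(SAMPLE_CAPTURE):
        print("suspected spoofed deauth:", SAMPLE_CAPTURE[i])
```

This is a heuristic, not proof: an attacker who first sniffs the access point's current counter can mimic it, and a sensor that misses a burst of frames will see legitimate gaps, so in practice the check is combined with others such as the rate of de-authentication frames per source.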

AirSnort:

The most commonly used tool for WEP key extraction is the Linux program AirSnort. An intruder using AirSnort surreptitiously collects wireless network traffic from the target network. When enough frames have been collected, AirSnort can determine the WEP key by examining the "weak" frames. It usually takes only a few hours to collect enough frames. Manufacturers have released updated firmware that avoids transmitting such weak frames; however, a network remains vulnerable if a client continues to use an outdated wireless network adap

Strengthening WEP:

There are many solutions available to overcome the weaknesses of WEP. Some of them are:

A larger Initialization Vector (IV) can be chosen.

The hashed value of IV can be prepended or appended to the ciphertext instead of the clear text.

Instead of the CRC checksum, a different method can be used for data integrity verification, e.g. keyed hash functions.

Change the secret key regularly and dynamically, using secure symmetric key distribution protocols.

Better key management using security handshake protocols.

New authentication mechanisms using the Extensible Authentication Protocol (EAP) [17].


As discussed in the WEP encryption section, the WEP algorithm is compromised and has many flaws that can allow an attacker to access information, compromising the WLAN. At the same time, WPA was intended to be interoperable with all existing Wi-Fi devices already in the market, shipped in the millions, that implement this flawed and poorly designed IEEE native security mechanism [18].

TKIP is a wrapper around WEP that intends to improve its security features. To comply with these constraints, TKIP uses the same stream cipher as WEP, RC4, so that only a software upgrade is needed to implement it. In general, most security experts agree that TKIP is stronger encryption than WEP; however, they also agree that TKIP should be an interim solution because of its use of the RC4 algorithm.

The main advantage of TKIP over WEP is key rotation. TKIP changes the keys used for RC4 often (a fresh per-packet key, with the temporal keys themselves refreshed on the order of every 10,000 packets), and the mechanism used to create Initialization Vectors (IVs) is different.

In fact, TKIP is composed of four algorithms wrapping WEP to achieve the best security possible given the design constraints; these are:

Cryptographic Message Integrity Code (MIC).

New IV sequencing discipline.

Per-packet key mixing function.

Re-keying mechanism.

Message Integrity Code (MIC):

Designed to detect forgeries, the MIC is composed of three components: a secret 64-bit authentication key K, shared only between the sender and the receiver; a tagging function that takes the key K and a message M as input and produces a message integrity code T as output; and a verification predicate.

This tag T is sent with the message M. To detect a forgery, the receiver inputs K, T and M into the verification predicate, which recomputes its own tag T' from M and K. If both tag codes match, the message is presumed authentic.

IV sequencing discipline:

In WEP an attacker could make forgeries by recording valid WEP packets and retransmitting them later (replay attack). To defeat this, TKIP employs packet sequence numbers and synchronization between sender and receiver. Checking the IV sequence of arriving packets determines whether a replay has occurred, and if so the packet is discarded. Both sender and receiver reset their counters whenever new keys are set.
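The Michael MIC (tagging function and verification predicate) and the sequence-counter replay rule described in the two sections above, as an added worked example in Python (not code from the essay or from any 802.11 implementation). Michael is implemented from its 802.11i definition and checked against the specification's all-zero-key, empty-message test vector. Two simplifications are assumptions of this example: the real Michael input is a header built from the destination and source addresses and priority followed by the payload, and the real TKIP Sequence Counter (TSC) enters the per-packet key rather than the MIC input; binding the TSC into the MIC here gives the same replay and forgery outcomes for the demonstration.

```python
# Added example (not from the essay): the Michael MIC described above,
# implemented from the 802.11i definition, plus a receiver that enforces
# the TKIP Sequence Counter (TSC) replay rule. Simplification: the TSC is
# bound into the MIC input here, whereas real TKIP feeds it into the
# per-packet key; the replay/forgery outcomes shown are the same.
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes within each 16-bit half of x."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _b(l: int, r: int):
    """Michael's block function b(): four xor/add/rotate steps."""
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """8-byte Michael tag of `message` under a 64-bit key (K = L || R)."""
    assert len(key) == 8
    l, r = struct.unpack("<II", key)
    # Pad with one 0x5a byte and 4..7 zero bytes to a multiple of 4 bytes.
    padded = message + b"\x5a" + b"\x00" * (4 + (3 - len(message) % 4) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _b(l, r)
    return struct.pack("<II", l, r)


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Verification predicate: recompute T' and compare in constant time."""
    return hmac.compare_digest(michael(key, message), tag)


def tkip_send(mic_key: bytes, tsc: int, payload: bytes):
    """Sender: emit (TSC, payload, MIC); the 48-bit TSC rides with the frame."""
    return tsc, payload, michael(mic_key, tsc.to_bytes(6, "little") + payload)


class TkipReceiver:
    """Replay check (TSC must increase) followed by MIC verification."""

    def __init__(self, mic_key: bytes):
        self.rekey(mic_key)

    def rekey(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = -1              # counters reset whenever keys change

    def accept(self, tsc: int, payload: bytes, tag: bytes) -> str:
        if tsc <= self.last_tsc:
            return "replay"             # discarded before any crypto work
        if not verify(self.mic_key, tsc.to_bytes(6, "little") + payload, tag):
            return "forgery"
        self.last_tsc = tsc
        return "ok"


def run_exchange(mic_key: bytes) -> list:
    """Deliver a frame, replay it, re-send it under a bumped TSC (fails the
    MIC), then send a fresh frame; return the receiver's verdicts."""
    rx = TkipReceiver(mic_key)
    tsc, payload, tag = tkip_send(mic_key, 1, b"constructed payload")
    verdicts = [rx.accept(tsc, payload, tag),
                rx.accept(tsc, payload, tag),
                rx.accept(tsc + 1, payload, tag)]
    verdicts.append(rx.accept(*tkip_send(mic_key, 2, b"second frame")))
    return verdicts


if __name__ == "__main__":
    # 802.11i test vector: all-zero key, empty message -> 82925c1ca1d130b8
    print(michael(bytes(8), b"").hex())
    print(run_exchange(bytes.fromhex("0011223344556677")))
```

Michael was chosen because it runs on the weak CPUs of existing WEP hardware; its price is only about 20 bits of forgery resistance, which is why TKIP also specifies countermeasures (a rekey and a 60-second pause) after two MIC failures within a minute.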

Re-keying Mechanism:

The TKIP re-key architecture is hierarchical, with three key types: temporal keys, key encryption keys and master keys. TKIP uses a key update mechanism in which special re-key messages distribute keying material from which the access point and the station derive the next set of temporal keys. There are two kinds of temporal keys: 128-bit keys are used for encryption and 64-bit keys for data integrity.

The re-key messages are secured with the key encryption keys, which protect the temporal keys. The station and access point have to communicate and establish a fresh set of keys on association or re-association. To accomplish these transactions, TKIP uses 802.1X authentication servers to push a common set of key encryption keys to the station and AP. The master key is used to secure their distribution, and it is closely tied to the authentication process and the authentication server. A new and unrelated master key is used for each session [19]. Thus TKIP plays a very important role in WPA, which is discussed later; TKIP vulnerabilities are covered in the WPA vulnerabilities section, since they are largely the same.

Figure (6) illustrates the TKIP design:

Figure (6) TKIP Design [20]



Concerned that a weak wireless security mechanism like WEP would deter enterprises from deploying WLANs, the Wi-Fi Alliance, along with the IEEE, launched an effort to bring a much stronger, standards-based, interoperable Wi-Fi security solution to market. In October 2002, WPA was born as a strong interoperable security specification for WLANs.

WPA greatly increases the level of data protection and access control on existing and future WLANs, addressing the known vulnerabilities of its predecessor WEP, and it replaced WEP as the Wi-Fi security solution [21].

With Wi-Fi Protected Access, companies that have been using add-on security mechanisms such as VPNs may find less need to separately secure the wireless segments of the network. WPA can secure all existing versions of 802.11 devices (a, b, g, multi-band and multi-mode), since it was designed to run as a software upgrade on the many Wi-Fi devices in today's market with minimal impact on network performance [22].

Access points, network interface cards and possibly operating systems require a software upgrade to implement WPA. Enterprises require an authentication server such as RADIUS, but WPA also accommodates home and small office/home office users with a special mode of operation that needs no server, using a shared password (pre-shared key) to activate WPA protection [23].


WPA uses the RC4 stream cipher with 128-bit keys and a 48-bit IV for encryption. RC4 is still used because it is compatible with the old hardware. In addition, WPA introduces a new key security protocol, the Temporal Key Integrity Protocol (TKIP) [24], which dynamically changes the keys during the session, so that repetition of the same traffic keys is prevented. For this TKIP uses a packet sequencing discipline and a two-phase per-packet key mixing function. The packet sequencing discipline means that every encryption key is associated with a sequence number, which effectively prevents replay attacks. The per-packet mixing function takes this sequence number along with the base WPA key and the transmitter MAC address as inputs, and outputs a new per-packet key. This per-packet key is then used along with the IV to generate the key stream.

Authentication Process:

The mode of operation that uses an Authentication Server is called WPA-Enterprise. WPA-Enterprise employs the Extensible Authentication Protocol (EAP) [25] together with mutual authentication, so that the wireless user does not accidentally join a rogue network. EAP is not an actual authentication mechanism but an authentication framework, which provides some common functions and negotiation of the desired authentication method. The authentication server works on the following principle:

The authentication server accepts the user's credentials.

The authentication server uses the 802.1X framework and EAP to generate a unique master key.

802.1X distributes the key to the AP and the client.

TKIP sets up a key hierarchy and management system using the master key; in other words, unique data encryption keys for every data packet are derived from the master key.

Encryption Process:

WPA also enhances the encryption. The principle is basically the same as WEP encryption, but with the Temporal Key Integrity Protocol (TKIP) it fixes the flaw of shared secret key reuse in WEP: TKIP changes the keys dynamically over time by rotating the keys and the IVs for each packet. With WEP, the only way to change keys was to change the user's password; here TKIP generates a series of keys from the password itself.

Each change is synchronized between the wireless client and the wireless AP. In addition, the length of the IV has been increased to 48 bits to decrease the probability of re-use. TKIP also provides verification of the security configuration after the initial encryption keys are determined.

Data Integrity:

Moreover, WPA improves on the Integrity Check Value (ICV) used by WEP, which is calculated as a CRC. A new security measure called Michael has been created: an 8 bit Message Integrity Code is calculated in addition to the ICV. WPA makes sure that the packets have not been intercepted or altered by anyone on their way, thanks to the Integrity Check Value, which covers not only the data but also the header, so that the whole message is protected. Michael also implements a frame counter to discourage replay attacks [26].
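The Michael MIC described above, as an added example in Go that is not part of the essay or of any vendor's code: the raw Michael function with its 8-byte key and padding rule, plus a constant-time verifier. Real TKIP also mixes the destination and source addresses and the priority into the MIC input before the payload; here the caller is assumed to prepend those bytes to msg.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"math/bits"
)

// michaelBlock is Michael's mixing function b(L, R): rotates, a byte swap
// within each 16-bit half (XSWAP) and 32-bit additions.
func michaelBlock(l, r uint32) (uint32, uint32) {
	r ^= bits.RotateLeft32(l, 17)
	l += r
	r ^= (l&0xff00ff00)>>8 | (l&0x00ff00ff)<<8
	l += r
	r ^= bits.RotateLeft32(l, 3)
	l += r
	r ^= bits.RotateLeft32(l, -2) // rotate right by 2
	l += r
	return l, r
}

// michael returns the 64-bit MIC of msg under an 8-byte key. Padding: 0x5a,
// zero bytes to a multiple of 4, then one more zero word (4 to 7 zeros in total).
func michael(key [8]byte, msg []byte) [8]byte {
	l := binary.LittleEndian.Uint32(key[0:4])
	r := binary.LittleEndian.Uint32(key[4:8])
	padded := append(append([]byte{}, msg...), 0x5a)
	for len(padded)%4 != 0 {
		padded = append(padded, 0)
	}
	padded = append(padded, 0, 0, 0, 0)
	for i := 0; i < len(padded); i += 4 {
		l, r = michaelBlock(l^binary.LittleEndian.Uint32(padded[i:i+4]), r)
	}
	var mic [8]byte
	binary.LittleEndian.PutUint32(mic[0:4], l)
	binary.LittleEndian.PutUint32(mic[4:8], r)
	return mic
}

// verifyMichael recomputes the MIC and compares in constant time. Because Michael
// is invertible, a message/MIC pair seen in the clear would reveal the key, which
// is why TKIP only ever transmits the MIC encrypted together with the data.
func verifyMichael(key [8]byte, msg []byte, mic [8]byte) bool {
	want := michael(key, msg)
	return subtle.ConstantTimeCompare(want[:], mic[:]) == 1
}
```

The all-zero key with an empty message gives the published 802.11i test value 82 92 5c 1c a1 d1 30 b8, which is a quick way to confirm the padding and block function.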



WPA2 is the same as WPA, but there are slight differences between them. First, WPA2 makes use of a particular mode of the Advanced Encryption Standard (AES) known as the Counter Mode Cipher Block Chaining-Message Authentication Code (CBC-MAC) protocol (CCMP). CCMP provides both data integrity and data confidentiality (encryption). The use of the Advanced Encryption Standard (AES) is a more secure alternative to the RC4 stream cipher used by WEP and WPA; WPA2 also uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) instead of TKIP as a message authenticator, and is therefore less likely to be hacked. Both played an important role in addressing the weaknesses of WEP, as shown in Table (2) [28].

WEP weakness: Initialization vector (IV) is too short.
How WPA2 addresses it: In AES CCMP, the IV has been removed and replaced with a Packet Number field, and its size has been doubled to 48 bits.

WEP weakness: Weak data integrity.
How WPA2 addresses it: The WEP-encrypted checksum calculation has been replaced with the AES CBC-MAC algorithm, which is considered to provide strong data integrity. The CBC-MAC algorithm calculates a 128-bit value, and WPA2 uses the high-order 64 bits as a message integrity code (MIC). WPA2 encrypts the MIC with AES counter mode encryption.

WEP weakness: Uses the master key instead of the derived key.
How WPA2 addresses it: AES CCMP uses a set of temporal keys that are derived from a master key and other values, like WPA and the Temporal Key Integrity Protocol (TKIP). The master key is derived from the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected EAP (PEAP) 802.1X authentication process.

WEP weakness: No rekeying.
How WPA2 addresses it: AES CCMP rekeys on its own to obtain new sets of temporal keys.

WEP weakness: No replay protection.
How WPA2 addresses it: By using the Packet Number field as a counter, it provides replay protection.

Table (2): WEP weaknesses and how WPA2 addresses them

Table (3) shows a comparison between WEP, WPA and WPA2.

Table (3)

Most of the features of WPA and WPA2 are similar to each other and different from WEP, and both offer higher security standards than WEP. The difference between WPA and WPA2 lies in the areas of data integrity and per-packet keys, and hence WPA2 is the more secure of the two.

WPA/WPA2 Vulnerabilities:

Lack of usability:

Although the WPA/WPA2 security schemes are strong, attacks against them have already been implemented. These attacks are based on users' tendency to choose weak passwords that are easy to guess. CoWPAtty is a tool that goes through possible key combinations (brute force), starting with the easiest choices. With this strategy an easy password may be cracked. The root cause of this problem lies in the lack of usability: when setting up a wireless network, users still have to enter the keys manually, which is time consuming and can be too challenging for beginners [29].

Management Frames:

Management frames, which report network topology and modify client behaviour, are not protected, so they give an attacker the means to discover the layout of the network and pinpoint the location of devices, allowing for more successful DoS attacks against a network.

Control Frames:

Control frames are not protected, leaving them open to DoS attacks.


The plan is to force the client to re-authenticate; combined with the lack of authentication for the control frames that are used for association and authentication, this makes it achievable for the attacker to spoof MAC addresses [30].

MIC is vulnerable:

The Michael Message Integrity Code also has weaknesses that result from its design. The security of Michael depends on the communication being encrypted. Whereas cryptographic MICs are usually designed to resist known-plaintext attacks (where the attacker has a plaintext message and its MIC), with Michael a single known message and its MIC value make it possible to find out the secret MIC key, so keeping the MIC value secret is a crucial part of the scheme.

No protection against attacks on underlying technologies:

The WPA/WPA2 protocol provides no protection against operations such as radio frequency jamming, DoS through 802.11 protocol violations, de-authentication and de-association, and hence no protection against any attack built on them.

The major wireless vulnerabilities points are:

Accidental associations:

Wireless access point signals can be weakened by doors, walls, floors, insulation and other building materials. The signals may also extend into another user's area, and users there may start to connect to the access point. This is referred to as accidental association and can occur in densely populated areas where several people or businesses use wireless technology.

Physically insecure locations:

Access points that are easily accessible can be removed and tampered with (configurations copied or altered) and then returned. They must therefore be installed in a safe location, out of reach.

Insufficient network monitoring:

Intrusion detection tools can be used successfully to continuously monitor for rogue access points. Without some means of detection, with alarms and event data recorders, practically any undesirable party will be able to enter and damage the system.

MAC address filtering:

A media access control (MAC) address is a unique number given to every computer. In wireless LANs this number is used to allow an access point to admit a particular device to the network. Total reliance on this filtering can result in a security breach, as a user may change the MAC address, which changes the device's identity and thereby results in identity theft. This may result in a MAC spoofing attack [31].

Easy to detect a network:

Because wireless uses the airwaves, it is easy to listen to network traffic or even connect to a network. However, just listening to network traffic does not necessarily produce results if the data is encrypted with strong encryption. If WEP encryption is used, it is more likely that hackers can, with some effort, decrypt the information they have intercepted.

Unsecured holes in the Network:

A hacker can enter a wireless LAN by breaking through the firewalls and then allowing others to come in; as a result, sensitive data on the network may be compromised. Hackers may also use the enterprise's resources, including the Internet connection.

No configured security or poor security:

A service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of that network; all wireless devices attempting to communicate with each other must share the same SSID. If the 802.11 security settings for authentication and encryption are not functional, or the service set identifiers (SSIDs) are not changed, this can invite external attacks, as most of the time hackers know the default password [31].

Rogue access points:

These might be poorly configured access points set up by an untrained employee. An employee might also mistakenly use SOHO access points that are not designed for use in an enterprise because of their weak security options. Other rogues may include external malicious users, such as hackers engaging in war driving in an attempt to access the wireless LAN from a nearby location. An external rogue access point may lead to two main dangerous attacks: denial of service (DoS) and man-in-the-middle attacks [31].

Conclusion chapter 2:

WEP was used to provide the needed security, but with the evolution of networking it became completely insecure due to its large number of vulnerabilities, and hence cracking of WEP is now done in three minutes only. The appearance of WPA and WPA2 provided more security to the network; although they still have a small number of vulnerabilities, they proved to be more secure than WEP.

The most common vulnerabilities of a wireless network that an attacker could use against the security of the network have been presented in this chapter.

Chapter 3:

After describing the weak points of the network, it is time to try to minimize the risk. I have inserted here a table that a network manager could use to overcome the threats, together with the countermeasures needed to secure the network.


A vulnerability assessment is an explicit study that uses penetration testing and observation to identify security weaknesses that could be exploited, and the risks they pose. The results obtained are then evaluated to determine their severity and the steps needed to reduce or eliminate the threats. To be truly effective, assessments should be carried out regularly, to spot newly introduced vulnerabilities and to verify that the installed security measures are working as intended.

Assessments may be performed by in-house or third-party staff, with full, partial or no knowledge of the organization's network and security implementation. In the following sections, I present the techniques and tools that can be useful for conducting a WLAN vulnerability assessment, from wireless device discovery and penetration testing to security event monitoring and spectrum analysis. A sample worksheet, provided in the appendix, illustrates how assessment results can be documented for review and remediation.

Tools like Nmap or Superscan are used to scan devices and ports to discover vulnerabilities. WEP traffic may be analysed with a tool like Aircrack-ptw, while PSK authentication messages may be analysed with coWPAtty. 802.1X/EAP user IDs may be recorded, and password-based EAPs may be tested using a tool like Asleap. Table 2 contains the most important procedures that can be used to increase network security.

Security Requirements                                                                    Currently in Place

Default shared key replaced every month                                                  [   ]

Network users are well trained to deal with wireless technology                          [   ]

Default SSID and default IPs are changed                                                 [   ]

MAC filtering is enabled and in use                                                      [   ]

Antivirus is installed and all its definitions are maintained on all wireless clients    [   ]

Personal firewall is installed on all clients                                            [   ]

Table (4): Security requirements checklist

This checklist provides the most essential tasks that a network manager must check before working on the network, so as to avoid any interference from outside and to avoid network failure.

The manager should make sure that everything is in place, and add any remarks that the people working on the site should take into consideration.


Wireless Networks are not secure:

WLANs present different security challenges than wired networks, since the wired network is more secure than the wireless environment. Traffic between the wired and the wireless networks should therefore not be allowed to exist in a single trusted environment: placing firewalls between them is a good solution, and requiring authentication between the two environments before traffic travels between them is also obligatory.

Do not rely on WEP for encryption:

WEP is insecure; the reason is that WEP was not designed to provide a complete security solution but only to provide a level of privacy. Do not use WEP as a security solution on its own; instead, use it in combination with other encryption standards for insecure networks, such as VPNs.

Do not use descriptive names for SSID or Access points:

Using descriptive names, such as the company name, makes the hacker's job easier because identifying the source of the signal becomes trivial.

Change encryption keys:

Changing encryption keys would not prevent the compromise of WEP, because the attacker could break the key in a matter of hours; however, changing the encryption keys will ensure that a compromised network does not remain compromised indefinitely. A hacker can always break the key in a matter of minutes, but changing the key frequently puts some obstacles in the attacker's way.

Locate Access Points centrally:

When creating the layout of the APs within an office, factor in their broadcasting range. Ensure that the signals reach all necessary areas within the building and not beyond it, such as the parking lot, for example.

Identify rogue access points:

The low cost of the hardware components allows the spread of devices such as access points, which may result in the company having a large number of access points, and this poses a big risk for the company. To avoid this, monitoring is very important; it is done with a WLAN scanner and a laptop, to watch for any access point in range that may pose a threat.
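One way to act on such a scan, as an added example that is not from the essay and also covers the rogue access points and insufficient monitoring discussed in chapter 2: constructed scanner lines in a hypothetical "bssid ssid channel" format are checked against an inventory of authorized APs, flagging unknown BSSIDs, unknown BSSIDs that imitate the company SSID, and inventory APs whose settings changed. All addresses and SSIDs are made up.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AP is one access point as seen by a WLAN scanner or listed in the inventory.
type AP struct {
	BSSID, SSID string
	Channel     int
}
// sampleScan is constructed scanner output (hypothetical "bssid ssid channel" format).
const sampleScan = `
00:11:22:33:44:01 CorpNet 6
00:11:22:33:44:02 CorpNet 1
aa:bb:cc:dd:ee:01 CorpNet 6
aa:bb:cc:dd:ee:02 Linksys 11
`

// parseScan turns scanner lines into APs, rejecting malformed lines instead of guessing.
func parseScan(text string) ([]AP, error) {
	var out []AP
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 { return nil, fmt.Errorf("malformed scan line %q", line) }
		ch, err := strconv.Atoi(f[2])
		if err != nil || ch < 1 { return nil, fmt.Errorf("bad channel in %q", line) }
		out = append(out, AP{BSSID: strings.ToLower(f[0]), SSID: f[1], Channel: ch})
	}
	return out, nil
}

// classifyAPs reports, per observed BSSID, why it needs attention: an unknown BSSID
// advertising our SSID (clients may join it by accident), any other unknown BSSID
// (candidate rogue), or an inventory AP whose SSID or channel changed (tampering).
func classifyAPs(seen []AP, inventory map[string]AP, ourSSID string) map[string]string {
	findings := map[string]string{}
	for _, o := range seen {
		known, ok := inventory[o.BSSID]
		switch {
		case !ok && o.SSID == ourSSID:
			findings[o.BSSID] = "unknown BSSID advertising our SSID " + ourSSID
		case !ok:
			findings[o.BSSID] = "BSSID not in inventory: possible rogue AP (" + o.SSID + ")"
		case known.SSID != o.SSID || known.Channel != o.Channel:
			findings[o.BSSID] = fmt.Sprintf("inventory AP changed: saw %s/ch%d, expected %s/ch%d", o.SSID, o.Channel, known.SSID, known.Channel)
		}
	}
	return findings
}
```

Authorized APs that match the inventory produce no finding, so a periodic run only reports what a network manager has to go and look at.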

Conclusion chapter 3:

A wireless network is exposed to a large number of threats due to its nature, though many procedures can be put in place to avoid these threats, and countermeasures play an important role in the success of any wireless network.