Weaknesses Of Wireless Security Protocols Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Abstract- Wireless Local Area Network (WLAN) has become the easiest medium to connect to the World Wide Web "WWW" (The Internet). It is widely deployed in corporate offices, schools, homes, cafes etc. Irrespective of the flexibility of internet connection through WLAN, it has several security concerns and flaws. Unlike the simple Wired LAN technology, WLANs broadcast radio-frequency (RF) which client wireless devices receive before connection with the Access point is configured. This has enhanced the ease at which hackers crack, monitor and eavesdrop traffic transmitted on WLAN as long as they have the right tools without having physical connection to the wireless Access point. Security Analyst and professionals have raised concerns about the level of security vulnerability and threat that exit in WLAN technology. Wired Equivalent Privacy (WEP) which was the first generation of wireless security protocol, introduced with IEEE 802.11b standard has a lot of identified security flaws. The weaknesses identified in WEP led to the development and release of more secure wireless security protocols like Wi Fi Protected Access (WPA) and Wi Fi protected Access 2 (WPA2) which also has few vulnerabilities. This paper will discuss major security weaknesses and enhancements of the three major wireless security protocols which are Wired Equivalent Privacy (WEP), Wi Fi Protected Access (WPA) and Wi Fi Protected Access 2 (WPA2).

Keywords - WLAN ; WEP ; WPA ; WPA2 ; IEEE 802.11 ; Access point (AP); Initialization Vector (IV) ; Pre-shared Key (PSK) ; Extensible Authentication Protocol (EAP)


Invention of mobile computers, PDA's, has increased the scale at which computing can be done. As a result the need for flexible network connectivity of mobile devices has led to the invention of wireless Local Area Network (WLAN). To ensure compatibility and interoperability, IEEE developed a standard called IEEE 802.11 standard. This standard regulates and ensures that vendors of wireless devices produce compatible products. The absence of wires, flexible connection, cost efficiency and mobility are the major factors driving WLAN popularity. The use of radio waves by WLAN to communicate from one point to another has made it very easy to connect to the internet from any location including locations where the original wired LAN cannot be installed. This mode of communication of WLAN have left network and security administrators in the struggle of retaining control over the usage and privacy of this network. Over the years users have migrated from wired LAN to WLAN but reverse has been the case in recent years because of major security concerns identified in WLAN technology. Various kinds of attacks which have successfully broken the cryptosystem used by IEEE 802.11 standard has made security a major concern to consider during the setup of a WLAN [10]. Unlike the wired LAN which has hacking obstacles as a result of physical security, attackers find it easier to break into corporate LAN via WLANs. To ensure security in WLAN, WEP (Wired Equivalent Privacy) was incorporated in IEEE 802.11b standard. The major aim of WEP was to provide a robust security for WLAN which is equivalent to the security obtained in Wired LAN, but reverse was the case as WEP was cracked after sometime and recently can be easily cracked with freely available tools. At the moment, WEP which has a 64-bit key + Initialization vector (IV) can only keep away casual network sniffers but not professional hackers. Some identified security flaws in WEP include use of the same pre-shared key, IV reuse; use of CRC-32 for message integrity. These flaws enable hackers to perform activities like eavesdropping, packet forgery, packet replay etc. on WLAN. Stronger wireless security protocols like WEP2 (128 bit key + IV), WEP Plus, WPA-PSK (Wi Fi Protected Access Pre-shared key) have been designed but hackers were still able to crack the above mentioned protocols, making it obvious that the security flaws of WLAN is not only on the size of the key and IV. Wireless security experts identified that a wireless security protocol that can provide mutual authentication between the client and the Access Point, provide stronger Message Authentication Code and renew WLAN encryption Keys will boast security on WLAN. This led to the discovery of WPA/WPA2 (Wi Fi Protected Access) which using Extensible Authentication Protocol (EAP). The rest of this paper is organized in the following order: Section II describes flaws of WEP and Improvements, Section III describes flaws of WPA and Improvements, Section IV describes Flaws of WPA2 and Enhancements, and Section V presents the Conclusion.

Weaknesses of wep and Improvements

Wired Equivalent Privacy (WEP) is a security protocol in 802.11b aimed to protect data transmission in WLAN. It uses a 64bit key which is made up of 24bit IV and 40bit pre-shared key. The major concept of WEP was to provide Authentication, Confidentiality and Integrity in 802.11b WLAN standard, which was achieved with Pre-shared keys for Authentication (Access Control), CRC-32 for integrity of packets and RC4 for confidentiality (preventing Eavesdropping) of packets. Brief overview of data transmission processes in WEP will enhance understanding of the flaws identified in WEP.

Data Transmission Process in WEP

Data encryption/decryption in WEP follow the following Process:

For Encryption, First checksum is done on the plain text to generate an ICV (Integrity Check Value) which is concatenated to the plaintext.

RC4 (Stream Cipher) is applied on Key (40bit Pre-shared key) and IV (24bits) to generate a Pseudo Random Number (key stream).

Keystream is XORed with Plaintext to generate Ciphertext.

Ciphertext is concatenated with IV and transmitted to the receiving end.

For decryption reverse of the processes is applied.

From the above steps and protocols a lot of security flaws have been identified in WEP.

Security Flaws in WEP

Several security weaknesses Identified in WEP security protocol are discussed below.

1) Initialization Vector (IV) Reuse: Initialization Vector (IV) adds randomness to the generation of Keystream in WEP. The IV size of 24bit used in WEP means that the same IV must be repeated after 224 IVs are used. This implies that the key space of a 24bit IV is about 16,777,216 IVs, which is a very small value and has the following implications:

On a busy network, each IV is repeated every 5hours

There is 50% probability that IVs will be repeated after 5000 packets [1].

From the above flaws hackers can easily capture several 5000 packets and obtain the possible keys to decrypt packets. This has made it possible for WEP to be cracked within few minutes depending on the traffic on the WLAN.

2) Inappropriate use of RC4 Algorithm: During the design of WEP appropriate measures was not put in place to prevent key reuse which original RC4 does not do. RC4 is a stream cipher and stream ciphers are known for one time use of key.

3) Weak IVs generated by RC4: Security experts have identified that RC4 algorithms generates weak IVs. It has been identified that every 1 out of 256 IVs produced by RC4 algorithm is weak and creates a pattern in a cryptosystem [6]. Weak IVs are IVs that can be easily guessed usually they are made up of all 1's or 0's or half 1's, half 0's [8].

4) Poor Key Management and Key Update: One static Pre-shared key is shared among all clients connecting to a particular Access point. Key generation, renewal and distribution are not in the design of WEP. Keys can only be renewed manually by an administrator which is very tedious.

5) Use of CRC-32 for Integrity check: CRC-32 is very good for detecting errors and noise in packets but not for message integrity in WEP. CRC-32 is not a cryptographic means of ensuring data integrity. CRC-32 ICV (integrity Check Value) is a linear function of a message which means an attacker can flip a bit in captured packets and easily adjust the ICV to match the packet, thus this defeats the purpose of data integrity.

Enhancement in WEP

Several Improvements made in WEP are stated below:

Increase of key to 128bits (WEP2).which include 104bit key and 24bit IV (this did not stop IV reuse and thus WEP2 was still vulnerable to attack)

Development of WEP+ which is a proprietary security protocol (This will not work if WEP+ is not used at both the sending and receiving end).

WPA (Wi Fi Protected Access) was developed to rectify the issues identified in WEP. It has features like improved encryption using TKIP, improved user authentication using EAP method and Integrity (using MIC).

Weaknesses of wPA and IMPROVEMENTS

In the view to reinforce the security flaws identified in WEP, WPA (Wi Fi Protected Access) was developed as an interim security protocol pending when 802.11i/WPA2 was launched [7]. Unlike WEP use of RC4 and CRC-32 to provide encryption and message integrity WPA uses TKIP (Temporal key Integrity protocol) to provide encryption and Integrity. TKIP uses RC4 for encryption and MIC (message integrity check) for integrity. The choice of RC4 was for WPA to provide WLAN security for older hardware which cannot support newer protocols. MIC is a cryptographic message integrity check that uses hash algorithm to generate a hash. This is preferable to WEP's CRC-32 ICV which is a linear function of transmitted message. In addition, unlike WEP different keys are used for different purposes in WPA. The key for encryption is different from the key for authentication. TKIP introduced features like key sequencing and two-phase key mixing on per packet encryption to prevent replay attack and weak IV attack. Authentication in WPA depends on the mode WPA is operating on. Two operating mode of WPA are Pre-shared Mode (Personal-WPA) and Enterprise mode (Enterprise-WPA).

Pre-Shared Mode (WPA-PSK): This mode of WPA is mostly used by small offices and home users. Authentication in this mode is done using a passphrase. This passphrase can be up to 256bits and 64 ASCII characters. This passphrase is known by both the client and the Access Point (AP) and can contain alphanumeric characters unlike WEP. The security of this WPA mode depends on the complexity of the passphrase. Complex passphrase with a mix of alphanumeric characters are very hard to crack using brute force dictionary attack. When a client wants to connect to an AP the initial session negotiation is done with the passphrase, once the client is authenticated, TKIP is used for generating, renewing and distributing encryption keys. The Passphrase is not transmitted over the communication medium during mutual authentication between the client and the AP. TKIP uses 128bit key + 48bit IV to ensure strong encryption.

Enterprise-WPA: This mode of WPA is mostly used by corporate users to ensure mutual authentication and prevent clients from joining "Rogue Networks or AP". Authentication in this mode is based on IEEE 802.1x/EAP with an authentication server (AAA or radius server). 802.1 x is a port- based protocol used for authentication. Authentication in Enterprise-WPA involves three entities namely

Supplicant (Client)

Authenticator (AP)

Authentication Server (Radius Server)

The Authentication steps in 802.1x are explained below:

The supplicant makes a connection request to the authenticator

Authenticator gets client credentials and identity.

Authenticator passes client identity to the authentication server.

Authentication server generates a unique master key using 802.1x and EAP (Extensible Authentication Protocol)

Key is distributed to Access point and supplicant

Authentication is completed with a four way handshake and radius server sends an EAP success message to the supplicant

TKIP ensures per-packet key mixing and key generation for encryption.

This mode of WPA has been gaining commendations and is widely accepted especially because of its ability to integrate a public key cryptography infrastructure (EAP-TLS).

Data Encryption/Decryption Process in WAP

The IV, the base key and the mac address of the client machine is hashed to generate a message digest value (hash).

The hash and the IV are applied on RC4 to generate a sequential Keystream (to prevent replay attack).

The Plaintext is hashed to generate a MIC (Message Integrity Value) value for integrity and this value is concatenated with the plaintext.

The sequential Keystream is XORed with the Plaintext to generate a ciphertext which is transmitted to the other end.

For decryption reverse of the processes is applied.

Because of the use of protocols like MIC for integrity, TKIP for Encryption, TKIP for key distribution and renewal, security flaws identified in WPA was not as much as that identified in WEP.

Security Flaws in WAP

Some security weaknesses Identified in WAP security protocol are discussed below.

1) Weak Passphrase: Use of weak passphrase in Personal- WPA was identified as a vulnerability for dictionary attack. This kind of vulnerability can be avoided by the use of complex passphrase, preferably use of mix of different alphanumeric characters.

2) No Authentication for Access Point: Original Enterprise-WPA was designed to trust the Access point and only provide mutual authentication between the supplicant (Client) and the Authentication server. This has created high vulnerability by allowing attackers to use fake or rogue AP to spoof WPA-EAP networks. During this spoofing, attacker captures unencrypted packets like the EAP success message sent by the authentication server to the client. When this message is captured the attacker uses the information obtained to disguise as an authentic AP and client will start passing packets through it.

3) Vulnerable to Denial of Service Attack: Countless authentication requests to the authentication server can cause denial of service in WPA-EAP. This is because the authentication server proceeds processing of supplicant's request for authentication without verifying its legitimacy. Attackers use this as a means to send repeated authentication request to the server which eventually causes denial of service to legitimate supplicants.

Enhancement in WAP

Several Improvements made in WAP are stated below:

Use of MIC to prevent Forgery attack unlike WEP.

IV sequencing to prevent replay attack, any packet with out of order sequence is dropped.

Per-packet key mixing using TKIP to prevent weak key attacks

Provision of fresh keys and key distribution using TKIP to prevent key reuse.

EAP-TLS which uses public key infrastructure (PKI) to provide addition authentication for the Access point and encryption of all the messages transmitted in a WPA-EAP network. EAP-TLS ensures authentication of all the components of 802.1x framework

Use of a puzzle solution to ensure legitimacy of supplicants and ensure they are verified before they are allowed to request for authentication hence, reducing denial of service attack.

IEEE 802.11i/WPA2 (Wi Fi Protected Access 2) was launched with AES algorithm as a default encryption algorithm. (AES was adopted by NIST as a standard encryption algorithm).

Weaknesses of wPA2 and Improvements

WPA2 which is also vulnerable, dictionary attack (Personal-WPA2), has similar concept, mode of operations, Data transmission pattern as WPA, but has few security improvements explained below:

Enhancement in WAP2

Several Improvements made in WAP2 are stated below:

WPA2 will be a durable security protocol because of its use of AES, which is an encryption standard adopted by NIST.

In addition to TKIP, MIC, WPA2 provides AES based algorithm CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) [9] to replace RC4. CCMP uses 48-bit IV which is also sequential. AES uses single AES key for confidentiality instead of per-packet key mixing identified in TKIP.

Unlike WPA, WPA2 uses three security groups to ensure protection. Which are Point to Point encryption of unicast traffic (Pairwise Cipher Suite), Point to multipoint encryption of multicast traffic (Group Cipher Suite) and Use of Pre-shared key (PSK) for home users.

The weakness of pairwise master key (PMK) subject to dictionary attack in WPA-PSK was solved in WPA2 by adding two authentication steps to the PMK authentication.

Use of a puzzle solution to ensure legitimacy of supplicants and ensure they are verified before they are allowed to request for authentication hence, reducing denial of service attack.

IEEE 802.11i/WPA2 (Wi Fi Protected Access 2) was launched with AES algorithm as a default encryption algorithm.


This paper discussed the weaknesses identified in wireless Security protocols. WEP which is the first generation wireless security protocols has a lot of identified security flaws ranging from weak IV, Size of IV, No key distribution mechanism, inappropriate use of RC4 and use of CRC-32 checksum protocol etc. These security flaws led to the design of stronger Wireless security protocols like WPA and WPA2 that uses TKIP, EAP-TLS, and AES to provide robust security platform in WLAN Networks. However any perfect security technology is worthless if that technology is complex and people don't know how to use it. Setting up a WPA / WPA2 (especially WPA2-EAP) is at times challenging for users, and this is why 60% of wireless LAN users have ignored migrating from WEP to WPA/WPA2 irrespective of the identified vulnerabities in WEP.