Wireless Lan Security Issues And Solutions Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


Wireless networking has made our lives much simpler when it comes to sharing resources: printers, broadband connections, data files and even audio and video streams can be shared without the extensive cabling that used to get in the way. This kind of resource sharing is changing users' habits, taking them from the world of stand-alone computers to networks of multiple machines. The range of a wireless network is very wide compared with a wired LAN, where the opportunity for eavesdropping is minimal. A wireless network also gives us the same 10 Mbps transmission speed as a wired network without the difficulty of laying cable, and because every room is wirelessly connected, adding users is very easy. Home users can build a wireless network out of an existing wired network and extend the reach of the Internet to multiple computers.

The 802.11 standard is a member of the 802 family of standards issued by the IEEE, which includes 802.3 (known as Ethernet) and 802.5 (known as Token Ring). Nowadays, WLANs are deployed in places such as office conference rooms, industrial warehouses, Internet-ready classrooms and even coffeehouses. With the continued growth of WLANs it has become very difficult for network administrators to handle security, because a WLAN carries data over radio frequencies and this raises many complex security issues. When we talk about the security of a wireless LAN, the various authentication and encryption technologies and the radio range all fall under this heading.

Association vulnerabilities include the open and shared key authentication mechanisms and the SSID. RF limitations concern how to limit the range of the radio signal. Man-in-the-middle attacks are active network attacks. Under WEP, we explain how the RC4 algorithm works and how it generates the key stream (discussed later), followed by a short explanation of other security weak points of WLANs.


The IEEE (Institute of Electrical and Electronics Engineers) released the 802.11 specification in June 1999. The first design, known as 802.11, used the 2.4 GHz band and supported a data rate of 1 to 2 Mbps. In late 1999, two new extensions were introduced.

The 802.11b design improved performance to 11 Mbps in the 2.4 GHz band, while the 802.11a design used the 5 GHz band and supported up to 54 Mbps. Unfortunately, the two new designs were incompatible because they used different frequencies. This means that 802.11a network interface cards (NICs) and access points cannot talk to 802.11b NICs and access points. This mismatch forced the formation of the new draft standard known as 802.11g. 802.11g supports up to 54 Mbps and is interoperable with the 802.11b products on the market today.

3. IEEE 802.11

Although the 802.11 PHY differs from that of 802.3 Ethernet, the MAC requirement is similar to the 802.3 Ethernet MAC requirement plus the 802.2 Logical Link Control (LLC), which makes the MAC address space of 802.11 compatible with those of the other 802 protocols. Whereas the 802.3 Ethernet MAC is essentially Carrier Sense Multiple Access/Collision Detection (CSMA/CD), the 802.11 MAC is Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA). The reason for this change is that there is no practical way to both transmit and receive at the same time on the wireless medium (WM) (Geier 1999, 130). As the name implies, CSMA/CA attempts to avoid collisions on the WM by placing duration information in each MAC frame, so that receiving stations can determine how long the frame will occupy the WM. If the previous MAC frame's duration has elapsed and a quick check of the WM shows that it is not busy, the sending station is permitted to transmit. In this way it is a coordinated effort, unlike CSMA/CD, which permits a sender to transmit any time the medium is not busy.

4. Wireless Security Issues

Authentication and Its Vulnerabilities

The 802.11 specification stipulates two mechanisms for authenticating wireless LAN clients: open authentication and shared key authentication. Two other mechanisms, the Service Set Identifier (SSID) and authentication by client Media Access Control (MAC) address, are also commonly used.

The SSID is a concept that allows logical separation of wireless LANs. In general, a client must be configured with the appropriate SSID to gain access to the wireless LAN. The SSID does not provide any data-privacy function, nor does it truly authenticate the client to the access point.

Authentication in the 802.11 design is based on authenticating a wireless station or device rather than a user. The specification provides for two modes of authentication: open authentication and shared key authentication.

The 802.11 client authentication process consists of the following transactions:

1. The client broadcasts a probe request frame on each channel

2. Access points within range reply with a probe response frame

3. The client decides which access point (AP) is the best for access and sends an authentication request

4. The access point sends an authentication response

5. Upon successful authentication, the client sends an association request frame to the access point

6. The access point responds with an association response

7. The client is now able to pass traffic to the access point


Once the client becomes active on the medium, it searches for access points in radio range using the 802.11 management frames known as probe request frames.

All access points that are in range and match the probe request criteria respond with a probe response frame containing synchronization information and the access point load. The client can decide which access point to associate with by weighing the supported data rates and the access point load. Once the client determines the best access point to connect to, it moves to the authentication stage of 802.11 network access.

Open authentication is a null authentication algorithm. The access point will grant any request for authentication. It might sound pointless to use such an algorithm, but open authentication has its place in 802.11 network authentication. Authentication in the 1997 802.11 specification is connectivity-oriented: the requirements for authentication are designed to allow devices to gain quick access to the network.

Open authentication consists of two messages:

The authentication request

The authentication response

Open authentication grants any device network access. If no encryption is enabled on the network, any device that knows the SSID of the access point can gain access to the network. With WEP encryption enabled on an access point, the WEP key itself becomes a means of access control. If a device does not have the correct WEP key, then even though authentication succeeds, the device will be unable to transmit data through the access point.


Shared key authentication is the other type of authentication specified in the 802.11 standard. Shared key authentication requires that the client be configured with a static WEP key.

1. The client sends an authentication request to the access point requesting shared key authentication

2. The access point replies with an authentication response containing challenge text

3. The client uses its locally configured WEP key to encrypt the challenge text and replies with a subsequent authentication request

4. If the access point can decrypt the authentication request and recover the original challenge text, it replies with an authentication response that grants the client access


MAC address authentication is not specified in the 802.11 standard, but many vendors, including Cisco, support it. MAC address authentication verifies the client's MAC address against a locally configured list of allowed addresses or against an external authentication server (Figure 7). MAC authentication is used to augment the open and shared key authentication provided by 802.11, further reducing the likelihood of unauthorized devices accessing the network.


Limiting RF Propagation

Before any other security measures are implemented, it is important to consider the implications of RF propagation by APs in a wireless network. Chosen wisely, the proper transmitter/antenna combination can be an effective security tool that will help limit access to the wireless network to only the intended coverage area. Chosen poorly, they can extend a network beyond the intended area into a parking lot or farther.

Antennas can be characterized primarily by two features: directionality and gain. Omnidirectional antennas have a 360-degree coverage area, while directional antennas limit coverage to better-defined areas (see Fig. 2). Antenna gain is typically measured in dBi and is defined as the increase in power that an antenna adds to an RF signal.

Figure 2. RF propagation patterns of common antennas.

Because current 802.11 products make use of the unlicensed Industrial, Scientific, and Medical (ISM) 2.4-GHz band, they are subject to the rules promulgated by the FCC in 1994 for spread spectrum use. These rules specify that any antenna sold with a product must be tested and approved by an FCC laboratory. To keep end users from using incorrect or illegal antennas with 802.11 products, the FCC also requires that any APs capable of using removable antennas must use nonstandard connectors. In the U.S., the FCC defines the maximum Effective Isotropic Radiated Power (EIRP) of a transmitter/antenna combination as 36 dBm, where EIRP = transmitter power + antenna gain - cable loss. Essentially, this means that as transmitter power increases, antenna gain must decrease to remain below the 36 dBm legal maximum. For example, a 100-mW transmitter equates to 20 dBm. This transmitter combined with a 16-dBi antenna produces a total of 36 dBm, the legal limit. To increase antenna gain, we would legally be required to reduce transmitter power. In practice, most transmitter/antenna combinations sold today are well below the FCC maximum of 36 dBm.

The implications of all this are that transmitter power/antenna gain combinations are strictly regulated and limit the area that can be legally covered by any single AP. When designing WLANs, it is important to perform a thorough site survey and consider the RF propagation patterns of the antennas in use and the effective power of the transmitter/antenna combination. Also, because the ISM band is essentially open for use by anybody without licensing, it is important to consider the possibility of denial of service (DoS) from otherwise benign sources such as 2.4-GHz cordless phones. Finally, consider that a potential attacker may not be playing within the FCC rules. A resourceful attacker may be using high-power transmitters, high-gain antennas, and/or more sensitive receivers. Each of these can increase the effective range of wireless networks.


WEP is based on the RC4 algorithm, which is a symmetric key stream cipher. As noted previously, the encryption keys must match on both the client and the access point for frame exchanges to succeed. The following section will examine stream ciphers and provide some perspective on how they work and how they compare to block ciphers.

A stream cipher encrypts data by generating a key stream from the key and performing the XOR function on the key stream with the plain-text data. The key stream can be any size necessary to match the size of the plain-text frame to encrypt (Figure 11).

Figure 11   Stream Cipher Operation


Block ciphers deal with data in defined blocks, rather than frames of varying sizes. The block cipher fragments the frame into blocks of predetermined size and performs the XOR function on each block. Each block must be the predetermined size, and leftover frame fragments are padded to the appropriate block size (Figure 12). For example, if a block cipher fragments frames into 16 byte blocks, and a 38-byte frame is to be encrypted, the block cipher fragments the frame into two 16-byte blocks and one six-byte block. The six-byte block is padded with 10 bytes of padding to meet the 16-byte block size.

Figure 12   Block Cipher Operation


The process of encryption described above for stream ciphers and block ciphers is known as Electronic Code Book (ECB) mode encryption. With ECB mode encryption, the same plain-text input always generates the same cipher-text output. As Figure 13 illustrates, the input text of "FOO" always produces the same cipher-text. This is a potential security threat because eavesdroppers can see patterns in the cipher-text and start making educated guesses about what the original plain-text is.

Figure 13   Electronic Code Book Encryption


There are two encryption techniques to overcome this issue:

Initialization vectors

Feedback modes

An initialization vector (IV) is used to alter the key stream. The IV is a numeric value that is concatenated to the base key before the key stream is generated. Every time the IV changes, so does the key stream. Figure 14 shows the same plain-text "FOO" with the XOR function performed with the IV-augmented key stream to generate different cipher-text. The 802.11 standard recommends that the IV change on a per-frame basis. This way, if the same packet is transmitted twice, the resulting cipher-text will be different for each transmission.

Figure 14   Encryption with an Initialization Vector


The IV is a 24-bit value (Figure 15) that augments a 40-bit WEP key to 64 bits and a 104-bit WEP key to 128 bits. The IV is sent in the clear in the frame header so the receiving station knows the IV value and is able to decrypt the frame (Figure 16). Although 40-bit and 104-bit WEP keys are often referred to as 64-bit and 128-bit WEP keys, the effective key strength is only 40 bits and 104 bits, respectively, because the IV is sent unencrypted.

Figure 15   Initialization Vector in a WEP-Encrypted Frame
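As an added illustration of the stream-cipher and IV behaviour described above (example code written for this essay, not taken from the 802.11 standard or any vendor's implementation), the block below implements RC4, prepends a 24-bit IV to a constructed 40-bit key as WEP does, and shows that a fixed IV makes identical frames encrypt identically while a per-frame IV does not. The key and IV values are constructed samples, and the integrity check value that a real WEP frame also carries is left out.

```python
IV_LEN = 3  # the WEP IV is 24 bits and is sent in the clear at the start of the frame body

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA) followed by the PRGA; returns `length` key stream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                     # PRGA: one key stream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(base_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet key = IV || base key (40-bit key + 24-bit IV = 64 bits).
    Returns IV || (plaintext XOR key stream); the IV itself is not encrypted."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 24 bits")
    stream = rc4_keystream(iv + base_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, stream))

def wep_decrypt(base_key: bytes, frame: bytes) -> bytes:
    """The receiver reads the clear-text IV, rebuilds the same key stream and XORs again."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    stream = rc4_keystream(iv + base_key, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

def demo() -> dict:
    """Constructed 40-bit key and IVs: fixed-IV repetition versus a per-frame IV."""
    key40 = bytes.fromhex("0102030405")        # constructed sample key, not a real one
    same_iv = wep_encrypt(key40, b"\x00\x00\x01", b"FOO")
    again = wep_encrypt(key40, b"\x00\x00\x01", b"FOO")     # identical: the pattern an eavesdropper sees
    fresh_iv = wep_encrypt(key40, b"\x00\x00\x02", b"FOO")  # same text, different cipher-text
    return {"same_iv": same_iv, "again": again, "fresh_iv": fresh_iv,
            "roundtrip": wep_decrypt(key40, fresh_iv)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value.hex()}")
```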


Feedback modes are modifications to the encryption process to prevent a plain-text message from generating the same cipher-text during encryption. Feedback modes are generally used with block ciphers, and the most common feedback mode is known as cipher block chaining (CBC) mode.

The premise behind CBC mode is that a plain-text block has the XOR function performed with the previous block of cipher-text. Because the first block has no preceding cipher-text block, an IV is used to change the key stream. Figure 17 illustrates the operation of CBC mode. Other feedback modes are available, and some will be discussed later in this paper.

Figure 17   CBC Mode Block Cipher


In August 2001, cryptanalysts Fluhrer, Mantin, and Shamir determined that a WEP key could be derived by passively collecting particular frames from a wireless LAN. The vulnerability lies in how WEP uses the key scheduling algorithm (KSA) of the RC4 stream cipher. Certain IVs (referred to as weak IVs) can reveal key bytes after statistical analysis. Researchers at AT&T/Rice University as well as the developers of the AirSnort application demonstrated this vulnerability in practice and verified that WEP keys of either 40- or 128-bit key length can be derived after as few as 4 million frames. For high-usage wireless LANs, this translates to roughly four hours until a 128-bit WEP key is derived.

This vulnerability renders WEP ineffective. Using dynamic WEP keys can mitigate it, but such reactive efforts only mitigate known issues. To eliminate the vulnerability, a mechanism that strengthens the WEP key is required.