In a wireless network, data is transmitted through the air. It is therefore easier to interfere with, because the transmissions are not physically protected, and the data is difficult to secure.
Multinational companies use high-tech methods to safeguard wireless communication, but these are expensive and smaller businesses cannot afford them.
Privacy is at risk because the data is difficult to secure, and a solution involving encryption offers a reduced quality of service.
Wireless communication issues are continually under review, and wireless protocols and technology are being developed to lessen the threats and risks.
WIRELESS LAN TOPOLOGY:
A group of clients that communicate with each other on an 802.11 network is known as a basic service set (BSS). A BSS can be arranged in two topologies: independent BSS and infrastructure BSS.
In an independent BSS, clients communicate directly with each other, creating a peer-to-peer network. These are also referred to as ad hoc networks.
An infrastructure BSS includes an access point through which all communication takes place. To access the network, a client must associate with the access point. In an infrastructure network, multiple BSSs are linked together to create a larger coverage area. The number of BSSs is called the service set identifier (SSID). An SSID can be any string of up to 32 bytes.
Wireless LAN security:
There are many threats and vulnerabilities associated with wireless LANs because data is broadcast directly through the air. To achieve a secure network, four main goals have to be considered: confidentiality, integrity, availability and authentication.
1. Confidentiality in WLAN:
Confidentiality means restricting information so that other people cannot use or access it. It can be achieved through encryption. There are two types of encryption: symmetric and asymmetric.
Symmetric encryption: both clients use the same key to encrypt and decrypt data.
Asymmetric encryption: the two clients use different keys to encrypt and decrypt the data.
IEEE 802.11 specifies an encryption algorithm to encrypt the data between the access point and the clients connected to it. Wired Equivalent Privacy (WEP) is a symmetric encryption algorithm.
Integrity means safeguarding the accuracy and completeness of information. The designers of the IEEE 802.11 standard addressed integrity by including a cyclic redundancy check integrity value in the payload of data frames.
Availability in WLANs:
Availability is about ensuring that information can be used by authorized users when required. Availability is particularly problematic with wireless LANs, which are susceptible to interference and jamming.
Authentication in WLANs:
Authentication is the process of proving one's identity to another. Authentication is required to prevent unauthorized users from accessing the network.
Professionals agree that attackers generally fall into two categories: targeted attackers and attackers of opportunity.
Targeted attacker: the attacker deliberately targets and attacks another network to retrieve sensitive and valuable information.
Attackers of opportunity:
These attackers wait for an opportunity and intrude into as many systems as possible.
WIRELESS LAN STANDARD SECURITY ISSUES
Nowadays wireless local area networks are deployed in various locations including homes, schools, airports and business offices.
The Wired Equivalent Privacy protocol, which was proposed as a security mechanism for 802.11 WLANs, can be easily broken with hacking software; hence there is a need to develop an alternate solution to enhance security in WLANs.
In this paper we study security in wireless LANs, starting with an overview of WLANs and their vulnerabilities.
This project is on WLANs, where security issues are of major importance.
Here we discuss wireless LAN standards, features and vulnerabilities. The survey of security mechanisms for WLANs revealed that Secure Socket Layer, virtual private networks, Cisco's Lightweight EAP and the new 802.11i protocol are the best protection methods adopted to enhance WLAN security.
A wireless LAN has a central point between the host and the requester, called the access point (AP).
The access point transmits data between different nodes and serves as the link between the wireless LAN networks.
Some of the IEEE wireless LAN standards:
IEEE 802.11: data rates up to 2 Mbps at 2.4 GHz
IEEE 802.11a: data rates up to 54 Mbps in the 5 GHz ISM band
IEEE 802.11b: data rates up to 11 Mbps in the 2.4 GHz ISM band
General Protocol stack of IEEE 802.11
An 802.11 frame is shown in the figure. It contains these fields:
Protocol Version field - Version of 802.11 frame in use
Type and Subtype fields - Identifies one of three functions and sub functions of the frame: control, data, and management
To DS field - Set to 1 in data frames destined for the distribution system (devices in the wireless structure)
From DS field - Set to 1 in data frames exiting the distribution system
More Fragments field - Set to 1 for frames that have another fragment
Retry field - Set to 1 if the frame is a retransmission of an earlier frame
Power Management field - Set to 1 to indicate that a node will be in power-save mode
More Data field - Set to 1 to indicate to a node in power-save mode that more frames are buffered for that node
Wired Equivalent Privacy (WEP) field - Set to 1 if the frame contains WEP encrypted information for security
Order field - Set to 1 in a data type frame that uses Strictly Ordered service class (does not need reordering)
Duration/ID field - Depending on the type of frame, represents either the time, in microseconds, required to transmit the frame or an association identity (AID) for the station that transmitted the frame
Destination Address (DA) field - MAC address of the final destination node in the network
Source Address (SA) field - MAC address of the node that initiated the frame
Receiver Address (RA) field - MAC address that identifies the wireless device that is the immediate recipient of the frame
Transmitter Address (TA) field - MAC address that identifies the wireless device that transmitted the frame
Sequence Number field - Indicates the sequence number assigned to the frame; retransmitted frames are identified by duplicate sequence numbers
Fragment Number field - Indicates the number for each fragment of a frame
Frame Body field - Contains the information being transported; for data frames, typically an IP packet
FCS field - Contains a 32-bit cyclic redundancy check (CRC) of the frame
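The field layout listed above, decoded from raw bytes. This is an added example, not part of the original paper: it assumes a data or management frame with the FCS still attached, takes the bit positions and the To DS / From DS address mapping from the 802.11 standard, and uses a constructed sample frame with made-up MAC addresses.

```python
import struct
import zlib

TYPES = {0: "management", 1: "control", 2: "data"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Decode an 802.11 data/management frame that ends with its 32-bit FCS."""
    fc, duration = struct.unpack_from("<HH", frame, 0)    # fields are little-endian
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    # Address 1 is always RA and address 2 is always TA; which slot holds
    # DA and SA depends on the To DS / From DS bits.
    da, sa = {(0, 0): (a1, a2), (1, 0): (a3, a2), (0, 1): (a1, a3),
              (1, 1): (a3, frame[24:30])}[(to_ds, from_ds)]
    (fcs,) = struct.unpack("<I", frame[-4:])
    return {
        "version": fc & 0x3,
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds, "from_ds": from_ds,
        "more_fragments": (fc >> 10) & 1, "retry": (fc >> 11) & 1,
        "power_mgmt": (fc >> 12) & 1, "more_data": (fc >> 13) & 1,
        "wep": (fc >> 14) & 1, "order": (fc >> 15) & 1,
        "duration_id": duration,
        "ra": mac(a1), "ta": mac(a2), "da": mac(da), "sa": mac(sa),
        "fragment": seq_ctl & 0xF, "sequence": seq_ctl >> 4,
        "body": frame[(30 if to_ds and from_ds else 24):-4],
        "fcs_ok": fcs == zlib.crc32(frame[:-4]),          # CRC-32 over header + body
    }

def build_sample():
    """Constructed frame: data type, To DS = 1, WEP bit = 1, sequence number 291."""
    fc = (2 << 2) | (1 << 8) | (1 << 14)
    raw = struct.pack("<HH", fc, 44)
    raw += bytes.fromhex("001122334455")    # address 1: RA (the access point)
    raw += bytes.fromhex("66778899aabb")    # address 2: TA, also SA when To DS = 1
    raw += bytes.fromhex("ccddeeff0011")    # address 3: DA when To DS = 1
    raw += struct.pack("<H", 291 << 4) + b"constructed payload"   # placeholder body
    return raw + struct.pack("<I", zlib.crc32(raw))

if __name__ == "__main__":
    for name, value in parse_frame(build_sample()).items():
        print(f"{name:15} {value}")
```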
2. VULNERABILITIES OF IEEE 802.11 WLAN
Accessing the network without wires is the central appeal of wireless LANs, but there are security problems compared with wired LANs. Some of the wireless network vulnerabilities are discussed below.
Invasion and Resource Stealing:
To attack a network, the attacker first searches for network parameters such as MAC addresses.
Hacking techniques such as MAC spoofing are used to attack the wireless LAN.
For example, if the network parameter is the MAC address, the attacker needs to know the MAC address and the IP address of the user. The attacker then only needs to wait until the user signs off the network to start using the resources of the valid user.
The attacker can change the direction of the traffic, so that packets bound for a particular laptop are redirected to the attacking station.
Denial of service:
There are two types of DoS attacks in WLANs:
Excessive interference in the network.
The attacking station sends disassociate messages to the targeted station, which causes continuous disconnections.
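A monitoring station can flag the second kind of attack by counting disassociation frames per transmitter/receiver pair in a sliding time window. This is an added example, not from the original paper; the tuple layout, window, threshold and sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MGMT, DISASSOC, DEAUTH = 0, 10, 12      # 802.11 type / subtype numbers

def detect_disassoc_flood(frames, window_ms=1000, threshold=5):
    """frames: (time_ms, type, subtype, transmitter, receiver) tuples.
    Returns [(transmitter, receiver, alert_time_ms)] for each pair that sent
    at least `threshold` disassociation/deauthentication frames in one window."""
    recent = defaultdict(deque)
    alerts = {}
    for t, ftype, subtype, ta, ra in sorted(frames):
        if ftype != MGMT or subtype not in (DISASSOC, DEAUTH):
            continue
        q = recent[(ta, ra)]
        q.append(t)
        while t - q[0] > window_ms:     # drop events that have left the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault((ta, ra), t)   # keep the first alert time only
    return [(ta, ra, t) for (ta, ra), t in sorted(alerts.items())]

# Constructed addresses for the sample capture.
AP, STA_A, STA_B = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"

def sample_capture():
    """Constructed capture: one normal disassociation, then a burst aimed at STA_B."""
    frames = [(500, MGMT, DISASSOC, AP, STA_A),                  # ordinary sign-off
              (600, 2, 0, STA_B, AP), (900, 2, 0, STA_B, AP)]    # data frames
    frames += [(10000 + 100 * i, MGMT, DISASSOC, AP, STA_B) for i in range(8)]
    return frames

if __name__ == "__main__":
    for ta, ra, t in detect_disassoc_flood(sample_capture()):
        print(f"disassociation burst {ta} -> {ra}, alert at {t} ms")
```

The transmitter address in a forged frame is whatever the sender claims, so the alert identifies the affected pair, not the real source.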
Rogue access points:
A rogue access point is installed by an attacker to receive traffic from wireless users, to whom it appears as a valid authenticator. If it is installed by the user, the user's packets are attacked by the attacker and sensitive data is also captured.
3.2 IEEE 802.11b vulnerabilities:
MAC Address Authentication:
An attacker who manages to steal a laptop with a registered MAC address will appear to the network as the original user.
One-way WEP authentication:
Authentication is one-way: the user has to prove its identity to the AP to gain access, but not vice versa. This allows a rogue AP to capture the client's packets that the station sends through the access point.
The SSID is usually found in the message header, which provides only a little security.
WEP Key Vulnerability:
WEP key encryption gives the same data assurance as in a wired network. Some notable points about WEP keys are:
Manual Key Management:
Keys need to be entered on all the access points and user devices. This key management overhead results in WEP keys that aren't changed often.
The IEEE 802.11 design community urges using 104- or 128-bit RC4 keys instead of 40-bit RC4 keys, which helps a little by increasing the attacker's work because of the larger key size.
The initialization vector (IV) is used to avoid encrypting two identical plaintexts with the same key, which would result in the same ciphertext. By combining a randomly generated IV with the key, the probability of identical plaintexts being encrypted into identical ciphertexts is reduced.
In repeated rekeying, frames with the same initialization vector result in a huge collection of frames encrypted with the same keystreams. These are called decryption dictionaries. Even if the secret key is not known, extra information is gathered about the unencrypted frames, which may ultimately lead to the exposure of the secret key.
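Why a repeated IV matters, shown with a simplified WEP frame body: when two frames share an IV and secret, the keystream cancels and the XOR of the ciphertexts equals the XOR of the plaintexts. This is an added example, not code from the original paper; it omits the key-ID byte of a real WEP header, and the secret, IVs and plaintexts are constructed.

```python
import struct
import zlib
from collections import Counter

def rc4_keystream(key, n):
    """Textbook RC4 (key scheduling, then output generation); returns n bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, secret, plaintext):
    """3-byte IV in clear, then RC4(IV || secret) over plaintext + CRC-32 value."""
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor(data, rc4_keystream(iv + secret, len(data)))

def wep_decrypt(secret, frame):
    iv, ciphertext = frame[:3], frame[3:]
    data = xor(ciphertext, rc4_keystream(iv + secret, len(ciphertext)))
    if struct.pack("<I", zlib.crc32(data[:-4])) != data[-4:]:
        raise ValueError("integrity check value mismatch")
    return data[:-4]

def reused_ivs(frames):
    """Audit helper: map each IV seen more than once to the number of frames using it."""
    counts = Counter(frame[:3] for frame in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

# Constructed inputs: a 40-bit secret and three frames, two of which share an IV.
SECRET = bytes.fromhex("0102030405")
P1, P2, P3 = b"GET /index.html ", b"user=alice&id=42", b"third frame data"
F1 = wep_encrypt(b"\x00\x00\x01", SECRET, P1)
F2 = wep_encrypt(b"\x00\x00\x01", SECRET, P2)   # same IV, so same keystream as F1
F3 = wep_encrypt(b"\x00\x00\x02", SECRET, P3)
```

Running `reused_ivs` over captured frames from one's own network gives a direct measure of how often keystreams repeat between key changes.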
3.3 IEEE 802.1x vulnerabilities:
Absence of Mutual Authentication:
Man-In-the-Middle Attack Setup
The user always trusts the authenticator, but not the other way around. In Fig. 2 there is no EAP request message originating from the supplicant (user); it only responds to requests sent by the authenticator. This one-way authentication opens the door to a man-in-the-middle attack. An attacker can easily learn the user's packets, because messages sent from the authenticator carry no integrity-preserving information.
Session Hijack Attack:
If there is a lack of communication between the two state machines (802.11 and 802.1x) and a lack of message authenticity, session hijacking is possible.
Consider Figure 3:
In steps 1 to 3, the supplicant and the authenticator engage in the authentication process.
The attacker sends a MAC disassociate message using the AP's MAC address.
The supplicant accepts it, assuming it comes from an authenticated party, although the disassociate message was sent by the attacker.
Thus the RSN state machine is transferred to the unassociated state.
The attacker then gains network access using the MAC address.
4. ALTERNATE SOLUTIONS FOR THE VULNERABILITIES OF STANDARD WLANS
The new IEEE 802.11i protocol, which is under development, is the best wireless LAN standard so far.
Alternate solutions for WLANs are given below:
1. Virtual Private Networks
2. Cisco LEAP
4.1 Virtual Private Networks (VPN)
A virtual private network is a means of transmitting data between two network devices. This technology has been used successfully in wired networks, and developers are now deploying it in wireless local area networks. It works by creating a tunnel on top of IP.
VPN provides three layers of security:
a. Authentication: A VPN server authorizes every individual user who logs on at a particular wireless station; authentication is user-based rather than machine-based.
b. Encryption: The VPN provides a secure tunnel. The traffic passing through the tunnel is encrypted, which maintains data confidentiality.
c. Data authentication: It assures that the traffic is from authenticated devices.
4.2 CISCO LEAP (Lightweight EAP)
Cisco introduced LEAP in December 2000 as a way to improve the overall security of wireless LANs.
Cisco LEAP supports strong authentication between client and server.
It addresses the 802.1x vulnerabilities with LEAP and Cisco WEP enhancements, such as:
Message integrity check (MIC)
Per packet keying
1) Mutual authentication between client station and access point
The rogue access point problem can be attributed to one-sided, client-centered authentication between client and access point.
LEAP must have two-way authentication.
The client should verify the identity of the access point before proceeding with the connection.
2) Sharing of WEP keys on a per-session basis
The LEAP protocol supports dynamic session keys; the key is not communicated over the air, as the server and the client each generate the key independently.
4.3 SSL (Secure Socket Layer)
Secure Socket Layer is a protocol that allows the secure transmission of data based on keys and certificates.
When a client uses SSL in a wireless LAN, once it starts communicating with an access point using WEP, the user cannot do anything on the wireless connection until properly authenticated. This authentication is provided by the additional level of Secure Socket Layer encryption.
IEEE 802.11i: WLAN Security Standards
The IEEE 802.11i security standard is designed to provide a more secure communication path for wireless LANs than the other security standards.
IEEE 802.11i enhances WEP (Wired Equivalent Privacy), a technology used for many years for WLAN security, in the areas of encryption, authentication and key management.
IEEE 802.11i is based on Wi-Fi Protected Access, which is a quick fix for the WEP weaknesses.
The IEEE 802.11i has the following key components:
1. Temporal Key Integrity Protocol (TKIP):
The Temporal Key Integrity Protocol uses an integrity code called Michael, which lets devices authenticate that packets come from the desired or known sources. Thus, data confidentiality is maintained.
TKIP also uses a mixing function to overcome weak key attacks.
2. Counter-Mode/CBC-MAC Protocol (CCMP):
It is the data confidentiality protocol that handles authentication and encryption of data.
For confidentiality, CCMP uses AES in counter mode.
For authentication and integrity, it uses cipher block chaining message authentication code (CBC-MAC).
CCMP protects some fields that aren't encrypted.
4. EAP encapsulation over LANs (EAPOL):
It is the key protocol in IEEE 802.1x for key exchange.
Two main EAPOL key exchanges are defined in IEEE 802.11i.
The first is the 4-way handshake.
The second key is handshake.
Protocol Structure - IEEE 802.11i: WLAN Security Standards
IEEE 802.11i components (figures not reproduced): CCMP MPDU format, CCMP CBC-MAC IV format, CCMP CTR format, TKIP MPDU format.
In this paper, vulnerabilities in wireless local area network protocols are discussed, and 802.11i, the best protocol security solution when compared with the other security standards, is examined.