
WIRELESS NETWORK:

Unit I
MEDIUM ACCESS ALTERNATIVES

SESSION        TITLE
Session 1.1.   Fixed access for voice oriented networks - TDMA, FDMA
Session 1.2.   Code division multiple access
Session 1.3.   Comparison of CDMA, TDMA and FDMA
Session 1.4.   Comparison of CDMA, TDMA and FDMA
Session 1.5.   Random access for data oriented networks
Session 1.6.   Hand off
Session 1.7.   Channel assignment schemes
Session 1.8.   Roaming support
Session 1.9.   Security & Privacy

MULTIPLE RADIO ACCESS


Medium Access Alternatives: Fixed-assignment for Voice Oriented Networks,
Random Access for Data Oriented Networks, Handoff and Roaming Support,
Security and Privacy

Classification of Multiple Access Protocols

Multiple access protocols
  Contention-based
    Random access: ALOHA, CSMA, BTMA, ISMA, etc.
    Collision resolution: TREE, WINDOW, etc.
  Conflict-free: FDMA, TDMA, CDMA, Token Bus, DQDB, etc.

BTMA: Busy Tone Multiple Access


ISMA: Internet Streaming Media Alliance

DQDB: Distributed Queue Dual Bus

1. Fixed-Assignment Access for Voice-Oriented Networks
   a. Frequency Division Multiple Access (FDMA)
   b. Time Division Multiple Access (TDMA)
   c. Code-Division Multiple Access (CDMA)

2. Random Access for Data-Oriented Networks
   a. ALOHA-Based Wireless Random Access Techniques
   b. CSMA-Based Wireless Random Access Techniques

Fixed-Assignment Access for Voice-Oriented Networks

The available spectrum bandwidth for our wireless communication is limited.

Multiple access techniques enable multiple signals to occupy a single communications channel.
Major Types
Frequency division multiple access (FDMA)
Time division multiple access (TDMA)
Code division multiple access (CDMA)

Frequency division multiple access (FDMA)

It assigns individual frequency to individual users (i.e., accommodates one user at a time).

Each user is separated by Guard Bands.

The complexity of FDMA mobile systems is lower when compared to TDMA systems.

A guard band is a narrow frequency band between adjacent frequency channels to avoid interference from the adjacent channels.

The number of channels that can be simultaneously supported in a FDMA system is given by

BT -> total spectrum allocation,
BGUARD -> the guard band
BC -> the channel bandwidth

Key Features
If an FDMA channel is not in use, then it sits idle and cannot be used by other users.
The bandwidths of FDMA channels are narrow (30 kHz).
Intersymbol interference is low.
It needs only a few synchronization bits.

De Merits

FDMA systems are costlier because of the single channel per carrier design.

It needs to use costly bandpass filters to eliminate spurious radiation at the base station.

The FDMA mobile unit uses duplexers since both the transmitter and receiver operate at the same time. This results in an increase in the cost of FDMA subscriber units and base stations.

FDMA requires tight RF filtering to minimize adjacent channel interference.

Time Division Multiple Access

TDMA vs FDMA

Time division multiple access (TDMA) systems divide the radio spectrum into time slots.
Each user occupies a cyclically repeating time slot.
A set of N slots form a Frame.
Each frame is made up of a preamble, an information message, and tail bits.
TDMA systems transmit data in a buffer-and-burst method.

TDMA shares a single carrier frequency with several users, where each user makes use of non-overlapping time slots.

TDMA uses different time slots for transmission and reception.

Adaptive equalization is usually necessary in TDMA systems, since the transmission rates are generally very high as compared to FDMA channels.

High synchronization overhead is required in TDMA systems because of burst transmissions.

Guard Bands are necessary to ensure that users at the edge of the band do not "bleed over" into an adjacent radio service.

Frame Structure

The preamble contains the address and synchronization information that both the base station and the subscribers use to identify each other.

Trial bits specify the start of a data.

Synchronization bits will intimate the receiver about the data transfer.

Guard Bits are used for data isolation.

Efficiency of TDMA

where
bOH - no. of overhead bits per frame
br - no. of overhead bits per
bp - no. of overhead bits per preamble in each slot
bg - no. of equivalent bits in each guard time interval
Nr - reference bursts per frame
Nt - traffic bursts per frame

The efficiency of a TDMA system is a measure of the percentage of transmitted data that contains information as opposed to providing overhead for the access scheme.
The total number of bits per frame, bT, is
bT = Tf R
Tf is the frame duration, and R is the channel bit rate.
Then the frame efficiency is

And the no. of frames

m - maximum number of TDMA users supported on each radio channel

Spread spectrum multiple access (SSMA)


Frequency Hopped Multiple Access (FHMA)
Direct Sequence Multiple Access (DSMA)
Direct sequence multiple access is also called code division multiple
access (CDMA).
Frequency Hopped Multiple Access

The carrier frequencies of the individual users are varied in a pseudorandom fashion within a wideband channel.

The digital data is broken into uniform sized bursts which are transmitted on different carrier frequencies.
Fast Frequency Hopping System -> the rate of change of the carrier frequency is greater than the symbol rate
Slow Frequency Hopping -> the channel changes at a rate less than or equal to the symbol rate

Code Division Multiple Access (CDMA)

The narrowband message signal is multiplied by a very large bandwidth signal called the spreading signal (pseudo-noise code).

The chip rate of the pseudo-noise code is much more than message signal.

Each user has its own pseudorandom codeword.

[Figure: message signal and PN sequence]

CDMA uses co-channel cells.

All the users use the same carrier frequency and may transmit simultaneously without any knowledge of others.

The receiver performs a time correlation operation to detect only the specific desired codeword.

All other code words appear as noise.

Multipath fading may be substantially reduced because the signal is spread over a large spectrum.

Channel data rates are very high in CDMA systems.

CDMA supports soft handoff: the MSC can simultaneously monitor a particular user from two or more base stations. The MSC may choose the best version of the signal at any time without switching frequencies.

In CDMA, the power of multiple users at a receiver determines the noise floor.

In CDMA, stronger received signal levels raise the noise floor at the base station demodulators for the weaker signals, thereby decreasing the probability that weaker signals will be received. This is called the Near-Far problem.

To combat the Near-Far problem, power control is used in most CDMA

Random Access for Data-Oriented Networks

In all wireless networks such as cellular telephony or PCS services all voice-oriented operations use fixed-assignment channel access.

And data related traffic is carried out using Random Access Techniques.

Random access methods provide a more flexible and efficient way of managing channel access for communicating short bursty messages.

It provides each user station with varying degrees of freedom in gaining access to the network whenever information is to be sent.

ALOHA-Based Wireless Random Access Techniques

The original ALOHA protocol is also called pure ALOHA.

ALOHA Protocol is developed by University of Hawaii. The word ALOHA means "hello" in Hawaiian.

The initial system used ground-based UHF radios to connect computers on several of the island campuses with the university's main computer center on Oahu, by use of a random access protocol which has since been known as the ALOHA protocol.

Basic Concept

A mobile terminal transmits an information packet when the packet arrives from the upper layers of the protocol stack.

A user accesses a channel as soon as a message is ready to be transmitted.

Each packet is encoded with an error-detection code.

After a transmission, the user waits for an acknowledgment on either the same channel or a separate feedback channel.

The BS checks the parity of the received packet. If the parity checks properly, the BS sends a short acknowledgment packet to the MS.

Collision

The message packets are transmitted at arbitrary times, so there is a possibility of collisions between packets.

After sending a packet the user waits a length of time more than the round-trip delay for an acknowledgment from the receiver.

If no acknowledgment is received, the packet is assumed lost in a collision, and it is transmitted again with a randomly selected delay to avoid repeated collisions.

As the number of users increase, a greater delay occurs because the probability of collision increases.

Pure ALOHA

MERITS:

The advantage of ALOHA protocol is that it is very simple, and it does not impose any synchronization between mobile terminals.
DEMERITS

It has low throughput under heavy load conditions.

The maximum throughput of the pure ALOHA is 18 percent.
Slotted ALOHA

The maximum throughput of a slotted ALOHA is 36 percent.

In slotted ALOHA, time is divided into equal time slots of length greater than the packet duration t.

The subscribers have synchronized clocks and each user will be synchronized with the BS clock.

The user message packet is buffered and transmitted only at the beginning of a new time slot. This prevents partial collisions.

New transmissions are started only at the beginning of a new slot.

Application:
In GSM the initial contact between BS and MS for voice communication is carried out by slotted ALOHA.
De-Merit:
Even though the throughput is higher than pure ALOHA it is still low for present day wireless communication needs.
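
The 18 percent and 36 percent maxima quoted above can be checked numerically. The following Python sketch is an added example, not part of the original notes: it uses the standard Poisson-traffic results S = G e^(-2G) for pure ALOHA and S = G e^(-G) for slotted ALOHA (formulas assumed here, the notes give only the maxima) and confirms them with two small simulations whose function names and parameters are illustrative.

```python
import math
import random


def pure_aloha_theory(G):
    """S = G * exp(-2G): a packet survives only if no other packet starts
    within one packet time before or after it (vulnerable period = 2)."""
    return G * math.exp(-2 * G)


def slotted_aloha_theory(G):
    """S = G * exp(-G): slot alignment shrinks the vulnerable period to 1."""
    return G * math.exp(-G)


def simulate_pure_aloha(G, duration=20000.0, seed=1):
    """Poisson packet starts at rate G per packet time, packet length 1.
    Returns successfully delivered packets per packet time."""
    rng = random.Random(seed)
    starts = []
    t = rng.expovariate(G)
    while t < duration:
        starts.append(t)
        t += rng.expovariate(G)
    ok = 0
    for i, s in enumerate(starts):
        clear_before = i == 0 or s - starts[i - 1] >= 1.0
        clear_after = i == len(starts) - 1 or starts[i + 1] - s >= 1.0
        if clear_before and clear_after:
            ok += 1
    return ok / duration


def simulate_slotted_aloha(G, stations=50, slots=20000, seed=1):
    """Each station transmits in a slot with probability G / stations.
    A slot delivers a packet only when exactly one station transmits."""
    rng = random.Random(seed)
    p = G / stations
    ok = 0
    for _ in range(slots):
        senders = sum(1 for _ in range(stations) if rng.random() < p)
        if senders == 1:
            ok += 1
    return ok / slots


def peak(throughput, loads):
    """Return (G, S) at the maximum of a throughput curve."""
    return max(((g, throughput(g)) for g in loads), key=lambda gs: gs[1])


if __name__ == "__main__":
    loads = [i / 100 for i in range(1, 301)]      # offered load G = 0.01 .. 3.00
    for name, theory, sim in (
        ("pure", pure_aloha_theory, simulate_pure_aloha),
        ("slotted", slotted_aloha_theory, simulate_slotted_aloha),
    ):
        g, s = peak(theory, loads)
        print(f"{name:8s} peak S = {s:.3f} at G = {g:.2f}, simulated {sim(g):.3f}")
    # Heavy load: collisions dominate and throughput collapses.
    print("pure ALOHA at G = 2.0:", round(simulate_pure_aloha(2.0), 3))
```
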

Reservation ALOHA

Reservation ALOHA is the combination of slotted ALOHA and time division multiplexing.

In this certain packet slots are assigned with priority, and it is possible for users to reserve slots for the transmission of packets.

For high traffic conditions, reservations on request offers better throughput.

Packet Reservation Multiple Access (PRMA)

PRMA is a method for transmitting a variable mixture of voice packets and data packets.

This allows each time slot to carry either voice or data, where voice is given priority.

PRMA merges characteristics of slotted ALOHA and TDMA protocols.

It is used for short-range voice transmission where a small delay is acceptable.

The transmission format in PRMA is organized into frames, each containing a fixed number of time slots.

Each slot is named as either "reserved" or "available".

Only the user terminal that reserved the slot can use a reserved slot.

Other terminals not holding a reservation can use an available slot.

Terminals can send two types of information, referred to as periodic and random.

Speech packets are always periodic. Data packets can be random.

Reservation:

A terminal having periodic information to send starts transmitting in contention for the next available time slot.

After completion of transmission the base station grants the sending terminal a reservation for exclusive use of the same time slot in the next frame.

This frame is reserved till the terminal completes its transmission.

The reservation status is reverted when the terminal sends nothing in that frame.

CSMA-Based Wireless Random Access Techniques


De-Merits of ALOHA
1. ALOHA protocols do not listen to the channel before transmission; the users will start transmitting as soon as the message is ready.
2. Efficiency is reduced by the collision and retransmission process.
3. There are no mechanisms to avoid collisions.

CSMA - Carrier Sense Multiple Access
In this each terminal will monitor the status of the channel before transmitting information.

If there is another user transmitting on the channel, it is obvious that a terminal should delay the transmission of the packet.

If the channel is idle, then the user is allowed to transmit data packet without any restrictions.

The CSMA protocol reduces the packet collision significantly compared with ALOHA protocol, but does not eliminate it entirely.

Parameters in CSMA protocols
1. Detection delay is a function of the receiver hardware and is the time required for a terminal to sense whether or not the channel is idle.
2. Propagation delay is a relative measure of how fast it takes for a packet to travel from a base station to a mobile terminal.

Propagation delay is important, since just after a user begins sending a packet, another user may be ready to send and may be sensing the channel at the same time.

If the transmitting packet has not reached the user who is poised to send, the latter user will sense an idle channel and will also send its packet, resulting in a collision between the two packets.

propagation delay (td)

where
tp -> propagation time in seconds,
Rb -> channel bit rate
m -> expected number of bits in a data packet

Various strategies of the CSMA

1. NON-PERSISTENT CSMA
In this type of CSMA strategy, after receiving a negative acknowledgment the terminal waits a random time before retransmission of the packet.
2. 1-PERSISTENT CSMA
The terminal senses the channel and waits for transmission until it finds the channel idle. As soon as the channel is idle, the terminal transmits its message with probability one.
3. p-PERSISTENT CSMA
When a channel is found to be idle, the packet is transmitted with probability p. It may or may not be immediate.
4. CSMA/CD
In this the user monitors the channel for possible collisions. If two or more terminals start a transmission at the same time the transmission is immediately aborted in midway.
5. Data sense multiple access (DSMA) is a special type of CSMA that is used to serve the hidden terminals. Cellular networks use different frequencies for forward and reverse channel. Each MS may not have the knowledge about other MS operating in that area. So it may not know when the channel is idle. For this the BS can announce the availability of the reverse channel through the forward control channel. The BS uses Busy-Idle bit to announce.
6. Busy tone multiple access (BTMA): this is a special type of technique where the system bandwidth is divided into message channel and busy channel. Whenever a terminal sends data through message channel it will also transmit a busy tone in busy channel. If another terminal senses the busy channel it will understand that the message channel is busy and it will also turn on its busy tone. This acts as an alarm for other terminals.

Handoff
When a mobile user is engaged in conversation, the MS is connected to a
BS via a radio link.
If the mobile user moves to the coverage area of another BS, the radio
link to the old BS is eventually disconnected, and a radio link to the new BS
should be established to continue the conversation.
This process is variously referred to as automatic link transfer, handover,
or handoff.
Three strategies have been proposed to detect the need for handoff:
mobile-controlled handoff (MCHO)
network-controlled handoff (NCHO)
mobile-assisted handoff (MAHO)
Mobile-Controlled Handoff (MCHO)
The MS continuously monitors the signals of the surrounding BSs and
initiates the handoff process when some handoff criteria are met. MCHO is
used in DECT and PACS.
Network-Controlled Handoff (NCHO)
The surrounding BSs measure the signal from the MS, and the network initiates
the handoff process when some handoff criteria are met. NCHO is used in CT-2
Plus and AMPS.
Mobile-assisted handoff (MAHO)
The network asks the MS to measure the signal from the surrounding BSs. The
network makes the handoff decision based on reports from the MS. MAHO is used
in GSM and IS-95 CDMA.
Two types of handoff
The BSs involved in the handoff may be connected to the same MSC
(inter-cell handoff or inter-BS handoff)
The BSs involved in the handoff may be connected to two different MSCs
(intersystem handoff or inter-MSC handoff ).
Inter-BS Handoff
The new and the old BSs are connected to the same MSC.
Assume that the need for handoff is detected by the MS; the following actions
are taken:

The MS momentarily suspends conversation and initiates the handoff procedure
by signaling on an idle (currently free) channel in the new BS. Then it resumes the
conversation on the old BS.
Upon receipt of the signal, the MSC transfers the encryption information to the
selected idle channel of the new BS and sets up the new conversation path to the
MS through that channel. The switch bridges the new path with the old path and
informs the MS to transfer from the old channel to the new channel.
After the MS has been transferred to the new BS, it signals the network, and
resumes conversation using the new channel.
Upon receipt of the handoff completion signal, the network removes the bridge
from the path and releases resources associated with the old channel.
This handoff procedure is used with the mobile-controlled handoff strategy.

Inter-BS link transfer

Inter-BS Handoff
For the network-controlled handoff strategy, all handoff signaling messages
are exchanged between the MS and the old BS through the failing link.
The whole process must be completed as quickly as possible, to ensure that
the new link is established before the old link fails.
If the new BS does not have an idle channel, the handoff call may be dropped
(or forced to terminate).
The forced termination probability is an important criterion in the performance
evaluation of a PCS network.
Forced termination of an ongoing call is considered less desirable than blocking
a new call attempt.
Most PCS networks handle a handoff in the same manner as a new call attempt.
That is, if no channel is available, the handoff is blocked and the call is held on the
current channel in the old cell until the call is completed or when the failing link is
no longer available.
This is referred to as the non-prioritized scheme.
Channel assignment schemes
To reduce forced termination and to promote call completion, three channel
assignment schemes have been proposed:
Reserved channel scheme.
Queuing priority scheme.
Subrating scheme.
Intersystem Handoff
In intersystem handoff, the new and old BSs are connected to two different
MSCs.
We trace the intersystem handoff procedure of IS-41, where network-controlled
handoff (NCHO) is assumed.
In this figure, a communicating mobile user moves out of the BS served by
MSC A and enters the area covered by MSC B.

Intersystem handoff requires the following steps:

Step 1. MSC A requests MSC B to perform handoff measurements on the call in
progress. MSC B then selects a candidate BS, BS2, and interrogates it for signal
quality parameters on the call in progress. MSC B returns the signal quality
parameter values, along with other relevant information, to MSC A.
Step 2. MSC A checks if the MS has made too many handoffs recently (this is
to avoid, for example, numerous handoffs between BS1 and BS2 where the MS is
moving within the overlapped area) or if intersystem trunks are not available. If so,
MSC A exits the procedure. Otherwise, MSC A asks MSC B to set up a voice
channel. Assuming that a voice channel is available in BS2, MSC B instructs MSC
A to start the radio link transfer.
Step 3. MSC A sends the MS a handoff order. The MS synchronizes to BS2.
After the MS is connected to BS2, MSC B informs MSC A that the handoff is
successful. MSC A then connects the call path (trunk) to MSC B and completes the
handoff procedure.
In this intersystem handoff process, MSC A is referred to as the anchor MSC,
and is always in the call path before and after the handoff, as illustrated in the four
cases in Figure 2.4.
This anchor approach is used in all existing mobile phone networks because the
re-establishment of a new call path (without involving MSC A) between MS and
the new MSC would require extra trunk release/setup operations in PSTN, which is
not available or is not cost-effective.

Roaming Management
Two basic operations in roaming management are
registration (or location update), the process whereby an MS informs the system
of its current location, and
location tracking, the process during which the system locates the MS. Location
tracking is required when the network attempts to deliver a call to the mobile user.
The roaming management strategies proposed in the IS-41 and GSM MAP
standards are two-level strategies in that they use a two-tier system of home
and visited databases.

Registration Procedure
Visitor Location Register (VLR)
When the mobile user visits a PCS network other than the home system, a
temporary record for the mobile user is created in the visitor location register
(VLR) of the visited system.
The VLR temporarily stores subscription information for the visiting
subscribers so that the corresponding MSC can provide service.
In other words, the VLR is the "other" location register used to retrieve
information for handling calls to or from a visiting mobile user.
Home Location Register (HLR)
When a user subscribes to the services of a PCS network, a record is created
in the system's database, called the home location register (HLR).
This is referred to as the home system of the mobile user.
The HLR is a network database that stores and manages all mobile subscriptions
of a specific operator.
Specifically, the HLR is the location register to which an MS identity is
assigned for record purposes, such as directory number, profile information, current
location, and validation period.
WIRELESS SECURITY AND PRIVACY
The broadcast nature of wireless communications renders it very susceptible to malicious interception and wanted or unintentional interference.
Analog techniques are extremely easy to tap.
Digital systems such as TDMA and CDMA are much harder to tap.
Wireless security is necessary to prevent the unauthorized access or damage to computers using wireless networks.
There are two names you need to know in a wireless network:
Station (STA) -> is a wireless network client: a desktop computer, laptop, or PDA
Access point (AP) -> is the central point (like a hub) that creates a basic service set to bridge a number of STAs from the wireless network to other existing networks.

Modes of unauthorized access


1. Accidental association
2. Malicious association
3. Ad-hoc networks
4. Non-traditional networks
5. Identity theft (MAC spoofing)
6. Man-in-the-middle attacks
7. Denial of service
8. Network injection
9. Caffe Latte attack

1. Accidental association: Violation of security perimeter of corporate network unintentionally.
2. Malicious association: when wireless devices can be actively made by attackers to connect to a company network through their cracking company access point (AP). These types of laptops are known as soft APs and are created when a cyber criminal runs some software that makes his/her wireless network card look like a legitimate access point. Once access is gained, he/she can steal passwords, launch attacks on the wired network, or plant Trojans.
3. Ad-hoc networks: Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security.
4. Non-traditional networks: Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured.
5. Identity theft (MAC spoofing): Identity theft occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges.
6. Man-in-the-middle attacks: In this the hacker will include a soft AP into a network. Once this is done, the hacker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent hacking computer to the real network.
7. Denial of service: A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted Access Point or network with bogus requests, premature successful connection messages, failure messages, and other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash.
8. Network injection: In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
9. Caffe Latte attack: The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted Address Resolution Protocol (ARP) requests, the assailant takes advantage of the shared key authentication and the message modification flaws in WEP.

The Attack Methodology


1. Footprint the wireless network - Locate and understand your target.
2. Passive attack - Analyze the network traffic or break the WEP.
3. Authentication and authorization - Determine what methods are enforced and how they can be circumvented.
4. Active attack - Launch denial of service (DoS) attacks.
Defense Mechanisms
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access(WPA)
Wi-Fi Protected Access-2 (WPA-2)

Wired Equivalent Privacy (WEP)


WEP is a standard network protocol that adds security to wireless
networks at the data link layer.
WEP utilizes a data encryption scheme called RC4 for data protection.
RC4 (also known as ARC4 or ARCFOUR) is the most widely used
software stream cipher and is used in popular protocols.
RC4 generates a pseudorandom stream of bits.
Standard 64-bit WEP uses a 40-bit key (WEP-40) and a 24-bit initialization vector.

The 128-bit WEP protocol uses a 104-bit key size (WEP-104) and a 24-bit initialization vector.
Initialization vector (IV) is a fixed size input which is used for randomization of key. The purpose of an IV is to prevent any repetition.

Authentication

The client sends an authentication request to the Access Point.
The Access Point replies with a clear-text challenge.
The client encrypts the challenge text using the configured WEP key, and sends it back in another authentication request.
The Access Point decrypts the response. If this matches the challenge text the Access Point sends back a positive reply.

Disadvantages
The same traffic key must never be used twice.
But a 24-bit IV is not long enough to ensure this on a busy network.
In August 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir published a cryptanalysis of WEP that decodes the way the RC4 cipher and IV are used in WEP.
Using a passive attack they were able to recover the RC4 key after eavesdropping on the network.
A successful key recovery could take as little as one minute depending on the traffic.
WEP is replaced by WPA (Wi-Fi Protected Access).
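
Why the traffic key must never repeat, and why 24 bits of IV cannot guarantee that, is shown by the following Python sketch. It is an added example, not part of the original notes: the key, IV and plaintexts are constructed sample values, the per-frame RC4 seed is modelled as IV || key, and the CRC-32 integrity value that WEP appends is left out for brevity.

```python
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """Model of WEP encryption: RC4 seeded with the 24-bit IV followed by
    the shared key. The IV itself is sent in the clear with every frame."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Chance that at least two of `frames` randomly chosen IVs are equal
    (birthday bound over an IV space of 2**iv_bits values)."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0
    log_unique = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_unique)


# Constructed sample values, not taken from the notes.
WEP40_KEY = bytes.fromhex("0102030405")
IV_A = bytes.fromhex("a1b2c3")
IV_B = bytes.fromhex("a1b2c4")
P1 = b"GET /index.html "
P2 = b"user=alice&x=42 "


def same_iv_cancels_keystream() -> bool:
    """Two frames under one IV: the keystream drops out of C1 xor C2,
    leaving P1 xor P2 without any knowledge of the key."""
    c1 = wep_encrypt(IV_A, WEP40_KEY, P1)
    c2 = wep_encrypt(IV_A, WEP40_KEY, P2)
    return xor(c1, c2) == xor(P1, P2)


def fresh_iv_cancels_keystream() -> bool:
    """Same frames under different IVs: the keystreams differ, nothing cancels."""
    c1 = wep_encrypt(IV_A, WEP40_KEY, P1)
    c2 = wep_encrypt(IV_B, WEP40_KEY, P2)
    return xor(c1, c2) == xor(P1, P2)


if __name__ == "__main__":
    print("same IV leaks P1 xor P2:", same_iv_cancels_keystream())
    print("fresh IV leaks P1 xor P2:", fresh_iv_cancels_keystream())
    for n in (1000, 5000, 20000):
        print(f"{n:6d} frames -> P(IV repeat) = {iv_collision_probability(n):.3f}")
```

With randomly chosen IVs a repeat becomes more likely than not after about 5000 frames, so a busy network reuses keystream within a short time regardless of key length.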
Wi-Fi Protected Access(WPA)

The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP.
WPA uses Temporal Key Integrity Protocol (TKIP) to bolster encryption of wireless packets.

TKIP

TKIP encryption replaces WEP's 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change.

TKIP uses a 128-bit per-packet key; it dynamically generates a new key for each packet and prevents collisions.

It has an extended initialization vector (IV) with sequencing rules, and a rekeying mechanism.

WPA with TKIP provides 3 levels of security
1. TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization.
2. WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point.
3. TKIP implements a 64-bit Message Integrity Check (MIC)
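
How the sequence counter and the integrity check from points 2 and 3 work together on the receiving side is sketched below in Python. This is an added example, not part of the original notes and not TKIP's actual algorithms: HMAC-SHA256 truncated to 64 bits stands in for the MIC, the counter is modelled as a 48-bit number per sender, and the class, key and frames are constructed for illustration.

```python
import hashlib
import hmac

ACCEPT = "accept"
REJECT_REPLAY = "reject: replayed or out-of-order counter"
REJECT_MIC = "reject: integrity check failed"


class ReplayGuard:
    """Receiver model: a frame is accepted only if its counter is higher than
    the last accepted counter from that sender AND its integrity tag verifies.
    The stored counter advances only after the tag has been verified."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = {}                # sender address -> last accepted counter

    def tag(self, sender: str, seq: int, payload: bytes) -> bytes:
        # Stand-in for the 64-bit MIC (assumption: HMAC-SHA256, first 8 bytes).
        # The counter is covered by the tag so it cannot be rewritten in transit.
        msg = sender.encode() + seq.to_bytes(6, "big") + payload
        return hmac.new(self.mic_key, msg, hashlib.sha256).digest()[:8]

    def receive(self, sender: str, seq: int, payload: bytes, mic: bytes) -> str:
        if seq <= self.last_seq.get(sender, -1):
            return REJECT_REPLAY
        if not hmac.compare_digest(mic, self.tag(sender, seq, payload)):
            return REJECT_MIC             # counter state is left untouched
        self.last_seq[sender] = seq
        return ACCEPT


def run_demo():
    """Feed a constructed frame sequence through the guard, return the verdicts."""
    guard = ReplayGuard(mic_key=b"constructed-demo-mic-key")
    sta = "02:00:00:00:00:01"             # constructed station address

    def frame(seq, payload):
        return (sta, seq, payload, guard.tag(sta, seq, payload))

    captured = frame(2, b"transfer 100")
    frames = [
        frame(1, b"hello"),
        captured,
        frame(3, b"bye"),
        captured,                                   # same frame seen again
        (sta, 10, b"forged", b"\x00" * 8),          # high counter, invalid tag
        frame(4, b"still in sequence"),             # genuine traffic continues
    ]
    return [guard.receive(*f) for f in frames]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Because the counter is updated only after the tag verifies, the invalid frame carrying counter 10 does not push the window forward, and the genuine frame with counter 4 is still accepted.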

Merits and Demerits

TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks.

But the message integrity check, per-packet key hashing, broadcast key rotation, and a sequence counter prevent many attacks.

The key mixing function also eliminates the WEP key recovery attacks.

Beck-Tews attack has successfully extracted the keystream
Ohigashi-Morii attack

Japanese researchers Toshihiro Ohigashi and Masakatu Morii reported a simpler and faster implementation of a similar attack.

It utilizes a similar attack method, but uses a man-in-the-middle attack.

WPA 2

WPA2 (Wi-Fi Protected Access 2) replaced the original WPA technology on all certified Wi-Fi hardware since 2006.

WPA2 uses Pre-Shared Key (PSK) instead of TKIP.

WPA2 Pre-Shared Key (PSK) utilizes keys with 256 bits.

There are two versions of WPA2:

WPA2-Personal - protects against unauthorized network access by utilizing a set-up password.

WPA2-Enterprise - verifies network users through a server.

WPA2 is backward compatible with WPA.
