WLAN SECURITY

Name: ---- Guide By

H.T No: 12AB40000 ------
ABSTRACT
Wireless LAN is a flexible communication system implemented as an
extension to a wired LAN, using electromagnetic waves to transmit and
receive data over air, minimizing the need for wired connections. It is a
communication network that provides connectvity to wireless devices
within a limited geographic are such as home, school, single office, building
or campus. Wi-Fi is universal standard for wireless networks and is the
wireless equivalent of wired Ethernet networks.
WLAN and Architecture
WLAN: Linking of two or more computers without using wires which
uses spread spectrum technology based on radio waves
WLAN and Architecture
Basic security in WLAN
SSIDs, WEP, and MAC Address Authentication:

Service Set Identifiers: Prevents access by any client device that does
not have the SSID.

Open or shared-key authentication, static WEP key: Access point

sends the client device a challenge-text packet which client must
encrypt

Media Access Control authentication: clients MAC address

matches an address in an authentication table
Wi-Fi Protected Access (WPA)
There are two types of WPA authentication:
WPA and WPA2. WPA is designed to work with all wireless network
adapters, but it might not work with older routers or access points.
WPA2 is more secure than WPA, but it will not work with some older
network adapters. WPA is designed to be used with an 802.1X
authentication server.
Features of WPA
WPA Authentication
Pre-shared key (PSK)
every user given the same pass-phrase
less secure
preferred for Personal mode - homes, small offices

IEEE 802.1X authentication

server distributes different keys to each user
enhanced security and authentication
preferred for enterprise mode - business, government, education
Encryption
RC4 stream cipher using 128-bit key, 48-bit IV
larger IV defeats Key recovery attack

Key Management
Temporal Key Integrity Protocol (TKIP) - dynamically changes
encryption keys for each packet.

Payload Integrity
8 Byte Message integrity code( MIC)
Calculated by algorithm called Michael
MIC includes a frame counter to prevent replay attacks
Components of WPA2
802.1X Port-Based Network Access Control for authentication
Counter Mode with CBC-MAC Protocol (CCMP) for
confidentiality, integrity and origin authentication
Temporary Key Integrity Protocol (TKIP)
IEEE 802.1X
802.1X is an IEEE standard for port-based Network Access Control for
LANs
For WLANs, it is based on the EAP, Extensible Authentication Protocol
The authentication is usually done by a third-party entity, such as a
RADIUS server
TKIP - Temporal Key Integrity Protocol

RC4 stream cipher as in WEP

Keys used for encryption - 128-bit long
Keys used for authentication - 64 bit long
TKIP provides

Per-Packet Key Hashing to Mitigate "Weak IV" Attacks:

Each time a wireless station associates to an access point, a new
base key is created which is built by hashing base key with the IV.
Prevention of Collision attacks: Each packet transmitted
using TKIP has a unique 48-bit serial number which
incremented every time a packet is transmitted. This solves
another problem in WEP, called "collision attacks," which can
occur when the same key is used for two different packets.
CCMP (Counter Mode with CBC MACProtocol)

CCMP uses the counter mode (CTR) for data confidentiality and
the Cipher Block Chaining Message Authentication Code (CBC-
MAC) for data integrity.
It uses the Advanced Encryption Standard (AES) algorithm with
a 128-bit key and a 128-bit block size.
CCMP uses a 48-bit Packet Number (PN) to prevent replay
attacks and construct a fresh nonce for each packet.
 Smart cards
Some other solutions
Beneficial in environments requiring authentication beyond
simple username and password
User certificate and other information are stored on the cards
VPN
Provides secure data transmission across public network
infrastructures.
Use IPsec Protocol suite for ensuring private
communications.
Biometrics
For agencies needing higher levels of security, biometrics
such as fingerprint/palm-print scanners , optical scanner can
be integrated with wireless smart cards
Advantages of WLAN:
It's easier to add or move workstations.
Easier to provide connectivity in areas that are difficult to lay cable.
Installation is quick and easy.
Disadvantages of WLAN:
When the number of computers that use the network increases,
the data transfer to the computer each will be reduced.
The low bandwidth wireless.
Long-term cost benefits can be found in the static environment.
Conclusion
The optimal security solution for WLAN involves a combination of
security technologies.
A detailed threat risk assessment and analysis is essential to determine
which security measures or combination of measures are the most
effective.
References

en.wikipedia.org/wiki/Wi-Fi_Protected_Access
en.wikipedia.org/wiki/WPA2
http://en.wikipedia.org/wiki/IEEE_802.1x
en.wikipedia.org/wiki/TKIP
http://www.networkworld.com/reviews/2004/1004wirelesstkip.html
http://tldp.org/HOWTO/html_single/8021X-HOWTO/#p8021x
www.wi-fiplanet.com/tutorials/article.php/953561
www.drizzle.com/~aboba/IEEE/