Attack Robustness and Security Enhancement with Improved Wired Equivalent Protocol


ACEEE Int. J. on Network Security, Vol. 03, No. 02, April 2012

Mr. S.M.K.M. Abbas Ahmad (1), Dr. E.G. Rajan (2) and Dr. A. Govardhan (3)
(Corresponding Author: S.M.K.M. Abbas Ahmad)

(1) Associate Professor, Dept. of E.C.E., Hi-Tech College of Engg & Tech, Hyderabad, India, Phone: +918985042004, Email: smkmabbas@rediffmail.com
(2) President, Pentagram Research Centre, Hyderabad, India, Phone: +919849164747, Email: rajaneg@yahoo.co.in
(3) Professor of CSE, JNTUH, Hyderabad, India, Phone: +919440887733, Email: govardhan_cse@yahoo.co.in

Abstract: With the widespread use of wireless networks, securing data transmission becomes a basic requirement. The IEEE 802.11 standard, which defines wireless network communication, proposed in its second version, IEEE 802.11b, a new protocol to offer some wired-like security services, such as data privacy, data integrity, and authentication. In this paper, we analyze the security holes of Wired Equivalent Privacy (WEP) and we propose an improvement over WEP which achieves, in addition to its security goals, another security service, which is replay detection.

Keywords: WEP; RC4; 802.11 Security; Communication; Authentication; Attacks.

© 2012 ACEEE DOI: 01.IJNS.03.02.3

I. INTRODUCTION
Research has been done in the field of ad hoc networking since the 1970s. Wireless networking devices were not easily available at that time, so ad hoc networking stayed theoretical for a while. A few years ago, IEEE 802.11 was defined as a new standard for wireless networking. In a short period of time, many manufacturers provided Wi-Fi networking devices at a low cost. This facilitated the building of real ad hoc networks. Today, many ad hoc networking test beds use Wi-Fi technology. Security in 802.11 networks is handled by the Wired Equivalent Privacy (WEP) protocol, which has been part of the 802.11 standard since its initial ratification in 1999. WEP relies on the RC4 stream cipher [1,2]. However, security experts [8] revealed several weaknesses in the key scheduling algorithm of RC4, showing that RC4 is completely insecure in the common mode of operation which is used in WEP. This has been illustrated with an implementation [9] which made it possible to retrieve the WEP secret key by passively collecting enough data over the wireless network. IEEE 802.11 established the Task Group (TGi) to solve the security problems of WEP. The 802.11 security protocol is so seriously flawed that TGi has decided to create a new security protocol from scratch, not constrained by the WEP design. However, many WEP-based wireless networking adapters have already been shipped and deployed. TGi has proposed the Temporal Key Integrity Protocol (TKIP), a collection of algorithms wrapping WEP, to improve security for already deployed 802.11 devices operating in infrastructure mode (involving access points). This solution uses an authentication server, so it cannot be applied in ad hoc networks, which are decentralized environments.

II. WEP ENCRYPTION
The IEEE 802.11 [1] standard defined Wired Equivalent Privacy (WEP) as a first line of defense for wireless networks. WEP, as defined by the 802.11 standard, is intended to provide a level of data confidentiality that is equivalent to a wired network. WEP provides both authentication, to protect against unauthorized access to the network through open system and shared key authentication, and encryption services, to defeat eavesdroppers who may try to decrypt captured transmissions. The encryption used in implementing this protocol is the RC4 symmetrical stream cipher with either a 40-bit or 104-bit encryption key.

A. Authentication Process
WEP security involves two parts, authentication and encryption. Authentication in WEP, as described in Figure 1, involves authenticating a device when it first joins the LAN. The purpose of the authentication process in wireless networks using WEP is to prevent devices/stations from joining the network unless they know the WEP key.

Figure 1: WEP Authentication

In WEP-based authentication, the wireless device sends an authentication request to the wireless access point, and the access point then sends a 128-bit random challenge in clear text to the requesting client. The wireless device uses the shared secret key to sign the challenge and sends it to the wireless access point. The access point decrypts the signed message using the shared secret key and verifies it against the challenge that it sent before. If the challenge matches, authentication succeeds; otherwise it fails. Unfortunately, in WEP, no secret key is exchanged after authentication. The same secret key or shared key is used for both authentication and encryption. So there is no way to tell whether the subsequent messages come from the trusted device or from an impostor. This kind of authentication is prone to man-in-the-middle attack. This authentication is really not a best effort here. In the Wi-Fi specification, authentication was completely dropped, despite being in the IEEE 802.11 standard.

B. Working of RC4 Algorithm
1. RC4 Stream Cipher: RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security [2]. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. A variable-length key K, of size 1 to 256 bytes, is used to initialize a 256-byte state vector S, with elements S[0], S[1] to S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 to 255. Initially, the entries of S are set to the values 0 to 255 in ascending order. A temporary vector T is also created. For a key of length keylen bytes, the first keylen elements of T are copied from K, and then K is repeated as many times as necessary to fill out T. Next, we use T to produce the initial permutation of S. Once S is initialized, the input key is no longer used. The next step (stream generation) is to generate the key used for encryption. It involves starting with S[0] and going through to S[255] and, for each S[i], swapping S[i] with another byte in S according to a scheme dictated by the current configuration of S. After S[255] is reached, the process continues, starting over again at S[0]. For encryption, the generated key value is XORed with the next byte of plaintext. For decryption, the generated key value is XORed with the next byte of cipher text.

C. WEP Encryption Process and Frame
Every data frame sent by a station in a WEP-protected network is encrypted and integrity protected. Non-data frames, like beacon frames, acknowledgment frames and similar frames, are not protected by WEP at all. When a station sends a packet, the following steps are executed.
1) The station picks a 24-bit value called the initialization vector IV. The IEEE 802.11 standard does not specify how to choose this value. Apart from some minor modifications, most vendors implemented one of the following two methods:
a) The IV is chosen by a pseudo random number generator (PRNG) independently from all other packets sent by this station.
b) The station always remembers the last IV used. When a new IV needs to be chosen, the station interprets the last IV used as a number and adds 1 to this number. When the highest possible number is reached, the station starts again with 0. On startup, the IV counter either takes a fixed value or a random number is assigned to it.
2) The IV is prepended to the root key to form the per-packet key K = IV||Rk.
3) A CRC32 checksum of the payload is produced and appended to the payload. This checksum is called the Integrity Check Value (ICV).
4) The per-packet key K is fed into the RC4 stream cipher to produce a key stream X of the length of the payload with checksum.
5) The plaintext with the checksum is XORed with the key stream to form the cipher text of the packet.
6) The cipher text, the initialization vector IV and some additional header fields are used to build a packet, which is now sent to the receiver.

The packet being sent now contains the following header fields:
Frame control: It contains general information about the frame (is it a data, management, or control frame) and the transmission (has the station more packets to send).
Duration, ID: It contains the expected duration of this transmission and some other values in special cases.
Address 1, 2, 3: It contains the following addresses: the address of the AP the packet is sent from/to, the address of the destination station and the address of the source station. In a special mode called WDS, where two APs communicate directly with each other, there is a fourth address, the address of the second AP.
Sequence control: It contains information about fragmentation. The IEEE 802.11 protocol is able to fragment packets before they are transmitted.
WEP parameters: It contains the IV which was used to encrypt this packet, and a key index. The key index is used to identify the correct key when more than one key is used in a network.
Payload and ICV: This is the encrypted payload of the packet, including a CRC32 checksum at the end of the payload which is called Integrity protection value (ICV). Payload and ICV are encrypted.

Figure 2: WEP Frame Format

D. WEP Vulnerability
Several serious security flaws were discovered in WEP [3], owing to which WEP failed to achieve its security goals. Some of its vulnerabilities are listed below:
1. The RC4 algorithm itself has a subtle weakness [4] that can be exploited to crack keys.
2. The presence of relatively short IVs and keys that remain static [5]. If an individual collects enough frames based on the same IV, he can determine the shared values among them, i.e., the key stream or the shared secret key. This of course leads to decrypting any of the 802.11 frames.
3. The 802.11 standard does not support the exchange of keys among stations, nor does it provide any automatic way of changing keys. It depends on external key management for distribution.
4. The implementation has so far been based on 64-bit keys with a 24-bit initialization vector, resulting in only 40-bit encryption, which is quite low.
Improving the static nature of the IV and providing a stronger encryption at a higher layer could solve a major part of the WEP vulnerability. A stronger encryption could prevent brute force attacks and result in larger overheads during cryptanalysis.
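How quickly a 24-bit IV repeats under the two selection methods of Section II.C, and how a monitor can flag repeats from the WEP parameters field, is shown in the following Python sketch. It is an added example, not code from the paper; the function names and the sample fields are constructed here, and the field layout (three IV bytes, then one byte whose top two bits carry the key index) is an assumption of the sketch.

```python
import math, random
from collections import Counter

IV_BITS = 24                                   # WEP initialization vector length

def parse_wep_params(field: bytes):
    """Split a WEP parameters field into (iv, key_index); 4-byte layout assumed."""
    if len(field) != 4:
        raise ValueError("expected 3 IV bytes plus 1 key-index byte")
    return field[:3], field[3] >> 6            # key index in the top two bits

def reused_ivs(fields):
    """Map each (iv, key_index) seen more than once to its frame count."""
    seen = Counter(parse_wep_params(f) for f in fields)
    return {pair: n for pair, n in seen.items() if n > 1}

def expected_frames_random(bits: int = IV_BITS) -> float:
    """Method (a), independent random IVs: birthday estimate of the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def frames_counter(bits: int = IV_BITS) -> int:
    """Method (b), incrementing counter: first repeat comes after the wrap to 0."""
    return 2 ** bits + 1

def simulate_random(rng: random.Random, bits: int = IV_BITS) -> int:
    """Draw random IVs until one repeats; return how many frames that took."""
    seen = set()
    while True:
        iv = rng.getrandbits(bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

# Constructed WEP parameter fields from one station: the first IV occurs twice
# under key index 0; the last field carries the same IV under key index 1.
SAMPLE = [bytes.fromhex(h) for h in ("a1b2c300", "a1b2c400", "a1b2c300", "a1b2c340")]

if __name__ == "__main__":
    print(reused_ivs(SAMPLE))
    print(round(expected_frames_random()), frames_counter())
    print(simulate_random(random.Random(1)))
```

The counter figure assumes the station never restarts; a counter that restarts from a fixed value, as step 1 b) allows, repeats its earliest IVs after every restart.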

III. ATTACKS
A. Types of Attacks crafted on WEP
1. The FMS attack: The FMS attack was the first key recovery attack against RC4 in WEP-like operating modes and was published by Fluhrer, Mantin, and Shamir in 2001. We can summarize the FMS attack as follows: An attacker who has access to an oracle OWEP CTR(3; 13; 1) can recover the internal key of the oracle with a success probability of 50% with about 9,000,000 queries to the oracle and negligible computational effort.

B. The KoreK key recovery attack
This implementation uses 17 different attacks, which are able to determine K[l] if K[0] to K[l - 1] and the first two words of output X[0] and X[1] are known. An attacker who has access to an oracle OWEP CTR(3; 13; 2) can recover the internal key of the oracle with success probability 50% with 700,000 queries to the oracle and negligible computational effort.

C. Mantin's second round attack
It was the first key recovery attack on RC4 which made use of the so-called Jenkins' correlation, which is also called Glimpse property or RC4 Glimpse. An attacker who has access to an oracle OSKIPWEP(OWEP(l_iv; 16; 1); 256) can recover the secret key of oracle OWEP with a probability of 80% by sending about 2^25 ≈ 3.3·10^7 queries to OSKIPWEP and by testing up to 2^48 ≈ 2.8·10^14 different keys for correctness, even if he has not got direct access to OWEP. Different tradeoffs for CPU time and number of queries are possible. l_iv must be large enough to generate 2^25 different IVs. The complexity decreases for shorter root keys.

IV. PROPOSED IMPROVEMENTS IN WEP
The proposed approach aims to resolve WEP flaws without changing the hardware, while keeping good interoperability with existing WEP.

A. Encryption Process
We propose a scheme similar to WEP. The difference is that in iWEP we encrypt both the message T and the iv with RC4. Encrypting the iv aims to hide it from eavesdropping. As can be visualized, the iWEP sender encrypts T_i concatenated to iv_{i+1} using iv_i. Thus, it is sufficient for the receiver to know the initial iv, iv1, to decrypt the first frame, which contains iv2, used to decrypt the second frame, and so on. To start the encryption process, the two nodes agree on some initial iv; this step is detailed in section B. After this, the sender S randomly generates a new iv. Let iv2 be the generated iv, and iv1 the initial iv. S uses his own key k and iv1 to generate a key stream KS1 using RC4. S concatenates the CRC to M1, which gives T1 = (M1, CRC), then he concatenates iv2 to T1. The whole is then XORed with KS1. S sends the XORed message to the receiver R. Knowing iv1, R decrypts the message, verifies the CRC, and then stores iv2. iv2 will be used to decrypt the next frame sent by S. As a matter of fact, every frame contains the initialization vector used to encrypt the next one. So, frame i, encrypted using iv_i, contains iv_{i+1}, which will be used to encrypt and decrypt frame i + 1. Initialization vectors are all, except the first one, generated randomly by the sender. This leaves no correlation between ivs, and therefore enhances resistance to brute force attacks.

Fig. 2. Ciphering principle in iWEP

B. Procedure for selecting Initial Vector IV
The process shown above requires that S and R agree on the initial iv. This can be done in many ways. We suggest here two methods that are secure enough and do not produce an overhead. The first is to agree on iv1 using the Diffie-Hellman (DH) algorithm [7]. This algorithm allows two entities to establish a secret (a key, for example) based upon messages exchanged publicly. It will be sufficient to take as iv1 the first 24 bits of the key agreed on using DH. The second is to use a hash algorithm [5], [6] to compute the iv. A hash algorithm is a one-way function that compresses some bit stream BS into a digest D of a given length. The principle is to compute D on each side by hashing a common secret information, such as k. Thus, S and R separately compute the digest of k, and take the first 24 bits as iv1. SHA-1, which is a secured well-known hash algorithm, can be used to this end.

V. INTEROPERABILITY WITH WEP
A. Translating from WEP to iWEP
The translation is carried out in two steps:
I- Extraction of iv: it consists of separating the ivs from their messages. The ivs are already in clear;
II- Re-association of ivs: in this step, a given iv, iv_i, is used to encrypt the concatenation of T_i and iv_{i+1}.

B. Translating from iWEP to WEP
In this case, the translator typically re-uses the previous iv, iv_i, to decrypt the current iWEP frame (i).
I- Extraction of iv: using iv_i for decryption, the clear text contains the message T_i, and iv_{i+1}, which will be extracted (and used also for further decryption);
II- Re-association of ivs: iv_i is used to encrypt T_i and iv_i. iv_{i+1} is used for decryption of the next frame.
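The WEP encapsulation of Section II.C and the iWEP chaining of Section IV are put side by side in the following Python sketch, which also shows why a replayed iWEP frame fails its CRC check. It is an added example, not the authors' implementation: all function and class names are hypothetical, the 40-bit key is constructed, keying RC4 with iv || k in iWEP mirrors WEP's K = IV||Rk as an assumption, and the CRC is packed little-endian as an assumption.

```python
import hashlib, os, struct, zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: permute S with the key, then XOR data with the generated key stream."""
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling (initial permutation)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # stream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:              # CRC32 checksum of the payload
    return struct.pack("<I", zlib.crc32(payload))   # little-endian packing assumed

def wep_encrypt(rk: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP steps 2-6: K = IV || Rk, RC4 over payload + ICV, IV sent in clear."""
    return iv + rc4(iv + rk, payload + icv(payload))

def wep_decrypt(rk: bytes, frame: bytes) -> bytes:
    plain = rc4(frame[:3] + rk, frame[3:])
    if icv(plain[:-4]) != plain[-4:]:
        raise ValueError("ICV mismatch")
    return plain[:-4]

def initial_iv(k: bytes) -> bytes:             # Section IV.B, hash method:
    return hashlib.sha1(k).digest()[:3]        # first 24 bits of SHA-1(k)

class IwepPeer:
    """One end of an iWEP link; both ends track the iv expected next."""
    def __init__(self, k: bytes):
        self.k, self.iv = k, initial_iv(k)
    def send(self, msg: bytes, next_iv: bytes = b"") -> bytes:
        next_iv = next_iv or os.urandom(3)     # iv_{i+1}, random unless supplied
        frame = rc4(self.iv + self.k, msg + icv(msg) + next_iv)  # (T_i, iv_{i+1})
        self.iv = next_iv
        return frame                           # unlike WEP, no iv in clear
    def receive(self, frame: bytes) -> bytes:
        plain = rc4(self.iv + self.k, frame)
        msg, crc, next_iv = plain[:-7], plain[-7:-3], plain[-3:]
        if len(frame) < 7 or icv(msg) != crc:
            raise ValueError("CRC mismatch: not encrypted under the expected iv")
        self.iv = next_iv                      # stored to decrypt the next frame
        return msg

def replay_demo(k: bytes = b"\x01\x02\x03\x04\x05"):   # constructed 40-bit key
    s, r = IwepPeer(k), IwepPeer(k)
    f1, f2 = s.send(b"frame one"), s.send(b"frame two")
    delivered = [r.receive(f1), r.receive(f2)]
    try:
        r.receive(f1)                          # replayed frame; receiver expects iv3
        return delivered, "replay accepted"
    except ValueError:
        return delivered, "replay rejected"
```

A WEP receiver decrypts the same captured frame any number of times because the IV travels with it, whereas the iWEP receiver has already moved on to the next iv. The same chaining means a lost frame leaves the receiver without the iv needed for the following one.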


VI. RESULTS

Figure 3: Encryption Process of WEP and iWEP

Figure 4: iWEP and WEP compared when decrypting data

Figure 5: Throughput of iWEP and WEP for variable data length computational

CONCLUSION
In this paper, we have reviewed security holes in WEP. Then we described our protocol iWEP, which achieves the security goals of WEP. We also compared iWEP and WEP when decrypting data. In this paper we have also shown that throughput is greater for iWEP than for WEP for variable data length computations. It is important to note that iWEP can be directly deployed over any hardware using WEP.

REFERENCES
[1] S.M.K.M. Abbas Ahmad, Dr. E.G. Rajan, Dr. A. Govardhan, Mr. Juluru Peraiah, "Security Enhancement in WEP Mobility", invited paper at International Conference on CNSA-2010, Springer-Verlag, July 2010, Volume No: CCIS 90, pp. 388-399.
[2] Arash Habibi Lashkari, F. Towhidi, R. S. Hoseini, "Wired Equivalent Privacy (WEP)", ICFCC Kuala Lumpur Conference, published by IEEE Computer Society, indexed by Thomson ISI, 2009.
[3] Donggang Liu, P. N., "Security for Wireless Sensor Networks", Springer, November 2006.
[4] Garcia, R. H. a. M., "An Analysis of Wireless Security", CCSC: South Central Conference, 2006.
[5] Kempf, J., "Wireless Internet Security: Architecture and Protocols", Cambridge University Press, October 2008.
[6] Hani Ragab Hassan, Yacine Challal, "Enhanced WEP: An efficient solution to WEP threats", IEEE, 2005.
[7] Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography 2001, volume 2259 of Lecture Notes in Computer Science, pages 1-24. Springer, 2001.
[8] David Hulton. Practical exploitation of RC4 weakness in WEP environments, 2002. Presented at HiverCon 2002.
[9] Wireless LAN medium access control (MAC) and physical layer (PHY) specifications (IEEE Standard 802.11). L.M.S.C. of the IEEE Computer Society, 1999.

AUTHORS' PROFILE

Mr. S.M.K.M. ABBAS AHMAD did his B.E. from Gulbarga University, Karnataka, India in 1998, and M.Tech. from V.T.U., Belgaum in 2004. He is pursuing a Ph.D. at Jawaharlal Nehru Technological University, Hyderabad under the guidance of Dr. E.G. Rajan & Dr. A. Govardhan. He is presently an Associate Professor of ECE at Hi-Tech College of Engineering & Technology, Hyderabad. He has 14 years of teaching experience. His areas of interest are Wireless Communications, Wireless Network Security & Digital Electronics. He is a life member of the Indian Society for Technical Education. He is a member of IAENG.

Dr. E.G. Rajan did his B.Sc. in Physics Major from Madras University in 1970, DMIT in Electronics Engineering in 1974, and M.E. in Applied Electronics from Madras University in 1983. He did his Ph.D. in Signal & Image Processing at Indian Institute of Technology, Kanpur, India in 1990. He is the founder president of Pentagram Research Center (Pvt), Hyderabad, India. He was categorized as Best Instructor of Dept. of Electrical Engineering, IIT, Kanpur for the years 1990-91 & 1991-92. He has 34 years of industry & teaching experience. He worked as Electronic Warfare Officer/Signal Analyst, Aviation Research Centre, Cabinet Secretariat, Director of General of Security, Govt. of India from 1977-1986. He proposed the Transforms for Pattern Recognition known by his name, Rajan Transforms. He is an elected member of International Federation of Systems Research, Kepler University, Austria. He has guided 7 Ph.D. scholars and 60 M.Tech. projects. He has published more than 20 research papers in international journals. His areas of interest are Communication Engineering, Cryptography, Pattern Recognition, Bioinformatics, Systemics, Image Processing, Signal Processing.

Dr. A. Govardhan did his BE in Computer Science and Engineering from Osmania University College of Engineering, Hyderabad in 1992, M.Tech from Jawaharlal Nehru University, Delhi in 1994 and Ph.D from Jawaharlal Nehru Technological University, Hyderabad in 2003. He is presently a Professor of CSE and Director of Evaluations at Jawaharlal Nehru Technological University Hyderabad AP, India. He is a member on the Editorial Boards of International Journal of Emerging Technologies and Applications in Engineering Technologies and Sciences (IJ-ETA-ETS) and International Journal of Computer Applications in Engineering Technologies and Sciences (IJ-CA-ETS), International Journal of Advanced Computing, International Journal of Data Engineering and Computer Science, International Journal of Computational Intelligence and Information Security and Scientific and Technical.

