Wireless Security by Allied Journals

International Journal of Engineering, Management & Sciences (IJEMS) ISSN-2348 –3733, Volume-2, Issue-5, May 2015

Wireless Security Ganesh Pandey, Dipendra Kumar Tripathi, Dheerendra Yadav, Anil Chaudhary  Abstract— The goal of this work is to point out some important facts in the establishment of wireless connection, where network infrastructure is less complex than wired media. Security needs to be enabled on wireless devices during their installation in enterprise environments. In wireless security, encryption is used to secure the network. In this work the author will discuss: • Existing mode of wireless LAN products • Existing solution to security using identifiers & authentication • Encryption methods for secure connection • Possibility of secure media access Index Terms— IEEE, Protocol, Authentication, Access Point.

I. INTRODUCTION By default, wireless security is nonexistent on access points and clients. The original 802.11 committee just didn’t imagine that wireless hosts would one day outnumber bounded media hosts, but that’s truly where we’re headed. Also, and unfortunately, just as with the IPv4 routed protocol, engineers and scientists didn’t add security standards that are robust enough to work in a corporate environment. So we’re left with proprietary solution add-ons to aid us in our quest to create a secure wireless network. A good place to start is by discussing the standard basic security that was added into the original 802.11 standards and why those standards are way too flimsy and incomplete to enable us to create a secure wireless network relevant to today’s challenges. II. OPEN ACCESS All Wi-Fi Certified LAN products are shipped in “open-access” mode, with their security features turned off. While open access or no security may be appropriate and acceptable for public hot spots such as coffee shops, college campuses, and maybe airports, it’s definitely not an option for an enterprise organization, and likely not even adequate for your private home network. Security needs to be enabled on wireless devices during their installation in enterprise environments. It may come as Manuscript received May 03, 2015. Ganesh Pandey, Department of Electronics & Communication Engineering , Buddha Institute of Technology, Gida, Gorakhpur. Dipendra Kumar Tripathi, Department of Electronics & Communication Engineering , Buddha Institute of Technology, Gida, Gorakhpur. Dheerendra Yadav, Department of Electronics & Communication Engineering , Buddha Institute of Technology, Gida, Gorakhpur. Anil Chaudhary, Assistant Professor, Department of Electronics & Communication Engineering , Buddha Institute of Technology, Gida, Gorakhpur.

quite a shock, but some companies actually don’t enable any WLAN security features. Obviously, the companies that do this are exposing their networks to tremendous risk! The reason that these products are shipped in open access mode is so that anyone-even someone without any IT knowledge, can just buy an access point, plug it into their cable or DSL modem, and voila—they’re up and running. It’s marketing, plain and simple, and simplicity sells, But that doesn’t mean we should leave it like that- unless we want to allow that network to be open to the public, we definitely shouldn’t. III. SSIDs, WEP & MAC ADDRESS AUTHENTICATION What the original designers of 802.11 did to create basic security was include the use of service set identifiers (SSIDs), open or shared-key authentication, static Wired Equivalency Privacy (WEP), and optional Media Access Control (MAC) authentication. Sounds like a lot, but none of these really offer any type of serious security solutionall they may be close to adequate for is use on a common home network. But we’ll go over them anyway. SSID is a common network name for the devices in a WLAN system that creates the wireless LAN. An SSID prevents access by any client device that doesn’t have the SSID. The thing is, by default, an access point broadcasts it SSID in it beacon many times a second. And even if SSID broadcasting is turned off, a bad guy can discover the SSID by monitoring the network and just waiting for a client response to the access point. Because, that information, as regulated in the original 802.11 specifications, must be sent in the clearhow secure. Two types of authentication were specified by the IEEE 802.11 committee: open authentication and shared-key authentication. Open authentication involves little more than supplying the correct SSIDbut it’s the most common method in use today. With shared-key authentication, the access point sends the client device a challenge-text packet that the client must then encrypt with the correct Wired Equivalency Privacy (WEP) key and return to the access point. Without the correct key, authentication will fail and the client won’t be allowed to associate with the access point. But shared-key authentication is still not considered secure because all an intruder has to do to get around this is detect both the clear text challenge and the same challenge encrypted with a WEP key and then decipher the WEP key. Shard key is not used in today’s WLAN because of clear text challenge, which presents vulnerability to a known-plain-text cryptographic attack. With open authentication, even if a client can complete authentication and associate with an access point, the use of WEP prevents the client from sending and receiving data from the access point unless the client has the correct WEP key. A WEP key is composed of either 40 or 128 bits and, in its basic form, is usually statically defined by the network

www.alliedjournals.com

Wireless Security

administrator on the access point and all clients that communicate with that access point. When static WEP keys are used, a network administrator must perform the time-consuming task of entering the same keys on every device in the WLAN. Obviously, we now have fixes for this because this would be administratively impossible in today’s huge corporate wireless networks. Last, client MAC addresses can be statically typed into each access point, and any of them that show up without that MAC addresses in the filter table would be denied access. All MAC layer information must be sent in the clearanyone equipped with a free wireless sniffer can just read the client packets sent to the access point and spoof their MAC address. WEP can actually work if administered correctly in non secure areas. But basic static WEP keys are no longer a viable option in today’s corporate networks without some of the proprietary fixes that run on top of it. III. ENCRYPTION METHODS There are two basic types of encryption methods used in most wireless networks today: TKIP and AES A.Temporal Key Integrity Protocol (TKIP) Put up a fence, and it’s only a matter of time until bad guys find a way over, around, or through it. And true to form, they indeed found ways to get through WEP’s defenses, leaving our Wi-Fi networks vulnerablestripped of their Data Link layer security! So someone who had to come to the rescue. In this case, it happened to be the IEEE 802.11i task group and the Wi-Fi Alliance, joining forces for the cause. They came up with the solution called Temporal Key Integrity Protocol (TKIP) which is based on the RC4 encryption algorithm. TKIP first gained respect in the WLAN world due to the protections it affords the authentication process, but it is also used after that completes to encrypt the data traffic thereafter. The Wi-Fi Alliance unveiled it back in late 2002 and introduced it as a Wi-Fi Protected Access (WPA). This little beauty even saved lots of money because TKIPsay this like, “tee kip:  didn’t make us upgrade all our legacy hardware equipment in order to use it. Then in summer of 2004, the IEEE, put its seal of approval on it final version and added even more defensive muscle with goodies like 802.1X and AES-CCMP (AES-Counter Mode CBC- MAC Protocol) upon publishing IEEE 802.11i-2004, the Wi-Fi Alliance responded positively by embracing the now complete specification and debugging it WPA2 for marketing purposes. B. AES Both WPA/2 and the 802.11i standard call for the pone of 128 bit Advanced Encryption Standard (AES) for data representation. It’s widely considered the best encryption available today and has been approved by the National Institute of Standards and Technology (NIST). It’s also referred to as AES-CCMP or AES Counter Mode with CBC-MAC authentication. The only shortcoming off AES is that due to the computational requirements. A cryptographic processor is needed to run it. Still, compared to RC4, it’s a lot more efficient while at the same time seriously augmenting security over with RC4.

IV. WI-FI PROTECTED ACCESS (WPA) Wi-Fi Protected Access (WPA) is a standard testing specification developed in 2003 by the Wi-Fi Alliance, formerly known as the Wireless Ethernet Compatibility Alliance (WECA). WPA provides a standard for authentication and encryption of WLAN that’s intended to solve known security problems existing up to and including the year 2003. This takes into account the well-publicized Air Snort and man-in-the-middle WLAN attacks. WPA is a step toward the IEEE 802.11i standard and uses many of the same components, with the exception of encryption802.11i uses AES encryption. WPA’s mechanisms are designed to be implementable by current WEP-oriented hardware vendors, meaning that user should be able to implement WPA on their systems with only a firmware/software modification. WPA addressed the inherit weaknesses found in WEP by adding a stronger encryption algorithm, and per frame sequence counters. V. WPA OR WPA2 PRE-SHARED KEY This is another form of basic security that’s really just an add-on too the specifications. WPA or WPA2 Pre-Shared Key (PSK) is a better form of wireless security than any other basic wireless security method mentioned so far. The PSK verifies users via a password or identifying code (also called a passphrase) on both the client machine and the access point. A client gains access to the network only if it password matches the access point’s password. The PSK also provides keying material that TKIP (WPA) or CCMP (AES) uses to generate an encryption key for each packet of transmitted data. While more secure than static WEP, PSK still has a lot in common with static WEP in that the PSK is stored on the client station and can be compromised if the client station is lost or stolen, even though finding this key isn’t all that easy to do. It’s definite recommendation to use a strong PSK passphrase that includes a mixture of letters, numbers and non alphanumeric characters VI. WPA OR WPA2 ENTERPRISE WPA and WPA2 support an enterprise authentication method. This is called Extensible Authentication Protocol (EAP). EAP is a framework that enhances the existing 802.1x framework. This framework describes a basic set of actions that will take place, and each EAP type differs in the specifies of how it operates within the framework. These variables include things like whether they use passwords or certificates and the ultimate level of security provided. Most EAPs comprise three components:  The authenticator  The supplicant  The authentication server Since the authentication server will typically be a RADIUS server. Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that offers several nice security benefits:  Authorization

www.alliedjournals.com

International Journal of Engineering, Management & Sciences (IJEMS) ISSN-2348 –3733, Volume-2, Issue-5, May 2015 Implementation Authentication Encryption

 Centralized Access

Accounting supervision of the users and/or computers that connect to and access our network’s services. Once RADIUS has been authenticated, it allows us to specify the type of rights a specific user or workstation has.  Control over what a device or user can do within the network.  Creation of a record of all access attempts and

WEP

Open or Shared

RC4

Key WPA

PSK

TKIP

WPA2

PSK or 802.1x

TKIP or AES

802.11i

PSK or 802.1x

AES

actions. The provision of Authentication, Authorization, and Accounting is called AAA, or Triple A. The various types of EAPs are used in today’s networks.EAP normally uses a RADIUS server as the authentication server in the process. but the AP can be configured as both the authenticator and the authentication server. This process is an arrangement is called Local EAP. The IEEE 802.11i standard has been sanctioned by the Wi-Fi Alliance and is termed WPA version 2.

Table-1.2 VIII. CONCLUSION

Wireless technologies are here to stay, and for those of us who have come to depend on wireless technologies, it’s actually pretty hard to imagine a world without wireless networks. This research paper propose the exploring the essentials and fundamentals of how wireless networks function. Springing off VII. 802.11i that foundation, the basics of wireless RF and the IEEE Although WPA 2 was built with the upcoming 802.11i standards introduced. Discussion of 802.11 from its inception standard in mind, there was some feature added when the through it evolution to current and near future standards and standard was ratified: talked about the subcommittees who create them.  A list of EAP methods that can be used with the All of this leads into a discussion of wireless securityor rather, non-security for the most part, which logically directed standard. us towards the WPA and WPA2 standards, using PSK and  AES/CCMP for encryption instead of RC4. 802.1x authentication, and TKIP and AES encryption  Better key management. The master key can be methods. ACKNOWLEDGMENT cached, permitting a faster reconnect time for Author thanks to the following people:  This technical paper would not have been the station. possible without the support of my guide, Anil

Table 1.1 summarizes the WPA/WPA2/802.11i comparison. Table-1.1 WPA

WPA2

802.11i

SOHO

Enterprise

802.1x

authentication/PSK

authentication

128-bit

128-bit AES

RC4

AES

w/TKIP encryption

encryption

hoc

supported

not

hoc

chaudhary. A paper of this type need thorough & in depth knowledge, especially when to balance a paper, study & project. Anil sir provided endless encouragement to keep me writing when I was pressed to meet deadlines for the paper.  The team & faculty members at Buddha Institute of Technology, especially Ghanshyam Tiwari,

encryption not

Narendra Chaurasiya, Arun Mishra & S.N.

Allows ad hoc

Jaiswal. I owe a debt of gratitude to this team.

supported

Lastly, table 1.2 summarizes the implantation techniques and what authentication and encryption methods each use.

www.alliedjournals.com

Wireless Security

REFERENCES [1]www.sybex.com/go/ccie [2]www.tatamacgrawhill.com/ccna [3]www.trainsignal.com/faq.html Abbreviations and Acronyms EAP. Extensible Authentication protocol Wi-Fi. Wireless Fidelity LAN. Local Area Network IEEE. Institute of Electrical & Electronics Engineers IETE. Institution of Electronics & Telecommunication Engineers RADIUS. Remote Authentication Dial-In User Service

Ganesh Pandey B.Tech under Graduate in Electronics & Communication Engineering & has been interested to work in the field of telecommunication focusing on secure & reliable connection. Being a member of IETE, New Delhi, he continuously efforts to sharpen his knowledge by exploring related research work. In addition to earning a B.Tech in E.C.E from Buddha Institute of Technology,

.Dipendra Kumar Tripathi Dipendra is a Bachelor of Technology in Electronics & Communication Engineering from Buddha Institute of Technology. His area of interest is wireless communication & telecommunication. He has presented many technical papers, seminars on PLC & SCADA & completed specialized training in automation technology. Dheerendra Yadav B.Tech final year student in Electronics & Communication Engineering from Buddha Institute of Technology, Gida, Gorakhpur. Mr. Anil Chaudhary Anil Chaudhary is assistant professor in Electronics & Communication Engineering Department at Buddha Institute of Technology, Gida, Gorakhpur. He holds several industry certification and masterâ&#x20AC;&#x2122;s degree in Electronics Design & Technology. He has been a keen researcher in electronics field & has published many technical & research paper.