6727 A 2018
A Research Paper on Security of Wireless Network
International Journal of Current Advanced Research Vol 7, Issue 5(I), pp 12811-12815, May 2018

Article History: Received 9th February, 2018; Received in revised form 26th March, 2018; Accepted 17th April, 2018; Published online 28th May, 2018.

Key words: WLAN, Wireless LAN, Security, IEEE802.11

Over the past few years, the IEEE 802.11 standard has been the focus of a large amount of research with respect to its security architecture and mechanisms. Our own research has shown a huge deficiency in the 802.11 standard with regard to security, as well as deficiencies in 802.11 network implementation and deployment. Furthermore, while several technologies have been (and continue to be) developed to either augment or replace the standard's flawed portions, the difficulty of managing wireless networks has created a complex situation for network administrators even when they use the latest technologies. Like most advances, wireless LAN poses both opportunities and risks. The evolution of wireless networks over a few years has raised many serious security issues. To fix the security loopholes in the current standard, this paper proposes a public-key authentication and key-establishment procedure. The public-key cryptosystem is used to establish a session key securely between the client and the Access Point. A client-agent based Rogue Access Point (RAP) detection system was developed to counter the threat of rogue Access Points in wireless LANs, which is difficult to handle at the protocol level. Hence a centralized RAP detector was developed for organizations whose area is too large to cover manually or from a single location. An algorithm was also developed to detect Evil-Twin Access Points, which cannot be detected by traditional methods. The algorithm works on the fact that the evil twin is placed at a distance from the good twin to prevent direct detection.

Copyright ©2018 Kirti Kaushik and Nidhi Sewal. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

*Corresponding author: Kirti Kaushik, Department of Computer Science and Engineering, DPGITM, Maharshi Dayanand University, Haryana, India

INTRODUCTION

The IEEE 802.11 WLAN standard and its security services have become a top priority in the installation of wireless technology-based information infrastructure because of their economic feasibility and high capability compared with the several wireless technologies available today, such as microwave, Wi-Fi or IEEE 802.11 and Wi-MAX. Apart from the low cost, IEEE 802.11 technology is relatively easy and quick to install, and it operates on the unlicensed 2.4 GHz frequency band, so a network can be built independently by an individual or organization without reliance on an operator. A wireless LAN uses electromagnetic waves to transmit data signals from one end of the network to the other, and this is implemented at the physical layer. IEEE 802.11 wireless LAN has two types of network architecture:

1. Ad-Hoc Network
2. Infrastructure Network

The IEEE group started work on the IEEE 802.11 project in the year 1997, in order to design a Medium Access Control (MAC) and Physical layer (PHY) that provide wireless connectivity to fixed stations, portable stations and moving stations within the specific boundary of the network. The initial standard includes three physical layers: FHSS (Frequency Hopping Spread Spectrum), DSSS (Direct Sequence Spread Spectrum) and Infrared. Later, two other transmission technologies were included: OFDM (Orthogonal Frequency Division Multiplexing) and HR-DSSS (High Rate Direct Sequence Spread Spectrum).

The IEEE 802.11 MAC layer consists of the channel access mechanism. IEEE 802.11 MAC provides two channel access controls, DCF (Distributed Coordination Function) and PCF (Point Coordination Function). PCF provides contention-free channel access and aims at supporting real-time traffic. DCF works on CSMA/CA (Carrier-Sense Multiple Access with Collision Avoidance), taking into account the complexity of the wireless environment; for example, stations cannot listen to the channel for collisions while transmitting.

IEEE 802.11 Specifications

The 802.11 standard is a group of networking standards that cover the physical layer specifications of technologies from Ethernet to wireless. IEEE 802 is subdivided into 22 parts that cover the physical and data-link aspects of networking. The better known specifications include 802.3 Ethernet, 802.11 Wi-Fi, 802.15 Bluetooth/ZigBee, and 802.16. All the 802.11 specifications use the Carrier Sense Multiple Access and Ethernet protocol with Collision Avoidance (CSMA/CA) for path sharing. The original modulation used in 802.11 was phase-shift keying (PSK). Other schemes, such as complementary code keying (CCK), are used in some of the newer specifications. The latest modulation methods provide higher data speeds and reduced vulnerability to interference.

802.1- LAN/MAN bridging and management. Covers the lower sub-layers of OSI Layer 2, including MAC-based bridging (Media Access Control), virtual LANs and port-based access control.
802.2- LLC or Logical Link Control specification. The LLC is the top sub-layer in the data-link layer, OSI Layer 2. It interfaces with the network layer (Layer 3).
802.3- "Granddaddy" of the 802 specifications. Asynchronous networking using "carrier sense, multiple access with collision detect" (CSMA/CD) over coax, twisted-pair copper, and fiber media. Current speeds range from 10 Mbps to 10 Gbps.
802.4- Disbanded.
802.5- The token-passing standard for twisted-pair, shielded copper cables. Supports copper and fiber cabling from 4 Mbps to 100 Mbps. Often called "IBM Token-Ring."
802.6- "It incorporates and supersedes published standards 802.1j and 802.6k. Superseded by 802.1D-2004."
802.7- Withdrawn Standard. Withdrawn Date: Feb 07, 2003. No longer endorsed by the IEEE.
802.8- Withdrawn PAR. Standards project no longer endorsed by the IEEE.
802.9- Withdrawn PAR. Standards project no longer endorsed by the IEEE.
802.10- Superseded. Contains: IEEE STD 802.10b-1992.
802.11- Wireless LAN Media Access Control and Physical Layer specification. 802.11a, b, g, etc. are amendments to the original 802.11 standard. Products that implement 802.11 standards must pass tests and are referred to as "Wi-Fi certified".

Security in IEEE 802.11 Networks

This section covers the various security solutions for the IEEE 802.11 standard, such as WEP and CCMP, the measures of network performance that reflect the network's transmission quality and service availability under each of them, and which solution is considered best in which environment.

Wired Equivalent Privacy (WEP) – WEP is the first security technique used in the IEEE 802.11 standards. WEP aims to give a WLAN security like that of a wired LAN. WEP helps to make the communication secure and provides a secret authentication scheme between the AP and the end user who is going to access the WLAN. Basically, WEP was implemented on the initial Wi-Fi networks so that a user cannot access the network without the correct key. WEP uses symmetric-key encryption with an encryption key ranging from 64 to 128 bits long. Usually, the same encryption key is used for all the nodes in the network and is manually distributed to each node, which means WEP is unable to provide a key management function. WEP uses the shared-key authentication method, in which the user needs two things in order to access the WLAN: one is the SSID and the second is the WEP key generated by the AP. The IEEE 802.11 standard defines three different parameters for WEP, i.e. access control, data privacy and data integrity.

CCMP – CCMP is the encryption algorithm of IEEE 802.11i. CCMP uses AES in a particular mode of operation. In other words, the mode of operation is known as the algorithm whose purpose is to change ciphertext to plaintext and vice versa. The main purpose of using an encryption technique is to provide confidentiality for data, and it has been shown that the previous encryption technique failed to provide data integrity. In order to provide integrity to data, a message authentication code is appended to the original message. The message authentication code is produced by a keyed cryptographic function in order to generate the integrity value (ICV).

In the IEEE 802.11i standard, CCMP is divided into two parts:

1. Counter mode ("CTR-Mode"). The counter mode is used with AES to encrypt the data.
2. Cipher block chaining-MAC mode ("CBC-MAC Mode"). CBC-MAC mode is used to create a MIC code that provides integrity to data.

Parameters studied – The following parameters are used to compare the results obtained, in order to determine the security of IEEE 802.11 wireless local area networks under the WEP and CCMP security protocols.

Throughput (bit/sec): The total number of bits (in bits/sec) sent to the higher layer from the MAC layer. The data packets received at the physical layer are sent to the higher layer if they are destined for this station.

Average Jitter: Jitter is defined as the variation in the delay of received packets.

Average End-to-End Delay: It indicates the length of time taken for a packet to travel from the CBR (Constant Bit Rate) source to the destination. It represents the total delay between creation and reception of an application packet.

Security Analysis

The complete analysis of authentication has been done considering possible threats. Since the management frames are not protected in a WLAN, an adversary is capable of interfering with the initial step of AP discovery and with IEEE 802.11 association and authentication. Spoofed security capabilities and topological views of the network can be sent to a supplicant on behalf of an authenticator by an adversary. Once this occurs, the supplicant will be forced to use inappropriate security parameters to communicate with the legitimate authenticator, or to associate with a malicious AP. If no further protections are used, an adversary can also forge association requests to the authenticator with weak security capabilities, which might cause problems. Fortunately, these threats are eliminated in IEEE 802.1X authentication if a strong mutual authentication is implemented. The main purpose of authentication is to prevent an intruder from modifying and forging authentication packets.

If a PSK is used instead of a PMK, then the AP and the supplicant can authenticate each other by verifying the shared key (PSK or cached PMK), and active and passive eavesdropping and message interception can be eradicated. Session hijacking is possible even if a strong authentication mechanism is implemented. However, it does not pose any threat beyond eavesdropping: the adversary can disconnect a station by forging de-authentication or disassociation messages and hijack the session with the AP on behalf of the legitimate station, but in this case the adversary can only accept packets which are encrypted using the PTK, so he cannot know what is inside the packets.

A man-in-the-middle attack can be launched if the mutual authentication mechanism is not appropriately implemented. The vulnerability is a weakness of the specific mutual authentication protocol rather than of 802.11i, so mutual authentication should be implemented carefully. The adversary can forward credentials between the AP and the station; but since the authentication packets cannot be used again, as in a replay attack, an adversary cannot cause more damage than eavesdropping: he can only relay the packets.

From the above discussion, the complete RSNA process seems to be secure as an authentication process. Since the adversary could interfere with the IEEE 802.11 authentication and association step, it might be able to fool the authenticator and the supplicant and prevent completion of the RSNA. In addition, some implementations might also allow a reflection attack in the 4-way handshake protocol. Although the link between the authenticator and the authentication server is assumed to be secure, dictionary attacks will still be a threat to the shared secret in RADIUS. When a 256-bit PSK is used instead of a PMK, this PSK could be derived from a passphrase, which makes the PSK vulnerable to dictionary attacks. To eliminate this vulnerability, a good passphrase or a 256-bit random value should be chosen carefully.

Countering the Threats

Threat of Rogue Access Points in Wireless LANs

Client based RAP detection

The RAP Detector can be deployed in an organization with a large number of wireless users scattered all over the organization. The RAP Detector will be useful for such organizations as it requires little additional infrastructure and can be easily deployed, since most organizations already have a DHCP server on which the RAP Detector can run. The RAP Detector can be configured to notify the system administrator about suspicious Access Points, which can then be investigated to confirm their purpose.

Figure: Basic system architecture

As shown in the figure, wireless nodes are scattered all over the organization. The shaded region depicts the area that can be scanned for rogue Access Points. The details of all the Access Points present in the area will be available at a central location (the DHCP server). Periodic scans can be scheduled so that more comprehensive coverage can be established. This can be done without manual intervention, hence enhancing the security of the organization.

As shown in the figure, the complete system consists of three major components: a DHCP server, a Master Agent program holding the database of all authentic APs, and many wireless nodes (laptops used by the members of the organization). These laptops act as client agents. They execute a small program at all times which listens for a query from the Master Agent and then sends a list of the Access Points in its vicinity to the Master Agent. These lists are then consolidated and a list of all detected Access Points is generated. This list of detected Access Points is then analyzed for anomalies: it is compared with the database of known Access Points, and an algorithm to detect Evil-Twin Access Points is run over the list of detected Access Points.

Algorithm for Detecting Evil Twin Access Points

Evil Twin Access Points are access points that have the MAC address of a legitimate Access Point installed by the organization. They spoof the MAC address to masquerade as a legitimate Access Point. These Access Points are very difficult to detect. Most commercial Access Points have methods to detect Evil Twin Access Points if they are in the range of the Access Point they are trying to masquerade as; this is easy, as an Access Point can detect whether another Access Point in its range has the same MAC address. Hence most Evil Twin Access Points are placed outside the range of their authentic twin. This fact is used to detect the Evil Twin Access Point. To detect a twin, the algorithm analyzes the context of each Access Point. It checks that all the clients that detect a particular Access Point are located in the same locality. This is to be expected, since two clients that are located far apart should not detect the same Access Point. Two clients located far apart can detect the same Access Point only if the Access Point has a twin located at a distance. The pseudo-code for the algorithm is given in the figure:

1. For each AP in AP_List[]
2.   For each CLIENTi that detected AP
3.     For each CLIENTj that detected AP (i != j)
4.       Compare the APs detected by CLIENTi and CLIENTj
5.       If both lists completely mismatch, flag CLIENTi and CLIENTj as ABNORMAL
6.   If the number of ABNORMAL clients for AP > Threshold, AP has twins
7. END

The Experimental Scenario

To test the RAP detection system, it was deployed in a hostel LAN with two clients and a master agent. For experimental purposes the two clients were located at opposite ends of the building to provide maximum coverage. The IP addresses of the clients were manually entered in the database. Some of the Access Points were manually entered into the database of known APs. The two clients were placed at a distance to provide maximum coverage. Query packets were sent to the clients at regular intervals.

The Master Agent gathered and processed the responses from the different clients and built a list of Access Points in the building. The Access Points entered manually were flagged as authentic Access Points, whereas the Access Points that were not present in the database were flagged as Rogue Access Points. The system was kept running for a period of 30 minutes, during which it provided real-time information about all the Access Points in the building. The following parameters were collected about the Access Points in the building:

MAC ID of the Access Point
List of clients that detected the Access Point
Last time when the Access Point was detected.

RESULTS

Results of RAP Detector

The RAP detector was tested in a building with 25 Access Points and only two client agents. The two client agents were able to provide information about almost all the Access Points in the building. Only one Access Point was outside the range of both the clients. 17 Access Points were added to the database of known Access Points and hence were detected as authentic APs, whereas the rest were flagged as Rogue Access Points. The list of all detected Access Points was built within a time period of 1 minute. The clients were queried at an interval of 10 seconds and the replies were received almost instantly. In comparison, the manual audit took 30 minutes to scan the building and compare the results with the list of known Access Points. The table shows the various results obtained from the experiment.

Table: Result of RAP detection in the experimental setup

Parameter                       Value
Total Access Points             25
Known Access Points             16
Total Access Points detected    24
Rogue Access Points detected    8

It was very clear from the experiment that in organizations where manual scanning for Rogue Access Points is time consuming, such a centralized client-based RAP detector is very useful. As our system requires almost no additional hardware installation, it can be easily installed in organizations and can provide real-time, centralized RAP detection.

Simulation Results for detection of Evil Twin Access Points

To evaluate the performance of the Evil-Twin Access Point detection algorithm, it was tested in a virtual environment. Since it was not feasible to deploy such a large number of clients and access points, the algorithm was tested on a virtual grid of 1000x1000. Although Access Points operate in a 3-D space, a 2-D space was used instead for simplicity. The positions of 20 Access Points were randomly generated in a coordinate grid of 1000x1000. Various numbers of client positions were generated; the number of clients varied from 20 to 100. Out of the 20 Access Points, two were twins. The algorithm was then used to detect the twins.

For each client-set size the simulation was performed 100 times and the results were noted. The accuracy was calculated as follows:

Accuracy = (Number of times Evil-twins were correctly detected) x 100 / (Total number of simulations)

False Positive Rate = (Number of times other Access Points were wrongly detected) x 100 / (Total number of simulations)

A very high rate of success was observed. The algorithm detected the Access Point with twins with a high success rate. The results for various client-set sizes are shown in the figure. It was observed that accuracy increased with an increasing number of wireless client agents. With 20 clients the accuracy was 54%, while with 100 clients it increased to 81%. Although some false positives were detected, the rate was very low and always remained under 2%. As is clear from the results, the accuracy of the algorithm is quite high, whereas the false positive rate remained very low throughout all client-set sizes.

CONCLUSIONS

Security is very important in Wireless LANs since they operate in a broadcast medium.

From the obtained results the following can be concluded about the public-key based authentication scheme:

1. The authentication scheme will successfully stop DoS attacks by providing a secure key-establishment mechanism.
2. Both unicast and multicast management frames will be protected from eavesdropping and modification, since they will be signed with the public key of the Access Point.
3. Insider attacks will be stopped by providing each client with a secure session key.
4. Public-key based authentication mechanisms are feasible in wireless LANs without introducing much delay in the authentication procedure. It was seen from the results that while EAP (Extended Authentication Procedure) takes about 2.5 ms, a session key establishment will take around 0.4 ms with 10 concurrent clients.

The Client-Agent based Rogue Access Point detection system was tested and the following conclusions can be drawn from the results:

1. The client-agent based RAP detection system will be able to provide real-time RAP detection capabilities in organizations that have a set of trusted wireless clients.
2. As the results show, using the proposed system even a small number of trusted clients can cover and monitor a very large area. In our experiment, with only 2 wireless clients an area of 100 sq meters was covered.
3. The Evil-Twin detection algorithm also performed well under the simulation environment. It showed 81% accuracy when the number of clients is 100. The false-positive rate was as low as 1%.

Future Scope

There is obviously scope for improvement and future work. The possible improvements to our work can be:

1. Although the proposed authentication scheme has been shown to mitigate existing attacks, it should be evaluated by a formal evaluation method and predicate logic for the sake of completeness.
2. It was shown that a public-key cryptosystem is feasible in Wireless LANs by simulating it on a machine with CPU speed comparable to Access Points. As future work the mechanism should be implemented on an actual Access Point and tested for feasibility.
3. The RAP detection system only detects Rogue Access Points. A counter-attack system can be incorporated into the Rogue Access Point system to block detected RAPs in the future. This can be done using SNMP to block the port where the Rogue Access Points are connected.
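The Master Agent's consolidation step described under "Client based RAP detection" and "The Experimental Scenario" (gather the client agents' replies, merge them into one list of detected Access Points carrying the three recorded parameters, then compare that list with the database of known APs), as an added Python example that is not the paper's code. The reply layout, the field names, the MAC addresses and the client reports are all constructed for the illustration; the paper does not specify its message format.

```python
"""Master-agent side of the client-agent based RAP detector (added illustration).

The paper says only that each client agent answers a query with the list of access
points in its vicinity and that the master agent consolidates those lists, compares
them with the database of known APs and records, for every AP, its MAC, the clients
that detected it and the last time it was seen.  Everything below (tuple layout,
field names, addresses, timestamps) is constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed database of authentic APs (MAC -> label) as entered by the administrator.
KNOWN_APS = {
    "00:11:22:33:44:01": "lab-ap-1",
    "00:11:22:33:44:02": "lab-ap-2",
    "00:11:22:33:44:03": "library-ap",
}

# Constructed replies from two client agents: (client_ip, seen_at, [(bssid, ssid), ...]).
CLIENT_REPORTS = [
    ("10.0.0.11", 1000, [("00:11:22:33:44:01", "campus"), ("00:11:22:33:44:02", "campus"),
                         ("de:ad:be:ef:00:01", "campus")]),
    ("10.0.0.12", 1010, [("00:11:22:33:44:02", "campus"), ("00:11:22:33:44:03", "campus"),
                         ("de:ad:be:ef:00:02", "FreeWiFi")]),
    ("10.0.0.11", 1020, [("00:11:22:33:44:01", "campus"), ("de:ad:be:ef:00:01", "campus")]),
]


@dataclass
class DetectedAP:
    """One row of the consolidated list: the three parameters the paper records."""
    mac: str
    ssid: str
    clients: set = field(default_factory=set)   # client agents that detected it
    last_seen: int = 0                          # last time it was detected


def consolidate(reports):
    """Merge client replies into one table keyed by MAC (the paper's
    'list of all detected Access Points')."""
    table = {}
    for client_ip, seen_at, aps in reports:
        for bssid, ssid in aps:
            mac = bssid.lower()                 # normalise so the same radio is one row
            entry = table.setdefault(mac, DetectedAP(mac, ssid))
            entry.clients.add(client_ip)
            entry.last_seen = max(entry.last_seen, seen_at)
    return table


def classify(table, known_aps):
    """Split detected APs into authentic (MAC in the database) and rogue (not in it)."""
    authentic = sorted(mac for mac in table if mac in known_aps)
    rogue = sorted(mac for mac in table if mac not in known_aps)
    return authentic, rogue


def not_seen_since(table, since):
    """MACs whose last report is older than `since`: APs that went quiet between scans."""
    return sorted(mac for mac, entry in table.items() if entry.last_seen < since)


def summarise(table, known_aps):
    """Counts in the shape of the paper's results table."""
    authentic, rogue = classify(table, known_aps)
    return {"known_aps": len(known_aps), "detected": len(table),
            "authentic": len(authentic), "rogue": len(rogue)}


if __name__ == "__main__":
    detected = consolidate(CLIENT_REPORTS)
    authentic, rogue = classify(detected, KNOWN_APS)
    for mac in authentic + rogue:
        row = detected[mac]
        tag = "authentic" if mac in KNOWN_APS else "ROGUE"
        print(f"{mac}  {tag:9s}  seen by {sorted(row.clients)}  last {row.last_seen}")
    print(summarise(detected, KNOWN_APS))
```

Note that an evil twin reusing a known MAC would land in the authentic list here, because this step compares MACs only; that is exactly the gap the paper's Evil-Twin algorithm is meant to close.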
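The Evil-Twin detection pseudo-code and the 1000x1000 grid simulation from "Simulation Results for detection of Evil Twin Access Points", as an added Python example that is not the authors' code. It fills in three things the paper leaves unspecified, all marked as assumptions in the code: a detection radius (RADIO_RANGE), the reading of "both lists completely mismatch" as "each client also sees at least one other AP and those other-AP sets are disjoint", and the value of Threshold. The constructed five-client report and the simulated accuracy and false-positive figures are therefore illustrative and will not reproduce the 54% to 81% and under 2% the paper reports.

```python
"""Evil-Twin detection by client-visibility context, plus the paper's 2-D grid
simulation.  Added illustration, not the authors' code.  Assumptions not given in
the paper: RADIO_RANGE, the reading of "completely mismatch" (both clients see at
least one other AP and those other-AP sets are disjoint) and the THRESHOLD value."""
import math
import random
from itertools import combinations

GRID = 1000          # the paper's 1000x1000 virtual grid
NUM_APS = 20         # the paper's 20 access points, one of which has an evil twin
RADIO_RANGE = 200    # assumed detection radius in grid units
THRESHOLD = 2        # assumed: flag an AP when more than this many clients are ABNORMAL


def detect_twins(detections, threshold=THRESHOLD):
    """detections: {client_id: set of AP ids}.  A twin pair shares one id because the
    evil twin spoofs the legitimate MAC.  Returns the AP ids judged to have twins
    (lines 1-7 of the paper's pseudo-code)."""
    flagged = set()
    for ap in set().union(*detections.values()):            # 1. for each AP
        observers = [c for c, seen in detections.items() if ap in seen]
        abnormal = set()
        for ci, cj in combinations(observers, 2):            # 2./3. each client pair
            others_i = detections[ci] - {ap}                 # 4. compare what else
            others_j = detections[cj] - {ap}                 #    each client sees
            if others_i and others_j and others_i.isdisjoint(others_j):
                abnormal.update((ci, cj))                    # 5. completely mismatch
        if len(abnormal) > threshold:                        # 6. too many far-apart observers
            flagged.add(ap)
    return flagged


# Constructed report: c1 and c2 sit in one locality, c4 and c5 in another, c3 between.
# AP1 is a legitimate AP in the first locality; its evil twin near c5 reuses the id AP1.
CONSTRUCTED_DETECTIONS = {
    "c1": {"AP1", "AP2"},
    "c2": {"AP1", "AP2", "AP3"},
    "c3": {"AP2", "AP3"},
    "c4": {"AP4", "AP5"},
    "c5": {"AP1", "AP4", "AP5"},
}


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def build_scenario(n_clients, rng):
    """Random placement on the grid.  AP0 gets an evil twin with the same id placed
    more than 2*RADIO_RANGE away, i.e. outside the range of its authentic twin."""
    def point():
        return rng.uniform(0, GRID), rng.uniform(0, GRID)
    radios = [(f"AP{i}", point()) for i in range(NUM_APS)]
    twin_pos = point()
    while _dist(twin_pos, radios[0][1]) <= 2 * RADIO_RANGE:
        twin_pos = point()
    radios.append(("AP0", twin_pos))
    detections = {}
    for c in range(n_clients):
        pos = point()
        detections[f"c{c}"] = {ap for ap, p in radios if _dist(pos, p) <= RADIO_RANGE}
    return detections, "AP0"


def simulate(n_clients, runs=100, threshold=THRESHOLD, seed=1):
    """Accuracy and false-positive rate in percent over `runs` random scenarios,
    using the two formulas from the paper."""
    rng = random.Random(seed)
    correct = wrong = 0
    for _ in range(runs):
        detections, twin = build_scenario(n_clients, rng)
        flagged = detect_twins(detections, threshold)
        correct += twin in flagged                 # evil twin correctly detected
        wrong += bool(flagged - {twin})            # some other AP wrongly detected
    return 100.0 * correct / runs, 100.0 * wrong / runs


if __name__ == "__main__":
    print("constructed report, threshold 2:", sorted(detect_twins(CONSTRUCTED_DETECTIONS, 2)))
    print("constructed report, threshold 1:", sorted(detect_twins(CONSTRUCTED_DETECTIONS, 1)))
    for n in (20, 40, 60, 80, 100):
        acc, fpr = simulate(n)
        print(f"{n:3d} clients: accuracy {acc:5.1f}%  false positives {fpr:5.1f}%")
```

The constructed report shows why the threshold matters: at threshold 1 a single mismatching pair is enough, so the boundary client c3 makes the ordinary AP2 look like a twin, while at threshold 2 only AP1, the AP whose observers split into two unrelated localities, is flagged. Running the module prints that comparison and then the simulated accuracy and false-positive rate for client-set sizes 20 to 100 with a seeded generator.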