Wireless Network Security Technical

aurorabellyNetworking and Communications

Nov 21, 2013 (3 years and 4 months ago)





DeVry University

Kansas City, Missouri


Current Topics in

Spring 2003

802.11 Standard:

Comparison and Security

Jason Gibson

April 23, 2003




802.11 Standard Comparison

Wireless: Brief History

Wireless device
s have been a part of everyday life since the early
1980’s. Wireless devices communicate with one another without the
use of any cabling or physical connection. We use these devices every
time we use a remote control to turn on the television or make a c
from a cordless or cellular phone. Much of today’s technology has
come from the evolution of the cellular phone network. Cellular phone
communication is the number one application for wireless technology.
The expansion of the Internet has also affec
ted the use of wireless
communications. Businesses everywhere are implementing wireless as
the medium of communication on their networks.

IEEE and 802.11

To insure compatibility of software and hardware, manufacturers must
follow specific standards. Th
e standards allow devices from different
manufacturers and vendors to communicate. The Institute of Electrical
and Electronic Engineers (IEEE) defines the standards implemented in
these areas of technology. This paper will discuss the standards for
ess communications, how wireless communications work and will
define some of the security issues that have surfaced since the
implementation of the wireless local area network (WLAN).

The IEEE bases wireless communications on the 802.11 standard.

are currently two supplements to the 802.11 standard, 802.11a
and 802.11b (802.11g is still being finalized). Other improvements
are still being developed, but have not reached the level of IEEE


802.11 was designed in June of 1997 speci
fically to support
applications that required a higher rate of data across a wireless
network. It was intended for wireless transmissions to communicate
at a rate of 1 to 2 Mbps. 802.11 operates in the 2.4 GHz band. This
band is known as the Industrial,

Scientific, and Medical (ISM) band. It
is heavily used by electronic products and therefore has a high amount
of interference. This makes transmitting high
end applications like
streaming video or voice difficult due to a limited amount of
bandwidth. T
he 802.11 standard was implemented to place
specifications on the parameters of both layers 1 and 2 of the OSI




Layer 1 can use either a frequency hopping spread spectrum (FHSS)
system with 2 or 4 Gaussian frequency
shift keying modulation or
t sequence
spread spectrum (DSSS) system with differential
binary phase
shift keying or differential quadrature phase
shift keying
base band modulation. The third alternative for transmission on the
physical layer is using an infrared transmission system,

but this paper
will keep within the scope of radio frequency transmissions.

Layer 2 protocols are responsible for maintaining shared medium
access. 802.11 stipulates carrier sense multiple access with collision
avoidance (CSMA/CA). The CSMA/CA protocol

determines when a
node can transmit. The node will “listen” to the medium to make sure
the medium is free. If the medium is busy the node will wait a
specified amount of time before attempting to transmit again. Once
the medium is clear the source node

will transmit a ready to send
packet, the destination node will reply with an acknowledgement.
Within the acknowledgement is header information that lets the source
node know what parameters to stay within while sending its data
payload. The source node

responds acknowledging the destination
nodes instructions in its header and data packets follow the header
accordingly. This is what’s known as the “three
handshake”. The
protocol insures the source node is notified when the destination node
is busy
, thus minimizing collisions within the network.


802.11b passed IEEE tests in 1999 and is intended to be an extension
to 802.11 using DSSS. It supports higher data rates than 802.11 at
5.5 to 11 Mbps and many businesses have implemented it on

networks. 802.11b also operates in the 2.4 GHz band. Competition
for bandwidth in this range with other products such as cordless
phones, microwaves, and other networks makes 802.11b vulnerable to
interference. The bandwidth of a spread
channel is 22 MHz;
the ISM band has only three non
overlapping channels 25 MHz apart.
802.11b uses hopping mode for three non
overlapping channels at 10
MHz apart.

Using the 2.4 GHz band for transmission gives 802.11b a higher
range. Typically 802.11b

will perform at ranges of up to 300 feet
using a minimal number of access points. 802.11b is a good choice for
networks located in a warehouse, store or any expansive business with
sparsely populated users. The fewer users competing for an access
s bandwidth the better the performance of the network. For
companies with users who do not use high
end applications, 802.11b
is a popular choice.





802.11a passed IEEE tests in September of 1999. Although it is costly
and expensive it has much mor
e to deliver for businesses that require
high amounts of bandwidth. 802.11a operates in the 5 GHz band,
which is known as the unlicensed national information infrastructure
(UNII) band. The standard can use 300 MHz of bandwidth because the
spectrum is di
vided into three smaller bands. The first 100 MHz is
restricted to a maximum output of 50 mW. The second 100 MHz has
250 mW of output and the third 100 MHz has a maximum output of
1.0 W.

802.11a uses orthogonal frequency division multiplexing (OFDM).

standard specifies eight non
overlapping channels in the lower two
bands, each divided into 52 sub
carriers. The upper band has four
overlapping channels. Modulation methods depend on the rate of
the data being supported by channel conditions be
tween source and
destination. There are four modulation methods used by 802.11a,
they are BPSK, QPSK, 16
QAM, and 64
QAM. Figure 1 represents
OFDM sub

802.11a can deliver data rates as high as 54 Mbps. The drawb
ack to
802.11a is range. The higher operating frequency gives 802.11a a
range of about 60 feet. To implement this standard in a large area
would require a larger number of access points. Densely populated
areas with users competing for the same access p
oint would make the
decision of choosing 802.11a or b an easier choice. If a business
requires high performance to send video, voice, or large images/files
then 802.11a would be the logical choice and worth the extra expense.

Figure 1: Spectra of OFDM sub





802.11g is scheduled

for approval by May of 2003. 802.11g will
expand 802.11b’s data rates to 54 Mbps within the same 2.4 GHz band
using OFDM (orthogonal frequency division multiplexing). 802.11g will
perform in the 2.4 GHz band using 1/3 of that band to transmit its

Just like 802.11b this will decrease the number of AP’s that will
not overlap to three. This creates problems with channel assignment
in heavily populated areas that cover expansive regions. The answer
to this problem is lowering the power of the AP’s.

802.11b users can
upgrade to 802.11g, but they will need to decrease the range of their
current AP’s or provide new AP’s to handle the high data rates. To
supply backward compatibility 802.11b technology will still interface
with 802.11g technology. “…
the 802.11 Task Group is looking to iron
out about 100 remaining editorial and technical questions at the next
meeting of the group in early July.” [McGarvey] One of these
questions is, “how will 802.11g deal with RF interference?”

Currently, the prob
lem with interoperability between 802.11a and b
has caused the need for improvements. An engineering company in
London has developed a dual 802.11a/b chipset. This new chip will
allow an end user device to sense if the access point is using 802.11a
or 80
2.11b. Vice versa, the access point can also send out 802.11a/b
allowing any end user to communicate accordingly.

Wireless Local Area Networks

Devices connect to the network using a Network Interface Card (NIC).
A NIC carries the devices MAC address. T
his identifies the device on
the network. In layer two, Address Resolution Protocol (ARP) converts
the MAC address to an address recognized by the network, an IP
address. This allows the device to communicate with other devices on
the network. In order
to connect to the network without any cabling,
a device must have a wireless NIC installed. The wireless NIC is used
to communicate with other devices within range or with an access
point. An AP communicates with devices equipped with wireless
network ad
aptors and connects to the wired network via an RJ
port. AP devices have an average range of 300 feet, this area is
known as a cell. Users can move within the cell freely without being
disconnected from the network.

Figure 2 on the next page is an
example of a wireless network.




Wireless networks function in either ad
hoc mode or infrastructure
mode. Ad
hoc mode is defined by the IEEE as Independent Basic
Service Set (IBSS). Infrastructure mode is described as Basic Service
Set (B

hoc Mode

hoc mode networks allow clients within the same transmission
range or cell to communicate directly with each other. If a client
needs to communicate with a client in another cell, another client in
the cell must act as a gateway to t
he destination cell. Ad
networks maintain random network configurations, relying on a
system of mobile routers connected by wireless links to enable devices
to communicate. Bluetooth, the primary standard among ad
groups, defines how wireless dev
ices should interconnect with other
devices. It encompasses personal computers, PDA’s, or cellular
phones for business or at home. Bluetooth operates in the 2.45 GHz
band and delivers data at up to 720 kbps. It has a wide variety of
applications includi
ng e
mail and internet access.

Figure 2: Wireless Network

Figure 3: Ad
hoc Mode example




Infrastructure Mode

Infrastructure mode

networks use a central location or access point
(AP) to communicate. The cl
ients send information to the access point
and the access point forwards the information on to the appropriate
destination. Before the information can be exchanged the client and
the access point must establish an association. This is a two
involving three states: Unauthenticated and unassociated,
authenticated and unassociated, and authenticated and associated. All
access points transmit a signal known as a beacon management frame
at fixed intervals. A client listens for messages to identi
fy an access
point within its range. The client and access point then go through
authentication by exchanging management frames. Now the client is
authenticated but not associated. The client sends an association
request and waits for a response from th
e access point. Once the
association response is received the client is allowed access to the

Security Methods

The 802.11 standard had built in methods of providing security for the
network area. The default protocol is Open System Authenticati
This protocol will authenticate any device requesting access.
“Experimentation has shown that stations do perform mutual
authentication using this method when joining a network, and our
experiments show that the authentication management frames are
ent in the clear even when WEP is enabled.” [Arbaugh, Shankar,
Wan] The Wired Equivalent Protocol (WEP) provides confidentiality
over the network. WEP makes sure information being transported
over the network keeps its integrity in the event of a securit
y breach.
Three basic security measures have come from the 802.11 standard;
Authentication, Confidentiality, and Integrity.


Authentication can be performed by the default Open System
Authentication protocol as defined above, by
Closed Auth

Shared Key Authentication

Closed authentication uses a 0
32 byte string to identify the BSS of
the wireless network. Clients that respond with the proper SSID
(Service Set IDentifier) are allowed access. Open System and Closed
tication both use a non
cryptographic methodology. They are
both susceptible to attacks since they do not offer security against
unauthorized access.




Shared Key Authentication uses cryptographic methodology and a
response for authentication.
The device requesting to be
authenticated sends an authentication request management frame to
the responder (AP). The initiator informs the responder they will be
using Shared Key Authentication. The responder challenges the
initiator with an authenticati
on management frame carrying a “key”
(128 bits of encrypted text). The encrypted key uses a pseudo
random number generator with the “shared secret” and a random
initialization vector. Ron Rivest of MIT developed the algorithm used
in the cryptographic co
mputation of the “key”. The algorithm is known
as the RC4 stream cipher. The initiator copies the contents of the
challenge text into a new frame. The new frame is encrypted with
WEP using the “shared secret” and a new initialization vector chosen
by th
e initiator. The new frame is transmitted to the responder, who
decrypts the message while verifying the cyclical redundancy check
integrity value is valid and the challenge result matches the value of
the challenge transmitted. If the information is val
id then the
authentication process is half done. The initiator becomes the
responder and the process is repeated in the opposite direction. An
example of the management frame is provided below in figure 4.


nfidentiality is supported by the 802.11b standard by using
cryptographic techniques for the wireless interface. This is also done
using the RC4 symmetric
key. WEP ensures data is protected from
eavesdropping while traveling across the wireless link. WEP

can be
implemented with the normal 40
bit key and 24
bit initialization vector
or an extended version that offers a larger key that is harder to
decipher. The larger keys have a 104
bit key and the 24
initialization vector which results in a 128
key. Key sizes greater
than 80
bits are more secure because most current computers lack the
capacity to decipher a key size of more than 10
bits. Regardless of
Figure 4: Authentication Management Frame




key size 802.11b is vulnerable to certain attacks. 802.11b does not
specify how to manage the

keys. Key management is left to the
wireless network administrators and users. This includes generating,
distributing, storing, loading, archiving, and destroying the materials
used in developing the keys. WEP keys that are not unique or never
change r
esult in vulnerability. This poor management causes scaling
the network to be difficult. A large company with thousands of AP’s
would find it incredibly challenging to generate, distribute, store, load,
archive, and destroy keys on a reoccurring, yet ran
dom basis. Figure
five is a screen shot from the encryption settings screen.


Integrity is the assurance that the message will be transported from
sender to receiver without being compromised

or changed during
transmission. The 802.11b standard provides some integrity service.
The service rejects any modified messages that may have been
changed by an “outside attacker”. 32
bit Cyclical Redundancy Check
32) is the technique used to dete
rmine the integrity of the
message. A CRC
32 sequence is computed into the payload of a
message before transmitting. The packet is then encrypted with the
RC4 key to provide the cipher text message. The receiver decrypts
the packet and recomputes the CR
C. If the CRC does not match the
one from the original message there has been an integrity violation
Figure 5: Encryption settings screen




and the message is discarded. If the attacker is good enough they can
duplicate the original CRC, creating a match and the message is
received with possi
bly compromised or “previously viewed”
information. Newer standards being developed by the IEEE are
addressing these security issues.


The flaws in the current 802.11 standards are very evident to a
growing number of businesses implementin
g wireless networks. Poor
management and weak security measures make wireless networks an
easy target. The most common vulnerability is through human error,
in which authorized users make mistakes that cause losses. Wireless
networks create an environme
nt that users can access easily from any
point within range of an AP. This also makes easy access for hackers.
Security attacks are divided into two groups, passive and active.

Passive Attack

An unauthorized party gaining access to the network defines

a passive
attack. The unauthorized party does not change anything; they are
merely monitoring the transmissions on the network. This is also
known as

Another type of passive attack is
. The attacker looks for patterns of

communication to identify
where the information is going, such as a transmission to the
depository may contain banking account numbers.

Active Attack

These are attacks where the unauthorized party makes changes to the
information being delivered across t
he network. Network analysis
technology makes these types of attacks detectable, but it will not
prevent them from happening. The attacker may

as an
authorized user to use their privileges. Another type of attack is
of service.

An att
acker can transmit an endless ping from multiple
points to disable the medium due to the overload of traffic. The
attacker has interrupted normal use of the medium. This prevents
users from accessing the information flowing across the network. In
most c
ases an attacker must use a combination of these attacks to
gain access to the network.


The greatest solution an administrator can implement is getting
educated on how to defend the network. Administrators should utilize
more than one strateg
y in defense, just like attackers use more than
one type of attack. This way if one security measure is compromised
there is another measure to provide back up. Techniques such as




Virtual Private Networks, regular password updates, access point
ration, stiffening encryption settings, changing the SSID and
default cryptographic keys, and installing an intrusion detection
system will offer a more secure network. Networks can never be
completely secure, but creating as many road blocks and obstacle
s as
possible will deter most attackers simply because time is their ultimate
nemesis. The longer it takes them the more apt they are to get
caught. Some of the physical measures an organization may
implement are personnel identification and external per
protection. Personnel identification will limit the risk of an outsider
gaining access to the inside of the organization. External perimeter
protection could include the use of security camera placed in the
parking areas and outside of the actual
building. These cameras may
survey an attacker trying to gain access from outside the building
using a laptop computer with a wireless NIC. This is known as

and it has become a prevalent risk to many wireless

Software Solutions

operly configuring access points and updating software on a regular
basis can provide solutions to security breaches. Elimination of many
vendor software vulnerabilities can be done with properly configured
encryption settings, Ethernet Medium Access Cont
rol, Access Control
Lists, shared keys, and Simple Network Management Protocol agents.
Administrators should perform security audits to test the vulnerability
of their network. These audits can point out a weak spot before a
hacker has the opportunity to

compromise the network through that
hole in security.


The differences in the standards discussed in this paper will define the
basis for which administrators choose one standard over the other.
Wireless networks will require increasing data

rates in the office and at
home. The product market for WLAN technology will also continue to
grow as the demand for wireless networks increases. Not only will end
users require higher data rates, but also improved reliability and
security. Administrat
ors should also consider the ramifications of poor
security when making the decision about which standard to use. A
network is only as good as the security imposed upon it.




Works Consulted:

W. Arbaugh, N. Shankar, and J. Wan, “Your 802.11 Wireless N
Has No Clothes” Department of Computer Science, University of
Maryland. Mar. 2001

P. Mehta, “Wired Equivalent Privacy Vulnerability”, SANS Info See
Reading R
oom, Apr. 2001.

J. McGarvey, “802.11g: Ready or Not?”, 802.11 Planet. Jul. 2002.


J. Geier, “Making the Choice: 802.11a or 802.11g” 802.11 Planet.
Apr. 2002


R. Santalesa, “The War Over 802.11 Security”, Enterprise. Jul. 2001.


D. Pipkin,
Information Security
, Hewlett
Packard Company, pp 35