There are three important points about WiFi security:
- Authentication: the network must identify the entities that wish to use WiFi
- Encryption: WiFi data must be encrypted to make it unreadable, because intercepting WiFi frames is very easy to do and very difficult to detect and geo-locate
- Availability: the infrastructure must be protected against external attacks, because these are also relatively easy to carry out
Let's look at each of these points in detail.
Security for WiFi has evolved over time, from setting a simple WEP key, to WPA, to WPA2 nowadays. We will detail this evolution to understand its purpose.
First of all, to secure your WLAN network, it is quite possible to define a “white” list of authorized MAC addresses within the WiFi terminal. We say “white” list for a list containing legitimate MAC addresses. Conversely, a “black” list will contain addresses which will be considered as illegitimate and therefore to be prohibited. You fill in this whitelist with all the MAC addresses of the WiFi cards of your laptops, iPhone, Android, iPad and tablets; only these MAC addresses will have the right to communicate with the WiFi terminal. It's that simple!
We see two important ones:
- All the MAC addresses that will be allowed must be identified. This is simple at home but very hard to set up for a company that has hundreds or even thousands of devices.
- Without communicating directly with the access point, a hacker can listen to WiFi traffic passing through the air. By listening to this traffic, he can quite easily retrieve the MAC addresses that are talking to the access point. He then knows a MAC address that belongs to the whitelist. What will he do with it? He will spoof this MAC address by configuring it on his own WiFi card, using specific software that allows him to change the MAC address of his WiFi network card.
Collecting all MAC addresses and putting them in a whitelist is as secure as closing a door with the key under the doormat. No one can open the door until some smart person lifts the doormat. So we forget about filtering by MAC address in the business world, but we retain it as being a possible answer for the individual.
On some WiFi hotspots, you have the option of hiding the SSID. The SSID - Service Set Identifier - is the identifier of your WLAN. When you want to connect to a WLAN, your WiFi card shows you the different WLANs that are nearby. The name of each is called its SSID. This SSID is broadcast regularly in the air by the terminal to announce its presence. It is contained in a WiFi message called a “Beacon”.
You can enable an option so that the SSID is not broadcast in the air. Then only those who know the exact name of your WLAN can connect, by manually configuring the SSID in their laptop. In Cisco WiFi controllers, this option is called “Broadcast SSID” and must be unchecked. To configure a WLAN on your computer when the SSID is hidden, select “Manually create a network Profile” (example on Windows Seven). Then in “Network Name” enter the name of your SSID. If you have security settings (WEP, WPA), then you must also configure them.
Not at all! Hiding your SSID allows you to hide your WLAN for the majority of people new to WiFi and that's not bad! By using a sniffer like Wireshark, you can recover the frames exchanged between a legitimate client and an access point. And within these frames is the value of the SSID. So by looking a little, you will quickly find the SSID value of the network which wants to be invisible. All you have to do is manually configure the WLAN on your computer, as explained in the images above.
There is a way both to restrict access to the WiFi terminal and to make communications between legitimate clients and the access point unreadable: the use of encryption. If we define a common password between the clients and the access point, then only the clients who know the password can pass through the WiFi terminal. This same password will be used to encrypt WiFi frames to make them unreadable during transport in the air.
The first application of this concept of encryption for the WLAN is called the WEP key - Wired Equivalent Privacy. We define a password that we (wrongly) call the WEP key, and we configure it on the access point and on the WiFi clients. During communication, only those who have the correct WEP key are accepted by the terminal.
To use the example of a house door, it is as if the access point is the house door and the WEP key is the key to the lock: you distribute the key to the lock to every legitimate client. Whoever does not have this key cannot open the door. Logical and efficient! We will see, however, that it is no longer a good security solution today.
If we make a simplified diagram of the operation of the encryption used for a WEP key, it would contain the following elements:
- IV for Initialization Vector: to add a little more complexity to your password, the computer concatenates to the secret key a random number, which it calculates automatically
- Generator: the algorithm (here RC4) generates a key sequence from the secret key and the IV. Think of it as a mega password.
- User data: the user data (the Ethernet frame) to be transferred in the air
- XOR: the “exclusive OR” logical function, which takes the key sequence and the user data and performs an XOR between them
- The result of this XOR is a binary message called “encrypted” because it is incomprehensible
Once the XOR is calculated, the WiFi card sends the data in the air by encapsulating the encrypted message in the WiFi header, or more precisely in the 802.11 headers for purists.
You will notice that the IV is added in the clear next to the encrypted message.
This is quite logical: the IV is calculated automatically by whoever encrypts the message, for example, your WiFi card. The access point that receives this message must be able to decrypt it. To decrypt, it needs 2 parameters: the secret key that you have manually configured on both sides, and the IV that the client's WiFi card has generated automatically. This is why the IV is transmitted in the clear; it is for the recipient.
The XOR is a reversible function:
[key sequence] XOR [plain message] = encrypted message
[key sequence] XOR [encrypted message] = plain message
So we can see that as soon as we know the key sequence, then we can decrypt an encrypted message!
So to summarize:
- WEP encryption is a protocol responsible for the encryption of frames and uses the RC4 symmetric algorithm
- The secret key is 40 or 104 bits long.
- This secret key must be declared at the level of the access point and the clients
- To this is added 24 bits of IV (hence the fact that we often see in the configuration, WEP key of 40 + 24 = 64 bits or 104 + 24 = 128 bits)
Today, WEP is no longer used because its IV is only 24 bits in size, which allows hackers to calculate all the possible values of this IV very quickly. And yes, 24 bits is “only” 2^24 possibilities, and with today's computers, it takes a few seconds.
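The simplified diagram above, written out as an added example (not code from the original article): the RC4 key is the clear-text IV concatenated with the secret key, and because XOR is reversible, two frames sent with the same IV share the same key sequence. The secret key, IV and messages are constructed values, and the integrity checksum of real WEP frames is left out, as in the article's diagram.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling, then `length` bytes of key sequence."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plain: bytes) -> bytes:
    """Frame body = 3-byte IV in the clear + (key sequence XOR plain)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(rc4_keystream(iv + secret, len(plain)), plain)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """The receiver reads the IV from the frame and rebuilds the key sequence."""
    iv, cipher = frame[:3], frame[3:]
    return xor(rc4_keystream(iv + secret, len(cipher)), cipher)


def repeated_iv_demo() -> bytes:
    secret = b"\x0a\x0b\x0c\x0d\x0e"   # constructed 40-bit secret key
    iv = b"\x00\x00\x2a"               # constructed IV, used twice on purpose
    known = b"known DHCP header"       # constructed plaintext the observer knows
    other = b"secret payload!!!"       # constructed plaintext the observer does not know
    f1, f2 = wep_encrypt(secret, iv, known), wep_encrypt(secret, iv, other)
    key_sequence = xor(f1[3:], known)  # cipher XOR plain = key sequence
    return xor(key_sequence, f2[3:])   # same IV, same key sequence: frame 2 opens


if __name__ == "__main__":
    print(repeated_iv_demo())
```

The second message is read without the secret key ever being used, which is why a short IV that inevitably repeats defeats the scheme.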
Before talking about WPA and WPA2 encryption, we must pause on an authentication method that is included in both of them: the 802.1x standard.
The 802.1x standard is a security solution, developed by the IEEE in June 2001, making it possible to authenticate (identify) a user wishing to access a network (wired or WiFi) using an authentication server. This server is often referred to as a RADIUS Server. In addition, this authentication is mutual in the sense that the client also identifies the network into which he enters.
When you go to the bank, you go to a branch of your bank and not to a branch of another bank; it's the same here. The 802.1x standard is based on Extensible Authentication Protocol (EAP) defined by the IETF whose role is to transport user credentials.
Depending on your infrastructure, you may want to set up user authentication by password, by digital certificates or by tokens. Different EAP protocols are used depending on the authentication mode you want:
- EAP-LEAP
- EAP-FAST
- EAP-PEAP
- EAP-TLS
Depending on the type of authentication, you choose this or that EAP protocol.
The operation of the 802.1x standard is actually very simple despite its barbaric name:
1. The client (your laptop) connects via WiFi to the access point.
2. This access terminal is configured to apply the 802.1x standard via the EAP protocol; the terminal asks you to enter your credentials.
3. In the Windows window that appeared, you enter your credentials (for example login = Mark and password = Mark Watson67878)
4. Once the terminal has received your identifiers, it transmits them to an authentication server, called RADIUS server.
5. It is this server which will validate or not your identifiers. Suppose it accepts your credentials, it notifies the access point that it can authorize you to enter the network.
6. You now have access to the network, and you can surf the intranet and the Internet.
Let's take an example in real life to make an explicit comparison:
- After an international flight, you disembark from the plane and arrive at immigration control
- the person asks you to identify yourself by asking for your passport, which you give them
- He scans the passport; your identity is transmitted to a server that checks if you are not on a blacklist
- he gives you back the passport, and you officially enter the country
In this example, the 3 components relating to the 802.1x standard are identified:
- the client: it's your laptop computer that wants to access the network (or you getting off the plane)
- the access point: it will ask you to identify yourself in order to let your frames pass through the network (this is the person in charge of immigration control)
- the RADIUS authentication server: this is the server that decides whether you are eligible or not to use the network (the server behind immigration control with its blacklist)
For the record, when businesses realized that WEP encryption was ineffective, they stopped deploying WiFi. At that time, a task force called 802.11i was created to define higher security than WEP; this group released the standard of the same name. Today, the 802.11i standard is the benchmark for securing WiFi. But at the time, this group had not yet released its recommendations. So the WiFi Alliance got ahead of it and preferred to release a temporary solution while waiting for 802.11i. This temporary solution is called WPA.
WPA is a kind of patch pending 802.11i. It uses:
- 802.1x for authentication (optional)
- The TKIP (Temporal Key Integrity Protocol) encryption algorithm, which is more robust than the RC4 algorithm of WEP. It allows the random generation of keys and offers the ability to change the encryption key multiple times for stronger security.
We have seen that the use of 802.1x requires the installation of a RADIUS server, which can pose a problem for small businesses because it remains expensive. We therefore have 2 operating modes of WPA (as for WPA2):
- Personal mode: in this mode, a password is defined, which is shared between the client and the access point; this password is called PSK for Pre-Shared Key. It is almost the same principle as the WEP key but with a more powerful algorithm. No need for a RADIUS server.
- Enterprise mode: in this mode, the 802.1x standard is used; therefore, the installation of a RADIUS server is necessary.
802.11i was ratified on June 24, 2004, in order to provide an advanced security solution for WiFi networks. It relies on the TKIP encryption algorithm, like WPA, but also supports AES (Advanced Encryption Standard) symmetric encryption, which is much more robust than TKIP.
The WiFi Alliance then created a new security system called WPA2 for new equipment supporting the 802.11i standard.
And as for WPA, you can use it in one of two modes, depending on whether or not you want to set up a RADIUS server for 802.1x authentication:
- Personal mode: use of a PSK
- Enterprise mode: use of 802.1x and, therefore, a RADIUS server
There are also attacks that impact WiFi, not in the sense of data theft and penetration into the network, but rather in the sense of the availability of the service.
The 802.11i standard incorporates protection mechanisms against external attacks aimed at bringing down the WiFi infrastructure. These mechanisms are called W-IDS for Wireless Intrusion Detection System.
Among other things, W-IDS can detect:
- Rogue access points posing as a legitimate access point
- Excessive client association requests on an access point (the famous drunk youngster who tries somehow to get into a nightclub).
- MITM attacks - Man In The Middle whose philosophy is for the hacker to be in the middle of communication between a legitimate client and the access point
- MAC address spoofing
- Denial of service against the access points
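Two of the detections listed above (an access point announcing a known SSID from an unknown address, and excessive association requests on one access point) sketched as an added example; it is not part of the original article or of any vendor's W-IDS. The event tuple format, the SSID, the MAC addresses and the thresholds are all assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

# Assumed inventory: SSID -> BSSIDs (access point MACs) the site really operates.
AUTHORIZED = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
ASSOC_LIMIT = 5    # assumed threshold: association requests per access point...
WINDOW_S = 10.0    # ...within this sliding window, in seconds


def analyse(events):
    """events: (time_s, kind, ssid, bssid, client_mac) tuples in time order."""
    alerts, rogue_seen, flooding = [], set(), set()
    recent = defaultdict(deque)   # bssid -> timestamps of recent association requests
    for ts, kind, ssid, bssid, client in events:
        if kind == "beacon":
            known = AUTHORIZED.get(ssid)
            if known is not None and bssid not in known and bssid not in rogue_seen:
                rogue_seen.add(bssid)          # report each unknown BSSID once
                alerts.append(("rogue-ap", ssid, bssid))
        elif kind == "assoc-req":
            q = recent[bssid]
            q.append(ts)
            while ts - q[0] > WINDOW_S:        # drop requests older than the window
                q.popleft()
            if len(q) > ASSOC_LIMIT and bssid not in flooding:
                flooding.add(bssid)            # alert once per burst
                alerts.append(("assoc-flood", ssid, bssid))
            elif len(q) <= ASSOC_LIMIT:
                flooding.discard(bssid)        # burst is over, re-arm the alert
    return alerts


# Constructed sample events (not captured traffic).
AP1, AP2, ROGUE = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:99"
SAMPLE = [
    (0.0, "beacon", "CorpWiFi", AP1, None),
    (0.1, "beacon", "CorpWiFi", AP2, None),
    (0.5, "beacon", "CorpWiFi", ROGUE, None),
    (1.0, "beacon", "CorpWiFi", ROGUE, None),
] + [
    (2.0 + 0.3 * i, "assoc-req", "CorpWiFi", AP1, f"02:00:00:00:00:{i:02x}")
    for i in range(7)
] + [
    (20.0, "assoc-req", "CorpWiFi", AP2, "02:00:00:00:01:01"),
    (40.0, "assoc-req", "CorpWiFi", AP2, "02:00:00:00:01:02"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

Since MAC addresses can be spoofed, the beacon check only catches a rogue access point that uses its own address; it is a first filter, not proof that the remaining access points are genuine.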
Prevention mechanisms are also possible, so that the infrastructure can protect itself:
- Perform a denial of service against a rogue access point (the revenge of the counter-attack!)
- blacklist the MAC address of a rogue client
- reduce WiFi coverage to prevent neighbors from seeing the WiFi network
Security for WiFi is important because anyone can analyze level 2 frames, so you have to protect your wireless infrastructure according to the following principles:
- MAC address filtering is easily circumvented
- hiding the SSID is absolutely useless because by analyzing the traffic, it is found in clear in the WiFi frames
- WEP security is now to be banned because it can be broken in a few minutes with any laptop
- 802.1x authentication is recommended today for mutual authentication (between the client and the RADIUS server) and uses EAP protocols, e.g. EAP-PEAP, EAP-FAST.
- WPA security is a temporary solution that uses robust 802.1x authentication but not optimal encryption
- WPA2 security which follows the 802.11i standard is the optimal solution
- protection against external attacks by setting up W-IDS