A Comparison of Wireless Encryption Schemes Sean Fisk This paper presents a comparison of different schemes for securing wireless traffic and the technology on which they are based. An analysis of cryptographic techniques used in these schemes is also covered. Grand Valley State University CIS654 Computer Networking Dr. Andrew Kalafut 1/31/2011 A Comparison of Wireless Encryption Schemes The invention of wireless networking has heralded a new age of mobile communication. All manner of electronic devices can now communicate wirelessly through the air. With the explosion of this new technology, wireless security has become an increasingly important topic. Wireless networks are inherently more insecure than wired networks because anyone with a capable device can receive the radio waves transmitted through the air. As such, many efforts have been made to add security to wireless communication schemes, only some of which have been successful. This paper discusses the different types of encryption available for non-wired networks and the algorithms which are used to implement them. Before discussing the encryption schemes, it is important to explain the two types of keys used in the field of cryptography. The first type is symmetric key cryptography, which was the only type of cryptography known and used until 1976. This age-old technique relies on a shared secret known between the two parties attempting to communicate securely. A cipher is applied to a message, which is then sent over an insecure method of transport. When the encrypted message is received, the recipient can now decrypt the message with the same key. While this method achieves very strong security, a secure exchange of the keys must occur or the entire communication link may be compromised. A leak of the key may also compromise the encryption. Under the umbrella of symmetric key cryptography, two types of symmetric key ciphers exist. These are called block ciphers and stream ciphers. Block ciphers are ciphers which operate on a fixed length of plain text and produce and output with a length the same as the input. Typically, multiple blocks are used and are joined in various ways. In contrast to block ciphers, stream ciphers can operate on arbitrarily long amounts of data. Changes in the stream are caused by variables which are modified as the stream cipher continues to operate. January 31, 2011 A relative newcomer to the cryptography field is the use of asymmetric keys, more specifically known as public key cryptography. Public key cryptography was introduced by Diffie and Hellman in 1976 and was a major breakthrough in the field. In this type of encryption, the receiving end of a communication possesses a public and private key. Messages encrypted with the public key can only be decrypted by the private key. Therefore, a message is encrypted by the sender using the receiver’s public key, sent over the insecure network to the receiver, and then decrypted by the receiver to plain text. This type of cryptography revolutionized the field because two parties now did not need to exchange a key over a secure network. The first public key implementation was the Diffie-Hellman protocol, which used the discrete logarithm problem to ensure security. This was followed shortly by the algorithm proposed by Rivest, Shamir, and Adleman, called RSA, which used the integer factorization problem to guarantee security. Both of these algorithms operate on the computational complexity of their respective problems, meaning that it would be infeasible to crack them with current computational power. Symmetric key cryptography and public key cryptography are not necessarily mutually exclusive. Due to the relative simplicity of the algorithms, symmetric key encryption and decryption is far less expensive on resources than equivalent operations using public key cryptography. Therefore, it is common to see a shared secret exchanged using public key encryption and then used for subsequent encrypted messages. The Diffie-Hellman protocol, called the Diffie-Hellman Key Exchange, was designed for this explicit purpose. RSA may also be used in this way. The first attempt at wireless security was called WEP. “The main intention of the WEP was not to provide a level of security superior to or higher than that of a wired LAN, but equivalent to it.” (Bulbul, Batmaz and Ozel) WEP passes each packet through the RC4 stream cipher. The RC4 (Rivest’s Cipher 4) stream cipher was invented by Ron Rivest of RSA. The clear packet is XORed with the RC4 cipher, which uses a 64-bit key. The 64-bit key is composed of a 24bit initialization vector, which can be periodically changed by the client, and the 40-bit WEP key. WEP also uses a 32-bit Cyclic Redundancy Code (CRC) as a checksum algorithm to ensure message integrity. Sean Fisk | A Comparison of Wireless Encryption Schemes Since its inception in 1997, many flaws have been in WEP identified. First, although CRC-32 is a good function for checksums to detect transmission errors, it is “not intended to be used in place of message digest or hash functions.” (Bulbul, Batmaz and Ozel) Therefore, the addition of CRC to WEP does not accomplish its intended purpose. Many of WEP’s vulnerabilities stem from its key. A key of only 40 bits may have been reasonable years ago, but with the advancement of computer hardware this is no longer enough. WEP also uses its master key (the WEP key) as a direct input to the RC4 cipher. Doing increases the chance that the cipher could be cracked and the key obtained. In addition, all devices on the network typically share the same key, making obtaining the key that much easier. WEP’s initialization vector also poses major problems. According to Bulbul, Out of the 16 million IV values available, about 9,000 are interesting. They indicate the presence of weak keys. The attacker captures "interesting packets" filtering for IVs that suggest weak keys, then analyzes them and only has to try a small number of keys to gain access to the network. Because all original IP packets start with a known value, it's easy to know when he/she has the right key. (Bulbul, Batmaz and Ozel) This weakness in WEP makes it somewhat easy to crack as long as interesting initialization vector values continue to be received. Many manufacturers have tried to avoid this limitation by purposefully choosing non-interesting initialization vectors. While somewhat practical, this does address the root cause of the problem. Eventually, values will be reused in the initialization vector, making cracking very easy. Worse still, WEP provides no standard way to change or update the initialization vector. Some implementations simply start at zero and increment, an extremely predictable pattern. Other implementations use randomly generated initialization vectors, which cause the chance of reuse to skyrocket. Because of WEP’s many flaws, the newly formed Wi-Fi Alliance decided to develop a new protocol, which they called Wi-Fi Protected Access, or WPA. WPA was designed to address the critical issues of WEP, but still be able to run on old WEP hardware. One of the biggest changes is the introduction of the Temporal Key Integrity Protocol, which hashes keys before they are used in encryption. Although WPA still uses the RC4 stream cipher, it has increased the length of the secret, shared key (called the Temporal Key) to 128 bits. It also requires the doubling of the initialization vector to 48 bits. WPA also standardizes the common WEP implementation practice of specifically avoiding weak initialization vector values. As a replacement for CRC, WPA adds the Message Integrity Code (MIC). This checksum algorithm is excellent both at detecting errors from noise ad dropped bits in addition to malicious changes of the contents. WPA also adds the completely new feature of user authentication to wireless security. For this, the Extensible Authentication Protocol (EAP) is used. Although WEP can restrict access based on MAC address, this can be read rather easily, in addition to MAC addresses being easily spoofed. EAP, however, uses a more secure public key encryption method to restrict access. In addition to adding authentication security, EAP also adds the possibility of authenticating to a Remote Authentication Dial In User Service (RADIUS) server. This is very useful for those who would like to use a single sign-on (SSO) type infrastructure to authenticate wireless users to an LDAP or Active Directory server through a RADIUS proxy server instead of using a shared secret. Unlike WEP, WPA also provides automatic key management. This means that if the key is updated, it will be easy to redistribute. January 31, 2011 Although WPA provides many, many improvements over WEP, it was really intended to be a temporary solution: WPA has, rightly, been admired as a masterpiece of retro engineering. It addresses the weaknesses of WEP and the result is a very secure security system that is backwardly compatible with most existing WiFi compliant equipment. WPA is a practical solution that will provide more than adequate security for most wireless network applications. However WPA is in the end a compromise solution. It still relies on the RC4 encryption algorithm and TKIP (Temporary Key Integrity Protocol). Although unlikely, the possibility of new weaknesses being discovered still exists. (dlaverty) The biggest weakness of WPA is the continuation of use of the RC4 cipher. In the paper by Fluhrer, Mantin, and Shamir, they describe that the first few bytes of an RC4 stream usually result in very non-random numbers. Sean Fisk | A Comparison of Wireless Encryption Schemes (Fluhrer, Shami and Mantin)These can continue to be exploited to ascertain the value of the secret key. In fact, this paper was a large catalyst for the abandonment of WEP and the drafting of WPA. As a result, new methods of security no longer use this stream cipher. The newest version of IEEE 802.11 security is Robust Security Networks (RSN), also known as Wi-Fi Protected Access 2 (WPA2). This protocol is a complete rewrite of the original WPA. This security protocol uses the all new Advanced Encryption Standard (AES) block cipher as adopted by the U.S. government. The block ciphers are joined using the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is designed to replace TKIP and WEP. It also continues the use of the Extensible Authentication Protocol as introduced by WPA. Using the key exchange technique mentioned earlier, a symmetric key is exchanged through EAP, which is then used to encrypt subsequent connections using AES. This arrangement has proved to be very secure and effective. Currently, WPA2 is seen as the best way to encrypt traffic through access points. The Advanced Encryption Standard cipher is central to the security of WPA2. AES’s predecessor was the Data Encryption Standard (DES), a cipher approved by the National Institute of Standards and Technology. DES is a symmetric, block cipher which uses a 56 bit key. It supports a block size of 64 bits. DES also makes use of the Feistel function to produce the encrypted text. Since becoming a standard in 1976, DES has since been shown to be insecure. This is mostly due to the size of its relatively small key, 56 bits. According to RSA Labs, “In 1999, the Electronic Frontier Foundation’s ‘Deep Crack’ machine, in combination with distributed.net, successfully solved RSA’s DES Challenge III in 22 hours and 15 minutes.” (RSA Labs) Currently, the only acceptable version of DES is called Triple DES. As one would think, Triple DES is simply the use of DES three times. According to Masadeh, 3DES is an improvement of DES; it is 64 bit block size with 192 bits key size. The encryption method is similar to the one in the original DES but applied 3 times to increase the encryption level and the average safe time. But a number of studies indicated that 3DES is slower than other block cipher methods in terms of performance. (Masadeh, Aljawarneh and Turab) Due to DES’s insecurity, however, NIST decided to host a public competition for the next standard. Major criteria for AES included both security and speed. In a five-year process involving fifteen different ciphers, the cipher Rijndael written by Joan Daemen and Vincent Rijmen was finally chosen. January 31, 2011 According to FIPS 197, “the AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.” (National Institute of Standards and Technology) AES encryption involves performing rounds of transformations on a 4 x 4 byte array, called the state. Because of its design, AES encryption and decryption may be performed efficiently in hardware and software. Soon after Rijndael was accepted officially as AES, NIST dropped DES as a secure standard. According to some, an encrypted link through only the wireless connection between a computer and an access point is simply not secure enough. For the very security minded, an end-to-end encryption or virtual private network is needed. End-to-end encryption means that a message is encrypted at the source and is not decrypted until the destination. This means that the message can traverse many untrusted networks without risking being read. Virtual private networks (VPN) which are used for this purpose work in a similar way. When encryption is used in the VPN, all traffic between two trusted endpoints is encrypted. This means that the traffic is encrypted while traveling over untrusted networks. One of the trusted endpoints is typically the sender or source. The other endpoint may be the destination or it may be a trusted gateway to the destination, such as a business’ VPN server which subsequently gives access to their internal network. Many people use VPNs when they are on public networks to secure business traffic. This is especially useful when utilizing an unencrypted wireless hotspot. In this way, the encrypted traffic may be passed over the insecure wireless network without the chance of being read. As wireless technology continues to become a more permanent fixture in our lives, security of wireless networks will become an increasingly important issue. In addition, as computing power increases and ciphers which were infeasible to crack begin losing their security, new algorithms and ciphers may need to be considered. This was seen with the transition from DES to AES, and many other ciphers may follow. To be certain, the issue of wireless security will remain under scrutiny for many years to come. Sean Fisk | A Comparison of Wireless Encryption Schemes Bibliography Bulbul, Halil Ibrahim, Ihsan Batmaz and Mesut Ozel. "Wireless network security: comparison of WEP (Wired Equivalent Privacy) mechanism, WPA (Wi-Fi Protected Access) and RSN (Robust Security Network) security protocols." Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop (e-Forensics '08). Brussels, Belgium: ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2008. dlaverty. WPA vs WPA2 (802.11i): How your Choice Affects your Wireless Network Security. 20 February 2009. 31 January 2011 <http://www.openxtra.co.uk/articles/wpa-vs-80211i>. Fluhrer, Scott, Adi Shami and Itsik Mantin. Weaknesses in the Key Scheduling Algorithm of RC4. Rehovot, Israel, 2001. Masadeh, S.R., et al. "A comparison of data encryption algorithms with the proposed algorithm: Wireless security." Networked Computing and Advanced Information Management (NCM), 2010 Sixth International Conference. IEEE, 2010. 341-345. National Institute of Standards and Technology. "FIPS 197 - Advanced Encryption Standard." Federal Information Processing Standards. 2001. January 31, 2011 RSA Labs. 2010. 31 January 2011 <http://www.rsa.com/rsalabs/node.asp?id=2100>. Sean Fisk | A Comparison of Wireless Encryption Schemes