Wireless Networking II - Computer Graphics Home

Chapter 7
802.11 Security
802.11 LAN management
Other local wireless technologies
© 2013 Pearson

Drive-By Hackers
◦ Sit outside the corporate premises and read
network traffic
◦ Can send malicious traffic into the network
◦ Easily done with readily downloadable software

War Drivers
◦ Merely discover unprotected access points—
become drive-by hackers only if they break in
◦ War driving per se is not illegal

Unprotected Access Points
◦ Drive-by hackers can associate with any
unprotected access point.
◦ They gain access to the local area network
without going through the site firewall.

Rogue Access Points
◦ Unauthorized access points that are set up by a
department or an individual
◦ Often have very poor security, making drive-by
hacking easier
◦ Often operate at high power, attracting many
hosts to their low-security service
Core security protocols protect communication between
a wireless client and a legitimate access point.
They provide encryption for confidentiality and other
cryptographic protections.
802.11 core security protocols protect only wireless client–access point communication.

Provide Security Between the Wireless
Station and the Wireless Access Point
◦ Client (and perhaps access point) authentication
◦ Encryption of messages for confidentiality

Wired Equivalent Privacy (WEP)
◦ Initial rudimentary security provided with 802.11
in 1997.
◦ Everyone shared the same secret encryption key,
and this key could not be changed automatically.
◦ Because the secret key was shared, it did not seem to
be secret.
 Users often gave it out freely.
◦ Key initially could be cracked in 1 to 2 hours; now
can be cracked in 3 to 10 minutes using readily
available software.

Wireless Protected Access (WPA)
◦ The Wi-Fi Alliance
 Normally certifies interoperability of 802.11
equipment
 Certified equipment may display the Wi-Fi
name on their boxes
 Created WPA as a stop-gap security standard
in 2002 until 802.11i was finished
◦ Designed for upgrading old equipment
 WPA uses a subset of 802.11i that can run on
older wireless NICs and access points.
 WPA added simpler security algorithms for
functions that could not run on older machines.
◦ Equipment that cannot be upgraded to WPA
should be discarded.

802.11i (WPA2)
◦ Uses AES-CCMP with 128-bit keys for
confidentiality and key management.
◦ 802.11i is the gold standard in 802.11 security.
◦ But companies have large installed bases of WPA-configured equipment, so they are hesitant to
upgrade.
◦ WPA has now been partially cracked, and this is
leading many firms to upgrade.

WEP
◦ Initial core security standard.
◦ Easily cracked today.
WPA
◦ Has been partially cracked.
◦ Large installed base makes upgrading the entire network to 802.11i expensive.
802.11i (WPA2)
◦ Today’s preferred standard.
◦ Extremely strong.

Both WPA and 802.11i have two modes of
operation.
◦ 802.1X mode
 For large organizations
 Uses a central authentication server for
consistency
 Authentication server also provides key
management
 Wi-Fi Alliance calls it Enterprise Mode
 802.1X standard protects communication with
an extensible authentication protocol.
 Several EAP versions exist with different
security protections.
 Firm implementing 802.1X must choose one.
 Protected EAP (PEAP) is popular because
Microsoft favors it.
◦ Pre-Shared Key mode for homes or small firms
 For homes or small businesses with a single
access point.
 Access point does all authentication and key
management.
 All users must know an initial pre-shared key
(PSK).
 Each, however, is later given a unique key.
 If the pre-shared key is weak, it is easily
cracked.
 Pass phrases that generate keys must be at
least 20 characters long.
 Wi-Fi Alliance calls this personal mode.

          Can use 802.1X mode?   Can use PSK mode?
WPA       Yes                    Yes
802.11i   Yes                    Yes

Both WPA and 802.11i use both modes. This is not surprising because WPA was derived from 802.11i.

802.1X Mode (See Figure 7-5)
◦ 802.1X in WPA and 802.11i protects client-access point
communication with an extensible authentication protocol.
EAP must be protected.
No problem with UTP.
Big problem for wireless.
For wireless, EAP had to
be extended.

WEP
◦ Used the same shared key for everyone.
◦ It was used for a great deal of traffic.
◦ This made the key easy to break.

PSK Mode in 802.11i
◦ Only uses the shared initial key for initial
communication, so can’t be cracked.
◦ Only a few people share this key so won’t give it out.
◦ Each host then gets a different shared session key.
◦ Too little traffic is sent with this key to be cracked.
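
An added example, not from the original slides: how PSK mode turns the shared pass phrase into one master key and then into a different session key for each station, using the standard 802.11i derivations (PBKDF2 and the pairwise PRF). The SSID, pass phrase, MAC addresses and nonces are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

MIN_PASSPHRASE_LEN = 20  # minimum pass phrase length given on the slides


def passphrase_ok(passphrase: str) -> bool:
    """Policy check: 802.11i allows 8 to 63 characters, the slides require 20 or more."""
    return MIN_PASSPHRASE_LEN <= len(passphrase) <= 63


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Master key shared by every station: PBKDF2-HMAC-SHA1, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=48):
    """Per-station session keys: 802.11i PRF over both MACs and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range((length + 19) // 20):   # SHA-1 yields 20 bytes per round
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:length]


def session_keys_for_two_stations():
    # Constructed sample values; real nonces are random per handshake.
    pmk = derive_pmk("orchard-lantern-copper-47-tide", "ExampleCorp")
    ap = bytes.fromhex("0200000000a1")
    nonce = lambda label: hashlib.sha256(label).digest()
    ptk_a = derive_ptk(pmk, ap, bytes.fromhex("0200000000b1"), nonce(b"an1"), nonce(b"sn1"))
    ptk_b = derive_ptk(pmk, ap, bytes.fromhex("0200000000b2"), nonce(b"an2"), nonce(b"sn2"))
    return ptk_a, ptk_b


if __name__ == "__main__":
    a, b = session_keys_for_two_stations()
    print("policy:", passphrase_ok("password"), passphrase_ok("orchard-lantern-copper-47-tide"))
    print("station A temporal key:", a[32:48].hex())
    print("station B temporal key:", b[32:48].hex())
```

The MAC addresses and nonces are exchanged unencrypted during association, so the pass phrase is the only secret input to these keys, which is why the length rule matters.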

Sits outside the premises or in a wireless hot spot
◦ A PC with software to emulate an access point
◦ Entices the wireless client to associate with it

Establishes a second connection with a legitimate
access point
◦ All traffic between the wireless client and network
servers passes through the evil twin.


This is a classic man-in-the-middle attack.
Attacks on confidentiality because evil twin
reads all traffic.
◦ Client encrypts traffic.
◦ Evil twin decrypts it and reads it.
◦ Evil twin reencrypts it and sends it on.

Evil twin can also send attack packets,
which do not pass through the border
firewall.

Virtual Private Networks (VPNs)
◦ End-to-end encryption with a pre-shared client-server
secret
◦ The secret is never transmitted so cannot be intercepted.




Usually just called WPS
Protocol to make it easier to connect clients
to access points
Very popular
Created by the Wi-Fi Alliance, not the 802
Committee


Designed poorly
Pre-shared keys can be cracked in about
5,500 attempts
◦ Easy to do with automated attacks

Only solution is to turn off WPS at the router
◦ Many routers cannot even turn it off

A problem for PSK but not 802.1X



Either overloads the access point with traffic
Or sends a command to get a client to
disassociate from an access point
Uncommon but dangerous
802.11 Security
802.11 LAN management
Other local wireless technologies

Access Points Placement in a Building
◦ Must be done carefully for good coverage and to
minimize interference between access points.
◦ Lay out 30-meter to 50-meter radius circles on
blueprints.
◦ Adjust for obvious potential problems such as
brick walls.
◦ In multistory buildings, must consider
interference in three dimensions.
◦ Install access points and do site surveys to
determine signal quality.
◦ Adjust placement and signal strength as needed.
◦ In commercial access points, signal strength and
other configuration information can be actively
controlled.

Remote Access Point Management
◦ The manual labor to manage many access points
can be very high.
◦ They must be managed efficiently through
automation.
◦ Desired networking functionality:
 Notify the WLAN administrators of failures
immediately.
 Support remote access point adjustment.
 Should provide continuous transmission quality
monitoring.
 Allow software updates to be pushed out to all
access points or WLAN switches.
 Work automatically whenever possible.
◦ Desired security functionality:
 Notify administrator of rogue access points.
 Notify administrator of evil twin access points.
 Notify the administrator of flooding denial-of-service attacks.
 Notify the administrator of disassociate
message denial-of-service attacks.
 Instantly deny access to selected stations under
selected conditions.
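
An added example, not from the original slides: a minimal sketch of the alerting logic behind the first four notifications, run over constructed sensor observations. The inventory, the SSIDs and BSSIDs, both thresholds and the alert names are assumptions made for this example, not values from any management product.

```python
from collections import Counter

# Constructed inventory of authorized access points, keyed by BSSID.
AUTHORIZED = {
    "02:00:00:aa:00:01": {"ssid": "ExampleCorp", "channel": 1, "security": "WPA2-802.1X"},
    "02:00:00:aa:00:02": {"ssid": "ExampleCorp", "channel": 6, "security": "WPA2-802.1X"},
}
CORPORATE_SSIDS = {ap["ssid"] for ap in AUTHORIZED.values()}
ROGUE_RSSI_DBM = -65       # assumed: a stronger signal means the AP is on site
DISASSOC_PER_MINUTE = 30   # assumed ceiling for normal disassociation traffic


def classify_beacon(beacon):
    """Return an alert name for one observed beacon, or None if nothing is wrong."""
    known = AUTHORIZED.get(beacon["bssid"])
    if known:
        # A known BSSID with the wrong channel or security is a likely clone.
        same = all(beacon[k] == known[k] for k in ("ssid", "channel", "security"))
        return None if same else "evil-twin-suspect"
    if beacon["ssid"] in CORPORATE_SSIDS:
        return "evil-twin-suspect"      # unknown radio using the corporate name
    if beacon["rssi_dbm"] >= ROGUE_RSSI_DBM:
        return "rogue-ap-suspect"       # unknown radio inside the building
    return None                         # distant neighbour network


def disassociate_floods(frames):
    """frames: one (minute, claimed source BSSID) tuple per disassociation frame."""
    counts = Counter(frames)
    return sorted(key for key, n in counts.items() if n > DISASSOC_PER_MINUTE)


# Constructed sensor observations.
BEACONS = [
    {"bssid": "02:00:00:aa:00:01", "ssid": "ExampleCorp", "channel": 1, "security": "WPA2-802.1X", "rssi_dbm": -48},
    {"bssid": "02:00:00:aa:00:02", "ssid": "ExampleCorp", "channel": 11, "security": "open", "rssi_dbm": -40},
    {"bssid": "02:00:00:bb:00:09", "ssid": "ExampleCorp", "channel": 6, "security": "WPA2-PSK", "rssi_dbm": -55},
    {"bssid": "02:00:00:cc:00:03", "ssid": "Marketing-Printer", "channel": 3, "security": "WEP", "rssi_dbm": -50},
    {"bssid": "02:00:00:dd:00:04", "ssid": "CoffeeShop", "channel": 11, "security": "WPA2-PSK", "rssi_dbm": -88},
]
DISASSOC_FRAMES = [(0, "02:00:00:aa:00:01")] * 4 + [(1, "02:00:00:aa:00:01")] * 120


def run_checks():
    alerts = [(b["bssid"], classify_beacon(b)) for b in BEACONS]
    return [a for a in alerts if a[1]], disassociate_floods(DISASSOC_FRAMES)


if __name__ == "__main__":
    print(run_checks())
```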
Box

Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)

Multiples of 3 dB (decibels)
◦ +3 dB = X2 (times two) power
◦ +6 dB = X4 power
◦ +9 dB = ?
◦ -3 dB = ½ power
◦ -6 dB = ?

Units of 10 dB
◦ +10 dB = X10 power
◦ +20 dB = ?
◦ -10 dB = ?
◦ -20 dB = ?

Power is measured in Watts (W)
◦ Milliwatt (mW) = 1/1000 of a Watt

Transmitted power is 12 mW
◦ Attenuation during travel is -6 dB
◦ Final transmission power: ?

Radio power is 2 mW
◦ Antenna amplifies signal by 9 dB
◦ Final transmission power: ?

In radio engineering, you often have to
express the ratio of two signal powers, P1
and P2.
◦ Amplification may make P2 larger than P1, the
original signal strength.
◦ Attenuation may make P2 smaller than P1, the
original signal strength.
◦ Connector loss may make transmitted power P2
smaller than P1, the original signal strength.



In general, simple ratios are easy to
understand.
However, P1 and P2 can vary by orders of
magnitude, giving numbers that are difficult
to interpret by reading.
Radio engineers express signal ratios in a
logarithmic scale, decibels (dB).


Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 80 mW.
Use the Excel LOG10() function.
If P2 > P1, then the ratio is greater than 1, and the dB value is positive.


Suppose you have attenuation, so that while P1 is 30 milliwatts (mW), P2 is 1.3 mW.
Use the Excel LOG10() function.
If P2 < P1, then the ratio is less than 1, and the dB value is negative.

Suppose you have amplification, so that
while P1 is 20 milliwatts (mW), P2 is 30 mW.
◦ What is LdB?

Suppose you have a loss of power of 30% at
a coupler between the radio and the
antenna.
◦ How would you compute LdB?

A doubling of power is 3.0103 dB
◦ This is almost exactly 3.
◦ Use 3 in estimates.
◦ Fill in the two missing dB values.

Ratio   N (as in 2^N)   dB
16      4               ?
8       3               9 dB
4       2               6 dB
2       1               3 dB
1       0               0 dB
1/2     -1              -3 dB
1/4     -2              -6 dB
1/8     -3              ?

A factor of 10 increase is 10 dB
◦ This is exactly 10.
◦ Fill in the two missing dB values.

Ratio     N (as in 2^N)   dB
10,000    4               ?
1,000     3               30 dB
100       2               20 dB
10        1               10 dB
1         0               0 dB
1/10      -1              -10 dB
1/100     -2              -20 dB
1/1,000   -3              ?


dB gives power ratios.
dBm gives absolute power, relative to 1
milliwatt (mW).
◦ P1 = 1 mW

What is the dBm for 2 mW?

What is the dBm for 0.01 mW?

What is the dBm for 1 Watt?

Power ratios multiply
◦ Initial power = 1 Watt
◦ Loss of power at antenna coupler = .5
◦ Loss of power due to attenuation = 90%
◦ Loss of power due to wall = 75%
◦ What is the final power?

Decibels add
◦ Initial power = 1 Watt (30 dBm)
◦ Loss of power at antenna coupler = .5 (-3 dB)
◦ Loss of power due to attenuation = 90% (-10 dB)
◦ Loss of power due to wall = 75% (-6 dB)
◦ What is the final power?

Converting decibels back to power ratios
◦ What is the power ratio for 30 dB?
◦ What is the power ratio for -8 dB? (Do it in a
spreadsheet.)
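
An added example, not from the original slides: the decibel conversions from this box as code, using the standard definition LdB = 10 × log10(P2/P1), with the coupler, attenuation and wall losses from the "Power ratios multiply" and "Decibels add" slides worked both ways. The function names are this example's own.

```python
import math


def ratio_to_db(p2_mw: float, p1_mw: float) -> float:
    """LdB = 10 * log10(P2 / P1): positive for gain, negative for loss."""
    return 10 * math.log10(p2_mw / p1_mw)


def db_to_ratio(db: float) -> float:
    """Inverse conversion: power ratio = 10 ** (dB / 10)."""
    return 10 ** (db / 10)


def mw_to_dbm(p_mw: float) -> float:
    """dBm is the dB value with P1 fixed at 1 mW."""
    return ratio_to_db(p_mw, 1.0)


def dbm_to_mw(dbm: float) -> float:
    return db_to_ratio(dbm)


def link_budget(initial_mw, fractions_lost):
    """Final power computed twice: multiplying ratios, then adding decibels."""
    remaining = [1.0 - lost for lost in fractions_lost]
    by_ratio_mw = initial_mw * math.prod(remaining)
    total_dbm = mw_to_dbm(initial_mw) + sum(ratio_to_db(r, 1.0) for r in remaining)
    return by_ratio_mw, total_dbm, dbm_to_mw(total_dbm)


def slide_example():
    # 1 W transmitter; 50% lost at the coupler, 90% to attenuation, 75% at the wall.
    exact = link_budget(1000.0, [0.5, 0.9, 0.75])
    # Same budget with the rounded 3 dB and 10 dB steps used for estimates.
    estimate_dbm = 30 - 3 - 10 - 6
    return exact, estimate_dbm, dbm_to_mw(estimate_dbm)


if __name__ == "__main__":
    (by_ratio, dbm, back_to_mw), est_dbm, est_mw = slide_example()
    print(f"ratios multiplied: {by_ratio:.2f} mW")
    print(f"decibels added:    {dbm:.2f} dBm = {back_to_mw:.2f} mW")
    print(f"3/10 dB estimate:  {est_dbm} dBm = {est_mw:.2f} mW")
    print(f"20 mW -> 80 mW:    {ratio_to_db(80, 20):.2f} dB")
    print(f"30 mW -> 1.3 mW:   {ratio_to_db(1.3, 30):.2f} dB")
```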
802.11 Security
802.11 LAN management
Other local wireless technologies

Use
◦ 802.11i: Wi-Fi Direct gives direct communication between two wireless devices
◦ Bluetooth: Personal area networks (PANs) around a desk or a person’s body
◦ Near Field Communication (NFC): Very near communication between two wireless hosts
◦ Ultrawideband (UWB): Extremely high speed, short distance communication

Typical Speed
◦ Wi-Fi Direct: 20-300 Mbps
◦ Bluetooth: 2 Mbps
◦ Near Field Communication (NFC): 106, 212, or 424 kbps
◦ Ultrawideband (UWB): 100 Mbps
Service Range
◦ Wi-Fi Direct: 30-50 m
◦ Bluetooth: 10 m
◦ Near Field Communication (NFC): 10 cm
◦ Ultrawideband (UWB): 10 m
Requires Wall Power
◦ Wi-Fi Direct: Yes
◦ Bluetooth: No
◦ Near Field Communication (NFC): No
◦ Ultrawideband (UWB): Yes
Service Band
◦ Wi-Fi Direct: 2.4 and 5 GHz
◦ Bluetooth: 2.4 GHz
◦ Near Field Communication (NFC): 13.56 kHz
◦ Ultrawideband (UWB): UWB channels typically span multiple entire service bands

For Personal Area Networks (PANs)
◦ Devices on a person’s body and nearby
(earphone, mobile phone, netbook computer,
etc.)
◦ Devices around a desk (computer, mouse,
keyboard, printer)

Cable Replacement Technology
◦ For example, with a Bluetooth phone, you can
print wirelessly to a nearby Bluetooth-enabled
printer.
◦ Does not use access points.
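
Principal Benefit
◦ Classic Bluetooth: Good performance at low power
◦ High-Speed Bluetooth: High-speed transfers available when needed
◦ Low-Energy Bluetooth: Ultra-long battery life and ultra-fast setup times
Speed
◦ Classic Bluetooth: Up to 3 Mbps
◦ High-Speed Bluetooth: Up to about 24 Mbps
◦ Low-Energy Bluetooth: Up to 200 kbps
Expected Duty Cycle
◦ Classic Bluetooth: Low to High
◦ High-Speed Bluetooth: Low to High
◦ Low-Energy Bluetooth: Very Low
Power Required
◦ Classic Bluetooth: Low
◦ High-Speed Bluetooth: High
◦ Low-Energy Bluetooth: Very Low
Distance
◦ Classic Bluetooth: ~10 m
◦ High-Speed Bluetooth: ~30 m
◦ Low-Energy Bluetooth: ~15 m
Setup Time
◦ Classic Bluetooth: < 6 s
◦ High-Speed Bluetooth: Not Given
◦ Low-Energy Bluetooth: < 3 ms
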
A device, in this case
the Desktop, can be
simultaneously a
master and a slave.

Bluetooth Profiles
◦ 802.11 did not have to develop application
standards.
 Many standards already existed.
◦ But standards did not exist for new short-distance
applications such as printing to a printer.
◦ The Bluetooth Special Interest Group had to
develop various standards in addition to radio
transmission standards.
◦ It called these Bluetooth profiles.

Peering
◦ When two devices first encounter each other, they
must go through a negotiation process.
◦ This negotiation process is called peering.
◦ It involves the exchange of device information.
◦ It may involve authentication.
◦ It may also involve one or both of the device
owners explicitly deciding if the two devices
should be allowed to communicate.

Service Discovery Profile (SDP)
◦ Peering uses the Service Discovery Profile (SDP).
◦ Normally, a device is in discoverable mode.
◦ If it receives a Service Discovery Protocol request, it
will send information about itself:
 Name
 Device class
 Bluetooth profiles supported
 Technical information such as manufacturer’s
name

Binding
◦ After peering is complete, the two devices are
bound.
◦ They can begin communicating.
◦ If they are brought together later, they are still
bound.
◦ They will begin communication without the
peering process.
◦ This allows fast setup.
◦ The owner of either device can end the binding.



802.11 Wi-Fi uses 20 MHz or 40 MHz
channels in the 2.4 GHz and 5 GHz bands.
Bluetooth operates in the 2.4 GHz band.
Bluetooth divides the band into 79
channels, each 1 MHz wide.


Bluetooth radios hop among the frequencies up to
1,600 times per second.
These radios avoid channels where other devices
(including 802.11 devices) are active.

Payment of bus fares (already popular in some
countries)

Opening car doors

Turning on the ignition

Building door entry control

Sharing business cards





Sharing webpages between mobile devices
Retail payments, including loyalty points
and coupons (beginning to be popular)
NFC posters with tap points for more
communication
Passive Radio Frequency ID (RFID) Tags





Radio frequency ID tags contain information about
an item.
A passive RFID tag has no internal power source.
When read by an NFC device, the power of the
reader request gives power for the response.
13.56 kHz was specified by ISO/IEC for passive
RFID tags long before NFC standards were created.
With sensitive antennas, NFC transmission can be
eavesdropped upon from a distance.



Enormously wide channels
Very low power per hertz to avoid interfering with
other transmissions
Very high speeds over short distances (~10 m)

Threats
◦ Eavesdropping
◦ Data modification
◦ Impersonation
◦ Denial-of-service attacks

Cryptological Security
◦ Some local wireless technologies have no
cryptological security.
◦ Example: Near field communication for
reading passive ID tags.
◦ They rely on short transmission distances
to foil eavesdroppers.
◦ Directional antennas and amplifiers can
defeat this.

Strength of Security
◦ Some have reasonably good security.
◦ Example: Bluetooth
◦ However, still not as strong as 802.11i
and WPA security.

Device Loss or Theft
◦ In this age of bring your own device
(BYOD) to work, this is a serious problem.
◦ Most devices are protected only by short
PINs.

Maturity
◦ In general, new security technologies take
some time to mature.
◦ During this period, they often have
vulnerabilities that must be fixed quickly.
◦ User companies must master security for
each new technology.