"Security & Privacy in WLAN - A Primer and Case Study"
The objective of this paper is to illustrate a primer on Wireless Local Area Network (WLAN) security issues along with an experiment on WLAN penetration test in a live network.
Security & Privacy in WLAN - A Primer and Case Study
1. Security & Privacy in Wireless Local Area Network: A Primer & Case Study
Presented by Mohammad Mahmud Kabir
[Prepared as the presentation of the term paper for the BIM PGDCS Course, 2015]
2. Disclaimer
Security & Privacy of Wireless Local Area Network
A Primer & Case Study
Warning: Hacking is a crime, and this document is not responsible for the way it may get used.
All data and information provided in this document/paper/presentation are for informational and educational purposes only and concern ethical hacking, security and penetration testing.
3. About Me
Mohammad Mahmud Kabir
Participant, PGDCS Course (Post Graduate Diploma in Computer Science), BIM (Bangladesh Institute of Management)
Student ID: 15 CS 013
Session: 2015
Career Track: Information Security & Assurance
Profession: Information Audit, ICCD
Currently deputed as Deputy Team Lead, Quality Assurance Track, Core Banking System Transformation Project (CBT), AB Bank Limited
4. Paper Introduction
Objective: The objective of this paper is to illustrate a primer on Wireless Local Area Network (WLAN) security issues along with an experiment on WLAN penetration testing in a live network.
Scope: The study focuses on the theoretical and practical perspectives of today's wireless local area networks.
Limitations: The paper is limited to the concepts of "WLAN Security" with a sample experiment. "WLAN Security" itself is vast and has many different perspectives.
The Problem & Background: Wireless LAN security and privacy, specifically the scope of the WPS vulnerability.
Paper Supervisor: Ms. Farkhunda Dorin, Management Counsellor, Computer Science Division, BIM, Dhaka
5. Paper Introduction: Paper Structure
There are two parts in this paper, as the title says:
(1) A Primer (Part A): a theoretical overview and a practical experiment that present a primer on basic computer networking, WLAN, wireless technologies and standards, WLAN security threats, countermeasures, etc.
(2) A Case Study (Part B): this part portrays a real-life case study based on an experimental penetration test in a local organization.
6. Content Summary
PART A: The Primer
• Computer Networking (Definition, Classifications and Types, OSI layers, LAN)
• WLAN Basics (Definition, Benefits, Classification & Types, Components, Basic Operation, Standards)
• WLAN Security (Security Concepts, Threats/Vulnerabilities, Countermeasures/Defense, Encryption Methods)
• WPS (About "WPS", WPS authentication, WPS implementation flaw, Security Context)
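The WPS implementation flaw listed above is the weakness this paper's case study is built around. The following Python model is added here as an example; it is not part of the original presentation or of the author's experiment. It shows why the flaw is a design problem rather than a bug in one product: a WPS PIN has seven significant digits plus a checksum digit, and the registrar exchange verifies the two halves separately (the first half at message M4, the second at M6), so a wrong guess leaks which half failed and the search collapses from 10^7 checksum-valid PINs to at most 11,000 attempts. The `ModelAP` class, its `try_pin` method and the "M4 NACK"/"M6 NACK"/"SUCCESS" strings are a simplification of the exchange chosen for this example, not a protocol implementation; the checksum routine is the standard weighted-sum rule from the WPS specification, and the sample PIN is constructed.

```python
# Added example: model of the WPS PIN structure and of the split-verification
# design flaw. ModelAP is a simplification of the registrar exchange, not a
# real 802.11/WPS implementation; the checksum rule is the one from the WPS spec.
from dataclasses import dataclass


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for the 7 significant digits of a WPS PIN.

    Weighted sum: 3 * (digits in odd positions from the right) + (even positions);
    checksum = (10 - sum mod 10) mod 10.
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def search_space(split_verification: bool) -> int:
    """Worst-case guesses: 10^7 checksum-valid PINs if the PIN were checked as a
    whole, 10^4 + 10^3 when each half is verified (and rejected) separately."""
    return 10_000 + 1_000 if split_verification else 10_000_000


@dataclass
class ModelAP:
    """Toy access point/registrar (assumption for this example). As in the WPS
    exchange, the first half of the PIN is checked at M4 and the second half at
    M6, so the NACK tells the enrollee which half was wrong."""
    secret_pin: str
    attempts: int = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.secret_pin[:4]:
            return "M4 NACK"  # first half wrong
        if pin[4:] != self.secret_pin[4:]:
            return "M6 NACK"  # first half right, second half wrong
        return "SUCCESS"


def recover_pin(ap: ModelAP) -> str:
    """Recover the PIN by using the per-half feedback of the model AP."""
    # Phase 1: at most 10^4 guesses for digits 1-4. Digits 5-7 are filler; the
    # 8th digit is computed so that a checksum-enforcing AP accepts the format.
    first_half = None
    for i in range(10_000):
        seven = f"{i:04d}000"
        if ap.try_pin(seven + str(wps_pin_checksum(int(seven)))) != "M4 NACK":
            first_half = f"{i:04d}"
            break
    if first_half is None:
        raise RuntimeError("first half not found (model AP misconfigured)")

    # Phase 2: at most 10^3 guesses for digits 5-7; the 8th digit is derived.
    for j in range(1_000):
        seven = f"{first_half}{j:03d}"
        pin = seven + str(wps_pin_checksum(int(seven)))
        if ap.try_pin(pin) == "SUCCESS":
            return pin

    # Edge case: some APs use 8 freely chosen digits and ignore the checksum
    # rule. Then the last digit has to be searched too, adding at most 10^4 guesses.
    for j in range(10_000):
        pin = f"{first_half}{j:04d}"
        if ap.try_pin(pin) == "SUCCESS":
            return pin
    raise RuntimeError("no PIN matched")


if __name__ == "__main__":
    ap = ModelAP("12345670")  # constructed sample PIN (checksum-valid)
    print(recover_pin(ap), "recovered after", ap.attempts,
          "guesses; worst case", search_space(True))
```

The third loop covers access points that set an eight-digit PIN without enforcing the checksum; the attempt count then grows, but it stays far below the 10^7 that a whole-PIN check would require. The practical defence follows directly from the model: disable the WPS PIN (external registrar) method on the access point, or confirm that its firmware locks the method out after a small number of failed attempts, since the weakness lies in the per-half verification and not in any particular PIN.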
7. COMPUTER NETWORKING
Definition
Classifications and Types
OSI layers
LAN
8. COMPUTER NETWORKING: Definition
"A computer network or data network is a telecommunications network which allows computers to exchange data. A system of interconnected computers and computerized peripherals is called a computer network. This interconnection among computers facilitates information sharing among them. The connections between nodes are established using either cable media or wireless media."
Classifications and Types
Computer networks are classified by:
• Geographical span: PAN, LAN, MAN, WAN, Internet
• Inter-connectivity (topology): Point-to-Point, Bus, Star, Ring, Mesh, Tree, Daisy Chain, Hybrid
• Administration: Private network, Public network
• Architecture: Client-Server, Peer-to-peer, Hybrid
OSI layers
[Figure: the 7 layers of the OSI model, numbered 1 to 7]
LAN
"A computer network spanning a single building and operated under a single administrative system is generally termed a Local Area Network (LAN). Usually it connects systems numbering from as few as two to as many as 16 million. LANs mostly operate on private IP addresses. A LAN works under its own local domain and is controlled centrally. A LAN can be wired, wireless, or both at once."
WIRELESS LOCAL AREA NETWORK
Definition
Benefits
Classification & Types
Components
Basic Operation
WLAN Standards (IEEE 802.11)
Definition
"Wireless Local Area Networks (WLANs) are groups of wireless networking nodes within a limited geographic area, such as an office building or campus, that are capable of radio communications. WLANs are usually implemented as extensions to existing wired local area networks to provide enhanced user mobility."
Benefits
• Scalability
• Reduced installation time
• Range of coverage
• Mobility
• Cost stability
• Easy installation in difficult areas
Classification & Types
Basic WLAN topologies:
1. IBSS (Independent Basic Service Set)
2. BSS (Basic Service Set)
3. ESS (Extended Service Set)
[Figure: IBSS, BSS and ESS topologies]
Components
The 802.11 network's 4 major components:
• Distribution system
• Access points (APs)
• Stations (STAs)
• Wireless medium
Basic Operation
[Figure only; no text extracted for this slide]
WLAN Standards
1. WLAN Standards & IEEE 802.11 (original specification)
• Service Set Identifier (SSID)
• Media Access Control (MAC) Address Filters
• Wired Equivalent Privacy (WEP)
2. IEEE 802.11i
• Extensible Authentication Protocol (EAP) standard
• Robust Security Network (RSN) protocols for RSNAs:
  • Temporal Key Integrity Protocol (TKIP) and
  • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
• Wi-Fi Protected Access 2 (WPA2)
3. IEEE 802.11 Vulnerabilities
• MAC Address Authentication
• One-way Authentication
• Static WEP Keys
• SSID
• WEP Key Vulnerability
• Manual Key Management
• Key Size
• Initialization Vector (IV)
• Decryption Dictionaries
WLAN SECURITY
Security Concepts
Threats /Vulnerabilities
Countermeasure /Defense
Encryption Methods
Security Concepts
Security mechanics and their mechanisms:
Confidentiality: Encryption (Symmetric and Asymmetric)
Integrity: Digital Signatures (using one-way hash functions)
Availability: Defensive technologies to detect/guard against DoS attacks
Authentication: 802.1X, RADIUS, PAP/CHAP, MS-CHAP, etc.
Authorization: 802.1X (based on authentication), multiple levels and protocols
Access Control: Based on authentication, encryption
Encryption: WEP, CKIP, TKIP, AES
Decryption: WEP, CKIP, TKIP, AES
Threats / Vulnerabilities
WLAN attacks:
• Passive attacks: Eavesdropping, Traffic analysis
• Active attacks: Network access (read access, write access), DoS attack
[Figure: WLAN threat map showing Eavesdropping, Unauthorized access, Key cracking, Wi-Phishing, Honeypots, External APs / External use, Rogue AP, Misconfigured AP, Ad hoc connections and Wireless DoS, positioned around the firewall and the Internet]
Countermeasure / Defense
[Figure only; no text extracted for this slide]
Encryption Methods
[Figure only; no text extracted for this slide]
WPS Wi-Fi Protected Setup
About: “WPS”
WPS authentication
WPS implementation flaw
Security Context
About: "WPS"
"Wi-Fi Protected Setup (WPS) is the Wi-Fi Alliance's specification for secure association of wireless LAN devices: it mutually authenticates the enrolling device with the Wi-Fi network and delivers network access keys to that device by having the enrolling device interact with a device known as the "registrar", which is responsible for controlling the Wi-Fi network. The registrar may be located in the Wi-Fi access point itself."
WPS Setup Process
[Figure: the three WPS setup methods]
1. Push Button Configuration (push button)
2. PIN entry, via an Internal Registrar or an External Registrar (router PIN or device PIN)
3. Out-of-Band
Push Button Configuration
[Figure only; no text extracted for this slide]
PIN entry (In-band configuration)
[Figure only; no text extracted for this slide]
Out-of-Band
1. Exchange of public key commitments
2. Unencrypted key transfer
3. Encrypted key transfer
WPS Options & Authentication type
Option / Authentication: Physical Access | Web Interface | PIN
Push-button-connect: Physical Access
Internal Registrar: Web Interface
External Registrar: PIN *
* Potentially vulnerable to brute force attacks, as the External Registrar option does not require any kind of authentication apart from providing the PIN.
WPS authentication (PIN, External Registrar)
8-digit security key: digits 1 to 7 form the PIN (1st half: digits 1 to 4; 2nd half: digits 5 to 7) and the 8th digit is a checksum.
Transport: IEEE 802.11 / EAP, Expanded Type, Vendor ID: WFA (0x372A), Vendor Type: SimpleConfig (0x01).
* If the WPS authentication fails at some point, the AP will send an EAP-NACK message.
WPS implementation flaw
The 8-digit security key (7 PIN digits plus a checksum) is verified in two halves:
- the 1st half of the PIN is incorrect if an EAP-NACK message is received after sending M4;
- the 2nd half of the PIN is incorrect if an EAP-NACK message is received after sending M6.
Maximum possible authentication attempts:
- whole key: 10^8 = 100,000,000
- split halves: 10^4 + 10^3 = 10,000 + 1,000 = 11,000
Security Context: advantages of attacking WPS (over a direct attack on WPA/WPA2)
1. Faster: cracking the WPS PIN is considerably faster and not as luck-dependent.
2. Recovery of the passphrase: knowledge of the PIN enables recovering the passphrase instantly even if the owner changes it (with 'wpscrack' or 'Reaver').
3. Multiple radios use the same WPS PIN: access points with multiple radios (2.4/5 GHz) can be configured with multiple WPA keys. Since the radios use the same WPS PIN, knowledge of the PIN allows an attacker to recover all WPA keys.
Content Summary
PART B: The Case Study
• Theoretical Methodology
(Preface, Penetration Testing, WPS Review, Brute Force Methodology)
• Preparation & Testing
(Hardware & Software, Reaver, Test environment, Considerations)
• Live Operations
(Live environment, Operation in Area B1, Operation in Area M1)
• Observations and recommendations
(Observations, Recommendations)
THEORETICAL METHODOLOGY
Objective
Penetration Testing
WPS scope
Brute Force Methodology
Objective
"The objective was to perform successful penetration testing through a brute force attack methodology against a WPS PIN, to describe the whole process, and to execute several tests on APs in two different areas to find out how many of the APs used there were vulnerable to the attack."
Penetration Testing
Definition: "A software attack on a computer system looking for security weaknesses and gaining access to the system and data."
The goals of penetration tests:
1. Determine feasibility of a particular set of attack vectors
2. Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence, or that may be difficult to detect with automated vulnerability scanning software
3. Assess the magnitude of potential business and operational impacts of successful attacks
4. Test the ability of network defenders to detect and respond to attacks
5. Provide evidence to support increased investments in security personnel and technology
WPS scope
The scope is the WPS implementation flaw from Part A: the 8-digit security key (7 PIN digits plus a checksum) is verified in two halves, an EAP-NACK after M4 showing that the 1st half is incorrect and an EAP-NACK after M6 showing that the 2nd half is incorrect. The maximum number of authentication attempts therefore drops from 10^8 = 100,000,000 to 10^4 + 10^3 = 10,000 + 1,000 = 11,000.
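The arithmetic behind the 11,000 figure, and the check digit that makes the last PIN digit derivable, as an added example that is not part of the paper. The check-digit rule is the one in the Wi-Fi Simple Configuration specification (digits weighted 3, 1, 3, 1, ... from the right); `max_attempts` also includes the count of checksum-valid keys (10^7), which the slides do not state but which follows from the rule.

```python
# Added example, not from the paper: the WPS PIN check digit and the size of
# the search space under each way of counting it. The check-digit rule is the
# one defined in the Wi-Fi Simple Configuration specification; the attempt
# counts reproduce (and extend) the figures on the slides.


def wps_check_digit(body: int) -> int:
    """Check digit for a 7-digit WPS PIN body (weights 3,1,3,1,... from the right)."""
    accum = 0
    n = body
    while n > 0:
        accum += 3 * (n % 10)   # odd position from the right, weight 3
        n //= 10
        accum += n % 10         # even position from the right, weight 1
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits whose last digit is the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_check_digit(int(pin[:7])) == int(pin[7])


def max_attempts(mode: str) -> int:
    """Worst-case number of PIN trials for each way of counting the space."""
    if mode == "all-8-digit":      # every 8-digit string: the 10^8 on the slide
        return 10 ** 8
    if mode == "checksum-valid":   # only keys whose last digit is a correct check digit
        return 10 ** 7
    if mode == "split-halves":     # 4 free digits (M4 check) + 3 free digits (M6 check), checksum derived
        return 10 ** 4 + 10 ** 3
    raise ValueError("unknown mode: %s" % mode)


def worst_case_hours(seconds_per_attempt: float) -> float:
    """Wall-clock time for the split-halves worst case at a given per-attempt rate."""
    return max_attempts("split-halves") * seconds_per_attempt / 3600.0


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    for mode in ("all-8-digit", "checksum-valid", "split-halves"):
        print(mode, max_attempts(mode))
    print("hours at 1.9 s/attempt:", round(worst_case_hours(1.9), 2))
```

The per-attempt rate the paper measured (a little under 2 seconds) gives just under 6 hours for the 11,000-trial worst case; at exactly 2 seconds it already exceeds 6 hours, which is why the slide says "less than 6 hours" only for the ideal conditions.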
Brute Force Methodology
[Figure: attack flow] 802.11 Auth, 802.11 Assoc, EAP Initiation, ..., send M4; on NACK increment the 1st half of the PIN, on M5 send M6; on NACK increment the 2nd half of the PIN and fix the checksum, on M7 dump the AP configuration; then 802.11 Deauth.
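Seen from the AP side, the flow above has a clear signature: one station driving WPS registrar exchanges that end in EAP-NACK, every couple of seconds, for hours. The following detector, an added example that is not part of the paper, counts NACKs per station inside a sliding window over a constructed log. The log line format is invented for this example (hostapd does not log in exactly this shape), so the parser would need adapting to a real AP's log.

```python
# Added example, not from the paper: flag a WPS PIN brute-force pattern from
# AP-side log lines. The log format below is constructed for the example; the
# signal is the one the paper describes (many EAP-NACKs from one station).
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: one station fails the first-half (M4) check eight
# times, two seconds apart (the rate the paper measured); another enrols normally.
SAMPLE_LOG = "\n".join(
    ["2015-05-10T10:00:%02d wps sta=00:11:22:33:44:55 msg=M4 result=NACK" % (2 * i)
     for i in range(8)]
    + ["2015-05-10T10:00:30 wps sta=aa:bb:cc:dd:ee:01 msg=M4 result=OK",
       "2015-05-10T10:00:31 wps sta=aa:bb:cc:dd:ee:01 msg=M7 result=OK"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) wps sta=(?P<sta>[0-9a-f:]{17}) "
    r"msg=(?P<msg>M\d) result=(?P<res>\w+)$"
)


def parse_wps_log(text: str) -> list:
    """Return (timestamp, station, message, result) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["sta"], m["msg"], m["res"]))
    return events


def detect_wps_bruteforce(events: list, window: timedelta = timedelta(seconds=60),
                          threshold: int = 5) -> dict:
    """Stations whose EAP-NACK count within any `window` reaches `threshold`.

    Returns {station: peak NACK count in a window}. A legitimate user mistyping
    a PIN produces one or two NACKs; a PIN search produces one every few seconds.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, sta, _msg, res in sorted(events):
        if res != "NACK":
            continue
        q = recent[sta]
        q.append(ts)
        while q and ts - q[0] > window:   # drop NACKs that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[sta] = max(flagged.get(sta, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(detect_wps_bruteforce(parse_wps_log(SAMPLE_LOG)))
```

The threshold of five NACKs per minute is a starting point; with the paper's lockout recommendation an AP would also stop answering the offending station once the count is hit.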
PREPARATION & TESTING
Hardware & Software
About: Reaver
Test environment
Test Considerations
Hardware & Software
Software:
• OS: Debian
• Reaver: brute-force attacking
• Aircrack-ng: monitoring
• Wireshark: packet monitoring
Hardware:
• Wireless network adapter: Atheros AR5B91
• System/Laptop: Acer Aspire 5738z
About: Reaver
"Reaver is an open source tool for Linux distributions which implements the brute force attack against the WPS PIN in order to receive the PSK. The source and free download can be found in."
"Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations."
Factors influencing the length of the recovery process: AP type, signal strength, lockout policy.
Test environment
AP configured for WPA2-PSK with a 14-60 character passphrase.
Test procedure:
1. The wireless card was put into monitor mode.
2. The network traffic was monitored with the airodump-ng tool. This provided us with the list of wireless networks in range of our laptop.
3. After finding the BSSID of the targeted network, Reaver performed a brute force attack against the PIN.
Example
[Screenshot: frame exchange during the attacking process]
[Screenshot: a successful attack shows the PIN, PSK and SSID]
Test Considerations
Time taken for 10 different attacks (essentially random):
No.  PSK length  Duration
1    14          96 minutes
2    14          77 minutes
3    63          226 minutes
4    63          119 minutes
5    47          204 minutes
6    47          112 minutes
7    25          84 minutes
8    25          265 minutes
9    20          189 minutes
10   20          106 minutes
"The time needed to successfully complete the attack under the same conditions is basically random; it depends mostly on how fast the first half of the PIN is guessed."
Ideal conditions for performing an attack:
• maximum signal strength,
• decent router CPU capabilities, and
• no error messages (no lost frames, no timeouts)
resulted in very fast PIN attempts (a little less than 2 seconds per attempt). At this rate, even the worst possible scenario (11,000 possible trials) would take less than 6 hours to complete.
LIVE Operation
Live environment & Client Profile
Operation in Area B1
Operation in Area M1
LIVE EXPERIMENT
Live environment & Client Profile
- The penetration testing was operated on more than one WLAN.
- Permission was obtained from an organization to perform attacks on their two sister concerns.
- The two concerns' offices are located in two different locations:
  - Banani (B1) and
  - Mohammadpur (M1)
- For security reasons, the operation was not permitted to disclose any data (organization's name, location, technical particulars etc.) that may indicate the identity of the organization.
Operation in Area B1
8 wireless networks were detected in the building:
- 4 potential targets (using WPA/WPA2 in PSK mode)
- 3 networks were encrypted with WEP
- 1 was not using any encryption at all.
(Attacks were performed from the public area of the building, which caused considerably weaker signal strength, varying from 34% to 76%.)
[Chart: 'B1' 8 wireless networks (APs): 4 targets, 3 encrypted with WEP, 1 with no encryption]
[Figure: B1 floor plan (public front, offices, meeting rooms, pantry, store, restrooms, mechanical room) with the attacker's position; APs: 8, Secured AP: 3, Target AP: 3, Compromised AP: 1, Public AP: 1]
Operation in Area M1
11 wireless networks were detected in the building:
- 6 potential targets (using WPA/WPA2 in PSK mode)
- 2 networks were encrypted with WEP
- 2 potential targets (using WPA/WPA2 in enterprise mode)
- 1 was not using any encryption at all.
[Chart: 'M1' 8 wireless networks (APs): 6 targets, 2 WEP encrypted, 2 WPA/WPA2 encrypted, 1 with no encryption]
[Figure: M1 floor plan (reception, meeting rooms, store, mechanical room, veranda, restrooms, pantry, dining, offices) with the attacker's position; Secured AP: 6, Target AP: 4, Compromised AP: 2, Public AP: 1]
CASE OBSERVATIONS
The majority of the WLAN users (people using any kind of LAN) can connect to and use the WLAN safely, since the biggest (and most used) networks were being used in Enterprise mode.
The small local WLANs, which were vulnerable to our attacks, are being used only by small groups of users. This does not automatically imply that there is a low or no chance of capturing important data, but it can be assumed that with more users being potential targets the attacker's chances would be considerably higher.
Whenever an attack on a network was unsuccessful, it was most probably caused by one of the following reasons:
- The AP has a lockout policy, which makes a brute force attack impractical/impossible. (However, during our tests no such device was targeted. Either the attack got going and ended successfully, or it did not start.)
- The target AP does not support WPS, or WPS was turned off manually on the device. Since WPS is enabled by default on the majority of devices which support it, and regular users would not turn it off, an unsuccessful attack is more likely caused by the device being older and not supporting WPS at all.
- The AP was used in Enterprise mode for enhanced security, which is not vulnerable to the WPS PIN brute force attack.
CASE RECOMMENDATIONS
The organization should be concerned that it is possible to abuse the WPS implementation flaw to gain full access to the wireless network.
The organization should also be concerned about the risk level, as a potential attacker needs only minimal resources to get into the network.
The organization is recommended to acknowledge the following:
- Any AP should have a lockout policy, which makes a brute force attack impractical/impossible.
- If the AP supports WPS, it may be turned off manually on the device.
- Any AP should be used in Enterprise mode for enhanced security.
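A way to check an access point's configuration against these three recommendations, as an added example that is not part of the paper. It audits a hostapd-style configuration file: the two sample configurations are constructed for the example, and the keys used (wps_state, ap_pin, ap_setup_locked, wpa_key_mgmt, ieee8021x, auth_server_addr) are hostapd's own; other AP firmware exposes the same settings under different names.

```python
# Added example, not from the paper: audit a hostapd-style AP configuration
# for the WPS and authentication settings the recommendations call out.
# Both configurations below are constructed samples.

WEAK_CONF = """\
# constructed sample: WPS on, AP PIN set, external registrar not locked, PSK mode
ssid=example-office
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-passphrase-not-a-real-one
wps_state=2
ap_pin=12345670
"""

HARDENED_CONF = """\
# constructed sample: WPS off, 802.1X / Enterprise mode against a RADIUS server
ssid=example-office
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
wps_state=0
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and comments (later keys win)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_wps(conf: dict) -> list:
    """Return findings; an empty list means the config meets the recommendations."""
    findings = []
    key_mgmt = conf.get("wpa_key_mgmt", "")
    wps_state = conf.get("wps_state", "0")   # hostapd default: WPS disabled

    if wps_state != "0":
        findings.append("WPS is enabled (wps_state=%s); turn it off unless required" % wps_state)
        # An AP PIN with external-registrar setup left unlocked is the
        # configuration the PIN brute force in the paper targets.
        if "ap_pin" in conf and conf.get("ap_setup_locked", "0") != "1":
            findings.append("AP PIN configured and external registrar setup not locked "
                            "(ap_setup_locked=1 missing): exposed to WPS PIN brute force")
    if "WPA-PSK" in key_mgmt and "WPA-EAP" not in key_mgmt:
        findings.append("PSK mode in use (wpa_key_mgmt=%s); prefer Enterprise mode "
                        "(WPA-EAP with 802.1X)" % key_mgmt)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_wps(parse_conf(text)))
```

Locking the external registrar (ap_setup_locked=1) addresses the brute-forceable option in the WPS options table while still allowing push-button enrolment; disabling WPS altogether (wps_state=0) removes the surface entirely, which is the stronger of the two recommendations.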
FUTURE SCOPES
Future work should focus on some of the following issues:
Detailed work in:
» WLAN standards
» WLAN security flaws
» Active attacks on WLAN
» Hardware and software countermeasures for WLAN security
» WLAN security encryption methods
» WPS authentication mechanism
Other penetration testing in different environments with different mechanisms.
Reducing and eliminating the risk of attacks that can happen on WLAN networks, such as Man-in-the-Middle attacks, Denial of Service (DoS) attacks and identity theft (MAC spoofing).
Penetration testing from mobile devices (e.g. Kali Linux/NetHunter equipped Android devices).
Thank You for your time, passion and interest
» Questions
» Discussions
» Recap
======================================================
This presentation is a part of the paper submitted for the BIM PGDCS 2015 Course. This presentation is also available at www.MahmudKabir.com/pgdcsppt and on the following sites:
SlideShare.com || YouTube.com || MS PowerPoint Live
Editor's Notes
To counter security issues, the original IEEE802.11 specification defined two means to validate the identities of wireless devices attempting to gain access to a WLAN – open system authentication (Service Set Identifiers and Media Access Control address filtering) and shared key authentication (Wired Equivalent Protocol); neither of these is secure.
Service Set Identifier (SSID)
The SSID acts as a WLAN identifier; it allows STAs to distinguish one WLAN from another. All devices trying to connect to a WLAN must use the same SSID. A client device cannot communicate with an established wireless network unless it is configured with the correct SSID. Because the SSID is broadcast in plaintext by the AP by default, an attacking node can read the SSID from beacon frames and use it to join the network as a legitimate node. Even if the APs beacon frames are disabled, since the SSID is transmitted in cleartext in the message headers, any node listening to the traffic can sniff it.
Media Access Control (MAC) Address Filters
A MAC address is a unique 48-bit value that is assigned to a particular wireless network interface by the network card's vendor. Many WLAN implementations allow administrators to specify a list of authorized MAC addresses; the AP will permit devices with those MAC addresses only to use the WLAN. This is known as MAC address filtering. However, since the MAC address is not encrypted, it is simple to intercept traffic and identify MAC addresses that are allowed past the MAC filter. Unfortunately, almost all WLAN adapters allow applications to set the MAC address, so it is relatively trivial to spoof a MAC address, meaning attackers can gain unauthorized access easily.
Wired Equivalent Privacy (WEP)
According to the IEEE802.11 standard, WEP was supposed "to provide data confidentiality that is subjectively equivalent to the confidentiality of a wired local area network". WEP relies on the RC4 cipher and a static secret key that is manually shared between all of the nodes in a wireless LAN. WEP was plagued with security issues in relation to the actual implementation of the encryption algorithm, the key lengths, poor key management, authentication and message integrity. WEP has now been proven to be easily breached and cannot be relied upon to secure WLANs.
Extensible Authentication Protocol (EAP)
IEEE802.11i references the Extensible Authentication Protocol (EAP) standard, which is a means for providing mutual authentication between STAs and the WLAN infrastructure, as well as performing automatic cryptographic key distribution.
Robust Security Network (RSN)
The IEEE802.11i specification introduces the concept of a Robust Security Network (RSN), which is defined as a wireless security network that allows the creation of Robust Security Network Associations (RSNA) only.
A RSNA is a logical connection between communicating IEEE802.11 entities established through the IEEE802.11i key management scheme, called the 4-Way Handshake, which is a protocol that validates that both entities share a pairwise master key (PMK), synchronizes the installation of temporal keys, and confirms the selection and configuration of data confidentiality and integrity protocols.
Confidentiality
Ensure that communications cannot be read by unauthorized parties. Confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes".
Integrity
Detect any intentional or unintentional changes to data that occur in transit. Data integrity means maintaining and assuring the accuracy and completeness of data over its entire life-cycle
Availability
Ensure that devices and individuals can access a network and its resources whenever needed. For any information system to serve its purpose, the information must be available when it is needed.
Security Mechanics & Key Mechanisms
Confidentiality
Definition: Capability to protect information from unauthorized entities; the capability to send/receive data without divulging any information to unauthorized entities during the transmission of data.
Mechanisms: Encryption (symmetric and asymmetric)
Integrity
Definition: Capability to protect data content from unauthorized modification; the capability to send/receive data such that unauthorized entities cannot change any part of the exchanged data without the sender/receiver detecting the change.
Mechanisms: Digital signatures (using one-way hash functions)
Availability
Definition: Capability to send/receive data without disruption; ensures that a system or data is accessible/available when needed.
Mechanisms: Defensive technologies to detect and guard against DoS attacks
Authentication
Definition: Capability to validate the identity of the sender/receiver of information.
Mechanisms: 802.1X, RADIUS, PAP/CHAP, MS-CHAP, etc.
Authorization
Definition: Usually follows an authentication procedure, and establishes what capabilities and information a user can access.
Mechanisms: 802.1X (based on authentication), multiple levels and protocols
Access Control
Definition: Capability ensuring users see only the information for which they are authorized.
Mechanisms: Based on authentication and encryption
Encryption
Definition: Capability to transform data (plain text) into meaningless bytes (cipher text) based on some algorithm.
Mechanisms: WEP, CKIP, TKIP, AES
Decryption
Definition: Capability to transform the meaningless bytes (cipher text) back into meaningful data (plain text).
Mechanisms: WEP, CKIP, TKIP, AES
Key Management
Definition: Process and capability of generating, storing, and distributing keys.
The Wi-Fi Protected Setup (WPS) standard emphasizes usability and security, and allows four modes in a home network for adding a new device to the network:
PIN method, in which a personal identification number (PIN) has to be read from either a sticker or display on the new wireless device. This PIN must then be entered at the "representant" of the network, usually the network's access point. Alternately, a PIN provided by the access point may be entered into the new device. This method is the mandatory baseline mode and everything must support it. The Wi-Fi Direct specification supersedes this requirement by stating that all devices with a keypad or display must support the PIN method.[7]
Push button method, in which the user has to push a button, either an actual or virtual one, on both the access point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less), whichever comes first, thereby minimizing its vulnerability. Support of this mode is mandatory for access points and optional for connecting devices. The Wi-Fi Direct specification supersedes this requirement by stating that all devices must support the push button method.[8]
Near field communication method, in which the user has to bring the new client close to the access point to allow a near field communication between the devices. NFC Forum–compliant RFID tags can also be used. Support of this mode is optional.
USB method, in which the user uses a USB flash drive to transfer data between the new client device and the network's access point. Support of this mode is optional, but deprecated.
The last two modes are usually referred to as out-of-band methods as there is a transfer of information by a channel other than the Wi-Fi channel itself. Only the first two modes are currently covered by the WPS certification. The USB method has been deprecated and is not part of the Alliance's certification testing.
Certain wireless access points have a dual-function WPS button, and holding this button for a long enough time will cause a factory-reset.[9]
Some manufacturers use a different logo and/or name for Wi-Fi Protected Setup such as Netgear;[10] the Wi-Fi Alliance recommends the use of the Wi-Fi Protected Setup Identifier Mark on the hardware button for this function.[11]
WPS registration protocol notation
Enrollee = AP
Registrar = Supplicant = Client/Attacker
PKE = Diffie-Hellman public key of the Enrollee
PKR = Diffie-Hellman public key of the Registrar
AuthKey and KeyWrapKey are derived from the Diffie-Hellman shared key.
Authenticator = HMAC_AuthKey(last message || current message)
E{KeyWrapKey}(...) = data encrypted with KeyWrapKey (AES-CBC)
PSK1 = first 128 bits of HMAC_AuthKey(1st half of PIN)
PSK2 = first 128 bits of HMAC_AuthKey(2nd half of PIN)
E-S1 = 128 random bits
E-S2 = 128 random bits
E-Hash1 = HMAC_AuthKey(E-S1 || PSK1 || PKE || PKR)
E-Hash2 = HMAC_AuthKey(E-S2 || PSK2 || PKE || PKR)
R-S1 = 128 random bits
R-S2 = 128 random bits
R-Hash1 = HMAC_AuthKey(R-S1 || PSK1 || PKE || PKR)
R-Hash2 = HMAC_AuthKey(R-S2 || PSK2 || PKE || PKR)
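The notation above, carried through in code as an added example (not from the presentation or from any WPS implementation). The slides leave two things unspecified, and the example fills them with labelled assumptions: HMAC_AuthKey is instantiated as HMAC-SHA256, and the derivation of AuthKey and KeyWrapKey from the Diffie-Hellman shared key is replaced by two labelled HMAC calls in derive_session_keys. The Diffie-Hellman public keys, shared key and PIN are constructed sample values. Beyond the derivations themselves, halves_are_independent and pin_proof_work make the design problem visible from the verifier's side: each commitment binds only its own half of the PIN, so the two halves can be confirmed separately, which is why a defender disables the PIN method or enforces lockout after failed attempts.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def derive_session_keys(dh_shared_key: bytes) -> Tuple[bytes, bytes]:
    """AuthKey (256 bit) and KeyWrapKey (128 bit) from the DH shared key.
    ASSUMPTION: the slides do not give the KDF; two labelled HMACs stand in."""
    auth_key = hmac.new(dh_shared_key, b"AuthKey", hashlib.sha256).digest()
    key_wrap_key = hmac.new(dh_shared_key, b"KeyWrapKey", hashlib.sha256).digest()[:16]
    return auth_key, key_wrap_key


def hmac_auth_key(auth_key: bytes, data: bytes) -> bytes:
    """HMAC_AuthKey(...) from the notation. ASSUMPTION: HMAC-SHA256."""
    return hmac.new(auth_key, data, hashlib.sha256).digest()


def derive_psks(auth_key: bytes, pin: str) -> Tuple[bytes, bytes]:
    """PSK1 / PSK2 = first 128 bits of HMAC_AuthKey over each half of the PIN."""
    if len(pin) != 8 or not pin.isdigit():
        raise ValueError("WPS PIN must be 8 decimal digits")
    psk1 = hmac_auth_key(auth_key, pin[:4].encode())[:16]
    psk2 = hmac_auth_key(auth_key, pin[4:].encode())[:16]
    return psk1, psk2


def commitment_hash(auth_key: bytes, nonce: bytes, psk: bytes,
                    pke: bytes, pkr: bytes) -> bytes:
    """E-HashN and R-HashN share one shape: HMAC_AuthKey(S || PSK || PKE || PKR)."""
    return hmac_auth_key(auth_key, nonce + psk + pke + pkr)


def enrollee_commitments(auth_key: bytes, pin: str, pke: bytes, pkr: bytes,
                         e_s1: Optional[bytes] = None,
                         e_s2: Optional[bytes] = None
                         ) -> Tuple[bytes, bytes, bytes, bytes]:
    """Enrollee side: draw E-S1 and E-S2 (128 random bits each) and commit to
    the two PIN halves. Returns (E-S1, E-S2, E-Hash1, E-Hash2)."""
    e_s1 = e_s1 if e_s1 is not None else os.urandom(16)
    e_s2 = e_s2 if e_s2 is not None else os.urandom(16)
    psk1, psk2 = derive_psks(auth_key, pin)
    return (e_s1, e_s2,
            commitment_hash(auth_key, e_s1, psk1, pke, pkr),
            commitment_hash(auth_key, e_s2, psk2, pke, pkr))


def verify_commitment(auth_key: bytes, revealed_nonce: bytes, psk: bytes,
                      pke: bytes, pkr: bytes, expected_hash: bytes) -> bool:
    """Verifier side: once a nonce is revealed, recompute the hash with the
    PSK derived from the locally known PIN and compare in constant time."""
    return hmac.compare_digest(
        commitment_hash(auth_key, revealed_nonce, psk, pke, pkr), expected_hash)


def authenticator(auth_key: bytes, last_message: bytes, current_message: bytes) -> bytes:
    """Authenticator = HMAC_AuthKey(last message || current message)."""
    return hmac_auth_key(auth_key, last_message + current_message)


def halves_are_independent(auth_key: bytes, pke: bytes, pkr: bytes,
                           pin_a: str, pin_b: str, e_s1: bytes) -> bool:
    """True when two PINs yield the same E-Hash1 for the same E-S1, which is
    the case exactly when their first four digits agree: the first
    commitment does not depend on the second half of the PIN at all."""
    psk1_a, _ = derive_psks(auth_key, pin_a)
    psk1_b, _ = derive_psks(auth_key, pin_b)
    return (commitment_hash(auth_key, e_s1, psk1_a, pke, pkr)
            == commitment_hash(auth_key, e_s1, psk1_b, pke, pkr))


def pin_proof_work(split_halves: bool) -> int:
    """Candidate count a verifier must distinguish: one 8-digit secret
    (10**8) versus two separately confirmable 4-digit halves (10**4 + 10**4).
    This gap is the reason to disable WPS PIN or lock out repeated failures."""
    return 10**4 + 10**4 if split_halves else 10**8


if __name__ == "__main__":
    shared = b"\x42" * 192                  # constructed DH shared key
    pke, pkr = b"\x01" * 192, b"\x02" * 192  # constructed DH public keys
    auth_key, _ = derive_session_keys(shared)
    e_s1, e_s2, h1, h2 = enrollee_commitments(auth_key, "12345670", pke, pkr)
    psk1, psk2 = derive_psks(auth_key, "12345670")
    print(verify_commitment(auth_key, e_s1, psk1, pke, pkr, h1),
          verify_commitment(auth_key, e_s2, psk2, pke, pkr, h2))
    print(pin_proof_work(True), "vs", pin_proof_work(False))
```

In a real registrar, verify_commitment is the natural place to attach a failure counter: an access point that counts mismatches per peer and refuses further PIN registrations after a small number of them removes most of the value of the split, and disabling the PIN method altogether removes it entirely.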