802.11 Wireless, WEP, WPA lecture
Uploaded by martyn-price
![Page 1: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/1.jpg)
802.11
Wireless, WEP and WPA
![Page 2: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/2.jpg)
History
ALOHAnet - Hawaii
https://www.lib.utexas.edu/maps/us_2001/hawaii_ref_2001.jpg
![Page 3: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/3.jpg)
ALOHAnet
June 1971
Version 1
Pure ALOHA
data.send
if network.collision {
do wait(time=random)
data.send
}
![Page 4: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/4.jpg)
Pure ALOHA
http://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Pure_ALOHA1.svg/800px-Pure_ALOHA1.svg.png
![Page 5: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/5.jpg)
Slotted ALOHA
Only 18.4% of transmission time used for
successful frame transmissions
Version 2
Slotted ALOHA
Used discrete time slots
Station can only send at the beginning of a
time slot
All collisions at the beginning of a frame
![Page 6: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/6.jpg)
Slotted ALOHA
http://upload.wikimedia.org/wikipedia/commons/thumb/7/7a/Slotted_ALOHA.svg/800px-Slotted_ALOHA.svg.png
![Page 7: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/7.jpg)
Slotted ALOHA
Low-data-rate tactical satellite comms by
military
Subscriber based satellite comms networks
Mobile telephony call setup
Set top box comms
RFID
36.8% of transmission time used for
successful frame transmissions
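
Where the 18.4% and 36.8% figures come from (a derivation added here, not on the original slides), assuming frames arrive as a Poisson process with an average of $G$ transmission attempts per frame time, and writing $S$ for the fraction of time carrying successful frames. In Pure ALOHA a frame collides with anything that starts within two frame times of it; slotting halves that window to one slot.

$$S_{\text{pure}} = G e^{-2G}, \qquad \frac{dS_{\text{pure}}}{dG} = (1 - 2G)\,e^{-2G} = 0 \;\Rightarrow\; G = \tfrac{1}{2}, \qquad S_{\max} = \frac{1}{2e} \approx 0.184$$

$$S_{\text{slotted}} = G e^{-G}, \qquad \frac{dS_{\text{slotted}}}{dG} = (1 - G)\,e^{-G} = 0 \;\Rightarrow\; G = 1, \qquad S_{\max} = \frac{1}{e} \approx 0.368$$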
![Page 8: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/8.jpg)
Wireless
| Standard | Range | Max. Speed | Frequency | Year of release |
|---|---|---|---|---|
| Legacy | 100m | 2MB/s | 2.4GHz | 1997 |
| 802.11a | 120m | 54MB/s | 5GHz | 1999 |
| 802.11b | 140m | 11MB/s | 2.4GHz | 1999 |
| 802.11g | 140m | 54MB/s | 2.4GHz | 2003 |
| 802.11n | 250m | 150MB/s (per stream) | 2.4GHz + 5GHz | 2009 |
| 802.11ac | | 866.7MB/s | 5GHz | 2014 |
![Page 9: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/9.jpg)
Channels
http://en.wikipedia.org/wiki/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg
1-11 – Anywhere
12&13 – Anywhere except USA
14 – Japan only
![Page 10: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/10.jpg)
WEP
Only used for legacy anymore
Neil still uses this at his home but shhhhh.
Very broken
![Page 11: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/11.jpg)
WEP
How is a WEP connection made?
Probe request Client >>> AP
Probe response AP >>> Client
Authentication request Client >>> AP
Challenge AP >>> Client
Challenge Response Client >>> AP
Association request AP >>> Client
Association response Client >>> AP
![Page 12: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/12.jpg)
How it works
24-bit IV (Initialisation Vector)
Secret key (40-bit or 104-bit)
Result: 64-bit or 128-bit
RC4 PRNG
Key stream
Plaintext message
XOR’ed
Ciphertext
IV
![Page 13: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/13.jpg)
Why's that broken?
• Only 16 million possible IVs
• On an 11MB/s link, with packets of 1500 bytes, can exhaust all possible IVs in ~5 hours
• More collisions, easier for statistical attacks to calculate the original keystream
• Once you have keystream, you already have the IV, not hard to work out the secret key
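
The IV arithmetic and the keystream-reuse problem from the bullets above, as an added example that is not part of the original slides. It assumes the link rate is 11 Mbit/s (the 802.11b rate, which reproduces the ~5 hour figure) and randomly chosen IVs; the key, IV and payloads are constructed sample values, and WEP's integrity check value is left out.

```python
import math

def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream: key scheduling (KSA), then n output bytes (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """IV travels in the clear; RC4 is keyed with IV || secret (ICV omitted)."""
    return iv + xor(plaintext, rc4(iv + secret, len(plaintext)))

def iv_exhaustion_hours(link_bps=11_000_000, frame_bytes=1500, iv_bits=24):
    """Time to send one frame per possible IV on a saturated link."""
    return 2**iv_bits * frame_bytes * 8 / link_bps / 3600

def frames_for_half_collision(iv_bits=24):
    """Birthday bound: frames until a repeated IV is 50% likely (random IVs)."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2**iv_bits))

def keystream_reuse_demo():
    secret = bytes.fromhex("0102030405")             # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")                     # constructed IV, used twice
    p1, p2 = b"GET /index.html", b"user=alice&x=42"  # constructed payloads
    c1, c2 = wep_encrypt(iv, secret, p1), wep_encrypt(iv, secret, p2)
    # Same IV -> same keystream, so the keystream cancels out of c1 XOR c2.
    leaks_xor = xor(c1[3:], c2[3:]) == xor(p1, p2)
    # Knowing p1 yields the keystream for this IV, which decrypts c2.
    keystream = xor(c1[3:], p1)
    return leaks_xor, xor(c2[3:], keystream)

if __name__ == "__main__":
    print(f"IV space exhausted after {iv_exhaustion_hours():.2f} h")
    print(f"50% chance of a repeated IV after {frames_for_half_collision()} frames")
    print(keystream_reuse_demo())
```

A repeated IV is likely long before the full IV space is used up, which is why the 24-bit IV matters more than the length of the secret key.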
![Page 14: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/14.jpg)
WPA
• Replaced WEP
• Comes in 2 types, WPA and WPA2
• Each type has 2 flavours
– PSK (personal)
– Enterprise (802.1x + radius)
• WPA had to use the same hardware as WEP, only firmware updates allowed
• Used TKIP
![Page 15: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/15.jpg)
WEP Vs. WPA
| WEP | WPA |
|---|---|
| Static session keys (always same key used for session start) | Dynamic session keys (different keys used for every session start) |
![Page 16: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/16.jpg)
WPA - PSK
Probe Request
Probe Response
Authentication Request
ANonce
SNonce + MIC
![Page 17: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/17.jpg)
To Wireshark
CAPTURE FILE
![Page 18: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/18.jpg)
The bigger picture
Pass phrase (8-63 chars)
Password Based Key Derivation Function (SSID)
Pre-shared Key (256-bit)
4-Way handshake: SNonce, ANonce, AP MAC, Client MAC
PTK (Pairwise transient key, unique to session)
Pass phrase (8-63 chars)
Verify using MIC
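
The key chain on this slide, from pass phrase to MIC check, as an added example that is not part of the original lecture. It uses the WPA2 form of the MIC (HMAC-SHA1 truncated to 16 bytes); the MAC addresses, nonces and the stand-in EAPOL frame are constructed values, and the function names are illustrative.

```python
import hashlib
import hmac

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(psk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """Session key: mixes the PSK with both MACs and both nonces."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(psk, b"Pairwise key expansion", data, 64)

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    """MIC keyed with the first 16 PTK bytes (the key confirmation key)."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not from a real capture).
SSID = "IEEE"
AP_MAC, CLIENT_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FRAME = b"constructed stand-in for EAPOL message 2 with MIC field zeroed"

def client_message2(passphrase: str) -> bytes:
    """Client side: derive the PTK and compute the MIC sent with the SNonce."""
    ptk = derive_ptk(derive_psk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, FRAME)

def ap_accepts(ap_passphrase: str, received_mic: bytes) -> bool:
    """AP side: recompute the MIC from its own pass phrase and compare."""
    ptk = derive_ptk(derive_psk(ap_passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(ptk, FRAME), received_mic)

if __name__ == "__main__":
    print(derive_psk("password", SSID).hex())
    print(ap_accepts("password", client_message2("password")))
```

Everything except the pass phrase is sent in the clear during the handshake, so the strength of the pass phrase and the 4096 PBKDF2 iterations are what stand behind the MIC.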
![Page 19: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/19.jpg)
Crackable?
Yes
BUT
Takes forever
Really need to be desperate
But there is one major flaw
![Page 20: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/20.jpg)
WiFi Protected Setup
Security
Ease of Use
Functionality
![Page 21: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/21.jpg)
WPS
• Simplifies WPA security for users
• Gives us a better in ;)
• Router breaks the key down into 2 sets of 4 numbers
• Tells client if a set is correct, even if the other is wrong
• So, we have a lot fewer possibilities
![Page 22: 802.11 Wireless, WEP, WPA lecture](https://reader033.fdocuments.net/reader033/viewer/2022052413/559a43401a28ab2a0a8b4598/html5/thumbnails/22.jpg)
Finally WPA-Enterprise