TOPICS COVERED
1. Need of Wireless Security
2. Wired Equivalent Privacy (WEP)
3. Wi-Fi Protected Access (WPA)
4. Wi-Fi Protected Access 2 (WPA2)
5. Security Threats to Wireless Networks
6. Vulnerabilities of WPA2
7. Solution
NEED OF WIRELESS SECURITY
Prevention of unauthorized access or damage to computers using wireless networks.
Guard against unauthorized access to important resources.
Protection from attacks on:
Confidentiality: The protection of data from unauthorized disclosure.
Integrity: The assurance that data received are exactly as sent by an authorized entity.
Availability: Authorized users have reliable and timely access to information.
WIRED EQUIVALENT PRIVACY (WEP)
Wired Equivalent Privacy (WEP) is an older encryption algorithm used to secure
transmitted data across wireless networks.
WEP uses a security code chosen during configuration called a WEP key, which uses a
sequence of hexadecimal digits.
This digit sequence must match on all devices trying to communicate on the wireless
network.
WEP keys can be formed in different lengths depending on the type of WEP encryption
being utilized.
Advantages of WEP
1. One advantage to using WEP is that when users happen to see your network during
wireless detection, they will most likely be discouraged since it will require a key. This
makes it clear to the user that they are not welcome.
2. Another advantage that WEP offers is interoperability, since all wireless devices support
basic WEP encryption. This can be useful when trying to use older devices that need
wireless connectivity.
Disadvantages of WEP
1. Several weaknesses have been discovered in WEP encryption that allow an attacker
using readily available software to crack the key within minutes.
2. WEP encryption uses a shared key authentication and sends the same key with data
packets being transmitted across the wireless network. If malicious users have enough
time and gather enough data they can eventually piece together their own key.
3. Another disadvantage to using WEP encryption is that if the master key needs to be
changed, it will have to be manually changed on all devices connected to the network.
This can be a tedious task if you have many devices connected to your network.
WI-FI PROTECTED ACCESS (WPA)
WPA is a security protocol designed to create secure wireless (Wi-Fi) networks. It is
similar to the WEP protocol, but offers improvements in the way it handles security keys
and the way users are authorized.
WPA uses the Temporal Key Integrity Protocol (TKIP), which dynamically changes the
key that the systems use. This prevents intruders from creating their own encryption key
to match the one used by the secure network.
WPA also implements something called the Extensible Authentication Protocol (EAP) for
authorizing users. Instead of authorizing computers based solely on their MAC address,
WPA can use several other methods to verify each computer's identity. This makes it more
difficult for unauthorized systems to gain access to the wireless network.
Advantages of WPA
1. WPA uses much stronger encryption algorithms than its predecessor.
2. A rekeying mechanism, to provide fresh encryption and integrity keys, undoing the threat
of attacks stemming from key reuse.
3. WPA uses the Temporal Key Integrity Protocol (TKIP), which dynamically changes the
key as data packets are sent across the network.
4. Because the key is constantly changing, cracking it is much more difficult than with
WEP. If the need arises to change the global key, WPA will automatically advertise the
new key to all devices on the network without having to manually change them.
5. A cryptographic Message Integrity Code (MIC), called Michael, to defeat forgeries.
Disadvantages of WPA
1. Disadvantages to using WPA are few, with the biggest issue being incompatibility with
legacy hardware and older operating systems.
2. WPA also has a larger performance overhead and increases data packet size leading to
longer transmission.
WI-FI PROTECTED ACCESS 2 (WPA2)
WPA2 was introduced shortly after 802.11i in 2004.
WPA2 implemented the IEEE 802.11i amendment, adding strong encryption that uses the
CCMP algorithm and the widely-accepted AES block cipher.
WPA2 encompasses both authentication and encryption using the AES block cipher for
encryption and Pre-Shared Key or 802.1X for authentication.
Two Versions
1. Enterprise – Server Authentication 802.1x
2. Personal – AES Pre-Shared Key
How It Works?
Communication is established in four phases:
1. Access point and client agree on a security policy that is supported by both parties.
2. This phase is for Enterprise mode only: 802.1X authentication is initiated.
3. After successful authentication, temporary keys are created and then periodically updated.
4. Keys are used by AES Counter Mode Cipher Block Chaining Message Authentication Code
Protocol to ensure confidentiality and integrity of the communications.
Advanced Encryption Standard (AES)
Encryption
AES comprises three block ciphers, AES-128, AES-192 and AES-256. Each cipher
encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128-, 192-
and 256-bits, respectively.
Symmetric or secret-key ciphers use the same key for encrypting and decrypting, so both
the sender and the receiver must know and use the same secret key.
All key lengths are deemed sufficient to protect classified information up to the "Secret"
level with "Top Secret" information requiring either 192- or 256-bit key lengths.
There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for
256-bit keys. A round consists of several processing steps that include substitution,
transposition and mixing of the input plaintext to transform it into the final output
of ciphertext.
Benefits of WPA2
1. WPA2 resolved vulnerabilities of WEP such as man-in-the-middle, authentication forging,
replay, key collision, weak keys, packet forging, and brute-force/dictionary attacks.
2. With AES encryption and 802.1X/EAP authentication, WPA2 further enhances the
improvements of WPA over WEP's imperfect encryption key implementation and its lack
of authentication.
3. WPA2 also adds two enhancements to support fast roaming of wireless clients moving
between wireless APs.
a) PMK caching support - allows for reconnections to APs that the client has recently been
connected to without the need to re-authenticate.
b) Pre-authentication support - allows a client to pre-authenticate with an AP towards which it is
moving while still maintaining a connection to the AP it is moving away from.
SECURITY THREATS TO WIRELESS NETWORKS
Traffic Analysis
Eavesdropping
Man in Middle Attack
ARP Attack
Hijacking Attack
Denial of Service (DoS)
Dictionary Building Attacks
Traffic Analysis: This technique gives the attacker access to three types of
information.
1. Identification of activities on the network.
2. The identification and physical locations of access points in its surroundings.
3. Information about the size and the number of packets over a certain period of time.
Eavesdropping: The attacker secretly listens to the private conversation of others without
their permission. It is used to watch over an unlimited wireless session; the attacker
watches over a wireless session and actively injects their own messages in order to reveal the
content of the messages in the session.
Definitions
Man in Middle Attack: This attack enables the attacker to read data from the session. The
attacker disrupts the session and does not allow the station to re-establish communication
with the Access Point, while pretending to be the AP. At the same time, the attacker
establishes a connection and authentication with the AP. Now there are two encrypted tunnels
instead of one: the first is established between attacker and AP, while the second is
established between attacker and the station. This gives the attacker access to the data
exchanged between the working station and the rest of the network.
ARP Attack: It is a subtype of the man-in-the-middle attack, since these attacks are directed
towards one component of the wireless clients. The attacker escapes authentication or
provides false credentials by this kind of attack.
Hijacking Attack: The attacker deprives the real owner of the authorized and
authenticated session. The owner knows that he no longer has access to the session but
is not aware that the attacker has taken it over, and believes that he lost the
session due to ordinary faults in network functioning. Once the attacker takes over a valid
session, he can use it for various purposes over a certain period of time.
Denial of Service (DoS): An attacker tampers with the data before it is communicated
to the sensor node. This causes a denial of service due to wrong or misleading
information. Jamming is one DoS attack on network availability. It is performed by
malicious attackers who use other wireless devices to disable the communication of the
users in a legitimate wireless network.
Dictionary Building Attacks: In these types of attacks an attacker goes through a list
of candidate passwords one by one; the list may be explicitly enumerated or
implicitly defined, can incorporate knowledge about the victim, and can be linguistically
derived. Dictionary building attacks are possible after analyzing enough traffic on a busy
network.
VULNERABILITIES OF WPA2
DoS (Denial of Service) attacks like RF jamming, data flooding, and Layer 2 session
hijacking are all attacks against availability. None of the Wi-Fi security standards can
prevent attacks on the physical layer, simply because they operate on Layer 2 and above.
Similarly, none of the standards can deal with AP failure. Some of the other vulnerabilities
are in:
Management Frames
Control Frames
Deauthentication
Disassociation
Management Frames: These report network topology and modify client behavior and are not
protected, so they provide an attacker the means to discover the layout of the network and
pinpoint the location of devices, therefore allowing for more successful DoS attacks
against a network.
Control Frames: These are not protected, leaving them open to DoS attacks.
Deauthentication: The aim is to force the client to reauthenticate, which, coupled with the
lack of authentication for control frames which are used for authentication and
association, makes it possible for the attacker to spoof MAC addresses.
Disassociation: The aim is to force an authenticated client with multiple APs to
disassociate from them, therefore affecting the forwarding of packets to and from the client.
Explanations
SOLUTION
The proposed IEEE 802.11w will provide three types of protection.
1. The first is for unicast management frames used to report network topology and
modify client behavior, and it will be achieved by extending the AES encryption to these
frames to protect them from forgeries while providing confidentiality.
2. The second is for generic broadcast management frames used to adjust radio frequency
properties or start measurements, and it will be achieved by appending a MIC (message
integrity code) to the non-secure frame, protecting them from forgeries but not providing
confidentiality, since these frames do not carry sensitive information.
3. The third one is for deauthentication and disassociation frames, to be accomplished by
using a pair of related one-time keys (a secret one for the AP and the other one for the
client) which will allow the client to determine if the deauthentication is valid.
How It Works?
1. The access point sends a unicast 802.11k measurement request. The
sensitive results of this measurement are sent back by the client. In
both cases, the contents of the messages are hidden from the attacker.
2. The attacker tries to send a forged measurement request. But because
the attacker doesn't know the key, it can't properly encrypt the
measurement request, and the client drops it without harm.
3. The access point uses a message integrity code to send a broadcast
frame to the clients to adjust their power. The clients verify the message
with the integrity key. The attacker also sees the message and knows
the contents but cannot forge a new message from it.
4. The attacker tries to broadcast a deauthentication message. The clients
receive the message and compare their one-time keys to the one in the
message. Because the attacker doesn't know the access point's one-time
key, the keys won't match, and the clients safely ignore the
message.
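The client-side MIC check from step 3, as an added example that is not part of the original slides: it shows why a frame the attacker can read still cannot be forged or altered. Assumptions: truncated HMAC-SHA256 stands in for the AES-based MIC of 802.11w, the frame bodies are constructed, and the packet-number replay check goes beyond what the slide text states.

```python
import hashlib
import hmac
import os

MIC_LEN = 8  # truncated tag length (assumption for this sketch)
PN_LEN = 6   # packet number field for replay detection (assumption)

def protect(integrity_key: bytes, pn: int, frame: bytes) -> bytes:
    """AP side: append a packet number and a MIC computed over (pn || frame)."""
    pn_bytes = pn.to_bytes(PN_LEN, "big")
    mic = hmac.new(integrity_key, pn_bytes + frame, hashlib.sha256).digest()[:MIC_LEN]
    return frame + pn_bytes + mic

class Client:
    """Client side: accept a broadcast frame only if MIC and packet number check out."""

    def __init__(self, integrity_key: bytes):
        self.key = integrity_key
        self.last_pn = 0

    def accept(self, protected: bytes) -> bool:
        if len(protected) < PN_LEN + MIC_LEN:
            return False  # too short to carry the trailer
        frame = protected[:-(PN_LEN + MIC_LEN)]
        pn_bytes = protected[-(PN_LEN + MIC_LEN):-MIC_LEN]
        mic = protected[-MIC_LEN:]
        expected = hmac.new(self.key, pn_bytes + frame, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return False  # forged or modified: sender did not hold the integrity key
        pn = int.from_bytes(pn_bytes, "big")
        if pn <= self.last_pn:
            return False  # valid MIC but an old packet number: replayed frame
        self.last_pn = pn
        return True

def demo() -> dict:
    key = os.urandom(16)  # integrity key shared by the AP and its clients
    client = Client(key)
    frame = b"action=adjust-power;tx_power=15dBm"  # constructed sample frame body
    genuine = protect(key, 1, frame)
    # A sender without the integrity key can only guess at one.
    forged = protect(os.urandom(16), 2, b"action=adjust-power;tx_power=0dBm")
    tampered = genuine.replace(b"15dBm", b"00dBm")  # contents are readable, not changeable
    return {
        "genuine": client.accept(genuine),
        "forged": client.accept(forged),
        "tampered": client.accept(tampered),
        "replayed": client.accept(genuine),
    }

if __name__ == "__main__":
    print(demo())
```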