Security Mode in Wireless Setup

Wireless connectivity is slowly becoming a necessity, and because of this there is an increasing need for security. Unlike wired networks, wireless networks use radio waves, and radio waves can "leak" outside of a building. As a result, a wireless connection can easily be hacked from outside the building unless proper security measures are implemented.

There are now many industry-standard security procedures that can be used to secure a wireless network so that no one can easily connect to it and use the Internet without permission. They also protect all data that is transmitted through the wireless network.

The wireless security features of a router guard network access against possible instances of hacking. One of the easiest and most common methods of establishing security on a wireless network is to set up a wireless encryption protocol such as WEP, WPA or WPA2 as the wireless security mode.

Wired Equivalent Privacy (WEP) provides encryption capabilities that the designers hoped would provide the same level of basic security as a hardwired local area network. It is widely in use and is often the first security choice presented to users in wireless router configuration tools. Although WEP is considered obsolete nowadays, it is important to understand how it works in order to fully understand the benefits of the newer, improved security procedures such as WPA and WPA2.

WEP encryption uses the Ron's Code 4 (RC4) stream cipher with 40-bit or 104-bit keys. The password entered takes up either 40 or 104 bits, and in both cases a 24-bit initialization vector (IV) is added, for a total of 64 or 128 bits.

40 bits (encryption) + 24 bits (init. vector) = 64 bits Encryption.

104 bits (encryption) + 24 bits (init. vector) = 128 bits Encryption.

The WEP keys allow a group of devices on a local network to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders.

RC4 is a symmetric algorithm because it uses the same key chosen by a network administrator for the encryption and the decryption of data.

When WEP is enabled, matching WEP keys must be set on Wi-Fi routers and each device connecting over Wi-Fi, for them all to communicate with each other. The key is used to scramble the data before transmission of the data through the airwaves. If a station receives a packet that is not scrambled with the appropriate key, the packet is discarded and never delivered to the host.

Unfortunately, numerous flaws in WEP were demonstrated as soon as wireless networks became popular. For example, WEP merely concatenated the IV to the root key and passed this value to the RC4 function. This design permitted the vast majority of the RC4-based related-key attacks on WEP.
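The construction described above, written out as an added example (not code from the original article): the RC4 seed is the 24-bit IV prepended to the root key, the ICV is a CRC-32 over the payload, and a frame whose ICV does not verify is discarded. The frame layout is simplified (no 802.11 header or key ID byte), and the key, IV and messages are constructed sample values.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling over the seed, then n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_seed(iv: bytes, root_key: bytes) -> bytes:
    """WEP's per-packet RC4 seed: the IV simply concatenated with the root key."""
    if len(iv) != 3 or len(root_key) not in (5, 13):
        raise ValueError("IV is 3 bytes; root key is 5 (40-bit) or 13 (104-bit) bytes")
    return iv + root_key

def wep_seal(iv: bytes, root_key: bytes, payload: bytes) -> bytes:
    body = payload + zlib.crc32(payload).to_bytes(4, "little")  # payload + ICV
    # The IV travels in the clear so the receiver can rebuild the seed.
    return iv + xor(body, rc4_keystream(wep_seed(iv, root_key), len(body)))

def wep_open(root_key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    body = xor(body, rc4_keystream(wep_seed(iv, root_key), len(body)))
    payload, icv = body[:-4], body[-4:]
    ok = zlib.crc32(payload).to_bytes(4, "little") == icv
    return payload if ok else None  # wrong key -> ICV mismatch -> frame discarded

ROOT_KEY = bytes([1, 2, 3, 4, 5])  # constructed 40-bit key
IV = bytes([0, 0, 42])             # constructed 24-bit IV

if __name__ == "__main__":
    f1 = wep_seal(IV, ROOT_KEY, b"first  message")
    f2 = wep_seal(IV, ROOT_KEY, b"second message")
    print(len(wep_seed(IV, ROOT_KEY)) * 8, "bit seed")
    print(wep_open(ROOT_KEY, f1), wep_open(b"\x09" * 5, f1))
    # Same IV and root key give the same keystream, so it cancels out:
    print(xor(f1[3:], f2[3:])[:14] == xor(b"first  message", b"second message"))
```

Because only the 24-bit IV varies between packets, every seed under one root key shares the same trailing key bytes, and any repeated IV repeats the whole keystream. This is the weakness that per-packet key mixing in TKIP was designed to address.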

The WEP technology is obsolete and no longer recommended for use on wireless networks.

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance in response to serious weaknesses found in WEP.

RC4 is still the encryption component of WPA. This enabled WPA to run on legacy WEP hardware with minor upgrades. However, the WEP key scheme was replaced by the Temporal Key Integrity Protocol (TKIP).

Security issues encountered in WEP are addressed by features implemented in TKIP and related WPA standards. One of the problems with WEP is that an attacker could recover the WEP key after observing a relatively small amount of network traffic. This issue is addressed in TKIP by changing the key used in each packet. The key is created by mixing together a combination of things, including a base key (Pairwise Transient Key), the MAC address of the transmitting station, and the serial number for the packet.

Second, WPA implements a sequence counter to protect against replay attacks. Each packet transmitted using TKIP has a unique 48-bit serial number that is incremented every time a new packet is transmitted and used both as the IV and part of the key. Putting a sequence number into the key ensures that the key is different for every packet. Having the serial number of the packet also be the IV helps to reduce yet another WEP problem, called "replay attacks." A replay of old packets from a wireless connection will be detected as out of order and will be rejected by the access point.
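The two mechanisms just described, per-packet keys and sequence-counter replay rejection, sketched as an added example (not code from the original article). The mixer below is a stand-in built on HMAC-SHA256, an assumption made for illustration and not TKIP's actual key-mixing function; the base key and MAC address are constructed values.

```python
import hashlib
import hmac

TSC_MAX = (1 << 48) - 1  # the per-packet serial number is 48 bits wide

def per_packet_key(base_key: bytes, transmitter_mac: bytes, tsc: int) -> bytes:
    """Stand-in mixer (NOT TKIP's real function): base key + MAC + serial -> key."""
    if not 0 <= tsc <= TSC_MAX:
        raise ValueError("serial number must fit in 48 bits")
    msg = transmitter_mac + tsc.to_bytes(6, "big")
    return hmac.new(base_key, msg, hashlib.sha256).digest()[:16]

class ReplayGuard:
    """Receiver-side check: serial numbers must strictly increase per transmitter."""

    def __init__(self):
        self.last_seen = {}  # transmitter MAC -> highest accepted serial number

    def accept(self, transmitter_mac: bytes, tsc: int) -> bool:
        if not 0 <= tsc <= TSC_MAX:
            return False
        if tsc <= self.last_seen.get(transmitter_mac, -1):
            return False  # old or duplicated packet: rejected as a replay
        self.last_seen[transmitter_mac] = tsc
        return True

def run_demo():
    """Constructed arrival order containing one replayed and one duplicated packet."""
    guard = ReplayGuard()
    station = bytes.fromhex("020000000001")  # constructed MAC address
    arrivals = [1, 2, 3, 2, 4, 4, 7]
    return [(tsc, guard.accept(station, tsc)) for tsc in arrivals]

if __name__ == "__main__":
    base = bytes(range(16))  # constructed base key
    station = bytes.fromhex("020000000001")
    print(per_packet_key(base, station, 1).hex())
    print(per_packet_key(base, station, 2).hex())  # different key for the next packet
    print(run_demo())
```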

Finally, TKIP implements a 64-bit Message Integrity Check (MIC). The transmission’s CRC and ICV (Integrity Check Value) are checked. If the packet was tampered with, WPA stops using the current keys and re-keys. Key mixing increases the complexity of decoding the keys by giving an attacker substantially less data that has been encrypted using any one key.

There are two operating modes in WPA:

WPA-Enterprise: Enterprise mode requires 802.1x authentication infrastructure using an authentication server, generally a RADIUS server (which stands for Remote Authentication Dial-in User Service), and a network controller (the access point).

WPA-Personal: No authentication server is required in this mode. WPA-Personal rests on the use of a shared key, called PSK for Pre-shared Key, which is stored at both the access point and the client devices.

Although WPA looks much more secure than WEP, it is still a compromise solution. It still relies on the RC4 encryption algorithm and TKIP. TKIP was shown to be vulnerable to a packet injection exploit in 2008.

To address the weaknesses in WPA, a second-generation standard known as WPA2 was developed. WPA2 supports Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP), which is intended to replace TKIP.

WPA2 uses the concept of a Robust Security Network (RSN). In an RSN, wireless devices need to support additional capabilities. This requires new hardware and software drivers, making a fully compliant RSN network incompatible with existing WEP equipment. In the transitional period both RSN and WEP equipment will be supported, and TKIP is still supported for backward compatibility.

While both WEP and WPA-TKIP use the RC4 stream cipher for encryption, WPA2 uses the Advanced Encryption Standard (AES) as an alternative to RC4. It can also use TKIP for backward compatibility (so it would accept WPA connections). Although it is not common, some later WPA-certified cards also support AES.

When a router is configured to use WPA2, usually there are options to use AES, or TKIP+AES. When your router is set to "WPA2 with TKIP+AES" it means that the client can connect using either TKIP or AES. The password for both WPA and WPA2 will be the same. This option allows users to easily transition from WPA to WPA2.

Wireless networks are very vulnerable to unauthorized users. Weaknesses of WEP and WPA have been widely publicized, and information about exploiting them is readily available on the Internet. Any relatively sophisticated hacker can exploit these weaknesses to break into a network easily. As such, it is highly recommended to implement the WPA2-Enterprise standard because of its superior capabilities and better protection against intruders. Older devices that cannot support WPA should ideally be replaced, but WEP security should be enabled on them if replacement is not an option. The basic WEP security is much better than nothing!
