Wi-Fi Security with Wi-Fi Protection Plus

Ajin Abraham, Joseph Sebastian
Vimal Jyothi Engineering College
ajin25@gmail.com, +91-9633325997
josephs_18@live.com, +91-9495587202

Abstract

Current industrial standards of Wi-Fi security are found to have security loopholes, making it possible for hackers to break them. So we consider the possibility of a new technology for Wi-Fi security. We call it Wi-Fi P+, or Wireless Fidelity Protection Plus.

Introduction

Wi-Fi is common nowadays. Educational institutions and business organizations have their perimeters covered by Wi-Fi. All the confidential data being transmitted through Wi-Fi makes it a target for hackers. To secure it, Wi-Fi security standards like WEP, WPA and WPA2 were introduced. Each of them was introduced when the previous security architecture was found to be a failure. But in the present situation all of these industrial-standard Wi-Fi security architectures are found to have vulnerabilities, so that a hacker can break into the Wi-Fi network.

After conducting a study and analysis of the vulnerabilities of the current industrial Wi-Fi security standards, we consider the possibility of a new security architecture for Wi-Fi which we call Wi-Fi P+. Wi-Fi P+ is not a complex security architecture. It acts as an additional security layer implemented over WPA/WPA2. It also implements some already available features that are not built in with WPA/WPA2.

Vulnerabilities in Current Wi-Fi Security Standards

The current Wi-Fi security standards are:

- WEP – Wired Equivalent Privacy
- WPA – Wi-Fi Protected Access
- WPA2 – Wi-Fi Protected Access 2

Vulnerabilities in WEP

WEP (Wired Equivalent Privacy) is based on the RC4 encryption algorithm, with a secret key K of 40 bits or 104 bits being combined with a 24-bit Initialization Vector (IV) to encrypt the plaintext message M and its checksum, the ICV (Integrity Check Value). The encrypted message C is therefore determined using the following formula:

C = [ M || ICV(M) ] + [ RC4(K || IV) ]

where || is the concatenation operator and + is the XOR operator. Clearly, the initialization vector is the key to WEP security, so to maintain a decent level of security and minimize disclosure the IV should be incremented for each packet, so that subsequent packets are encrypted with different keys. Unfortunately for WEP security, the IV is transmitted in plain text and the 802.11 standard does not mandate IV incrementation, leaving this security measure at the option of particular wireless access point implementations.

The WEP protocol was not created by experts in security or cryptography, so it quickly proved vulnerable to the RC4 issues described by David Wagner four years earlier. Many more vulnerabilities were discovered during the later years. Some of them are:

Date              Description
September 1995    Potential RC4 vulnerability (Wagner)
October 2000      First publication on WEP weaknesses: Unsafe at any key size; An analysis of the WEP encapsulation (Walker)
May 2001          An inductive chosen plaintext attack against WEP/WEP2 (Arbaugh)
July 2001         CRC bit flipping attack – Intercepting Mobile Communications: The Insecurity of 802.11 (Borisov, Goldberg, Wagner)
August 2001       FMS attacks – Weaknesses in the Key Scheduling Algorithm of RC4 (Fluhrer, Mantin, Shamir)
August 2001       Release of AirSnort
February 2002     Optimized FMS attacks by h1kari
August 2004       KoreK attacks (unique IVs) – release of chopchop and chopper
July/August 2004  Release of Aircrack (Devine) and WepLab (Sanchez) implementing KoreK attacks

Aircrack, the WEP cracking tool released in 2004, was able to crack a 128-bit WEP key.

Vulnerability in WPA and WPA2

The most practical vulnerability is the attack against WPA/WPA2's PSK. The PSK (Pre-Shared Key), which is the same as the PMK (Pairwise Master Key), is a string of 256 bits, or a passphrase of 8 to 63 characters used to generate such a string using a known algorithm: PSK = PMK = PBKDF2(password, SSID, SSID length, 4096, 256), where PBKDF2 is a key derivation method used in encryption, 4096 is the number of hash iterations and 256 is the length of the output. The PTK (Pairwise Transient Key) is derived from the PSK using the 4-Way Handshake, and all information used to calculate its value is transmitted in plain text. The strength of the PTK therefore relies only on the PSK value, which for PSK mode effectively means the strength of the passphrase. The second message of the 4-Way Handshake can be subjected to both dictionary and brute force offline attacks. The cowpatty utility was created to exploit this flaw, and its source code was used and improved by Christophe Devine in Aircrack to allow PSK dictionary and brute force attacks on WPA.

Threats on Wi-Fi

Ad-hoc networks

Ad-hoc networks can pose a high security threat. Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security.
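As an added illustration (not code from the paper) of the WEP encapsulation formula C = [ M || ICV(M) ] + RC4(K || IV) from the Vulnerabilities in WEP section above, the following Python builds WEP frames with a CRC-32 ICV and shows what the missing IV incrementation costs: two frames sent under the same IV leak the XOR of their plaintexts without the key ever being involved, and a capture can be checked for repeated IVs. The key, IV and frame contents are constructed sample values; note that in 802.11 the RC4 seed is IV || K (IV first).

```python
import zlib
from collections import Counter

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA), returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encapsulate(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """C = [M || ICV(M)] XOR RC4(IV || K); returns IV || C as sent on air.
    ICV is CRC-32 (little-endian); 802.11 seeds RC4 with IV || K, IV first."""
    assert len(iv) == 3 and len(key) in (5, 13), "24-bit IV, 40/104-bit key"
    plain = msg + zlib.crc32(msg).to_bytes(4, "little")
    return iv + xor_bytes(plain, rc4_keystream(iv + key, len(plain)))

def keystream_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C_a XOR C_b == P_a XOR P_b.
    The secret key never enters this computation: that is the IV-reuse flaw."""
    assert frame_a[:3] == frame_b[:3], "different IVs, different keystreams"
    return xor_bytes(frame_a[3:], frame_b[3:])

def find_reused_ivs(frames: list) -> dict:
    """Defender-side check over captured frames: IVs seen more than once,
    which flags senders that do not increment the IV per packet."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

# Constructed sample data (not from the paper): a 40-bit key and two frames
# sent under the same IV, as an AP that does not increment the IV would do.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
M1 = b"frame one from station A"
M2 = b"frame two from station B"  # same length keeps the XOR aligned

if __name__ == "__main__":
    f1, f2 = wep_encapsulate(KEY, IV, M1), wep_encapsulate(KEY, IV, M2)
    print(keystream_leak(f1, f2)[:len(M1)] == xor_bytes(M1, M2), find_reused_ivs([f1, f2]))
```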
MAC Spoofing

MAC spoofing occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC addresses to gain access to and utilize the network. However, a number of programs exist that have network "sniffing" capabilities. Combine these programs with other software that allows a computer to pretend it has any MAC address that the cracker desires, and the cracker can easily get around that hurdle.

Man-in-the-middle attacks

A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP (Access Point). Once this is done, the hacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a "de-authentication attack". This attack forces AP-connected computers to drop their connections and reconnect with the cracker's soft AP.

Denial of service

A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash.

Caffe Latte attack

The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network to use this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.

War driving

War driving is the act of searching for open Wi-Fi networks by a person in a moving vehicle using a portable computer, smartphone or PDA.

Need for a New Security Architecture

Wi-Fi is widely used in different institutions and terabytes of confidential data are being transmitted through it. These data include everything from contact/client information, patented data and trade secrets to legal and financial information. So it is a target for hackers. Since the PSK vulnerability exists in WPA and WPA2, if the passphrase is not strong enough then it is easy for a hacker to recover the key using cowpatty or Aircrack. So the institution is under the threat of confidential data theft, and a new security architecture should be implemented that can safeguard against this attack and data theft.

Solution is Wi-Fi P+

WPA/WPA2 is vulnerable because all the information required for the generation of the Pairwise Transient Key (PTK) formed from the Pre-Shared Key (PSK) is transmitted in plain text. Hackers can run a dictionary attack or brute force attack on the plain text data to get the password key. So here comes the need for Wi-Fi P+. Wireless Fidelity Protection Plus adds an additional security layer for WPA/WPA2 by encrypting the plain text information derived from the PMK. It uses a simple but powerful encryption method given by the equation:

P-PMK = PMK + (256 bit random protection key)

where P-PMK is the protected PMK and '+' is the XOR operator. Here we XOR the plaintext information derived from the PMK with a randomly generated number, simply generated using a random() function, which makes this encryption method simple, fast and almost solid secure, since it is almost impossible to decrypt 256-bit random numbers even by performing a dictionary attack or brute forcing with a supercomputer. Wi-Fi P+ also imparts additional inbuilt security features like:

- MAC address filtering allows the administrator to restrict access to a Wi-Fi network based on MAC address. By implementing MAC address filtering, only the computers with MAC addresses allowed by the administrator can connect to the Wi-Fi network.
- MAC spoofing detection by a wireless Intrusion Detection System.
- Logging of Wi-Fi users. The IP address and MAC address as well as the computer name and operating system name are logged.
- Network encryption using a simple random key. This encryption method does not make your data transfer slow, as it uses simple and fast random key encryption.
- Wi-Fi range limiting can be implemented with Wi-Fi P+.
- Control of Wi-Fi sharing by the users who are under a Wi-Fi network. The administrator can restrict peer-to-peer Wi-Fi sharing by genuine users under the Wi-Fi network.
- DoS attack discovery and blacklisting of the attacker.
- Using static IP instead of dynamic IP. Disabling at least the IP address assignment function of the network's DHCP server, with the IP addresses of the various network devices then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network.
- Built-in honeypot for intrusion and attack detection. Honeypots are traps waiting for hackers, which seem to be vulnerable but actually trap the attacker and reveal his identity.
- VPN (Virtual Private Network) for data security and privacy. It is a credible and popular way of securing data in wireless transmissions.

Implementation of Wi-Fi P+

Implementation of Wi-Fi P+ on an existing WPA/WPA2 network is simple. It can act as an add-on for the router firmware and can be installed along with the router firmware.

Conclusion

The current dominant standards of wireless security are found to be vulnerable even with their complex security architecture, and here comes the importance of Wi-Fi P+: its flawless secure layer along with other additional protective features, ease of use and implementation makes it a good option for organizations where secure data transmission is a concern.
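Added example (not the paper's own code) tying together the derivation PSK = PMK = PBKDF2(password, SSID, 4096, 256) from the Vulnerability in WPA and WPA2 section and the Wi-Fi P+ step P-PMK = PMK + K from the Solution section, in Python. It assumes both the access point and the station already hold the 256-bit protection key K (the page does not describe how K is distributed) and draws K from a cryptographic generator rather than a plain random() function.

```python
import hashlib
import secrets

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is broadcast, so the PMK is exactly as strong as the passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def new_protection_key() -> bytes:
    """The 256-bit random protection key K. The paper says random(); a
    cryptographic generator is required, because a reproducible K would let
    anyone who can regenerate it strip the mask again."""
    return secrets.token_bytes(32)

def protect_pmk(pmk: bytes, protection_key: bytes) -> bytes:
    """Wi-Fi P+: P-PMK = PMK XOR K. XOR is its own inverse, so calling this
    again with the same K recovers the PMK (the unmask step on the other side).
    Assumes both AP and station already hold K; the page does not describe
    how K is distributed."""
    if len(pmk) != 32 or len(protection_key) != 32:
        raise ValueError("PMK and protection key must both be 256 bits")
    return bytes(p ^ k for p, k in zip(pmk, protection_key))

def mask_roundtrip(passphrase: str, ssid: str, protection_key: bytes) -> dict:
    """Derive the PMK, mask it with K as one side would, and unmask it as
    the other side would; 'unmasked' must equal 'pmk'."""
    pmk = wpa_pmk(passphrase, ssid)
    p_pmk = protect_pmk(pmk, protection_key)
    return {"pmk": pmk, "p_pmk": p_pmk,
            "unmasked": protect_pmk(p_pmk, protection_key)}

if __name__ == "__main__":
    # Constructed sample inputs (not from the paper).
    k = new_protection_key()
    m = mask_roundtrip("correct horse battery", "ExampleNet", k)
    print("PMK   ", m["pmk"].hex())
    print("P-PMK ", m["p_pmk"].hex())
    print("round trip ok:", m["unmasked"] == m["pmk"])
```

The first assertion below uses the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), which any correct PBKDF2 implementation must reproduce.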