- Wireless Security Tutorial
- Wireless Security - Home
- Wireless Security Basics
- Wireless Security - Concepts
- Wireless Security - Access Point
- Wireless Security - Network
- Wireless Security - Standards
- Wi-Fi Authentication Modes
- Wireless Security - Encryption
- Wireless Security Break an Encryption
- Wireless Threats
- Wireless - Access Control Attacks
- Wireless Security - Integrity Attacks
- Wireless - Confidentiality Attacks
- Wireless Security - DoS Attack
- Wireless Security - Layer 1 DoS
- Wireless Security - Layer 2 DoS
- Wireless Security - Layer 3 DoS
- Authentication Attacks
- Rogue Access Point Attacks
- Client Misassociation
- Misconfigured Access Point Attack
- Ad-Hoc Connection Attack
- Wireless Hacking Methodology
- Wireless Traffic Analysis(Sniffing)
- Launch Wireless Attacks
- Crack Wireless Attacks
- Wireless Security Tools
- Wireless Security RF Monitoring Tools
- Wireless Security - Bluetooth Hacking
- Wireless Security - Bluetooth Stack
- Wireless Security - Bluetooth Threats
- Wireless - Bluetooth Hacking Tools
- Wireless Security - Bluejack a Victim
- Wireless Security - Tools
- Wireless Security Pen Testing
- Wi-Fi Pen Testing
- Pentesting Unencrypted WLAN
- WEP Encrypted WLAN
- Pentesting WPA/WPA2 Encrypted
- Pentesting LEAP Encrypted WLAN
- Wireless Security Useful Resources
- Wireless Security - Quick Guide
- Wireless Security - Useful Resources
- Wireless Security - Discussion
Wireless Security - Encryption
In general, encryption is the process of transforming the data, into some kind of cyphertext that would be non-understandable for any 3rd party that would intercept the information. Nowadays, we use encryption every single day, without even noticing. Every time you access your web bank or mailbox, most often when you log in to any type of web page, or create a VPN tunnel back to your corporate network.
Some information is too valuable, not to be protected. And, to protect the information efficiently, it must be encrypted in a way that would not allow an attacker to decrypt it. To be honest with you guys - there is no fully secure encryption scheme. All the algorithms that we use every day may be broken, but what is its likelihood of this happening with current technology and time?
For example, it might take around eight years to break encryption "X" using new super-fast computers. Is that risk big enough, to stop using algorithm "X" for encryption? I doubt it, the information to be protected might be outdated at that point of time.
Types of Wireless Encryption
To start speaking about wireless encryption, it is worth saying that there are 2 types of encryption algorithms: Stream Cipher and Block Cipher.
Stream Cipher − It converts plaintext into cyphertext in a bit-by-bit fashion.
Block Cipher − It operates on the fixed-size blocks of data.
The most common encryption algorithms are collected in the following table −
| Encryption Algorithm | Type of encryption algorithm | Size of data block |
|---|---|---|
| RC4 | Stream cipher | --- |
| RC5 | Block cypher | 32/64/128 bits |
| DES | Block cypher | 56 bits |
| 3DES | Block cypher | 56 bits |
| AES | Block cypher | 128 bits |
The ones that you will most likely meet (in some form) on the wireless networks are RC4 and AES.
WEP vs WPA vs WPA2
There are three widely known security standards in the world of wireless networking. The biggest difference between those three, are the security model they can provide.
| Security Standard | Encryption algorithm user | Authentication methods | Possibility of breaking the encryption |
|---|---|---|---|
| WEP | WEP (based on RC4) | Pre-Shared Key (PSK) |
|
| WPA | TKIP (based on RC4) | Pre-Shared Key (PSK) or 802.1x | - cracking the password during initial 4-way handshake (assuming that it's relatively short password <10 characters) |
| WPA2 | CCMP (based on AES) | Pre-Shared Key (PSK) or 802.1x |
WEP was the first wireless "secure" model that was supposed to add authentication and encryption. It is based on RC4 algorithm and 24 bits of Initialization Vector (IV). This is the biggest drawback of the implementation that leads to WEP being crack able within a few minutes, using the tools that anyone can have installed on their PCs.
In order to enhance the security, WPA2 was invented with strong encryption model (AES) and a very strong authentication model based on 802.1x (or PSK). WPA was introduced just as a staging mechanism for smooth transition to WPA2. A lot of wireless cards did not support the new AES (at that time), but all of them were using RC4 + TKIP. Therefore WPA was also based on that mechanism, just with a few advancements.
Weak Initialization Vectors (IV)
Initialization Vector (IV) is one of the inputs to the WEP encryption algorithm. The whole mechanism is presented in the following diagram −
As one can notice, there are two inputs to the algorithm, one of which is a 24-bit long IV (that is also added to the final ciphertext in a clear text) and the other is a WEP key. When trying to crack this security model (WEP), one has to collect a large number of wireless data frames (large number of frames until the frame with duplicate IV vector value is found).
Assuming that for WEP, the IV has 24 bits. This means that it could be any number from two frames (if you are lucky enough) to 224 + 1 (you collect every single possible IV value, and then, the very next frame must be a duplicate). From the experience, I can say that, on a rather crowded wireless LAN (around 3 clients sending the traffic all the time), it is a matter of 5-10 minutes to get enough frames, to crack the encryption and derive the PSK value.
This vulnerability is only present in WEP. WPA security model uses TKIP that solved weak IV by increasing its size from 24 bits to 48 bits, and making other security enhancements to the diagram. Those modifications made the WPA algorithm much more secure and prone to this type of cracking.