Wireless Security - Encryption


In general, encryption is the process of transforming the data, into some kind of cyphertext that would be non-understandable for any 3rd party that would intercept the information. Nowadays, we use encryption every single day, without even noticing. Every time you access your web bank or mailbox, most often when you log in to any type of web page, or create a VPN tunnel back to your corporate network.

Some information is too valuable, not to be protected. And, to protect the information efficiently, it must be encrypted in a way that would not allow an attacker to decrypt it. To be honest with you guys - there is no fully secure encryption scheme. All the algorithms that we use every day may be broken, but what is its likelihood of this happening with current technology and time?

For example, it might take around eight years to break encryption "X" using new super-fast computers. Is that risk big enough, to stop using algorithm "X" for encryption? I doubt it, the information to be protected might be outdated at that point of time.

Types of Wireless Encryption

To start speaking about wireless encryption, it is worth saying that there are 2 types of encryption algorithms: Stream Cipher and Block Cipher.

  • Stream Cipher − It converts plaintext into cyphertext in a bit-by-bit fashion.

  • Block Cipher − It operates on the fixed-size blocks of data.

The most common encryption algorithms are collected in the following table −

Encryption Algorithm Type of encryption algorithm Size of data block
RC4 Stream cipher ---
RC5 Block cypher 32/64/128 bits
DES Block cypher 56 bits
3DES Block cypher 56 bits
AES Block cypher 128 bits

The ones that you will most likely meet (in some form) on the wireless networks are RC4 and AES.

WEP vs WPA vs WPA2

There are three widely known security standards in the world of wireless networking. The biggest difference between those three, are the security model they can provide.

Security Standard Encryption algorithm user Authentication methods Possibility of breaking the encryption
WEP WEP (based on RC4) Pre-Shared Key (PSK)
  • Initialization Vector (IV) collision attack
  • Weak Key Attack
  • Reinjection Attack
  • Bit flipping attack
WPA TKIP (based on RC4) Pre-Shared Key (PSK) or 802.1x - cracking the password during initial 4-way handshake (assuming that it's relatively short password <10 characters)
WPA2 CCMP (based on AES) Pre-Shared Key (PSK) or 802.1x

WEP was the first wireless "secure" model that was supposed to add authentication and encryption. It is based on RC4 algorithm and 24 bits of Initialization Vector (IV). This is the biggest drawback of the implementation that leads to WEP being crack able within a few minutes, using the tools that anyone can have installed on their PCs.

In order to enhance the security, WPA2 was invented with strong encryption model (AES) and a very strong authentication model based on 802.1x (or PSK). WPA was introduced just as a staging mechanism for smooth transition to WPA2. A lot of wireless cards did not support the new AES (at that time), but all of them were using RC4 + TKIP. Therefore WPA was also based on that mechanism, just with a few advancements.

Weak Initialization Vectors (IV)

Initialization Vector (IV) is one of the inputs to the WEP encryption algorithm. The whole mechanism is presented in the following diagram −

Weak Initialization Vectors

As one can notice, there are two inputs to the algorithm, one of which is a 24-bit long IV (that is also added to the final ciphertext in a clear text) and the other is a WEP key. When trying to crack this security model (WEP), one has to collect a large number of wireless data frames (large number of frames until the frame with duplicate IV vector value is found).

Assuming that for WEP, the IV has 24 bits. This means that it could be any number from two frames (if you are lucky enough) to 224 + 1 (you collect every single possible IV value, and then, the very next frame must be a duplicate). From the experience, I can say that, on a rather crowded wireless LAN (around 3 clients sending the traffic all the time), it is a matter of 5-10 minutes to get enough frames, to crack the encryption and derive the PSK value.

This vulnerability is only present in WEP. WPA security model uses TKIP that solved weak IV by increasing its size from 24 bits to 48 bits, and making other security enhancements to the diagram. Those modifications made the WPA algorithm much more secure and prone to this type of cracking.