Wireless security part 2
Wireless Security Part 2 - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Wireless Security Part 2' - guthrie

Wireless Security

Part 2

Contents


  • Wireless Security issues

  • Explore various security features available on Access Points

  • Look at Encryption and Authorisation with WEP, WPA, WPA2 (802.11i)

  • Look at 802.1x Authorisation

  • Discuss hotspots and their security

  • Share wireless security needs/issues of your schools


Teens charged with breaking into School computer (Jan 2009)

Jonathan To, 18, and another teen were charged with computer theft after a routine audit discovered a discrepancy between grade reports and school transcripts

Kid hacks school comp on teacher's dare (Jan 2001)

Fifteen-year-old Washington State high school student Aaron Lutes defeated filtering/security software on a school computer system after his teacher dared the class to try it

US school cheat hack suspect faces 38 years jail (June 2008)

Tanvir Singh, 18, allegedly conspired with Khan in an abortive attempt to break into school and steal a test. The dynamic duo were caught by a school caretaker in the process of trying to log onto a teacher's computer.

Hong Kong student hacks prizes in McDonald's contest (Nov 2008)

A Hong Kong student has been convicted for hacking into McDonald's website to claim all the prizes in an online competition

Wireless Weakness or Hazard

Access point weaknesses

  • Physically insecure installation location

  • Omni-directional antenna that sends signals in every direction

  • Signal power level too high allowing radio signals to leak outside of your building

  • MAC address controls that are easily circumvented

  • WEP, WPA, or WPA2 not being used or not being used properly

  • Management interfaces that are publicly-accessible -- often with weak or no administrator password protection

Wireless client weaknesses

  • Windows systems not protected by a personal firewall that are sharing drives, providing various types of remote connectivity and missing critical software patches

  • Dual-homed systems that are connected to both the wired and wireless networks at the same time

  • Wireless clients with ad-hoc mode enabled

  • Printers installed on the wired network with wireless connectivity left enabled

Security needs

  • Ensure no unauthorised access

    • Protect the network from unauthorised clients connecting to it and using your resources

    • “Man in the middle” placed in your network to capture your network related

    • Several techniques

      • SSID, MAC Address, Authorisation with Passphrase, Digital certificate, RADIUS server

SSID – Service Set Identifier

  • Name given to identify a wireless network

  • All devices use this same name to communicate

  • Can be up to 32 characters

  • Broadcast at predetermined times; a client looks for the SSID when joining the network

Disable SSID broadcasting – “Invisible network”

Workshop – SSID security

  • AP – Set up an SSID (ITEDxx where xx = 01 - 08) and inform your team members of the full SSID name

  • Client – Use Windows “Wireless Zero Configuration” to connect to the wireless network via “available wireless network”

  • Repeat the above but hide (disable broadcasting) the SSID

  • Can clients connect and is your network protected?

MAC Address filter

  • A MAC (Media Access Control) address (physical address) is 12 Hex characters. Example 02-00-54-55-4E-01

  • Can use MAC address filter to control which clients can access the wireless network

  • Administrator enters the list of MAC addresses into AP

Workshop – Mac Address filtering

  • Group members determine the MAC address of your wireless network card

  • AP – Administrator enters the list of MAC addresses into the AP and sets the AP to “Open” security

  • Client – Use Windows “Wireless Zero Configuration” to connect to your wireless network

  • AP- disable MAC address filtering

  • Client – repeat step 3

  • Were you able to connect successfully?

Two security features

  • Encryption

    • Prevent the content from being read by unauthorised people

    • The network traffic is encrypted to a format that is understood by the other party only

  • Authorisation

    • Two uses

    • Authenticate that the accessing device or person is the correct one

    • Used to verify that the information comes from a trusted source

Encryption Standards

Wireless technology transmits information through space; hence, security features have been designed into the relevant protocols. Security considerations:

Message Protection

Access Authentication/Authorisation

  • WEP – Wired Equivalent Privacy

  • WPA – Wi-Fi Protected Access

  • WPA2 equivalent to IEEE 802.11i

Wireless LAN authorisation

  • Two basic pieces of information

  • SSID (aka Network Name or Network ID)

  • “Password” or Shared key or “Passphrase”

    • WEP

    • WPA

    • 802.11i (WPA2)

  • Digital Certificate

    • RADIUS at backend

    • CA

Infrastructure mode

SSID of the Access Point

Network Access Protection

To ensure only authorised clients connect, a valid Service Set ID (SSID) must match

  • An Access Point is required

  • Select INFRASTRUCTURE setting

WEP Encryption Key

  • Wired Equivalent Privacy security

  • WEP encryption is available on all 802.11a/b/n protocols

  • The standard requires only 40-bit (64-bit key), but almost all vendors provide 104-bit (128-bit key) and some even provide a 256-bit WEP key.

  • WEP uses the RC4 algorithm to encrypt packets of information as they are sent out

Encryption Explained

Each key (“Packet Key”) consists of two parts

  • Pre-shared Password – supplied by the user

  • Initialisation Vector (IV) – randomly generated

Example: 64-bit key

  • Pre-shared Password, supplied by the user (40 bits) = A7z9b = 41377A3962

  • Initialisation Vector, randomly generated by the system (24 bits) = 810 = 383130

  • Packet Key = Pre-shared Key + IV = A7z9b810 = 41377A3962383130
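
The packet key built on this slide, as an added Python example that is not part of the original presentation: it reproduces the slide's hex value, encrypts with RC4, and shows what happens when the 24-bit IV repeats. The helper names and the two sample frames are constructed for illustration.

```python
IV_BITS = 24  # size of the IV on the slide, so only 2**24 distinct IVs exist

def packet_key(password: str, iv: str) -> bytes:
    """Packet key as the slide builds it: pre-shared password followed by IV.
    (802.11 WEP itself places the 24-bit IV in front of the secret.)"""
    return password.encode("ascii") + iv.encode("ascii")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_reuse_leaks(password, iv_a, iv_b, frame_a, frame_b) -> bool:
    """True when XOR of the two ciphertexts equals XOR of the two plaintexts,
    i.e. the keystream cancelled out because both frames used one packet key."""
    c_a = rc4(packet_key(password, iv_a), frame_a)
    c_b = rc4(packet_key(password, iv_b), frame_b)
    return xor(c_a, c_b) == xor(frame_a, frame_b)

if __name__ == "__main__":
    FRAME_1 = b"grade report #01"    # constructed sample plaintexts
    FRAME_2 = b"school transcript"
    print(packet_key("A7z9b", "810").hex().upper())
    print("same IV leaks:", iv_reuse_leaks("A7z9b", "810", "810", FRAME_1, FRAME_2))
    print("new IV leaks: ", iv_reuse_leaks("A7z9b", "810", "811", FRAME_1, FRAME_2))
    print("possible IVs: ", 2 ** IV_BITS)
```

With a static pre-shared password, the IV is the only part of the packet key that changes, which is the gap the per-packet key mixing and 48-bit counter in TKIP are meant to close.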

Workshop – WEP security

  • AP – Administrator formulates a 5-character pre-shared key and enters it in Key 1. Set security = “Static WEP”, shared key.

  • Inform all team members of the SSID and pre-shared key

  • Client – Connect with the given SSID and WEP pre-shared key

What is WPA?

There is a MAJOR weakness in WEP: the encryption code can be hacked very easily

  • The Wi-Fi Alliance looked into an alternative with the IEEE

  • An interim security standard for replacing WEP

  • A subset of the technology taken from IEEE 802.11i

  • It is designed to secure all versions of 802.11, including a/b/g/n

  • New Temporal Key Integrity Protocol (TKIP) encryption is used

  • Employs 802.1X authentication with one of the standard EAP (Extensible Authentication Protocol) methods – digital cert, user name and password, smart card.

TKIP (Temporal Key Integrity Protocol)

  • Improvement to WEP

  • Longer key for encryption – 128 bits

  • Key mixing function for EVERY packet

  • Each packet transmitted is assigned a 48-bit serial number which increases with each new packet – to prevent fake APs from mounting a “replay attack”

  • A new base key for each wireless client associated with AP

How Does it Work? (in SOHO)

  • Step 1 – Enter matching passwords into AP and Client

  • Step 2 – AP checks client’s password. If it matches, the client joins the network. If it does not match, the client is kept off the network

  • Step 3 – Keys derived & installed. Client and AP exchange encrypted data

[Diagram label: Access Point/Router]

Workshop – WPA setup with Passphrase security

  • AP – Formulate a passphrase (pre-shared key) 8 - 63 characters

  • Inform all members of the passphrase and SSID

  • Client - Connect with the given SSID and WPA pre-shared key

  • Were you able to connect successfully?
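
How the passphrase from this workshop becomes the key that the AP and client actually share, as an added Python example that is not part of the original presentation. WPA/WPA2 in pre-shared key mode derives a 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations; the passphrase below is constructed, and the SSIDs follow the ITEDxx pattern from the SSID workshop.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the WPA pre-shared key derivation
PSK_BYTES = 32             # 256-bit pre-shared key

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 pre-shared key from a passphrase and an SSID."""
    # The workshop rule: a passphrase is 8 to 63 characters long.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    # Passphrase characters are limited to printable ASCII (codes 32 to 126).
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    # The SSID slide: a network name can be up to 32 characters.
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes,
        PBKDF2_ITERATIONS, PSK_BYTES,
    )

def same_key_on_both_networks(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID salts the derivation, so reusing a passphrase on a second
    SSID should not give the same key."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)

if __name__ == "__main__":
    PASSPHRASE = "constructed workshop passphrase"   # sample value, not from the slides
    print("ITED01:", wpa_psk(PASSPHRASE, "ITED01").hex())
    print("ITED02:", wpa_psk(PASSPHRASE, "ITED02").hex())
    print("same key?", same_key_on_both_networks(PASSPHRASE, "ITED01", "ITED02"))
```

Every client that knows the passphrase and SSID derives the same key, so the strength of the network rests on the passphrase itself.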

IEEE 802.11i (WPA2)

  • 802.11i is the official IEEE attempt to supply strong security for wireless links

  • 802.11i will use Temporal Key Integrity Protocol (TKIP) similar to WPA.

  • Additionally adds AES (Advanced Encryption Standard) offering 128 bits, 192 bits and 256 bits block encryption.

  • Authentication using 802.1x for port access authentication (EAP-TLS, PEAP, LEAP)

  • RADIUS for Authentication, Authorisation and Accounting with default port 1812 for authorisation and port 1813 for accounting

Authentication Comparison

EAP-MD5 (Message-Digest Algorithm 5): One-way authentication, uses WEP encryption

EAP-TLS (Transport Layer Security): Digital cert used for client and server authentication, exchange is done in open

EAP-TTLS (Tunneled Transport Layer Security): Digital cert is used only for server-side authentication. Client’s user ID and password are sent in a secure connection

PEAP (Protected EAP): Digital cert is used at server side. But supports only EAP-MD5, EAP-MSCHAPv2

LEAP (Lightweight Extensible Authentication Protocol): Cisco’s version of 802.1x

How Does it Work? (in Enterprise)

  • Step 1 – Enter matching passwords into AP and Client

  • Step 2 – AP passes the authentication ID to the RADIUS server instead of performing authentication by itself.

  • Step 3 – Server checks the credential against its records. Grants or denies access accordingly. Group key is issued to ALL stations so that they can encrypt data for sending and receiving.

[Diagram labels: Wired Network; Access Point/Router; ID ?]

RADIUS = Remote Authentication Dial In User Service

Radius Workshop Network Plan

  • Step 1 – Station is challenged to enter user ID and Password

  • Step 2 – AP passes the authentication ID to the RADIUS server (

[Diagram labels: Wired Network; Access Point/Router; ID ?; Windows 2003 Server, a member of a Domain running Directory service]

Workshop – Radius Authentication

  • AP – set to use RADIUS server IP = for authentication

  • Set WEP as encryption protocol

  • RADIUS – set passphrase for the AP to logon

  • Client – Configure a wireless connection to use the trainer’s AP.

  • When connecting to the AP it will challenge user to enter user ID and Password ( user id and password = userxx where xx = 01-30)
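
What the passphrase shared between the AP and the RADIUS server is used for, as an added Python example that is not part of the original presentation. It assumes the workshop's "passphrase for the AP" is the RADIUS shared secret: per RFC 2865 each reply carries a Response Authenticator, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret, which lets the AP reject replies not produced by its own server. The secret, identifier and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes
REPLY_MESSAGE = 18                    # RADIUS attribute type

def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_reply(code, ident, request_auth, attrs, secret) -> bytes:
    """Server side: build a reply and stamp it with the Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(packet, ident, request_auth, secret):
    """AP side: return the reply code if the authenticator checks out, else None.
    This sketch requires the Length field to equal the received size."""
    if len(packet) < 20:
        return None
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None

def forge_accept(reject_packet: bytes) -> bytes:
    """A reply altered in transit: same bytes, Code changed to Access-Accept."""
    return bytes([ACCESS_ACCEPT]) + reject_packet[1:]

# Constructed sample values for the demonstration.
SECRET = b"constructed-ap-shared-secret"
REQUEST_AUTH = bytes(range(16))   # 16-byte value the AP sent in its request
IDENT = 7

if __name__ == "__main__":
    reject = build_reply(ACCESS_REJECT, IDENT, REQUEST_AUTH,
                         attribute(REPLY_MESSAGE, b"unknown user"), SECRET)
    print("genuine reject :", verify_reply(reject, IDENT, REQUEST_AUTH, SECRET))
    print("altered reply  :", verify_reply(forge_accept(reject), IDENT, REQUEST_AUTH, SECRET))
    print("wrong secret   :", verify_reply(reject, IDENT, REQUEST_AUTH, b"guess"))
```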

Security Summary



Other Wireless Securities

  • VPN (Virtual Private Network)

    • Creating a virtual connection using IPsec or other VPN protocols to ensure the transmitted data is encrypted

    • Need VPN server

  • VLAN (Virtual LAN) with multiple SSID

    • Separate the users access to separate resources on the network

    • Need VLAN supporting switch and AP

What wireless network is implemented?

What security issues can you foresee?

Wireless Testing Tools

Free Tools

  • NetStumbler quickly identifies basic wireless devices that will respond to an "anybody out there?" request.

  • Kismet roots out wireless devices that have their SSIDs hidden or otherwise won't respond to basic NetStumbler probes. If you're not into Linux or don't want to spend hours if not days setting up your wireless card drivers in Linux, you can run Kismet directly from the BackTrack Live CD.

  • Aircrack is for WEP and WPA pre-shared key cracking.

  • FakeAP on the BackTrack Live CD mimics a legitimate access point and sets up an evil twin attack to see how your users carelessly connect to any old access point.

  • Wireshark is a packet capturing tool

Commercial Tools

  • AiroPeek wireless network analyzer to quickly and easily capture packets, look for top talkers, discover rogue systems, and more

  • AirMagnet Laptop Analyzer, among many other things, has a nifty signal strength meter for determining how close or far away a wireless device is when you're walking around trying to locate it.

  • CommView WiFi is for low-cost packet capturing, packet generation and more.

  • Wfilter an Internet monitoring tool, web, IM,

Public WiFi and Hotspot

  • Hong Kong “A Wireless City”

    • HK Government has a vision

  • Current players

    • HK Government with about 3000 APs

    • Commercial operators with 5000 APs

    • FON, ??

    • Free WiFi in shopping malls/restaurants/cafés, etc.

  • Explore security control with public wifi operators

Search for registered WiFi APs

  • Public APs are registered with OFTA

  • You can find out where there are available WiFi APs at:


  • Recommendation when using public WiFi


PCCW and Airport

Captive Portal

  • A commercial web-based application that authenticates users

  • Once logged in, it allows the user to connect to the WiFi network

  • Found in hotels, airports, shopping malls, etc.

Course Summary

  • Looked at Wireless LAN standards - IEEE 802.11 a/b/g/n

  • We have learned how to set up

    • Ad-hoc

    • Enterprise

  • Looked at various types of standard wireless security

    • SSID, MAC address filtering

    • Encryption – WEP, WPA, WPA2

    • Authorisation - 802.1x, RADIUS

  • Evaluated the advantages and disadvantages
