A History of Wireless Network Protocols

By David Pierre

We can’t get started with the history of WPA2 without talking about its predecessors, WEP and WPA.  In the following article, we are going to talk more about these wireless networking protocols.

First, what is the reason a wired or wireless network needs to be encrypted?  Whenever you send a message or any data over the Internet, you have no power over it once you send it.  This means anybody can access the data while it is in transit.  As a result, you need a way to make your data unreadable to unauthorized users.

WEP

In September 1999, WEP was ratified and provided confidentiality for data sent over the Internet.  WEP stands for Wired Equivalent Privacy.  It is an IEEE 802.11 wireless network security protocol.  WEP uses Stream Cipher RC4 for encryption (encrypting data one bit at a time).  WEP uses 64 or 128-bit key sizes.  The key is static and is entered manually into Wireless Access Points (WAP) or network devices.

In 2001, WEP was compromised and is now deprecated.  As a result, WEP should never be used for network security concerns.

WPA-TKIP & WPA-PSK

In 2003, another encryption method for wireless network security was introduced called WPA.  WPA stands for Wi-Fi Protected Access, a protocol implementing a more secure IEEE 802.11i standard.  WPA uses a 128-bit key size with TKIP (Temporal Key Integrity Protocol) and a 256-bit key with PSK (pre-shared key).  WPA uses Steam Cipher RC4 for encryption.

Temporal Key Integrity Protocol (TKIP) was developed alongside WPA to provide a per-packet-key that dynamically creates a new 128-bit key for each packet.  TKIP thwarted the type of attacks that previously compromised WEP.

In 2006, WPA2 officially replaced WPA-TKIP and WPA-PSK as a more secure wireless networking protocol. WPA-TKIP/PSK has been compromised and was deprecated in 2012.  It should not be used for network security concerns any longer.

WPA2

Wi-Fi Protected Access 2 is the most recent and secure wireless authentication protocol used to protect personal and enterprise networks.  It was developed in 2004, but was officially adopted as the standard in March 2006.  WPA2 supports Advanced Encryption Standard (AES) with available key sizes of 128, 192, and 256-bit.

Recently, it has been discovered that WPA2 is vulnerable to a Key Reinstallation Attack (KRACK), a replay or playback attack. Additional details on this vulnerability is detailed in the article written by Victor Joel Harvey entitled “Wi-Fi Protected Access 2 (WPA2) Vulnerability Exposed.”

 

October 27, 2017

Wi-Fi Protected Access 2 (WPA2) Vulnerability Exposed

By Victor Joel Harvey

 

OVERVIEW

A vulnerability in Wi-Fi Protected Access 2 (WPA2), considered to be the most secure method of wireless communications to date, has been discovered. The vulnerability was discovered in 2016 by Belgian security researchers Mathy Vanhoef and Frank Piessens from the Dutch University of Leuven. Details of the vulnerability were made available to the public in October, 2017.

WHAT IS THE VULNERABILITY? HOW DOES IT WORK?

The vulnerability occurs as part of the four-way handshake that occurs as a device connects to a WPA2 protected Wi-Fi network. Following confirmation that the connecting device is providing the correct password for the Wi-Fi router/access point, the four-way handshake begins.  The four-way handshake is designed to allow the connecting device and the router/access point to agree on a shared encryption key. In order to better understand where the vulnerability occurs, it is important that you understand the process that occurs when a device connects to a router/access point using WPA2.

 

 

 The WPA2 Four-Way Handshake

  1. The router/access point sends a value called a nonce (meaning a shared secret that should only be used once) to the device. This nonce is derived from the pre-shared key (PSK) used to connect to the access point.
  2. The device uses the provided nonce code to create another nonce code called a Pairwise Transient Key (PTK). This Pairwise Transient Key (PTK) value is sent along with the device’s message authentication code back to the access point.
  3. Upon receiving the Pairwise Transient Key (PTK) and message authentication code from the device, the access point then responds to the device with its message integrity code and the Group Temporal Key (GTK) that is used to receive broadcast and multicast messages.
  4. The device responds with an acknowledge (ACK) and the device is connected using the newly created keys created in step 2 and 3 above.

The vulnerability in WPA2 can be exploited by using a Key Reinstallation Attack (KRACK) that exploits a router/access point encryption flaw. A Key Reinstallation Attack is a type of replay attack.

For purposes of speed and continuity, the WPA2 standard provides for quick re-connections to the Wi-Fi network when temporary disconnections occur. It does this by allowing the same previously-used key for the third step in the four-way handshake. The fact that this same key can used to re-

connect to the Wi-Fi network creates the vulnerability to a KRACK or replay attack.

Wikipedia explains how this Key Reinstallation Attack can occur:

“An attacker can repeatedly re-send the third handshake of another device’s communication to manipulate or reset the WPA2 encryption key. Each reset causes data to be encrypted using the same values, so blocks with the same content can be seen and matched, working backwards to identify parts of the keychain which were used to encrypt that block of data. Repeated resets gradually expose more of the keychain until eventually the whole key is known, and the attacker can read the target’s entire traffic on that connection.”1

In order to carry out a WPA2 attack, the hacker needs to be within physical range of your router or access point. It has been found that Linux and Android devices are the most susceptible to these types of attacks as it only requires that the key transmitted in Step 3 of the handshake be reset.

WHAT ARE THE RISKS?

A successful WPA2 Key Reinstallation Attack may result in the disclosure or theft of data or information contained on a connecting device. Such information may include passwords, bank or credit card information, trade secrets, and other personal information.

 

PREVENTION

The researchers have found that this WPA2 vulnerability can be patched to stop this type of attack. Most router and access point manufacturers are currently creating backward-compatible firmware patches to eliminate this discovered vulnerability.

It is strongly recommended that you update the firmware on your router/access point as soon as the patch becomes available from the manufacturer.

1Information cited can be found at found at https://en.wikipedia.org/wiki/KRACK