
Journal of Computing and Information Technology - CIT 15, 2007, 3, 237–255 doi:10.2498/cit.1000877

A Survey of Wireless Security

Radomir Prodanović¹ and Dejan Simić²

¹Air Forces and Aircraft Defense, Serbian Army, Serbia
²Faculty of Organizational Sciences, University of Belgrade, Serbia

Constant increase in use of wireless infrastructure networks for business purposes created a need for strong safety mechanisms. This paper describes WEP (Wired Equivalent Privacy) protocol for the protection of wireless networks, its security deficiencies, as well as the various kinds of attacks that can jeopardize security goals of WEP protocol: authentication, confidentiality and integrity. The paper also gives a summary of security improvements of WEP protocol that can lead to a higher level of wireless network infrastructure protection. Comparative analysis shows the advantages of the new 802.11i standard in comparison to the previous security solutions.

Keywords: authentication, confidentiality, integrity, WEP protocol, deficiencies of WEP, security threats to 802.11, TKIP, 802.1x, WLAN safety improvements, RC4, AES

1. Introduction

Wireless networks are becoming more and more popular today. Big corporations are using them more and more often due to their advantages. Popularity of local wireless networks owes much to their advantages, such as: user mobility, fast and simple installation, flexibility, scalability and relatively low price. WLAN (Wireless Local Area Network) enables users to access resources regardless of where they are. By using mobile computers, users can access the resources regardless of their location within the wireless network. All the above mentioned advantages come from the medium that transfers the data – with the wireless networks, it is the air. Data are transferred via radio waves spreading throughout the space and thus the information reaches anyone with the appropriate radio receiver. Therefore, there is a problem of the protection of information. Traditional mechanisms for the physical protection of wired networks (firewalls and shields) cannot be applied to the protection of wireless networks. It was necessary to create mechanisms for the protection of the wireless networks in order to enable users to use wireless networks and feel sure about the accuracy of information and their privacy. 802.11i standard for wireless local networks introduces WEP protocol to try to solve the problems of protection and to make the level of protection of wireless local networks similar to the protection level of wired local networks.

The remainder of the paper is organized as follows. Section 2 specifies various kinds of attacks that can jeopardize security goals of WEP protocol: authentication, confidentiality and integrity. Section 3 describes WEP protocol for the protection of wireless networks. Section 4 deals with the basic security deficiencies of the WEP protocol. Significant safety improvements of WEP protocol that can lead to a higher level of wireless network infrastructure protection are described in Section 5. This section also gives the comparative analysis of WEP protocol and WPA and WPA2 solutions with clearly identified advantages of the new IEEE 802.11i standard in comparison to previous safety solutions. Section 6 describes two symmetrical cryptographic algorithms, RC4 and AES, used for wireless protocols in order to maintain data confidentiality and integrity. The conclusion is given in Section 7.

2. Security Threats to 802.11 Wireless Networks

Protection of wireless networks means protection from attacks on confidentiality, integrity and availability. There are four attack techniques that can violate confidentiality or privacy [1]: traffic analysis, passive eavesdropping, active eavesdropping with partially known plaintext and active eavesdropping with known plaintext. Any one of these techniques can be applied to violate both confidentiality and integrity, only confidentiality, or only integrity.

Traffic analysis. It is a very simple technique that enables an attacker to take over a packet during its transmission. This technique enables the attacker to have access to three types of information. The first type of information is related to identification of activities on the network. The second type of information important to the attacker is identification and physical location of AP (access point) in its surroundings. The third type of information an attacker can get by traffic analysis is information about the communication protocol. An attacker needs to gather the information about the size and number of packets over a certain period of time.

Passive eavesdropping. This technique is used to watch over an unlimited wireless session. The only condition to be fulfilled is that the attacker has the access to the area of emission. With a decrypted session the attacker is able to read the data during its transmission and gather them indirectly by surveying the packets. This kind of attack is not based on violation of privacy, but information gathered in this way can be used for more dangerous kinds of attacks.

Active eavesdropping with partially known plaintext. During this type of attack, the attacker watches over a wireless session and actively injects his own messages in order to reveal the content of the messages in the session. Precondition for this type of attack is access to communication area and some knowledge of a part of the message, such as IP address. The attacker is able to modify the content of the packet so that the integrity of the message remains preserved. Usually the attacker changes final IP or TCP address.

Active eavesdropping with known plaintext. In this type of attack, the attacker injects messages known only to him into the traffic in order to create conditions for decryption of the packets that should be received by other wireless users. These conditions are created by creating IV sequence and message for each single message that is sent. After some time, when a packet with the same IV as in the database appears, the attacker is able to decrypt the message. The only way to prevent this kind of attacks is to change WEP key often enough.

There are three techniques that can violate the integrity of the traffic [1]: unauthorized access, highjacking attack and replay attack. In order to successfully implement these techniques, it is necessary to apply attack techniques for privacy.

Unauthorized access. The above mentioned attacks are directed towards the network in general, not towards users. But, once the attacker gets access to the network, he is able to initiate some other types of attacks or use network without being noticed. Some may think that unauthorized use of the network is not a significant threat to the network since the access rights allocated to resources will disable the attackers. However, usually, an unauthorized access is the key to initialization of ARP (Address Resolution Protocol) attack.

VPN (Virtual Private Network) and IPsec solution can protect users from the attacks that directly influence the confidentiality of application data, but it cannot prevent attacks that indirectly ruin confidentiality. Man in the middle, highjacking and replay attacks are the best examples of these kinds of attacks.

Man-in-the-middle attack. This attack enables data reading from the session or modifications of the packets which violate integrity of the session. There are several ways to implement this type of attack. One is when an attacker disrupts the session and does not allow the station to re-establish communications with the AP. The station tries to establish session with the wireless network through AP, but can do that only through the workstation of the attacker pretending to be AP. At the same time, the attacker establishes connection and authentication with the AP. Now there are two encrypted tunnels instead of one: one is established between the attacker and AP, while the second is established between the attacker and the station. This enables the attacker to get access to the data exchanged between the workstation and the rest of the network.

ARP attacks. This is the sub-type of the man-in-the-middle attack since these attacks are directed towards one component of wired network [2] and towards wireless clients [3]. The attacker escapes authentication or provides false accreditations. By getting the false accreditations, the attacker becomes a valid user and gets the access to the network as authenticated user.


Highjacking attacks. By this type of attack, the attacker deprives the real owner of the authorized and authenticated session. The owner knows that he has no access to the session any more, but is not aware that the attacker has taken over his session and believes that he has lost the session due to ordinary failures in network functioning. Once the attacker takes over a valid session, he can use it for various purposes over a certain period of time. Such attack could be combined with DoS attack [4]. It happens in real time.

Replay attack. This type of attack is used to access the network through authorization. The session under attack is not changed or disrupted in any way. The attack does not happen in real time. The attacker gets the access to the network after the original session expires. He obtains the authentication of one or more sessions, and then replays the session after a certain period of time or uses a couple of sessions to compose the authentication and replay it.

There are several types of DoS (Denial of Service) attacks that can violate availability of the network. Jamming and attack on 4-way handshake are only some of the DoS attacks.

Jamming. Jamming [5,6] is one of DoS attacks on network availability. It is performed by malicious attackers who use other wireless devices to disable the communication between users in a legitimate wireless network.

Attack on 4-way handshake. The last phase in the authentication process, 4-way handshake process, proved to be vulnerable to DoS attacks; some of the attacks start in the first phase of the authentication process, but appear during the 4-way handshake process. In order to prevent the waste of processor and memory resources, static and dynamic 4-way handshake solutions for protection from DoS attacks [7], as well as solutions for early detection of DoS attacks in the first phase of the authentication [8] have been introduced.

3. WEP Protocol

WEP protocol is the basic part of IEEE 802.11 (IEEE – Institute of Electrical and Electronics Engineers) standard for the protection of WLAN networks. The basic function of WEP protocol is to provide data security in wireless networks in the same way as it is in the wired networks. Lack of physical connection among users and wireless networks enables all users within the network range to receive data if they have appropriate receivers. The only possible way to protect this kind of network was to create a protocol that would work on the second layer of OSI model and, in this way, provide the data protection during the transmission. In order to protect data transmitted among the communicating parties, WEP uses shared secret key of 40 to 140 bits. WEP protocol is applied through the following three steps [9]:
— CRC (Cyclic Redundancy Code) of the message is calculated and added to the original message.
— The second step in WEP protocol application is encryption (as shown in Figure 1). The message is encrypted by RC4 algorithm. Encryption is done in three phases. First, pseudo-random data sequence of three bytes is generated (IV – Initialization Vector) to extend the key. Then RC4 algorithm generates keystream based on the new key. Encryption ends with the application of exclusive or function (XOR) between keystream and message thus resulting in encrypted message.
— The last step is to transmit sequence IV and encrypted message.

Figure 1. WEP protocol execution.

Once the message has come to its final destination, the reverse procedure is applied. Again, the extended key is generated on the basis of transferred IV and shared key; then RC4 algorithm generates keystream, XOR function is calculated between keystream and message that arrived, and, as a result of XOR function, decrypted message is received. The CRC sum of the decrypted message is then calculated and compared to the sent CRC. If the decrypted message CRC is the same as the sent CRC, the message received matches the message sent.

WEP protocol should achieve three main safety goals [10]:

Authentication. It is the procedure used to confirm identity of the communication participants. According to IEEE 802.11 specification, there are Open System Authentication and Shared-key Authentication. Open System Authentication enables mobile stations to access the access point without confirmation of the station’s identity. This is a one-way authentication since mobile stations trust that they are communicating with the right access point. Open System Authentication is very sensitive to attacks and allows unauthorized access. Shared-key Authentication is based on encryption technique and on questions and answers procedure between a station and the access point. The authentication process is ended when the access point decrypts the station’s answer by shared key and thus enables the access of the workstation only if decryption result is equal to the question that has been sent.

Confidentiality. In 802.11 standards the confidentiality is realized by encryption technique. WEP protocol for the protection of confidentiality uses RC4 algorithm and symmetrical key together with pseudo sequence. In general, every increase in key length brings the increase in protection. However, recent brute-force attacks on wireless local networks are jeopardizing privacy. This means that WEP protocol is sensitive to attacks regardless of the key length.

Integrity. WEP protocol provides integrity of messages transmitted between stations and access point by using CRC technique. Integrity of message received is violated when the checksum differs. In this case, the message received is rejected.

4. Security Deficiencies of WEP Protocol

Although WEP protocol uses RC4 algorithm that is highly reliable, there are several safety deficiencies. This section describes WEP protocol deficiencies.

The risk of keystream reuse. In WEP protocol [11,12] a key is extended by IV stream in order to get different keystreams for encryption of each of the transferred frames. However, there are some deficiencies in using the keystreams. The deficiency is in the result that we get when calculating XOR function with the arguments that represent two messages encrypted by the same keystream – the result is the same as the XOR of the two plaintexts. If one of the plaintexts is known, XORing it with this result decrypts the second encrypted message.

The risk of keystream reuse is a security deficiency of WEP protocol. This problem is caused by repeating IV sequence since:
— The key is changed rarely, so when the same IV is generated together with the same key that has not been changed, we get a repeated keystream. Attackers can very easily access the IV since it is not encrypted during the packet transmission.
— Some of the PCMCIA cards reset IV to 0 each time they are initiated.
— WEP standard prescribes the length of IV that cannot be changed.
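The encapsulation steps of Section 3 and the IV-repetition problem described above, as an added Python example (not code from the paper). The frame layout is simplified to IV plus ciphertext with no 802.11 header or key-ID byte; `ResettingStation`, `reused_ivs`, `ciphertext_xor` and the sample key and payloads are constructed for illustration.

```python
import zlib
from collections import defaultdict

SAMPLE_KEY = bytes.fromhex("0102030405")  # constructed 40-bit shared key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(shared_key: bytes, iv: bytes, message: bytes) -> bytes:
    """Step 1: append CRC-32. Step 2: RC4 under IV||key. Step 3: send IV in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is three bytes")
    body = message + zlib.crc32(message).to_bytes(4, "little")
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decapsulate(shared_key: bytes, frame: bytes) -> bytes:
    """Reverse procedure: rebuild the extended key from the received IV, check the CRC."""
    iv, ciphertext = frame[:3], frame[3:]
    if len(ciphertext) < 4:
        raise ValueError("frame too short")
    body = xor_bytes(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    message, sent_crc = body[:-4], body[-4:]
    if zlib.crc32(message).to_bytes(4, "little") != sent_crc:
        raise ValueError("CRC mismatch: frame rejected")
    return message


class ResettingStation:
    """Hypothetical sender whose IV counter restarts at 0 on every initialisation."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.counter = 0

    def send(self, message: bytes) -> bytes:
        iv = self.counter.to_bytes(3, "big")
        self.counter = (self.counter + 1) % (1 << 24)
        return wep_encapsulate(self.shared_key, iv, message)


def reused_ivs(frames):
    """Audit a capture: map each IV seen more than once to the frame indexes using it."""
    by_iv = defaultdict(list)
    for index, frame in enumerate(frames):
        by_iv[frame[:3]].append(index)
    return {iv.hex(): idx for iv, idx in by_iv.items() if len(idx) > 1}


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies; equals the XOR of the plaintexts if the IV repeats."""
    return xor_bytes(frame_a[3:], frame_b[3:])


def capture_with_reset():
    """Constructed capture: two frames, a re-initialisation, then a third frame."""
    payloads = [b"GET /index.html", b"GET /style.css ", b"USER alice pass"]
    station = ResettingStation(SAMPLE_KEY)
    frames = [station.send(payloads[0]), station.send(payloads[1])]
    station = ResettingStation(SAMPLE_KEY)  # card initialised again, IV back to 0
    frames.append(station.send(payloads[2]))
    return frames, payloads


if __name__ == "__main__":
    frames, payloads = capture_with_reset()
    print("IVs seen more than once:", reused_ivs(frames))
    same = ciphertext_xor(frames[0], frames[2])[:15] == xor_bytes(payloads[0], payloads[2])
    print("C0 xor C2 equals P0 xor P2:", same)
```

Running `reused_ivs` over captured frames is a quick way to confirm whether a deployment is repeating IVs under an unchanged key.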


Key management. A standard does not specify in what way the key distribution is done. Globally shared key of 4 streams was in use for some time. Each message contained a field for the identification of a key that is in use. However, this principle was not sustainable, so now we have mainly one key in a wireless network. This means that if one key is used by more than one user, chances for key decryption are increased. Administrators set user workstation configurations alone, in order to solve this problem. The best way is to change the key often enough. This, however, requires reconfiguration of wireless network driver on each of the workstations each time the key is changed. The problem may occur with the large scale networks since it is time consuming. Wireless networks without key management enable attackers to analyze the data transmitted through the network easily and make IV base for message decryption.

WEP protocol uses checksum generated by CRC-32 algorithm to check if the message is changed during the transmission. Checksum alone cannot prevent attackers from falsifying the message, since it is made to detect accidental errors in the message and not to prevent message modifications. Therefore, the attackers are able to modify the message or inject some other message.

Message modification. Message modification means modification of messages in the process of transmission. The message receiver will not notice that the message was modified. This security deficiency takes origin from the WEP checksum that is linear function of the message. Due to linear characteristics of the checksum, there is a possibility to control modifications in the encrypted message without changing the checksum. This means that it is possible to do any modifications in an encrypted message with no fear that the receiver will notice these modifications.

Message injection. This security deficiency of WEP protocol comes from two WEP protocol characteristics:
— WEP checksum is an unkeyed function, and
— It is possible to reuse old IV values with no detection by receiver.

Due to the first characteristic, anyone knowing the message can calculate the checksum field. This allows escaping access control measures.

The second characteristic enables attackers to inject their message in case they know IV sequence and keystream. An attacker encrypts his own message by knowing the keystream and sends it to the receiver. Since the message comes with the IV sequence, the receiver will be able to decrypt the message without noticing that the message was injected.

Message decryption. Possibility of modifying encrypted packets without being noticed can be applied for decryption of the messages sent to users. WEP uses keystream that is presumably safe (RC4), which means that direct attack on encryption will not succeed. Recipients can decrypt the message only if they have the secret key. Access point with IP router role could be used for decryption. Encrypted packet could be modified during transmission by a new Internet address of the attacker’s locations. The access point would then decrypt the packet and send it to the new destination where it could be read by the attacker.

5. Safety Improvements of WEP

Safety improvements of WEP protocol are based on the improvements of the mechanisms for preservation of WEP security goals. It has been noticed that it is not RC4 encryption algorithm causing WEP protocol deficiencies, but the repetition of the encryption keystream. The first solution used to overcome this problem was RSA patch for WEP that enabled each packet to have a different key. The new improvement appeared as Wi-Fi Protected Access (WPA), a temporary solution that did not require any upgrades or hardware replacements. In order to improve data confidentiality and integrity, WPA2 applies a new encryption algorithm, AES (Advanced Encryption Standard). Introduction of the new algorithm requires new equipment and creates incompatibility with the existing wireless equipment. WPA2 introduces safe “mixed mode” that supports WPA and WEP workstations. IEEE group designs a safety authentication mechanism via 802.1x network port, known as Robust Security Network Association (RSNA) in order to improve the authentication mechanism in wireless networks. Introduction of IEEE 802.1x and specification defines two kinds of safety algorithms: RSNA and pre-RSNA. Pre-RSNA is the connection with the old WEP protocol and the old way of authentication. The development process of WEP safety improvements is shown in Figure 2.

RSNA provides two protocols for data confidentiality, TKIP (Temporal Key Integrity Protocol) and AES-CCMP (Counter-mode/CBC-MAC Protocol). TKIP protocol provides compatibility with WPA and WPA2, while AES-CCMP protocol provides higher confidentiality and compatibility with WEP2 mechanism. RSNA also provides improved 802.1x authentication and protocol for key management.

Improvements are adjusted to the existing network equipment without any significant performance malfunctions. The new 802.11i standard introduces a new mechanism for message encryption, integrity check and authentication.

Figure 2. WEP protocol safety improvements.

5.1. RSA Patch for WEP

RSA Security and Hifn have discovered a new way of fast generation of keys unique for each of RC4 algorithm packets. The new solution is named Fast Packet Keying and it uses hash technique of fast generation of a unique keystream for each packet. The solution is based on the following rules [13]:
— A 128 bit RC4 key named temporal key (TK) is used for encryption and decryption,
— A keystream generated by RC4 algorithm is used for encryption and decryption, and
— Initial vector value cannot be used more than once.

RSA uses a special hash function applied in two phases. In the first phase, transmitter address (TA) is injected into the temporal key providing thus a different key for each packet. This means that in the process of data transmission from workstations to access point, a set of keys different from the set of keys used during data transmission from the access point to the workstation will be used. In the second phase, there is a combination of the first phase output with IV, generating thus a unique keystream for each of the packets.

In comparison to WEP protocol, Fast Packet Key solution seems to be more complex since it takes more time for key generation. But the first phase output can be cached once the second phase has ended. First phase cache and generated 16 bits IV will generate key for the next packets.

Many manufacturers of wireless networks have accepted this patch for their products in order to raise the level of safety. There are four key elements for which this patch is significant in the wireless equipment market:
— Low price,
— Easy implementation for both new and old products,
— Possibility of distribution via e-mail, and
— Increased safety.


5.2. Wi-Fi Protection

IEEE studied all details of WEP security problems and focused on the design of new safety mechanisms for wireless networks. The solutions are offered in 802.11i standard. However, standard issuance and ratification can take a few years and the market puts pressure on manufacturers, so that they are not in a position to wait for standard issuance and ratification to be finished. In order to solve this problem, Wi-Fi defines WPA (Wi-Fi Protected Access) standard to improve the protection of wireless devices. WPA has contributed to the increased protection of wireless communications through the increased level of data protection and access control of current and future solutions to wireless networks. WPA is designed to be the software upgrade to the existing devices and is compatible with the new IEEE 802.11i standard. WPA has several purposes:
— To be a strong protective mechanism for wireless networks,
— To be interoperable,
— To replace WEP,
— To enable the existing Wi-Fi wireless devices to be upgraded with the new software solution,
— To be applicable in small, as well as in large wireless networks, and
— To be applicable immediately.

The first improvement [14] offered by WPA is data encryption by TKIP (Temporal Key Integrity Protocol). This protocol provides a strong encryption mechanism whose characteristics are:
— A unique stream for encryption of each of the packets,
— Message integrity check (MIC, Michael),
— IV extension, and
— Repeated key mechanism.

The second improvement is related to the strong security authentication of the users through 802.1x and EAP (Extensible Authentication Protocol). In large networks, WPA uses authentication server RADIUS to secure centralized management and control of the access. In small SOHO (Small Office/Home Office) networks, there is no centralized authentication server so that WPA is initiated by a special mode. This mode is also called Pre-Shared Key (PSK) and it enables users to authenticate by a password or a key. Users have to enter a password (or a key) to the access point, otherwise home network reaches each of the workstations included in the Wi-Fi wireless network. Devices with appropriate password can be networked and thus protected from eavesdropping and other unauthorized users.

5.3. TKIP

TKIP is a collection of algorithms created to improve and solve security problems of WEP. Majority of cryptographic functions is realized through hardware in wireless networks adapters, thus it is not possible to improve the hardware. RC4 is an encryption device implemented in hardware of wireless network adapters and is not replaceable. To solve this problem TKIP uses RC4 device in the way that changes the methods of use of the shared key. In WEP, shared key is used directly in encryption, while in TKIP it is used for generation of other keys. TKIP algorithms can be applied in the current wireless equipment without significantly ruining the performance.

TKIP gives WEP four new improvements [15]:
— Encrypted message integrity code to prevent message falsifications,
— Strict IV sequences to prevent replay attacks,
— Key generation, and
— Mechanism to refresh keys in order to prevent attacks related to key repetition.

Encrypted message integrity code (MIC). MIC is an encryption mechanism based on hash function designed to work on existing wireless network adapters in order to detect false messages. MIC mechanism consists of three components:
— authentication key (Michael key, both the sender and the receiver have the same key),
— tag function, and
— verification.

Tag function generates the tag based on the authentication key and message. Generated tag is an encryption for integrity check and is sent together with a message. Receiver performs verification and if the result is TRUE, that means that the message is original; if the result is not TRUE, that means that the message is false. MIC strength is in the number of tag bits (n). This means that if the attacker wants to send a false message, $2^n$ messages have to be sent [16]. MIC has a level of protection of n = 20, while the strongest attacks could generate $2^{29}$ messages. It is obvious that MIC with the above given level of protection is not completely safe. Therefore, TKIP implements mechanisms for detection of false messages and in case there are two false messages in a second, it is considered to be an attack. In that situation keys must be erased, session must be terminated and one minute has to pass before the new session with the new TKIP and Michael keys is established.

Strict IV sequences. False messages appear when the attacker captures a message and sends it as his own. Usually, this problem is solved by linking IV counter with the MIC key. Each time the MIC key is replaced, IV sequence is reinitialized. This strategy requires the transmitter to stop its transmission when the same IV sequence repeats for one MIC key. This happens when communications ceases or MIC key changes. TKIP affects IV sequence. Transmitter and receiver set IV to zero each time TKIP key is changed. Sender increments IV sequence for each packet that is sent. TKIP requires receiver to supervise all sequences of the IV sequence that has just arrived. If the newly arrived IV sequence is smaller or even the same as the previous IV sequence for the same TKIP key, or if IV sequences arrive in no logical order, then it is a reason to dismiss these messages.
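The receiver-side rules from the two paragraphs above (the MIC failure countermeasure and the strict IV sequence check), as an added Python example that is not code from the paper or from any TKIP implementation. The one-second window and one-minute hold are the values given in the text and are exposed as parameters; running the IV check before the MIC check, and the class name, outcome strings and trace, are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TkipReceiverState:
    failure_window: float = 1.0    # two false messages within this many seconds
    hold_time: float = 60.0        # wait before a new session may be established
    last_iv: int = -1              # highest IV accepted under the current key
    keys_installed: bool = False
    blocked_until: float = 0.0
    last_mic_failure: Optional[float] = None

    def install_keys(self, now: float) -> bool:
        """New TKIP and Michael keys: refused during the hold, otherwise IV restarts."""
        if now < self.blocked_until:
            return False
        self.keys_installed = True
        self.last_iv = -1
        self.last_mic_failure = None
        return True

    def receive(self, iv: int, mic_ok: bool, now: float) -> str:
        if not self.keys_installed:
            return "no-keys"
        # An IV that is smaller than or equal to the previous one is dismissed.
        if iv <= self.last_iv:
            return "replay"
        if not mic_ok:
            previous = self.last_mic_failure
            self.last_mic_failure = now
            if previous is not None and now - previous <= self.failure_window:
                # Treated as an attack: erase keys, end the session, start the hold.
                self.keys_installed = False
                self.blocked_until = now + self.hold_time
                return "countermeasures"
            return "mic-failure"
        # The IV counter only advances for frames whose MIC verified.
        self.last_iv = iv
        return "accepted"


# Constructed trace: (iv, mic_ok, time in seconds).
SAMPLE_TRACE: List[Tuple[int, bool, float]] = [
    (0, True, 0.1),     # first frame after keying
    (1, True, 0.2),
    (1, True, 0.3),     # same IV again
    (0, True, 0.35),    # older IV
    (2, False, 5.0),    # isolated MIC failure
    (2, True, 5.5),     # IV 2 still unused, genuine frame accepted
    (3, False, 10.0),
    (4, False, 10.4),   # second failure within the window
    (5, True, 11.0),    # keys were erased
]


def run_trace(trace, receiver: Optional[TkipReceiverState] = None) -> List[str]:
    receiver = receiver or TkipReceiverState()
    if not receiver.keys_installed:
        receiver.install_keys(0.0)
    return [receiver.receive(iv, ok, now) for iv, ok, now in trace]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(event, "->", outcome)
```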

Key generation. In the WEP protocol, the unique key for each packet is the concatenation of the unchanged key and the IV sequence. As a result of this key generation, keys repeat often. In TKIP, a new key is generated for each packet by a hash function based on the TKIP key and the IV sequence. It is called a temporal key since its duration is temporal and it changes when its time elapses.

Key generation in the TKIP protocol has two phases (Figure 3):
— In phase 1, the hash function is calculated from the MAC address of the sender, the temporal session key and the high 32 bits of the IV. This phase is calculated only if the temporal key of the session is changed.
— In phase 2, the hash function is calculated from the phase 1 output and the low 16 bits of the IV. The output is a key stream of 128 bits. In fact, the first 3 bits of phase 2 are compatible with IV in WEP, while the remaining 13 bits are compatible with WEP. The purpose of phase 2 is to make it difficult for the attacker to find a correlation between the IV and the key for each packet.

Figure 3. WEP protocol safety improvements.


The analysis of the C code that implements both phases shows that some of the cryptographic characteristics of the S-box have been applied [17].

Refresh key mechanism. The TKIP mechanism has three keys:
— Temporal key,
— Encryption key, and
— Master key.

Temporal keys. The temporal keys are a 128 bit encryption key and a 64 bit key for protecting data integrity. TKIP uses separate key sets on both sides of the connection, so that there are four temporal keys in total. TKIP identifies these sets of keys by a 2 bit identifier named WEP keyid. When the first connection is established, the first set of keys is immediately associated with one of the two WEP keyids. When a new set of keys is created, a new keyid is assigned to it. After a new pair of temporal keys is established, the TKIP implementation will continue to receive packets on the old keyid and its keys. However, later on, the transfer will be conducted only via the new keyid and its keys. New temporal keys are created with the first or repeated establishment of a connection.

Encryption key. Encryption keys protect the temporal keys. There are two of these keys: one is used to encrypt the message that introduces the temporal keys, while the other serves to protect the message from being falsified.

Master key. The master key is exchanged among workstations and 802.1x authentication servers. This key is directly related to authentication and is used for secure distribution of key streams. The master key is created after a successful authentication and is related to one session only.

5.4. 802.1x

IEEE 802.1x [18] is a standardized way to secure network access. By using the security methods in the 802.1x standard it is possible to access the network securely, even when products of different manufacturers are in use. 802.1x is only a part of security technology that disables unauthorized access to the network and does not control traffic of the authorized users. 802.1x does not require a specific authentication protocol, but uses EAP for encapsulation of other authentication protocols (LEAP – Lightweight Authentication Extension Protocol; EAP-TLS – Transport Layer Security; EAP-TTLS – Tunneled TLS; EAP-PEAP – Protected EAP). A successful authentication [19], both of a client and authenticator, has to be completed before any traffic from the client is allowed. Before authentication, the 802.1x logical component (PAE – Port Access Entry) prohibits any traffic except for the EAP request that is being forwarded to the authentication server. Based on the EAP message, the authentication server determines whether a client has or does not have access to the network. Then it sends a message to the authenticator and, based on that message, the port either prohibits or approves the traffic.

Previous research has shown that the primary authentication methods [20] (open authentication system and shared key authentication) and access control based on MAC control lists are not secure mechanisms. In order to solve the problem, the IEEE group designed a new security architecture for wireless local networks – Robust Security Network (RSN). RSN provides a mechanism for connecting to the network only through an authorized 802.1x network port. A network port represents a connection between the station and the AP. RSN uses three entities defined by the 802.1x standard: station, authenticator and authentication server. The station is an entity that wants to access the network through the authenticator’s network port (access point). The station is authenticated through the authenticator on the authentication server, from which it receives accreditations.

RSN connection is performed in three phases [21, 22, 23]:

Phase 1: Request, authentication and association. The station looks for the AP with the appropriate SSID. All APs in range answer with the Probe Request frame, as shown in Figure 4. When the station identifies the AP it will connect to and accepts its parameters, authentication and connection to the AP are performed. At the end of phase 1 the workstation and the AP establish security rules and the 802.1x authentication port is locked. The 802.1x network port remains locked until the authentication procedure has been completed.


Figure 4. Request, authentication and association.

Phase 2: 802.1x authentication. In this phase the station is authenticated with the authentication server. The station and the AP have to authenticate mutually so that the station avoids false access points and the access points avoid false stations. The 802.1x standard uses EAP for different authentication mechanisms. In communication between the station and the authenticator, the EAP protocol uses four messages: EAP Request, EAP Response, EAP Success and EAP Failure. EAP can route messages to the authentication server (such as RADIUS) through the 802.1x port when it is locked. EAP packets between the station and the authenticator are encapsulated in EAPOL (EAP over LAN) packets, while EAP messages between the authenticator and the authentication server are encapsulated in RADIUS packets. The station sends an EAPOL start message to the authenticator. Based on this message, the authenticator requests station identification. The station then replies with identity parameters, which the authenticator forwards to the authentication server. Then the mutual authentication between the station and the authentication server is done as shown in Figure 5. If the mutual authentication is successful, the authentication server generates the Master Session Key (MSK) and forwards it to the authenticator and to the station. The PMK (Pair-Wise Master Key) is then generated by the station and the authenticator based on the MSK.

Figure 5. 802.1x/EAP and 4-way handshake.


Phase 3: 4-Way Handshake. The station and the authenticator have to mutually confirm the current PMK in order to successfully complete the RSNA (as shown in Figure 5). After successful confirmation, a PTK (Pair-Wise Transient Key) is generated to be used for a secure transfer of session data. Now the 802.1x port is unlocked.
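The key confirmation in phase 3 can be made concrete with the PTK derivation that IEEE 802.11i specifies (an HMAC-SHA1 based PRF over the PMK, both MAC addresses and both nonces). This Python code is an added example, not part of the paper: the message bodies are simplified byte strings rather than EAPOL-Key frames, and `ControlledPort`, `four_way_handshake`, `pmk_from_msk` and the sample values are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import os


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def pmk_from_msk(msk):
    # 802.11i takes the first 256 bits of the MSK as the PMK.
    return msk[:32]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """512-bit PTK (the TKIP size) from the PMK, MAC addresses and nonces."""
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def _mic(ptk, body):
    # The first 16 bytes of the PTK form the key confirmation key (KCK).
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]


class ControlledPort:
    """802.1x port: only EAPOL traffic passes until the handshake completes."""

    def __init__(self):
        self.unlocked = False

    def allows(self, frame_type):
        return self.unlocked or frame_type == "EAPOL"


def four_way_handshake(station_pmk, ap_pmk, spa, aa, port,
                       anonce=None, snonce=None):
    """Run both sides; return the PTK if the PMKs match, otherwise None."""
    # Message 1 (authenticator -> station): ANonce, sent in the clear.
    anonce = anonce or os.urandom(32)
    # Message 2 (station -> authenticator): SNonce plus a MIC under the KCK.
    snonce = snonce or os.urandom(32)
    sta_ptk = derive_ptk(station_pmk, aa, spa, anonce, snonce)
    msg2 = b"\x02" + snonce
    mic2 = _mic(sta_ptk, msg2)
    # The authenticator derives its own PTK and checks the station's MIC.
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic2, _mic(ap_ptk, msg2)):
        return None                      # wrong PMK: the port stays locked
    # Message 3 (authenticator -> station): proves the AP holds the PMK too.
    msg3 = b"\x03" + anonce
    if not hmac.compare_digest(_mic(ap_ptk, msg3), _mic(sta_ptk, msg3)):
        return None
    # Message 4 (station -> authenticator): final confirmation.
    msg4 = b"\x04"
    if not hmac.compare_digest(_mic(sta_ptk, msg4), _mic(ap_ptk, msg4)):
        return None
    port.unlocked = True                 # data traffic is allowed from now on
    return sta_ptk
```

Neither side ever sends the PMK or the PTK: each proves possession through a MIC computed with a key derived from them, and fresh nonces give every session a different PTK.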

802.1x authentication has several advantages:
— Administrators can define users’ responsibilities in the network, they do not have to manually pair users’ names with MAC addresses, and they can easily find mistakes and supervise the network,
— Administrators allow access to the network according to the manufacturer standards,
— An authorized port cannot be compromised by a non-802.1x client,
— The authenticator waits for a certain period of time for a client to re-authenticate before the port is locked,
— The authentication procedure can continue in case the client was temporarily unable to respond to the authenticator’s request,
— Several devices are allowed to access the network through a shared mediator (such as a hub), and
— Protection is imposed on all users of the access point.

In addition to the advantages mentioned above, 802.1x authentication also has some deficiencies. These deficiencies result from the mistakes in the 802.1x and EAP protocols [24, 25] that attackers have used for attacks.

5.5. WPA, WPA2 and 802.11i

IEEE 802.11i [16], an IEEE standard ratified on June 24, 2004, is an addition to the IEEE 802.11 standard that deals with the protection of small and large wireless networks. IEEE 802.11i is designed to provide enhanced security in the Medium Access Control (MAC) layer for 802.11 networks. WPA2 is a product of the Wi-Fi Alliance that guarantees that all the equipment with WPA2 installed can support the most important characteristics of 802.11i. The Wi-Fi Alliance allows APs that support only WPA2 mode and APs that support mixed WPA2/WPA mode. This means that WPA2 equipment is compatible with WPA. Due to WEP security problems WPA2/WPA mode is not allowed in WPA2 equipment.

WPA and WPA2/802.11i specify new standards for authentication, encryption and message integrity.

Authentication. WPA and WPA2/802.11i use 802.1x/EAP for authentication and key exchange. The 802.1x authentication model requires the existence of an 802.1x client, an authenticator (access point) and an authentication server (RADIUS). WPA and WPA2 use 802.1x for authentication in large networks, while shared key authentication is used in small networks. 802.11i introduces pre-authentication [26] in order to avoid re-authentication and reduce the delays caused by 802.1x. Reduced 802.1x latency enables faster roaming between the wireless station and APs. This is very important for applications sensitive to latency.

Key Management. The process of key management and key creation is the same for TKIP and AES-CCMP (Advanced Encryption Standard – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). Both TKIP and AES-CCMP are defined by the 802.11i standard, but there is a difference in the number of keys. AES-CCMP uses the same number of keys for message encryption and data integrity while TKIP uses two keys. This difference is the result of the fact that TKIP is based on the RC4 encryption technique while AES-CCMP uses the Advanced Encryption Standard.

WPA and 802.11i encryption and integrity. The TKIP and AES-CCMP solutions were introduced to improve the bad WEP encryption mechanisms. The Wi-Fi Alliance integrated TKIP into WPA in order to use it on the WLAN hardware. The TKIP protocol contains RC4, but introduces changes in the area of message integrity, IV creation and key management, all with the purpose of increasing WEP safety.

AES-CCMP [27] is the core of the 802.11i standard and is mandatory in it, while TKIP is supported by the 802.11i standard. Future WLAN equipment will use AES-CCMP for encryption and message integrity. The AES algorithm [28] uses an encryption key of 128, 192 and 256 bits for encryption and decryption of data in blocks of 128 bits. The 802.11i standard requires the use of a 128 bit AES encryption key. It means that a message that cannot be divided into 128 bit blocks has to be converted into 128 bit blocks before encryption. CCMP does this by adding random data to the blocks so that they become 128 bit blocks. When decryption is completed, CCMP removes the added data that are not a part of the original message.

Figure 6. AES encryption by counter.

CCMP in AES-CCMP is a combination of two techniques: AES counter mode encryption and CBC-MAC (Cipher Block Chaining – Message Authentication Code protocol) [29].

The first technique combines a nonce and a counter with the AES temporal key and encrypts the message by XOR. The nonce consists of the MAC address of the sender and the frame ordinal number. The MAC address is included so that the same increment can be used in different communication directions while still providing different encryption streams. The purpose of the packet ordinal number is to let the receiver detect the injection of old packets. The receiver remembers the ordinal number of the last packet and accepts all packets with a bigger ordinal number. The counter is changed for each encrypted data block, as shown in Figure 6. An attacker can find out the starting value of the counter, but cannot know which block applies to which increment.

For message security it is not enough only to encrypt the message; its integrity has to be preserved, too. The CBC-MAC mechanism guarantees that the message will not be modified during the transmission between two devices. CBC-MAC is based on the CBC encryption algorithm. This algorithm calculates the XOR between an unencrypted block and the previously encrypted block, encrypts the result with the AES key, and then XORs that result with the next unencrypted block, as shown in Figure 6. The procedure is repeated until the final 128 bit CBC-MAC block is generated. It is obvious that the CBC-MAC block value depends on the value of all previous blocks, and since all these blocks are encrypted, it is also obvious that the CBC-MAC depends on the key. If a receiver finds some irregularities with a CBC-MAC, it means that the message was modified (message integrity is ruined) or that the message was encrypted with a different key.

Figure 7 shows the procedure of calculating CBC-MAC.

Figure 7. CBC-MAC calculation.

This section describes the differences between the WPA and WPA2/802.11i safety improvements. Table 1 compares these safety improvements with WEP as the first solution for achieving safety goals in WLAN networks. The table also shows the availability of safety solutions for all three safety goals.


| | WEP | WPA | WPA2/802.11i |
|---|---|---|---|
| Authentication | Open authentication system and shared key authentication (same key as for encryption) – Pre-RSN | Shared key authentication and strong authentication based on 802.1x and EAP (RADIUS server) | Authentication based on 802.1x and EAP (RADIUS server) and pre-authentication, RSNA |
| Encryption | Thoroughly researched and documented deficiencies | Removes all WEP deficiencies | Removes WEP and WPA deficiencies |
| | 40 bit key | 128 bit key | 128, 192, 256 bit keys |
| | Static key distribution – all network users use the same key | Dynamic key distribution – new keys for each user, session, packet | Dynamic key distribution – new keys for each user, session, packet |
| | Manual key distribution – it is necessary to enter the key into each device | Dynamic key distribution | Dynamic key distribution |
| | Uses IV | Uses IV | Does not use IV |
| | RC4 algorithm encryption | RC4 algorithm encryption | AES algorithm encryption |
| Integrity | CRC | MIC (64 bit key) | CBC-MAC (the same key as for encryption) |

Table 1. Comparative analysis of WLAN safety improvements.

6. RC4 and AES Cryptographic Algorithms

The RC4 and AES cryptographic algorithms belong to the group of symmetrical encryption algorithms. Symmetrical encryption algorithms use identical keys for both encryption and decryption. These algorithms are completely public, meaning that their safety is not based on the secrecy of the algorithm but on the secrecy of the key. The model of a symmetric encryption system consists of five elements: plaintext, encryption algorithm, secret key, ciphertext and decryption algorithm. Encryption takes place at the sender: the encryption algorithm uses the key K to transform the plaintext into an incomprehensible message. Decryption is the opposite process: at the receiver, the decryption algorithm and the key translate the ciphertext into a comprehensible message.

Symmetric cipher algorithms are divided into two categories:

Stream cipher. The main characteristic of the stream cipher is that the keystream is generated from the initial value (secret key) and a previously agreed algorithm. This cipher system accepts a sequence of plaintext elements (bits or bytes) and encrypts each of them immediately. In these systems, the key is the input value of the pseudorandom number generator that generates the keystream. Then, the XOR of each plaintext byte with the corresponding keystream byte is calculated, which gives the ciphertext.

One of the deficiencies of this cipher system is caused by the use of a pseudorandom stream. The algorithm for generating the pseudorandom stream is deterministic, meaning that, statistically, it is not random. Thus, the same keystream will appear after some time. In order to improve the design of a sequential stream cipher, it is necessary to consider the design issues of the stream cipher given in [30].

Block cipher systems. Block cipher systems process plaintext blocks of fixed length and generate ciphertext in blocks of the same length, usually of 64 bits. The ciphertext is generated from the plaintext by applying the function F repeatedly over several rounds. The F function depends on the previous round output and the key K. This function is also called the round function, as it is applied in each round.

These cipher systems use different cryptographic modes as a technique for improving the efficiency of the cryptographic algorithm. A recommendation for block cryptographic modes [31] specifies five cryptographic modes for symmetrical block cipher systems: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR) mode. One of the algorithms using cryptographic modes is AES, whose specification is defined in FIPS Pub. 197 [32].

RC4 and AES belong to different groups of symmetrical cipher systems. RC4 belongs to the group of stream symmetrical cipher systems, while AES belongs to the group of block symmetrical cipher systems.

6.1. RC4

RC4 is the best known of all sequential cipher systems. It was designed by Ron Rivest for RSA Security in 1987. It uses a key of variable length and is byte-oriented. This cipher system works very fast because of the very small number of operations it needs: 8 to 16 machine operations are required to obtain one output value (encrypted byte).

The RC4 algorithm is very simple and easy to implement. A key of variable length, from 1 to 256 bytes, is used for initializing the 256 byte S array. The S array contains a permutation of all 8-bit numbers from 0 to 255. The encryption and decryption stream, K, is generated from the S array by choosing one of 255 unique stream conditions.

RC4 algorithm execution phases:

Initialization of S array. The S array is initialized with the values 0 to 255 in ascending order, i.e. S[0] = 0, S[1] = 1, ..., S[255] = 255. At the same time, a temporary array, T, is created. The fields of the T array are filled with values of the key K, depending on the position and the key length. If the key length is keylen bytes, then the i-th field of the temporary array T is equal to the key byte K[i mod keylen]. The initialization is shown by the following lines of code:

    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];

Initial permutation of S array. The T array is used for the initial permutation of the S array by swapping the S[i] value with the S[j] value, where j is calculated from the T array as shown in the following lines of code:

    j = 0;
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256;
        Swap (S[i], S[j]);

Cipher Stream Generation. Cipher stream generation goes through all the elements of S. Each element S[i] is swapped with the element S[j], where j is calculated from S[i]. After S[i] and S[j] are swapped, the index t is calculated; it indicates the element of S whose value is taken for the cipher stream. The scheme of cipher stream generation is shown by the following code:

    i, j = 0;
    while (true)
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        Swap (S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        k = S[t];
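The three pseudocode fragments above combine into a complete RC4 routine, and the WEP key generation described earlier under "Key generation" (the unchanged key concatenated with the IV) can be run on top of it to show why a repeated IV repeats the whole keystream. This Python code is an added example, not from the paper: `wep_encrypt` covers only the payload encryption (no integrity value), `reused_ivs` is a hypothetical audit helper, and the key and frames in the demonstration are constructed.

```python
from collections import Counter


def rc4_keystream(key, n):
    """Return n keystream bytes for `key` (1 to 256 bytes)."""
    # Initialization of the S array and the temporary T array.
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    # Initial permutation of S driven by T.
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    # Cipher stream generation.
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key, data):
    """Encrypt or decrypt: the same XOR with the keystream does both."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(iv, base_key, payload):
    # WEP per-packet key: the 3-byte IV concatenated with the unchanged key.
    return rc4(iv + base_key, payload)


def reused_ivs(frames):
    """IVs that occur more than once in a list of (iv, ciphertext) pairs."""
    counts = Counter(iv for iv, _ in frames)
    return sorted(iv for iv, seen in counts.items() if seen > 1)


if __name__ == "__main__":
    base_key = bytes.fromhex("0102030405")        # constructed 40 bit key
    iv = b"\x00\x00\x01"
    p1, p2 = b"first frame data", b"other frame data"
    c1 = wep_encrypt(iv, base_key, p1)
    c2 = wep_encrypt(iv, base_key, p2)
    # Same IV and key give the same keystream, so it cancels out of c1 XOR c2.
    print(xor_bytes(c1, c2) == xor_bytes(p1, p2))
    print(reused_ivs([(iv, c1), (b"\x00\x00\x02", c1), (iv, c2)]))
```

With only the 3-byte IV varying between packets, every IV repetition under the same key exposes the XOR of two plaintexts, which is the repetition problem that the per-packet key of TKIP is meant to remove.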

6.2. AES

In order to replace the “run out” DES, NIST (National Institute of Standards and Technology) organized a cryptographic competition for a new cryptographic algorithm, according to the requirements defined in [33], to be used by government institutions. There were 15 proposals and 5 of them were selected as the best according to the given requirements. In October 2000 NIST chose Rijndael, designed by two Belgian researchers: Joan Daemen and Vincent Rijmen. Rijndael was much faster in comparison to its competitors (MARS, RC6, Serpent, Twofish) and required less memory in the process of encryption and decryption. NIST publicly released AES in 2001.

This algorithm belongs to the group of block cipher algorithms. It supports keys and blocks of 128 to 256 bits in steps of 32 bits. The length of the key and the length of the block can be chosen independently. AES requires blocks of 128 bits and keys of 128, 192 and 256 bits. This actually means that there are two types of AES, one of 128 bits block with 128 bits key, and another one of 128 bits block with 256 bits key.

But before we start with the encryption and decryption process, it is necessary to review in what way the input data and the key are presented.

The plaintext is divided into 128 bit blocks that are the starting point for the encryption and decryption algorithm. These blocks appear in the form of a square matrix of bytes [28]. The starting block of the plaintext is put into a two dimensional array of 4x4 bytes (the state array), whose value is changed after each completed algorithm phase. After the final stage, the state array is copied to an output matrix.

The key of 128 bits is described in the same way as the starting blocks, as a square matrix of bytes. Then the key is expanded into an array of 44 32-bit words, where each of the words is equal to 4 bytes. Four words make a round key. It is obvious that there are 11 keys, but the work is conducted with 10 rounds. The first key is used for initialization of encryption, while the last key is used for initialization of decryption. The rest of the keys are used in the encryption and decryption rounds.

When a 192 bit or 256 bit key is used in the AES algorithm, 12 or 14 rounds take place and the key is expanded to 52 or 60 words accordingly.

The starting matrix of the data block for encryption and decryption is filled in columns, meaning that the first four bytes of the 128 bit block occupy the first column of the matrix, the second four bytes occupy the second column, and so on. The same principle applies to the expanded key, meaning that the first four bytes make a word that occupies the first column of the key matrix.

The processes of encryption and decryption of the AES algorithm take place in a certain number of rounds, where each of the rounds consists of one permutation and three substitutions:

Substitution of bytes. AES defines a matrix of 16x16 bytes containing a permutation of all 256 possible 8 bit values. This matrix is called the S-box. Each byte of the original matrix is mapped into a new byte in the following way: the 4 most significant bits of the byte are the row index of the S-box, while the 4 least significant bits are the column index of the S-box. According to these two indexes, the value of the matrix field is replaced by the respective value from the S-box. Inverse substitution is conducted in the same way by using the inverse S-box. The S-box is designed in a way that is resistant to cryptanalytic attacks.

ShiftRows Permutation. This permutation is conducted on the rows of the original matrix. The first row of the original matrix remains the same. There is a 1-byte circular left shift in the second row. In the third row, there is a 2-byte left shift, while in the fourth row, there is a 3-byte left shift. This permutation is shown in Figure 8.

Figure 8. ShiftRows permutation.

MixColumn Substitution. This substitution is conducted for each column. Each of the column bytes is mapped into a new value that is a function of all four column bytes. This transformation is shown in Figure 9. Each of the elements in the substitute matrix is the product of the elements of one of the rows of the transformation matrix and one of the columns of the original matrix.

Figure 9. MixColumn substitution.

The coefficients of the transformation matrix are linear, with maximum distance between the bytes of each of the columns. Column substitution combined with the row permutation ensures that, after a few rounds, the value of the original matrix depends on all input bits at the very beginning [34]. The output value is obtained by multiplication (*) and the XOR operation (circled plus symbol). Multiplication by the value 02 (i.e. 02*y) is calculated in the following way:
— if the most significant bit of y is equal to 0, then a 1-bit left shift is conducted. 0 is put in the place of the last bit,
— if the most significant bit of y is equal to 1, then a 1-bit left shift is conducted. 0 is put in the place of the last bit. The new value is then added to (0001 1011) by the XOR operation.

Inverse MixColumn substitution is conducted in the same way by using the inverse matrix.

AddRoundKey Substitution. In this type of substitution, the XOR function is applied between the results of the previous transformations and the 128 bit round key. The transformation is conducted so that each of the original matrix fields is XORed with the corresponding extended key field (the fields with the same index in the original matrix and in the extended key are combined by exclusive OR). The inverse transformation is identical, as the XOR function is its own inverse. This substitution affects every bit of the original matrix.

The safety of the AES algorithm is secured by the complexity of the key extension (each round key) and the complexity of the above mentioned transformations.
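The round transformations of this section, and the counter mode and CBC-MAC constructions described for AES-CCMP in Section 5.5, can be checked against the FIPS 197 test vectors with an AES-128 implementation. This Python code is an added example, not from the paper or from any library: `ctr_encrypt` and `cbc_mac` show only the two mechanisms as the text describes them, with zero padding and a caller-chosen nonce shorter than 16 bytes as assumptions, and they omit the CCM formatting of RFC 3610 (which, among other things, encodes the message length in the first MAC block).

```python
def xtime(y):
    """02*y as described above: shift left, XOR 0001 1011 if the top bit was 1."""
    y <<= 1
    return (y ^ 0x11B) if y & 0x100 else y


def gmul(a, b):
    """General GF(2^8) product built from repeated xtime (used for the S-box)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    # S-box entry: multiplicative inverse in GF(2^8), then the affine transform.
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(c for c in range(1, 256) if gmul(x, c) == 1)
        box.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3)
                   ^ _rotl8(inv, 4) ^ 0x63)
    return box


SBOX = _build_sbox()


def expand_key(key):
    """Expand a 128 bit key into 44 words, returned as 11 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # rotate, then substitute
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def shift_rows(s):
    # The state is stored column by column: s[4*c + r] is row r, column c.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_column(a):
    # Row r of the matrix: 02*a[r] + 03*a[r+1] + a[r+2] + a[r+3] (03*x = 02*x ^ x).
    return [xtime(a[r]) ^ xtime(a[(r + 1) % 4]) ^ a[(r + 1) % 4]
            ^ a[(r + 2) % 4] ^ a[(r + 3) % 4] for r in range(4)]


def aes128_encrypt_block(key, block):
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]          # initial AddRoundKey
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])           # SubBytes, ShiftRows
        if rnd < 10:                                   # last round: no MixColumn
            s = [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]
        s = [b ^ k for b, k in zip(s, rk[rnd])]        # AddRoundKey
    return bytes(s)


def ctr_encrypt(key, nonce, data):
    """Counter mode: encrypt nonce || counter and XOR the result into the data."""
    out = bytearray()
    for i in range(0, len(data), 16):
        counter = (i // 16).to_bytes(16 - len(nonce), "big")
        stream = aes128_encrypt_block(key, nonce + counter)
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], stream))
    return bytes(out)


def cbc_mac(key, data):
    """CBC-MAC: XOR each block into the running value, then encrypt it."""
    data += bytes(-len(data) % 16)                     # assumption: zero padding
    mac = bytes(16)
    for i in range(0, len(data), 16):
        mixed = bytes(a ^ b for a, b in zip(mac, data[i:i + 16]))
        mac = aes128_encrypt_block(key, mixed)
    return mac
```

Because decryption in counter mode is the same XOR, only the forward AES direction is needed, and a change in any single block propagates through every later encryption to the final CBC-MAC value.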

7. Conclusion

WEP is the first protocol for data protection in wireless networks. This mechanism is designed to achieve three safety goals: authentication, confidentiality and message integrity. This mechanism is based on the RC4 algorithm (an algorithm that can be trusted) but, still, WEP does not achieve its safety goals completely. The basic WEP deficiencies come from unsafe authentication, repeated use and open transfer of the IV, the key management system and a mechanism for the protection of message integrity that is not applied properly. All these deficiencies can lead to many threats to the WEP safety goals.

WPA contributes to the increase of wireless communication protection by the Wi-Fi standard through an increased level of data protection, access control and integrity. The WPA standard is defined as a software upgrade of current devices and is completely compatible with the new IEEE 802.11i standard. WPA introduces the TKIP group of algorithms, created to improve the safety mechanisms of WEP, and provides strong and safe authentication by the 802.1x/EAP standard. 802.11i introduces new standards for authentication, encryption and message integrity. 802.11i defines the Robust Security Network Association (RSNA) procedure to provide mutually strong authentication and a key management procedure. AES counter encryption contributes significantly to the increase of data protection during transmission, while CBC-MAC contributes to integrity preservation by mixing encrypted and non-encrypted data blocks.

The 802.11i standard provides a high level of protection from attacks, but cannot solve all the problems caused by some DoS attacks. One of these attacks is jamming, in which an attacker can disable communications among wireless network users by using some devices.


References

[1] J. WELCH, S. D. LATHROP, A Survey of 802.11a Wireless Security Threats and Security Mechanisms. United States Military Academy West Point, New York, (2003). http://www.itoc.usma.edu/Documents/ITOC TR-2003-101 (G6).pdf

[2] B. FLECK, J. DIMOV, Wireless access points and ARP poisoning: wireless vulnerabilities that expose the wired network. White paper by Cigital Inc., (2001). http://www.cigitallabs.com/resources/papers/download/arppoison.pdf

[3] I. MARTINOVIC, F. A. ZDARSKY, A. BACHOREK, C. JUNG, J. B. SCHMITT, Phishing in the Wireless: Implementation and Analysis. Kaiserslauterer Uniweiter Elektronischer Dokumentenserver, Universitatsbibliothek Kaiserslautern, (2006). http://kluedo.ub.uni-kl.de/volltexte/2006/2035/pdf/martinovic.pdf

[4] G. RUPINDE, S. JASON, C. ANDREW, Specification-Based Intrusion Detection in WLANs. 22nd Annual Computer Security Applications Conference, Miami Beach, Florida, (2006).

[5] AUSCERT AA-2004.02, Denial of Service Vulnerability in IEEE 802.11 wireless devices. (2004). http://www.auscert.org.au/render.html?it=4091

[6] C. WULLEMS, K. THAM, J. SMITH, M. LOOI, A Trivial Denial of Service Attack on IEEE 802.11 Direct Sequence Spread Spectrum Wireless LANS. IEEE Press, (2004), pp. 129–136.

[7] F. RANGO, D. C. LENTINI, S. MARANO, Static and Dynamic 4-Way Handshake Solutions to Avoid Denial of Service Attack in Wi-Fi Protected Access and IEEE 802.11i. EURASIP Journal on Wireless Communications and Networking, Hindawi Publishing Corporation, pp. 1–19, (2006).

[8] R. PRODANOVIC, D. SIMIC, Holistic Approach to WEP Protocol in Securing Wireless Network Infrastructure. Com SIS, Vol. 3, No. 2, pp. 97–113, (2006).

[9] White paper: Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points. Net-O2 Technologies, (2004). http://whitepapers.zdnet.co.uk/0,39025942,60152756p,00.htm

[10] N. BORISOV, I. GOLDBERG, D. WAGNER, Intercepting Mobile Communications: The Insecurity of 802.11. DRAFT. (2002). http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf

[11] J. R. WALKER, Unsafe at any key size; An analysis of the WEP encapsulation. IEEE Document 802.11-00/362./, (2000).

[12] N. BORISOV, I. GOLDBERG, D. WAGNER, Intercepting mobile communications: the insecurity of 802.11. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, Rome, Italy, (2001).

[13] WEP Fix using RC4 Fast Packet Keying. RSA Laboratories, (2002). http://www.comms.scitech.susx.ac.uk/fft/crypto/wep.pdf

[14] Wi-Fi Protected Access: Strong, standards-based, interoperable security for today’s Wi-Fi networks, Wi-Fi Alliance, (2003). http://www.wi-fi.org/opensection/pdf/whitepaper wi-fi security4-29-03.pdf

[15] J. R. WALKER, 802.11 Security Series (Part II: The Temporal Key Integrity Protocol (TKIP)). Intel Corporation. http://cache-www.intel.com/cd/00/00/01/77/17769 80211 part2.pdf

[16] IEEE P802.11i/D10.0. Medium Access Control (MAC) Security Enhancements, Amendment 6 to IEEE Standard for Information Technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications, (2004).

[17] W. HAN, D. ZHENG, K. CHEN, Some Remarks on the TKIP Key Mixing Function of IEEE 802.11i. Cryptology ePrint Archive, (2006). http://eprint.iacr.org/2006/129.pdf

[18] L. BLUNK, J. VOLLBRECHT, B. ABOBA, J. CARLSON, H. LEVKOWETZ, Extensible Authentication Protocol (EAP). Internet Draft draft-ietf-eap-rfc2284bis-06.txt, (2003).

[19] J. ANTHON, Using IEEE 802.1x to Enhance Network Security. Foundry Networks, (2002). http://www.foundrynet.com/solutions/appNotes/PDFs/802.1xWhite Paper.pdf

[20] M. ARUNESH, A. W. ARBAUGH, An Initial Analysis of the IEEE 802.1X Standard. Maryland, (2002). http://www.cs.umd.edu/∼waa/1x.pdf

[21] T. KARYGIANNIS, L. OWENS, Wireless Network Security 802.11. Bluetooth and Handheld Devices, NIST, (2002). http://csrc.nist.gov/publications/nistpubs/800-48/nist sp 800-48.pdf

[22] J. C. CHEN, M. C. JIANG, Y. W. LIU, Wireless LAN security and IEEE 802.11i. IEEE Wireless Communications, (2005), vol. 12, no. 1, pp. 27–36.

[23] C. HE, J. C. MITCHELL, Security Analysis and Improvements for IEEE 802.11i. Stanford, USA, (2004). http://www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/NDSS05-1107.pdf

[24] G. RUPINDE, S. JASON, C. ANDREW, Experiences in Passively Detecting Session Hijacking Attacks in IEEE 802.11 Networks. Proceedings of the 2006 Australasian workshops on Grid computing and e-research, Vol. 54, pp. 221–230, (2006).


[25] L. HAN, A Threat Analysis of The Extensible Authentication Protocol. Honours Project, School of Computer Science, Carleton University, (2006). http://www.scs.carleton.ca/ barbeau/Honours/Lei Han.pdf

[26] L. PHIFER, 802.11i: Robust and ready to go. (2004). http://searchmobilecomputing.techtarget.com/tip/1,289483,sid40 gci992741,00.html

[27] E. PEREZ, 802.11i (How we got here and where are we headed). Orlando, (2004). http://www.giac.org/practical/GSEC/Elio Perez GSEC.pdf

[28] NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, FIPS Pub 197: Advanced Encryption Standard (AES), (2001).

[29] D. WHITING, R. HOUSLEY, N. FERGUSON, Counter with CBC-MAC (CCM). RFC 3610, (2003).

[30] I. KUMAR, Cryptology. Laguna Hills, CA: Aegean Park Press, (1997).

[31] M. DWORKIN, Recommendation for Block Cipher Modes of Operation – Methods and Techniques. NIST, (2001).

[32] FIPS PUBLICATION 197, Advanced Encryption Standard (AES). U.S. DoC/NIST, November 26, (2001).

[33] NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, Request for Candidate Algorithm Nominations for the Advanced Encryption Standard. Federal Register, September 12, (1997).

[34] J. DAEMEN, V. RIJMEN, AES Proposal: Rijndael, Version 2. Submission to NIST, March (1999). http://csrc.nist.gov/ encryption/aes

Received: May, 2006
Revised: March, 2007
Accepted: April, 2007

Contact addresses:

Radomir Prodanovic
Serbian Air Forces and Air Defense
Serbian Army
Glavna 1, Zemun, Serbia
e-mail: [email protected]

Dejan Simic
Faculty of Organizational Sciences
POB 52, Belgrade, Serbia
e-mail: [email protected]

RADOMIR PRODANOVIC is an MSc student at FON – Faculty of Organizational Sciences, University of Belgrade. He is working for the Serbian Army, Air Forces and Aircraft Defense, as Designer of Information Systems. He was Chief of Center for Computer Data Processing and worked on the design and implementation of several applications for his Command. He introduced several software applications in operational work, and designed the computer network in the Command of Air Forces and Aircraft Defense. His interests are design and security of computer networks, implementation of modern security technology in e-business, and management of e-documents.

DEJAN SIMIC, PhD, is a professor at the Faculty of Organizational Sciences, University of Belgrade. He received the B.S. in electrical engineering and the M.S. and the Ph.D. degrees in Computer Science from the University of Belgrade. His main research interests include: security of computer systems, organization and architecture of computer systems and applied information technologies.


Appendix A: Abbreviation

AES Advanced Encryption Standard

AES-CCMP Advanced Encryption Standard – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

AP Access Point

ARP Address Resolution Protocol

CBC Cipher Block Chaining

CBC-MAC Cipher Block Chaining – Message Authentication Code

CFB Cipher Feedback

CRC Cyclic Redundancy Check

CTR Counter Mode

DES Data Encryption Standard

DoS Denial of Service

EAP Extensible Authentication Protocol

EAPOL EAP over LAN

ECB Electronic Codebook

GTK Group Transient Key

IEEE Institute of Electrical and Electronics Engineers

IP Internet Protocol

IPsec IP Security

IV Initialization Vector

LAEP Lightweight Authentication Extension Protocol

MAC Medium Access Control

MIC Message Integrity Check

MSK Master Session Key

NIST National Institute of Standards and Technology

OFB Output Feedback

OSI Open Systems Interconnection

PAE Port Access Entry

PCMCI cards Personal Computer Memory Card International Association

PEAP Protected Extensible Authentication Protocol

PMK Pair-Wise Master Key

PSK Pre-Shared Key

PTK Pair-Wise Transient Key

RADIUS Remote Authentication Dial In User Service

RC4 A Stream Cipher Algorithm

RSA Rivest, Shamir, Adleman Algorithm

RSN Robust Security Network

RSNA Robust Security Network Association

SOHO Small Office/Home Office

SSID Service Set Identifier

TA Transmitter Address

TCP Transmission Control Protocol

TKIP Temporal Key Integrity Protocol

TLS Transport Layer Security

TTLS Tunneled Transport Layer Security

VPN Virtual Private Network

WEP Wired Equivalent Privacy

WLAN Wireless Local Area Network

WPA Wi-Fi Protected Access

XOR Exclusive OR