Wifi Security Ppt

Enhancing WiFi Security: Data-Oriented Wireless and Mobile Networks Overview

This article provides an overview of data-oriented wireless and mobile networks, focusing on security systems and protocols used to protect WiFi networks.

Data-Oriented Wireless Networks

Data-oriented wireless networks include:

  • Wireless LAN (WLAN, 802.11)
  • World Interoperability for Microwave Access (WiMAX, 802.16)
  • Bluetooth (IEEE 802.15)

Security in WLAN

Security protocols used in WLAN include:

  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA, WPA2 – IEEE 802.11i)

Key Establishment in 802.11

In 802.11 networks, key establishment relies on pre-shared keys between the mobile node or station (STA) and the Access Points (APs). However, this approach has several problems:

  • Manual configuration of keys is prone to errors.
  • Users may not choose strong keys.
  • 802.11 allows each STA (and AP) in a Basic Service Set (BSS) to be configured with 4 different keys, but in practice, the same key is often used across BSSs over the whole Extended Service Set (ESS), making it more susceptible to compromise.

Anonymity in 802.11

In 802.11 networks, it is difficult to determine the identity of a subscriber due to:

  • Dynamic IP address assignment using protocols like DHCP.
  • NAT (Network Address Translation), which creates two types of IP addresses (private and global).

Open System Authentication

Open System Authentication is the default authentication scheme in 802.11 networks, allowing any station to join the network without authentication.

Shared Key Authentication

Shared Key Authentication is based on a challenge-response mechanism, where two groups of STAs are defined:

  • Group 1: access allowed – shares a secret key with the AP.
  • Group 2: access not allowed.

Pre-Shared Key

Pre-shared keys are used in WPA and WPA2 networks, providing better security than WEP.

Problems with 802.11 Authentication

Authentication with shared keys has several problems:

  • There is no way for the AP to reliably determine the exact identity of the STA.
  • Authentication is one-way – the STA cannot authenticate the network.
  • Rogue APs can access virtually everything that the STA sends.

Pseudo Authentication

Pseudo authentication allows only stations that know the network’s SSID to join the network, but this poses a minimal challenge since the SSID is often transmitted in the clear without encryption.

MAC Address Filtering

MAC address filtering allows only stations with certain MAC addresses to join the network, but this is not a very secure authentication scheme since the MAC address of most wireless access cards used by stations can be easily spoofed.
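
The weaknesses covered in the sections above (WEP keys, shared key authentication, no WPA/WPA2, and SSID hiding or MAC filtering used as the only gate, plus weak pre-shared keys) can be checked mechanically in an access point's configuration. The following Python is an added example, not part of the original article; it assumes the AP runs hostapd and reads standard hostapd.conf options, and the finding codes, the sample configurations and the 16-character passphrase threshold are assumptions of the example.

```python
# Added example: audits hostapd.conf text for the weaknesses this article lists.
# Both configurations are constructed for the example, not taken from a real network.
WEAK_CONF = """\
ssid=office-net
ignore_broadcast_ssid=1
auth_algs=3
wep_key0=1234567890
macaddr_acl=1
"""
HARDENED_CONF = """\
ssid=office-net
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-example-passphrase-42
"""

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text, min_passphrase_len=16):  # threshold is this example's assumption
    """Return sorted finding codes; only explicitly set options are judged."""
    c = parse_conf(text)
    wpa = int(c.get("wpa", "0"))              # bit 0 = WPA, bit 1 = WPA2 (802.11i)
    auth_algs = int(c.get("auth_algs", "0"))  # bit 0 = Open System, bit 1 = Shared Key
    wep = any(k in c for k in ("wep_key0", "wep_key1", "wep_key2", "wep_key3"))
    findings = set()
    if wep:
        findings.add("WEP_KEYS_CONFIGURED")
    if auth_algs & 2:
        findings.add("SHARED_KEY_AUTH_ENABLED")
    if wpa == 0:
        findings.add("NO_WPA")
        # Without WPA these two are the only gate, and neither authenticates anyone.
        if c.get("ignore_broadcast_ssid", "0") != "0":
            findings.add("HIDDEN_SSID_ONLY")
        if c.get("macaddr_acl", "0") == "1":
            findings.add("MAC_FILTER_ONLY")
    if "wpa_passphrase" in c and len(c["wpa_passphrase"]) < min_passphrase_len:
        findings.add("SHORT_PASSPHRASE")
    return sorted(findings)
```

Calling `audit(WEAK_CONF)` reports every weakness in the constructed weak configuration, while `audit(HARDENED_CONF)` returns an empty list.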
