
IMPLEMENTATION OF WIRELESS SECURITY ON VIRTUALWiFi

MOHAMMAD YASIN ARASHPOUR

DISSERTATION SUBMITTED IN FULFILLMENT OF THE FULL REQUIREMENT FOR THE DEGREE OF MASTER OF INFORMATION TECHNOLOGY

FACULTY OF COMPUTER SCIENCE & INFORMATION TECHNOLOGY
UNIVERSITY OF MALAYA
KUALA LUMPUR

FEBRUARY 2011

Abstract

Since the early 21st century, with improving wireless platforms and a growing number of wireless Access Points (APs), several solutions have been assessed for using multiple APs at the same time. VirtualWiFi (previously known as MultiNet) is one of these investigations: it takes one wireless card and virtualizes it into more than one card, which lets the wireless card connect to a number of APs at the same time. It creates as many virtual adapters as there are wireless domains connected to it, and the driver then assigns each virtual adapter to a specific AP. VirtualWiFi was implemented as an NDIS (Network Driver Interface Specification) driver, an intermediate level between the Data Link layer and the Network layer; NDIS is an Application Programming Interface (API) for network cards on Windows platforms. Previous work accomplished connecting one wireless card to multiple APs simultaneously and focused on reducing the switching time between APs and on aggregating bandwidth to gain more throughput. However, wireless security was not implemented until the new version of VirtualWiFi (Version 1.0) was released in 2006. In this new version, a simple kind of wireless security, WEP (Wired Equivalent Privacy), was implemented to protect the system from the simple attacks that WEP addresses. Wired networks send signals and data through cables, whereas wireless networks propagate signals through the air. As a result, IEEE 802.11 specifies several services, such as WEP and WPA, to provide a secure environment. Because of the vulnerabilities of WEP, WPA2 is recommended to make a wireless network more secure. In this research, NDIS 5.1 (the version related to Windows XP) is used to implement and add wireless security (WEP and WPA together) to the VirtualWiFi driver. The driver is written in the C++ language. The IEEE 802.11 wireless LAN (WLAN) object identifiers (OIDs) that can be used from C++ are supported by NDIS.

The new driver is evaluated using a testbed implementation. After the new NDIS objects have been implemented in the driver, it is examined in a real testbed against networks that use different wireless security, such as WEP or WPA.

Acknowledgments

I would like to take the opportunity to thank the people who guided and supported me during my study. First, I would like to thank my supervisor, Dr. Miss Laiha Mat Kiah, for her guidance, support and encouragement throughout my dissertation work. I would also like to thank my fellow graduate students, especially Amir Reza Bagheri, and the staff at the Faculty of Computer Science and Information Technology, who offered their help; their suggestions and comments encouraged me a lot. Finally, I would like to express my sincere gratitude to my family, especially my mother, for her unending emotional support and love, and my father, for his guidance and for showing me the path to success. Without their encouragement, I could never have been strong enough to overcome the difficulties.

Table of Contents

Abstract ... i
Acknowledgments ... ii
Table of Contents ... iii
List of Figures ... vi
List of Tables ... vii
List of Abbreviations ... viii

Chapter One: Introduction ... 1
1.1 Overview ... 1
1.1.2 Virtual Wi-Fi ... 2
1.1.3 Wireless security ... 2
1.2. Problem statement ... 4
1.3. Research Aims and Objectives ... 6
1.4 Significance of the Research ... 7
1.4. Research Methodology ... 8
1.5 Thesis Layout ... 9

Chapter Two: Literature Review ... 10
2.1 Wireless Security ... 11
2.1.1 Introduction ... 11
2.1.2 WEP ... 12
2.1.3 WEP vulnerability ... 14
2.1.4 WPA ... 16
2.1.5 IEEE 802.11i ... 18
2.1.6 Comparison of WEP Mechanism, WPA and 802.11i ... 19
2.2 Virtual Wi-Fi ... 22
2.2.1 Connecting to Multiple APs ... 22
2.2.2 AP Selection ... 24
2.3 Summary ... 25

Chapter Three: Research Methodology ... 26
3.1 Overview ... 26
3.2 Literature Review ... 26
3.3 System Development ... 29
3.4 Enhance Safety Factor of VirtualWiFi Driver ... 31
3.5 Data Collection and Analysis ... 32
3.6 Prepare Report on Output Result ... 32
3.7 Summary ... 32

Chapter Four: Driver Implementation ... 33
4.1 Overview ... 33
4.2 NDIS ... 34
4.3 802.11 Wireless LAN Objects ... 39
4.3.1 OID_802_11_BSSID ... 41
4.3.2 OID_802_11_SSID ... 42
4.3.3 OID_802_11_BSSID_LIST_SCAN ... 43
4.3.4 OID_802_11_BSSID_LIST ... 44
4.3.5 OID_802_11_AUTHENTICATION_MODE ... 49
4.3.6 OID_802_11_ENCRYPTION_STATUS ... 51
4.3.7 OID_802_11_ADD_WEP ... 54
4.3.8 OID_802_11_REMOVE_WEP ... 55
4.3.9 OID_802_11_ASSOCIATION_INFORMATION ... 55
4.4 Summary ... 57

Chapter Five: Testing and Result ... 58
5.1 Overview ... 58
5.2 Result and discussion ... 59
5.2.1 First scenario (Open System Authentication) ... 60
5.2.2 Second scenario (Wired Equivalent Privacy) ... 61
5.2.3 Third scenario (WiFi Protected Access) ... 63
5.2.4 Fourth Scenario (Both WEP and WPA) ... 65

Chapter Six: Conclusion ... 67
6.1 Overview ... 67
6.2 Thesis summary ... 67
6.3 Contribution and Future Work ... 69

References ... 71
Appendix ... 76
Appendix A ... 76

List of Figures

Figure 2.1: WEP frame. Length of fields measured in bytes (Moen, 2004) ... 13
Figure 2.2: Encryption/Decryption using WEP (AirTight Network, 2010) ... 14
Figure 2.3: Key mixing and data encryption in TKIP (Bulbul, 2008) ... 18
Figure 2.4: Relationship between WEP, WPA and WPA2 ... 21
Figure 3.1: Research methodology progress model ... 28
Figure 4.1: The modified Windows network stack (Chandra, 2006) ... 35
Figure 4.2: New Generation of TCP/IP Stack (Windows Network Stack) ... 36
Figure 4.3: General NDIS Architecture (Microsoft Corporation, 2010) ... 37
Figure 5.1: Testing open system authentication ... 61
Figure 5.2: Testing WEP ... 62
Figure 5.3: Testing WPA ... 64
Figure 5.4: Testing WEP and WPA ... 66

List of Tables

Table 2.1: WEP Mechanism, WPA and 802.11i Security Protocols (Bulbul, 2008) ... 20
Table 4.1: IEEE 802.11 wireless LAN (WLAN) object identifiers (OIDs) ... 39
Table 4.2: Encryption status in NDIS miniport driver (Microsoft Corporation, 2010) ... 53
Table 5.1: List of instruments for testing ... 60

List of Abbreviations

AES      Advanced Encryption Standard
AP       Access Point
BSS      Basic Service Set
BSSID    Basic Service Set IDentifier
CCMP     Counter Mode CBC MAC Protocol
EAP      Extensible Authentication Protocol
FIPS     Federal Information Processing Standards Publications
ICV      Integrity Check Value
IE       Information Element
IV       Initialization Vector
MAC      Media Access Control
MIC      Message Integrity Check
MMD      Multinet Miniport Driver
MPD      Multinet Protocol Driver
NDIS     Network Driver Interface Specification
OID      Object IDentifier
PMKID    Pairwise Master Key Identifier
PSK      Pre-Shared Key
RSN      Robust Security Network
SSID     Service Set IDentifier
TK       Temporal Key
TKIP     Temporal Key Integrity Protocol
WEP      Wired Equivalent Privacy
Wi-Fi    Wireless Fidelity
WLAN     Wireless LAN
WMI      Windows Management Instrumentation
WPA      Wi-Fi Protected Access

Chapter One: Introduction

1.1 Overview

The term wireless refers to computers that can communicate with each other without using any wire. Unlike a LAN (Local Area Network), which connects computers with some kind of cabling such as UTP (unshielded twisted pair), a wireless network requires no data cabling. Users of this type of network can share data files and other resources without any need to connect to each other physically. The advantages of a wireless network are most obvious when considering the needs of users of mobile devices, i.e. handheld PCs, mobile phones and laptops.

The term Wi-Fi (Wireless Fidelity) is defined as a wireless networking technology that works with no physical connection between sender and receiver, using radio frequency (RF) technology. The term Wi-Fi is often used as a synonym for IEEE 802.11 technology. Wi-Fi allows devices such as personal computers to connect to the Internet when they are in range of a wireless network (WiFi Alliance, 2010).

Each wireless network has a limited coverage area for data transmission. The transmission distance therefore determines the possible distance between an AP (Access Point) and any wireless device in its domain. The range can be extended, however, by using multiple access points that form different local networks: as the number of access points increases, the coverage area for data transmission is extended. Covering the overlapping areas is an important consideration in designing and managing APs, since it lets authorized users roam around the covered area easily.

Access areas that provide Internet access through a wireless local area network (WLAN) are called "hot spots". Most Wi-Fi users access the Internet through home or work networks. In addition, there are over a thousand Wi-Fi hot spots worldwide in cafes, airports and hotels. Some of them provide Internet access free of charge, but most charge a fee. Most people are, by now, quite comfortable with Internet and e-mail access from their own homes, offices or Internet cafes. They also use Virtual Private Networks operated over existing public wired systems. The future development of wireless technologies will aim to give anyone with a wireless device an immediate connection to a wireless access point, allowing high-speed Internet, e-mail and VPN capabilities.

1.1.2 Virtual Wi-Fi

VirtualWiFi is a virtualization architecture for wireless LAN (WLAN) cards. It abstracts a single WLAN card so that it appears to the user as multiple virtual WLAN cards. The user can then configure each virtual card to connect to a different wireless network. VirtualWiFi (previously known as MultiNet) thus allows users to connect their computers to multiple wireless networks simultaneously using just one WLAN card. The VirtualWiFi virtualization architecture exposes multiple virtual adapters, one for each wireless network to which connectivity is desired. It then implements a network hopping scheme that switches the wireless card across the multiple virtual wireless network cards. The goal is to make the switching transparent to users, so that they feel connected on all the wireless networks at once (Microsoft research centre, 2010).

1.1.3 Wireless security

Network security in a wireless LAN environment is a unique challenge. In Local Area Networks, users or computers connect to each other using wired media, which send electrical signals through cables, but a Wireless LAN (WLAN) propagates signals

through the air. Therefore, it is very simple to intercept wireless signals, and network administrators should implement an extra level of security to meet this challenge. If wireless networks are left open and unsecured, they face a number of exceptionally serious risks and dangers. Some of these risks and attacks are interception and monitoring of wireless traffic, insertion attacks, jamming and misconfiguration, as well as client-to-client attacks. An insertion attack happens when unauthorized users access the network without going through the security process. Jamming or Denial of Service (DoS) attacks happen when legitimate data cannot reach the clients because other traffic swamps the relevant frequencies.

The IEEE 802.11 specification identifies several services to provide a secure operating environment. The security services of wireless networks are provided largely by the Wired Equivalent Privacy (WEP) protocol. WEP was invented to give users security equivalent to that of a wired network, especially a LAN. WEP is an algorithm that uses RC4 to encrypt and decrypt data. It combines a 40-bit WEP key with a 24-bit Initialization Vector (IV) to encode the data, but WEP does not provide end-to-end security. This means that the main problem of this algorithm is key management: if the key that every user employs for association is compromised as a consequence of any of the attacks or risks mentioned above, all of them have to change the key. WPA (Wi-Fi Protected Access), introduced in 2003, avoids most of the weaknesses of WEP (Barken, 2004). WPA uses the Temporal Key Integrity Protocol (TKIP) to solve the key-reuse flaws of WEP. TKIP uses the same encryption algorithm, RC4, as WEP in order to remain compatible with existing networks. In comparison with WEP, TKIP changes the key every 10000 packets to decrease the chance of it being found (Wong, 2005). WPA uses some other features, which are described briefly in Chapter Two.
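The hopping scheme described in Section 1.1.2 can be made concrete with a small model: one physical radio, several virtual adapters, each bound to its own AP and carrying its own security settings, and frames buffered on each adapter while the radio is serving another network. This is an added illustration written for this page, not code from VirtualWiFi (the real driver is an NDIS intermediate driver written in C++); the round-robin time-slice policy, the class names and the sample networks are assumptions, and the BSSIDs and keys are constructed values.

```python
"""Model of a VirtualWiFi-style hopping scheme (added example, not the driver's code)."""
from collections import deque


class VirtualAdapter:
    """One virtual WLAN card as the user sees it: its own AP (BSSID), its own
    security mode and key, and a send queue used while the radio is away."""

    def __init__(self, name, bssid, security, key=None):
        self.name = name
        self.bssid = bssid
        self.security = security      # "open", "wep" or "wpa" (assumed labels)
        self.key = key                # per-adapter key material, never shared across adapters
        self.outbound = deque()       # frames buffered while the radio is on another network
        self.delivered = []

    def protect(self, payload):
        """Wrap a frame with this adapter's own security context (illustrative
        framing only; the real driver applies WEP/WPA in the miniport)."""
        cipher = None if self.security == "open" else self.security
        return {"bssid": self.bssid, "cipher": cipher, "key": self.key, "body": payload}


class VirtualWiFiCard:
    """The single physical card, time-sliced across the virtual adapters."""

    def __init__(self, adapters, slot_ticks=3):
        self.adapters = list(adapters)
        self.slot_ticks = slot_ticks   # ticks spent on one network before hopping
        self.associated = None         # the radio is associated with exactly one AP at a time
        self.switches = 0

    def send(self, adapter_name, payload):
        """Upper layers see N independent cards; each frame is queued on its adapter."""
        adapter = next(a for a in self.adapters if a.name == adapter_name)
        adapter.outbound.append(payload)

    def tick(self, t):
        """Advance one time unit and return the frame put on the air, if any."""
        target = self.adapters[(t // self.slot_ticks) % len(self.adapters)]
        if target is not self.associated:
            self.associated = target   # hop: (re)associate with this adapter's AP
            self.switches += 1
        if not target.outbound:
            return None
        frame = target.protect(target.outbound.popleft())
        target.delivered.append(frame)
        return frame

    def run(self, ticks):
        """Run the scheduler and return every frame transmitted, in order."""
        return [f for f in (self.tick(t) for t in range(ticks)) if f is not None]


def demo():
    """Three networks with different security settings, two frames queued on each."""
    home = VirtualAdapter("home", "00:11:22:33:44:01", "wep", key=b"constructed-wep-key")
    office = VirtualAdapter("office", "00:11:22:33:44:02", "wpa", key=b"constructed-psk")
    cafe = VirtualAdapter("cafe", "00:11:22:33:44:03", "open")
    card = VirtualWiFiCard([home, office, cafe], slot_ticks=3)
    for adapter in (home, office, cafe):
        card.send(adapter.name, f"{adapter.name}-frame-1")
        card.send(adapter.name, f"{adapter.name}-frame-2")
    frames = card.run(ticks=18)
    # Invariant worth checking: a frame leaves only on the network of the adapter it was
    # queued on, wrapped with that adapter's own cipher and key.
    on_own_network = all(f["body"].startswith(a.name)
                         for a in (home, office, cafe) for f in a.delivered)
    return {
        "frames": len(frames),
        "switches": card.switches,
        "pending": sum(len(a.outbound) for a in (home, office, cafe)),
        "ciphers": {f["bssid"]: f["cipher"] for f in frames},
        "all_on_own_network": on_own_network,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes for the rest of this thesis is that the security state (mode and key) has to live on each virtual adapter, not on the physical card: when the radio hops, the frames it sends must be protected with the credentials of the network it is currently associated with.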

1.2. Problem statement

There has been extraordinary growth in wireless networks at homes, cafes, airports, offices and even across cities. Despite this growth, it is normally not possible to connect to more than one network (AP) at the same time. The current version of VirtualWiFi (Version 1.0), released by Microsoft research centre, provides an 802.11 driver that abstracts one WLAN card so that it appears as multiple virtual cards. The user can connect each virtual card to a different Access Point (wireless network). Hence, the VirtualWiFi driver permits users to connect to multiple wireless networks simultaneously (Chandra, 2006).

Since the release of the VirtualWiFi driver (version 1.0) in 2005, several applications have been built on it. Client Conduit is one of them; it is useful for diagnosing and recovering from faults in wireless networks (Adya, 2004). Slotted Seeded Channel Hopping (SSCH) is another application, which uses orthogonal channels to increase the capacity of wireless ad hoc networks (Bahl, 2004). WiFiProfiler tries to find and resolve the root cause of wireless problems by leveraging collaboration among users within the same domain (Chandra, 2006). Kandula (2008) introduces FatVAP as an improved VirtualWiFi driver that combines the available bandwidth at reachable Access Points and splits the traffic by balancing their loads. It assigns traffic to the available APs based on their calculated bandwidth, which lets users make use of unused bandwidth at multiple access points to maximize throughput.

As mentioned above, all previous works focused only on the driver itself, or tried to provide a method to decrease the switching time between access points. No attempt has been made to improve its security aspects. It is true that simple security, a WEP (Wired Equivalent Privacy) based one, was implemented in the first and only version of the VirtualWiFi driver (Chandra, 2006). Although using simple WEP is better than having no wireless security at all, Dynamic WEP (WEP with a variable key) and WPA are two improved wireless security mechanisms that have been suggested for secured wireless networks.

In order to implement trustworthy wireless security such as dynamic WEP and WPA on the VirtualWiFi driver, this research proposes a method based on NDIS. NDIS (Network Driver Interface Specification) is a miniport driver that sits between layer two (Data Link Layer) and layer three (IP Layer). This miniport driver creates a number of virtual MAC and IP addresses to help the wireless card connect to more than one network at a time. Applying wireless security at this miniport driver makes it possible to implement WEP and Dynamic WEP as well as WPA on the VirtualWiFi driver. NDIS supports the Object Identifiers (OIDs) of IEEE 802.11 wireless LAN (WLAN). It has many versions, each supported by specific Windows versions. NDIS 5.0, which is related to Windows XP, is used to prepare the objects needed to implement the WPA algorithm in the VirtualWiFi driver. The VirtualWiFi driver is written in the C++ programming language, and NDIS provides objects that can be used from C++ to implement our proposed method or algorithms.

So, the problem can be stated as follows. The current version of VirtualWiFi (version 1.0) can only support simple WEP. Using the same key for all packets (a static key), a detectable Initialization Vector, unauthorized authentication and poor key management are some of the problems of using simple WEP. Due to the known vulnerabilities of WEP, we aim to provide an alternative method for security by implementing the WPA (Wi-Fi Protected Access) technique (algorithm), which is proven to be more secure than WEP.

1.3. Research Aims and Objectives

This research aims to make the VirtualWiFi driver more secure. The main challenge is how to implement WPA and WEP in this driver. First, we scrutinize the VirtualWiFi driver to find out how it works; then we study the security algorithms used on wireless networks. Furthermore, we look for a proper method to implement on the VirtualWiFi driver. The main aim of this research is to improve the security of the VirtualWiFi driver. In particular, the objectives of this research are to:

1. Study and scrutinize VirtualWiFi, find out how it works, and review the algorithms developed to make wireless networks secure, such as WEP and WPA.
2. Propose a method or service that can be used in Windows XP to make the VirtualWiFi driver more secure than the simple WEP implemented in its last version (version 1.0).
3. Test the proposed technique by designing a testbed that contains more than one AP, and examine the newly proposed driver with both WEP and WPA.

1.4 Significance of the Research

The study of security is important in wireless networks because today, with the improvement of access points and wireless domains around the world, threats and unauthorized access menace our systems. As is well known, the Wi-Fi Alliance, the group that holds the Wi-Fi trademark, laid down standard protocols to secure wireless computer networks. One of the most important algorithms used to secure wireless networks is WEP (Wired Equivalent Privacy), but researchers found several serious weaknesses in this protocol that allow it to be cracked easily (Bittau, 2006). After that, the Wi-Fi Alliance developed a new standard protocol called WPA (Wi-Fi Protected Access) and improved it as WPA2 to address the problems found in WEP.

VirtualWiFi is an advanced wireless driver that can connect to more than one access point or wireless domain with only one wireless card. However, the last version of this driver (version 1.0) can support only simple WEP. As mentioned before, WEP can be broken easily; because of this problem, this research tries to make the driver secure. Despite the many problems that WEP has, it is undeniable that it will continue to be applied to provide security to wireless networks. We therefore add WPA along with WEP to achieve the ability to connect to both security systems. Finally, this research can claim to have added immunity against threats as a new feature alongside the other features of this driver.

1.4. Research Methodology

The research methodology describes the activities needed to create a new system. In this section, the activities required to achieve the aim of this research are listed according to each objective, as follows:

1. Study previous work about:
   1.1 VirtualWiFi
   1.2 Wireless Security
   1.3 NDIS (Network Driver Interface Specification)
2. Learn how the VirtualWiFi driver works.
3. Add the required C++ code to implement wireless security in the driver.
4. Compare the suggested method with the only existing version of this driver (version 1.0). Scenario: create a testbed built from D-Link and/or NetGear APs to evaluate the level of security of the proposed driver.

The research methodology is discussed in detail in Chapter Three.

1.5 Thesis Layout

The remainder of the thesis is organized as follows:

Chapter 2: This chapter introduces VirtualWiFi as a driver that can connect one wireless card to more than one access point or wireless network. It gives the background on existing wireless security algorithms and how they work. The introduction to NDIS (Network Driver Interface Specification), the Windows device driver interface that enables a single NIC (Network Interface Card) to serve multiple network protocols, is given later, in the fourth chapter.

Chapter 3: The methodology for designing and implementing the proposed improved VirtualWiFi driver is discussed in Chapter Three.

Chapter 4: This chapter provides a technical overview of the design of NDIS. It presents the Object Identifiers (OIDs) of IEEE 802.11 wireless LAN (WLAN) that are used to prepare WEP and WPA in the VirtualWiFi driver.

Chapter 5: This chapter contains the testing scenarios used to validate the proposed driver and reach the goal. It discusses the results and compares them.

Chapter 6: Finally, the last chapter sums up the steps taken, the contribution, and the limits and difficulties encountered, and indicates the path for future work.

Chapter Two: Literature Review

Progressively, computers in residential areas, coffee shops such as Starbucks branches, and most office environments can reach multiple open access points (APs). For example, cafes and restaurants provide free WiFi Internet, cities provide metropolitan networks, and many residential users connect to the Internet through access points. The wireless link rate to these access points is often 30Mbps with 802.11a as a high-speed option, and connections can also use the newer 802.11n. Nevertheless, the throughput of a wireless connection is relatively low in comparison with the DSL or cable modem links that connect the access points to the Internet (Yang et al., 2006). Ideally, a user would want to use all reachable access points at the same time and gain the sum of their bandwidth. Past work in this area has shown that it is possible to connect one wireless card to more than one access point simultaneously, but concurrent TCP connections cannot be maintained across them and the AP bandwidth cannot be pooled. Although previous works on this subject produced software and improved drivers such as MultiNet, they do not support all the features of wireless networks, such as advanced wireless security like dynamic WEP and WPA (Kandula et al., 2008).

WEP is a scheme to secure IEEE 802.11 wireless networks and is part of the IEEE 802.11 wireless networking standard. WPA was introduced in 2003 to solve WEP problems such as the static key, key distribution and insufficient key size. The VirtualWiFi kernel module supports multiple WLAN cards, but the VirtualWiFi service does not support this yet. The switching and buffering mechanisms are implemented in the kernel, while the logic and policies are implemented as a user-level

service. Finally, the first and only version of the VirtualWiFi driver does not yet include support for dynamic WEP and WPA (Ranveer Chandra, 2007).

The literature review is divided into two parts. The first part describes wireless security, and the second part explains previous work on VirtualWiFi. NDIS (Network Driver Interface Specification), as a service of Windows, is described in Chapter Four.

2.1 Wireless Security

2.1.1 Introduction

The main difference between a wired network and a wireless one is the way they send and receive data. Concerning security risks, the main difference between wired and wireless networks is how the data transmitted through the network medium can be accessed. In wired networks, the only way to access the data is to tap the medium used for network communication, whereas in wireless networks the medium used for communication is the air. Data transmitted via radio frequency can be accessed with equipment that is available on the market for a low price (Bulbul, 2008). From the initial development stages of wireless technology and its security needs, experts knew that security would be the main issue. Compared with traditional wired networks, wireless networks are less secure, since they transmit information through the air and anyone within range with a suitable device can intercept those transmissions easily. It is certain that meeting all the security needs of a wireless network is not an easy task; there are a number of security issues that make securing a WLAN difficult. Since WEP was the first WLAN security mechanism, it is used in more wireless networks than WPA/WPA2 and 802.11i. Despite the enormous

popularity of WEP, it has several serious weaknesses identified by cryptanalysts; therefore it was replaced by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard, RSN (also known as WPA2), ratified in 2004 (Bulbul, 2008).

2.1.2 WEP

WEP is the protocol initially developed to secure wireless transmissions (Hytnen and Garcia, 2006). Wired Equivalent Privacy (WEP) is one of the algorithms used to provide wireless security for users implementing 802.11 wireless networks. A group of volunteer IEEE members developed WEP as an encryption algorithm. Considering that data is transmitted from one end point to another through radio waves in wireless networks, the aim of developing WEP was to provide security across an 802.11 wireless network. WEP has three main characteristics: confidentiality, access control and data integrity. It provides confidentiality by protecting wireless communication from eavesdropping. Preventing unauthorized access to a wireless network is one of the responsibilities of WEP, which provides access control. Data integrity is provided by preventing tampering with transmitted messages (Wong, 2003).

WEP uses the RC4 stream cipher to encrypt the data. In this algorithm, both end points must be set with the same key, known as the shared key, to establish a connection between them. The WEP algorithm combines a forty-bit WEP key with a twenty-four-bit random number called an Initialization Vector (IV). The sender XORs the cipher stream with the real data to produce the cipher text. A stream cipher is a coder that encrypts text by applying an algorithm and a cryptographic key to each bit of the data stream. The packet, which is the combination of the IV and the cipher text, is sent to the receiver. The receiver decrypts the packet using the stored shared key (WEP key) and the attached IV (Douglas, 2002).

WEP was proposed in 1999 in the IEEE 802.11 standard to provide security equivalent to that of wired Ethernet. The algorithm is meant to ensure confidentiality through the shared key that both end points hold, and the integrity of the frames on the wireless network through sequence numbers for packets. A Cyclic Redundancy Check (CRC) is used to compute an Integrity Check Value (ICV) on the message. The ICV is a function that is used to create a secret key from variable-length inputs. The ICV is then concatenated to the message before encryption with the stream cipher RC4 (Borisov, 2006). The WEP frame is illustrated in Figure 2.1.

Figure 2.1: WEP frame. Length of fields measured in bytes (Moen, 2004)

RC4 is a symmetric-key algorithm used to encrypt and decrypt the data. Like most ciphers, RC4 is initialized from a secret key, and it is essentially a pseudo-random number generator. To produce the cipher text stream, RC4 generates a key stream and XORs it with the plaintext (data). The encryption key is a per-packet key obtained by concatenating an Initialization Vector (IV) with the user key. The decryption process uses exactly the same secret key as the encryption process; that is, both sender and receiver use the same secret key to encrypt or decrypt the data in the RC4 algorithm. Due to export regulations, the standard specifies 64-bit keys, of which the IV part is 24 bits; but for security reasons, and to make the encryption key harder to discover, many vendors have also implemented 128-bit keys, of which 24 bits are the IV (Moen et al., 2004).

Data transmission in WEP works in the following way. A secret key K is shared between the two communicating parties. Given a message M, the sender (either the station

or the AP) first computes a CRC checksum c(M) and concatenates the two into the plaintext M || c(M). The sender chooses an initialization vector (IV) and uses RC4 to generate a keystream RC4(IV, K), a long sequence of pseudo-random bits. The IV is 24 bits long. The key has two popular lengths, 40-bit and 104-bit, in the so-called 64-bit and 128-bit versions respectively (the difference in the names is the 24-bit IV). The sender XORs the plaintext with the keystream to obtain the ciphertext C and transmits the IV together with C. The WEP-encoded data frame is illustrated in Figure 2.2.

Figure 2.2: Encryption/Decryption using WEP (AirTight Network, 2010)

2.1.3 WEP vulnerability

Unfortunately, the encryption protocol had not been subjected to a significant amount of peer review before it was released (B. Nikita, 2001), and serious security flaws were present in it. Although WEP may stop casual sniffers, an experienced attacker can recover the WEP key of a busy network within 15 minutes. In general WEP is considered a broken protocol (Barnes, 2002).

The vulnerability of WEP can be attributed to the following:

1. WEP key recovery. WEP uses the same WEP key with a different IV for each packet. The IV has only a limited range (0 to 16777215, that is 2^24 values), so the same IVs are eventually used over and over again, and every repeated IV reuses an RC4 keystream. By picking the repeating IVs out of the data stream, and by exploiting the statistical relation between the IV-prefixed RC4 key and the first keystream bytes (the weak-key attacks), an attacker can collect enough data to recover the WEP key.

2. Unauthorized decryption and violation of data integrity. Once the WEP key is revealed, an attacker can transform the ciphertext back into plaintext and read the data. Knowing the algorithm, the attacker can also use the recovered key to modify the ciphertext and forward the changed message to the receiver. Because the ICV is a linear CRC rather than a keyed integrity code, chosen bits of a frame can even be flipped without the key and the ICV patched to match.

3. Poor key management. The WEP key is typed into every wireless device that joins the network, and there is no mechanism to renew the stored key. Once the key is compromised, for example when an employee leaves the company, it has to be changed on every device to maintain security. This may be workable in a home or small business; in an enterprise with thousands of wireless devices it is almost impossible (Wong S., 2003).

4. No access point authentication. WEP shared-key authentication only lets an access point challenge a station; a station has no way to authenticate the access point. An attacker can therefore set up a rogue access point and draw station traffic through an unauthorized path.
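The WEP operations of 2.1.2 and weaknesses 1 and 2 above, as an added worked example in Python; this is not code from the thesis or from the VirtualWiFi driver. It implements RC4, the CRC-32 ICV and the IV || ciphertext frame body described above (the one-byte key-ID field of a real 802.11 frame is omitted), then shows what an IV collision and the linearity of CRC-32 give an attacker who never learns the key. The key, the reused IV and the two messages are constructed for the demo.

```python
"""Added example (not the thesis's code): minimal WEP, keystream reuse under a
repeated IV, and ICV forgery through CRC-32 linearity. Demo values are made up."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 over the plaintext, carried little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Frame body = IV || (RC4(IV || key) XOR (msg || ICV)). Key-ID byte omitted."""
    assert len(iv) == 3 and len(key) in (5, 13), "24-bit IV, 40- or 104-bit key"
    plaintext = msg + icv(msg)
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strips the keystream and verifies the ICV; raises on a mismatch."""
    iv, ct = frame[:3], frame[3:]
    pt = xor(ct, rc4_keystream(iv + key, len(ct)))
    msg, tag = pt[:-4], pt[-4:]
    if tag != icv(msg):
        raise ValueError("ICV check failed")
    return msg


def decrypts_cleanly(key: bytes, frame: bytes) -> bool:
    try:
        wep_decrypt(key, frame)
        return True
    except ValueError:
        return False


def recover_with_known_plaintext(frame_a: bytes, msg_a: bytes, frame_b: bytes) -> bytes:
    """Weakness 1: two frames under the same key and IV share one keystream.
    Knowing msg_a exposes that keystream, which then strips frame_b without the key."""
    assert frame_a[:3] == frame_b[:3], "needs an IV collision"
    keystream = xor(frame_a[3:], msg_a + icv(msg_a))
    return xor(frame_b[3:], keystream)[:-4]


def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: crc32(m ^ d) == crc32(m) ^ crc32(d) ^ crc32(zeros), so an
    attacker can XOR chosen bits into the message and patch the encrypted ICV."""
    iv, ct = frame[:3], frame[3:]
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return iv + xor(ct, delta + icv_delta.to_bytes(4, "little"))


def flip_without_icv_patch(frame: bytes, delta: bytes) -> bytes:
    """The same flip with no ICV correction: this one the receiver does catch."""
    return frame[:3] + xor(frame[3:], delta + bytes(4))


# Constructed demo values (not real keys or captured traffic).
KEY = bytes.fromhex("0102030405")     # 40-bit shared key
IV = bytes.fromhex("aabbcc")          # deliberately reused IV
MSG_A = b"GET /status HTTP/1.0"
MSG_B = b"PUT /admin  HTTP/1.0"
TARGET = b"PUT /sales  HTTP/1.0"      # what the attacker wants MSG_B to become

if __name__ == "__main__":
    fa, fb = wep_encrypt(KEY, IV, MSG_A), wep_encrypt(KEY, IV, MSG_B)
    print("recovered:", recover_with_known_plaintext(fa, MSG_A, fb))
    print("forged   :", wep_decrypt(KEY, forge_bitflip(fb, xor(MSG_B, TARGET))))
    print("naive flip accepted:", decrypts_cleanly(KEY, flip_without_icv_patch(fb, xor(MSG_B, TARGET))))
```

The keystream recovery needs only one known plaintext for the colliding IV; with 2^24 IVs and a busy network, collisions arrive in minutes, which is why item 1 leads to key recovery in practice. The forgery shows why a linear ICV is no substitute for a keyed MIC, the gap WPA's Michael and CCMP's CBC-MAC close.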

2.1.4 WPA

Wi-Fi Protected Access is a wireless security standard based on a subset of IEEE 802.11i that replaces WEP (Bulbul, 2008). Designed to run on existing WEP-based hardware as a software upgrade, Wi-Fi Protected Access is derived from, and forward compatible with, the then-upcoming WPA2 standard. When properly deployed, it gives wireless LAN users a high level of assurance that data transmitted over the radio link stays protected by WPA encryption and that only authorized users can access the network. WPA uses the Temporal Key Integrity Protocol (TKIP). TKIP improves data encryption through a per-packet key mixing function, a Message Integrity Check (MIC), an enlarged Initialization Vector (IV) with sequencing rules, and a session-derived re-keying mechanism. To strengthen user authentication, WPA implements 802.1X and the Extensible Authentication Protocol (EAP); together these provide a framework for strong, mutual user authentication. Wi-Fi Protected Access 2 (WPA2) is also based on 802.11i. It adds further security features, the most important being pre-authentication, which enables secure fast roaming, and AES (Advanced Encryption Standard), the FIPS standard for data encryption.

In response to the security flaws in WEP, the Wi-Fi Alliance announced WPA, a new security standard for WLANs, in October 2002. Most Wi-Fi products on the market today are WPA-compliant or can easily be upgraded to support WPA (Bulbul, 2008). The primary goal of WPA is to fix the known security flaws in WEP while retaining backward compatibility with legacy WEP hardware. WPA addresses the flaws in WEP through the following primitives:

Temporal Key Integrity Protocol (TKIP), a new data encryption protocol that defeats the keystream reuse and weak key attacks; Message Integrity Codes (MICs), which defeat message forgery attacks; and 802.1X authentication, which provides strong authentication, authorization and key management.

TKIP: Like WEP, TKIP XORs the plaintext with a pseudo-random keystream to obtain the ciphertext, but it derives the keystream differently, as shown in Figure 2.3. TKIP uses a 128-bit temporal key (TK) and a 48-bit IV (the TKIP sequence counter). The IV is reset to 0 whenever the TK changes and is incremented by one after each transmission. The 48-bit length guarantees that an IV is never reused with the same TK: exhausting the IV space would take more than 600 years even at 54 Mb/s. As Figure 2.3 shows, TKIP uses a two-phase key mixing operation to derive the per-packet key, and each phase fixes one particular flaw in WEP. Phase 1 mixes TK with the upper 4 bytes of the IV and the sender's MAC address and produces an intermediate key, P1K; this prevents keystream reuse due to cross-station IV collisions. Phase 2 mixes P1K with TK and the lower 2 bytes of the IV to produce a unique 128-bit RC4 key; this breaks the direct, known relation between the IV and the RC4 key that WEP had, so weak keys can no longer be exploited to recover TK. Finally, the RC4 key generates the keystream, which is XORed with the plaintext (Yang, H. et al, 2006).
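The structure just described, two-phase per-packet keying driven by a 48-bit sequence counter plus the receiver-side sequencing rule, as an added example in Python; it is not code from the thesis, from VirtualWiFi or from the 802.11i standard. One assumption is stated up front: the real TKIP phase-1/phase-2 S-box mixing is replaced here by HMAC-SHA256 so that the example runs on the standard library, while the inputs of each phase (TK, sender MAC and the upper 32 counter bits for phase 1; P1K, TK and the low 16 bits for phase 2) and the cache/reset/replay behaviour are kept. The temporal key and MAC addresses are constructed.

```python
"""Added example (not the thesis's or VirtualWiFi's code): the shape of TKIP
per-packet keying and the TSC replay check. ASSUMPTION: HMAC-SHA256 stands in
for the real TKIP S-box mixing; the phase inputs and the counter rules are kept."""
import hashlib
import hmac

TSC_BITS = 48
TSC_MAX = (1 << TSC_BITS) - 1


def phase1(tk: bytes, mac: bytes, tsc_hi: int) -> bytes:
    """Intermediate key P1K; recomputed only when the upper 32 TSC bits change.
    Mixing in the sender MAC gives two stations different keys for equal TSCs."""
    msg = b"TKIP-P1" + mac + tsc_hi.to_bytes(4, "big")
    return hmac.new(tk, msg, hashlib.sha256).digest()


def phase2(p1k: bytes, tk: bytes, tsc_lo: int) -> bytes:
    """128-bit per-packet key. Unlike WEP's IV || key, the key is not a plain
    function of the counter, so IV-based weak-key attacks do not apply."""
    msg = b"TKIP-P2" + p1k + tsc_lo.to_bytes(2, "big")
    return hmac.new(tk, msg, hashlib.sha256).digest()[:16]


def per_packet_key(tk: bytes, mac: bytes, tsc: int) -> bytes:
    return phase2(phase1(tk, mac, tsc >> 16), tk, tsc & 0xFFFF)


class TkipSender:
    """Owns the 48-bit TSC; it restarts from 0 whenever TK is changed."""

    def __init__(self, tk: bytes, mac: bytes):
        self.mac = mac
        self.rekey(tk)

    def rekey(self, tk: bytes):
        self.tk, self.tsc, self._p1 = tk, 0, (None, b"")

    def next_packet_key(self):
        if self.tsc > TSC_MAX:
            raise RuntimeError("TSC space exhausted; rekey before sending")
        hi, lo = self.tsc >> 16, self.tsc & 0xFFFF
        if self._p1[0] != hi:                    # phase-1 cache miss
            self._p1 = (hi, phase1(self.tk, self.mac, hi))
        key = phase2(self._p1[1], self.tk, lo)
        tsc, self.tsc = self.tsc, self.tsc + 1
        return tsc, key


class TkipReceiver:
    """Sequencing rule: per sender, the TSC must strictly increase."""

    def __init__(self, tk: bytes):
        self.tk, self.last = tk, {}

    def accept(self, mac: bytes, tsc: int):
        if tsc <= self.last.get(mac, -1):
            return None                          # replayed or out of order: drop
        self.last[mac] = tsc
        return per_packet_key(self.tk, mac, tsc)


def iv_exhaustion_seconds(iv_bits: int, frames_per_second: float) -> float:
    """How long one key lasts before the IV/TSC space wraps at a given frame rate."""
    return (1 << iv_bits) / frames_per_second


# Constructed demo values (not real keys or addresses).
TK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_A = bytes.fromhex("02aabbccdd01")
MAC_B = bytes.fromhex("02aabbccdd02")


def run_demo() -> dict:
    """The checks a reader would want to see; returned so they can be asserted."""
    a, b = TkipSender(TK, MAC_A), TkipSender(TK, MAC_B)
    rx = TkipReceiver(TK)
    tsc0, k0 = a.next_packet_key()
    _, k1 = a.next_packet_key()
    _, kb0 = b.next_packet_key()
    first = rx.accept(MAC_A, tsc0)
    replay = rx.accept(MAC_A, tsc0)              # same TSC presented again
    a.rekey(bytes.fromhex("ff" * 16))
    return {
        "keys_change_per_packet": k0 != k1,
        "same_tsc_other_station_differs": k0 != kb0,
        "receiver_derives_same_key": first == k0,
        "replay_dropped": replay is None,
        "tsc_resets_on_rekey": a.tsc == 0,
        "wep_iv_wrap_seconds_at_10k_fps": iv_exhaustion_seconds(24, 10_000),
        "tkip_tsc_wrap_years_at_10k_fps": iv_exhaustion_seconds(48, 10_000) / (365 * 86400),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two wrap-time figures make the IV-size argument concrete: at ten thousand frames per second a 24-bit IV repeats in under half an hour, while the 48-bit counter lasts centuries, which is why TKIP can require a rekey before wrap instead of tolerating reuse.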

Figure 2.3: Key mixing and data encryption in TKIP (Bulbul, 2008)

2.1.5 IEEE 802.11i

802.11i, ratified in 2004, introduces the concept of a Robust Security Network (RSN), in which wireless devices must support additional capabilities. The standard uses IEEE 802.1X for access control and the Advanced Encryption Standard (AES) for encryption. A pairwise key exchange (the four-way handshake) built on 802.1X provides mutual authentication and key management. 802.11i allows several configurations and can still use TKIP, but by default an RSN uses AES with CCMP (Counter Mode with CBC-MAC Protocol), which provides a stronger and more scalable solution (Bulbul, H et al, 2008). IEEE 802.11i negotiates the authentication and encryption algorithms dynamically between access points and mobile devices. The authentication schemes proposed in the

draft standard are based on 802.1X and the Extensible Authentication Protocol (EAP), and the encryption algorithm is AES. Dynamic negotiation of authentication and encryption algorithms lets RSN evolve with the state of the art in security. With dynamic negotiation, 802.1X, EAP and AES, RSN is significantly stronger than WEP and WPA. However, RSN runs very poorly on legacy devices: only the latest devices have the hardware needed to accelerate AES in clients and access points and deliver the performance expected from today's WLAN products (Wong, 2003).

2.1.6 Comparison of WEP Mechanism, WPA and 802.11i

WEP is regarded as a failure in wireless security, and the IEEE has accepted that WEP was never intended to provide full security. The original WEP standard, built on the RC4 cipher, is widely considered vulnerable and broken because of its insecure use of the IV. It uses a 40-bit RC4 key by default and concatenates that key with a per-packet IV that is sent in clear over the air. The weaknesses of WEP's use of RC4 fall into three main parts: no embedded key management mechanism, no automatic or periodic key change, and reuse of small, easily captured IVs, which together let third parties recover the key. The data integrity check of WEP is not cryptographically protected and uses a CRC-32 ICV; there is no header integrity protection and no replay prevention.

WPA, an interim solution to the WEP vulnerabilities, uses a subset of the 802.11i features and is generally regarded as a major security improvement for wireless environments. In the light of the criticism of WEP, WPA has numerous enhancements over it: the TKIP encryption mechanism, 128-bit keys, a mixed (rather than concatenated) per-packet encryption key, 802.1X dynamic key management, a 48-bit IV, and 802.1X itself. WPA also supports EAP for authentication, provides data and header integrity through the MIC built into TKIP, prevents replay attacks through IV sequencing, and supports existing wireless infrastructures (Wong S., 2003).

Table 2.1: WEP Mechanism, WPA and 802.11i Security Protocols (Bulbul, 2008)

Features of Mechanism         WEP                        WPA              802.11i
Encryption Cipher Mechanism   RC4 (Vulnerable IV Usage)  RC4 / TKIP       AES / CCMP (CCMP or TKIP)
Encryption Key Size           40 bits *                  128 bits         128 bits
Encryption Key Per Packet     Concatenated               Mixed            No need
Encryption Key Management     None                       802.1x           802.1x
Encryption Key Change         None                       For Each Packet  No need
IV Size                       24 bits                    48 bits          48 bits
Authentication                Weak                       802.1x - EAP     802.1x - EAP
Data Integrity                CRC 32 ICV                 MIC (Michael)    CCM
Header Integrity              None                       MIC (Michael)    CCM
Replay Attack Prevention      None                       IV Sequence      Sequence

(*) Some vendors apply 104- and 232-bit keys, where 802.11 requires a 40-bit encryption key.

As far as all the previously described vulnerabilities and drawbacks of WEP and WPA are concerned, IEEE 802.11i appears to be the strongest security protocol for wireless networks. After ratification of 802.11i, RSN was accepted as the final solution for wireless security and is expected to provide the robust security that wireless environments require. RSN provides all the advantages of WPA plus stronger encryption through AES, roaming support, and the CCM mechanism for data and header integrity. WPA, on the other hand, supports existing wireless infrastructures: deploying WPA over a current WEP installation is cost effective and hassle free, because vendors can move to WPA through a software or firmware upgrade. This is not the case for RSN, which requires a hardware upgrade to implement AES (Bulbul, H et al, 2008). Table 2.1 compares the three wireless security protocols in detail. The relationship between the security mechanisms described above is summarized in Figure 2.4.

Figure 2.4: Relationship between WEP, WPA and WPA2

2.2 Virtual Wi-Fi

Prior work related to virtual Wi-Fi falls into two main areas, described below.

2.2.1 Connecting to Multiple APs

There has been much interest in connecting a wireless user to multiple networks. Most prior work uses separate cards to connect to different APs or cellular base stations: "A big, fat access point with a large antenna and a bunch of Wi-Fi cards that automatically connect to the strongest signals it can pick up. Then it would combine all these signals into one freeloading broadband canal for me to use" (V. Boris, 2006). PERM connects multiple Wi-Fi cards to different residential ISPs, probes the latency via each ISP, and assigns flows to cards so as to minimize latency. PERM exploits the diversity of broadband Internet access in residential areas for better last-mile connectivity, and can be deployed immediately at no additional cost (N. Thompson and G. He, 2006). Horde, on the other hand, uses multiple cellular connections from different providers. Besides aggregating bandwidth, Horde lets an application modify the network QoS of its streams; its approach is most useful when different streams value different aspects of network performance and when the available channels have dissimilar or time-varying characteristics (A. Qureshi and J. Guttag, 2005). In contrast to this work, which stripes traffic across independent connections, Kandula (2007) uses the same card to associate and exchange data with multiple APs. FatVAP maintains virtual connections to these APs and switches between them quickly without losing packets already queued.

The closest work to this project is the MultiNet project, later renamed VirtualWiFi. MultiNet abstracts a single WLAN card so that it appears to the user as multiple virtual WLAN cards, each of which can be configured to connect to a different wireless network. It makes simultaneous connections to multiple networks possible by virtualizing a single wireless card: an intermediate layer below IP continuously switches the card across the networks, and the switching algorithm aims to be transparent to the user, who sees the machine as connected to all of them at once (R. Chandra and P. Bahl, 2004). MultiNet applies this idea to extend the reach of APs to far-away clients and to address poor connectivity. FatVAP builds on the MultiNet vision but differs in design and applicability. One major difference is that MultiNet runs on Windows operating systems, whereas FatVAP runs on Linux-based systems. Two principal advantages of FatVAP over MultiNet are the following. First, MultiNet provides the switching capability but does not say which APs a client should toggle between, or how long it should stay on each AP, to maximize its throughput. FatVAP, in contrast, schedules AP switching to maximize throughput and balance load; its load balancer assigns traffic to APs in proportion to the bandwidth obtainable from each. FatVAP does not prevent the user from having multiple cards either: if several cards are present, it uses them to expand the number of APs it switches between and so improves overall throughput. Second, FatVAP can switch APs at a fine time scale without dropping packets, which makes it the only system that maintains concurrent TCP connections on multiple

APs, whereas VirtualWiFi takes much longer to switch between wireless networks, from a few tens of milliseconds up to 600 ms (Ranveer Chandra, 2007).

2.2.2 AP Selection

Current drivers select an AP by signal strength. Prior research has proposed four main alternatives. The first is load-sensitive selection: mobile hosts choose an access point based on both the current signal-to-noise ratio and the current load at the access point, with randomness and hysteresis added to avoid oscillation (G. Judd and P. Steenkiste, 2002). The second is selection by potential bandwidth. S. Vasudevan, D. Papagiannaki and C. Diot (2005) argue that the potential bandwidth between an AP and an end host is an important metric for AP selection, and describe a method for estimating it from the delays experienced by beacon frames from the AP. Beacon frames carry control information, are transmitted on each of the 11 channels, and allow a wireless station to identify nearby access points during passive scanning. The third combines several metrics: Virgil is an automatic AP discovery and selection system that quickly associates to each AP found during a scan and runs a battery of tests to judge its suitability, estimating bandwidth and round-trip time to a set of reference servers. Virgil also probes for blocked or redirected ports, so that selection favours APs that preserve the application services currently in use (Nicholson et al., 2006).

The last approach is fundamentally different from these techniques: rather than picking a single AP, it multiplexes the available APs in a way that maximizes client throughput (Kandula, 2007).

2.3 Summary

In a nutshell, this chapter discussed wireless security and compared it with wired security. It then described the three protocols that provide security in wireless networks. WEP is the protocol initially developed to secure wireless networks; it uses the RC4 stream cipher to encrypt data, and serious security flaws have been identified in it, as explained in 2.1.3. In response to those flaws, WPA was released; it uses TKIP and the MIC to improve data encryption and integrity, and implements 802.1X and EAP to strengthen user authentication. All three mechanisms were then compared with each other. Finally the chapter turned to VirtualWiFi and how it works. Prior work related to VirtualWiFi was divided into two parts: connecting to multiple APs, and the different algorithms and methods for selecting an AP.

Chapter Three: Research Methodology

3.1 Overview

Research methodology concerns the way a new system is built. This chapter describes the research methods and the evaluation methodology used to improve VirtualWiFi by adding two wireless security mechanisms. Several development models can be used to produce a new system (here, a driver), including the Waterfall, Iterative and Spiral models. This research uses the Waterfall model, a sequential development process in which each step starts only when the previous one is complete. The flow of this research is shown in Figure 3.1, and each step is explained in more detail below.

3.2 Literature Review

The literature review covers the concepts related to wireless LANs (Local Area Networks): the standard mechanisms used to secure a wireless LAN, all aspects of the VirtualWiFi driver, and the techniques and theories for connecting to more than one AP (access point) with a single wireless card. These are the tools for approaching the problem statement, and the related previous work is reviewed there as well. Chapter Two explained in detail how WEP works and why users should not rely on it. When the original IEEE 802.11 standard was published, Wired Equivalent Privacy (WEP) was included as the method for secure communication. However, as that chapter described, WEP fell short of real needs in a

number of areas. Understanding WEP's failings first helps to see why the next-generation security methods (WPA, WPA2) are so much stronger. This new generation of methods takes over from WEP and finally meets the needs of both high security and scalability for large systems. All the major weaknesses of WEP are addressed by TKIP, including weak key attacks, lack of tamper detection, lack of replay protection and others. TKIP was designed by some of the most eminent experts in the field, and confidence in the integrity of the solution is high. TKIP has been adopted as part of the WPA certification and is also included as part of RSN in IEEE 802.11i.

VirtualWiFi (previously known as MultiNet) is a virtualization architecture for wireless LAN (WLAN) cards. It creates multiple virtual WLAN adapters from one real adapter, which users see as their WLAN card, and each virtual adapter can be configured to connect to a different wireless network. VirtualWiFi therefore lets a user connect a machine to multiple wireless networks simultaneously with just one WLAN card, enabling applications that were not possible earlier with a single card. VirtualWiFi is implemented on Windows XP, so the next step after identifying the problem is to learn about the driver-level interfaces of Windows XP, the platform of this driver. NDIS (Network Driver Interface Specification) is one of these interfaces. NDIS is an application programming interface (API) at the logical link control (LLC) sublayer, between layer two and layer three of the OSI (Open Systems Interconnection) model. It is the interface used in this research to implement wireless security in the VirtualWiFi driver. All of these points are discussed thoroughly in Chapters Two and Four.

Figure 3.1: Research methodology progress model. Steps, top to bottom: Literature Review (study of Wireless LAN, Wireless Security, VirtualWiFi, NDIS (Network Driver Interface Specification)); System Development (Requirement Analysis, Design, Implementation, Test); Enhance Safety Factor of VirtualWiFi Driver; Data Collection and Analysis (Evaluating and Testing the Proposed Driver); Prepare Report on Output Result.

3.3 System Development

The development of this system consists of five phases:

Requirements: This phase determines what the system does, specifies its characteristics, and collects the requirements needed to develop it. As with every system, the requirements of the proposed driver fall into two categories, functional and non-functional. As mentioned before, the VirtualWiFi driver is implemented on Windows XP, so wireless security mechanisms such as dynamic WEP and WPA must be implemented through interfaces that Windows XP supports. Because the number of APs keeps growing, all changes are made on the end-user (client) side. The system has to handle every kind of wireless security mechanism, and with the proposed driver a Windows XP user has to be able to connect to more than one AP, each using a different security mechanism. The functional requirements follow from the proposed model. Security, safety and response time are the three main non-functional requirements and take priority over the other attributes.

Analysis: This phase analyzes the requirements and works out how the design and implementation phases will meet them. Several steps were taken to prepare the final map of the proposed method. Understanding the VirtualWiFi driver and analyzing how it works is the main step. VirtualWiFi is written in C++. A Windows DDK installation with an XP build environment and a Windows Platform SDK installation are required on the machine used to build it.

The other analysis step is to find out how WPA and the protocols it contains, such as TKIP, can be implemented in the driver. NDIS, one of the driver-level interfaces of Windows XP, is then used to map the wireless security mechanisms onto the VirtualWiFi driver. NDIS supports object identifiers (OIDs) for IEEE 802.11 wireless LAN (WLAN).

Design: The logical part of the system is designed here. This includes which Windows XP interface should be used to solve the problem and make the driver secure, and how that interface (NDIS) performs its task. Most of this phase was done in the analysis phase. In addition, the latest version of the VirtualWiFi driver (version 1.0) is reviewed.

Implementation: The next stage after analysis and design is implementation. Its main purpose is to develop a secured VirtualWiFi driver with WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) implemented in it. One of the main activities is writing C++ code, the language of the latest VirtualWiFi driver, against the NDIS application programming interface (API). For dynamic WEP the key is regenerated at regular intervals; for WPA the TKIP algorithm is built with the NDIS objects described in the next chapter.

Test: In this phase the design, implementation and performance are tested to check all the activities. This final stage checks the system for both security mechanisms used, WEP and WPA. Four scenarios show how the proposed method works with different wireless security mechanisms. In the first scenario open system authentication is tested. In the next scenario static and dynamic WEP are tested. Connecting to an AP protected by WPA is the third scenario. In the last scenario, a wireless domain network with two APs shows how the proposed method connects to two WLANs at once, one using WPA and the other WEP. The scenarios are presented in the last chapter along with the final results.

3.4 Enhance Safety Factor of VirtualWiFi Driver

The latest version of VirtualWiFi (version 1.0) was implemented on Windows XP. Before this driver can be built, a Windows DDK with the XP build environment and the Windows Platform SDK are required on the build machine. The driver is then enhanced by adding the TKIP (Temporal Key Integrity Protocol) algorithm and periodic key change for WEP to the source code, giving a new (proposed) driver that overcomes the lack of security in VirtualWiFi. This process covers both design and implementation. The user then defines an environment variable called SDK_INCLUDE_PATH pointing to the include path of the SDK installation. After the changes have been made to the VirtualWiFi source, install.cpp and virtualwifi.cpp are combined by the service installer. At this point the free build environment of the DDK is selected under Windows XP, and the whole VirtualWiFi source tree is built by running build -ceZ at the command prompt. The implementation of dynamic WEP and WPA, the most significant security protocols for wireless networks, in this specific driver (VirtualWiFi) is explained in the next chapter.

3.5 Data Collection and Analysis

Once the new VirtualWiFi driver has been implemented and the wireless security protocols designed and implemented properly, the defined scenarios are ready to run. First the testbed is designed and the improved driver is tested in different situations. The driver is then examined against wireless networks whose APs use WPA and WEP respectively. If the new driver works with those access points, connecting to two networks that use different security protocols at the same time is tested.

3.6 Prepare Report on Output Result

In this phase the results of the tests of the previous phase are evaluated. In this research, evaluation is done by justifying the test output in the last chapter. The latest VirtualWiFi driver supports only static WEP (Wired Equivalent Privacy), which carries a large risk because the shared secret key used by WEP is static and the driver has no function to exchange it. Comparing the new proposed driver with the previous one is therefore the best evaluation for this research. To achieve this goal four scenarios are defined to check the proposed driver. All these scenarios, discussed in detail in Chapter Five, were run on real networks; no simulator was used.

3.7 Summary

This chapter has described the research methodology used to carry out the research. The explanation is grounded in the literature review, the development methodology, and the comparison of the new proposed driver with its previous version to determine the effect of the proposed model on the system.

Chapter Four: Driver Implementation

4.1 Overview

VirtualWiFi implementations exist for Windows and Linux. VirtualWiFi is an old project: Microsoft started working on it in 2003, and Microsoft Research worked on it actively until 2006. The driver released since then is no longer supported by Microsoft Research, but its source code is available to researchers. In the newer Windows 7, this driver's functionality has been implemented. In early 2008 Srikanth Kandula worked on the same idea for Linux-based systems, but did not implement wireless security. Reading the released driver, which is written in C++, shows that it does not support advanced wireless security such as dynamic WEP and WPA. Our proposed method for providing these mechanisms is to use one of the driver interfaces of Windows XP. NDIS (Network Driver Interface Specification) is the interface between the protocol drivers of layer three and the NIC miniport drivers of layer two in the TCP/IP protocol suite. An intermediate driver at this boundary can expose more than one virtual adapter, each with its own address, for a single wireless card and manage the packets of each through NDIS. Given the structure of the VirtualWiFi driver, wireless security can be implemented with NDIS Object Identifiers (OIDs). This chapter explains what NDIS is and how it works, and then each object used in the driver to implement wireless security.

4.2 NDIS

NDIS is an acronym for Network Driver Interface Specification. Its main purpose is to define a standard API for Network Interface Cards (NICs). The Media Access Controller (MAC) driver holds the implementation details of the NIC's hardware; as long as the medium and network type are the same, any NIC can be accessed through the common programming interface. NDIS also provides a wrapper library of functions with which higher-level protocol drivers such as TCP/IP and the MAC drivers work. Early versions of NDIS were jointly developed by Microsoft and the 3Com Corporation. Novell presented a similar device driver interface for NetWare called the Open Data-Link Interface (ODI). NDIS is a Windows device driver interface through which a single NIC (Network Interface Card) can support multiple network protocols, such as TCP/IP and IPX; it can also be used by ISDN (Integrated Services Digital Network) adapters. A protocol manager inside NDIS accepts requests from the transport layer (network drivers) and passes them to the NIC in the data link layer (layer 2). So if a computer has more than one NIC and connects to multiple networks, NDIS can manage and route traffic to the proper card.

As shown in Figure 4.1, the MultiNet (VirtualWiFi) driver is a virtual driver built on NDIS with two parts: the MultiNet Protocol Driver (MPD) and the MultiNet Miniport Driver (MMD). The MPD binds at its lower edge to the network card's miniport driver, and the MMD binds at its upper edge to the network protocols, such as TCP/IP (Chandra, 2006). The MPD sets up a virtual adapter for each network the wireless card connects to, so each virtual adapter presents itself to the upper layers as a separate NIC bound to one specific network. The MPD also manages and controls the state of the virtual adapters, and buffers packets whose SSID does not match the network the card is currently sending on or receiving from.

Figure 4.1: The modified Windows network stack (Chandra, 2006)

According to Fig. 4.1, the modified parts, namely the MultiNet (VirtualWiFi) driver and its service, have been added to the Windows network stack (specifically Windows XP). The Windows network stack derives from the OSI model, which has seven layers. The Network Driver Interface Specification (NDIS) is a separate component used in the new architecture of the Windows stack. It plays an intermediary role between the next generation of TCP/IP, depicted in Fig. 4.2, and the Network Interface Cards (NICs) (Chereddi, 2007).

Figure 4.2: New Generation of TCP/IP Stack (Windows Network Stack)

A wireless card can only communicate with the network it is associated with. Therefore, if packets are not related to the current network, they are retained and sent to the virtual adapter; the adapter then sends them to the upper layer when the related wireless card is active. The MPD also maintains information about the currently active virtual driver, and the MMD keeps the state of each virtual adapter. In this way, a different IP address for each network can be assigned to one wireless card through this architecture (NDIS). It is also responsible for handling query and set operations meant for the underlying wireless adapter (Chandra, 2006). The general architecture of NDIS as implemented in Windows-based operating systems (OS) is depicted in Figure 4.3.

Figure 4.3: General NDIS Architecture (Microsoft Corporation, 2010)

The NDIS wrapper is a software driver that allows users to connect to network devices by implementing the NDIS interfaces and the Windows kernel. NDIS, as a miniport driver, is located between an upper and a lower layer of the TCP/IP stack. For the upper layer, NDIS supports a driver that receives packets from the application layer (user or kernel); for the lower layer, it supports a driver that gets data from the physical layer (media) and passes it to the upper layers. Therefore, as shown in Fig. 4.3, the NDIS wrapper communicates with the transport layer of the TCP/IP stack on one side and with the Network Interface Card (NIC) on the other.

NDIS is a service with a library in the Windows directory. There are many objects inside it that can be used by users; the area in which these objects are used is conceptually related to layers two and three. As mentioned before, WEP, WPA and the other wireless security methods work in the presentation layer, but for controlling packets and for the authentication process, Object Identifiers (OIDs) work in the layer between two and three to control and manage them. The NDIS library prepares OIDs for WLAN, so these objects are used in this research to add Dynamic WEP and WPA to the VirtualWiFi driver.

NDIS.dll is the library file of the Network Driver Interface Specification in Windows. It can be used to create a new driver or customize an existing one. NDIS supports the Object Identifiers (OIDs) of IEEE 802.11 wireless LAN (WLAN). It has many versions, each supported by specific Windows versions, as follows:

NDIS 2.0: MS-DOS, Windows for Workgroups 3.1, OS/2
NDIS 3.0: Windows for Workgroups 3.11
NDIS 3.1: Windows 95
NDIS 4.0: Windows 95 OSR2, NT 4.0
NDIS 5.0: Windows 98, 98 SE, Me, 2000
NDIS 5.1: Windows XP, Server 2003, CE
NDIS 5.2: Windows Server 2003 SP2
NDIS 6.0: Windows Vista
NDIS 6.1: Windows Vista SP1, Server 2008
NDIS 6.20: Windows 7, Server 2008 R2

4.3 802.11 Wireless LAN Objects

The 802.11 wireless LAN (WLAN) object identifiers (OIDs) are supported by versions 6.0 and later of the Network Driver Interface Specification (NDIS). Miniport drivers that support the 802.11 interface for IEEE 802.11 network interface cards (NICs) must support all mandatory 802.11 OIDs; for some OIDs, support is recommended or optional. The WLAN OIDs are defined in the header file Ntddndis.h and are available through Windows Management Instrumentation (WMI). The WLAN OIDs are listed in Table 4.1; the full name of each object is given in Appendix A. In this table, an X in the respective column indicates that the OID supports query (Q), set (S) or indication (I) operations. The table also indicates mandatory (M), recommended (R) or optional (O) support requirements for different operating systems and for Wireless Privacy Authentication version 1 (WPA) and Wireless Privacy Authentication version 2 (WPA2) (Microsoft Corporation, 2010).

Table 4.1: IEEE 802.11 wireless LAN (WLAN) object identifiers (OIDs)

Shortcut Name        | Q/S/I | Windows 2000 and ME | Windows XP and later | WPA | WPA2
---------------------|-------|---------------------|----------------------|-----|-----
Shortcut             | X X   | M                   | M                    | M   | M
BSSID                | X X   | M                   | M                    | M   | M
SSID                 | X     | R                   | R                    | M   | M
Net.Type.Support     | X X   | O                   | M                    | M   | M
Net.Type.In.Use      | X X   | O                   | O                    | O   | O
Power.Level          | X X   | O                   | M                    | M   | M
RSSI                 | X X   | O                   | O                    | O   | O
RSSI.Trigger         | X X   | R                   | M                    | M   | M
Infra.Mode           | X X   | O                   | O                    | O   | O
Num.Antennas         | X X   | O                   | O                    | O   | O
RX.Antenna.Selected  | X X   | O                   | O                    | O   | O
TX.Antenna.Selected  | X     | O                   | M                    | M   | M
Configuration        | X     | R                   | R                    | R   | R
Disassociate         | X X   | R                   | R                    | R   | R
Power.Mode           | X     | R                   | M                    | M   | M
BSSID.List.Scan      | X     | R                   | M                    | M   | M
BSSID.List           | X X   | O                   | O                    | O   | O
Privacy.Filter       | X     | R                   | M                    | M   | M
Reload.Default       | X X   | R                   | M                    | M   | M
Auth.Mode            | X X   | R                   | M                    | M   | M
Encryp.Status        | X     | M                   | M                    | M   | M
Add.WEP              | X     | R                   | M                    | M   | M
Remove.WEP           | X     | O                   | O                    | M   | M
Add.Key              | X     | O                   | O                    | M   | M
Remove.Key           | X     | O                   | O                    | M   | M
Assoc.Info           | X     | O                   | O                    | M   | M
Test                 | X     | O                   | O                    | O   | M
Capability           | X X   | O                   | O                    | O   | M
PMKID                | X X X | R                   | R                    | R   | R

The OIDs listed above are all the identifiers that can be used for IEEE 802.11 wireless LAN in an NDIS miniport driver. The following OIDs have been used in the VirtualWiFi driver to make it secure: BSSID, SSID, BSSID List Scan, BSSID List, Authentication Mode, Encryption Status, Add and Remove WEP, PMKID, Capability and Association Information.

It is noteworthy that dynamic WEP uses a WEP key that changes periodically (dynamically) for better security. The latest version of VirtualWiFi supports only simple WEP, so when a WEP key is installed by dynamic WEP it is used in the standard way, with the same number of bits, the same IV and the same RC4 algorithm, until the key is changed. Configuring this structure can be done easily in C++. A random number between 10 and 100 seconds is used as the key-change period. Implementing the TKIP algorithm is the main part of the WPA method, which is configured to allow connecting to wireless networks that support WPA. Some OIDs of the NDIS 5.1 library are appropriate for performing the TKIP algorithm in any driver, such as VirtualWiFi, that works on the Windows XP operating system. More details of how these objects have been used in this research are described below.

4.3.1 OID_802_11_BSSID

This object can be set. When it is set, the object sends a request to the miniport driver to set the Media Access Control (MAC) address of the associated access point; after that, the device associates with the specific AP that has the requested BSSID. When the desired BSSID is set, one of the following actions should be taken:

- If the device is associated with an AP that has the same BSSID, the device must reassociate with the AP.
- If the device is associated with an AP that has a different BSSID, the device must disassociate from that AP. The device must then attempt to associate with an AP with the specified BSSID within the current Extended Service Set (ESS).
- If the device is not associated with any AP, the device must attempt to associate with an AP that has the specified BSSID within the current ESS.

When a BSSID is defined, the device should connect to the desired BSSID and cannot disconnect from it or roam to another BSSID. When the BSSID is set to the broadcast MAC address (0xFFFFFFFFFFFF), it is cleared, and after it is cleared the device can search for and connect to any BSSID within the appropriate SSID. When queried, the object requests the MAC address of the AP from the miniport driver. If the device is in ad hoc mode, the driver returns the IBSS MAC address; if the device is neither connected to any AP nor operating in ad hoc mode, the miniport driver returns NDIS_STATUS_ADAPTER_NOT_READY as an error code. The data type for this OID is the NDIS_802_11_MAC_ADDRESS array type, which is defined as follows:

    typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];

4.3.2 OID_802_11_SSID

This object can be set. When it is set, it sends a request to the miniport driver to set the SSID (Service Set Identifier) of the BSS to which the device can connect. If the device connects to the SSID, the miniport driver returns zero for the SsidLength member. The data type for this OID is the NDIS_802_11_SSID structure, which is defined as follows:

    typedef struct _NDIS_802_11_SSID {
        ULONG SsidLength;
        UCHAR Ssid[32];
    } NDIS_802_11_SSID, *PNDIS_802_11_SSID;
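The decision rules of section 4.3.1 and the SSID structure of 4.3.2, as an added example in C; this is not code from the VirtualWiFi driver or from Microsoft. The Windows types UCHAR and ULONG are replaced by fixed-width stand-ins so that it compiles outside the WDK, the function names bssid_set_action and make_ssid are this example's own, and the sample MAC addresses are constructed.

```c
/*
 * Added example, not code from the VirtualWiFi driver or from Microsoft:
 * the action a device must take on an OID_802_11_BSSID set request
 * (section 4.3.1) and a checked builder for the NDIS_802_11_SSID
 * structure (4.3.2). UCHAR/ULONG are fixed-width stand-ins for the
 * Windows types; the struct layouts are the ones given in the text.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  UCHAR;   /* stand-in for the Windows UCHAR */
typedef uint32_t ULONG;   /* stand-in for the Windows ULONG */

typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];

typedef struct _NDIS_802_11_SSID {
    ULONG SsidLength;
    UCHAR Ssid[32];
} NDIS_802_11_SSID;

/* The four outcomes the text prescribes for a BSSID set request. */
typedef enum {
    BSSID_ACTION_REASSOCIATE, /* same AP as now: reassociate with it          */
    BSSID_ACTION_ROAM,        /* other AP: disassociate, then join the target */
    BSSID_ACTION_ASSOCIATE,   /* not associated: join the target              */
    BSSID_ACTION_CLEAR        /* broadcast address: unpin, allow any BSSID    */
} bssid_action_t;

/* ff:ff:ff:ff:ff:ff (0xFFFFFFFFFFFF in the text) clears a pinned BSSID. */
static int is_broadcast_bssid(const UCHAR *a)
{
    for (int i = 0; i < 6; i++)
        if (a[i] != 0xFF)
            return 0;
    return 1;
}

bssid_action_t bssid_set_action(int associated,
                                const NDIS_802_11_MAC_ADDRESS current,
                                const NDIS_802_11_MAC_ADDRESS requested)
{
    if (is_broadcast_bssid(requested))
        return BSSID_ACTION_CLEAR;
    if (!associated)
        return BSSID_ACTION_ASSOCIATE;
    if (memcmp(current, requested, 6) == 0)
        return BSSID_ACTION_REASSOCIATE;
    return BSSID_ACTION_ROAM;
}

/* Fill an NDIS_802_11_SSID from a C string. Returns 0 on success and -1
 * when the name would not fit the fixed 32-byte Ssid array (refusing is
 * safer than silently truncating, which would select a different network).
 * An empty name gives SsidLength 0, the documented "any SSID" request. */
int make_ssid(NDIS_802_11_SSID *out, const char *name)
{
    size_t n = strlen(name);
    if (n > sizeof(out->Ssid))
        return -1;
    memset(out, 0, sizeof(*out));
    out->SsidLength = (ULONG)n;
    memcpy(out->Ssid, name, n);   /* deliberately not NUL-terminated */
    return 0;
}

int main(void)
{
    /* Constructed sample addresses, not from any real network. */
    const NDIS_802_11_MAC_ADDRESS ap1 = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const NDIS_802_11_MAC_ADDRESS ap2 = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66};
    const NDIS_802_11_MAC_ADDRESS any = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    NDIS_802_11_SSID ssid;

    printf("same AP      -> %d\n", bssid_set_action(1, ap1, ap1));
    printf("different AP -> %d\n", bssid_set_action(1, ap1, ap2));
    printf("broadcast    -> %d\n", bssid_set_action(1, ap1, any));
    printf("make_ssid    -> %d, length %u\n",
           make_ssid(&ssid, "NetA"), (unsigned)ssid.SsidLength);
    return 0;
}
```

The point of make_ssid refusing over-long names rather than truncating is that the Ssid member is not NUL-terminated and its length is carried separately in SsidLength; a silent truncation would produce a syntactically valid request for a network the caller never asked for.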

4.3.3 OID_802_11_BSSID_LIST_SCAN

This object identifier requests that the miniport driver direct the 802.11 NIC to survey the BSSs and SSIDs in the network. No data is associated with this object identifier. After the scan, the results are queried with OID_802_11_BSSID_LIST. If the device has a problem such that it cannot scan or cannot finish the request, the miniport driver returns NDIS_STATUS_ADAPTER_NOT_READY as an error. If the radio that receives the signals from the APs is turned off, the driver should return NDIS_STATUS_SUCCESS, and when OID_802_11_BSSID_LIST is then queried, the driver should set the NumberOfItems member of the returned NDIS_802_11_BSSID_LIST_EX to zero.

The driver may receive a set request for this OID, and the device can use three methods to handle it: active scanning, passive scanning, or a combination of the two, to scan for all BSSIDs and SSIDs. When the list of nonbroadcast SSIDs in the driver's cached list is empty, the driver must use active scanning. Minimizing the response time for this object is compulsory for the underlying NIC and miniport driver; for this, active scanning is preferred. When this happens, the device sets some parameters defined in the IEEE 802.11 specifications. These parameters are as follows:

- BSSType: indicates that both the infrastructure BSS and the independent BSS are used.
- BSSID and SSID: indicate that the BSSID or SSID is broadcast.
- ScanType: indicates which scanning method is used, i.e. active, passive or a combination of them.

- ChannelList: indicates all permitted frequency channels. For a NIC that supports both 802.11a and 802.11b, a set request for this OID should scan both the 802.11a and the 802.11b channels.

Therefore, the device should scan all channels between scan periods and return the full scan list when queried. The device can also select and sort the order of channels to determine which channels are scanned first. The miniport driver saves the results in a cache. The cached list includes the BSSIDs of all networks (BSSs) that respond on the frequency channels on which the device can operate; the driver returns it as the result when queried with OID_802_11_BSSID_LIST. The miniport driver must manage this list of scanned BSSIDs in the following ways:

- The driver should clear the scan list before it starts the network scan.
- When the device scans implicitly in the background, it should update the scan list with the newly found BSSIDs.
- If the device connects to a specified BSSID that is not in the scan list, that BSSID and its SSID should be added to the cached list.

The device calls this OID very often, for example every 4 seconds, so the miniport driver should minimize the side effects of performing it.

4.3.4 OID_802_11_BSSID_LIST

When this OID requests a list of all detected BSSIDs and their details, the miniport driver should respond as soon as possible. This list contains all the BSSIDs detected in the most recent scan of the available BSSs.

For all NICs that support both IEEE 802.11a and 802.11b, the miniport driver should scan and save all IEEE 802.11a and b BSSIDs in the list. The data type for this OID is the NDIS_802_11_BSSID_LIST_EX structure, which is defined as follows:

    typedef struct _NDIS_802_11_BSSID_LIST_EX {
        ULONG NumberOfItems;
        NDIS_WLAN_BSSID_EX Bssid[1];
    } NDIS_802_11_BSSID_LIST_EX, *PNDIS_802_11_BSSID_LIST_EX;

The members of this structure contain the following information:

NumberOfItems: the number of items in the Bssid array defined below. Each item contains its length and the MAC address of the AP. This array must contain at least one item; if no BSSIDs are detected, NumberOfItems must be set to zero.

Bssid: an array of NDIS_WLAN_BSSID_EX structures. This structure is defined as follows:

    typedef struct _NDIS_WLAN_BSSID_EX {
        ULONG Length;
        NDIS_802_11_MAC_ADDRESS MacAddress;
        UCHAR Reserved[2];
        NDIS_802_11_SSID Ssid;
        ULONG Privacy;
        NDIS_802_11_RSSI Rssi;
        NDIS_802_11_NETWORK_TYPE NetworkTypeInUse;
        NDIS_802_11_CONFIGURATION Configuration;
        NDIS_802_11_NETWORK_INFRASTRUCTURE InfrastructureMode;
        NDIS_802_11_RATES_EX SupportedRates;
        ULONG IELength;
        UCHAR IEs[1];
    } NDIS_WLAN_BSSID_EX, *PNDIS_WLAN_BSSID_EX;

This structure has the following members:

Length: the length of this structure in bytes. It must be aligned to a 4-byte address boundary; consequently, Length must contain a value that is a multiple of 4 bytes.

MacAddress: the same as the BSSID. Each access point has a unique Media Access Control (MAC) address.

Reserved: should not be used. It keeps the DWORD alignment of the NDIS_WLAN_BSSID_EX structure.

Ssid: a case-sensitive string that is not null-terminated. When this string is empty (the Ssid length set to zero), it requests that the device connect to any available SSID.

Privacy: states the encryption mode, whether WEP, WPA or WPA2. When it is set to zero, privacy is disabled, and vice versa.

Rssi: the Received Signal Strength Indication (RSSI), measured in dBm. The normal range is from -10 dBm through -200 dBm.

NetworkTypeInUse: defined in the NDIS_802_11_NETWORK_TYPE enumeration as one of the types listed below:

- Ndis802_11FH: indicates the physical layer for the frequency-hopping spread-spectrum radio.
- Ndis802_11DS: indicates the physical layer for the direct-sequence spread-spectrum radio.
- Ndis802_11OFDM5: indicates the physical layer for 5-GHz OFDM radios.
- Ndis802_11OFDM24: indicates the physical layer for 2.4-GHz OFDM radios.
- Ndis802_11Automode: indicates that the NIC will operate on all supported and enabled physical layers.

For IBSS nodes or access points that support IEEE 802.11g, the driver should set this parameter to Ndis802_11OFDM24.

Configuration: used for setting the radio parameter configuration in the NDIS_802_11_CONFIGURATION structure.

InfrastructureMode: the network mode, which can be one of the following:

- Ndis802_11IBSS: independent basic service set (IBSS) network mode, also known as ad hoc mode.
- Ndis802_11Infrastructure: infrastructure network mode, also known as extended service set (ESS) mode.
- Ndis802_11AutoUnknown: automatic network mode. In this mode the device can switch between ad hoc and infrastructure networks as required.

SupportedRates: defined as the NDIS_802_11_RATES_EX array, an array of UCHAR containing a set of 16 bytes, each holding a data rate in units of 0.5 Mbps. Any unused field of this array should be zero.

IELength: the number of bytes in the IEs array. If the array has no elements, the driver should set this parameter to zero.

IEs: IE is short for Information Element. These IEs contain information from beacon or probe response messages and must come from the last beacon or probe response received from the BSSID. If an IE is available in only one of the messages, the driver should combine it with the other IEs found in the last beacon or probe response messages. The list of information elements of a member should contain the following:

- The three fixed-size IEs (timestamp, beacon interval and capability information) from the last received beacon or probe response message.

- All variable-length IEs in the order they were received in the last received beacon or probe response, and any variable-length IEs that were not in the last received beacon or probe response. If the last message is a beacon and its SSID is blank, the SSID must be taken from the last probe response received.

The NDIS_802_11_FIXED_IEs structure is used to list the fixed-length information elements:

    typedef struct _NDIS_802_11_FIXED_IEs {
        UCHAR Timestamp[8];
        USHORT BeaconInterval;
        USHORT Capabilities;
    } NDIS_802_11_FIXED_IEs, *PNDIS_802_11_FIXED_IEs;

4.3.5 OID_802_11_AUTHENTICATION_MODE

When this object sends a request, the miniport driver sets the 802.11 authentication mode to the specified mode. If it receives invalid data, the driver returns NDIS_STATUS_INVALID_DATA, and if the mode is not supported, the driver returns NDIS_STATUS_NOT_SUPPORTED. The data passed to this object can be one of the following:

Ndis802_11AuthModeOpen: defines Open System authentication. In this mode no checking is performed for IEEE 802.11 authentication.

Ndis802_11AuthModeShared: defines Shared Key authentication mode in IEEE 802.11. A pre-shared Wired Equivalent Privacy (WEP) key is required for 802.11 authentication.

Ndis802_11AuthModeAutoSwitch: in this mode the device first attempts to use IEEE 802.11 Shared Key authentication, and if that fails, it tries IEEE 802.11 Open System authentication.

Ndis802_11AuthModeWPA: defines WPA version 1 security for infrastructure network mode. If the network is set to ad hoc, the driver should return NDIS_STATUS_NOT_ACCEPTED. In this mode the authentication is carried out between the authentication server, the authenticator and the supplicant over IEEE 802.1X. When the network is set to infrastructure mode and the device finds access points, it connects to an access point that supports WPA authentication type 1 (802.1X).

Ndis802_11AuthModeWPAPSK: defines WPA version 1 security for infrastructure networks. In this mode the (dynamic) encryption keys are derived from a pre-shared key agreed between the supplicant and the authenticator. The device can only connect to an AP that supports authentication suite type 2 (pre-shared key). This mode is used only in infrastructure networks; if the network mode is ad hoc, the driver should return NDIS_STATUS_NOT_ACCEPTED.

Ndis802_11AuthModeWPANone: defines WPA version 1 security for ad hoc networks. In this mode the (static) encryption keys are derived from a pre-shared key without any IEEE 802.1X authentication. This mode is used only in ad hoc networks; if the network mode is infrastructure, the driver should return NDIS_STATUS_NOT_ACCEPTED.

Ndis802_11AuthModeWPA2: defines WPA version 2 security for infrastructure networks. In this mode the (dynamic) encryption keys are derived from the authentication process carried out between the authenticator, the supplicant and the authentication server over IEEE 802.1X. This mode is used only in infrastructure networks; if the network mode is ad hoc, the driver should return NDIS_STATUS_NOT_ACCEPTED.

Ndis802_11AuthModeWPA2PSK: defines WPA version 2 security for infrastructure networks. This mode is the same as Ndis802_11AuthModeWPA2, but the encryption keys are derived from a pre-shared key accepted by both the authenticator and the supplicant.

4.3.6 OID_802_11_ENCRYPTION_STATUS

This object sends a request to the miniport driver to set or change the encryption mode. The encryption mode specifies which cipher suite is appropriate on 802.11 devices. There are three different cipher suites, listed as follows:

Encryption1: Wired Equivalent Privacy (WEP) is the algorithm enabled on the devices. In this mode the devices do not support cipher suites like TKIP or AES, or support them but have them disabled. WEP was the first security option for wireless connections and can be WEP-40 or WEP-104; the numbers give the key length in bits.

Encryption2: in this encryption type, WEP and TKIP are the algorithms used to protect the wireless connection from attacks. AES is either not supported on the devices or disabled.

Encryption3: all three algorithms (WEP, TKIP and AES) are supported on the devices. The AES used in this type is AES-CCMP, so a device that supports another kind of AES cannot advertise or operate in this encryption type.

The error messages that the miniport driver should return to the user are as follows:

- If the miniport driver cannot accept any of the encryption types mentioned above, it should return NDIS_STATUS_NOT_ACCEPTED.
- If the requested mode is invalid, the miniport driver should return NDIS_STATUS_INVALID_DATA.
- If the device does not support TKIP (Temporal Key Integrity Protocol), the miniport driver should fail any request to enable encryption type 2 or encryption type 3 and return NDIS_STATUS_NOT_SUPPORTED.
- If the device does not support AES (Advanced Encryption Standard), the miniport driver should fail any request to enable encryption type 3 and return NDIS_STATUS_NOT_SUPPORTED.
- If WEP, TKIP and AES are enabled and the transmit key is not available, the device should allow unencrypted packets but must prevent other types of packets from being sent.

Table 4.2 shows what the miniport driver returns when it is queried with OID_802_11_ENCRYPTION_STATUS. Two main parameters are given in this table: the encryption mode, and whether the transmit key is absent or not.

Table 4.2: Encryption status in NDIS miniport driver (Microsoft Corporation, 2010)

Encryption mode returned          | AES status               | TKIP status              | WEP status    | Transmit key available
----------------------------------|--------------------------|--------------------------|---------------|-----------------------
Ndis802_11EncryptionNotSupported  | Not supported            | Not supported            | Not supported | No
Ndis802_11EncryptionNotSupported  | Not supported            | Not supported            | Not supported | Yes
Ndis802_11Encryption1KeyAbsent    | Disabled / not supported | Disabled / not supported | Disabled      | No
Ndis802_11EncryptionDisabled      | Disabled / not supported | Disabled / not supported | Disabled      | Yes
Ndis802_11Encryption1Enabled      | Disabled / not supported | Disabled / not supported | Enabled       | No
Ndis802_11Encryption1Enabled      | Disabled / not supported | Disabled / not supported | Enabled       | Yes
Ndis802_11Encryption2KeyAbsent    | Disabled / not supported | Enabled                  | Enabled       | No
Ndis802_11Encryption2Enabled      | Disabled / not supported | Enabled                  | Enabled       | Yes
Ndis802_11Encryption3KeyAbsent    | Enabled                  | Enabled                  | Enabled       | No
Ndis802_11Encryption3Enabled      | Enabled                  | Enabled                  | Enabled       | Yes
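The set-request rules of section 4.3.6 and the "transmit key not yet available" behaviour, as an added example in C; this is not code from the VirtualWiFi driver or from Microsoft. The status_t values are local stand-ins for the NDIS_STATUS_* codes of the WDK headers, cipher_state_t, set_encryption_mode and may_transmit are this example's own names, and the device capabilities are constructed.

```c
/*
 * Added example, not code from the VirtualWiFi driver or from Microsoft:
 * the acceptance rules listed in section 4.3.6 for an
 * OID_802_11_ENCRYPTION_STATUS set request, and the transmit filter that
 * applies while a cipher is enabled but no transmit key is installed.
 * The status values are local stand-ins for the NDIS_STATUS_* codes.
 */
#include <stdio.h>

typedef enum {
    STATUS_SUCCESS,
    STATUS_NOT_SUPPORTED,   /* stands in for NDIS_STATUS_NOT_SUPPORTED */
    STATUS_INVALID_DATA,    /* stands in for NDIS_STATUS_INVALID_DATA  */
    STATUS_NOT_ACCEPTED     /* stands in for NDIS_STATUS_NOT_ACCEPTED  */
} status_t;

/* Encryption modes as numbered in the text: 1 = WEP only (Encryption1),
 * 2 = WEP + TKIP (Encryption2), 3 = WEP + TKIP + AES-CCMP (Encryption3);
 * 0 means encryption disabled. */
typedef struct {
    int wep_supported;
    int tkip_supported;
    int aes_ccmp_supported;
    int mode;             /* currently configured mode, 0..3 */
    int transmit_key_set; /* nonzero once a transmit key is installed */
} cipher_state_t;

/* Apply the rules in the order the text gives them; only a request that
 * passes every check changes the device state. */
status_t set_encryption_mode(cipher_state_t *dev, int requested)
{
    if (requested < 0 || requested > 3)
        return STATUS_INVALID_DATA;      /* not one of the defined modes      */
    if (requested != 0 && !dev->wep_supported)
        return STATUS_NOT_ACCEPTED;      /* device accepts no encryption type */
    if (requested >= 2 && !dev->tkip_supported)
        return STATUS_NOT_SUPPORTED;     /* types 2 and 3 require TKIP        */
    if (requested == 3 && !dev->aes_ccmp_supported)
        return STATUS_NOT_SUPPORTED;     /* type 3 requires AES-CCMP          */
    dev->mode = requested;
    return STATUS_SUCCESS;
}

/* Transmit-side check: with a cipher enabled and the transmit key still
 * absent, only frames that need no encryption may leave the device; a
 * frame that would need the key is held rather than sent in the clear. */
int may_transmit(const cipher_state_t *dev, int frame_needs_encryption)
{
    if (dev->mode == 0 || dev->transmit_key_set)
        return 1;
    return !frame_needs_encryption;
}

int main(void)
{
    /* Constructed device: WEP and TKIP capable, no AES-CCMP. */
    cipher_state_t dev = {1, 1, 0, 0, 0};
    printf("request type 3 -> status %d\n", set_encryption_mode(&dev, 3));
    printf("request type 2 -> status %d, mode %d\n",
           set_encryption_mode(&dev, 2), dev.mode);
    printf("data frame before key -> %s\n", may_transmit(&dev, 1) ? "sent" : "held");
    dev.transmit_key_set = 1;
    printf("data frame after key  -> %s\n", may_transmit(&dev, 1) ? "sent" : "held");
    return 0;
}
```

The order of the checks matters: an out-of-range mode is rejected as invalid data before capability checks, so a malformed request never reports a misleading "not supported", and a failed request leaves the previously configured mode untouched.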

4.3.7 OID_802_11_ADD_WEP

The OID_802_11_ADD_WEP OID requests the miniport driver to set an 802.11 wired equivalent privacy (WEP) key to a specified value. A WEP key can be a "preshared" key (a key provided to the NICs before use) for authentication, encryption or both. There are two types of WEP keys: per-client keys and global keys. Per-client keys are used by devices (users) to send packets to the access point; they support unicast, multicast and broadcast packets sent by devices to the access point. In IEEE 802.11-1999 terminology, per-client keys are referred to as key mapping keys. Global keys are used by devices (users) to receive packets from the access point, although they can be used both to send packets to and to receive packets from the access point. In IEEE 802.11-1999 terminology, global keys are referred to as default keys. The structure of a WEP key is shown below:

    typedef struct _NDIS_802_11_WEP {
        ULONG Length;
        ULONG KeyIndex;
        ULONG KeyLength;
        UCHAR KeyMaterial[1];
    } NDIS_802_11_WEP, *PNDIS_802_11_WEP;

The parameters of this structure are as follows:

Length: the length in bytes, calculated as follows:

    FIELD_OFFSET(NDIS_802_11_WEP, KeyMaterial) + KeyLength

KeyIndex: specifies which key to add or remove. Global keys are represented by values from zero to n. When the most significant bit is set to 1, it indicates the key used to transmit to the access point.

KeyLength: the length of the KeyMaterial array in bytes.

KeyMaterial: an array that contains the WEP key. The length of this array is variable and depends on the KeyLength parameter. If the device does not support the length given in KeyLength, the driver should fail the OID request and return NDIS_STATUS_INVALID_DATA; the distinction between 40-bit and 104-bit WEP is one example of this. The miniport driver does not accept two transmit keys at the same time, so it is not possible to set both a unicast and a broadcast key as the transmit key.

4.3.8 OID_802_11_REMOVE_WEP

When this OID sends a request to the miniport driver, the driver removes the specified WEP key assigned for wireless security. The keys are specified as values from 0 through 255. Bit 31 must be zero; if bit 31 is not zero, the miniport driver must return NDIS_STATUS_INVALID_DATA.

4.3.9 OID_802_11_ASSOCIATION_INFORMATION

When this OID sends a request, the miniport driver returns the Information Elements (IEs) used in the reassociation process or in the last association request and response to/from the access point.

NDIS_802_11_ASSOCIATION_INFORMATION is the data type of this OID. The structure of this data type is specified as follows:

    typedef struct _NDIS_802_11_ASSOCIATION_INFORMATION {
        ULONG Length;
        USHORT AvailableRequestFixedIEs;
        struct _NDIS_802_11_AI_REQFI {
            USHORT Capabilities;
            USHORT ListenInterval;
            NDIS_802_11_MAC_ADDRESS CurrentAPAddress;
        } RequestFixedIEs;
        ULONG RequestIELength;
        ULONG OffsetRequestIEs;
        USHORT AvailableResponseFixedIEs;
        struct _NDIS_802_11_AI_RESFI {
            USHORT Capabilities;
            USHORT StatusCode;
            USHORT AssociationId;
        } ResponseFixedIEs;
        ULONG ResponseIELength;
        ULONG OffsetResponseIEs;
    } NDIS_802_11_ASSOCIATION_INFORMATION, *PNDIS_802_11_ASSOCIATION_INFORMATION;
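The WEP key structure of section 4.3.7, the index rule of 4.3.8 and the dynamic-WEP key-change period of section 4.3, as an added example in C; this is not code from the VirtualWiFi driver or from Microsoft. UCHAR and ULONG are fixed-width stand-ins for the Windows types and FIELD_OFFSET is written as the standard offsetof; the function names build_add_wep, remove_wep_index_valid and next_rekey_delay_seconds are this example's own, the 0..255 index range that the text gives for removal is assumed to apply to adds as well, and the sample key is constructed.

```c
/*
 * Added example, not code from the VirtualWiFi driver or from Microsoft:
 * building a checked OID_802_11_ADD_WEP request (4.3.7), validating an
 * OID_802_11_REMOVE_WEP index (4.3.8), and choosing the next key-change
 * delay for the dynamic WEP scheme of section 4.3 (10 to 100 seconds).
 * Windows types are fixed-width stand-ins and FIELD_OFFSET is offsetof;
 * the 0..255 index range given for removal is assumed to apply to adds.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  UCHAR;   /* stand-in for the Windows UCHAR */
typedef uint32_t ULONG;   /* stand-in for the Windows ULONG */

typedef struct _NDIS_802_11_WEP {
    ULONG Length;
    ULONG KeyIndex;
    ULONG KeyLength;
    UCHAR KeyMaterial[1];  /* KeyLength bytes actually follow */
} NDIS_802_11_WEP;

#define WEP_TRANSMIT_KEY 0x80000000u  /* bit 31 marks the transmit key */
#define WEP40_KEY_BYTES   5           /* WEP-40:  40-bit key           */
#define WEP104_KEY_BYTES 13           /* WEP-104: 104-bit key          */

/* Lay out the request in caller storage. Returns the byte count to hand
 * to the OID, or 0 when the key length is neither WEP-40 nor WEP-104 (the
 * case in which the driver would answer NDIS_STATUS_INVALID_DATA), the
 * index is out of range, or the buffer is too small. */
size_t build_add_wep(void *buf, size_t bufsize, unsigned key_index,
                     int is_transmit_key, const UCHAR *key, size_t key_len)
{
    if (key_len != WEP40_KEY_BYTES && key_len != WEP104_KEY_BYTES)
        return 0;
    if (key_index > 255)
        return 0;
    size_t need = offsetof(NDIS_802_11_WEP, KeyMaterial) + key_len;
    if (bufsize < need)
        return 0;
    NDIS_802_11_WEP *w = (NDIS_802_11_WEP *)buf;
    w->Length    = (ULONG)need;   /* FIELD_OFFSET(..., KeyMaterial) + KeyLength */
    w->KeyIndex  = key_index | (is_transmit_key ? WEP_TRANSMIT_KEY : 0);
    w->KeyLength = (ULONG)key_len;
    memcpy((UCHAR *)buf + offsetof(NDIS_802_11_WEP, KeyMaterial), key, key_len);
    return need;
}

/* OID_802_11_REMOVE_WEP carries a bare index 0..255 with bit 31 clear;
 * anything else must be answered with NDIS_STATUS_INVALID_DATA. */
int remove_wep_index_valid(ULONG index)
{
    if (index & WEP_TRANSMIT_KEY)
        return 0;
    return index <= 255;
}

/* Dynamic WEP: map a random value onto a delay in [10, 100] seconds. The
 * caller supplies the random number so the mapping stays testable. */
unsigned next_rekey_delay_seconds(unsigned random_value)
{
    return 10 + random_value % 91;
}

int main(void)
{
    /* Constructed 40-bit key; not a key from any real network. */
    const UCHAR key[WEP40_KEY_BYTES] = {0x11, 0x22, 0x33, 0x44, 0x55};
    uint32_t storage[8];   /* ULONG-aligned scratch space */
    size_t n = build_add_wep(storage, sizeof storage, 0, 1, key, sizeof key);
    const NDIS_802_11_WEP *w = (const NDIS_802_11_WEP *)storage;
    printf("request bytes %zu, Length %u, KeyIndex 0x%08x\n",
           n, (unsigned)w->Length, (unsigned)w->KeyIndex);
    printf("remove index 3 valid: %d, 0x80000003 valid: %d\n",
           remove_wep_index_valid(3), remove_wep_index_valid(0x80000003u));
    printf("rekey delay for 12345: %u s\n", next_rekey_delay_seconds(12345));
    return 0;
}
```

Because Length is computed from the same key_len that is copied, the driver-side Length check and the bytes actually present always agree, which is the property a miniport relies on when it walks the request.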
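Consuming the NDIS_802_11_ASSOCIATION_INFORMATION structure of 4.3.9 safely, as an added example in C; this is not code from the VirtualWiFi driver or from Microsoft. Each offset/length pair is checked against Length before anything is read, and the variable-length information elements are walked as 802.11 (element id, length, value) triples with bounds checks; the same walk applies to the IELength and IEs members of NDIS_WLAN_BSSID_EX in 4.3.4. Windows types are fixed-width stand-ins, walk_response_ies and build_sample are this example's own names, and the sample buffer (an SSID element, id 0, and a vendor-specific element, id 221) is constructed rather than captured from a driver.

```c
/*
 * Added example, not code from the VirtualWiFi driver or from Microsoft:
 * the NDIS_802_11_ASSOCIATION_INFORMATION buffer a miniport returns is
 * treated as untrusted input. Offset/length pairs are checked against
 * Length before any read, and the variable-length information elements
 * are walked as 802.11 (id, length, value) triples with bounds checks;
 * the same walk applies to IELength/IEs of NDIS_WLAN_BSSID_EX (4.3.4).
 * Windows types are fixed-width stand-ins; the sample is constructed.
 */
#include <stdint.h>
#include <string.h>

typedef uint8_t  UCHAR;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];

typedef struct _NDIS_802_11_ASSOCIATION_INFORMATION {
    ULONG  Length;
    USHORT AvailableRequestFixedIEs;
    struct _NDIS_802_11_AI_REQFI {
        USHORT Capabilities;
        USHORT ListenInterval;
        NDIS_802_11_MAC_ADDRESS CurrentAPAddress;
    } RequestFixedIEs;
    ULONG  RequestIELength;
    ULONG  OffsetRequestIEs;
    USHORT AvailableResponseFixedIEs;
    struct _NDIS_802_11_AI_RESFI {
        USHORT Capabilities;
        USHORT StatusCode;
        USHORT AssociationId;
    } ResponseFixedIEs;
    ULONG  ResponseIELength;
    ULONG  OffsetResponseIEs;
} NDIS_802_11_ASSOCIATION_INFORMATION;

/* Locate the response IE region: its length, or -1 when the header is
 * truncated or the offset/length pair points outside Length. */
static long response_ie_region(const UCHAR *buf, size_t buf_len,
                               const UCHAR **start)
{
    const NDIS_802_11_ASSOCIATION_INFORMATION *ai;
    if (buf_len < sizeof *ai)
        return -1;
    ai = (const NDIS_802_11_ASSOCIATION_INFORMATION *)buf;
    if (ai->Length < sizeof *ai || ai->Length > buf_len)
        return -1;                      /* driver claims more than it sent */
    uint64_t off = ai->OffsetResponseIEs, len = ai->ResponseIELength;
    if (off < sizeof *ai || off + len > ai->Length)   /* 64-bit: no wrap */
        return -1;
    *start = buf + off;
    return (long)len;
}

/* Walk the region as TLVs. want_id >= 0: length of the first element with
 * that id (-1 if absent); want_id < 0: number of elements. An element
 * whose header or value overruns the region fails the whole walk (-1). */
int walk_response_ies(const UCHAR *buf, size_t buf_len, int want_id)
{
    const UCHAR *p;
    long left = response_ie_region(buf, buf_len, &p);
    int count = 0;
    if (left < 0)
        return -1;
    while (left > 0) {
        if (left < 2)
            return -1;                  /* id byte without length byte */
        long elen = 2 + p[1];
        if (elen > left)
            return -1;                  /* value longer than what is left */
        if (want_id >= 0 && p[0] == (UCHAR)want_id)
            return p[1];
        p += elen;
        left -= elen;
        count++;
    }
    return want_id >= 0 ? -1 : count;
}

/* Constructed sample: header, then an SSID element (id 0, "NetA") and a
 * vendor-specific element (id 221). With corrupt != 0, ResponseIELength is
 * inflated past the buffer, as a misbehaving driver might report it. */
size_t build_sample(UCHAR *out, size_t cap, int corrupt)
{
    static const UCHAR ies[] = { 0x00, 4, 'N', 'e', 't', 'A',
                                 0xDD, 3, 0x00, 0x50, 0xF2 };
    NDIS_802_11_ASSOCIATION_INFORMATION ai;
    size_t total = sizeof ai + sizeof ies;
    if (cap < total)
        return 0;
    memset(&ai, 0, sizeof ai);
    ai.Length = (ULONG)total;
    ai.OffsetResponseIEs = (ULONG)sizeof ai;
    ai.ResponseIELength = (ULONG)sizeof ies + (corrupt ? 8 : 0);
    memcpy(out, &ai, sizeof ai);
    memcpy(out + sizeof ai, ies, sizeof ies);
    return total;
}
```

Usage: place the buffer in ULONG-aligned storage, call build_sample(buf, cap, 0) to get the sample, then walk_response_ies(buf, n, -1) counts the two elements and walk_response_ies(buf, n, 0) returns 4, the length of the SSID element; with corrupt set, the inflated ResponseIELength is rejected before a single element is read. The 64-bit addition in response_ie_region is what keeps an OffsetResponseIEs near 0xFFFFFFFF from wrapping around the ULONG range and passing the bound check.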

4.4 Summary

This chapter discussed the Network Driver Interface Specification (NDIS) and how it works as an embedded service in the Windows operating system. As explained, a real wireless network is used to achieve this goal. NDIS is used to obtain the relevant objects that are supported by Windows XP and usable from the C++ programming language. We then explained the objects of the proposed driver code in detail. The concept of WPA, and especially changing the key for each frame, can be realized with these objects. Finally, the next chapter will test the proposed driver with real-time scenarios.

Chapter Five: Testing and Result

5.1 Overview

As mentioned in chapter two, the VirtualWiFi driver is an improved wireless card driver that allows users to connect to more than one Access Point or wireless network domain at the same time with only one WLAN card. It virtualizes the WLAN card so that the machine appears to have more than one card and can therefore associate with more than one access point. In the previous chapter we implemented our proposed driver on Windows XP, and in this chapter we test it on a small-scale IEEE 802.11 wireless network. The proposed driver is used to make the VirtualWiFi driver secure, so we have created a testbed containing one laptop as a user station and one access point; two different brands of access point have been used. Although the only version of the VirtualWiFi driver supports simple WEP, it cannot communicate with any access point that uses Dynamic WEP or WPA as its security protocol. Therefore these two kinds of security algorithms are used on the access points to test our proposed driver. This chapter presents the results of the proposed improved driver and examines whether it can connect to wireless networks with WEP and WPA security individually or simultaneously.

Because we work with a real-time network, it is difficult to show our results in graphical charts. Today, advanced simulators produce graphical charts or diagrams to show how proposed systems or software work; the lack of such tools in real-time projects makes it harder to show how they work. On the other hand, the VirtualWiFi driver is operated from the command prompt. Hence, we present our results as snapshots of the command prompt window to demonstrate our proposed method.

5.2 Result and discussion

In this section we show the test results for each of the wireless security algorithms described in the previous chapters, and the final result is tested by creating scenarios. These scenarios contain two access points, one of which uses WEP to secure its network and the other WPA. As mentioned in chapter two, the main part of implementing WPA is TKIP (Temporal Key Integrity Protocol), which was introduced to overcome the WEP vulnerabilities. It provides a key mixing function: before passing the key to RC4, it concatenates the key with the Initialization Vector (IV). Our proposed VirtualWiFi driver was deployed on one laptop as the user and on two different brands of access point, described in Table 5.1.

Table 5.1: List of instruments for testing

Specification | Laptop (user)                                  | Access Point (1)                            | Access Point (2)
--------------|------------------------------------------------|---------------------------------------------|-------------------------------------------------------------
Device        | DELL Inspiron 6400                             | WGT624v2 108 Mbps Wireless Firewall Router  | DWL-G700AP High-Speed 2.4GHz (802.11g) Wireless Access Point
CPU           | Intel Core 2 Duo                               |                                             |
RAM           | 1 GB                                           |                                             |
WLAN card     | Intel PRO/Wireless 3945ABG Network Connection  |                                             |

Three different scenarios have been tested to prove our proposed method; they are described as follows:

5.2.1 First scenario (Open System Authentication)

In this scenario the access point did not use any authentication: neither WEP nor WPA was applied to secure this wireless network. As depicted in Fig. 5.1, the proposed driver detects the open authentication system and the user can connect to the access points and vice versa. To connect to a network that uses open authentication, the following command should be typed at the command prompt:

    VirtualWiFi install -wep disable -auth open

Figure 5.1: Testing open system authentication

5.2.2 Second scenario (Wired Equivalent Privacy)

In this scenario we tested our driver with a network that used WEP as its wireless security. When the user (laptop) wants to connect to the access point, the following command should be entered at the command prompt:

    VirtualWiFi install -wep <enable/disable> -auth <open/share> -key <KEY>

The key is a 10-character word that has been agreed between the user and the access point.

Fig. 5.2 shows how our proposed method connected to a wireless network that used WEP for security.

Figure 5.2: Testing WEP

5.2.3 Third scenario (WiFi Protected Access)

In the third scenario the main part of our proposed method was tested. The first and only version of the VirtualWiFi driver (version 1.0) supported a limited version of WEP (simple WEP). Although the two previous scenarios can be carried out with that version of the VirtualWiFi driver, connecting to a network with WPA wireless security is unique to our proposed driver. To apply WPA in our proposed driver, the following command should be typed in the command prompt window:

    VirtualWiFi install -wpa <enable/disable> -key <KEY>

The key is an 8- to 63-character passphrase that has been agreed between the user and the access point, but this key is a dynamic key. As mentioned in chapter two, cracking WPA is a very difficult and time-consuming process. If the key has been made from a unique word or phrase, it would not be easy to find, because attacking a network based on WPA security requires the 4-way handshake that carries the authentication parameters. Fig. 5.3 illustrates how our proposed method connected to the WPA-secured network.

Figure 5.3: Testing WPA

5.2.4 Fourth Scenario (Both WEP and WPA)

This fourth and last scenario shows how our proposed improved VirtualWiFi driver connected to two wireless networks at the same time, one using WEP for security and the other WPA. Assume two networks named Net A and Net B: Net A uses WEP and Net B supports WPA as its wireless security. At this point, the user can connect to either of these two networks. Assume the user connects to Net A first (as in the second scenario); the user should then connect to Net B by entering this command at the command prompt:

    VirtualWiFi addnetwork -ssid <ssid> -mode <mode> -wpa <enable/disable> -key <KEY>

Conversely, the user can connect to Net B, which supports WPA, first; this is almost the same as the third scenario. After this, the user can connect to Net A with the command format defined below:

    VirtualWiFi addnetwork -ssid <ssid> -mode <mode> -wep <enable/disable> -auth <open/share> -key <KEY>

Fig. 5.4 illustrates how our proposed improved VirtualWiFi driver connected to the WPA-based and the WEP-based network. Connecting to more than two access points (wireless networks) is also possible in this scenario.

With the release of Windows XP, Microsoft tried to make configuring and connecting to wireless networks easy for everyone. The Wireless Zero Configuration service is the main idea behind managing wireless connections with Windows. Unfortunately, it does not always make sane decisions, which can cause errors that are solved by refreshing or reconnecting. Lines 13 to 16 of Fig. 5.4 show how Wireless Zero Configuration produces an error, but in line 17 the driver checks again (reconnects) for new SSIDs in its network area and finally creates the device handle successfully.

Figure 5.4: Testing WEP and WPA

Chapter Six: Conclusion

6.1 Overview

The popularity of wireless devices is growing in public places such as cafes and metropolitan wireless networks, and also in private places such as offices. That is why the role of the VirtualWiFi driver has become more important. The number of users connected to one access point, load balancing, bandwidth and upload/download speed will, in the near future, push users to connect to more than one access point at the same time. Besides, wireless security has become one of the most important issues in wireless networks. Because of the vulnerabilities of WEP, WPA was introduced in 2003 to solve the problems of WEP. In this research an improved VirtualWiFi driver is proposed to make the driver more secure than the previous version (version 1.0). The first version of this driver supported only simple WEP, which can be cracked very easily. The main idea for adding WPA to this driver was to use NDIS (Network Driver Interface Specification). NDIS is the interface layer in Windows between the protocol drivers (IP) above it and the miniport (network card) drivers below it, that is, at the data link layer of the OSI model. It is part of the Windows operating system and exposes objects (OIDs) that can be used from C++ to implement WPA in this driver.

6.2 Thesis summary

This section gives an overview of what has been done in each chapter, the main ideas of each chapter and the important issues the reader should understand.

The first chapter is the introduction of this report, in which the problem statement, objectives, significance of the research and the methodology used are stated. It starts with an overview of wireless LAN networks. WLAN is standardized by the IEEE as IEEE 802.11, and over the past few years it has seen several enhancements. After that, VirtualWiFi is introduced, the driver that can connect a user to more than one AP simultaneously. Then wireless security and its most important algorithms are briefly described. The problem is that the current version of VirtualWiFi (version 1.0) only supports simple WEP. Because of the known vulnerabilities of WEP, this research aims to provide an alternative by implementing WPA, which is proven to be more secure than WEP.

The second chapter is the literature review. It is divided into two parts. In the first part wireless security is described: WEP and its vulnerabilities, WPA and 802.11i are the three algorithms scrutinized there. In the second part previous work on virtual Wi-Fi is explained.

The third chapter introduces the research methodology. It explains the methods used to carry out the research, grounded in the literature review, the development methodology, and a comparison of the proposed driver with the previous version to find out the effect of the proposed model on the system.

Chapter four explains the use of NDIS, the miniport driver interface in Windows XP, to configure the proposed method. The NDIS library in Windows (ndis.sys) implements the Network Driver Interface Specification; it can be used to create a new driver or to customize an existing one. The structure and algorithm of dynamic WEP can be configured easily in C++: a random interval between 10 and 100 seconds is chosen as the period after which the key is changed.

Implementing the TKIP algorithm is the main part of the WPA method that is configured so that the driver can connect to wireless networks that use WPA. Some OIDs of the NDIS 5.1 library are suitable for performing the TKIP algorithm in any driver that, like VirtualWiFi, works on Windows XP. Chapter five shows the results of testing the implementation of the previous chapter. These results are discussed in full there; in a nutshell, the proposed driver can connect to wireless networks that use WEP or WPA, and it can connect to more than one such network at the same time.

6.3 Contribution and Future Work

The main objective of this research was to improve the VirtualWiFi driver so that it can connect to any access point or wireless network. As mentioned in this research, the latest version of VirtualWiFi was released by Microsoft Research in 2006 and supports only simple WEP. Because of the vulnerabilities of WEP, this research proposed a new VirtualWiFi that can communicate with wireless networks that use WEP and/or WPA. Dynamic WEP, implemented by configuring a periodic key change, and WPA, implemented by configuring the TKIP algorithm, have been added to the VirtualWiFi source code. The overall contribution is that VirtualWiFi has been added as a new service in Windows XP that can connect to more than one wireless network with any of these security algorithms. Although WPA has clear advantages over WEP, it can still be cracked; cracking it is far more time-consuming and requires a complete and comprehensive dictionary, since the attacker must derive a key from every candidate passphrase and check it against a captured handshake. Implementing WPA2 with AES (Advanced Encryption Standard) encryption and 802.1X-based authentication can be considered future work to

make this driver more secure. Establishing this level of security takes time on every association, and keeping that within the switching time of the VirtualWiFi driver will be the main challenge.


Appendix

Appendix A

Real Name of Object                      Shortcut
OID_802_11_BSSID                         BSSID
OID_802_11_SSID                          SSID
OID_802_11_NETWORK_TYPES_SUPPORTED       Net.Type.Support
OID_802_11_NETWORK_TYPE_IN_USE           Net.Type.In.Used
OID_802_11_TX_POWER_LEVEL                Power.Level
OID_802_11_RSSI                          RSSI
OID_802_11_RSSI_TRIGGER                  RSSI.Trigger
OID_802_11_INFRASTRUCTURE_MODE           Infra.Mode
OID_802_11_FRAGMENTATION_THRESHOLD       Frag.Threshold
OID_802_11_RTS_THRESHOLD                 RTS.Threshold
OID_802_11_NUMBER_OF_ANTENNAS            Num.Antennas
OID_802_11_RX_ANTENNA_SELECTED           RX.Antenna.Selected
OID_802_11_TX_ANTENNA_SELECTED           TX.Antenna.Selected
OID_802_11_SUPPORTED_RATES               Supported.Rates
OID_802_11_DESIRED_RATES                 Desired.Rates
OID_802_11_CONFIGURATION                 Configuration
OID_802_11_STATISTICS                    Statistics
OID_802_11_DISASSOCIATE                  Disassociate
OID_802_11_POWER_MODE                    Power.Mode
OID_802_11_BSSID_LIST_SCAN               BSSID.List.Scan
OID_802_11_BSSID_LIST                    BSSID.List
OID_802_11_PRIVACY_FILTER                Privacy.Filter
OID_802_11_RELOAD_DEFAULTS               Reload.Default
OID_802_11_AUTHENTICATION_MODE           Auth.Mode
OID_802_11_ENCRYPTION_STATUS             Encryp.Status
OID_802_11_ADD_WEP                       Add.WEP
OID_802_11_REMOVE_WEP                    Remove.WEP
OID_802_11_ADD_KEY                       Add.Key
OID_802_11_REMOVE_KEY                    Remove.Key
OID_802_11_ASSOCIATION_INFORMATION       Assoc.Info
OID_802_11_TEST                          Test
OID_802_11_CAPABILITY                    Capability
OID_802_11_PMKID                         PMKID
OID_802_11_MEDIA_STREAM_MODE             Media.Stream.Mode