unit1 wirless netwrok
TRANSCRIPT
-
8/9/2019 unit1 wirless netwrok
1/23
WIRELESS NETWORK:
Unit I
MEDIUM ACCESS ALTERNATIVES
SESSION TITLE
Session 1.1. Fixed access for voice oriented networks - TDMA, FDMA
Session 1.2. Code division multiple access
Session 1.3. Comparison of CDMA, TDMA and FDMA
Session 1.4. Comparison of CDMA, TDMA and FDMA
Session 1.5. Random access for data oriented networks
Session 1.6. Hand off
Session 1.7. Channel assignment schemes
Session 1.8. Roaming support
Session 1.9. Security & Privacy
MULTIPLE RADIO ACCESS
Medium Access Alternatives: Fixed-assignment for Voice Oriented Networks, Random Access for Data Oriented Networks, Handoff and Roaming Support, Security and Privacy
Classification of Multiple Access Protocols
1. Fixed-Assignment Access for Voice-Oriented Networks
a. Frequency Division Multiple Access (FDMA)
b. Time Division Multiple Access (TDMA)
c. Code-Division Multiple Access (CDMA)
2. Random Access for Data-Oriented Networks
a. ALOHA-Based Wireless Random Access Techniques
b. CSMA-Based Wireless Random Access Techniques
Multiple access protocols
Contention-based
Random access: ALOHA, CSMA, BTMA, ISMA, etc.
Collision resolution: TREE, WINDOW, etc.
Conflict-free: FDMA, TDMA, CDMA, Token Bus, DQDB, etc.
BTMA: Busy Tone Multiple Access
ISMA: Internet Streaming Media Alliance
DQDB: Distributed Queue Dual Bus
Fixed-Assignment Access for Voice-Oriented Networks
The available spectrum bandwidth for our wireless communication is limited.
Multiple access techniques enable multiple signals to occupy a single communications channel.
Major Types
Frequency division multiple access (FDMA)
Time division multiple access (TDMA)
Code division multiple access (CDMA)
Frequency division multiple access (FDMA)
It assigns an individual frequency to individual users (i.e.) accommodates one user at a time.
Each user is separated by Guard Bands.
The complexity of FDMA mobile systems is lower when compared to TDMA systems.
A guard band is a narrow frequency band between adjacent frequency channels to avoid interference from the adjacent channels.
The number of channels that can be simultaneously supported in a FDMA system is given by
BT -> total spectrum allocation,
BGUARD -> the guard band
BC -> the channel bandwidth
Key Features
If an FDMA channel is not in use, then it sits idle and cannot be used by other users.
The bandwidths of FDMA channels are narrow (30 kHz).
Intersymbol interference is low.
It needs only a few synchronization bits.
Demerits
FDMA systems are costlier because of the single channel per carrier design.
It needs to use costly bandpass filters to eliminate spurious radiation at the base station.
The FDMA mobile unit uses duplexers since both the transmitter and receiver operate at the same time. This results in an increase in the cost of FDMA subscriber units and base stations.
FDMA requires tight RF filtering to minimize adjacent channel interference.
Time Division Multiple Access
TDMA vs FDMA
Time division multiple access (TDMA) systems divide the radio spectrum into time slots.
Each user occupies a cyclically repeating time slot.
A set of N slots forms a Frame.
Each frame is made up of a preamble, an information message, and tail bits.
TDMA systems transmit data in a buffer-and-burst method.
TDMA shares a single carrier frequency with several users, where each user makes use of non-overlapping time slots.
TDMA uses different time slots for transmission and reception.
Adaptive equalization is usually necessary in TDMA systems, since the transmission rates are generally very high as compared to FDMA channels.
High synchronization overhead is required in TDMA systems because of burst transmissions.
Guard Bands are necessary to ensure that users at the edge of the band do not "bleed over" into an adjacent radio service.
Frame Structure
The preamble contains the address and synchronization information that both the base station and the subscribers use to identify each other.
Trail bits specify the start of data.
Synchronization bits will intimate the receiver about the data transfer.
Guard Bits are used for data isolation.
Efficiency of TDMA
where
bOH - no. of overhead bits per frame
br - no. of overhead bits per
bp - no. of overhead bits per preamble in each slot
bg - no. of equivalent bits in each guard time interval
r - reference bursts per frame,
t - traffic bursts per frame
The efficiency of a TDMA system is a measure of the percentage of transmitted data that contains information as opposed to providing overhead for the access scheme.
The total number of bits per frame, bT, is
bT = Tf R
Tf is the frame duration, and R is the channel bit rate
Then the frame efficiency is
And the no. of frames
m - maximum number of TDMA users supported on each radio channel
Spread spectrum multiple access (SSMA)
Frequency Hopped Multiple Access (FHMA)
Direct Sequence Multiple Access (DSMA)
Direct sequence multiple access is also called code division multiple access (CDMA).
Frequency Hopped Multiple Access
The carrier frequencies of the individual users are varied in a pseudorandom fashion within a wideband channel.
The digital data is broken into uniform sized bursts which are transmitted on different carrier frequencies.
Fast Frequency Hopping System -> the rate of change of the carrier frequency is greater than the symbol rate
Slow Frequency Hopping -> the channel changes at a rate less than or equal to the symbol rate
Code Division Multiple Access (CDMA)
The narrowband message signal is multiplied by a very large bandwidth signal called the spreading signal (pseudo-noise code).
The chip rate of the pseudo-noise code is much higher than that of the message signal.
Each user has its own pseudorandom codeword.
Message
PN sequence
CDMA uses co-channel cells
All the users use the same carrier frequency and may transmit simultaneously without any knowledge of others.
The receiver performs a time correlation operation to detect only the specific desired codeword.
All other codewords appear as noise.
Multipath fading may be substantially reduced because the signal is spread over a large spectrum.
Channel data rates are very high in CDMA systems.
CDMA supports soft handoff: the MSC can simultaneously monitor a particular user from two or more base stations. The MSC may choose the best version of the signal at any time without switching frequencies.
In CDMA, the power of multiple users at a receiver determines the noise floor.
In CDMA, stronger received signal levels raise the noise floor at the base station demodulators for the weaker signals, thereby decreasing the probability that weaker signals will be received. This is called the Near-Far problem.
To combat the Near-Far problem, power control is used in most CDMA
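The spreading, correlation receiver and Near-Far effect described above, as an added example that is not part of the original notes. Assumptions: a 31-chip PN code from a 5-stage LFSR, two chip-synchronous users whose codes are cyclic shifts of it, and constructed bit patterns and gains.

```python
def pn_sequence(length=31, seed=(1, 0, 0, 0, 0)):
    """One period of a 5-stage LFSR m-sequence, mapped to +1/-1 chips."""
    bits = list(seed)
    while len(bits) < length:
        bits.append(bits[-3] ^ bits[-5])  # recurrence a[n+5] = a[n+2] XOR a[n]
    return [1 if b else -1 for b in bits[:length]]


def rotate(code, shift):
    """Cyclic shift of a code; used here to give each user its own codeword."""
    return code[shift:] + code[:shift]


def spread(bits, code, amplitude=1.0):
    """Multiply every message bit (+1/-1) by the whole chip sequence."""
    return [amplitude * b * chip for b in bits for chip in code]


def channel(*signals):
    """All users share one carrier: the receiver sees the chip-wise sum."""
    return [sum(chips) for chips in zip(*signals)]


def despread(received, code):
    """Correlate each bit period with one user's code and take the sign."""
    n = len(code)
    decided = []
    for start in range(0, len(received), n):
        corr = sum(r * c for r, c in zip(received[start:start + n], code))
        decided.append(1 if corr > 0 else -1)
    return decided


CODE_A = pn_sequence()
CODE_B = rotate(CODE_A, 7)
BITS_A = [1, -1, 1, 1]   # constructed sample message, user A
BITS_B = [1, 1, -1, 1]   # constructed sample message, user B


def equal_power():
    """Both users arrive at the same level: each is recovered cleanly."""
    rx = channel(spread(BITS_A, CODE_A), spread(BITS_B, CODE_B))
    return despread(rx, CODE_A), despread(rx, CODE_B)


def near_far(interferer_gain=40.0):
    """User B arrives much stronger than user A; return A's decoded bits."""
    rx = channel(spread(BITS_A, CODE_A),
                 spread(BITS_B, CODE_B, interferer_gain))
    return despread(rx, CODE_A)


if __name__ == "__main__":
    print("equal power:", equal_power())
    print("near-far, A decoded:", near_far(), "sent:", BITS_A)
```

The desired user contributes 31 to the correlation and the other user only -1 per unit of amplitude, so user A is lost once user B arrives more than 31 times stronger; equalising received power restores it.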
Random Access for Data-Oriented Networks
In all wireless networks such as cellular telephony or PCS services, all voice-oriented operations use fixed-assignment channel access.
And data related traffic is carried out using Random Access Techniques.
Random access methods provide a more flexible and efficient way of managing channel access for communicating short bursty messages.
It provides each user station with varying degrees of freedom in gaining access to the network whenever information is to be sent.
ALOHA-Based Wireless Random Access Techniques
The original ALOHA protocol is also called pure ALOHA. The ALOHA protocol was developed by the University of Hawaii. The word ALOHA means "hello" in Hawaiian.
The initial system used ground based UHF radios to connect computers on several of the island campuses with the university's main computer center on Oahu, by use of a random access protocol which has since been known as the ALOHA protocol.
Basic Concept
A mobile terminal transmits an information packet when the packet arrives from the upper layers of the protocol stack.
A user accesses a channel as soon as a message is ready to be transmitted.
Each packet is encoded with an error-detection code.
After a transmission, the user waits for an acknowledgment on either the same channel or a separate feedback channel.
The BS checks the parity of the received packet. If the parity checks properly, the BS sends a short acknowledgment packet to the MS.
Collision
The message packets are transmitted at arbitrary times, so there is a possibility of collisions between packets.
After sending a packet the user waits a length of time more than the round-trip delay for an acknowledgment from the receiver.
If no acknowledgment is received, the packet is assumed lost in a collision, and it is transmitted again with a randomly selected delay to avoid repeated collisions.
As the number of users increases, a greater delay occurs because the probability of collision increases.
Pure ALOHA
MERITS:
The advantage of the ALOHA protocol is that it is very simple, and it does not impose any synchronization between mobile terminals.
DEMERITS:
It has low throughput under heavy load conditions.
The maximum throughput of pure ALOHA is 18 percent.
Slotted ALOHA
The maximum throughput of slotted ALOHA is 36 percent.
In slotted ALOHA, time is divided into equal time slots of length greater than the packet duration t.
The subscribers have synchronized clocks and each user will be synchronized with the BS clock.
The user message packet is buffered and transmitted only at the beginning of a new time slot. This prevents partial collisions.
New transmissions are started only at the beginning of a new slot.
Application:
In GSM the initial contact between BS and MS for voice communication is carried out by slotted ALOHA.
De-Merit:
Even though the throughput is higher than pure ALOHA, it is still low for present day wireless communication needs.
Reservation ALOHA
Reservation ALOHA is the combination of slotted ALOHA and time division multiplexing.
In this, certain packet slots are assigned with priority, and it is possible for users to reserve slots for the transmission of packets.
For high traffic conditions, reservations on request offer better throughput.
Packet Reservation Multiple Access (PRMA)
PRMA is a method for transmitting a variable mixture of voice packets and data packets.
This allows each time slot to carry either voice or data, where voice is given priority.
PRMA merges characteristics of slotted ALOHA and TDMA protocols.
It is used for short-range voice transmission where a small delay is acceptable.
The transmission format in PRMA is organized into frames, each containing a fixed number of time slots.
Each slot is named as either "reserved" or "available".
Only the user terminal that reserved the slot can use a reserved slot.
Other terminals not holding a reservation can use an available slot.
Terminals can send two types of information, referred to as periodic and random.
Speech packets are always periodic. Data packets can be random.
Reservation:
A terminal having periodic information to send starts transmitting in contention for the next available time slot.
After completion of transmission the base station grants the sending terminal a reservation for exclusive use of the same time slot in the next frame.
This frame is reserved till the terminal completes its transmission.
The reservation status is reverted when the terminal sends nothing in that frame.
CSMA-Based Wireless Random Access Techniques
De-Merits of ALOHA
1. ALOHA protocols do not listen to the channel before transmission; the users will start transmitting as soon as the message is ready.
2. Efficiency is reduced by the collision and retransmission process.
3. There are no mechanisms to avoid collisions.
CSMA - Carrier Sense Multiple Access
In this, each terminal will monitor the status of the channel before transmitting information.
If there is another user transmitting on the channel, it is obvious that a terminal should delay the transmission of the packet.
If the channel is idle, then the user is allowed to transmit the data packet without any restrictions.
The CSMA protocol reduces packet collisions significantly compared with the ALOHA protocol, but does not eliminate them entirely.
Parameters in CSMA protocols
1. Detection delay - is a function of the receiver hardware and is the time required for a terminal to sense whether or not the channel is idle.
2. Propagation delay - is a relative measure of how fast it takes for a packet to travel from a base station to a mobile terminal.
Propagation delay is important, since just after a user begins sending a packet, another user may be ready to send and may be sensing the channel at the same time.
If the transmitting packet has not reached the user who is poised to send, the latter user will sense an idle channel and will also send its packet, resulting in a collision between the two packets.
propagation delay (td)
where
tp -> propagation time in seconds,
Rb -> channel bit rate
m -> expected number of bits in a data packet
Various strategies of the CSMA
1. NON-PERSISTENT CSMA
In this type of CSMA strategy, after receiving a negative acknowledgment the terminal waits a random time before retransmission of the packet.
2. 1-PERSISTENT CSMA
The terminal senses the channel and waits for transmission until it finds the channel idle. As soon as the channel is idle, the terminal transmits its message with probability one.
3. p-PERSISTENT CSMA
When a channel is found to be idle, the packet is transmitted with probability p. It may or may not be immediate.
4. CSMA/CD
In this the user monitors the channel for possible collisions. If two or more terminals start a transmission at the same time the transmission is immediately aborted midway.
5. Data sense multiple access (DSMA) - is a special type of CSMA that is used to serve the hidden terminals. Cellular networks use different frequencies for the forward and reverse channels. Each MS may not have knowledge about other MSs operating in that area, so it may not know when the channel is idle. For this the BS can announce the availability of the reverse channel through the forward control channel. The BS uses a Busy-Idle bit to announce.
6. Busy tone multiple access (BTMA) - this is a special type of technique where the system bandwidth is divided into a message channel and a busy channel. Whenever a terminal sends data through the message channel it will also transmit a busy-tone in the busy channel. If another terminal senses the busy channel it will understand that the message channel is busy and it will also turn on its busy tone. This acts as an alarm for other terminals.
Handoff
When a mobile user is engaged in conversation, the MS is connected to a
BS via a radio link.
If the mobile user moves to the coverage area of another BS, the radio
link to the old BS is eventually disconnected, and a radio link to the new BS should be established to continue the conversation.
This process is variously referred to as automatic link transfer, handover, or handoff.
Three strategies have been proposed to detect the need for handoff:
mobile-controlled handoff (MCHO)
network-controlled handoff (NCHO)
mobile-assisted handoff (MAHO)
Mobile-Controlled Handoff (MCHO)
The MS continuously monitors the signals of the surrounding BSs and
initiates the handoff process when some handoff criteria are met. MCHO is used in DECT and PACS.
Network-Controlled Handoff (NCHO)
The surrounding BSs measure the signal from the MS, and the network initiates
the handoff process when some handoff criteria are met. NCHO is used in CT-2
Plus and AMPS.
Mobile-assisted handoff (MAHO)
The network asks the MS to measure the signal from the surrounding BSs. The
network makes the handoff decision based on reports from the MS. MAHO is used in GSM and IS-95 CDMA.
Two types of handoff
The BSs involved in the handoff may be connected to the same MSC
(inter-cell handoff or inter-BS handoff)
The BSs involved in the handoff may be connected to two different MSCs
(intersystem handoff or inter-MSC handoff ).
Inter-BS Handoff
The new and the old BSs are connected to the same MSC.
Assume that the need for handoff is detected by the MS; the following actions
are taken:
The MS momentarily suspends conversation and initiates the handoff procedure
by signaling on an idle (currently free) channel in the new BS. Then it resumes the
conversation on the old BS.
Upon receipt of the signal, the MSC transfers the encryption information to the
selected idle channel of the new BS and sets up the new conversation path to the MS through that channel. The switch bridges the new path with the old path and
informs the MS to transfer from the old channel to the new channel.
After the MS has been transferred to the new BS, it signals the network, and
resumes conversation using the new channel.
Upon receipt of the handoff completion signal, the network removes the bridge
from the path and releases resources associated with the old channel.
This handoff procedure is used with the mobile-controlled handoff strategy.
Inter-BS link transfer
Inter-BS Handoff
For the network-controlled handoff strategy, all handoff signaling messages
are exchanged between the MS and the old BS through the failing link.
The whole process must be completed as quickly as possible, to ensure that
the new link is established before the old link fails.
If the new BS does not have an idle channel, the handoff call may be dropped
(or forced to terminate).
The forced termination probability is an important criterion in the performance
evaluation of a PCS network.
Forced termination of an ongoing call is considered less desirable than blocking
a new call attempt.
Most PCS networks handle a handoff in the same manner as a new call attempt.
That is, if no channel is available, the handoff is blocked and the call is held on the
current channel in the old cell until the call is completed or when the failing link is no longer available.
This is referred to as the non-prioritized scheme.
Channel assignment schemes
To reduce forced termination and to promote call completion, three channel
assignment schemes have been proposed:
Reserved channel scheme.
Queuing priority scheme.
Subrating scheme.
Intersystem Handoff
In intersystem handoff, the new and old BSs are connected to two different
MSCs.
We trace the intersystem handoff procedure of IS-41, where network-controlled
handoff (NCHO) is assumed.
In this figure, a communicating mobile user moves out of the BS served by MSC A and enters the area covered by MSC B.
Intersystem handoff requires the following steps:
Step 1. MSC A requests MSC B to perform handoff measurements on the call in
progress. MSC B then selects a candidate BS, BS2, and interrogates it for signal quality parameters on the call in progress. MSC B returns the signal quality
parameter values, along with other relevant information, to MSC A.
Step 2. MSC A checks if the MS has made too many handoffs recently (this is
to avoid, for example, numerous handoffs between BS1 and BS2 where the MS is moving within the overlapped area) or if intersystem trunks are not available. If so,
MSC A exits the procedure. Otherwise, MSC A asks MSC B to set up a voice channel. Assuming that a voice channel is available in BS2, MSC B instructs MSC
A to start the radio link transfer.
Registration Procedure
Visitor Location Register (VLR)
When the mobile user visits a PCS network other than the home system, a
temporary record for the mobile user is created in the visitor location register
(VLR) of the visited system.
The VLR temporarily stores subscription information for the visiting subscribers so that the corresponding MSC can provide service.
In other words, the VLR is the "other" location register used to retrieve
information for handling calls to or from a visiting mobile user.
Home Location Register (HLR)
When a user subscribes to the services of a PCS network, a record is created
in the system's database, called the home location register (HLR).
This is referred to as the home system of the mobile user.
The HLR is a network database that stores and manages all mobile subscriptions
of a specific operator.
Specifically, the HLR is the location register to which an MS identity is
assigned for record purposes, such as directory number, profile information, current location, and validation period.
WIRELESS SECURITY AND PRIVACY
The broadcast nature of wireless communications renders it very susceptible to malicious interception and wanted or unintentional interference.
Analog techniques are extremely easy to tap. Digital systems such as TDMA and CDMA are much harder to tap.
Wireless security is necessary to prevent the unauthorized access or damage to computers using wireless networks.
There are two names you need to know in a wireless network:
Station (STA) -> is a wireless network client: a desktop computer, laptop, or PDA
Access point (AP) -> is the central point (like a hub) that creates a basic service set to bridge a number of STAs from the wireless network to other existing networks.
Modes of unauthorized access
1. Accidental association
2. Malicious association
3. Ad-hoc networks
4. Non-traditional networks
5. Identity theft (MAC spoofing)
6. Man-in-the-middle attacks
7. Denial of service
8. Network injection
9. Caffe Latte attack
1. Accidental association
Violation of the security perimeter of a corporate network unintentionally.
2. Malicious association
When wireless devices can be actively made by attackers to connect to a company network through their cracking company access point (AP).
These types of laptops are known as soft APs and are created when a cyber criminal runs some software that makes his/her wireless network card look like a legitimate access point. Once access is gained, he/she can steal passwords, launch attacks on the wired network, or plant Trojans.
3. Ad-hoc networks
Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security.
4. Non-traditional networks
Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured.
5. Identity theft (MAC spoofing)
Identity theft occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges.
6. Man-in-the-middle attacks
In this the hacker will include a soft AP into a network. Once this is done, the hacker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent hacking computer to the real network.
7. Denial of service
A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted Access Point or network with bogus requests, premature successful connection messages, failure messages, and other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash.
8. Network injection
In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs.
A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
9. Caffe Latte attack
The Caffe Latte attack is another way to defeat WEP.
It is not necessary for the attacker to be in the area of the network using this exploit.
By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted Address Resolution Protocol (ARP) requests, the assailant takes advantage of the shared key authentication and the message modification flaws in WEP.
The Attack Methodology
1. Footprint the wireless network - Locate and understand your target.
2. Passive attack - Analyze the network traffic or break the WEP.
3. Authentication and authorization - Determine what methods are enforced and how they can be circumvented.
4. Active attack - Launch denial of service (DoS) attacks.
Defense Mechanisms
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access-2 (WPA-2)
Wired Equivalent Privacy (WEP)
WEP is a standard network protocol that adds security to wireless networks at the data link layer. WEP utilizes a data encryption scheme called RC4 for data protection.
RC4 (also known as ARC4 or ARCFOUR) is the most widely used software stream cipher and is used in popular protocols.
RC4 generates a pseudorandom stream of bits.
Standard 64-bit WEP uses a 40 bit key (WEP-40) and a 24 bit initialization vector.
128-bit WEP protocol using a 104-bit key size (WEP-104) and a 24 bit initialization vector.
Initialization vector (IV) is a fixed-size input which is used for randomization of key. The purpose of an IV is to prevent any repetition.
Authentication
The client sends an authentication request to the Access Point.
The Access Point replies with a clear-text challenge.
The client encrypts the challenge-text using the configured WEP key, and sends it back in another authentication request.
The Access Point decrypts the response. If this matches the challenge-text the Access Point sends back a positive reply.
Disadvantages
The same traffic key must never be used twice.
But a 24-bit IV is not long enough to ensure this on a busy network.
In August 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir published a cryptanalysis of WEP that decodes the way the RC4 cipher and IV is used in WEP.
Using a passive attack they were able to recover the RC4 key after eavesdropping on the network.
A successful key recovery could take as little as one minute depending on the traffic.
WEP is replaced by WPA (Wi-Fi Protected Access)
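Why "the same traffic key must never be used twice" and why a 24-bit IV cannot guarantee it, as an added example that is not part of the original notes. Assumptions: the RC4 seed is the IV followed by the WEP key, the integrity check value is left out, and the key, IV and frame contents are constructed samples.

```python
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Per-frame traffic key = IV || key; only the 3-byte IV changes."""
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Chance that at least two of `frames` randomly chosen IVs are equal."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * space))


def frames_for_collision(prob: float = 0.5, iv_bits: int = 24) -> int:
    """Frames needed before a repeated IV is expected with probability prob."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))


WEP_KEY = bytes.fromhex("0102030405")        # constructed 40-bit key
IV = bytes.fromhex("000001")                 # constructed 24-bit IV
P1 = b"GET /index.html HTTP/1.1"             # constructed frame body
P2 = b"constructed sample frame".ljust(len(P1))[:len(P1)]


def keystream_reuse():
    """Two frames under one IV: the keystream cancels out of c1 XOR c2."""
    c1 = wep_encrypt(IV, WEP_KEY, P1)
    c2 = wep_encrypt(IV, WEP_KEY, P2)
    mixed = xor_bytes(c1, c2)                # equals P1 XOR P2, no key needed
    return mixed, xor_bytes(P1, P2), xor_bytes(mixed, P1)


if __name__ == "__main__":
    mixed, plain_xor, recovered = keystream_reuse()
    print("c1^c2 == p1^p2:", mixed == plain_xor)
    print("p2 from known p1:", recovered)
    print("frames for 50% IV repeat:", frames_for_collision())
```

With randomly chosen IVs a repeat is more likely than not after about 4,800 frames, and a sequential IV counter wraps after 2^24 frames, which is why a changing per-packet key (as in TKIP) was introduced.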
Wi-Fi Protected Access(WPA)
The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP.
WPA uses Temporal Key Integrity Protocol (TKIP) to bolster encryption of wireless packets.
Wi-Fi Protected Access(WPA)
TKIP
TKIP encryption replaces WEP's 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change.
TKIP uses a 128-bit per-packet key; it dynamically generates a new key for each packet and prevents collisions.
It has an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
WPA with TKIP provides 3 levels of security
1. TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization.
2. WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point.
3. TKIP implements a 64-bit Message Integrity Check (MIC)
Merits and Demerits
TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks.
But the message integrity check, per-packet key hashing, broadcast key rotation, and a sequence counter prevent many attacks.
The key mixing function also eliminates the WEP key recovery attacks.
Beck-Tews attack has successfully extracted the keystream
Ohigashi-Morii attack
Japanese researchers Toshihiro Ohigashi and Masakatu Morii reported a simpler and faster implementation of a similar attack.
It utilizes a similar attack method, but uses a man-in-the-middle attack.
WPA 2
WPA2 (Wireless Protected Access 2) replaced the original WPA technology on all certified Wi-Fi hardware since 2006.
WPA2 uses Pre-Shared Key (PSK) instead of TKIP
WPA2 Pre-Shared Key (PSK) utilizes keys with 256 bits
There are two versions of WPA2
WPA2-Personal - protects against unauthorized network access by utilizing a set-up password
WPA2-Enterprise - verifies network users through a server.
WPA2 is backward compatible with WPA.