Security in Wireless Local Area Networks (WLANs)
DOI: http://dx.doi.org/10.5772/intechopen.89857

Major research domains in WLAN security include access control and data frame protection, lightweight authentication, and secure handoff. The access control standard IEEE 802.11i provides flexibility in user authentication but, on the other hand, falls prey to Denial of Service (DoS) attacks. For protecting the data communication between two communicating devices, three standard protocols are used: WEP (Wired Equivalent Privacy), TKIP (Temporal Key Integrity Protocol) and AES-CCMP (Advanced Encryption Standard, Counter mode with CBC-MAC Protocol). Of these, AES-CCMP is secure enough and is the one mostly used in enterprises. In the WLAN environment, lightweight authentication is an asset, provided it also satisfies other security properties, such as protecting the authentication stream or token along with securing the transmitted message. CAPWAP (Control and Provisioning of Wireless Access Points), HOKEY (Handover Keying) and IEEE 802.11r are the major protocols for executing a secure handoff. In WLANs, a handoff should not only be completed within the time limits required by real-time applications but should also safely transfer the keying material for further communication. In this chapter, a comparative study of the security mechanisms under the above-mentioned research domains is provided.


Introduction
Wireless Local Area Networks (WLANs) provide an extension to the wired network. The wireless stations (STAs) connect to an Access Point (AP) for communication. The messages exchanged between an STA and the AP are visible to other STAs lying within communication range. This makes WLANs insecure, and hence WLANs require protection.
As with any other computer network, the major security goals in WLANs are confidentiality, integrity and availability (termed the CIA triad). Prominent techniques that help in attaining these goals include access control, authentication, encryption and message authentication codes (MAC). Under the access control domain, entity authentication is performed initially. Depending upon the entity authentication results, access into the WLAN is controlled. For controlling access into WLANs, IEEE 802.11i (WPA2) is the main standard [1]. This standard provides flexibility in user authentication but has several issues under Denial of Service (DoS) attacks [2]. For providing protection to individual WLAN data frames, encryption mechanisms like WEP (Wired Equivalent Privacy) are applied. Also, no extra messages are required. Their improvement is more useful under frequent key refreshing situations, where users are joining and leaving the wireless environment frequently, as in a short-duration conference/workshop or in the lounge of a railway station/airport. The improved technique provides a secure authentication mechanism, and no explicit synchronization is required in case of loss of frames. The timing analysis done in the work shows that this technique is effective, while the security analysis shows that it enjoys almost equivalent security compared with the 4-way handshake of 802.11i. Removal of the handshake ensures that the attacks conducted on the 4-way handshake are also removed.
Another improvement to the 802.11i standard is proposed by Singh and Sharma [8], wherein a novel sequence-number-based scheme is proposed to reduce the MIC field overhead in WLANs. The existing security frameworks (WPA, 802.11i) provide a MIC for maintaining the integrity and authentication of each data frame. The MIC is kept in a separate field of the frame and hence adds to the communication overhead. The scheme of Singh and Sharma [8] introduces the notion of an authentication token (AT). This AT is calculated from the existing sequence number of the WLAN frame and serves both frame integrity and frame authentication purposes. After calculation, it is placed in the sequence number field of the WLAN frame instead of the sequence number, which means no extra bit or field overhead is involved. As the MIC field is removed and AT placement requires no overhead, the scheme is effective as far as WLAN communication overheads and space management are concerned. In addition, the authors have shown that their method is resistant against replay attacks and have also provided details on how to attain synchronization in case of frame loss.
In October 2017, a new and major weakness was documented in the WPA2 WLAN standard, termed the Key Reinstallation Attack or KRACK [9]. It was noted that this affected all kinds of WLAN security, and hence the reputation of WPA2 declined. The WPA2 standard also suffered under DoS attacks. Hence, the Wi-Fi Alliance came up with an improvement, termed WPA3. Its main features are: (1) ease of use, (2) natural password selection, (3) an improved and robust handshake and (4) forward secrecy. WPA3 is backward compatible with WPA2, which means that upgraded devices can work in WPA2 or WPA3 mode [10]. Market adoption of this standard is now picking up, and it will take some more time to stabilize. Thus, this work on WLAN security considers the presently widespread standard, i.e., WPA2.
Li et al. proposed an initial entity authentication scheme termed the fast WLAN initial access authentication protocol (FLAP) [11]. FLAP is targeted towards making access authentication faster by reducing the number of initial authentication messages. It is assumed in the protocol that the STA and AS share a common secret key, which simplifies the entire mechanism. Overall, this method involves 6 messages (approximately two round-trip times, Figure 1), proves STA authentication at the AS via the shared key, has a key hierarchy equivalent to 802.11i and protects the messages by MIC. Through practical measurements it is shown that FLAP can improve the efficiency of EAP-TLS by 94.7 percent. It is suggested that this method is compatible with 802.11i and can coexist with the existing 802.11i standard; depending upon circumstances, either 802.11i or FLAP can be chosen from the suite selector. Like the standard 802.11i security protocol, the FLAP scheme also depends upon the MIC for frame integrity and authentication, despite the fact that MIC verification is computation intensive. This protocol hence may fall easy prey to Denial of Service (DoS) attacks wherein the attacker sends a large number of frames having incorrect MICs. Successive MIC failures on the receiver result in a kind of DoS attack termed a computation DoS attack [12].
Singh and Sharma [13] proposed an access control authentication scheme, SWAS (Secure WLAN Authentication Scheme). The scheme introduces the concept of delegation in WLANs and provides access to clients only upon authentication. SWAS provides authentication of all parties (STA, AP and AS) and evolves a fresh key for securing the data sessions. In addition, it provides security to all messages by utilizing cryptographic primitives such as encryption and a Message Integrity Code (MIC). The proposed scheme reduces the length and complexity compared to the IEEE 802.11i authentication and key derivation process, and the use of cryptographic techniques does not increase its authentication time. The scheme reduces the communication cost and network overhead and is also resilient against DoS attacks. Therefore, the main contribution of SWAS is to provide a secure and efficient authentication mechanism that evolves fresh communication keys.
The SWAS scheme involves three parties: STA, AP and AS. It has three phases: registration phase, request phase and authentication phase. Initially, STA registration is performed at the AS and is required only once in a given network. In registration, the AS utilizes the delegation concept and generates a shared secret key (σ) for the AS and STA [14]. The registration phase is followed by the request phase, where the existing 802.11 probe request and probe response messages are utilized by the STA to request network connection and access. After the request phase, SWAS authentication is performed to authenticate and to derive a new communication key that is used to protect the data packets in subsequent sessions.
Both online and offline authentication are used in the SWAS scheme. Online authentication provides authentication and security to all messages among STA, AP and AS. It utilizes three random numbers (r1, r2, r3) and a sequence number (s1) to ensure proper encryption, authentication and key freshness. In addition, it maintains a key hierarchy similar in purpose to that of 802.11i, with a Master Session Key (MSK), Pairwise Master Key (PMK) and Pairwise Transient Key (PTK). The PTK evolved on the STA and AP during the authentication process is used to encrypt the data packets between them. A simplified view of the SWAS online authentication message exchanges (M1, M2, M3 and M4) is shown in Figure 2. In this figure it is clearly visible that each of STA, AP and AS authenticates the others through various passcode/digital signature verifications. The passcode is nothing but information protected (through cryptographic means) for the other party. Offline authentication is required whenever a new session key between the same STA and AP is needed. It does not involve the AS; rather, it uses information previously stored at the STA and AP. Offline authentication is done via a re-association request and utilizes a loosely synchronized sequence number scheme [15].
The salient features of SWAS include: (1) resistance to DoS attacks in almost all the phases, (2) less communication and computation time as compared with the IEEE 802.11i standard, (3) authentication of all the associated parties, i.e., STA, AP and AS, by each other and (4) authentication of all the messages used during all the protocol communication phases. The shortcomings include: (1) lack of a practical demonstration of the protocol and (2) no extension of the scheme to handoff situations has been provided till date.
Authentication per frame and symmetric-key-based encryption is an implicit necessity for security in Wireless Local Area Networks (WLANs). Singh and Sharma [16] proposed a novel symmetric-key-based access control and per-frame authentication scheme for WLANs termed the Key Hiding Communication (KHC) scheme. The KHC scheme has two phases: an initial phase and a communication phase. The former is utilized for sharing and evolving the master key (MK) between STA and AP, whereas the latter is utilized for onward data frame communication using the (refreshed) keys. The major contribution of this scheme is the introduction of the novel concepts of refreshing the key, protecting the key and initial vector (IV) using different counters, and then mixing the bytes of the protected key and IV together for each communicated frame. The mixing is based upon the shared secret key, and hence only the two communicating parties, i.e., STA and AP, can mix and separate the bytes of key and IV. The protected mixed bytes are termed the codeword, while the concept of mixing the protected key and IV bytes is termed key hiding. The codeword is added to the WLAN frame. This addition of the codeword to the existing WLAN frame occupies extra space, and hence the scheme has an extra space overhead. Integrity of the frame is provided via MIC. A new key and new IV for the next frame to be transmitted are evaluated from the existing secret key and existing IV; evaluation of the new key and new IV is termed key and IV refreshing. The refreshed new key and new IV are first protected using incremented values of the counters and then mixed together to form the new codeword. The verification and separation of the key and IV from the transmitted codeword provides frame authentication. Once the frame is authenticated, its integrity is verified through MIC verification involving the key. Frame authentication is lightweight in KHC as it involves trivial increment, XOR and modulus operations. Thus, KHC follows the notion of frame authentication first and then checking the frame integrity, for protection against computation DoS attacks.
The separated key and IV are used to decrypt the frame contents and are also used to confirm the frame integrity via MIC. A simplified overview of the KHC communication process is shown stepwise in Figure 3. In a nutshell, KHC introduces the concept of key hiding, which involves protecting the key using counters followed by mixing of the refreshed key and IV, i.e., mapping of the refreshed key and IV. Through this process of forming the codeword, the secret symmetric key remains concealed from the attacker. The recipient extracts the key from the codeword and compares it with its own evaluated key, thereby authenticating the sender. The key, along with the IV, is then used to decrypt the sender's data frame. Thus, KHC is a useful WLAN communication scheme that is not only secure but also efficient. The major contributions made by KHC are: (1) a lightweight WLAN communication methodology, (2) utilization of symmetric-key-based encryption/decryption, (3) per-frame key refreshment, (4) protection against computation DoS attacks and (5) security comparable to that of 802.11i.
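The following is an added toy model of the key hiding concept just described; it is illustrative code written for this discussion, not the KHC authors' algorithm or implementation. Both ends refresh the frame key and IV for every frame, protect them with separate counters, mix the protected bytes into a codeword under a master-key-derived byte permutation, and the receiver separates and compares before any MIC check or decryption. The SHA-256 refresh, HMAC-based counter masks, keyed permutation, HMAC keystream stand-in cipher and LOOKAHEAD window are all assumptions of this model.

```python
import hashlib
import hmac

KEY_LEN = IV_LEN = 16
CW_LEN = KEY_LEN + IV_LEN
LOOKAHEAD = 4    # refresh steps a receiver tries in order to bridge lost frames (assumed)

def refresh(key, iv):
    """One-way per-frame refresh of (key, IV); a captured key yields no earlier key."""
    d = hashlib.sha256(b"KHC-refresh" + key + iv).digest()
    return d[:KEY_LEN], d[KEY_LEN:CW_LEN]

def protect(mk, data, counter):
    """Protect key or IV bytes: XOR with a mask derived from MK and the incremented counter."""
    mask = hmac.new(mk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, mask))

def mixing_order(mk):
    """MK-keyed byte permutation: byte i of protected key||IV lands at codeword position order[i]."""
    return sorted(range(CW_LEN), key=lambda i: hashlib.sha256(mk + bytes([i])).digest())

def mix(mk, pkey, piv):
    """Form the codeword by scattering protected key and IV bytes under the permutation."""
    cw, src = bytearray(CW_LEN), pkey + piv
    for i, j in enumerate(mixing_order(mk)):
        cw[j] = src[i]
    return bytes(cw)

def separate(mk, cw):
    """Inverse of mix(): only a holder of MK recovers the protected key and IV."""
    src = bytes(cw[j] for j in mixing_order(mk))
    return src[:KEY_LEN], src[KEY_LEN:]

def keystream_xor(key, iv, data):
    """Stand-in symmetric cipher (HMAC keystream); the real scheme would use TKIP/AES."""
    ks = b"".join(hmac.new(key, iv + bytes([n]), hashlib.sha256).digest()
                  for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mic(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Endpoint:
    """One side of the link; STA and AP each hold an identical, synchronised instance."""

    def __init__(self, mk, key0, iv0):
        self.mk = mk
        self.state = (key0, iv0, 0, 1000)    # current key, IV, key counter, IV counter

    @staticmethod
    def _next(state):
        key, iv, kc, ic = state
        key, iv = refresh(key, iv)
        return key, iv, kc + 1, ic + 1

    def send(self, plaintext):
        self.state = self._next(self.state)
        key, iv, kc, ic = self.state
        cw = mix(self.mk, protect(self.mk, key, kc), protect(self.mk, iv, ic))
        body = keystream_xor(key, iv, plaintext)
        return {"cw": cw, "body": body, "mic": mic(key, cw + body)}

    def receive(self, frame):
        """Plaintext if the frame is authentic, else None.  Codeword comparison
        (byte operations only) comes first; MIC and decryption run only for
        authenticated frames, and state advances only on success, so bogus
        frames can neither cost a MIC check nor desynchronise the receiver."""
        rkey, riv = separate(self.mk, frame["cw"])      # un-mix what the sender hid
        cand = self.state
        for _ in range(LOOKAHEAD):
            cand = self._next(cand)
            key, iv, kc, ic = cand
            if (rkey, riv) == (protect(self.mk, key, kc), protect(self.mk, iv, ic)):
                break
        else:
            return None                                   # hidden key is not ours
        if not hmac.compare_digest(mic(key, frame["cw"] + frame["body"]), frame["mic"]):
            return None                                   # authentic sender, damaged frame
        self.state = cand
        return keystream_xor(key, iv, frame["body"])

def demo():
    """Constructed session: frame 0 delivered, frame 1 lost, frame 2 delivered,
    then a copy of frame 2 with one codeword bit flipped.  Also reports whether
    the two delivered codewords differ (the hidden key and IV change per frame)."""
    mk, k0, iv0 = b"master-key-example-only-0123", b"k" * KEY_LEN, b"i" * IV_LEN
    sta, ap = Endpoint(mk, k0, iv0), Endpoint(mk, k0, iv0)
    f = [sta.send(b"frame %d" % i) for i in range(3)]
    ok0, ok2 = ap.receive(f[0]), ap.receive(f[2])
    bad = dict(f[2], cw=bytes([f[2]["cw"][0] ^ 1]) + f[2]["cw"][1:])
    return ok0, ok2, ap.receive(bad), f[0]["cw"] != f[2]["cw"]
```

Running demo() returns (b"frame 0", b"frame 2", None, True): the lost frame is bridged by the lookahead, the tampered copy is dropped before any MIC work, and no two codewords on the air are alike.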

Comparisons of various WLAN access control mechanisms
A property-wise comparison between prominent WLAN access control security mechanisms is presented in Table 1. WEP, though deprecated, is mentioned here for the sake of completeness. It can be noted that WEP provides weak authentication, integrity and encryption support. Further, WEP does not consider key and IV refreshing. IEEE 802.11i is a strong protocol as it maintains strong authentication, integrity and encryption. It involves a large number of messages and hence consumes time during initial authentication. For key refreshing, it involves a 4-way handshake having 4 message exchanges between STA and AP. This 4-way handshake is the major concern in 802.11i: it is prone to DoS attacks and KRACK attacks. FLAP and SWAS both enjoy features similar to those of 802.11i, with the difference that fewer messages are exchanged for symmetric key evaluation in FLAP and SWAS. In FLAP, very few, i.e., approximately 6 messages are exchanged for the key evaluation (including those between STA and AP). In SWAS, only four (4) initial messages are required during online authentication (including those between STA and AP) for sharing the PTK, and during offline authentication only two messages are required for refreshing the shared symmetric key. The KHC scheme adopts an interesting methodology which is different from the other access control protocols. It does not use any third party like the AS in the authentication process and hence involves fewer messages. It provides an implicit key hiding per-frame authentication procedure that is capable of communicating the key to the other entity and is able to refresh not only the shared key but also the IV for encrypting each frame. Thus, the fewest messages are required for key refreshing among all the access control WLAN security mechanisms. Also, the adopted methodology of key refreshing, protection and mapping makes cracking of the key difficult for the attacker. In contrast to WEP, the IV is hidden and not visible to the attacker. The other access protocols do not have the notion of an IV.
SWAS requires 2 frames for key refreshing, whereas in KHC it is handled implicitly. In [11], the average authentication delays of EAP-TLS and FLAP are evaluated as 260.253 and 13.884 ms, respectively. In [13], the total time for SWAS authentication is found to be of the order of 26.46 ms (including time for DoS protection). In [16], the key refreshing timings of 802.11i and KHC are shown as 13.5 ms and 7.5 ms, respectively.
The security comparison shown in Table 3 clearly indicates that the SWAS and KHC schemes provide almost equivalent, and better, security. 802.11i is prone to DoS attacks, whereas FLAP is prone to replay and man-in-the-middle attacks. Obviously, the security of FLAP is the least, and hence it is not much used presently.
In most of the WLAN access control mechanisms (except KHC), authenticity of the data frame is usually provided by the MIC. MIC-based per-frame authentication may lead to computation DoS. Hence, a lightweight per-frame authentication solution is required. It is discussed next.

Frame authentication
In WLANs, two-layer redundant security exists: one at the Medium Access Control (MAC) layer, the other at the higher layer dealing with end-to-end security. In the former, 802.11i provides security, while in the latter, higher-layer protocols like IPsec, SSL/TLS etc. provide security. Hence, it is suggested that lightweight authentication and symmetric-key-based cryptographic measures per frame should be used.
For providing individual frame-level protection, two kinds of per-frame authentication exist in WLANs: MIC-based authentication and lightweight authentication. MIC-based frame authentication for data frames is utilized by standard WLAN protocols like IEEE 802.11i, FLAP etc. In these protocols, each frame is accompanied by a unique MIC calculated using the sender's shared secret key. The receiver verifies it by recalculating and matching using its shared secret key. The MIC calculation and verification consume computation time of the order of 1.5 ms and, as shown in Section 2 for the FLAP protocol, computation DoS attacks are a possibility [12, 17, 18]. The main reason for the computation DoS attack is that the MIC is serving two purposes: authentication and message integrity. Instead, lightweight authentication should be used first; if it succeeds, frame integrity (MIC) should be checked, and only for those frames whose authentication has succeeded. This reduces the DoS attacker's chances. Thus, lightweight authentication techniques which use less computation time may prove useful.
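As an added example (not code from any of the cited works), the following model compares a MIC-first receiver with one that gates the MIC behind a lightweight check, using a sequence-number-derived authentication token carried in the sequence-number field, in the spirit of the Singh and Sharma [8] scheme described earlier. The token construction (truncated HMAC-SHA256), the 8-byte MIC, the WINDOW for tolerating lost frames and the shared key are assumptions of this example.

```python
import hashlib
import hmac
import os

SEQ_BITS = 12               # width of the 802.11 sequence-number field
SEQ_MOD = 1 << SEQ_BITS
WINDOW = 8                  # lost frames the receiver can skip over (assumed)


def auth_token(key, seq):
    """12-bit authentication token (AT) for a sequence number; it is carried in
    the sequence-number field instead of the plain number (assumed construction)."""
    tag = hmac.new(key, seq.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big") % SEQ_MOD


def frame_mic(key, header, payload):
    """Full-frame MIC: the costly check the receiver wants to run as rarely as possible."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:8]


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def build(self, payload):
        header = auth_token(self.key, self.seq).to_bytes(2, "big")
        self.seq = (self.seq + 1) % SEQ_MOD
        return {"hdr": header, "body": payload, "mic": frame_mic(self.key, header, payload)}


class Receiver:
    def __init__(self, key, auth_first):
        self.key, self.auth_first = key, auth_first
        self.expected = 0           # next sequence number we expect
        self.mic_checks = 0         # cost counter: MIC verifications performed

    def _match_token(self, header):
        """Sequence number whose AT equals the header, or None.  Only the next
        WINDOW numbers are tried: a replayed (older) frame or one built under
        another key fails here cheaply, while a frame after a loss still matches."""
        at = int.from_bytes(header, "big")
        for s in range(self.expected, self.expected + WINDOW):
            if auth_token(self.key, s % SEQ_MOD) == at:
                return s % SEQ_MOD
        return None

    def _mic_ok(self, frame):
        self.mic_checks += 1
        expected = frame_mic(self.key, frame["hdr"], frame["body"])
        return hmac.compare_digest(expected, frame["mic"])

    def receive(self, frame):
        if self.auth_first:             # lightweight check gates the MIC
            seq = self._match_token(frame["hdr"])
            if seq is None or not self._mic_ok(frame):
                return False
        else:                           # MIC-first: every bogus frame costs a MIC
            if not self._mic_ok(frame):
                return False
            seq = self._match_token(frame["hdr"])
            if seq is None:
                return False
        self.expected = (seq + 1) % SEQ_MOD     # resynchronise past any lost frames
        return True


KEY = b"shared-key-for-example-only-0123"      # constructed, not a real credential


def flood_cost(n_bogus, auth_first):
    """MIC verifications a receiver spends on n_bogus random frames (constructed flood)."""
    rx = Receiver(KEY, auth_first)
    for _ in range(n_bogus):
        rx.receive({"hdr": os.urandom(2), "body": os.urandom(32), "mic": os.urandom(8)})
    return rx.mic_checks


def legit_session():
    """Deliver frames 0 and 1, lose frame 2, deliver frame 3, then replay frame 1."""
    tx, rx = Sender(KEY), Receiver(KEY, auth_first=True)
    f = [tx.build(b"data %d" % i) for i in range(4)]
    return [rx.receive(f[0]), rx.receive(f[1]), rx.receive(f[3]), rx.receive(f[1])]


if __name__ == "__main__":
    print("MIC-first receiver :", flood_cost(1000, False), "MIC checks for 1000 bogus frames")
    print("auth-first receiver:", flood_cost(1000, True), "MIC checks for 1000 bogus frames")
    print("ok, ok, lost->ok, replay:", legit_session())
```

The MIC-first receiver spends one MIC verification per bogus frame, whereas the auth-first receiver spends almost none; the legitimate session shows the lost frame being bridged and the replayed frame rejected without a MIC computation.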
The lightweight authentication schemes [19-25] generate random authentication bits at sender and receiver using a random bit generator with a commonly shared secret seed as input. These authentication bits are inserted into the WLAN frames. Upon verification of the authentication bits, the frame is accepted at the receiver. Though such schemes provide authentication, they usually lack other security measures like key freshness, secrecy and integrity. A brief tabulation of these schemes is presented in Table 4, showing the advantages and disadvantages of each.

Comparisons of various lightweight authentication mechanisms
All the schemes considered in Table 4 provide per-frame continuous authentication. The schemes of Pepyne et al. [25] and Singh and Sharma [26] support integrity: the former supports CRC-based weak integrity, while the latter supports MIC-based strong integrity. The schemes of Pepyne et al. [25] and Singh and Sharma [26] also support encryption: the former supports RC4-based weak encryption, while the latter supports TKIP/AES-based strong encryption. All the schemes considered use their own synchronization algorithm; in fact, the scheme by Wang et al. [22] uses three different synchronization algorithms. The schemes by Ren et al. [23], Lee et al. [24], Pepyne et al. [25] and Singh and Sharma [26] involve initial message exchanges. Key freshness is incorporated by Pepyne et al. [25] and Singh and Sharma [26]. None of these involves extra messages for evolving a new symmetric key (key renewal).
Considering the memory requirements of these schemes, Singh and Sharma [26] has the greatest (912 bits) while Lee et al. [24] has the lowest (24 bits). The others, except Pepyne et al. [25], have 256-bit memory requirements; Pepyne et al. [25] has a 384-bit memory requirement. As far as communication overheads are concerned, Johnson et al. [19, 20] and Ren et al. [23] require 3 bits per frame and 7 bits per ACK frame for the counter. Wang et al. [21, 22] has no extra bit requirement, as these keep the authentication bits in the unused type and subtype fields of the 802.11 frame. Lee et al. [24] requires four extra frames, each having 3 authentication bits. Pepyne et al. [25] requires 128 bits per frame for keeping the counter. The ASN-based scheme by Singh and Sharma [26] has no explicit requirement but requires 48 bits per ACK for synchronization.

On comparing the computational performance of the lightweight authentication schemes mentioned in Table 4, it is found that Pepyne et al. [25] and Singh and Sharma [26] take more computational time as compared with the others. Singh and Sharma [26] takes more computational time due to the fact that it involves MIC evaluation and encryption of the frame for enhancing security. It is shown in [26] that, considering only the authentication, the computational cost is 0.5 microseconds, which implies that it is the same as that of the other lightweight solutions.
Except for Pepyne et al. [25], the chances of brute-force attacks on the authentication bits embedded in the frames are quite high in these schemes. Except for Pepyne et al. [25] and Singh and Sharma [26], the possibilities of frame content modification, man-in-the-middle attacks, replay attacks and DoS attacks are quite high. Pepyne et al. [25] and Singh and Sharma [26] do not allow frame content modification or DoS attacks. Pepyne et al. [25] suffers under man-in-the-middle and replay attacks.
Though KHC is considered in this chapter initially under the access control mechanisms, it also involves lightweight per-frame authentication and needs a special mention in this sub-section. In comparison with the schemes mentioned in Table 4, KHC has a longer initial entity authentication process. KHC also has raised memory requirements, but it meets important security features like forward secrecy, key refreshing, lightweight per-frame authentication, per-frame encryption etc. required of any WLAN security protocol.
Apart from the two main authentication types, i.e., MIC-based authentication and lightweight authentication, the others are password key exchange mechanisms and layered authentication. The password key exchange mechanisms [27, 28] provide mutual authentication between client and authentication server (AS), identity privacy, half forward secrecy and low computation cost for a client. These mechanisms lack some of the mandatory and recommended requirements for key exchange methods [29]. Also, these schemes provide authentication at the AS level only, while ignoring authentication at the AP level. Layered authentication, achieved by EAP, which acts as the basis for higher-layer authentication protocols, contains certain vulnerabilities, e.g., no identity protection, no protected cipher suite negotiation and no fast reconnection capability [29].

Table 4 (row fragment recovered from extraction). Singh and Sharma [26]: utilizes the sequence number of the frame along with the authentication stream generators for authentication.

Secure handoff
WLAN handoffs are essential for providing continuous mobility to a wireless station in an enterprise LAN. Two important requirements of the handoff are: (1) establishment of a secure connection between the roaming STA and the new access point (AP) and (2) completion of the handoff within time limits such that the ongoing communication remains unaffected. The time limit on handoff for multimedia and real-time WLAN applications is approximately 50 ms [30]. During this period no data packet transfer occurs. As per the 802.11i WLAN security standard, the complete secure STA authentication (default full EAP/TLS) via the AS, evolving a shared secret key between STA and AP, takes time of the order of 300 ms to 4 s [12] and hence is unfit for handoffs. For reducing this time, the notion of pre-authentication is introduced, wherein full 802.1X authentication involving the AS is done utilizing the old AP and the candidate AP (new AP). Hence, at the time of handoff only the 4-way handshake is required between the STA and the candidate AP. In this pre-authentication process, an inaccurate candidate AP prediction has associated resource wastage issues, as full 802.1X authentication will again be required [31]. Researchers have considered predictive authentication and proactive key distribution for reducing handoff times. The former involves predicting the candidate AP, whereas the latter involves locating a group of candidate APs. Thus, in the former the problem of inaccurate candidate AP prediction exists, whereas in the latter the problem of extra communication overhead for authentication with a group of APs exists.
Researchers have also worked towards reactive solutions, wherein the candidate AP is selected by the STA and then the security context is transferred to this AP. In such solutions, the STA sends a request to the AS via the old AP; the AS then transfers the security context and material to the candidate AP. Singh and Sharma [32] proposed one such novel secure handoff scheme that maintains security properties while evolving and transferring the security context (key and initial vector) to the candidate AP. The scheme is lightweight and uses a reactive method for handoff. Two kinds of APs are defined in the scheme: the normal AP and the Domain Controller AP (DCAP). The STA requests the DCAP, through its AP, by including the ID of the candidate AP. The DCAP in turn distributes the STA context (key and initial vector) to the candidate AP. Thus, when the STA roams into the area of the candidate AP, less time is involved in STA authentication at the candidate AP.
For providing fast and secure handoff for mobile STAs in WLANs, the standards bodies IEEE and IETF have defined protocols like Control and Provisioning of Wireless Access Points (CAPWAP), Handover Keying (HOKEY) and IEEE 802.11r (Task Group r) [5]. CAPWAP supports centralized management of APs. HOKEY extends the Authentication, Authorization and Accounting (AAA) architecture to support key derivation and distribution without involving a full EAP authentication. 802.11r depends upon passing credentials directly between APs for handover. Though CAPWAP takes very little time, it is more or less a re-authentication with the centralized Access Controller (AC), followed by key transfer to the new Wireless Termination Point (WTP). HOKEY is successful across multiple domains, but it takes more communication time. Among these three (CAPWAP, HOKEY and 802.11r), 802.11r is the most efficient in terms of communication overheads, but it still has issues concerning the safe transfer of keys between APs.

Comparisons of various handoff mechanisms
CAPWAP and HOKEY do not change the existing 802.11 frame structure. 802.11r is a separate protocol and hence has a different frame structure. All except the CAPWAP scheme generate fresh session keys. Fresh traffic keys are generated by all the schemes. The communication overhead of the KHC-based handoff scheme is less compared to any other scheme. This handoff scheme shortens the handoff latency by initiating a key transfer process prior to moving to the new AP and performing the handoff. It strengthens security by (1) protecting STAs from re-associating to malicious APs, (2) evolving fresh keys even during the handshake, (3) authenticating all the frames during the handoff, (4) safeguarding against DoS attacks and (5) providing continuous authentication during communication.

Conclusions
This chapter discusses the present WLAN security environment. It is clear that the WLAN security environment till date is dominated by the WPA2 (IEEE 802.11i) standard. Researchers have pointed out the length and complexity of WPA2. The major point of concern in WPA2 is the key refreshing mechanism, i.e., the 4-way handshake, due to which WLAN security is considered vulnerable. Researchers hence target reducing the length of this handshake while keeping the security properties intact.
The chapter also studies other WLAN security mechanisms proposed by researchers and categorizes them into: (i) access control, (ii) per-frame authentication and (iii) secure handoff mechanisms. It provides a category-wise comparative analysis of these mechanisms. Three mechanisms are considered in the access control category. Among them, Key Hiding Communication (KHC) is the most attractive, but it requires changes in the existing WLAN frame structure. The per-frame category is further sub-categorized into: (a) per-frame authentication mechanisms utilizing MIC and (b) lightweight per-frame authentication mechanisms. For enhancing security, most of the per-frame authentication solutions rely on the MIC for both authentication and integrity of the frame. It is shown that this MIC verification involves computation time, and a large number of such verifications may result in a computation DoS attack on the receiver. The researchers hence advocate separating the authentication and integrity parts in per-frame authentication. The lightweight per-frame authentication mechanisms are lightweight in nature but lack security properties like key refreshing, secrecy and integrity. In this chapter, several handoff mechanisms for the WLAN environment are also discussed, and it is concluded that none guarantees to maintain the required level of security within the specified handoff time limits.
WLAN security is undergoing a transformation from WPA2 to WPA3. WLAN security is strengthened in the upcoming standard, i.e., WPA3. It is very early to comment on the effectiveness of WPA3, and it is evident that the existing WLAN devices will continue to use WPA2. The new upcoming WLAN devices will obviously maintain backward compatibility with WPA2. Thus, researchers can still target testing the implementation of 802.11i with novel ideas like MIC reduction, 4-way handshake reduction and blockchain application in WLANs [33]. In the wireless medium, per-frame lightweight authentication mechanisms will prove an edge, and in future researchers may consider developing such solutions. For maintaining uninterrupted communication, a quick, accurate and secure handoff is the need of the hour. Hence, researchers in future may consider the implementation of efficient and secure handoff mechanisms using WPA3.

Figure 1. A simplified overview of the initial access authentication protocol (FLAP).

Figure 2. A simplified overview of the online authentication phase of the SWAS scheme.

Figure 3. A simplified overview of the communication phase of the KHC scheme.

As shown in Table 2, the memory requirements of WEP are the least. 802.11i has more memory requirements than WEP but less than the others. Among the others, SWAS has the highest while FLAP has the lowest memory requirements. Communication overhead analysis shows that (1) KHC and WEP involve per-frame overheads, whereas in the others it is done implicitly, and (2) KHC is efficient in key refreshing as compared to the others. For key refreshing, each of 802.11i and FLAP requires 4 frames.

Table 1. Property-wise comparison of WLAN access control security mechanisms.

Table 4. Comparison of per-frame WLAN authentication solutions.