
Kshitiz Saxena / International Journal of Engineering Science and Technology

Vol. 2(8), 2010, 3657-3661

The Analyses of Wireless Encryption Protocol - Proposed Enhancement to Handshake Mechanism in WPA
Kshitiz Saxena
Department of Computer Science
NITTTR
Sec-26, Chandigarh
ABSTRACT
In this paper we have analyzed wireless encryption protocols and have proposed enhancements to the existing
handshake mechanism in WPA by using Elliptic Curve Cryptography.
KEYWORDS
802.11, Handshake Mechanism, WEP, WPA, Encryption Technologies, TKIP, Wireless security, ECC
1. Introduction

The IEEE 802.11 standard offers a wide gamut of wireless encryption technologies ranging from WEP to WPA2. WEP
has been in use for a good time now, but several attacks [1][2][3][4][5][6] have forced IEEE to come up with a
revised standard, IEEE 802.11i, which uses WPA2 as an ultimate solution to securing data in WLANs. However,
attacks have been reported on WPA's variants TKIP and CCMP, and a weak passphrase could easily lead to a
compromise of the shared secret key.
2. Modifications to Handshake Mechanism in WPA

The proposed modification is to change the way the secret shared key is used. There are two essential pillars of
wireless security, namely authentication and confidentiality. Authentication is defined in RFC 4949 as the process of
verifying a claim that a system entity or system resource has a certain attribute value. RFC 4949 defines
confidentiality as the property that data is not disclosed to system entities unless they have been authorized to know
the data. The IEEE 802.11i standard is designed with authentication and confidentiality as principal paradigms, and
WPA/WPA2 are built on these aspects of wireless network security.
A proposed standard for network authentication is the Extensible Authentication Protocol (EAP), which supports
multiple authentication methods. The protocol is implemented in the data link layer and there are many variants of
the protocol, each providing a way by which a user is authenticated prior to being granted access to a network. A pre-shared key (PSK) is used in place of an authentication server, but a globally shared key doesn't prevent a user from
denial of service (DoS) attacks.
The 802.11b standard proposed Wired Equivalent Privacy (WEP) as an encryption mechanism, but it has been proved
that a complete key recovery (figure 1) is possible within minutes [1][2][3][4]. The new standard 802.11i was
proposed to resolve this vulnerability by employing the Counter-mode/CBC MAC protocol (CCMP), which uses
temporal keys and employs a resilient encryption algorithm (AES).

Figure 1: A snapshot illustrating recovery of WEP key within minutes

ISSN: 0975-5462

The Wi-Fi Alliance introduced the Temporal Key Integrity Protocol (TKIP) to provide backward compatibility with
existing equipment. TKIP provides WEP encryption with temporary keys (like CCMP). Before the TKIP/CCMP
protocols can be used, a four-way handshake (figure 2) establishes the framework needed to generate temporal keys.
[Figure 2 content: messages exchanged between AUTHENTICATOR and SUPPLICANT, in order]
PMK {ANounce, msg1}
PMK {SNounce, msg2, MIC}
PMK {ANounce, msg3, MIC}
PMK {msg4, MIC}

Figure 2: 4-way handshake in WPA protocol

This handshake was modified from the original four-way handshake due to reported DoS attacks and is incorporated as
is in 802.11i. Figure 2 shows the 4-way handshake, whose purpose is to establish the pairwise transient key
(PTK) to be used for symmetric encryption in further communication. An eavesdropper is prevented from
deducing the key as the PTK is a temporary key which is changed periodically (3600 seconds on most APs). A pairwise
master key (PMK), supplicant nonce (SN), supplicant MAC address (SA), authenticator nonce (AN), and
authenticator MAC address (AA) are used to derive the PTK using a function which could be logically represented
as:
    PTK = F(PMK, "Pairwise key expansion", min(AA,SA) || max(AA,SA) || min(ANounce,SNounce) || max(ANounce,SNounce))
An eavesdropper who is an insider may eavesdrop to obtain secret information for personal gain; figure 3
illustrates such an attempt:

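[Figure 3 content: an INTRUDER observes the handshake between AP and STA]
INTRUDER:
. Decrypts handshake with PSK
. Sniffs MAC addresses (SA, AA)
. PTK = F(PMK, AA, SA, ANounce, SNounce)
Messages between AP and STA:
PMK(ANounce, msg1)
PMK(SNounce, msg2, MIC)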

Figure 3: An insider with PSK can sniff classified information
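
The derivation behind figure 3, as an added example (not code from the paper): it follows the standard 802.11i construction, with PBKDF2 turning the passphrase into the PMK and the HMAC-SHA1 PRF playing the role of F. The SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, sa, anonce, snonce, nbytes=64):
    """PTK = F(PMK, label, min(AA,SA)||max(AA,SA)||min(AN,SN)||max(AN,SN))."""
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, LABEL, data, nbytes)

# Constructed sample values (not taken from any capture).
SSID, PASSPHRASE = "example-wlan", "constructed sample passphrase"
AA = bytes.fromhex("020000000001")   # authenticator MAC
SA = bytes.fromhex("020000000002")   # supplicant MAC
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

def station_and_insider_ptk():
    """Every holder of the PSK computes the same PMK, hence the same PTK."""
    station = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SA, ANONCE, SNONCE)
    # The insider's inputs: the shared passphrase plus values visible on the air.
    insider = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SA, ANONCE, SNONCE)
    return station, insider

if __name__ == "__main__":
    station, insider = station_and_insider_ptk()
    print("PTK identical for any PSK holder:", station == insider)
```

Nothing in the inputs is private to the station, which is why a shared PSK gives no confidentiality between users of the same WLAN.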

On the other hand an outsider (also an eavesdropper) needs to depend on a weak passphrase to gain access to the
network by capturing a single packet and using brute force attacks (e.g. by the use of coWPAtty/Aircrack-ng suite).
Figure 4 illustrates one such example:


Figure 4: Aircrack-ng successfully cracking WPA-PSK

Our proposed modifications to WPA are meant to thwart malicious attacks by both insider and outsider
eavesdroppers. Another key exchange protocol (Diffie-Hellman key exchange) has been proposed and can be used
here, but we shall soon see the underlying benefits of an Elliptic Curve Cryptography (ECC) based key exchange
protocol.
ECC has shown better results and has been standardized in the IEEE P1363 standard for Public-Key Cryptography.
Figure 5 illustrates our proposed ECC based key exchange protocol:
[Figure 5 content: steps at the AP and STA and the messages exchanged, in order]
AP:  nA - Access Point Key; calculate PA = nA X G
PMK {ANounce, msg1, G, Eq, PA}
STA: nB - Random Key; calculate PB = nB X G
PMK {SNounce, msg2, PB, MIC}
AP:  calculate PHK = nA X PB
STA: calculate PHK = nB X PA
PHK {ANounce, msg3, MIC}
PHK {msg4, MIC}

Figure 5: Improved 4-way handshake using ECC

The figure explains how our proposed key exchange management is better than the existing one.
Here it is important to understand that the supplicant's key nB (which is a private key) is a randomly generated key,
whereas nA is the authenticator's key (shared). The global parameters are Eq(a,b), an elliptic curve with
parameters a, b and q, where q is either a prime or an integer of the form 2^n, and G, a point on the elliptic curve whose order
is a large value n. The Public Handshake Key (PHK) is a transient key and is used for subsequent encryption of messages.
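
The exchange of figure 5 carried through in code, as an added example (not code from the paper). The curve E_211(0,-4), the base point G = (2,2) and the scalars nA = 121, nB = 203 are assumed sample values small enough to follow by hand and give no security; the on-curve check on the received point is an addition the figure does not show.

```python
Q, A, B = 211, 0, -4      # toy curve E_211(0, -4): y^2 = x^3 - 4 over GF(211)
G = (2, 2)                # base point (assumed sample value)
INF = None                # point at infinity

def on_curve(P):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x * x * x + A * x + B)) % Q == 0

def add(P, R):
    if P is INF:
        return R
    if R is INF:
        return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % Q == 0:
        return INF                       # P + (-P), or doubling a point with y = 0
    if P == R:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % Q, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def mul(n, P):
    """Double-and-add scalar multiplication n X P."""
    result = INF
    while n:
        if n & 1:
            result = add(result, P)
        P = add(P, P)
        n >>= 1
    return result

def phk(own_private, peer_public):
    """PHK = n X P_peer, refusing points that are not on the agreed curve."""
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public point rejected")
    return mul(own_private, peer_public)

def handshake(n_a, n_b):
    p_a = mul(n_a, G)            # PA, carried in msg1
    p_b = mul(n_b, G)            # PB, carried in msg2
    return p_a, p_b, phk(n_a, p_b), phk(n_b, p_a)

if __name__ == "__main__":
    p_a, p_b, ap_phk, sta_phk = handshake(121, 203)   # constructed scalars
    print(p_a, p_b, ap_phk, sta_phk, ap_phk == sta_phk)
```

PA and PB travel in messages protected only by the PMK and the MIC, so the point arithmetic itself says nothing about who sent them.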

The security of ECC depends on how difficult it is to determine PHK. This is referred to as the elliptic curve logarithm
problem. The fastest known technique for taking the elliptic curve logarithm is the Pollard rho method.
Table 1 shows key sizes in terms of computational effort for cryptanalysis. As can be seen, a smaller key size can
be used for ECC. ECC therefore has a computational advantage, with a shorter key length than any other cryptosystem.
Table 1: Key sizes in terms of computational effort for cryptanalysis

Symmetric Scheme     ECC-Based Scheme
(Key size, bits)     (Size of n, bits)
56                   112
80                   160
128                  256
256                  512

The ECC based key exchange protocol generates transient keys; it is faster, better, and more secure than Diffie-Hellman
key exchange. Furthermore, PHK is resilient to man-in-the-middle attacks, unlike Diffie-Hellman key exchange, as
the private keys are held by the authenticator and supplicant separately, and even with a weak PMK during the 4-way
handshake the STA can choose a longer key (unlike the conventional process), thereby ensuring a more secure
WLAN. Even if an insider hacker captures the first two exchanges, since the PHK is derived from the private keys
of the AP and STA, such an effort would not compromise the security of the WLAN.
It is important to understand that our proposed scheme requires less memory, and the choice of a longer key on
STAs can be justified as STAs have more processing capabilities than APs.
3. Analysis
The proposed key exchange mechanism is quite promising as it employs an architecture similar to that of the existing 4-way handshake. The overhead incurred is the use of ECC in generating public-private key pairs for each
communicating entity, and the authenticator has to store the public key of each supplicant for as long as the communication
lasts. However, the computational and storage requirements are low in comparison to the increased security offered
to the WLAN employing the new mechanism. The association process undergoes little change and the authenticator
can broadcast the security policy to the supplicant. The basic nature of the 4-way handshake remains unchanged and
confidentiality of the messages is ensured without any overhead.
In the case of open systems, where no authentication is required, our proposed mechanism still offers security, as both the
authenticator and supplicant maintain public-private key pairs, with PHK being used throughout instead of no key
altogether. The 802.11i specifications caution about insider eavesdropping and man-in-the-middle attacks on the
WPA-PSK system; however, our proposed enhancements are able to ensure authenticity and confidentiality by the
implementation of PHK.
Our proposed authentication mechanism thus overcomes limitations in WPA-PSK without introducing additional
vulnerabilities. In open systems (public WLANs) our enhancements add confidentiality, thereby ensuring that
vulnerabilities such as eavesdropping and man-in-the-middle attacks (which exist in present public WLANs) are
taken care of and user data is protected from malicious users.
4. Conclusion

The existing IEEE 802.11i is the latest standard for WLAN and offers security by the use of a separate authentication
server; however, at the lower level WPA-PSK has security limitations where a global key is shared amongst all users.
Practical attacks on WPA [1] have shown a serious security breach for SOHO users in terms of loss of
confidentiality and authentication.
Our proposed solution not only caters to authentication but also offers confidentiality to the user data. The use of
ECC to generate PHK is an attractive possibility without compromising the security or revamping the existing
protocol. ECC offers considerably greater security for a given key size. The smaller key size also makes possible
much more compact implementations for a given level of security, which means faster cryptographic operations,
running on smaller chips or more compact software. This means less heat production and less power consumption,
all of which is of particular advantage in constrained devices, but of some advantage anywhere. There are
extremely efficient, compact hardware implementations available for ECC exponentiation operations, offering
potential reductions in implementation footprint even beyond those due to the smaller key length alone.
We have also proposed the use of ECC to secure communications in public WLANs, since most access points come
configured with no security and a naive user can still securely communicate without getting into the details of
configuring an AP. The proposed scheme adds no overhead and offers more security than the existing 802.11i WPA-TKIP/CCMP.
REFERENCES
[1] Martin Beck and Erik Tews, Practical Attack Against WEP and WPA, Conference on Wireless Network Security, Proceedings of the second ACM conference on Wireless network security (Zurich, Switzerland), 2009.
[2] Andreas Klein, Attacks on the RC4 stream cipher, Designs, Codes and Cryptography, ACM 2008.
[3] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin, Breaking 104 bit WEP in less than 60 seconds, Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188-202, Springer, 2007.
[4] Andrea Bittau, Mark Hendley, Joshua Lackey, The Final Nail in WEP's coffin, IEEE Symposium on Security and Privacy, pages 386-400 (IEEE Computer Society, 2006).
[5] Andrea Bittau, The Fragmentation Attack in Practice, IEEE Symposium on Security and Privacy, IEEE Computer Society, September 2005.
[6] Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP), ACM Transactions on Information and System Security, 7(2):319-332, May 2004.
[7] KoreK, chop chop (experimental WEP attacks), at http://www.netstumbler.org/showthread.php?t=12489, 2004.
[8] Borisov, Goldberg, Wagner, Intercepting Mobile Communications: The Insecurity of 802.11, International Conference on Mobile Computing and Networking, Proceedings of the 7th annual International Conference on Mobile Computing and Networking, 2001.
[9] Fluhrer S., Mantin I., Shamir A., Weaknesses in Key Scheduling Algorithm of RC4, Lecture Notes in Computer Science, Vol. 2259, Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography, 2001.
[10] Aircrack-ng. Aircrack-ng homepage. http://aircrack-ng.org/
[11] Bernard Aboba, Larry J. Blunk, John R. Vollbrecht, James Carlson, and Henrik Levkowetz, Extensible Authentication Protocol (EAP), Internet RFC 3748, June 2004.
[12] IEEE Std 802.11-1997 Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Std 802.11-1997, Nov 1997.
[13] Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. ANSI/IEEE Std 802.11, 1999 Edition (R2003), 2003.
[14] Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 4: Further Higher Data Rate Extension in the 2.4 GHz Band. ISO/IEC 8802.11:2005/Amd.4.2006(E) IEEE Std 802.11g-2003 (Amendment to IEEE Std 802.11-1999), 2006.
[15] Port Based Network Access Control. IEEE Std 802.1X-2004, 2004.
[16] C. He and J. C. Mitchell, Analysis of the 802.11i 4-way handshake, WiSe '04: Proceedings of the 2004 ACM Workshop on Wireless Security. New York, NY, USA: ACM Press, 2004, pp. 43-50.
