IMPLEMENTATION OF WIRELESS SECURITY ON VIRTUALWiFi
MOHAMMAD YASIN ARASHPOUR
DISSERTATION SUBMITTED IN FULFILLMENT OF FULL
REQUIREMENT FOR THE DEGREE OF MASTER OF
INFORMATION TECHNOLOGY
FACULTY OF COMPUTER SCIENCE &
INFORMATION TECHNOLOGY
UNIVERSITY MALAYA
KUALA LUMPUR
Abstract
From the early 21st century, with improving wireless platforms and an increasing number of wireless Access Points (APs), several solutions have been assessed for using multiple APs at the same time. VirtualWiFi (previously known as MultiNet) is one of these investigations; it uses one wireless card and virtualizes it into more than one card. This lets the wireless card connect to a number of APs at the same time. It creates as many virtual adapters as there are wireless domains to connect to. Then, the driver assigns each virtual adapter to a specific AP.
VirtualWiFi was implemented as an NDIS (Network Driver Interface Specification) driver which is an intermediate level between Data Link layer and Network layer. It is an Application Programming Interface (API) for network cards in Windows platforms.
Previous works accomplished connecting one wireless card to multiple APs simultaneously, and they focused on reducing the switching time between APs and on aggregating bandwidth to gain more throughput. However, wireless security had not been implemented until the new version of VirtualWiFi (Version 1.0) was released in 2006. In this new version, a simple kind of wireless security, known as WEP (Wired Equivalent Privacy), was implemented to protect the system from the simple attacks that WEP addresses.
Wired networks send signals and data through cables, whereas wireless networks propagate signals through the air. As a result, IEEE 802.11 specifies several services, such as WEP and WPA, to provide a secure environment. Because of the vulnerabilities of WEP, WPA2 is recommended to make wireless networks more secure.
In this research, NDIS 5.1 (which corresponds to Windows XP) is used to implement and add wireless security (WEP and WPA together) to the VirtualWiFi driver. This driver was written in the C++ language. The IEEE 802.11 wireless LAN (WLAN) object identifiers (OIDs), which can be used from C++, are supported by NDIS.
The new driver is evaluated using a testbed implementation. After the new NDIS code is implemented in the driver, it is examined in a real testbed against networks configured with different wireless security settings, such as WEP or WPA.
Acknowledgments
I would like to take the opportunity to thank the people who guided and supported me during my study. First, I would like to thank my supervisor Dr. Miss Laiha Mat Kiah, for her guidance, support and encouragement throughout my dissertation work. I would also like to thank my fellow graduate students, especially Amir Reza Bagheri, and the staff at the Faculty of Computer Science and Information Technology, who offered their help; their suggestions and comments encouraged me a lot.
Finally, I would like to express my sincere gratitude to my family, especially my mother, for her constant emotional support and love, and my father, for his guidance and for showing me the path to success. Without their encouragement, I could never have been strong enough to overcome difficulties.
Table of Contents
Abstract ... i
Acknowledgments ... ii
Table of Contents ... iii
List of Figures ... vi
List of Tables... vii
List of Abbreviations... viii
Chapter One: Introduction... 1
1.1 Overview ... 1
1.1.2 Virtual Wi-Fi ... 2
1.1.3 Wireless security ... 2
1.2. Problem statement ... 4
1.3. Research Aims and Objectives ... 6
1.4 Significance of the Research ... 7
1.4. Research Methodology... 8
1.5 Thesis Layout ... 9
Chapter Two: Literature Review ... 10
2.1 Wireless Security ... 11
2.1.1 Introduction ... 11
2.1.2 WEP ... 12
2.1.3 WEP vulnerability ... 14
2.1.5 IEEE 802.11i ... 18
2.1.6 Comparison of WEP Mechanism, WPA and 802.11i ... 19
2.2 Virtual Wi-Fi ... 22
2.2.1 Connecting to Multiple APs ... 22
2.2.2 AP Selection ... 24
2.3 Summary ... 25
Chapter Three: Research Methodology ... 26
3.1 Overview ... 26
3.2 Literature Review ... 26
3.3 System Development ... 29
3.4 Enhance Safety Factor of VirtualWiFi Driver ... 31
3.5 Data Collection and Analysis ... 32
3.6 Prepare Report on Output Result ... 32
3.7 Summary ... 32
Chapter Four: Driver Implementation ... 33
4.1 Overview ... 33
4.2 NDIS ... 34
4.3 802.11 Wireless LAN Objects ... 39
4.3.1 OID_802_11_BSSID ... 41
4.3.2 OID_802_11_SSID ... 42
4.3.3 OID_802_11_BSSID_LIST_SCAN ... 43
4.3.5 OID_802_11_AUTHENTICATION_MODE ... 49
4.3.6 OID_802_11_ENCRYPTION_STATUS ... 51
4.3.7 OID_802_11_ADD_WEP ... 54
4.3.8 OID_802_11_REMOVE_WEP ... 55
4.3.9 OID_802_11_ASSOCIATION_INFORMATION ... 55
4.4 Summary ... 57
Chapter Five: Testing and Result ... 58
5.1 Overview ... 58
5.2 Result and discussion ... 59
5.2.1 First scenario (Open System Authentication) ... 60
5.2.2 Second scenario (Wired Equivalent Privacy) ... 61
5.2.3 Third scenario (WiFi Protected Access) ... 63
5.2.4 Fourth Scenario (Both WEP and WPA) ... 65
Chapter Six: Conclusion ... 67
6.1 Overview ... 67
6.2 Thesis summary ... 67
6.3 Contribution and Future Work ... 69
References ... 71
Appendix ... 76
List of Figures
Figure 2.1 : WEP frame. Length of fields measured in bytes (Moen, 2004) ... 13
Figure 2.2 : Encryption/Decryption using WEP (AirTight Network, 2010)... 14
Figure 2.3 : Key mixing and data encryption in TKIP (bulbul, 2008) ... 18
Figure 2.4 : Relationship between WEP, WPA and WPA2 ... 21
Figure 3.1 : Research methodology progress model ... 28
Figure 4.1 : The modified Windows network stack (Chandra, 2006) ... 35
Figure 4.2 : New Generation of TCP/IP Stack (Windows Network Stack) ... 36
Figure 4.3 : General NDIS Architecture (Microsoft Corporation, 2010) ... 37
Figure 5.1 : Testing open system authentication ... 61
Figure 5.2 : Testing WEP ... 62
Figure 5.3 : Testing WPA ... 64
List of Tables
Table 2.1: WEP Mechanism, WPA and 802.11i Security Protocols (Bulbul, 2008) ... 20
Table 4.1: IEEE 802.11 wireless LAN (WLAN) object identifiers (OIDs) ... 39
Table 4.2: Encryption status in NDIS miniport driver (Microsoft Corporation, 2010) ... 53
Table 5.1: List of instruments for testing ... 60
List of Abbreviations
AES Advanced Encryption Standard
AP Access Point
BSS Basic Service Set
BSSID Basic Service Set IDentifier
CCMP Counter Mode CBC MAC Protocol
EAP Extensible Authentication Protocol
FIPS Federal Information Processing Standards Publications
ICV Integrity Check Value
IE Information Element
IV Initialization Vector
MAC Media Access Control
MIC Message Integrity Check
MMD Multinet Miniport Driver
MPD Multinet Protocol Driver
NDIS Network Driver Interface Specification
OID Object IDentifier
PMKID Pairwise Master Key Identifier
PSK Pre-Shared Key
RSN Robust Security Network
SSID Service Set IDentifier
TK Temporal Key
TKIP Temporal Key Integrity Protocol
WEP Wired Equivalent Privacy
Wi-Fi Wireless Fidelity
WLAN Wireless LAN
WMI Windows Management Instrumentation
WPA Wi-Fi Protected Access
Chapter One: Introduction
1.1 Overview
The term wireless refers to computers that can communicate with each other without using any wires. Unlike a LAN (Local Area Network), which connects computers with some kind of cabling such as UTP (unshielded twisted pair), a wireless network requires no data cabling. Users in this type of network can share data files and other resources without any need to connect to each other physically.
The noticeable advantages of a wireless network are easily seen when considering the needs of users of mobile devices, i.e. handheld PCs, mobile phones and laptops.
The term Wi-Fi (Wireless Fidelity) is defined as a wireless networking technology that works with no physical connection between sender and receiver by using radio frequency (RF) technology. The term Wi-Fi is often used as a synonym for IEEE 802.11 technology. Wi-Fi allows devices such as personal computers to connect to the Internet when they are within range of a wireless network. (WiFi Alliance, 2010)
Each wireless network has a limited coverage area for data transmission. Therefore, the transmission range determines the possible distance between an AP (Access Point) and any wireless device in its domain. However, the coverage area can be extended by using multiple access points, which may belong to different local networks. That is, as the number of access points increases, the coverage area for data transmission is extended. Covering the overlapping areas is an important consideration in designing and managing APs, since it lets authorized users roam around the covered area easily.
The access areas which provide Internet access through a wireless local area network (WLAN) are called "hot spots". Most Wi-Fi users access the Internet through home or work networks. In addition, there are over a thousand Wi-Fi hot spots worldwide in cafes, airports, and hotels. Some of them provide Internet access for free, but most of them charge a fee.
Most people are, by now, quite comfortable with Internet and e-mail access from their own homes, offices or Internet cafes. They also use Virtual Private Networks operated over existing public wired systems. The future development of wireless technologies will aim to give anyone with a wireless device an immediate connection to a wireless access point, allowing high-speed Internet, e-mail and VPN capabilities.
1.1.2 Virtual Wi-Fi
VirtualWiFi is a virtualization architecture for wireless LAN (WLAN) cards. It abstracts a single WLAN card so that it appears as multiple virtual WLAN cards to the user. The user can then configure each virtual card to connect to a different wireless network.
VirtualWiFi (previously known as MultiNet) allows users to simultaneously connect their computers to multiple wireless networks using just one WLAN card.
The VirtualWiFi virtualization architecture exposes multiple virtual adapters, one for each wireless network to which connectivity is desired. It then implements a network hopping scheme which switches the wireless card across the multiple virtual wireless network cards. The goal is to make the switching transparent to users, so that they feel connected to all the wireless networks at once. (Microsoft research centre, 2010)
1.1.3 Wireless security
Network security in a wireless LAN environment is a unique challenge. In Local Area Networks, users or computers connect to each other using wired media which send electrical signals through cables, but a Wireless LAN (WLAN) propagates signals through the air. Therefore, it is very simple to intercept wireless signals, and network administrators should implement an extra level of security to meet this challenge. If wireless networks are left open and unsecured, they face a number of exceptionally serious risks and dangers. Some of these risks and attacks are interception and monitoring of wireless traffic, insertion attacks, jamming and misconfiguration, as well as client-to-client attacks.
An insertion attack happens when unauthorized users access the network without going through the security process. Jamming or Denial of Service (DoS) attacks happen when legitimate data cannot reach the clients because other traffic saturates the relevant frequencies.
The IEEE 802.11 specification identifies several services to provide a secure operating environment. The security services of wireless networks are provided largely by the Wired Equivalent Privacy (WEP) protocol. WEP was invented to give users security equivalent to that of a wired network, especially a LAN. WEP is an algorithm which uses RC4 to encrypt and decrypt data. It combines a 40-bit WEP key with a 24-bit Initialization Vector (IV) to encode the data, but WEP does not provide end-to-end security. This means that the main problem of this algorithm is key management: if the key that every user employs for association is compromised as a consequence of any of the attacks or risks mentioned above, all users have to change the key. WPA (Wi-Fi Protected Access), introduced in 2003, avoids most of the weaknesses of WEP. (Barken, 2004)
WPA uses the Temporal Key Integrity Protocol (TKIP) to solve the key reuse flaw of WEP. TKIP uses the same encryption algorithm, RC4, as WEP in order to remain compatible with existing networks. In comparison with WEP, TKIP changes the key every 10000 packets to decrease the chance of finding it. (Wong, 2005)
1.2. Problem statement
There has been extraordinary growth in wireless networks at homes, cafes, airports, offices and even across cities. Despite this growth, a wireless card normally cannot connect to more than one network (AP) at the same time. The current version of VirtualWiFi (Version 1.0), released by Microsoft research centre, provides an 802.11 driver which abstracts one WLAN card so that it appears as multiple virtual cards. The user can connect each virtual card to a different Access Point (wireless network). Hence, the VirtualWiFi driver permits users to connect to multiple wireless networks simultaneously (Chandra, 2006).
Since the release of the VirtualWiFi driver (version 1.0) in 2005, several applications have been built on it. “Client Conduit” is one of them; it is useful for diagnosing and recovering from faults in wireless networks (Adya, 2004). “Slotted Seeded Channel Hopping (SSCH)” is another application, which uses orthogonal channels to increase the capacity of wireless ad hoc networks (Bahl, 2004). “WiFiProfiler” tries to find and resolve the root cause of wireless problems by leveraging collaboration among users within the same domain (Chandra, 2006).
Kandula (2008) introduces FatVAP as an improved VirtualWiFi driver which combines the available bandwidth at reachable Access Points and also splits the traffic by balancing their loads. It assigns traffic to available APs based on their estimated bandwidth. It allows users to make use of unused bandwidth at multiple access points to maximize throughput.
As mentioned above, all previous works focused only on the driver itself, or tried to provide a method to decrease the switching time between access points. However, no attempt has been made to improve its security aspects.
It is true that a simple security mechanism, a WEP (Wired Equivalent Privacy) based one, was implemented in the first and only version of the VirtualWiFi driver (Chandra, 2006). Although using simple WEP is better than the lack of any wireless security, Dynamic WEP (WEP with a variable key) and WPA are two improved wireless security mechanisms that have been suggested for secured wireless networks.
In order to implement robust wireless security such as dynamic WEP and WPA on the VirtualWiFi driver, this research proposes a method based on NDIS. NDIS (Network Driver Interface Specification) is a miniport driver which sits between layer two (Data Link Layer) and layer three (IP Layer). This miniport driver creates a number of virtual MAC and IP addresses to help the wireless card connect to more than one network at a time. Applying wireless security at this miniport driver makes it possible to implement WEP and Dynamic WEP as well as WPA on the VirtualWiFi driver.
NDIS supports the Object Identifiers (OIDs) of IEEE 802.11 wireless LAN (WLAN). It has many versions, each of which is supported by specific Windows versions. NDIS 5.0, which corresponds to Windows XP, is used to provide sufficient objects to build the WPA algorithm into the VirtualWiFi driver.
The VirtualWiFi driver is written in the C++ programming language. NDIS provides objects which can be used from C++ to implement our proposed method or algorithms.
So, the problem can be stated as follows:
“The current version of VirtualWiFi (version 1.0) can only support simple WEP. Using the same key for all packets (static key), a detectable Initialization Vector, unauthorized authentication and poor key management are some problems of using simple WEP. Due to the known vulnerabilities of WEP, we aim to provide an alternative method for security by implementing the WPA (Wi-Fi Protected Access) technique (algorithm)
1.3. Research Aims and Objectives
This research aims to make the VirtualWiFi driver more secure. The main challenge is how to implement WPA and WEP in this driver. First, we scrutinize the VirtualWiFi driver and find out how it works; then we study secure algorithms for wireless networks. Furthermore, we look for a proper method to implement on the VirtualWiFi driver. The main aim of this research is to improve the security of the VirtualWiFi driver.
In particular, the objectives of this research are to:
1. Study and scrutinize VirtualWiFi, find out how it works, and review algorithms developed to make wireless networks secure, such as WEP and WPA.
2. Propose a method or service which can be utilized in Windows XP to make VirtualWiFi driver more secure than simple WEP which is implemented in its last version (version 1.0).
3. Test the proposed technique by designing a testbed which contains more than one AP, and examine new proposed driver with both WEP and WPA.
1.4 Significance of the Research
The study of security is important in wireless networks because today, with the proliferation of access points and wireless domains in the world, threats and unauthorized access menace our systems. As is well known, the “Wi-Fi Alliance”, the group that holds the WiFi trademark, laid down some standard protocols to secure wireless computer networks. One of the most important algorithms used to secure wireless networks is WEP (Wired Equivalent Privacy), but researchers found several serious weaknesses in this protocol that allow it to be cracked easily (Bittau, 2006).
After that, the “Wi-Fi Alliance” developed a new standard protocol called WPA (Wi-Fi Protected Access) and improved it as WPA2 to address the problems found in WEP.
VirtualWiFi is an advanced wireless driver that can connect to more than one access point or wireless domain with only one wireless card. However, the last version of this driver (version 1.0) can support only simple WEP. As mentioned before, WEP can be broken easily. Due to this problem, this research tries to make this driver secure.
Despite the many problems that WEP has, the fact that it will continue to be applied in order to provide security to wireless networks is undeniable. We add WPA along with WEP to achieve the ability to connect to both security systems.
Finally, this research can claim that it has added immunity against threats as a new specification along with other specifications of this driver.
1.4. Research Methodology
The research methodology describes the activities needed to create a new system. In this section, the activities required to achieve the aim of this research are listed according to each objective as follows:
1. Study previous work about:
   1.1 VirtualWiFi
   1.2 Wireless Security
   1.3 NDIS (Network Driver Interface Specification)
2. Learn how the VirtualWiFi driver works.
3. Add the required C++ code to implement wireless security in the driver.
4. Compare the suggested method with the only existing version of this driver (version 1.0):
   Scenarios: Create a testbed built from D-Link and/or NetGear APs to evaluate the level of security of the proposed driver.
1.5 Thesis Layout
The remainder of the thesis is organized as follows:
Chapter 2: In this chapter we introduce VirtualWiFi as a driver which can connect one wireless card to more than one access point or wireless network. It gives a good background on existing wireless security algorithms and how they work. The introduction of NDIS (Network Driver Interface Specification), the Windows device driver interface that enables a single NIC (Network Interface Card) to support multiple network protocols, is given later in the fourth chapter.
Chapter 3: The methodology for designing and implementing the proposed improved VirtualWiFi driver is discussed in Chapter Three.
Chapter 4: This chapter provides a technical overview of the design of NDIS. It describes a number of Object Identifiers (OIDs) of IEEE 802.11 wireless LAN (WLAN) which are used to provide WEP and WPA in the VirtualWiFi driver.
Chapter 5: It contains the testing scenarios used to validate the proposed driver and reach the goal. This chapter discusses those results and gives a comparison.
Chapter 6: Finally, the last chapter sums up the steps taken, the contribution, the limits and difficulties encountered, and indicates the path for future work.
Chapter Two: Literature Review
Increasingly, computers in residential areas, coffee shops such as Starbucks branches, and most office environments can reach multiple open access points (APs). For example, cafes and restaurants provide free WiFi Internet, cities provide metropolitan networks and many residential users connect to the Internet through access points.
The connection rate to these access points over the wireless link is often 30Mbps with 802.11a as a high-speed option, and connections can also use the newer 802.11n. Nevertheless, the throughput of a wireless connection is relatively low in comparison with the DSL or cable modem links which connect access points to the Internet (Yang et al., 2006).
Preferably, a user would want to use all reachable access points at the same time and gain the sum of their bandwidth. Past work in this area showed that it is possible to connect one wireless card to more than one access point simultaneously, but concurrent TCP connections cannot be maintained across them, and the AP bandwidth cannot be aggregated.
Although previous works on this specific subject produced software and improved drivers like MultiNet, they cannot support all features of wireless networks, such as advanced wireless security like dynamic WEP and WPA. (Kandula et al, 2008)
WEP is a scheme to secure IEEE 802.11 wireless networks. It is part of the IEEE 802.11 wireless networking standard. WPA was introduced in 2003 to solve WEP problems such as the static key, key distribution and insufficient key size.
The VirtualWiFi kernel module has support for multiple WLAN cards, but the VirtualWiFi service does not support it yet. The switching and buffering mechanisms are implemented in the kernel, while the logic and policies are implemented as a user level service. Finally, the first and only version of the VirtualWiFi driver has not yet included support for dynamic WEP and WPA. (Ranveer Chandra, 2007)
The literature review is divided into two parts. In the first part we describe wireless security, and in the second part previous works on VirtualWiFi are explained; NDIS (Network Driver Interface Specification), as a service of Windows, will be described in Chapter Four.
2.1 Wireless Security
2.1.1 Introduction
The main difference between a wired network and a wireless one is the way they send and receive data. Concerning security risks, the main difference between wired and wireless networks is how the data transmitted through the network medium can be accessed. In wired networks, the only possible way to access the data is to tap the medium used for network communication, whereas in wireless networks the medium used for communication is the air. The data transmitted via radio frequency can be accessed with equipment that is available on the market for a low price (Bulbul, 2008).
From the initial development stages of wireless technology and its security needs, experts knew that security would be the main issue. Wireless networks are less secure than traditional wired networks, since wireless networks transmit information through the air and anyone within range with a suitable device can intercept those transmissions easily. It is certain that meeting all security needs of a wireless network is not an easy task. There are a number of security issues that make securing a WLAN difficult.
Since WEP is the first and initial WLAN security mechanism, it is found in more wireless networks than WPA/WPA2 and 802.11i. Despite the enormous popularity of WEP, it has several serious weaknesses identified by cryptanalysts; therefore it was replaced by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard RSN (also known as WPA2), ratified in 2004. (Bulbul, 2008)
2.1.2 WEP
WEP is the protocol initially developed to secure wireless transmissions (Hytnen, R. and Garcia, M. 2006). Wired Equivalent Privacy (WEP) is one of the algorithms used to provide wireless security for users implementing 802.11 wireless networks. A group of volunteer IEEE members developed WEP as an encryption algorithm. Considering that data is transmitted from one end point to another through radio waves in wireless networks, the aim of developing WEP was to provide security over an 802.11 wireless network. WEP has three main characteristics: confidentiality, access control and data integrity. It provides confidentiality by protecting wireless communication from eavesdropping. Preventing unauthorized access to a wireless network is one of the responsibilities of WEP, which provides access control. Data integrity is provided by preventing tampering with transmitted messages. (Wong, 2003)
WEP uses the RC4 stream cipher to encrypt the data. In this algorithm, both end points must hold an equal key, known as the shared key, to set up a connection between them. The WEP algorithm combines a forty-bit WEP key with a twenty-four-bit random number called an Initialization Vector (IV). The sender XORs the keystream with the real data to produce ciphertext. A stream cipher encrypts data by applying an algorithm and a cryptographic key to each bit of the data stream. The packet, which is the combination of the IV and the ciphertext, is sent to the receiver. The receiver decrypts the packet using the stored shared key (WEP key) and the attached IV (Douglas, 2002). WEP was proposed in 1999 in the IEEE 802.11 standard to provide security equivalent to that of wired Ethernet. This algorithm should ensure confidentiality, by comparing the shared key that both end points hold, and integrity of the frames on the wireless network, by implementing sequence numbers for packets. A Cyclic Redundancy Check (CRC) is used to compute an Integrity Check Value (ICV) on the message. The ICV is produced by a function that is used to create a secret key from variable-length input. The ICV is then concatenated to the message before encrypting with the stream cipher RC4. (Borisov, 2006) The WEP frame is illustrated in Figure 2.1.
Figure 2.1 : WEP frame. Length of fields measured in bytes (Moen, 2004)
RC4 is a symmetric key algorithm used to encrypt and decrypt data. Like most ciphers, RC4 is initialized from a secret key, and it is basically a pseudo random number generator. In order to produce the ciphertext stream, RC4 generates a keystream and then XORs it with the plaintext (data). The encryption key is a per-packet key obtained by concatenating an Initialization Vector (IV) with the user key. The decryption process uses exactly the same secret key as the encryption process; that is, both sender and receiver use the same secret key to encrypt or decrypt data in the RC4 algorithm. Due to export regulations, the standard specifies 64-bit keys of which 24 bits are the IV, but for security reasons and to make the encryption key harder to discover, many vendors have also implemented 128-bit keys where 24 bits are the IV. (Moen et al, 2004)
Data transmission in WEP works in the following way. A secret key K is shared between two communicating parties. Given a message M, the sender (either the station or the AP) first computes a CRC checksum c(M), and then concatenates the two into a plaintext.
The sender chooses an initialization vector (IV) and uses the RC4 algorithm to generate a keystream RC4(IV, K), which is a long sequence of pseudo random bits. The length of the IV is 24 bits. The key length has two popular choices, 40-bit or 104-bit keys, in the so-called 64-bit and 128-bit versions respectively (the difference in the notations is explained by the 24-bit IV). The sender XORs the plaintext with the keystream to obtain the ciphertext.
Finally, the sender transmits the IV and the ciphertext C. The WEP-encoded data frame is illustrated in Fig. 2.2.
Figure 2.2: Encryption/Decryption using WEP (AirTight Network, 2010)
2.1.3 WEP vulnerability
Unfortunately, the encryption protocol had not been subjected to a significant amount of peer review before it was released (B. Nikita, 2001). Serious security flaws were present in the protocol. Although the application of WEP may stop casual sniffers, experienced hackers can crack the WEP keys in a busy network within 15 minutes. In general, WEP is considered a broken protocol. (Barnes, 2002)
The vulnerability of WEP can be attributed to the following:
1. WEP key recovery - WEP uses the same WEP key and a different IV to encrypt data. The IV has only a limited range (0 to 16777215) to choose from. Eventually, the same IVs are used over and over again. By picking the repeating IVs out of the data stream, a hacker can ultimately collect enough data to crack the WEP key.
2. Unauthorized decryption and the violation of data integrity – Once the WEP key is revealed, a hacker may transform the ciphertext back into its original form and understand the meaning of the data. Based on an understanding of the algorithm, a hacker may use the cracked WEP key to modify the ciphertext and forward the changed message to the receiver.
3. Poor key management – A proper WEP key is typed into a wireless device associated with a wireless network to enable WEP. Unfortunately, there is no mechanism to renew the stored WEP key. Once the WEP key is compromised, for example when an employee leaves a company, the key has to be changed in order to maintain security. Changing keys may be practical in a home or small business environment. However, in an enterprise environment with thousands of wireless mobile devices associated with the wireless network, this method is almost impossible to use. (Wong S., 2003)
4. No access point authentication – WEP only provides a method for network interface cards (NICs) to authenticate access points. There is no way for access points to authenticate the NICs. As a result, it is possible for a hacker to reroute the data to access points through an alternate unauthorized path.
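The WEP encapsulation of Section 2.1.2 and the IV reuse of item 1 above, as an added example in C that is not code from the thesis or the VirtualWiFi driver; it assumes the 40-bit key variant, a 1500-byte maximum payload and the standard 802.11 WEP frame layout (IV, key index byte, encrypted message plus ICV). It shows sender-side encapsulation with RC4 and the CRC-32 ICV, receiver-side decapsulation that rejects a frame whose ICV does not verify, and a defender-side counter of repeated IVs over the whole 24-bit IV space.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the thesis or the VirtualWiFi driver: WEP encapsulation
 * as described in 2.1.2 (40-bit key, 24-bit IV) and a defender-side IV reuse count
 * for item 1 above. Frame body: IV(3) | KeyID(1) | RC4(IV||K)( M || ICV(M) ). */
#define WEP_IV_LEN    3
#define WEP_ICV_LEN   4
#define WEP_KEY40_LEN 5
#define WEP_HDR_LEN   (WEP_IV_LEN + 1)
#define WEP_MAX_MSG   1500   /* assumption: Ethernet-sized payloads */

/* RC4 key schedule followed by n keystream bytes: the RC4(IV, K) of 2.1.2. */
static void rc4_keystream(const uint8_t *key, size_t keylen, uint8_t *ks, size_t n)
{
    uint8_t S[256], i = 0, j = 0, t;
    for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + S[k] + key[k % keylen]);
        t = S[k]; S[k] = S[j]; S[j] = t;
    }
    j = 0;
    for (size_t k = 0; k < n; k++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        t = S[i]; S[i] = S[j]; S[j] = t;
        ks[k] = S[(uint8_t)(S[i] + S[j])];
    }
}

/* CRC-32 (reflected 0xEDB88320 polynomial): the ICV field of Figure 2.1. */
static uint32_t wep_icv(const uint8_t *data, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t k = 0; k < n; k++) {
        crc ^= data[k];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* Per-packet RC4 key is IV || K; expand it to plen keystream bytes. */
static void wep_keystream(const uint8_t *key, const uint8_t *iv, uint8_t *ks, size_t plen)
{
    uint8_t seed[WEP_IV_LEN + WEP_KEY40_LEN];
    memcpy(seed, iv, WEP_IV_LEN);
    memcpy(seed + WEP_IV_LEN, key, WEP_KEY40_LEN);
    rc4_keystream(seed, sizeof seed, ks, plen);
}

/* Sender: writes IV || KeyID || RC4(M || ICV) to out (needs mlen + 8 bytes).
 * Returns the frame length, or 0 if the message does not fit. */
size_t wep_encapsulate(const uint8_t *key, const uint8_t *iv, uint8_t keyid,
                       const uint8_t *msg, size_t mlen, uint8_t *out)
{
    uint8_t ks[WEP_MAX_MSG + WEP_ICV_LEN], *body = out + WEP_HDR_LEN;
    if (mlen > WEP_MAX_MSG) return 0;
    size_t plen = mlen + WEP_ICV_LEN;            /* plaintext = M || ICV(M) */
    memcpy(out, iv, WEP_IV_LEN);                 /* IV travels in the clear */
    out[WEP_IV_LEN] = (uint8_t)(keyid << 6);     /* key index in the top two bits */
    memcpy(body, msg, mlen);
    uint32_t icv = wep_icv(msg, mlen);
    for (int b = 0; b < 4; b++) body[mlen + b] = (uint8_t)(icv >> (8 * b));
    wep_keystream(key, iv, ks, plen);
    for (size_t k = 0; k < plen; k++) body[k] ^= ks[k];
    return WEP_HDR_LEN + plen;
}

/* Receiver: recovers M into out (needs flen - 4 bytes) and returns its length,
 * or -1 if the frame is malformed or the ICV does not match (tampered/wrong key). */
int wep_decapsulate(const uint8_t *key, const uint8_t *frame, size_t flen, uint8_t *out)
{
    uint8_t ks[WEP_MAX_MSG + WEP_ICV_LEN];
    if (flen < WEP_HDR_LEN + WEP_ICV_LEN || flen > WEP_HDR_LEN + WEP_MAX_MSG + WEP_ICV_LEN)
        return -1;
    size_t plen = flen - WEP_HDR_LEN, mlen = plen - WEP_ICV_LEN;
    wep_keystream(key, frame, ks, plen);         /* the frame starts with the IV */
    for (size_t k = 0; k < plen; k++) out[k] = frame[WEP_HDR_LEN + k] ^ ks[k];
    uint32_t got = 0;
    for (int b = 0; b < 4; b++) got |= (uint32_t)out[mlen + b] << (8 * b);
    return got == wep_icv(out, mlen) ? (int)mlen : -1;
}

/* Defender-side check for item 1: how many frames reused an IV already seen under
 * this key. One bit per IV covers the whole 0..16777215 range. */
size_t wep_iv_reuse_count(const uint8_t (*ivs)[WEP_IV_LEN], size_t n)
{
    static uint8_t seen[1u << 21];               /* 2^24 bits */
    size_t repeats = 0;
    memset(seen, 0, sizeof seen);
    for (size_t k = 0; k < n; k++) {
        uint32_t iv = (uint32_t)ivs[k][0] << 16 | (uint32_t)ivs[k][1] << 8 | ivs[k][2];
        if (seen[iv >> 3] & (1u << (iv & 7))) repeats++;
        else seen[iv >> 3] |= (uint8_t)(1u << (iv & 7));
    }
    return repeats;
}
```

A monitoring point that feeds the IVs of captured frames per key into wep_iv_reuse_count sees the repeat counter climb long before the 16777215-value space is exhausted on a busy network, which is the condition item 1 warns about.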
2.1.4 WPA
Wi-Fi Protected Access is a wireless encryption standard based on a subset of IEEE 802.11i that replaces WEP (Bulbul, 2008). Designed to run on some existing WEP-based hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward compatible with the upcoming WPA2 standard. When properly installed, it will provide wireless LAN users with a high level of assurance that their data transmitted over the radio link will remain protected through the WPA encryption method and that only authorized users can access the network.
WPA utilizes the Temporal Key Integrity Protocol (TKIP). TKIP provides data encryption enhancements through a per-packet key mixing function and a Message Integrity Check (MIC), an enhanced Initialization Vector (IV) with sequencing rules, and a session-derived re-keying mechanism. To strengthen user authentication, WPA implements 802.1X and the Extensible Authentication Protocol (EAP). Together, these mechanisms provide a framework for strong user authentication, including mutual authentication.
Wi-Fi Protected Access 2, or WPA2, is also based on 802.11i. It adds additional security features, the most important of which are pre-authentication, which enables secure fast roaming, and AES (Advanced Encryption Standard), the new FIPS standard for data encryption.
In response to the security flaws in WEP, a new security standard for WLANs, WPA, was released by Wi-Fi Alliance in October 2002. Today, most Wi-Fi products in the market are WPA-compliant, or can be easily upgraded to support WPA (Bulbul, 2008).
The primary goal of WPA is to remedy the known security flaws in WEP while retaining backward compatibility with legacy WEP hardware. WPA addresses the flaws in WEP through the following primitives:
• Temporal Key Integrity Protocol (TKIP), a new data encryption protocol that defeats the keystream reuse and weak key attacks;
• Message integrity codes (MICs), which defeat message forgery attacks;
• 802.1X authentication, which achieves strong authentication, authorization, and key management.
TKIP: Like WEP, TKIP XORs the plaintext with a pseudorandom keystream to obtain the ciphertext. However, it derives the keystream differently from WEP, as shown in Figure 2.3. TKIP uses a 128-bit temporal key (TK) and a 48-bit IV (the TKIP sequence counter). The IV is reset to 0 whenever TK is changed and is incremented by one after each transmission. The 48-bit length guarantees that an IV will not be reused with the same TK, since it would take over 600 years to exhaust the IV space even at 54 Mb/s.
As shown in Figure 2.3, TKIP uses a two-phase key mixing operation to derive the per-packet keystream, and each phase fixes one particular flaw in WEP. Phase 1 mixes TK with the upper 32 bits of the IV and the sender's MAC address, and generates an intermediate key P1K. Because the transmitter address is mixed in, two stations that happen to use the same IV no longer produce the same keystream (cross-station IV collision). Phase 2 takes P1K, TK and the lower 16 bits of the IV and generates a unique 128-bit RC4 key. This removes the direct correspondence between the transmitted IV and the RC4 key that WEP exposes, so the weak-key attacks can no longer be used to recover TK. Finally, the RC4 key is used to generate the keystream, which is then XORed with the plaintext. (Yang, H. et al, 2006)
Figure 2.3: Key mixing and data encryption in TKIP (Bulbul, 2008)
2.1.5 IEEE 802.11i
IEEE 802.11i, ratified in 2004, uses the concept of a Robust Security Network (RSN), in which wireless devices need to support additional capabilities. The standard uses IEEE 802.1X for access control and the Advanced Encryption Standard (AES) for encryption. It uses a pairwise key exchange (the four-way handshake) on top of 802.1X for mutual authentication and key management.
802.11i allows various network implementations and can use TKIP, but by default an RSN uses AES with CCMP (Counter Mode with CBC-MAC Protocol), which provides a stronger, scalable solution. (Bulbul, H et al, 2008)
IEEE 802.11i uses dynamic negotiation of authentication and encryption algorithms between access points and mobile devices. The authentication schemes proposed in the draft standard are based on 802.1X and the Extensible Authentication Protocol (EAP). The encryption algorithm is the Advanced Encryption Standard (AES).
Dynamic negotiation of authentication and encryption algorithms lets RSN evolve with the state of the art in security. Using dynamic negotiation, 802.1X, EAP and AES, RSN is significantly stronger than WEP and WPA. However, RSN runs very poorly on legacy devices: only newer devices have the hardware needed to accelerate AES in clients and access points while still providing the performance expected from current WLAN products. (Wong, 2003)
2.1.6 Comparison of WEP Mechanism, WPA and 802.11i
WEP has been regarded as a failure in wireless security; the IEEE itself has accepted that WEP was never intended to provide full security. The original WEP standard, built on the RC4 cipher, is widely considered broken because of its insecure IV usage: it uses a 40-bit RC4 key by default and concatenates this static key with a 24-bit IV for every packet sent over the air. The weaknesses of WEP's use of RC4 can be summarized in three parts: there is no embedded key management mechanism, there is no automatic or periodic key change, and the IV is so small that it is quickly reused and easily captured, which lets third parties recover the key. WEP's data integrity check is not cryptographically protected: it uses a CRC-32 ICV, provides no header integrity, and has no replay prevention mechanism.
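To make the weaknesses above concrete, the following Python script is an added example (not code from this dissertation or from the VirtualWiFi driver). It implements RC4 and the WEP frame body, then shows that two frames sent under the same IV leak the XOR of their plaintexts, and that an attacker who cannot decrypt can still flip chosen plaintext bits and fix up the CRC-32 ICV, because CRC is linear and the ICV is not keyed. The key, IV and HTTP-like payloads are constructed for the demonstration.

```python
"""WEP keystream reuse and ICV malleability: added example, not code from the
dissertation or the VirtualWiFi driver. Key, IV and payloads are constructed."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the plaintext, little-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV).
    The 24-bit IV travels in the clear and is simply concatenated with the static key."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: strip the IV, decrypt, accept only if the ICV matches."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Same IV (and static key) on two frames means the same keystream, so XORing
    the two ciphertexts cancels it and leaves plaintext1 XOR plaintext2."""
    assert frame1[:3] == frame2[:3], "only frames sharing an IV share a keystream"
    return xor(frame1[3:-4], frame2[3:-4])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits without the key. CRC-32 is linear over GF(2):
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0), so the encrypted ICV can be
    corrected with crc(delta) ^ crc(zeros) and the receiver's check still passes."""
    iv, body = frame[:3], frame[3:]
    data_c, icv_c = body[:-4], body[-4:]
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF
    return iv + xor(data_c, delta) + xor(icv_c, fix.to_bytes(4, "little"))


# Constructed demonstration data (not real traffic).
KEY = bytes.fromhex("0102030405")  # 40-bit static WEP key
IV = bytes.fromhex("aabbcc")       # the same IV reused for both frames
P1 = b"GET /index.html"
P2 = b"GET /login.php "
F1 = wep_encrypt(KEY, IV, P1)
F2 = wep_encrypt(KEY, IV, P2)


def demo_keystream_reuse() -> bool:
    """IV collision: ciphertext XOR equals plaintext XOR, no key needed."""
    return keystream_reuse(F1, F2) == xor(P1, P2)


def demo_bit_flip():
    """Rewrite the request inside F1 and have the receiver accept it."""
    delta = xor(P1, b"GET /admin.html")
    return wep_decrypt(KEY, flip_bits(F1, delta))


def demo_naive_tamper():
    """Flipping a bit without the CRC fix-up is the one thing the ICV does catch."""
    corrupted = F1[:3] + xor(F1[3:], b"\x01" + bytes(len(F1) - 4))
    return wep_decrypt(KEY, corrupted)


if __name__ == "__main__":
    print("IV reuse leaks P1^P2:", demo_keystream_reuse())
    print("Forged request accepted as:", demo_bit_flip())
    print("Naive tamper accepted:", demo_naive_tamper() is not None)
```

Both properties hold regardless of key length: a 104-bit key does not change the 24-bit IV space or the linearity of the ICV, which is why WPA replaced the ICV with a keyed MIC and mixed the IV into the key rather than concatenating it.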
WPA, an interim solution to the WEP vulnerabilities, uses a subset of the 802.11i features and is generally regarded as a major security improvement for wireless environments. In light of the criticism of WEP, WPA has numerous enhancements over it: the TKIP encryption mechanism, a 128-bit key size, a mixed (rather than concatenated) per-packet encryption key, dynamic key management through 802.1X, a 48-bit IV, and 802.1X itself. WPA also supports EAP for authentication, provides data and header integrity through the MIC that is built into TKIP, uses the IV sequence mechanism to prevent replay attacks, and supports existing wireless infrastructures (Wong S., 2003).
Table 2.1: WEP Mechanism, WPA and 802.11i Security Protocols (Bulbul, 2008)

Features of Mechanism       | WEP                         | WPA             | 802.11i
Encryption Cipher Mechanism | RC4 (vulnerable – IV usage) | RC4 / TKIP      | AES / CCMP (TKIP optional)
Encryption Key Size         | 40 bits *                   | 128 bits        | 128 bits
Encryption Key Per Packet   | Concatenated                | Mixed           | No need
Encryption Key Management   | None                        | 802.1X          | 802.1X
Encryption Key Change       | None                        | For each packet | No need
IV Size                     | 24 bits                     | 48 bits         | 48 bits
Authentication              | Weak                        | 802.1X-EAP      | 802.1X-EAP
Data Integrity              | CRC-32 ICV                  | MIC (Michael)   | CCM
Header Integrity            | None                        | MIC (Michael)   | CCM
Replay Attack Prevention    | None                        | IV sequence     | Sequence

(*) Some vendors apply 104-bit and 232-bit keys, where 802.11 requires only a 40-bit encryption key.
IEEE 802.11i appears to be the strongest security protocol for wireless networks as far as all previously identified vulnerabilities and drawbacks of WEP and WPA are concerned. After ratification of the 802.11i standard, RSN was accepted as the definitive solution for wireless security, expected to provide the robust security required in wireless environments. RSN provides all the advantages of WPA in addition to stronger encryption through AES, roaming support, and the CCM mechanism for data and header integrity.
WPA supports existing wireless infrastructures. Deploying WPA over current WEP installations is cost effective and hassle free, since vendors can transition to WPA through a software or firmware upgrade. For RSN this is not the case: it generally requires a hardware upgrade in order to implement AES (Bulbul, H et al, 2008). Table 2.1 compares the three wireless security protocols in detail.
The classes of wireless security mentioned above can be summarized as follows:
2.2 Virtual Wi-Fi
Prior works on virtual Wi-Fi fall into two main areas that are described below:
2.2.1 Connecting to Multiple APs
There has been much interest in connecting a wireless user to multiple networks. Most prior works use separate cards to connect to different APs or cellular base stations. “A big, fat access point with a large antenna and a bunch of Wi-Fi cards that automatically connect to the strongest signals it can pick up. Then it would combine all these signals into one freeloading broadband canal for me to use” (V. Boris, 2006).
‘PERM’ connects multiple Wi-Fi cards to different residential ISPs, probes the latency via each ISP, and assigns flows to cards to minimize latency. ‘PERM’ exploits the diversity of residential broadband Internet access for better last-mile connectivity, and can be deployed immediately at no additional cost (N. Thompson and G. He, 2006).
On the other hand, ‘Horde’ uses multiple cellular connections via different providers. In addition to aggregating bandwidth, ‘Horde’ allows an application to modify network QoS for its streams.
Horde’s approach is useful mostly when different streams gain value from different aspects of network performance and when the available network channels have dissimilar and/or time-varying characteristics (A. Qureshi and J. Guttag, 2005).
In contrast to this work, which stripes traffic across independent connections, Kandula (2007) uses the same card to associate and exchange data with multiple APs. Further, ‘FatVAP’ maintains virtual connections to these APs so that it can switch between them quickly without losing packets already queued.
The closest work to this project is the ‘MultiNet’ project, which was later named ‘VirtualWiFi’. ‘MultiNet’ abstracts a single WLAN card so that it appears as multiple virtual WLAN cards to the user. The user can then configure each virtual card to connect to a different wireless network.
‘MultiNet’ facilitates simultaneous connections to multiple networks by virtualizing a single wireless card. The wireless card is virtualized by introducing an intermediate layer below IP which continuously switches the card across multiple networks. The goal of the switching algorithm is to be transparent to the user who sees her machine as being connected to multiple networks (R. Chandra and P. Bahl, 2004).
‘MultiNet’ applies this idea to extend the reach of APs to far-away clients and to solve the problem of poor connectivity. ‘FatVAP’ builds on the same vision as ‘MultiNet’ but differs in design and applicability. One of the main distinctions is that MultiNet runs on Windows operating systems, whereas FatVAP runs on Linux-based systems. Two principal advantages of FatVAP over MultiNet are as follows:
First, ‘MultiNet’ provides switching capability but does not specify which APs a client should toggle between, or how long it should remain connected to an AP, to maximize its throughput. In contrast, ‘FatVAP’ schedules AP switching to maximize throughput and balance load. The load balancer implemented in FatVAP assigns traffic to APs in proportion to the bandwidth obtainable from each AP. FatVAP also does not prevent the user from having multiple cards; if the user does have multiple cards, FatVAP uses them to expand the number of APs it switches between and hence improves overall throughput.
Second, ‘FatVAP’ can switch APs at a fine time scale without dropping packets; this makes it the only system that maintains concurrent TCP connections on multiple APs. ‘VirtualWiFi’, by contrast, takes much longer to switch between wireless networks, ranging from a few tens of milliseconds to 600 ms. (Ranveer Chandra, 2007)
2.2.2 AP Selection
Current drivers select an AP based on signal strength. Prior research has proposed picking an AP with four main methods.
The first is based on load sensitivity. Under this algorithm, mobile hosts select an access point based on both the current signal-to-noise ratio and the current load at the access point. To avoid oscillation, the authors introduce randomness and hysteresis (G. Judd and P. Steenkiste, 2002).
The second is based on potential bandwidth. S. Vasudevan, D. Papagiannaki, and C. Diot (2005) argued that the potential bandwidth between AP and end-host is an important metric for AP selection. They described a methodology for estimating it from the delays experienced by beacon frames from an AP. Beacon frames carry control information, are transmitted on each of the 11 channels, and let a wireless station identify nearby access points in passive scanning mode.
The third is based on a combination of metrics. Nicholson et al. (2006) presented the design and implementation of Virgil, an automatic AP discovery and selection system. Virgil quickly associates to each AP found during a scan and runs a battery of tests designed to discover the AP’s suitability for use by estimating the bandwidth and round-trip time to a set of reference servers. Virgil also probes for blocked or redirected ports, to guide selection in favor of preserving the application services currently in use.
The last is fundamentally different from these techniques: it does not pick a single AP but rather multiplexes the various APs in a manner that maximizes client throughput (Kandula, 2007).
2.3 Summary
In a nutshell, this chapter discussed wireless security and compared it with wired security. Three protocols used to secure wireless networks were then described. WEP is the protocol initially developed to secure wireless networks; it uses the RC4 stream cipher to encrypt data, and serious security flaws have been identified in it, as explained above. In response to those flaws, WPA was released. It uses TKIP and the MIC to provide data encryption and integrity enhancements, and implements 802.1X and EAP to strengthen user authentication. All three mechanisms were then compared with each other.
The chapter then went through VirtualWiFi and discussed how it works. Prior work related to VirtualWiFi falls into two parts: connecting to multiple APs, and the algorithms and methods for selecting APs.
Chapter Three: Research Methodology
3.1 Overview
Research methodology describes the way of working used to create a new system. This chapter describes the research methods and evaluation methodology used to improve VirtualWiFi by adding two wireless security algorithms. Several models can be followed to develop a new system (driver), including the Waterfall, Iterative and Spiral models; the one used in this research is the Waterfall model.
The Waterfall model is a sequential development process. In this model the direction of the process is downwards: each step starts only when the previous step is completed. The flow of progress for this research is shown in Figure 3.1, and each step is explained in more detail below.
3.2 Literature Review
In the literature review, the concepts related to wireless LANs (Local Area Networks) are defined, and the standard algorithms used to secure wireless LANs, all aspects of the VirtualWiFi driver, and the different techniques and theories for connecting to more than one AP (access point) with a single wireless card are studied. These form the basis for approaching the problem statement. Previous related works are also reviewed in this part.
Chapter Two explained in detail how WEP works and why users should not rely on it. When the original IEEE 802.11 standard was published, Wired Equivalent Privacy (WEP) was included as the method for providing secure communications. However, as that chapter described, WEP fell short of real needs in a number of areas. Understanding WEP's failings before moving on helps explain why the next-generation security methods (WPA, WPA2) are so much stronger. This new generation of security methods will take over from WEP and finally meet the needs of both high security and scalability for large systems.
All the major weaknesses of WEP have been addressed by TKIP, including weak key attacks, lack of tamper detection, lack of replay protection, and others. Furthermore, TKIP was designed by some of the most eminent experts in the field, and confidence in the integrity of the solution is high. TKIP has been adopted as part of the WPA certification and is also included as part of RSN in IEEE 802.11i.
VirtualWiFi (previously known as MultiNet) is a virtualization architecture for wireless LAN (WLAN) cards. It creates multiple virtual WLAN adapters from the one real adapter that users know as their WLAN card. The user can then configure each virtual card to connect to a different wireless network. VirtualWiFi therefore allows a user to connect a machine to multiple wireless networks simultaneously using just one WLAN card. This functionality enables many new applications that were not possible earlier with a single WLAN card.
VirtualWiFi is implemented on Windows XP. Hence, learning about the less visible services of Windows XP, the platform of this driver, is the next step after identifying the problem. NDIS (Network Driver Interface Specification) is one of these services. NDIS is an application programming interface (API) between network adapter (miniport) drivers at layer two and protocol drivers at layer three of the OSI (Open Systems Interconnection) model. It is the service used in this research to implement wireless security in the VirtualWiFi driver.
Figure 3.1: Research methodology progress model. The flowchart has four stages: Literature Review (study of wireless LAN, wireless security, VirtualWiFi and NDIS (Network Driver Interface Specification)); System Development (requirements, analysis, design, implementation, test); Enhance Safety Factor of VirtualWiFi Driver; and Data Collection and Analysis (evaluating and testing the proposed driver).
3.3 System Development
The development of this system consists of five phases:
• Requirements: The purpose of this phase is to determine what the system does and to specify its characteristics; it also gathers the requirements needed to develop the system. Like every system, the proposed driver has two main categories of requirements: functional and non-functional. As mentioned before, the VirtualWiFi driver is implemented on Windows XP, so wireless security such as dynamic WEP and WPA must be implemented with services that Windows XP supports. Because the number of APs keeps growing, all changes have to be made on the end-user system. The system has to address the common wireless security methods, so that a Windows XP user running the proposed driver can connect to more than one AP, each using a different security method. Functional requirements are determined according to the proposed model. Security, safety and response time are the three main non-functional requirements and matter more than the other attributes.
• Analysis: This phase analyses the requirements and considers how the design and implementation phases are going to meet them. Several steps were used to prepare the final map of the proposed method. Understanding the VirtualWiFi driver and analysing how it works is the main step of this process. VirtualWiFi is written in C++. A Windows DDK installation with an XP build environment and a Windows Platform SDK installation are required on the machine used for building VirtualWiFi. The other step of the analysis is to find out how WPA and the protocols it contains, such as TKIP, can be implemented in the driver. NDIS, one of the less visible services in Windows XP, is then used to map the wireless security methods onto the VirtualWiFi driver. NDIS supports the object identifiers (OIDs) of IEEE 802.11 wireless LANs (WLANs).
• Design: The logical part of the system is designed here. This includes deciding which service of Windows XP should be used to overcome the problem and make the driver secure, and how this service (NDIS) carries out its task. Most of this phase was done in the previous phase (analysis).
In addition, the latest version of VirtualWiFi driver (version 1.0) is re-viewed.
• Implementation: The next stage after analysis and design is implementation. The main purpose of this stage is to develop a secured VirtualWiFi driver on which WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are implemented. One of the main activities of this phase is using the NDIS service as an application programming interface (API) to write code in C++, the language of the latest version of the VirtualWiFi driver. For dynamic WEP, a new key is generated periodically; for WPA, the TKIP algorithm is built from the objects described in the next chapter.
• Test: In this phase the design, implementation and performance are tested. This final stage checks the system with both security protocols used, WEP and WPA.
Four scenarios are designed to show how the proposed method works with different wireless security methods. In the first scenario open system authentication is tested. In the next scenario simple and dynamic WEP are tested. Connecting to an AP that uses WPA as its wireless security is the next scenario. In the last scenario, a wireless network with two APs is designed to show how the proposed method can connect to both WLANs when one of them supports WPA and the other works with WEP. This is included in the last chapter along with the final results.
3.4 Enhance Safety Factor of VirtualWiFi Driver
The latest version of VirtualWiFi (version 1.0) was implemented on Windows XP. Before this driver can be built, the Windows DDK with the XP build environment and the Windows Platform SDK are required on the build machine. The driver is then enhanced by adding the TKIP (Temporal Key Integrity Protocol) algorithm and a periodic key change for the WEP method to the source code, to come up with a new (proposed) driver that overcomes the lack of security in the VirtualWiFi driver. This process includes both the design and the implementation. The user must then define an environment variable called SDK_INCLUDE_PATH, which points to the include path of the SDK installation, after which all changes are made in the VirtualWiFi source code. ‘install.cpp’ and ‘virtualwifi.cpp’ are combined by ‘serviceinstaller’. At this point the DDK free build environment for Windows XP is opened and the whole VirtualWiFi source tree is built by running ‘build -ceZ’ at the command prompt. Implementing dynamic WEP and WPA, the most significant secure protocols for wireless networks, in this specific driver (VirtualWiFi) is explained in the next chapter.
3.5 Data Collection and Analysis
When the implementation of the new VirtualWiFi driver is completed and the wireless security protocols are designed and implemented properly, the defined scenarios are ready to be run.
First the testbed is designed and the improved driver is tested in different situations. The driver is then examined against wireless networks formed by APs that use WPA and WEP as their wireless security. If the new driver works with these access points (wireless networks), connecting to two networks that each use a different security protocol is tested.
3.6 Prepare Report on Output Result
In this phase, the results of the tests conducted in the previous phase are evaluated. In this research, evaluation is done by justifying the test output in the last chapter. The latest VirtualWiFi driver supports only simple WEP (Wired Equivalent Privacy), which carries a serious risk because the shared secret key used in the WEP algorithm is static and there is no function to exchange it. Therefore, comparing the new proposed driver with the previous one is the best evaluation for this research. To achieve this goal, four scenarios are defined to check the proposed driver. All of these scenarios, discussed in detail in Chapter Five, were carried out on real networks; no simulators were used.
3.7 Summary
This chapter has described the research methodology used to carry out the research. The explanation is grounded in the literature review, the development methodology, and the comparison of the new proposed driver with the previous version to find out the effect of the proposed model on the system.
Chapter Four: Driver Implementation
4.1 Overview
VirtualWiFi has been implemented on both Windows and Linux. VirtualWiFi is an old project: Microsoft started working on it in 2003. The driver released in 2006 is no longer supported by Microsoft Research, but its code is available as open source for researchers. In the new version of Windows (Windows 7), this functionality has been built in. In early 2008, Srikanth Kandula worked on this driver in Linux-based systems, but he did not implement wireless security in it.
Reading the released driver, written in C++, shows that it does not support advanced wireless security such as dynamic WEP and WPA. The method suggested here for providing these security algorithms is to use one of the services implemented in Windows XP. NDIS (Network Driver Interface Specification) is the interface between the miniport driver for the network card (layer two) and the protocol drivers such as TCP/IP (layer three). Through NDIS it is possible to present more than one virtual adapter, each with its own address, for a single wireless card and to manage the packets for each of them.
According to the structure of virtualWiFi driver, implementing wireless security can be done with NDIS Object Identifiers (OIDs).
This chapter contains what NDIS is and how it works, then explains each object which is used in the driver to implement wireless security.
4.2 NDIS
NDIS is an acronym for Network Driver Interface Specification. Its main purpose is to define a standard API for Network Interface Cards (NICs). The details of a NIC's hardware are encapsulated in its Media Access Controller (MAC) driver, so that NICs with the same media and network type can be accessed through a common programming interface.
NDIS also provides a “wrapper”, a library of functions that higher-level protocol drivers such as TCP/IP and MAC drivers can work with. Early versions of NDIS were jointly developed by Microsoft and the 3Com Corporation. Novell introduced a similar device driver interface for NetWare called Open Data-Link Interface (ODI). NDIS is a Windows device driver interface through which a single NIC (Network Interface Card) can support multiple network protocols, such as TCP/IP and IPX; it can also be used by ISDN (Integrated Services Digital Network) adapters. A protocol manager inside NDIS accepts requests from the transport layer (network driver) and hands them to the NIC in the data link layer (layer 2). So if a computer has more than one NIC and connects to multiple networks, NDIS can manage and route traffic to the proper card.
As shown in Figure 4.1, the VirtualWiFi (MultiNet) driver is an NDIS intermediate driver made up of two parts: the MultiNet Protocol Driver (MPD) and the MultiNet Miniport Driver (MMD). The MPD binds at its lower edge to the network card miniport driver, and the MMD binds at its upper edge to the network protocols, such as TCP/IP (Chandra, 2006).
The MPD creates a virtual adapter for each network that the wireless card connects to, so each virtual adapter appears as a separate NIC bound to a specific network. The MPD also manages and controls the state of the virtual adapters, and it buffers packets for any network other than the one the card is currently sending on or receiving from.
Figure 4.1: The modified Windows network stack (Chandra, 2006)
According to Figure 4.1, the modified parts, the MultiNet (VirtualWiFi) driver and its service, have been added to the Windows network stack (specifically Windows XP). The Windows network stack follows the seven-layer OSI model. The Network Driver Interface Specification (NDIS) is a distinct component of the Windows stack architecture: it plays an intermediate role between the next-generation TCP/IP stack depicted in Figure 4.2 and the Network Interface Cards (NICs) (Chereddi, 2007).
Figure 4.2: New Generation of TCP/IP Stack (Windows Network Stack)
The wireless card can only communicate with the network it is currently associated with. Therefore, packets that do not belong to the current network are held in the virtual adapter's buffer and sent on when the card is active on the related network, at which point the adapter passes them to the upper layer. The MPD also maintains information about the currently active virtual adapter.
The MMD keeps the state of each virtual adapter, so different IP addresses, one per network, can be assigned to a single wireless card through this architecture. It is also responsible for handling query and set operations meant for the underlying wireless adapter (Chandra, 2006).
The general architecture of NDIS as implemented in Windows-based operating systems (OS) is depicted in Figure 4.3.
Figure 4.3: General NDIS Architecture (Microsoft Corporation, 2010)
The NDIS wrapper is the kernel component that lets protocol drivers and network device drivers communicate by implementing the NDIS interfaces on top of the Windows kernel.
NDIS sits between the upper and lower layers of the TCP/IP stack. On the upper side it supports protocol drivers, which receive packets from the application layer through the transport layer; on the lower side it supports miniport drivers, which get data from the physical medium and pass it up. Therefore, as shown in Figure 4.3, the NDIS wrapper communicates with the transport layer of the TCP/IP stack on one side and with the Network Interface Card (NIC) on the other. NDIS is provided as a library (Ndis.sys in the Windows system directory) that exposes many objects a driver writer can use; conceptually these objects belong to layers two and three. WEP, WPA and the other wireless security methods operate at the data link layer, and the NDIS Object Identifiers (OIDs) that control and manage them, including the authentication process, likewise work between layers two and three. The NDIS library defines OIDs for WLANs, and these objects are used in this research to add dynamic WEP and WPA to the VirtualWiFi driver. Through these interfaces NDIS can be used to create a new driver or to customize an existing one.
NDIS supports the Object Identifiers (OIDs) of the IEEE 802.11 wireless LAN (WLAN). There are many NDIS versions, each supported by specific Windows versions, as follows:
• NDIS 2.0: MS-DOS, Windows for Workgroups 3.1, OS/2
• NDIS 3.0: Windows for Workgroups 3.11
• NDIS 3.1: Windows 95
• NDIS 4.0: Windows 95 OSR2, NT 4.0
• NDIS 5.0: Windows 98, 98 SE, Me, 2000
• NDIS 5.1: Windows XP, Server 2003, CE
• NDIS 5.2: Windows Server 2003 SP2
• NDIS 6.0: Windows Vista
• NDIS 6.1: Windows Vista SP1, Server 2008
4.3 802.11 Wireless LAN Objects
The 802.11 wireless LAN (WLAN) object identifiers (OIDs) used here are the legacy WLAN OIDs defined in Ntddndis.h and supported by NDIS 5.1 on Windows XP (the table below also gives the requirement level for Windows 2000 and ME). Miniport drivers that implement the 802.11 interface for IEEE 802.11 network interface cards (NICs) must support all mandatory 802.11 OIDs; for some OIDs, support is recommended or optional. The WLAN OIDs are also available through Windows Management Instrumentation (WMI).
The WLAN OIDs are listed in Table 4.1. The full name of each object is given in Appendix A. In this table, an X in the respective column indicates that the OID supports query (Q), set (S), or indication (I) operations. The table also indicates mandatory (M), recommended (R), or optional (O) support for the different operating systems and for Wi-Fi Protected Access version 1 (WPA) and version 2 (WPA2) (Microsoft Corporation, 2010).
Table 4.1: IEEE 802.11 wireless LAN (WLAN) object identifiers (OIDs)
Shortcut Name       | Q/S/I | Windows 2000 and ME | Windows XP and later | WPA | WPA2
BSSID               | X X   | M | M | M | M
SSID                | X     | R | R | M | M
Net.Type.Support    | X X   | O | M | M | M
Net.Type.In.Used    | X X   | O | O | O | O
Power.Level         | X X   | O | M | M | M
RSSI                | X X   | O | O | O | O
RSSI.Trigger        | X X   | R | M | M | M
Infra.Mode          | X X   | O | O | O | O
Num.Antennas        | X X   | O | O | O | O
RX.Antenna.Selected | X X   | O | O | O | O
TX.Antenna.Selected | X     | O | M | M | M
Configuration       | X     | R | R | R | R
Disassociate        | X X   | R | R | R | R
Power.Mode          | X     | R | M | M | M
BSSID.List.Scan     | X     | R | M | M | M
BSSID.List          | X X   | O | O | O | O
Privacy.Filter      | X     | R | M | M | M
Reload.Default      | X X   | R | M | M | M
Auth.Mode           | X X   | R | M | M | M
Encryp.Status       | X     | M | M | M | M
Add.WEP             | X     | R | M | M | M
Remove.WEP          | X     | O | O | M | M
Add.Key             | X     | O | O | M | M
Remove.Key          | X     | O | O | M | M
Assoc.Info          | X     | O | O | M | M
Test                | X     | O | O | O | M
Capability          | X X   | O | O | O | M
PMKID               | X X X | R | R | R | R
The OIDs listed above are all the identifiers that can be used for IEEE 802.11 wireless LAN in an NDIS miniport driver. The following OIDs have been used in the VirtualWiFi driver to make it secure:
BSSID, SSID, BSSID List Scan, BSSID List, Authentication Mode, Encryption Status, Add and Remove WEP, PMKID, Capability and Association Information.
It is noteworthy that dynamic WEP uses a WEP key that changes periodically (dynamically) for better security. The latest version of VirtualWiFi supports only static WEP, so when a WEP key is installed by dynamic WEP, it is used in the standard way, with the same number of bits, the same IV handling and the same RC4 algorithm, until the key is changed. Configuring this structure can be done easily in C++. A random interval between 10 and 100 seconds is set as the period for changing the key.
Implementing the TKIP algorithm is the main part of the WPA method, and it is configured so that the driver can connect to wireless networks that support WPA. Some OIDs of the NDIS 5.1 library are appropriate for performing the TKIP algorithm in any driver, such as VirtualWiFi, that runs on the Windows XP operating system. How these objects have been used in this research is described below:
4.3.1 OID_802_11_BSSID
This object can be set; when it is set, it sends a request to the miniport driver to set the Media Access Control (MAC) address of the access point to associate with. The device then associates with the specific AP that has the requested BSSID.
When the desired BSSID is set, one of the following actions should be taken:
• If the device is associated with an AP that has the same BSSID, the device must reassociate with the AP.
• If the device is associated with an AP that has a different BSSID, the device must disassociate from that AP. The device must then attempt to associate with an AP with the specified BSSID within the current Extended Service Set (ESS).
• If the device is not associated with any AP, the device must attempt to associate
When a BSSID is defined, the device should connect to the desired BSSID and cannot disconnect from it or roam to another BSSID. When the BSSID is set to the broadcast MAC address (0xFFFFFFFFFFFF), it is cleared; after it is cleared, the device can scan for and connect to any BSSID within the appropriate SSID.
When queried, the object requests the MAC address of the AP from the miniport driver. If the device is operating in ad hoc mode, the driver returns the IBSS MAC address. If the device is neither connected to any AP nor operating in ad hoc mode, the miniport driver returns NDIS_STATUS_ADAPTER_NOT_READY as an error code.
The data type for this OID is the NDIS_802_11_MAC_ADDRESS array type, which is defined as follows:
typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];
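To make the set and query semantics described above concrete, the following stand-alone C program is an added example written for this edit; it is not VirtualWiFi or Microsoft driver code. It models how a miniport driver would handle OID_802_11_BSSID and OID_802_11_SSID requests: the three association cases listed above, the broadcast-address clear, the NDIS_STATUS_ADAPTER_NOT_READY result for a query with no AP and no ad hoc network, and a bounds check on SsidLength before copying into the 32-byte Ssid field of the NDIS_802_11_SSID structure defined in Section 4.3.2. The `station` structure, its counters, the function names (`set_bssid`, `query_bssid`, `set_ssid`) and the numeric status values are constructed stand-ins; only the NDIS type and status names come from the text.

```c
/* Added example (not VirtualWiFi or Microsoft code): a user-mode model of a
 * miniport driver's OID_802_11_BSSID / OID_802_11_SSID handling. Type names
 * follow the dissertation; status values and the station model are constructed. */
#include <stdio.h>
#include <string.h>

typedef unsigned char UCHAR;
typedef unsigned long ULONG;
typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];

typedef struct _NDIS_802_11_SSID {
    ULONG SsidLength;
    UCHAR Ssid[32];
} NDIS_802_11_SSID;

/* Constructed status codes standing in for the Windows NDIS_STATUS_* values. */
typedef int NDIS_STATUS;
#define NDIS_STATUS_SUCCESS            0
#define NDIS_STATUS_ADAPTER_NOT_READY  1
#define NDIS_STATUS_INVALID_DATA       2

typedef enum { MODE_INFRA, MODE_ADHOC } net_mode;

/* Constructed model of the state a driver keeps for one (virtual) adapter. */
typedef struct {
    net_mode mode;
    int associated;                        /* 1 when joined to an AP or IBSS   */
    int bssid_locked;                      /* 1 while a specific BSSID is set  */
    NDIS_802_11_MAC_ADDRESS current_bssid; /* AP MAC, or IBSS MAC in ad hoc    */
    NDIS_802_11_SSID desired_ssid;
    int assoc_count, reassoc_count, disassoc_count;
} station;

static const NDIS_802_11_MAC_ADDRESS BROADCAST_BSSID = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

static int mac_eq(const UCHAR *a, const UCHAR *b) { return memcmp(a, b, 6) == 0; }

/* Set handler for OID_802_11_BSSID: the three cases from Section 4.3.1 plus
 * the broadcast-address clear that releases the device to roam again. */
NDIS_STATUS set_bssid(station *st, const NDIS_802_11_MAC_ADDRESS want)
{
    if (mac_eq(want, BROADCAST_BSSID)) {
        st->bssid_locked = 0;              /* cleared: any BSSID in the SSID */
        return NDIS_STATUS_SUCCESS;
    }
    if (st->associated && mac_eq(st->current_bssid, want)) {
        st->reassoc_count++;               /* same AP: reassociate           */
    } else {
        if (st->associated) st->disassoc_count++;  /* different AP: leave it */
        memcpy(st->current_bssid, want, 6);
        st->associated = 1;                /* then join the requested BSSID  */
        st->assoc_count++;
    }
    st->bssid_locked = 1;                  /* no roaming while pinned        */
    return NDIS_STATUS_SUCCESS;
}

/* Query handler: AP MAC, IBSS MAC in ad hoc mode, else ADAPTER_NOT_READY. */
NDIS_STATUS query_bssid(const station *st, NDIS_802_11_MAC_ADDRESS out)
{
    if (!st->associated && st->mode != MODE_ADHOC)
        return NDIS_STATUS_ADAPTER_NOT_READY;
    memcpy(out, st->current_bssid, 6);
    return NDIS_STATUS_SUCCESS;
}

/* Set handler for OID_802_11_SSID. SsidLength comes from the caller, so it is
 * checked against the fixed 32-byte field before anything is copied. */
NDIS_STATUS set_ssid(station *st, const NDIS_802_11_SSID *in)
{
    if (in->SsidLength > sizeof in->Ssid)
        return NDIS_STATUS_INVALID_DATA;
    st->desired_ssid.SsidLength = in->SsidLength;
    memset(st->desired_ssid.Ssid, 0, sizeof st->desired_ssid.Ssid);
    memcpy(st->desired_ssid.Ssid, in->Ssid, in->SsidLength);
    return NDIS_STATUS_SUCCESS;
}

int main(void)
{
    station st;
    NDIS_802_11_MAC_ADDRESS ap = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};  /* constructed */
    NDIS_802_11_MAC_ADDRESS out;
    memset(&st, 0, sizeof st);
    st.mode = MODE_INFRA;
    printf("query before association: %s\n",
           query_bssid(&st, out) == NDIS_STATUS_ADAPTER_NOT_READY ? "ADAPTER_NOT_READY" : "ok");
    set_bssid(&st, ap);
    set_bssid(&st, ap);                    /* same BSSID: a reassociation    */
    set_bssid(&st, BROADCAST_BSSID);       /* clears the pinned BSSID        */
    printf("assoc=%d reassoc=%d disassoc=%d locked=%d\n",
           st.assoc_count, st.reassoc_count, st.disassoc_count, st.bssid_locked);
    return 0;
}
```

The length check in `set_ssid` is the part a driver author should not skip: SsidLength is caller-supplied, and a set request carrying a value above 32 would otherwise overrun the fixed Ssid field during the copy.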
4.3.2 OID_802_11_SSID
This object can be set; when it is set, it sends a request to the miniport driver to set the SSID (Service Set Identifier) of the BSS to which the device can connect. If the device connects to the SSID, the miniport driver returns zero for the SsidLength member.
The data type for this OID is the NDIS_802_11_SSID structure, which is defined as follows:
typedef struct _NDIS_802_11_SSID
{
ULONG SsidLength;
UCHAR Ssid[32];