Wireless Networking Security Questions and Answers

Microsoft Windows-based Laptop and SECURITY Registry File

Show your work (except for the True/false questions) using proper terms and notations.

1. (34 pts.) True/False Questions (NO explanation is needed):

(a) On a Microsoft Windows-based laptop computer the SECURITY registry file maintains a history list of the host computer’s wireless connections.

(b) The electric and magnetic fields associated with an electromagnetic wave are typically perpendicular to each other when the wave is propagating in open space.

(c) In a noise-free communication channel if the number of discrete signal (or voltage) levels is doubled from 4 levels to 8 levels, then the channel capacity (i.e., data rate) is expected to be doubled.

(d) IEEE 802.11 Security Standard WEP (Wired Equivalent Privacy) uses CRC checksum for its data integrity protection.

(e) In IEEE 802.11 Security Standard WEP (Wired Equivalent Privacy), both the Initialization Vector (IV) and Integrity Check Value (ICV) are sent in clear text when included in a frame/packet during transmission.

(f) Wireless stations (clients) may be communicating directly with each other and without going through the access point (AP) when the network is operating in the Infrastructure Mode.

(g) The services and protocols specified in the IEEE 802 family map to the bottom three layers of the OSI (Open Systems Interconnection) 7-layer model.

(h) The RC4 cipher used in WEP (Wired Equivalent Privacy) uses a CRC algorithm in generating pseudo-random numbers.

(i) Suppose an electromagnetic wave has a frequency of f cycles/second, a period T seconds/cycle, and a wave length W meters/cycle. These quantities are related by the equation c = W/T when the waves are transmitted in a vacuum, where c = the speed of light ? 3?108 meters/second.

(j) Within the frequency bands of the radio spectrum defined by the International Telecommunication Union (ITU), the UHF (ultrahigh frequency band) is of higher frequency than that of the SHF (superhigh frequency band).

(k) Encoding and decoding wireless signals is a function of the PHY (physical) layer of the 802.11 protocol.

(l) The OSI security architecture’s recommendation X.800 is prepared by the ITU-T sector of the International Telecommunication Union (ITU). (m)The three interframe space (IFS) values used in frame transmissions of an 802.11 network are related by the following: DIFS > PIFS > SIFS.

(n) Each 802.11 MAC frame must include at least two MAC addresses (for sender and receiver, respectively).

(o) Suppose the first, lower-address byte is 0x40 for an 802.11 MAC frame’s FC (frame control) field. This MAC frame’s subtype is “Association Request.”

Electric and Magnetic Fields Associated with Electromagnetic Wave

(p) A typical client authentication process of 802.11 networks requires the client first be authenticated with an AP (access point) before being associated.

(q) The FMS attack against a WEP-protected wireless network exploited the flaw due to RC4’s weak keys.

2. (4 pts.) According to the US Federal Information Security Management Act (FISMA) of 2002 there are three security objectives, known as the “CIA Triad”, for information and information systems.

(a) What do each of the letters “C”, “I”, and “A” stand for in the “CIA Triad”?

(b) Which of the above three security objectives includes ensuring information “non-repudiation” and “authenticity”?

3. (8 pts.) Use appropriate formulas and show your work to manually decompose the signal f(t) = 5cos(t) • cos(2t + ?/5) into a linear combination (i.e., a sum of constant multiples) of sinusoidal functions, and determine the amplitude, frequency, and phase shift of each component after decomposition. Note: Each of the sinusoidal functions in your answer must be of the form A sin(Bt + C) where A > 0, B > 0, while C can be positive, zero, or negative.
4. (10 pts.) Consider the wireless LAN channels used by Wi-Fi 802.11n in the US for the 2.4 GHz ISM band in which each channel has a bandwidth of 40 MHz. Suppose a channel's signal-to-noise ratio SNR = 400. Show your work and answer each of the below questions:

(a) Calculate the channel's signal-to-noise ratio in decibels, SNRdB.

(b) Calculate the (maximum) channel capacity according to the Shannon Capacity Formula, assuming the channel’s signal-to-noise ratio SNR = 400.

5. (6 pts.) In an attempt to improve WEP’s security a proposed modification (known as WEP2) uses 128 bits for the initialization vector (IV) value. In this case, show your work and estimate how many packets are needed “on average” for an attacker monitoring wireless communications between an AP (access point) and a wireless client (station) to detect a pair of duplicated IVs (Initialization Vectors) with at least 50% probability, assuming the IV values are generated randomly using WEP2’s 128-bit IVs. (Hint: Recall the Birthday Paradox.)
6. (6 pts.) Give at least two (different) reasons why ARP (address resolution protocol) packets are chosen to be used in attacking WEP-protected 802.11 networks.
7. (12 pts.) Suppose two parties involved in a wireless communication uses a stream cipher based on the CRC checksum algorithm CRC-32Q algorithm (http://crccalc.com/), with an initial value of zero and without post-processing, for encrypting their data. The ciphering process is described below: Before communication the sender and receiver first agreed to a pair of secret keys K1 and K2, where K1‘s length equals to the plaintext’s length and K2 is of 4 bytes used to protect the CRC-32Q’s checksum. The stream cipher (similar to WEP) takes a plaintext A, calculates CRC(A), the plaintext A’s CRC value using the CRC-32Q algorithm given above, then encrypts them using keys K1, K2, respectively, through the XOR operation, i.e., as A? K1, CRC(A) ? K2, before transmitting them through a wireless channel. (Thus, the ciphertext consists of a total of 6 bytes.) When the transmitted ciphertext is received, the receiver will use the same key pair K1 and K2 to decipher, recover the original text, and verify the received text’s integrity, through the same XOR operations as follows:

(a) Suppose an attacker knew the plaintext is of 2 bytes (i.e., 16 bits, bits numbered 0 to 15 from left to right), and the attacker wants to change/flip bits 0, 3, and 15 (according to the above bit numbering order) of the plaintext but without knowing the key values. Assuming the attacker could capture the transmission signal, stop it from being delivered to the intended receiver, alter the captured ciphertext and resend it without disrupting the communication. Describe precisely (with all details):

(i) how and what the attacker should do to modify the captured ciphertext (which consists of a total of 6 bytes);

(ii) what the attacker sends to the receiver;

(iii) how the receiver recovers the altered plaintext and verifies the CRC checksum, without detecting the data had been altered (i.e., the attacker succeeded)

(b) Suppose the attacker knew the plaintext, which is a 2-byte text “WZ”, and captured the ciphertext when the sender sent, in hexadecimal values, as 0x5659 and 0xC8EE1BEB. Describe precisely (with all details) how and what the attacker could do to determine the key values of K1,

K2 used in the stream cipher, including the recovered key values. (Note: Do not use any bruteforce methods.)

Suppose you are given what appears to be the beginning 217 bytes of a pcap file (but incomplete) shown below in a hex dump:

Answer each of the below questions with answers only, no explanations needed:

(a) Determine the type/format of this pcap file (i.e., choose one of the following: the original pcap format originated from the libpcap library; the pcap next generation pcapng format; or N/A if the information not applicable or not available)

(b) Determine the link layer type of packets in the file (both the code in decimal value and its name; or N/A if the information is not applicable/available)

(c) Determine the first packet's time stamp in the form of yyyy-mm-dd hh:mm:ss.xxxxxx (where y:year, m:month, d:day, h:hour, m:miute, s:second, x's: micro- or nano-seconds), or N/A if the information is not applicable/available.

(d) Determine the first packet's length (in bytes, in decimal value) excluding the packet header, or answer N/A if the information is not applicable/available.

(e) Determine the type (both name and code in decimal value), subtype (code, in decimal value), and any non-zero flag(s) in the Frame Control field of the file’s first MAC frame, or answer N/A if the information is not applicable/available. Hint: the first MAC frame starts at offset 0x7C.

(f) Determine the first MAC frame’s Duration (in decimal value)

(g) Determine the first MAC frame’s fragment number and sequence number (in decimal value)

(h) Determine the first MAC frame’s all embedded MAC addresses and their designation (DA, SA, etc.)