Page 457 - From GMS to LTE
P. 457
Wireless Local Area Network (WLAN) 443
all data exchanged remains confidential and an eavesdropping attacker is unable
to decode any of the values exchanged either during the authentication proce-
dure that follows or later on in an offline attack. It is important to note that this
key exchange is not for authentication purposes but just for establishing an
encrypted channel over which sensitive data can be exchanged. Only once a
bidirectional encrypted channel is established is authentication information
exchanged. This approach can be compared to a password‐protected website
that uses the secure http (HTTPS) transfer protocol. HTTPS is used to provide
an encrypted channel that cannot be decrypted by a third party, and the user-
name and password provided by the user to a web page that is received over the
encrypted channel serves as authentication.
Step 2: The AP and the client device generate a random number that is referred to as
a ‘Nonce’. Together with an eight‐digit PIN, it is used as the input to a hash
function. The hash function generates a 256‐bit result from the two values
from which neither the PIN nor the random number can be deducted as the
hash function is not reversible.
Step 3: The AP and the client device exchange their hash function results.
Step 4: Once each side has received the hash result of the other side, the nonce values
are exchanged.
Step 5: Both devices now use the nonce value of the other device, add the PIN and
execute the hash function over these parameters. If the result matches the hash
values that have been transferred in step 1, both sides can be sure that the same
PIN was used on both sides.
Step 6: After both sides have verified that the PIN was identical on both sides, the
WPA/WPA2 password is transmitted. The string transmitted is the password
the user would have typed in if WPS was not used.
Step 7: Once the client device has received the WPA/WPA2 password, a standard
WPA/WPA2 connection establishment is performed.
The only weakness of the initially designed procedure is that it cannot protect against
an active attack, that is, a man‐in‐the‐middle attack in which an attacker is able to intercept
frames from both devices, modify them and forward them to the destination. In practice,
however, a number of weaknesses were unfortunately introduced during implementa-
tion that makes some devices very vulnerable to brute force attacks. If WPS is always
active and the PIN always remains the same, it is possible to retrieve the WPA/WPA2
key with a brute force attack by trying out all possible PIN combinations. Such an attack
is typically successful within only a few hours despite the eight‐digit length of the PIN.
This is because the PIN is validated in two parts of four digits. That means that an
attacker only needs to perform 10,000 WPS attempts at most to get the first four digits.
The second step can be performed even faster as one of the remaining four digits is used
as a checksum to ensure the user has entered the PIN correctly. It is therefore determin-
istic. Some APs try to slow down attacks by only accepting a few WPS attempts per
minute. This certainly slows down attacks but often not by a large degree. The only way
to prevent such an attack is to use a PIN only once as was perhaps initially intended by
those specifying the WPS authentication exchange. From a usability point of view, this
is not very convenient as the PIN cannot be printed on the back of a device. As a conse-
quence, only a few AP vendors have implemented a changing PIN. Therefore, some
security experts recommend disabling WPS in an AP.
