Review Article

WiFi and WiMAX Secure Deployments

Table 2. WiFi and WiMAX threat analysis comparative overview.

(a) WiFi

| Attack class | Attack | WEP | WPA | WPA2 |
|---|---|---|---|---|
| Passive attacks | Eavesdropping | Cannot be avoided. (i) Traffic patterns can reveal the type of communication (video conferencing, instant messaging); (ii) station's and AP's MAC address interception | Cannot be avoided. (i) Traffic patterns can reveal the type of communication (video conferencing, instant messaging); (ii) station's and AP's MAC address interception | Cannot be avoided. (i) Traffic patterns can reveal the type of communication (video conferencing, instant messaging); (ii) station's and AP's MAC address interception |
| Passive attacks | Traffic analysis | Cannot be avoided | Cannot be avoided | Cannot be avoided |
| Active attacks | Key cracking | RC4 key cracking very possible | RC4 key cracking very possible | AES provides protection; no key cracking possible |
| Active attacks | User-authentication breaching | (i) Shared key authentication weak due to RC4 (brute force, dictionary attacks); (ii) firmware change leads to authentication breaching | (i) Shared key authentication weak due to RC4; (ii) firmware change leads to authentication breaching; (iii) 802.1X very secure | (i) Firmware change leads to authentication breaching; (ii) 802.1X very secure |
| Active attacks | Masquerading (spoofing) | (i) Station masquerading; (ii) AP masquerading | (i) Station masquerading; (ii) AP masquerading (when 802.1X is not used) | 802.1X authentication very strong, but session hijacking is possible after the 3rd message from the AP of a successful EAP exchange |
| Active attacks | Replay attacks | Yes; no mechanism to prevent replay attacks | 48-bit TKIP sequence counter (TSC) prevents replay attacks | 48-bit packet counter prevents replay attacks |
| Active attacks | Message modification attacks | CRC-32 is too weak to prevent such attacks | (i) CRC-32 is too weak to prevent such attacks; (ii) MIC prevents such attacks on the MSDU | CCMP provides protection against modification attacks |
| DoS attacks (PHY layer) | | Jamming | Jamming | Jamming |
| DoS attacks (MAC layer) | | (i) Network blocking by CSMA/CA exploitation; (ii) de-authentication attack; (iii) deliberate CRC errors | (i) Network blocking by CSMA/CA exploitation; (ii) de-authentication attack; (iii) deliberate CRC errors | (i) Network operation blocking by CSMA/CA exploitation; (ii) de-authentication attack |
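The replay-attack row of Table 2(a) contrasts WEP, which has no sequence counter, with the 48-bit TKIP sequence counter (TSC) and the 48-bit CCMP packet number. Both work the same way at the receiver: a frame is accepted only if its counter is strictly greater than the last counter accepted under the current key, so a captured frame re-injected later is discarded. The Python below is an added example written for this page, not code from the article; the frame model (sender MAC, traffic class, counter), the sample frames and the rekey margin are constructed for illustration, and per-traffic-class tracking follows the 802.11i CCMP rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

COUNTER_BITS = 48
MAX_COUNTER = (1 << COUNTER_BITS) - 1   # largest TSC/PN value; the counter space is exhausted here

# Constructed frame model: (transmitter MAC, traffic class / TID, 48-bit counter from the header)
Frame = Tuple[str, int, int]


@dataclass
class ReplayWindow:
    """Receiver-side replay state: highest accepted counter per (sender, TID).

    TKIP (TSC) and CCMP (PN) both require the counter of a received frame to be
    strictly greater than the last one accepted under the current key; anything
    equal or lower is discarded as a replay.
    """
    last: Dict[Tuple[str, int], int] = field(default_factory=dict)
    dropped: List[Frame] = field(default_factory=list)

    def accept(self, frame: Frame) -> bool:
        sender, tid, counter = frame
        if not 0 <= counter <= MAX_COUNTER:
            self.dropped.append(frame)       # malformed counter: never accept
            return False
        key = (sender, tid)
        if counter <= self.last.get(key, -1):
            self.dropped.append(frame)       # replayed (or reordered) frame
            return False
        self.last[key] = counter
        return True

    def needs_rekey(self, sender: str, tid: int, margin: int = 1 << 20) -> bool:
        """True when the counter is close to wrapping. A fresh key must be installed
        before the same (key, counter) pair could ever be used twice (assumed margin)."""
        return self.last.get((sender, tid), -1) >= MAX_COUNTER - margin


def filter_with_counter(frames: List[Frame]) -> Tuple[List[Frame], List[Frame]]:
    """WPA/WPA2 behaviour: a frame passes only if its counter is fresh."""
    window = ReplayWindow()
    accepted = [f for f in frames if window.accept(f)]
    return accepted, window.dropped


def filter_without_counter(frames: List[Frame]) -> Tuple[List[Frame], List[Frame]]:
    """WEP behaviour from the table: with no sequence counter, a re-injected copy of
    an old frame is indistinguishable from a fresh one and is accepted."""
    return list(frames), []


# Constructed sample traffic (not a real capture): one station sends four data frames
# on TID 0, a copy of frame #2 is re-injected, then one frame is sent on TID 1.
SAMPLE_FRAMES: List[Frame] = [
    ("02:00:00:00:00:01", 0, 1),
    ("02:00:00:00:00:01", 0, 2),
    ("02:00:00:00:00:01", 0, 3),
    ("02:00:00:00:00:01", 0, 2),   # replay of the second frame
    ("02:00:00:00:00:01", 0, 4),
    ("02:00:00:00:00:01", 1, 1),   # a different TID keeps its own counter
]

if __name__ == "__main__":
    ok, dropped = filter_with_counter(SAMPLE_FRAMES)
    print(f"with 48-bit counter: accepted {len(ok)}, dropped {len(dropped)} -> {dropped}")
    ok, dropped = filter_without_counter(SAMPLE_FRAMES)
    print(f"without counter (WEP): accepted {len(ok)}, dropped {len(dropped)}")
```

The `needs_rekey` check is the operational half of the row: a 48-bit counter never wraps in practice, but the protection only holds while each counter value is used once per key, so a receiver (or the AP's rekey timer) should force a new key well before the counter reaches its limit.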

(b) WiMAX

| Attack class | Attack | 802.16 | 802.16e |
|---|---|---|---|
| Passive attacks | Eavesdropping | Cannot be avoided. (i) Disclosure of the SS's location at certain periods of time, because management messages are sent in the clear; (ii) SS's and BS's MAC address interception | Cannot be avoided. (i) Disclosure of the SS's location at certain periods of time, because management messages are sent in the clear; (ii) SS's and BS's MAC address interception |
| Passive attacks | Traffic analysis | Cannot be avoided | Cannot be avoided |
| Active attacks | Key cracking | (i) With DES-CBC, cracking is possible if TEK; (ii) with AES-CCM, there is a threat if a PN-key combination is used more than once; (iii) TEK encryption well secured | (i) With DES-CBC, cracking is possible; (ii) with AES-CCM, there is a threat if a PN-key combination is used more than once; (iii) with AES-CBC, no key cracking possible; (iv) TEK encryption well secured |
| Active attacks | User-authentication breaching | If network equipment stops being standalone units, as is the case now, and 802.16-compliant chipsets are instead built into laptops, as WiMAX Forum members have announced, a firmware change can lead to authentication breaching | If network equipment stops being standalone units, as is the case now, and 802.16-compliant chipsets are instead built into laptops, as WiMAX Forum members have announced, a firmware change can lead to authentication breaching |
| Active attacks | Masquerading (spoofing) | (i) SS's MAC address spoofing; (ii) lack of mutual authentication could lead to BS spoofing | (i) SS's MAC address spoofing; (ii) lack of mutual authentication with PKM v.1 could lead to BS spoofing |
| Active attacks | Replay attacks | (i) In PKM authentication, replay attack on the 2nd and 3rd message; (ii) in the SA-TEK 3-way handshake, replay attack possible if the AK hasn't changed | (i) In PKM v.1 authentication, replay attack on the 2nd and 3rd message; (ii) in the PKM v.1 SA-TEK 3-way handshake, replay attack possible if the AK hasn't changed; (iii) in PKM v.2 authentication, replay attack on the 2nd message |
| Active attacks | Message modification attacks | (i) Modification of the 3rd PKM message carrying the encrypted AK; (ii) for data traffic integrity, DES-CBC and AES-CCM modes protect against message modification attacks; (iii) HMAC-protected management messages are safe from modification attacks | (i) For data traffic integrity, DES-CBC, AES-CCM and AES-CBC modes protect against message modification attacks; (ii) HMAC- and CMAC-protected management messages are safe from modification attacks |
| DoS attacks (PHY layer) | | (i) Jamming; (ii) scrambling (of control and management messages) | (i) Jamming; (ii) scrambling (of control and management messages) |
| DoS attacks (MAC layer) | | (i) Modification of the 3rd message in PKM; (ii) replay attacks on the 2nd message in PKM authentication; (iii) replay attack in the SA-TEK 3-way handshake if the AK hasn't changed; (iv) DoS attacks with the Reset Command (RES-CMD) management message; (v) DoS attacks with a Ranging Response (RNG_RSP) whose status is set to value 2 [Abort] | (i) Modification of the 3rd message in PKM v.1; (ii) replay attacks on the 2nd message in PKM v.1 and v.2 authentication; (iii) replay attack in the PKM v.1 SA-TEK 3-way handshake if the AK hasn't changed; (iv) DoS attacks with the Reset Command (RES-CMD) management message; (v) DoS attacks with a Ranging Response (RNG_RSP) whose status is set to value 2 [Abort] |