Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Senior Project
Qi Liao
Hartwick College
May 2005
Introduction
My motivation:
Wireless communication has taken off.
Great potential: convenience, increasing speed
and security.
How secure is it?
Almost every Univ. & College has wireless
network on campus. Increasing necessity to
investigate its security.
My Goal:
This project is to explore two basic wireless
networks architecture here at Hartwick College:
open-system and WEP protected system, with
emphasis on breaking WEP.
Does WEP really achieve its goal: Wired
Equivalent Privacy?
My Architecture:
Two laptop computers with wireless cards and
one WEP encrypted AP.
One is used to passively intercept the
communication between the other computer and
the AP.
My Approach:
theoretical analysis supported with empirical
data, and some implementations of
programming.
Wireless Communications
Wireless networks are diverse. Three
categories:
Wireless Wide Area Networks
(WWAN)
(cell phones) 2G cellular, CDPD,
GSM, Mobitex.
Wireless Local Area Network
(WLAN)
802.11, HiperLAN
Wireless Personal Area Networks
(WPAN)
Bluetooth, IR, ad hoc (no
infrastructures needed)
Wireless technologies are changing
rapidly. New products and features
means new threats or vulnerabilities.
Security of cell phones, PDA, and other
ad hoc or Bluetooth networks are
interesting.
My focus: Security of WLAN
Attacks to Open-System:
Architecture of Yager Hall Library: I
used
NetStumbler version 0.4.0 to obtain the
basic information of the APs and WLAN.
There are one Avaya AP on the 5th floor of
the library (channel 9) and the other on the
2nd floor (channel 3).
Figure 3: AP Information Obtained through NetStumbler
Attacks to Open-System:
I used Ethereal—the Network Protocol
Analyzer Version 0.10.9 to analyze
packet data.
I used “host 147.205.100.135” as both
source and destination address in the
capture filter to monitor all the traffic
come to and leave the machine that I
am testing in the lab on the 5th floor of
library.
It was more efficient in my own test
environment. More importantly it
prevented accidentally violate the
privacy of other users.
Below are the raw data of the packets
that I captured under the open-system
wireless network by using Microsoft
Outlook to send and receive emails.
As we can clearly see the user
information in Table 1, 2, and 3, the user
name is “LiaoQ” and password is
“M1234%^dd”. The message is also
sent in plain text, which is “This is a
secret message text here.”
Attacks to Open-System:
0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 45
00 .....B...X....E.
0010 00 34 04 61 40 00 80 06 14 71 93 cd 64 87 93
cd .4.a@....q..d...
0020 55 d0 0b f5 00 6e 1a 65 34 a3 9a 38 87 2b 50
18 U....n.e4..8.+P.
0030 44 17 6b f9 00 00 55 53 45 52 20 6c 69 61 6f
71 D.k...USER liaoq
0040 0d
0a ..
0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 45
00 .....B...X....E.
0010 00 38 04 62 40 00 80 06 14 6c 93 cd 64 87 93
cd .8.b@....l..d...
0020 55 d0 0b f5 00 6e 1a 65 34 af 9a 38 87 30 50
18 U....n.e4..8.0P.
0030 44 12 4d c3 00 00 50 41 53 53 20 4d 31 32 33
34 D.M...PASS M1234
0040 25 5e 64 64 0d
0a %^dd..
Attacks to Open-System:
0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 45
00 .....B...X....E.
0010 02 2b 04 5a 40 00 80 06 12 81 93 cd 64 87 93
cd .+.Z@.......d...
0020 55 d0 0b f4 00 19 1a 63 8d 18 9a 35 d0 5b 50
18 U......c...5.[P.
0030 43 4f 26 ec 00 00 46 72 6f 6d 3a 20 22 71 69
22 CO&...From: "qi"
0040 20 3c 6c 69 61 6f 71 40 68 61 72 74 77 69 63
6b <liaoq@hartwick
0050 2e 65 64 75 3e 0d 0a 54 6f 3a 20 3c 6c 69 61
6f .edu>..To: <liao
0060 71 40 68 61 72 74 77 69 63 6b 2e 65 64 75 3e
0d q@hartwick.edu>.
0070 0a 53 75 62 6a 65 63 74 3a 20 73 65 63 72 65
74 .Subject: secret
0080 20 6d 65 73 73 61 67 65 0d 0a 44 61 74 65 3a
20 message..Date:
0090 46 72 69 2c 20 34 20 46 65 62 20 32 30 30 35
20 Fri, 4 Feb 2005
00a0 31 35 3a 32 38 3a 33 36 20 2d 30 35 30 30 0d
0a 15:28:36 -0500..
00b0 4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 4d 43
45 Message-ID: <MCE
00c0 45 4c 47 43 48 4c 45 50 44 46 42 46 41 50 4b
46 ELGCHLEPDFBFAPKF
00d0 48 43 45 41 42 43 41 41 41 2e 6c 69 61 6f 71
40 HCEABCAAA.liaoq@
00e0 68 61 72 74 77 69 63 6b 2e 65 64 75 3e 0d 0a
4d hartwick.edu>..M
00f0 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e
30 IME-Version: 1.0
0100 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a
20 ..Content-Type:
0110 74 65 78 74 2f 70 6c 61 69 6e 3b 0d 0a 09 63
68 text/plain;...ch
0120 61 72 73 65 74 3d 22 69 73 6f 2d 38 38 35 39
2d arset="iso-8859-
0130 31 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 72 61
6e 1"..Content-Tran
0140 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20
37 sfer-Encoding: 7
0150 62 69 74 0d 0a 58 2d 50 72 69 6f 72 69 74 79
3a bit..X-Priority:
0160 20 33 20 28 4e 6f 72 6d 61 6c 29 0d 0a 58 2d
4d 3 (Normal)..X-M
0170 53 4d 61 69 6c 2d 50 72 69 6f 72 69 74 79 3a
20 SMail-Priority:
0180 4e 6f 72 6d 61 6c 0d 0a 58 2d 4d 61 69 6c 65
72 Normal..X-Mailer
0190 3a 20 4d 69 63 72 6f 73 6f 66 74 20 4f 75 74
6c : Microsoft Outl
01a0 6f 6f 6b 20 49 4d 4f 2c 20 42 75 69 6c 64 20
39 ook IMO, Build 9
01b0 2e 30 2e 36 36 30 34 20 28 39 2e 30 2e 32 39
31 .0.6604 (9.0.291
01c0 31 2e 30 29 0d 0a 49 6d 70 6f 72 74 61 6e 63
65 1.0)..Importance
01d0 3a 20 4e 6f 72 6d 61 6c 0d 0a 58 2d 4d 69 6d
65 : Normal..X-Mime
01e0 4f 4c 45 3a 20 50 72 6f 64 75 63 65 64 20 42
79 OLE: Produced By
01f0 20 4d 69 63 72 6f 73 6f 66 74 20 4d 69 6d 65
4f Microsoft MimeO
0200 4c 45 20 56 36 2e 30 30 2e 32 38 30 30 2e 31
34 LE V6.00.2800.14
0210 34 31 0d 0a 0d 0a 54 68 69 73 20 69 73 20 61
20 41....This is a
0220 73 65 63 72 65 74 20 6d 65 73 73 61 67 65 20
74 secret message t
0230 65 78 74 20 68 65 72 65
2e ext here.
Attacks to Open-System:
Attacks to Open-System:
The Webmail also sends message in
plain text both in send and receive
mode.
I used Webmail to send a short email to
myself. As we can see in the following
captured data, the message is “This is a
top sceret message here.” The detailed
packet information and interpretation
enclosed in the Appendix in my paper.
0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 45
00 .....B...X....E.
0010 01 d9 0a ad 40 00 80 06 0c 7f 93 cd 64 87 93
cd ....@.......d...
0020 55 d1 0c 45 00 50 34 2f 89 33 d6 af 26 ae 50
18 U..E.P4/.3..&.P.
0030 41 1c bf 5f 00 00 43 6d 64 3d 73 65 6e 64 0a
4d A.._..Cmd=send.M
0040 73 67 54 6f 3d 6c 69 61 6f 71 40 68 61 72 74
77 sgTo=liaoq@hartw
0050 69 63 6b 2e 65 64 75 0a 4d 73 67 43 63 3d 0a
4d ick.edu.MsgCc=.M
Attacks to Open-System:
Table 4: Captured Data under the Open-system Wireless Network in Yager
Hall Library. Webmail Message Content Sent (continued).
0060 73 67 42 63 63 3d 0a 75 72 6e 3a 73 63 68 65
6d sgBcc=.urn:schem
0070 61 73 3a 68 74 74 70 6d 61 69 6c 3a 69 6d 70
6f as:httpmail:impo
0080 72 74 61 6e 63 65 3d 31 0a 68 74 74 70 3a 2f
2f rtance=1.http://
0090 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f
66 schemas.microsof
00a0 74 2e 63 6f 6d 2f 65 78 63 68 61 6e 67 65 2f
73 t.com/exchange/s
00b0 65 6e 73 69 74 69 76 69 74 79 2d 6c 6f 6e 67
3d ensitivity-long=
00c0 0a 75 72 6e 3a 73 63 68 65 6d 61 73 3a 68 74
74 .urn:schemas:htt
00d0 70 6d 61 69 6c 3a 73 75 62 6a 65 63 74 3d 73
65 pmail:subject=se
00e0 63 72 65 74 20 6d 65 73 73 61 67 65 0a 75 72
6e cret message.urn
00f0 3a 73 63 68 65 6d 61 73 3a 68 74 74 70 6d 61
69 :schemas:httpmai
0100 6c 3a 68 74 6d 6c 64 65 73 63 72 69 70 74 69
6f l:htmldescriptio
0110 6e 3d 3c 21 44 4f 43 54 59 50 45 20 48 54 4d
4c n=<!DOCTYPE HTML
0120 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43
2f PUBLIC "-//W3C/
0130 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 20 54
72 /DTD HTML 4.0 Tr
0140 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22
3e ansitional//EN">
0150 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45
54 <HTML><HEAD><MET
0160 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43
6f A HTTP-EQUIV="Co
0170 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e
54 ntent-Type" CONT
0180 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b
20 ENT="text/html;
0190 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e
3c charset=utf-8"><
01a0 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 44 49
56 /HEAD><BODY><DIV
01b0 3e 54 68 69 73 20 69 73 20 61 20 74 6f 70 20
73 >This is a top s
01c0 63 65 72 65 74 20 6d 65 73 73 61 67 65 20 68
65 ceret message he
01d0 72 65 2e 3c 2f 44 49 56 3e 3c 2f 42 4f 44 59
3e re.</DIV></BODY>
01e0 3c 2f 48 54 4d 4c
3e </HTML>
Attacks to WEP
The basic network model that I used
consists of one WEP encrypted AP, one
laptop PC with Orinoco Silver Wireless
Card running Windows XP Professional
(used to intercept the wireless
communication data), and one laptop
PC with Orinoco Silver Wireless Card
running Red Hat Linux Fedora Core 3
(used to send and receive data).
Architecture at CISC clubhouse:
There are two open-system APs of SSID of
Johnstone.
There is one WEP encrypted AP, running on
channel 6,located at Professor Lichtman’s office.
D-Link AirPremier DWL-2200AP 802.11g
Wireless 108Mbps Access Point with PoE.
Figure 6: Basic AP Information Obtained Through NetStumbler.
Attacks to WEP
A user needs a secret WEP key in order to
be connected to the CISC wireless network.
Figure 8: Connecting to the WEP Protected Wireless Network by Providing the
Shared Key.
XOR
1
Decryption: P’ = C⊕keystream
= (P⊕keystream)⊕keystream
=P
decrypted plaintext P’ = (M’, c’). Verifies the checksum:
c(M’)?=c’
IV Collision Attack
The WEP standard recommends that the IV be
changed after every packet.
This way, each packet receives a different keystream.
However, it does not say anything else about how to
select IV’s, and each individual vendor does things
differently.
random vs constant
As through my observation, both my Orinoco PC Card
Silver (5 volt) by Lucent Technology, increments the
IV by one for each packet it transmits.
IV Collision Attack
I will address my Brute-force attack later. But my first
approach is to explore the vulnerability of WEP
regardless of keysize.
No matter the 64-bit or 128-bit key, the IV field used
by WEP is only 24 bits wide, nearly guaranteeing that
the same IV will reused for multiple messages.
Statistically, an IV collision occurs for every 5000
packets with a random IV implementation.
I measured that the AP at CISC department send and
receive about 1000 packets each minute.
That means for every five minutes, there is an IV
collision.
When two packets assigned with two identical IV, or
an IV collision, happens, RC4(iv,k) will produce the
same keystream for the two packets since the secret
WEP key do not change. We can see an interesting
property here:
If C1 = P1⊕keystream
and C2 = P2⊕keystream
IV Collision Attack
0000 08 41 d5 00 00 0f 3d fa 97 93 00 02 2d 29 26
25 .A....=.....-)&%
0010 00 02 b3 d0 cb 42 30 02 16 00 00 00 aa 17 65
a3 .....B0.......e.
0020 ba fe bd 42 68 60 2d 76 2e fb b3 3d 87 a5 39
10 ...Bh`-v...=..9.
0030 2f c5 6d 18 d8 c8 7e 7a 23 6e ce 7f 28 37 01
c5 /.m...~z#n..(7..
0040 4c 4c 80 0f f9 86 b3 7e 63 06 b1 9b d9 eb 59
42 LL.....~c.....YB
0050 50 93 5f ce d9 9a d4 45 da 87 0c 5f 38 90 f6
d1 P._....E..._8...
0060 8f 8d 30
c7 ..0.
0000 08 41 d5 00 00 0f 3d fa 97 93 00 02 2d 29 26
25 .A....=.....-)&%
0010 00 04 23 0d 6e 7c f0 01 16 00 00 00 aa 17 65
a3 ..#.n|........e.
0020 ba fe bd 42 68 a0 2d 20 20 ea f3 3d 38 a2 a7
05 ...Bh.- ..=8...
0030 2f c5 6d 18 d8 c8 7e 4b a0 74 01 24 80 d6 3b
e8 /.m...~K.t.$..;.
0040 09 4c 80 41 28 f3 a5 ae 5b 22 46 a8 48 22 09
17 .L.A(...["F.H"..
0050 c7 5c 03 bc d9 49 97 f9 da bd 58 dc a0 24 f5
d3 .\...I....X..$..
0060 d0 ef 29 79 6f ca 9c 48 1e 42 5e 8a 4a df a6
af ..)yo..H.B^.J...
0070 98 b8 c0 b4 dd 46 8b 55 f7 72 83 e7 f5 8e 5e
f8 .....F.U.r....^.
0080 cf e6 9c df 8a 04 8d 1e 3b ee 19 a9 1d fd 46
89 ........;.....F.
0090 60
5e `^
IV Collision Attack
I wrote a small program in Java to perform the XOR
operations on captured data.
Show my program.
00011101 11111101
IV Collision Attack
One may make an educative guess of
some components of the packet, such
as some fields of IP traffic, since
protocols usually have common
structures.
If the bit of C1⊕C2 is 1, then the bits in
P1 and P2 have to be of different parity,
namely one “0” and one “1”.
If the bit of C1⊕C2 is 0, then the bits in
P1 and P2 have to be the same.
Some linear ciphers can be solved by
analyzing frequency of English letters.
The first seven most frequently used
letters are E, T, N, R, I, O, and A, so
some probability approaches may work.
If we have n ciphertexts that all reuse
the same keystream, as n increases, it
gets easier to guess the contents.
keystream = C⊕P
0010 03 00 00 0c 20 00 01 b4 42 73 00 01 00 20 4d
49 .... ...Bs... MI
0020 4c 53 57 30 2e 35 35 2e 32 33 34 28 30 30 33
30 LSW0.55.234(0030
0030 63 31 2d 36 33 33 36 38 30 29 00 02 00 11 00
00 c1-633680)......
0040 00 01 01 01 cc 00 04 93 cd 37 ea 00 03 00 06
42 .........7.....B
0050 36 00 04 00 08 00 00 00 08 00 05 00 2d 52 65
76 6...........-Rev
0060 69 73 69 6f 6e 20 43 2e 30 39 2e 32 32 20 2f
73 ision C.09.22 /s
0070 77 2f 63 6f 64 65 2f 62 75 69 6c 64 2f 76 67
72 w/code/build/vgr
0080 6f 28 63
30 o(c0
0000 08 42 00 00 01 00 0c cc cc cc 00 0f 3d fa 97
93 .B..........=...
0010 00 30 c1 63 36 f2 10 eb f4 26 09 00 d7 4e f6
51 .0.c6....&...N.Q
0020 00 a5 b8 94 3f 54 2f d8 5f 09 c2 0f 74 02 da
c3 ....?T/._...t...
0030 e0 41 24 b3 2b 3d c7 7b 21 a4 64 a5 bb 7c 70
ea .A$.+=.{!.d..|p.
0040 0f 84 fd 53 79 89 9c 02 24 c2 80 8a 20 97 f9
e2 ...Sy...$... ...
0050 b6 a7 a8 f5 b1 f9 af 9d 97 dc 61 f2 63 56 66
3d ..........a.cVf=
0060 00 b2 53 2e f7 8a 89 9d 08 e7 e3 6a 0b 3b 0f
60 ..S........j.;.`
0070 78 c2 c5 9f 91 5b 53 8e 5a 24 e9 9c a2 45 ad
b0 x....[S.Z$...E..
0080 bf f9 e5 ea d6 00 02 17 db bc 6e b2 bb ec 7e
f9 ..........n...~.
0090 72 6f 79 43 9b c4 fc 86 f4 9b 7a 2b c7 af 14
14 royC......z+....
00a0 c7 1e 0c
3b ...;
// cipherByte⊕keyByte=ICV byte
Brute-Force Attack
Here is my algorithm for a dictionary-
based brute-force attack:
Read in 3 WEP encrypted packets (IV,
Mc+ICVc);
Loop:
Read in passphrasei from a
dictionary file;
ki=MD5(passphrasei); // or no hashing
function applied at all.
keystreami=RC4(IV, ki);
Mp’+ICVp’=(Mc+ICVc)⊕keystreami; //
try to decrypt
if (CRC32(Mp’)=ICVp’
try the 2nd & 3rd packet and
do the same thing to see if they
match;
if match, return ki;
else move to next passphrase
and repeat above procedure.
else
repeat above procedure.
Brute-Force Attack
My algorithm involves some important
functions such as RC4, MD5, CRC32,
etc.
However, Java does not provide source
codes in c:\java\src.zip, but native
methods for RC4 algorithm
Tried many times, but got
java.security.InvalidAlgorithmParameter
Exception: ARCFOUR key generation
does not take any parameters
I concluded that it was not implemented
in Java API to specify a secret key with
the RC4 algorithm but we have to use
the default random key instead.
Finally, I decided to write my own RC4
class in Java. I used the algorithm
described in the famous paper
“Weakness in the Key Scheduling
Algorithm of RC4” written by Fluhrer,
Mantin, and Shamir.
The basic algorithm of RC4 is showed
below.
Brute-Force Attack
Pseudo Random Generation Algorithm
(PRGA)
Initialization:
i=0
j=0
Generation loop:
i=i+1
j=j+S[i]
swap(S[i],S[j])
Output z=S[S[i]+S[j]]
Key Scheduling Algorithm (KSA)
Initialization:
For i=0…N-1
S[i]=i
j=0
Scrambling:
For i=0…N-1
j=j+S[i]+K[i mod l]
swap(S[i],S[j])
Table 12: KSA & PRGA Algorithms of RC4
Brute-Force Attack
Ok, we got RC4 done. What’s next?
MD5, also developed by Professor
Rivest of MIT, takes as input a message
of arbitrary length and produces as
output a 128-bit message digest of the
input.
Java supports MD5 natively.
MD5 is widely used on APs to generate
keys from a passphrase for 128 bits
keys. However, I could not make it work
with my program, as I could not specify
a size of 64 but only 128 in Java API.
After many tests, I found out the AP at
CISCClub, using 64-bit instead of 128-
bit key, does not apply MD5 but instead
directly uses the ASCII value of the
plaintext key of a length of five letters,
thus a 40-bit key. This made things even
easier.
CRC-32 calculates a checksum. The
“CRC” is acronym for “Cyclic
Redundancy Code” and “32” represents
the length of checksum in bits: 32 bits=4
bytes. This algorithm is based on the
polynomial division. The idea is to take
the data as a very long binary number
and divide it by a constant divisor. The
remainder is the CRC checksum.
Java also supports CRC32 natively.
Brute-Force Attack
If the key checks out, I should also
check it with another packet to make
sure the key is actually valid, since it is
possible that the packet can be
decrypted with an invalid key and the
checksum could still be valid.
CRC was designed primarily for
catching transmission errors not for
integrity protection purposes like MD5
and SHA-1 was designed for.
The probability that two messages will
produce exactly the same hash code
under CRC32 is 1/232. Since MD5 in
Java uses 128 bits, the probability is
further decreased to 1/2128, and for
SHA-1 about 1 in 2160. Therefore, by
testing three packets in my program, I
am extremely positive that the
recovered key is the right key since
Countermeasure
Disable Weak Keys:
RC4 has a weak key schedule.
The probabilistic correlation between some bits of
the shared WEP key and some bits of the output
keystream (for a large class of weak keys) is one
of prime vulnerabilities of the RC4
implementation in WEP.
The firmware for the old 802.11b based wireless
cards can be modified (newer hardware now has
built-in feature) so that, the weak IVs are skipped
and no longer sent out as part of a WEP
encrypted packet.
Dropping the initial bytes from the RC4 output:
An alternative to disabling weak keys is to drop
some initial bytes, say 128 bytes, of the RC4
stream cipher.
Modifying the CRC algorithm:
Make it non-linear.
Dynamic key management techniques:
Cryptographic keys should be updated
automatically and changed frequently.
Use temporal keys.
Periodical change of keys:
Changing WEP keys will result in reconfiguring
AP and client machines.
How to change encryption key for EVERY
packet?!
Instead of doing keystream = RC4 (iv, key), we
can do keystream = RC4 (iv, MD5 (iv, key)).
Hashing the concatenation of the per-packet IV
and the secret WEP key before feeding it to a
RC4 stream generator would prevent the IV from
revealing any useful information about the shared
WEP key.
Future Works and Trends
If I would have more time to spend on this one-
semester project, I would very much want to do more
work in the following fields.
Probabilistic Attack based on the Weakness in the
Key Scheduling Algorithm of RC4:
The basic idea is that the PRGA uses the state
array to create a pseudorandom sequence and
the first byte of output is given by S[ S[1] + S[
S[1] ] ], where S is the state array.
After the key setup phase, the first byte of output
depends on only 3 values of the state array: S[1],
S[S[1]], and S[ S[1] + S[ S[1] ] ].
There is a strong probabilistic correlation
between some bits of the WEP key and some
bits of the output keystream for a large class of
weak keys, which are of the form <i+3, 255, X>,
where i corresponds to the current WEP key byte
key[i], and the value of X is unrestricted.
If I had had enough time, I might have
implemented this attack in the Java program.
Distributed Brute-force Attack:
My Java program works well with a key length of
64 bits. But as the key bits increase, the time of a
Brute-force attack increases exponentially.
It would be nice if I could have programmed
concurrently, testing a group of keys on each
Java Virtual Machine in a distributed computing
environment. The communication, cooperation
and security problem need to be considered.
Vulnerability of WPA and AES Encryption Algorithm:
RC4 and WEP are getting old. More advanced
algorithm and protocol are going to be deployed.
It would be very exciting and challenging to find
the vulnerability of these more advanced
encryption methods.
The End
Thank you!