Emerging Technology: Wireless Security - Is Protected Access Enough?
By Andy Dornan
10/06/2003

Most networkers think Wi-Fi is just a brand name, a label placed on Wireless LAN (WLAN) equipment to show that it conforms to one of the IEEE 802.11 standards. This used to be true, but the Wi-Fi Alliance (www.wi-fi.org), the group that tests 802.11 products for interoperability and awards the Wi-Fi mark to those that pass, is slowly becoming less like the IEEE's public relations wing and more like a standards organization in its own right.

Two years ago, Wi-Fi was almost synonymous with 802.11b, the WLAN standard that has since become ubiquitous in offices, homes, and public hotspots alike. The faster 802.11a and 802.11g have broadened Wi-Fi's definition, while at the same time the Alliance has broadened its tests to go beyond the speeds mandated by the IEEE, as well as ensure smooth handoffs when more than one version of 802.11 is used in the same network. But with the publication of its Wi-Fi Protected Access (WPA) specification, which becomes mandatory in all Wi-Fi hardware this October 2003, the Alliance has come its furthest yet. Its motivation is simple: to fix 802.11's most notorious problem-security.

WEP SERVICES

Everybody knows that WLANs are insecure. Even before the Wi-Fi Alliance was formed, engineers on the IEEE's 802.11 committee had been warning that the standard's Wired Equivalent Privacy (WEP) encryption was insufficient: It used keys that were too short, had easily spoofed authentication credentials, and lacked any mechanisms to distribute new keys to users.

At least one vendor's marketing department replied that security didn't matter. Because 802.11 already encodes every transmission with a particular key at its CDMA Physical layer, these vendors claimed that transmissions were in code. While technically true, this claim is disingenuous because the keys used in CDMA are already very well known, and in order for the standard to work, they have to be hardwired into every NIC and access point (AP). The result is that unless some higher-level encryption is used, any client can eavesdrop on or join any network.

WEP was intended to provide this higher-level security, but it turned out to be even weaker than its critics feared. As 802.11b became increasingly popular, security researchers and black-hat hackers alike began to attack the protocol. In August 2001, a team of cryptographers published a paper that detailed a critical weakness. The problem lay in key re-use, a familiar issue in cryptography: If the same key is used repeatedly to encrypt the same data, patterns emerge that an attacker can use to create a crib sheet that will ultimately discover the key.

Networking protocols are full of repeated data, and attackers can sometimes even choose their own plain text by spamming their targets. Aware of this, WEP's designers included another number, the Initialization Vector (IV), which is appended to the key before encryption. The problem is that WEP's IVs are very short at only 24 bits, which means that the IVs themselves are often repeated. Attackers merely need to collect enough packets to discern patterns and break the code. Within days of the team's discovery, the free AirSnort software spread across the Internet. Billed as a key recovery tool, AirSnort automates the key cracking process, making WEP-encrypted networks accessible to people without any mathematical or computer skills.

WLAN experts responded in different ways. Many recommended VPNs as a solution, treating all WLAN traffic as if it were on the Internet. This is secure, but it can also be cumbersome in a large 802.11 deployment. Most VPNs are designed for remote access, not high speeds and constant use, and they require hefty client software that some platforms aren't capable of running.

The AirSnort attack can be thwarted by changing the WEP key before IVs are repeated, so many WLAN vendors are offering their own key rotation or key exchange mechanisms. Most have also made the WEP key longer, extending it from the 40 bits specified in the standard to 104 or even 168 bits. Some claim to use stronger keys, usually 128 or 192 bits, which is misleading. WEP's RC4 encryption algorithm requires that the key's length be a multiple of 64 bits, but 24 of these bits are used for the IV, so the effective key length is actually shorter.

Even if keys could be made as long as vendors claim, the flaws in WEP are so severe that longer keys don't provide as much protection as they ought to. When a strong cipher is used, each extra bit in a key doubles the amount of work that an attacker has to perform, so the difficulty of cracking the code scales exponentially with key length. Under WEP, it scales linearly: Each extra bit merely adds a constant number of packets (about 20,000) to the total that must be captured.

Most key exchange mechanisms are based around 802.1x, an IEEE standard for implementing the Extensible Authentication Protocol (EAP) over LANs. 802.1x can also help bolster WEP's authentication; however, because it was designed to be as flexible as possible, it is incomplete.

The most widespread way to complete 802.1x is Lightweight EAP (LEAP), a proprietary technology from Cisco Systems. LEAP requires Cisco APs, but will now work with most vendors' NICs. This is because Cisco has persuaded all the main 802.11 radio chip manufacturers to include some of its proprietary client code, known as Cisco Compatible Extensions (CCX), in their hardware. The one holdout, Broadcom, quickly adopted CCX after Cisco purchased its largest customer, Linksys.

EYE TO THE FUTURE

The IEEE is developing a new technology to replace WEP, but its precise details haven't yet been agreed upon, and it may not become widespread until 2005 (see figure). One thing is certain, however: The most advanced and secure form, 802.11i, won't be fully compatible with the installed base of Wi-Fi equipment.



One way that 802.11i improves on WEP is by throwing out its RC4 encryption algorithm in favor of Rijndael (AES), the U.S. government's official cipher. This requires specialized hardware, which isn't present in older 802.11b gear. Anticipating 802.11i, many newer Wi-Fi cards and APs do include this hardware, but there's no guarantee that they will fully support the standard once it's ratified. Most vendors say their AES-capable hardware will be software-upgradeable to 802.11, though this may involve reflashing the device's CMOS memory, not just installing a new driver.

So that users of non-AES hardware can still join 802.11i networks without compromising security, the draft also includes an alternative encryption system called Temporal Key Integrity Protocol (TKIP). Originally known as WEP2, TKIP is based on the same encryption algorithm as WEP, so it can re-use the existing RC4 encryption chips. This theoretically means that almost all 802.11 hardware is software-upgradeable to TKIP, though many users won't need to do this: Every major vendor has included TKIP in all WLAN devices made since 2002.

Despite WEP's flaws, the RC4 algorithm itself is sound, so there's no reason to think that TKIP will inherit the flaws of its predecessor. It fixes the repeated-IV problem by doubling the IV size to 48 bits, and by separating the IV from the key so that all 128 bits of the key can actually be used for key data. Like AES-based 802.11i, keys can be assigned on a per-user basis and changed whenever necessary, rather than shared by an entire network. Another key is used to authenticate the sender of each packet, preventing an attacker from hijacking a legitimate user's session after logon.

WEP includes a CRC-32 checksum so that recipients can be sure that data hasn't been altered in transit. This checksum is good at detecting accidental changes due to interference, but is vulnerable to deliberate attacks. To prevent this in 802.11i, the protocol's designers developed their own mode of AES called AES-CCMP. This automatically adds a Message Integrity Check (MIC) to every packet, which acts like a digital signature, protecting against both accidental and deliberate changes. RC4 can't be made to include this, so TKIP includes its own separate MIC algorithm, codenamed Michael.

Rather than wait for the full 802.11i standard, the Wi-Fi Alliance has combined TKIP with some other aspects of the 802.11i draft to produce WPA (see table). The most important of these is 802.1x, the authentication protocol that many WLAN vendors are already using. This is separate from the authentication built into TKIP or AES-CCMP because it happens at the user or application level, not automatically for every packet. 802.1x also controls how TKIP and AES keys are exchanged, though a precise method of doing so isn't specified in the standard.



EAP's incompleteness can seem like an omission, but it was intentional: IEEE 802 standards only cover Physical and MAC layer protocols; they don't try to make assumptions about what users will try to run over them. By omitting an actual authentication method, 802.1x leaves its implementers free to use any type of authentication at all, from a plain text password to a DNA sequence.

Many EAP extensions are proprietary, with Cisco's LEAP being the most prominent among them, but WLAN vendors are also implementing standard methods from the IETF. The favorite is RFC 2716, a PKI-based technology also known as Transport Layer Security (TLS). Like AES-based 802.11i, TLS is a long-term plan. It isn't widely used yet, as it requires a digital certificate on every network node.

The PC industry does intend to put a hardware digital certificate inside every client as part of its controversial Trusted Computing Platform Architecture (TCPA), but for now certificates have to be generated in software. So that managers of WPA networks don't have to purchase or produce a certificate for every client, the IETF is also considering Tunneled TLS (TTLS) and Protected EAP (PEAP), two rival challenge-response protocols that only place certificates on APs.

PEER OR HIERARCHY?

WPA isn't just TKIP and 802.1x. It also incorporates two other technologies from the 802.11i working group: Key Hierarchy and Cipher Negotiation. Key Hierarchy means that several different keys can be used for different purposes and be known to different participants. For example, broadcast packets must be understandable to every node on the network, so they need to use a shared key just like WEP. Packets intended for one particular user can use a key known only to the sender and that recipient. At the top of the hierarchy is the authentication method used in 802.1x-usually either a public key embedded in a digital certificate or a private key derived from a password.

Cipher Negotiation is required when not every client connecting to a network supports the same security mechanisms. This will be particularly useful when WPA and full 802.11i are both available, as it will allow clients and APs to negotiate which mechanisms to use. Depending on individual security policies, a network may require AES or a particular 802.1x extension. If security is less important, it can enable connectivity with older WEP-only clients that haven't been upgraded to WPA.

The full 802.11i draft includes two more modes of operation which weren't ready in time for WPA: the Independent Base Service Set (IBSS), and support for EAP over an Ethernet LAN (EAPOL). IBSS enables nodes to authenticate each other, even when out of range of an AP. This is necessary in an ad-hoc (peer-to-peer) network where clients aren't able to request authentication from an AP or server.

EAPOL is the reverse of IBSS, enabling clients to pre-authenticate with APs by sending their credentials through a wired LAN. This allows for easier roaming, both between APs and from wired to wireless. Under WEP and WPA, clients need to re-authenticate each time they connect to a different AP. With EAPOL, all this authentication can be performed in advance.

The IEEE is calling the complete 802.11i feature set a Robust Security Network (RSN), and the Wi-Fi Alliance has already announced plans to brand them as WPA2. But if you don't need smooth roaming or ad-hoc network support, and you don't do business with the U.S. government, the current WPA should be sufficient.

Whichever standard you choose, it's important to remember that both WPA and 802.11i only fix the technical problems with WEP. No protocol can guarantee that networks are impervious to attack, and even if WPA or 802.11i could, it wouldn't fix the greatest problem with WLAN security: that most APs ship with WEP turned off, and most users don't turn it on.

For all the publicity surrounding WEP's weaknesses, most people who break into wireless networks don't have to bother cracking its code because the networks are left open. In a comprehensive survey of every 802.11b AP in Manhattan, the non-profit Public Internet Project (www.publicinternetproject.org) found that 71 percent included no security at all, not even WEP. It's impossible to know how many of these were left open deliberately by people or companies that want to share their Internet connections, but some are clearly mistakes, providing access to private networks, too. Even the best security is useless if it's switched off.

Senior Editor Andy Dornan's book, The Essential Guide to Wireless Communications Applications, ISBN 013-0097-187, is published by Prentice Hall. You can contact him at [email protected].



--------------------------------------------------------------------------------

Resources

The official WPA site, www.wi-fi.org/wpa, contains several useful presentations on the new standard, including those from the Wi-Fi Alliance's member vendors and independent analysts such as the Burton Group.

The Berkeley team that cracked WEP has a FAQ on the protocol at www.isaac.cs.berkeley.edu/isaac/wep-faq.html.

For more details on TKIP, as well as useful tips on securing WLANs (with or without WPA), see September 2003's Network Defense. For a descriptor of 802.1x and its extensions, see December 2002's Roadblocks for War Drivers: Stop Wi-Fi from Making Private Networks Public.

As its title suggests, the book Real 802.11 Security: Wi-Fi Protected Access and 802.11i (Addison Wesley, 2003), by John Edney and William A. Arbaugh, focuses specifically on the two new WLAN security standards.

netmag