The Promise of 802.1X

Previous page
Table of content
Next page

How WEP Fails

In very simple terms, WEP does its encryption by XORing (combining) a block of 'cleartext' (unencrypted data) with a string of pseudorandom numbers the same length as the block of cleartext, usually 1,500 bytes. This string of pseudorandom numbers is called a keystream. The block of data is called a frame. Frames are embedded in packets and then transmitted over the air. It is absolutely vital that a different keystream be used to encrypt each frame. If a hacker manages to sniff two packets whose frames are encrypted with the same keystream, cracking the secret key becomes easier. In fact, the more packets are recorded with the same IV, the easier cracking the secret key becomes. So essentially each bit of data that goes out is combined with a bunch of random junk to prevent someone from knowing what is actually in the data. Since the junk changes with each piece of data, the hacker can't (easily) separate the 'wheat from the chaff ' and thus your communications are safer.

The problem is this: The pseudorandom numbers that go into the keystream are generated with a 24-bit random number seed (a seed is an initial value that the computer uses to generate 'random' numbers) called an initialization vector (IV).

This IV value is transmitted with every encrypted frame, in the clear and unencrypted. So a hacker can look at two encrypted frames and know whether or not they were encrypted with the same IV.

Nominally, each frame transmitted is encrypted with a different IV. The problem is, there are only 16,777,216 different IV values. That sounds like a lot, but when you have a Wi-Fi network capable of slinging data at 11 megabits per second, you can exhaust all possible IV values in about six hours if the network is in continuous, saturated use. At that point, most current Wi-Fi hardware resets the IV value to zero and begins again, so a second set of 16,777,216 frames begins to move through the air, providing a patient hacker with a full second set of frames encrypted with the same IV. After another six hours a third set begins with the same IV, and so on. In a little over a day's time, enough frames can be recorded by a hacker to allow the calculation of the secret key used to encrypt all those frames. (It takes between 15 and 25 billion bytes of data, sometimes more, to do the crack in a reasonable amount of time. Sometimes it takes less, due to 'weak' IV values. More on that a little later.)

The good news is that this is for a network that is constantly moving data, at the maximum bit rate, without pause, for an entire day. Some corporate Wi-Fi networks may be used as heavily as that. Most small office and home office networks are not, or anywhere even close. A home office network with two or three users might pass so little data that it would take months to gather enough encrypted data to do the crack.

Most hackers aren't that patient, and in truth what you have on your machine probably isn't worth that kind of effort to them (see Chapter 12). This means that for all its flaws, WEP is strong protection for lightly used networks. As I explained earlier, security isn't necessarily fool proof, but may be thought of as a wall built high enough to discourage all but the most determined intruders. The time it takes to hack into Wi-Fi networks on which WEP is enabled is what will keep you secure.

Weak Initialization Vector (IV) Values

The bad news is that there is a complication: Weak IVs. By an extremely arcane mathematical quirk, about 2% of those 16,777,216 IV values turn traitor: They 'leak' a little information about the data that they encrypt. Each frame's IV value is included with the frame, and in the clear. The IV is not encrypted! This allows password cracker utilities like AirSnort to watch for weak IV values, and it gathers packets encrypted using weak IVs until it has enough to do the crack. This can shorten the time it takes to crack WEP radically, to as little as an hour or two for a heavily used network, or perhaps a week or ten days for a lightly used home network. The time required depends completely on how often weak IVs turn up in the stream of packets passing between access points and clients.

And how often a weak IV will turn up in a transmission is almost impossible to predict. Weak IV values are not distributed evenly throughout the full range of possible IV values, and if an access point is using IVs sequentially it may use several in quick succession, and then no more for a long time. If an access point pulls IV values at random, all bets are off. You just can't tell.

Published research indicates that it takes between 60 and 256 frames of data encrypted with a weak IV to crack WEP. Weak IVs are sparse enough in the total space of 16 million IVs so that about 5 million frames must be gathered to have enough weak IVs to do the crack. Of course, a hacker can get lucky and gather weak IVs more quickly than that; it's just impossible to tell. For corporate networks in constant use, that can be as little as an hour, though usually longer. For sparsely used home networks, it could still take weeks at the very least. So if you notice a guy sitting across from your house in a car that hasn't moved for two days, with a newly grown beard, and a crate full of Power Bars… worry.

Getting rid of weak IVs entirely would at least solve this particular problem. As of this writing, Wi-Fi hardware vendors have begun to filter out weak IV values inside access points and client adapters before they're used to encrypt frames. Orinoco, as best I know, was the first product line to incorporate weak IV filtering. Others are working on it, and fairly soon weak IV filtering will be de rigueur in the Wi-Fi world. Even if you have older Wi-Fi gear, you may be able to add weak IV filtering yourself by performing a firmware update. Check with your Wi-Fi manufacturer's Web site to see if firmware updates are available for your equipment, and if so, download and install the updates.

There are other peculiar glitches that can make cracking WEP easier. Reinitializing some client adapters causes the IV sequence to reset to 0. (This is the only reason I can think of for leaving your Wi-Fi hardware powered up all the time.) If the adapter is initialized regularly, low-value IVs will be used more frequently than highvalue IVs, and the chances of a listening hacker gathering sufficient packets encrypted with the same IV increases. Certain random IV generation systems fall prey to the 'birthday paradox,' which indicates that randomly generated numbers will turn up duplicates more rapidly than simply iterating through the full sequence in order.

The 'birthday paradox' is a statistical anomaly that can be stated this way: If you have 20 people in a room (say, at a dinner party) the chances that two of them have the same birthday is about 40%. 'By inspection' this seems peculiarly high (and you can try it yourself at your next dinner party) but the math has been proven. There are more possible IVs than possible birthdays, of course, so the chances are not as bad as that, but they are still bad enough so that pulling IVs randomly is not the best way to operate.

Unfortunately, I've found that most Wi-Fi manufacturers don't talk about how their firmware works. (Some, to be fair, buy their firmware from the chip foundries that supply their Wi-Fi chipsets, or from software houses like KarlNet, and don't even know how it works!) To find out how your access point chooses IV values probably requires that you do some packet sniffing and analyze the sequence of IVs by which your data is encrypted under WEP. If you're savvy with Linux and have a Linux machine available to you, install AirSnort, learn how to interpret the data it provides, and see what your own risks are. This takes a good deal of skill and isn't for everybody, obviously, but the very best defense you can mount against the black hats is to become a white hat yourself.

Defeating AirSnort with Key Rotation

There's a pretty effective fix for AirSnort-style attacks on WEP: If you change your encryption keys before 16,777,216 frames pass over your system, duplicate IV values don't matter. (This depends, of course, on how IV values are chosen on your hardware, which is difficult to determine. If your hardware issues IVs randomly, duplicates will turn up more quickly than if IVs are issued sequentially.) Similarly, if you change your encryption keys before significant numbers of weak IV values are used, the attack will fail. It's only when duplicate or weak IV values and the same encryption key pair up that the attack is possible. Change the keys, and the hacker has to begin recording frames again, from scratch. This is why it's important to change your WEP encryption keys on a regular basis. Changing keys weekly is very strong protection for a lightly used home network. Changing them monthly is reasonably good, unless certain members of your family are constantly downloading MP3 audio or DVD video files through their Wi-Fi links. (Are they? It might be a good time to check.)

For large corporate networks that pass a lot of data, the picture is not as good. Key distribution is a difficult and time-consuming process for networks that have a lot of wireless adapters. Changing keys daily would be strong protection, but that would involve running around to every Wi-Fi client adapter on the network every morning to manually re-enter a new set of keys. Some companies are actually doing that, but it's a lot of man-hours to spend.

Automatic key update is one of the 'key' features (sorry) of both the Wi-Fi Protected Access (WPA) standard and the (further out) IEEE 802.11i task group. Automatic key update is part of a larger technology called Temporal Key Integrity Protocol (TKIP) that both WPA and 802.11i implement. Once manufacturers incorporate WPA or 802.11i features into their hardware, WEP becomes a much stronger security system. Automatic key update will generate new WEP encryption keys automatically at a preset interval (and if the machine does all the work, it can be done every couple of hours) and transmit them in encrypted form to all connected client machines, which then switch to the new keys automatically. The new keys are encrypted by the old keys, so if new keys are sent out fairly often, even once a day, WEP becomes almost uncrackable by utilities like AirSnort. We should be there by mid-2003, with any luck at all.

Of course, the AirSnort attack is not the only way to attack WEP. It's just the quickest. There's another way that you should be aware of, though it's not as much of a threat.

Brute-Force Attacks

There are basically two ways to break a password or key-protected system:

  1. Exploit some weakness in the method used to encrypt the data. Wired Equivalent Privacy (WEP) has a serious flaw in its encryption algorithm, and this well-known 'RC4' flaw is behind utilities like AirSnort and WEPCrack.

  2. Start with a dictionary of common passwords, and throw passwords at the system until you find one that works. Such dictionaries have been compiled by hacker groups around the world and can be found on the Web without a great deal of searching. (I discovered with some amusement that my last name- 'Duntemann'-is in a password dictionary assembled by hackers in Germany. Needless to say, I'm not using my last name as a password, and I often wonder who is!)

The second method tries passwords or key strings until one works. Because of something called 'social engineering' (which basically means taking advantage of other people's stupidity) a dictionary-based brute-force attack can work very quickly- if you used the name of your dog or one of your kids or a big city or something common and easily guessed. (Don't!)

A brute-force attack on WEP isn't quite that easy. WEP doesn't actually use a password made out of letters and numbers. WEP uses purely numeric key values that are actually strings of hexadecimal (base 16) digits. Some manufacturers of Wi-Fi gear use a 'key generator' to generate a hexadecimal key value from a textual word or phrase like 'Minneapolis' or 'gotta boogie all night long.' But the key itself is a simple number.

Theoretically, with a number you start at zero and count up (or start at the maximum value and count down) trying keys sequentially until one works. It's possible to eliminate some values through arcane cryptographic analysis, but what's left are still a great many keys to try.

The kicker for brute-force attacks on WEP, however, is the unavoidable time it takes to try a key. 'Guessing' doesn't have to go through the entire challenge-response conversation used by WEP, but each guess requires calculations that take a small but still significant amount of time.

Security expert Tim Newsham actually wrote a brute-force WEP attack utility, and found that a brute force attack on standard 40/64 bit WEP would take about 210 days on a typical Pentium system-and calculated that a brute-force attack on the more secure 104/128 bit WEP would take, well, longer than the remaining lifetime of our universe. (1019 years!)

Brute force attacks generally do not pick keys at random. There are a few shortcuts, and all of them are based on the sort of 'social engineering' that I mentioned earlier. Most savvy hackers begin a brute force attack with WEP keys generated from a dictionary of common passwords. To forestall this sort of attack you should not use common words or any word or phrase somehow guessable from your name or business. (That is, avoid using your spouse's name, your children's names, your dog or cat's name, the type of car you drive, things like that.) The best pass phrases for WEP key generators are remember-able but not guessable things like 1tallcool1forme2nite or i1thelottery2day. Random strings of characters are better but not very easy to remember. Do your best, and always remember the low-hanging fruit effect.

To sum up: Unless you're stupid and use an easily-guessable key, a brute force attack on standard 64-bit WEP could take several months, and is thus possible but not practical. For 128-bit WEP, brute force is simply impossible. In practical terms, even the 64-bit brute-force crack is academic, because an AirSnort-style crack could be done much more quickly in almost every case. Once the Wi-Fi Protected Access standard is implemented by manufacturers, Wi-Fi gear will support the temporal key integrity protocol (TKIP), which updates WEP keys automatically at defined intervals through encrypted transfers. When this happens, AirSnort-type attacks become much more difficult, and brute force attacks become basically impossible-because the keys would change long before a brute force attack would have the time to succeed.


Previous page
Table of content
Next page
Jeff Duntemann's Drive-By Wi-Fi Guide
Jeff Duntemanns Drive-By Wi-Fi Guide
ISBN: 1932111743
EAN: 2147483647
Year: 2005
Pages: 181
Authors: Jeff Duntemann
BUY ON AMAZON
Project Management JumpStart
Absolute Beginner[ap]s Guide to Project Management
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
Cisco IOS Cookbook (Cookbooks (OReilly))
Microsoft WSH and VBScript Programming for the Absolute Beginner
Comparing, Designing, and Deploying VPNs
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy