Security and 802.11 Wireless Networks


Wireless LANs (WLANs) conforming to the IEEE's 802.11b specification have become popular, and there's every reason to think that 802.11a and 802.11g networks will also be widely deployed in the next few years. One attraction of these wireless networks is how easy they are to implement. Unfortunately, 802.11b networks suffer from various security shortcomings. Coping with these security problems is complex and potentially costly, possibly even negating the value of such networks.

Traditional LANs shared a single medium: a copper cable and passive hubs or concentrators. These hub ports and cable taps were almost always located within a facility with some physical security that made it nontrivial for an attacker to tap into. Many modern LANs associate a single switched port to each user, limiting the span of even an authenticated internal user, much less an outside attacker. By contrast, WLANs share an ill-defined medium in free space, which almost certainly includes locations outside the physical control of WLAN administrators, such as the company parking lot, other floors of the facility, or nearby high-rise buildings. For this reason, a wireless network is fundamentally less secure than a wired one.

Acknowledging the inherent security deficiencies of WLANs, the 802.11 committee adopted an encryption protocol called Wired Equivalent Privacy (WEP). Note the rather mealy-mouthed terminology: WEP isn't positioned to provide real privacy, just privacy comparable to otherwise unprotected wired networks. Furthermore, WEP isn't positioned to provide authentication, access control, or data integrity. However, the authentication and data-integrity capabilities provided by 802.11 networks are built on a WEP foundation, so if WEP is broken, so are these mechanisms. It turns out that authentication, data integrity, and access control on 802.11 networks can be broken without breaking WEP, but WEP's failure as an encryption protocol is nevertheless a serious problem.

What's at stake if WEP encryption can be defeated? An eavesdropper can, among other things, watch and intercept traffic flows, including e-mail, browsing, file transfers, and remote terminal sessions. An eavesdropper can also map and capture all conversations on the network, including management and configuration processes, as well as end-user data; or capture IDs and passwords that users employ to log in to other networks and resources.

WEP Deficiencies

How serious are WEP's deficiencies? Before answering that question, I'll first have to discuss how WEP operates. WEP uses a stream cipher named RC4, which means that it uses a shared secret key to generate an arbitrarily long sequence of bytes from a pseudorandom number generator. This stream is XORed with the plaintext to produce the encrypted ciphertext. (RC4 encryption works successfully with Secure Sockets Layer (SSL), the encryption protocol that lets you breathe easier when you use credit cards to make purchases on the Web.)

Early 802.11b networks used 40-bit keys because of the federal government's restrictions on encryption in those days, but most current components use 104-bit keys. Hackers can crack a 40-bit key with a brute-force attack in just hours with modern PCs, but for now, a brute-force attack on a 104-bit key would take longer than the current age of the universe, so there's little to worry about on that front.

It's easy to break RC4 encryption if a second instance of encryption with a single key (a keystream reuse) can be isolated. The WEP designers were aware of this problem, and they built into WEP a so-called Initialization Vector (IV), a 24-bit value that changes with each packet and is appended to the unchanging shared secret key to minimize the likelihood of "key collision."

The IV is carried in the clear in each packet; otherwise the receiver couldn't set up the RC4 engine for decryption. Because 2^24 is 16,777,216, it initially appears that an eavesdropper would have to capture many millions of packets to identify keystream reuse instances, but thanks to the "birthday paradox," a key collision is likely to occur after only 5,000 or so packets. (The birthday paradox uses elementary probability techniques to demonstrate that the odds are greater than even that, out of a group of 23 randomly chosen people, at least two of them will have the same birthday.)
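
The keystream reuse and birthday-paradox figures described above, worked through in Python as an added example (not part of the original tutorial). The key, IVs and payloads are constructed sample values, and the RC4 seed is assumed to be the IV concatenated ahead of the shared secret.

```python
import math

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling, then generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plain: bytes) -> bytes:
    # Per-packet RC4 seed: the 24-bit IV concatenated with the shared secret.
    return xor(plain, rc4(iv + secret, len(plain)))

def reuse_leak(iv: bytes, secret: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts sent under the same IV: the keystream cancels."""
    return xor(wep_encrypt(iv, secret, p1), wep_encrypt(iv, secret, p2))

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday approximation: chance of a repeated IV among random IVs."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * 2 ** iv_bits))

def packets_for_even_odds(iv_bits: int = 24) -> int:
    """Smallest packet count at which a repeated IV is more likely than not."""
    n = 2
    while iv_collision_probability(n, iv_bits) < 0.5:
        n += 1
    return n

if __name__ == "__main__":
    secret = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit key
    p1, p2 = b"GET /index.html ", b"USER alice PASS "       # constructed payloads
    leak = reuse_leak(b"\x00\x00\x01", secret, p1, p2)
    print(leak == xor(p1, p2))    # ciphertext XOR equals plaintext XOR
    print(xor(leak, p1))          # knowing one plaintext reveals the other
    print(packets_for_even_odds(), round(iv_collision_probability(5000), 3))
```
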

If this problem weren't serious enough, Fluhrer, Mantin, and Shamir, in "Weaknesses in the Key Scheduling Algorithm of RC4" (see Resources), identified a further problem with RC4. This paper demonstrates that a fraction of the keys in RC4 are weak, revealing more of the structure of early bytes in the output than they ought to. By exploiting the statistical properties of this weakness, an attacker can crack any message in hours, independently of other attacks. AirSnort (http://airsnort.shmoo.com/), one of the best-known WEP cracking tools, employs this attack.

Even assuming a less than fully loaded network, an attacker can create a full keystream dictionary in just a few days. Various vendor-specific implementation choices can reduce this crack time substantially. The 802.11 standard doesn't specify a key distribution method, so vendor algorithms generating shared secret keys from passwords might be subject to simple dictionary attacks that greatly reduce the problem of guessing the key. The general reliance on out-of-band (usually manual) key distribution ensures that keys won't be changed often. Attackers capable of sending data into the network can speed up the key-cracking process in various ways. (See "Intercepting Mobile Communications: The Insecurity of 802.11," at www.isaac.cs.berkeley.edu/isaac/mobicom.pdf for more details.)

Authentication Issues

Authentication failures result in unknown users on the network. An attacker who intends to crack WEP or misuse network resources must first authenticate successfully. (A large fraction of 802.11 networks are configured with the authentication system turned off, so a person who wants to attack one of these systems wouldn't even have to take the simple steps listed here.)

The 802.11 specification supports a two-step form of authentication. Potentially participating stations must respond correctly to a cryptographic challenge (the authentication step) and then associate with an access point by submitting the access point's Service Set Identifier (SSID). The association step adds little security to the system; some vendors provide clients with a list of SSIDs to choose from. But all vendors broadcast the SSID values in the clear, so a protocol analyzer with a wireless card can find these values in seconds.

The authentication step relies on RC4 encryption, as WEP does. The problem isn't the insecurity of WEP as such, or of RC4 in itself. Again, it's an issue of implementation. An access point issues a cryptographic challenge by encrypting a random string with the shared secret key using RC4. The initiator must decrypt the challenge and send the plaintext back to the access point, which compares the decrypted plaintext with the original random string. If they match, the initiator is authenticated.

By capturing only two frames (the challenge frame and a successful response frame), an attacker can easily derive a keystream that will successfully decrypt future challenges. An integrity check is built into WEP systems, presumably to prevent this replay attack. But the integrity check is based on the Cyclic Redundancy Check (CRC) mechanism that many data-link protocols use, and CRC doesn't depend on a cryptographic key, so it's easy to get around this obstacle.

In addition, attackers can use a well-understood method to make arbitrary changes to a message, so the checksum of the changed message is the same as that of the original. This data-integrity failure not only implies that an attacker can modify any content (for example, the position of a decimal point in a financial document), but it also lets attackers use the checksum to assess the correctness of their decryption attempts.
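
Why an unkeyed CRC cannot protect integrity under an XOR stream cipher, shown beside a keyed check, as an added Python example that is not from the original tutorial. The keystream is a SHAKE-256 stand-in for RC4, HMAC-SHA-256 is an illustrative keyed MAC rather than anything 802.11 specifies, and all keys and payloads are constructed.

```python
import hashlib, hmac, zlib

MAC_KEY = b"constructed integrity key"    # sample value for this demo

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(label: bytes, n: int) -> bytes:
    # Stand-in for RC4 output; any XOR keystream behaves the same here.
    return hashlib.shake_256(b"constructed cipher key" + label).digest(n)

def icv(data: bytes) -> bytes:
    """WEP-style integrity value: plain CRC-32, computed without any key."""
    return zlib.crc32(data).to_bytes(4, "little")

def seal_crc(plain: bytes) -> bytes:
    body = plain + icv(plain)
    return xor(body, keystream(b"crc", len(body)))

def open_crc(frame: bytes):
    body = xor(frame, keystream(b"crc", len(frame)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def seal_mac(plain: bytes) -> bytes:
    ct = xor(plain, keystream(b"mac", len(plain)))
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_mac(frame: bytes):
    ct, tag = frame[:-32], frame[-32:]
    good = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return xor(ct, keystream(b"mac", len(ct)))

def crc_patch(delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    return xor(icv(delta), icv(bytes(len(delta))))

def compare(plain: bytes, wanted: bytes):
    """Apply one in-transit change to both frame types; return what each receiver accepts."""
    delta = xor(plain, wanted)
    crc_frame = xor(seal_crc(plain), delta + crc_patch(delta))
    mac_frame = seal_mac(plain)
    mac_frame = xor(mac_frame[:-32], delta) + mac_frame[-32:]
    return open_crc(crc_frame), open_mac(mac_frame)

if __name__ == "__main__":
    print(compare(b"AMOUNT 0100.00", b"AMOUNT 01000.0"))
```

The CRC-protected frame is accepted with the decimal point moved, while the receiver checking a keyed tag rejects the same change.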

Properly authenticated and associated clients are often given full access to the wireless network. Even without cracking WEP encryption, attackers can access wired networks connected to the wireless one, and perform illegal, embarrassing, or otherwise undesirable acts that reflect badly on the network administration. Attackers can also spread viruses and Trojan Horse programs, and perform local or remote Denial of Service (DoS) attacks.

The 802.11 and WEP mechanisms say little about enhanced access control. Some access-point vendors build in a MAC address table that can serve as an access-control list, accepting traffic only from clients whose MAC address appears on the list. The problem is that MAC addresses are necessarily transmitted in the clear, so a wireless protocol analyzer can pick them up immediately. In general, you can configure wireless NICs with different MAC addresses, so a spoofing attack on this form of access control is trivial.

Protective Responses

It should be clear that the 802.11 families of wireless products share serious deficiencies in privacy, confidentiality, data integrity, and provisions for safety from various other attacks. That isn't to say that WEP is useless. A home network that isn't connected to an enterprise network, isn't part of a commercial operation, and has no confidential, illegal, or embarrassing online content will provide little incentive for an attacker to defeat WEP authentication and encryption. Every other 802.11 network should be accessible only via VPN login or equivalent mechanisms.

Network managers should periodically audit their facilities for rogue 802.11 networks. Wireless traffic should be outside the enterprise firewall or within the Demilitarized Zone (DMZ). User-initiated wireless networks probably won't be outside the secure perimeter and offer a juicy target for attackers, whatever their motives. In fact, user-initiated networks are likely to be implemented without authentication and WEP, which is as big a security hole as can be imagined.

The principal deficiencies of 802.11 security are the result of security implementation by software and hardware engineers who lack sufficient understanding of real-world security. The security experts who criticized WEP implementation from the beginning weren't simply tooting their own horns. Some of the choices seem elementary, such as the use of CRC for integrity assurance.

Similarly, security textbooks emphasize that RC4 keys ought never to be repeated, not just limited to once every 16 million packets. No doubt there were performance, power consumption, and cost constraints that entered into the poor decisions. Every packet of an 802.11 wireless network requires a lot of processing work, and radios are often finicky performers. Wireless LAN implementations prior to 802.11b had lousy performance and no security, so even WEP was a step in the right direction.

The 802.11 committees are aware of these shortcomings. The 802.1X committee has defined a standard for authentication and key management for Ethernet and other 802-numbered data-link technologies that should eventually be integrated with 802.11 systems. Proposals to strengthen or replace WEP are also in discussion. All the problems identified so far can be addressed, but delays of months or years are almost certain where standards organizations are concerned. In the meantime, the need to add security features beyond those built into the 802.11 protocols will undermine the attractive simplicity of wireless networks.

Resources

The Unofficial 802.11 Security Web Page, www.drizzle.com/~aboba/IEEE, has a comprehensive list of relevant materials.

"Intercepting Mobile Communications: The Insecurity of 802.11," by Nikita Borisov, Ian Goldberg, and David Wagner, can be found at www.isaac.cs.berkeley.edu/isaac/mobicom.pdf. This paper is one of the most clear and understandable descriptions of cryptographic subjects to be found anywhere. It explains WEP thoroughly and precisely and presents the problems associated with keystream reuse.

"Weaknesses in the Key Scheduling Algorithm of RC4," by Scott Fluhrer, Itsik Mantin, and Adi Shamir, can be found at www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf. The details provided in this paper are probably beyond the ability of security civilians, but these findings provide the basis for AirSnort, a widely available cracking tool. You can find out more about AirSnort and download the software at http://airsnort.shmoo.com/.

With a laptop outfitted with NetStumbler (www.netstumbler.com/), you can find unauthorized wireless networks, assess the reachability of authorized networks, or go war driving and find all the wireless access points in the neighborhood.

The protocol analyzers from Network Associates (www.nai.com), WildPackets (www.wildpackets.com), and Network Instruments (www.networkinstruments.com), among others, can decode wireless traffic when outfitted with supported wireless interface cards.

This tutorial, number 167, by Steve Steinke, was originally published in the June 2002 issue of Network Magazine.

 


Network Tutorial
Lan Tutorial With Glossary of Terms: A Complete Introduction to Local Area Networks (Lan Networking Library)
ISBN: 0879303794
EAN: 2147483647
Year: 2003
Pages: 193
