Basic 802.11 Security and Its Known Problems

When IEEE 802.11b was first defined, its security depended on two basic security mechanisms: the SSID and WEP. Some manufacturers have added MAC address filtering to their products.

Service Set ID (SSID)

The SSID is a string used to define a common roaming domain among multiple access points (APs). Different SSIDs on APs can enable overlapping wireless networks. The SSID was once thought to be a basic password without which the client could not connect to the network. However, this claim is easily overridden, since APs broadcast the SSID multiple times per second and any 802.11 analysis tool, such as AirMagnet, NetStumbler, or WildPackets AiroPeek, can read it. Because users often configure the clients themselves, this so-called password is often widely known.

Should you change your SSID? Absolutely. Although the SSID does not add any layer of security, it should be changed from the default value so that other people do not accidentally use your network.

Wired Equivalent Protocol (WEP)

The IEEE 802.11b standard also defines an authentication and encryption method called WEP to mitigate security concerns. Generally, authentication is utilized to protect against unauthorized access to the network, whereas encryption is used to defeat eavesdroppers who may try to decrypt captured transmissions. 802.11 uses WEP for both encryption and authentication.

Four options are available when using WEP:

  • Do not use WEP.

  • Use WEP for encryption only.

  • Use WEP for authentication only.

  • Use WEP for both authentication and encryption.

WEP encryption is based on RC4, which uses a 40-bit key in conjunction with a 24-bit random initialization vector (IV) to encrypt wireless data transmissions. (This is why you may see some 802.11b systems labeled as having 64-bit encryption. They are no different than those labeled as having 40-bit encryption keys.) If enabled, the same WEP key must be used on all clients and APs for communication. Most vendors today also offer 128-bit WEP (which uses a 104-bit key). This is a stronger encryption method that makes it more difficult for eavesdroppers to decipher over-the-air transmissions. Although it is not part of the IEEE 802.11b standard, this mode has been implemented on many different vendors' products, some of which are not interoperable.

To prevent unauthorized access, WEP also defines an authentication protocol. Two forms of authentication are defined by 802.11b: open system and shared key. Open system authentication enables any 802.11b client to associate with the AP and skip the authentication process. No authentication of clients or encryption of data occurs. It can be used for public access WLANs, which can be found in coffee shops, airports, hotels, conference centers, and other similar venues where the public is invited to use the network. Typically, the open network authenticates the user with a user name and password over a secure login web page. For closed networks such as the home or enterprise, this mode can be used when other methods of authentication are provided.

Using shared key authentication, the AP sends a challenge phrase to the client radio that is requesting authentication. The client radio encrypts the challenge phrase using the shared key and returns it to the AP. If the AP successfully decrypts it back to the original challenge text, it proves that the client has the correct private key. The client is then allowed to make a network connection.

To the casual observer, it would seem that the shared key authentication process is more secure than the open system authentication process. However, since both the challenge phrase (which was sent in cleartext) and the encrypted response are available to anyone listening, a hacker can derive the WEP key. Thus, neither open system authentication nor shared key authentication is secure.

Because the 802.11 standard relies on external key management services to distribute the secret keys to each station and does not specify key distribution services, most 802.11 client access cards and APs rely on manual key distribution. This means that the keys remain static unless the network administrator changes them. Obvious problems result from the static nature of the keys and the manual process of key management, because changing the keys on each station in a large network can be extremely time consuming. If a station is lost due to theft or accident, the keys will need to be changed on all stations. Furthermore, given the mobility of the population and without a convenient way to manage this task, the network administrator may be under great pressure to accomplish this in a reasonable time frame.

Another concern about the robustness of WEP is that it only provides at most four shared static encryption keys. This means that the four encryption keys are the same for all clients and APs every time a client accesses the network. With enough time, physical proximity, and tools downloaded from the Web, hackers can determine the encryption key being used and decrypt data. Since the whole company is using the same set of keys at any one particular time, it is just a matter of a few hours before enough data is collected to crack a 128-bit key.
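The two weaknesses just described, the cleartext challenge paired with its encrypted response, and a 24-bit IV space shared by every station using the same static keys, both come down to the same stream-cipher property. The following is an added illustration written for this page, not code from the Wi-Fi Handbook or any vendor: a toy model of WEP's RC4 usage in which the key, IV and frame contents are constructed sample values, and the CRC-32 integrity check value is omitted because it does not affect the argument.

```python
# Added example (not from the Wi-Fi Handbook): a toy model of WEP's RC4 usage
# showing why the shared-key handshake and IV reuse expose the keystream.
# All key, IV and frame values below are constructed, not captured traffic.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA), then PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is the 24-bit IV prepended
    to the static 40-bit (5-byte) or 104-bit (13-byte) shared key. The CRC-32
    ICV is omitted here; it does not change the keystream argument."""
    assert len(iv) == 3 and len(static_key) in (5, 13)
    return xor(plaintext, rc4_keystream(iv + static_key, len(plaintext)))

def keystream_from_known_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Observer's view: a cleartext challenge and its encrypted response give
    keystream = challenge XOR response for that IV, with no key knowledge."""
    return xor(plaintext, ciphertext)

def demo() -> dict:
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    iv = bytes.fromhex("aabbcc")               # constructed 24-bit IV
    challenge = b"constructed 128-byte challenge text".ljust(128, b".")
    response = wep_encrypt(key, iv, challenge)  # what the client sends back
    ks = keystream_from_known_pair(challenge, response)
    # A later data frame that reuses the same IV (only 2**24 values exist, so
    # repeats are inevitable on a busy WLAN) is readable from the recovered
    # keystream alone; the static key never had to be learned.
    frame = b"constructed data frame sharing IV aabbcc"
    leaked = xor(wep_encrypt(key, iv, frame), ks[:len(frame)])
    return {"keystream_ok": ks == rc4_keystream(iv + key, 128), "leaked": leaked}
```

The model shows why a fresh per-packet key derived from the IV alone cannot help when the IV space is this small and the static key never changes; this is the defect the passage above describes, and the reason later standards replaced WEP entirely.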

Since WEP can be cracked, should you use WEP? If you have nothing else, use WEP to make it more difficult for potential hackers or spammers. You don't want to have your bandwidth stolen for someone else's illegal activities. This is the equivalent of asking, "Since locks can be picked, should I bother locking the door?"

MAC Address Filtering

Besides the two basic security mechanisms that 802.11 provides, many companies implement MAC address filtering in their products. This mechanism is not flawless either.

The MAC address filter contains the MAC addresses of the wireless network interface cards (NICs) that are permitted to associate with a given AP. Some vendors provide tools to automate the entry and update processes; otherwise, this is an entirely manual process. A MAC filter is also not very strong security, since it is easy to discover known good MAC addresses with a sniffer. Then, using Linux drivers available on the Internet for most 802.11 client access cards, you can configure the sniffed MAC address into the card and gain access to the network. Although not perfectly secure, MAC address filtering is one more layer on the onion: it makes it more difficult for someone to gain access.

The other two steps mentioned by the Wi-Fi Alliance, use of session keys and a VPN system, are good, workable solutions for securing Wi-Fi. In order to understand how much security is needed for a particular application, it is important to understand the threats and potential attacks.

Wi-Fi Handbook: Building 802.11b Wireless Networks
ISBN: 0071412514
Year: 2003
Pages: 96