Chapter 10: WLAN Risk and Threat Mitigation


Now that you have learned the tools and techniques of the potential adversary, it is time to follow through with the second part of Sun Tzu's strategy described in the introduction to the last chapter. This chapter helps you close the gaps in your knowledge of your Wireless Local Area Network (WLAN) adversary and so complete the strategy of "know the enemy and know yourself" that Sun Tzu advocated. Its purpose is to teach you the tools and techniques necessary to protect your network against cyberadversaries.

10.1 Mitigating Static WEP Risks with TKIP

The Temporal Key Integrity Protocol (TKIP) is a replacement for Wired Equivalent Privacy (WEP) in the 802.11i specification for wireless network security. WEP is a flawed security protocol that is part of the 802.11 standard. TKIP includes several features that eliminate the risks present in the current version of WEP. A hashed Initialization Vector (IV) is added to the WEP key; the result becomes the session key used to encrypt traffic, and it helps protect against sniffing exploits that allow attackers to eavesdrop on connections and impersonate legitimate stations. TKIP also adds the ability to generate dynamic keys to help protect against brute-force key-cracking attacks, which are sometimes used against the static keys found in WEP. The integrity of packets is guaranteed through a Message Integrity Check (MIC) [1], also known as "Michael," which helps protect against key-cracking attacks based on replay and packet-injection techniques. WiFi Protected Access (WPA) supports TKIP. WPA is an interim protocol developed by the WiFi Alliance as a solution to the security issues discovered in WEP until the 802.11i specification is complete.

10.1.1 Overview of WEP and TKIP

Although WEP has inherent flaws, it is still appropriate for use in some wireless networks and is better than no security at all. TKIP was designed to be backward compatible with WEP: when needed, TKIP-enabled devices can step down to WEP in order to interoperate with WEP-only equipment. An overview of the WEP and TKIP protocols is given in the following sections.

WEP

The designers of the 802.11 standard intended WEP to provide a level of security on the wireless network roughly equivalent to that of a wired network through the use of simple authentication and encryption. Encryption prevents eavesdroppers from gathering data passed across the network in cleartext. Authentication keeps unauthorized users from accessing the network.

Cracking WEP is not as easy as the media makes it out to be. It takes a significant amount of work to crack WEP and find a usable WEP key. It requires a large number of packets, long periods of time, and a fast CPU to process the packet information in order to derive the WEP key. The upper time limit required to crack WEP is assessed at between one and two days; however, automated WEP cracking software can collect enough packets in three to four hours to exploit WEP's vulnerabilities. On the other hand, if there is very low traffic volume, it can take days to collect enough information for an attack to be effective. The number of packets required to successfully crack WEP is a matter of probability and varies from key to key. The attacker may listen and gather packets at various times, looking for the optimum time to take advantage of weaknesses. Attackers look for times when security monitoring may be less active, such as during nonworking hours. WEP was not intended to be a complete security solution but still serves its purpose for baseline security within the WLAN environment. It is not a trivial task to crack WEP. WEP offers simple authentication and data encryption, and it is better than having no security at all on the WLAN. WEP can also be effective where data privacy is concerned. The wired network connected to a WLAN that uses only WEP must deploy additional security measures as part of a complete WLAN security solution to make up for the vulnerabilities inherent in WEP.

TKIP

The IEEE 802.11i task group developed the Dynamic Temporal Key Integrity Protocol (TKIP) as the encryption standard for WLANs and the next generation of WEP [1] to correct the weak- and static-key security vulnerabilities of WEP. TKIP was designed as an alternative for those requiring security more robust than WEP but less than that provided by more full-featured security solutions such as 802.1x/EAP and IPSec VPNs. TKIP uses a message integrity check and a rekeying mechanism to fix the flaws of WEP. If WEP is the only security feature being used on the WLAN, firmware upgrades that support TKIP should be applied to the hardware in use. To address the security weaknesses in WEP, TKIP provides a cost-effective alternative to expensive advanced wireless security solutions. WEP data privacy problems still exist in 802.1x implementations because they address only access control and authentication.

Static WEP keys are still used as keying material in TKIP, but this is made into a type of dynamic WEP solution by rotating the WEP keys on a variable time interval. Another form of dynamic WEP is the 802.1x Extensible Authentication Protocol (EAP) solution. Although TKIP is still a hardware-based shared-key solution, it fixes these weaknesses through the use of authentication based on user criteria such as passwords or certificates.

10.1.2 How TKIP Addresses the Weaknesses in WEP

TKIP is a set of modifications the IEEE 802.11i task group created to mitigate the security issues found in the existing WEP algorithm. WEP is susceptible to forgery, weak-key, collision, and replay attacks. The algorithms in TKIP address these weaknesses. WEP does not support per-packet authentication, which leaves it vulnerable to forgery attacks: encrypted packets can be captured, some of the data changed, and the modified packets resent. TKIP mitigates this risk through the Message Integrity Check (MIC), which verifies whether the message has been tampered with during transmission by means of a verification value sent with the data packet to the receiver. The MIC feature does add a significant amount of network overhead and can result in decreased network throughput. This degradation should be considered when deciding whether to use TKIP as part of a WLAN security profile.

The per-packet RC4 key is constructed in WEP by concatenating the RC4 base key and the packet Initialization Vector (IV). A weak-key attack derives the RC4 base key by analyzing a series of packets with different IVs, exploiting WEP's static-key problem. TKIP mitigates this risk through key mixing to derive short-lived encryption keys. The process begins with a 128-bit "temporal key" shared between clients and access points. The key that encrypts the data is produced by combining the temporal key with the client's MAC address and a relatively large (48-bit) initialization vector. As a result, each station uses a different key stream to encrypt its data. In TKIP's dynamic scheme the temporal keys are by default changed every 10,000 packets, to minimize cracking opportunities for eavesdroppers and to eliminate eventual key duplication. Because the volume of traffic varies across the network, the timing of TKIP's key changes also varies, making it unpredictable and harder to exploit than WEP.

TKIP increases the number of bits used for the IV from 24 to 48 to increase the possible number of IVs that can be used and discards packets received with numbers that are lower than previous packets so that duplicate keys are not possible. This eliminates the risk of collision attacks. Collision attacks occur when repeated keys using the same IV are used. Such reuse would allow transmitted data to be recovered by an attacker over time.

A replay attack occurs when an attacker eavesdrops on and records transmitted data. The recorded data is then replayed at a later time. A replay attack on a security protocol reuses messages from a different context, substituting false or erroneous data into the original message and thereby fooling the honest participant(s) into thinking they have completed the protocol exchange without incident. TKIP addresses this type of attack with a sequence number for generated packets. After the TKIP keys are regenerated, both the sender's and the receiver's sequence counters are reset to zero and start over. The sequence is incremented by one for each packet sent, and the receiver discards any packet that arrives out of sequence. A replay attack cannot be detected by the MIC.
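The two defences just described, per-station per-packet key derivation (Section 10.1.2, key mixing) and the receiver-side sequence check against replay, as an added illustration that is not code from the book. The key-mixing function uses HMAC-SHA256 as a stand-in for TKIP's real phase-1/phase-2 mixer, so it shows the property (keys bound to the temporal key, transmitter address and 48-bit counter) rather than the exact 802.11i algorithm; the temporal key and MAC addresses are constructed sample values.

```python
# Added illustration of two TKIP defences: per-station, per-packet key
# derivation and the receiver's sequence-counter replay check.
import hashlib
import hmac

WEP_IV_BITS = 24    # WEP's 24-bit IV, prepended in the clear to the base key
TKIP_TSC_BITS = 48  # TKIP's 48-bit sequence counter, also used as the IV


def wep_packet_key(base_key: bytes, iv: int) -> bytes:
    """WEP: the per-packet RC4 key is simply IV || base key, so every
    packet's key ends in the same static base-key bytes."""
    assert 0 <= iv < 2 ** WEP_IV_BITS
    return iv.to_bytes(3, "big") + base_key


def mixed_packet_key(temporal_key: bytes, ta: bytes, tsc: int) -> bytes:
    """TKIP-style mixing: bind the 128-bit temporal key to the transmitter
    address (ta) and the 48-bit counter so no two stations or packets share
    a key. HMAC-SHA256 is a stand-in, NOT TKIP's S-box based mixing function."""
    assert len(temporal_key) == 16 and len(ta) == 6
    assert 0 <= tsc < 2 ** TKIP_TSC_BITS
    msg = ta + tsc.to_bytes(6, "big")
    return hmac.new(temporal_key, msg, hashlib.sha256).digest()[:16]


class TkipReplayCheck:
    """Receiver side: remember the last counter seen from each transmitter
    and discard anything that is not strictly newer; reset on rekey."""

    def __init__(self) -> None:
        self.last_tsc = {}  # transmitter address -> highest counter accepted

    def accept(self, ta: bytes, tsc: int) -> bool:
        # Equal or lower counter means a duplicate or replayed frame.
        if tsc <= self.last_tsc.get(ta, -1):
            return False
        self.last_tsc[ta] = tsc
        return True

    def rekey(self) -> None:
        # New temporal keys: both sides restart their sequence from zero.
        self.last_tsc.clear()


if __name__ == "__main__":
    tk = bytes(range(16))                          # constructed temporal key
    sta = bytes.fromhex("001122334455")            # constructed station MAC
    rx = TkipReplayCheck()
    print("first frame accepted:", rx.accept(sta, 1))
    print("replayed frame accepted:", rx.accept(sta, 1))
    print("mixed key for frame 1:", mixed_packet_key(tk, sta, 1).hex())
```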

10.1.3 When and How to Use TKIP and WEP

Many wireless security companies base their marketing strategy on the vulnerabilities of WEP. Even if the hacker is on a fully used wireless network using WEP cracking tools such as WEPcrack [3] or Airsnort [4], it can take hours or days to collect enough packets to exploit WEP. It is unlikely that a hacker is going to spend the extensive effort (hours or days) needed to crack a WEP key on a home or SOHO network. It is also unlikely that a hacker is going to target a corporate system unless they have inside information about the value of the information stored on the WEP-protected network.

Although superior to WEP, TKIP is not intended to be a long-term solution. TKIP provides only minimal security on the devices on which it is used and significantly degrades network performance. TKIP will be an interim solution until WEP is replaced by AES, which will eliminate the vulnerabilities of WEP and provide a stronger solution than TKIP through the use of the Rijndael algorithm instead of RC4.

For the near term, WEP and TKIP will continue to be the solution of choice for some wireless networks because faster hardware is required to process the AES algorithm, and older hardware cannot be upgraded to support it. Although AES devices will likely be backward compatible, the continued use of the older hardware will require the use of WEP or TKIP to communicate securely, albeit in a less secure manner than AES.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153
