Wireless Security
Notes from the tutorial at Usenix Security 2002
A good general security aphorism: When your system depends on everyone
adhering to the rules in order for it to work, it is open to attack.
Wireless policy
We should have a clearly stated policy, findable on the security site
and the policy page, about not putting up rogue wireless access points, and
why it's a bad idea to do so. Also we should give information about wireless
security issues and the need for end-to-end encryption.
Exposures to consider with wireless
- Technology problems, e.g., interoperability
- Theft of hardware (card fits easily in pocket, laptops are stealable)
- Masquerading (can alter MAC easily, get past
MAC-based authentication) - AP authenticates systems, not users.
- Viruses - speakers believe wireless-tailored viruses are only a matter
of time.
- Eavesdropping - sniffing the wireless portion of the net is trivial because
authentication isn't required for that. Authentication just gets you past
the AP onto the wired net.
- Authorization vulnerabilities
WEP
Purpose is to provide Wired Equivalent Privacy -- i.e., (only) the level of
privacy you'd get if using a wired connection. However, it fails to achieve
this. RC4 encryption would work fine but not implemented correctly. Note again
that WEP only protects transmissions in the air.
One thing that stops people from using WEP is that there is no mechanism for
sharing keys between Access Points. Each Access Point must be contacted separately
to manage keys. This contributes to either not using WEP at all, or never changing
the keys once established.
WEP is flawed even if it worked well encryption-wise. For performance reasons,
it doesn't encrypt the SSID and in general doesn't encrypt management packets.
SSID=Service Set Identifier, an identifier attached to packets sent over the
WLAN that functions as a password for joining a particular radio network (BSS,
"basic service set"). All radios and access points within the same
BSS must use the same SSID or their packets will be ignored. Note that wireless
configuration information, including WEP key, is either stored on the card itself
(and therefore stealable by stealing the card) or stored locally on the system
-- and again stealable by either breaking in or by stealing the laptop. Cisco
stores information on the card; Lucent stores it locally on the system -- under
Windows it's stored in a world-readable registry key!
Most implementations use the default SSID anyway, so sniffing it or locating
it on the system or card isn't necessary. See www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults
for a list.
Lots of problems with WEP
- CRC check chosen for authentication is weak. It was never
designed for authentication, but only for detecting problems in data integrity.
It is possible to modify a message while maintaining a valid CRC. You can
also inject messages this way. The 40-bit ascii string generator used causes
the same 40-bit key to be generated again by the pseudo-random number generator
every 2^24 times. It takes about 35 seconds on a 500Mhz PIII to derive the
key. The 128-bit key generated for WEP doesn't suffer these particular problems,
as it relies on MD5, not CRC.
- Keystream reuse. Note again that the shared key is static
and due to inconvenient management, is rarely if ever changed. The randomness
of the keystream depends on the Initialization Vector, which is repeated after
about 16 million packets. For a given initialization vector, the keystream
doesn't change. When the keystream is reused, two messages end up encrypted
with the same keystream. In addition, most clients simply reset the IV to
0 and begin incrementing by 1 for each packet, hardly random. There are lots
of collisions, and each collision makes it easier to mathematically derive
the keystream. An easy attack involves sending a bunch of known packets, like
pings, and then watches the replies, which he knows to be a static IV plus
ciphertext version of a known reply.
- Key Scheduling Algorithm used with RC4. A paper indicates
that an attacker can gain access via this vulnerability to an entire WLAN
in less than 15 minutes. It requires 1-8 million packets, and is not particularly
CPU intensive. The root of the problem is the "known plaintext"
of the IV prepended to the key, which leads to a weak key. RC4 isn't the culprit,
the poor key choice is. Longer keys won't help with this problem -- the attacker
recovers each key byte individually, so longer keys cause the attack to scale
linearly, not exponentially as one would normally expect for a longer encryption
key. Practically speaking, 128-bit keys are no more secure against this attack
than 40-bit.
So, you don't need to steal the card or look at the WEP key on the local hard
drive, registry, wherever - you can trivially derive it.
Current 802.11b authentication options
- Open is the default, meaning any client can associated
with an access point. That doesn't mean they would be handed an IP address,
though, or able to get past the access point. Note that it does mean they'd
have access to the wireless portion of the network, even if they can't get
past the access point onto the wired net.
- Shared key authentication uses a shared secret key (i.e.,
the WEP key) to authenticate the client to the AP. This is massively flawed,
though, unfortunately: the client sends an authentication frame to the AP,
which responds with a 128-bit challenge. The client replies with the same
challenge sent back encrypted with the shared key. AP then replies with
a "success" authentication if the decrypted version of the challenge
matches the original.
- Closed Network - no broadcast SSID in the beacon packet.
Netstumbler (see below) won't find AP's that don't broadcast the SSID. However,
clients must know the SSID already in order to connect to closed networks.
- Captive Portal - this is what many hotels or cafes use
for network access. AP's are all on a separate network, and traffic isn't
passed without successful authentication, usually MAC-based. Can still sniff
the wireless portion, though.
Current 802.11b Authorization
MAC layer. Can configure the AP to talk only to specific MAC addresses. This
controls access to the wired network, note, not the wireless portion.
WEP keys are totally insecure because it's easy to obtain the key. However,
for knob-rattlers and other casual intruders (script kiddies), WEP is substantially
better than nothing, since it makes the difference between some
(small) effort and no effort. It is currently so unused that no one
bothers to exploit it - there are too many totally unsecured wireless networks
around to make even the trivial effort involved worthwhile. It can still help
protect against casual snoopers and bandwidth theft.
Note about security model with wireless in general: in the wireless phone/pager
service world, security meant prevention of fraud - protection of provider's
ability to bill users and get money. NOT protection of user privacy, or user
anything, particularly data.
Terminology
An access point typically connects wireless with wired networks. If it connects
two wireless nets, it's technically an "extension point".
Things to watch out for with implementation
Access Point placement - because channels are spaced at 5Mhz,
while bandwidth itself is 22Mhz (FCC specification), you can get interference
if you have 2 channels right next to each other. Roaming can be achieved by
having slightly overlapping AP areas, using *different* channels.
Can increase capacity and bandwidth by:
- reducing physical coverage area per AP
- reducing client-to-AP ratio
- using aggregation to increase AP-to-client ratio using load balancing.
Note that you can really have only three AP's in the latter setup, because
only three channels can be used in the same space without some overlap &
interference.
Two most common mistakes made: not changing the default SNMP community strings
and the default SSID.
Best practices
- enable WEP
- change your SSID from the default
- change your SNMP community string
- disable broadcast of SSID
- change the password on the AP
- periodically survey your own site
- use MAC address filtering, think about whether you really want to use DHCP
on your wireless network
- encourage use of end-to-end encryption (SSL, SSH, VPN) for confidentiality
and privacy
- Expand IDS to include WLAN activity
- Update security policies to specifically address wireless net.
Differences between the 802.11x's
- 802.11b - what we use now, aka "WiFi". Operates
in 2.4Ghz range. Residential Gateways & Enterprise Access Points tend
to be identical hardware but different firmware, the residential gateway being
limited to, say, 10 clients at a time. Access Servers usually include built-in
Radius or some mechanism for talking to an authentication server. Outside
Routers usually don't talk directly to clients
- 802.11a operates in 5Ghz range. Has data rates of 20Mbps
and up, uses Intersil's Orthoganal Frequency Division Multiplexing (OFDM),
a much more efficient encoding method. TI's Binary Convolution Coding (PBCC)
was a contender, but not chosen -- however, may be supported as an option.
- 802.11g uses same 2.4Ghz range, but is much more efficient
in transmission technology and so allows higher throughput than 802.11b.
802.11a is closer to completion now than 802.11g (still 2.4Ghz range, but more
efficient data transmission), but probably will never completely replace 802.11g
or b. For one thing, in some countries the 5Ghz spectrum is licensed, sometimes
by the military. It also uses more power than the other two. However, new plasma
light bulb technology, 75% more efficient, operate in 2.4Ghz range, so may help
drive adoption of 802.11a in some areas, since operation of these lights would
crater an 802.11g or b WLAN. Note that neither 802.11g *nor* 802.11a is likely
to be usable as a simple firmware upgrade for wireless equipment. Simply too
different from 802.11b.
The Future
Planned improvements to WEP
- Short-term: a lightweight protocol called TKIP (previously
called WEP v. 2, but the name WEP is now considered somewhat tainted). This
can be implemented on existing hardware with a firmware update, so any 802.11b
WEP-capable system could use it. In addition to addressing the known issues
with WEP, it stores keys dynamically in memory rather than on the card or
in the local system registry. It includes a mechanism for clients to share
a group key (multicast) in addition to each having a special individual key
(unicast).
- Long-term: a protocol based on AES encryption for future devices. Won't
be supported for existing cards due to increased resource demands.
Robust Security Network (RSN)/ Enhanced Security network (ESN)
= same thing, two names.
Defined in 802.11 Security Baseline. RSN security consists of two basic subsystems,
TKIP or AES for data privacy (note that the AES-based wireless encryption protocol
hasn't been defined yet); and security association management for improved security
negotiation procedures, authentication, and key management.
Roaming
- IAPP, Inter Access Point Protocol to standardize roaming features for use
within a single organization. Started by Cisco, Digital Ocean and Lucent.
802.11f is the proposed extension to 802.11.
- WECA, Wireless Ethernet Compatability Alliance is part of the Wireless
ISP Roaming (WISPR) Initiative, intended to ultimately allow roaming everywhere,
much like wireless phone service in Europe, where it doesn't matter who the
local carrier is -- you still get coverage and you still get billed. Would
use RADIUS and a browser for authentication. Note that in this scenario end-to-end
encryption becomes more critical than ever.
Questions to ask vendors regarding support for 802.1X
- Do you support dynamic key mapping keys (per-station unicast keys)?
- Do you support use of password-based authentication methods that are invulnerable
to dictionary attack? If so, is the specification public?
- Can the AP *automatically* change the default keys?
- What are your plans for supporting forthcoming AES-based ciphers? What
about TKIP, at least?
Resources
Netstumbler = utility for finding wireless networks and access points (and
SSIDs), doesn't sniff data traffic: www.netstumbler.com
Note: you can configure an AP not to respond to probe packets such
as those used by netstumbler. By default they do respond. Users will need to
know the SSID prior to using the wireless net, then, since the AP won't tell
it to them.
NAI has a commercial wireless sniffer that records everything.
Cellular: I am ignoring this for my notes. Good places for technical information
about cellular: www.privateline.com/Cellbasics/Cellbasics.html
and www.howstuffworks.com/cell-phone.htm
One note about WAP, though: "gap in WAP" is that WAP handset to WAP
server is WTLS, WAP server to Internet is SSL, but locally on WAP server, once
data is decrypted it is exposed until re-encrypted with SSL. So, whoever controls
WAP server has access to everything.
Cisco VPN (but not our 5000 series) will ultimately support mobile PDA clients.
Here is a good list of 10 things to do to make your
wireless network more secure.
* A note about MAC authentication - try
looking in card properties under Advanced. MAC address has a handy field you
can fill in to set it to whatever you want!