Cover V11, I05

Article
Figure 1
Figure 2
Figure 3
Figure 4

may2002.tar

Wireless (In)Security

Ido Dubrawsky

Wireless networks began with the IEEE 802.11 standard in 1997. This standard specified everything from how various devices on the wireless network speak to each other to the security of the network. When it was first drafted, the authors of the 802.11 standard understood the need to provide a "privacy" to the wireless network that would be similar to that provided by wired networks. Their work towards this regard was termed "Wired Equivalent Privacy", or WEP for short.

The original intent of WEP was not to provide a secure network protocol similar to that provided by IPSec, but rather to provide an equivalent level of privacy to that found on a wired network. WEP was designed to prevent "casual eavesdropping". While the design of WEP met its intended goals, the authors of the 802.11 could not have foreseen the deployment configurations systems and network administrators used for wireless networks. Wireless networks were deployed in a similar fashion to wired networks -- without regard to the one fundamental difference between the two. While wired networks remain constrained within the physical limitations of the network wire, wireless networks have no physical boundaries. Because of this fundamental difference, WEP went from being a "good enough" protocol to an inadequate protocol.

IEEE 802.11

The IEEE 802.11 standard provides for all the definitions and constructs necessary for wireless networks. Everything from the physical transmission specifications to the authentication negotiation is provided. Wireless traffic, like its wired counterpart, consists of frames transmitted from one station to another. A feature that sets wireless networks apart from wired networks is that one end of the communication pair is either another wireless client or a wireless access point.

The 802.11 standard provides for two modes for wireless clients to communicate: ad-hoc and infrastructure. The ad hoc mode is geared for a network of stations within communication range of each other. Ad hoc networks are created spontaneously between the network participants. In infrastructure mode, access points provide for a more permanent structure for the network. An infrastructure consists of one or more access points as well as a distribution system (i.e., wired network) behind the access points that tie the wireless network with the wired network.

To distinguish between different wireless networks, the 802.11 standard defines the SSID (Service Set Identifier). The SSID is a configurable string of up to 32 characters that identifies a wireless network. It is similar to the network portion of an IP address for wired LANs. The SSID can be considered the identity element that "glues" various components of a wireless LAN together. Traffic from wireless clients that use one SSID can be distinguished from other wireless traffic using a different SSID. By using the SSID, an access point can determine which traffic is meant for it and which is meant for other wireless networks.

802.11 traffic can be subdivided into three parts: control frames, management frames, and data frames. Control frames include such information as Request to Send (RTS), Clear to Send (CTS), and Acknowledgment (ACK) messages. Management frames include beacon frames, probe request/response, authentication frames, and association frames. Data frames are, as the name implies, 802.11 traffic that carries data. That data is typically considered network traffic, such as IP encapsulated frames.

There are two types of authentication mechanisms used by 802.11: open authentication and shared key authentication. Open authentication requires that the client have pre-existing knowledge of the wireless network SSID. The client must also know whether WEP is in use on the wireless network and, if it is in use, the value of the WEP key. With shared key authentication, the wireless client must prove its knowledge of the secret key. Proof is obtained through a challenge-response exchange similar to the exchange used in CHAP. The access point sends a random challenge to the client (in clear text) who then encrypts the challenge and transmits it back to the access point. The access point decrypts the response and compares the challenge to what was transmitted. If the two agree, the client is authenticated. As discussed below, shared key authentication is actually less secure than open authentication because it provides several components for a known plaintext attack.

The WEP Protocol

WEP is a form of electronic codebook in which a given block of text is encrypted at the sending station, transmitted, and then decrypted at the receiver. Figure 1 shows how WEP encryption proceeds.

In Figure 1, the plaintext message (1) is run through an integrity algorithm (the 802.11 standard specifies the use of CRC-32) to produce an Integrity Check Value (ICV), which is then appended to the end of the original plaintext message (2). A "random" 24-bit Initialization Vector (IV) is generated and prepended to the secret key (which is distributed through an out-of-band method) and that is then input (3) to generate a seed value for the WEP pseudo-random number generator (PRNG). The WEP PRNG (4) outputs a key sequence equal in length to the plaintext/ICV message. This key sequence and the plaintext/ICV message is then XOR'ed (5) to produce the WEP ciphertext. The ciphertext is then prepended with the IV (in plaintext) and transmitted (6).

Once the data is encrypted, it is packaged (Figure 2). The encrypted data/ICV combination is appended to the IV used, along with the shared secret, to generate the RC4 keystream. This IV consists of the 24-bit initialization vector, a 6-bit 0-value pad, and 2-bits set aside for the key ID. The secret key is 40 bits long. The key ID allows the network administrator or user to choose one of up to four separate 'secret' 40-bit keys on the wireless device. This allows the flexibility of providing users different keys for different wireless networks, or for easily switching between keys should one secret key become compromised.

One confusing feature of WEP is the length of the keys. While a 64-bit key is used to generate the RC4 keystream, which is then XOR'ed to the data/ICV combination, 24-bits of that key is the Initialization Vector. This leaves only 40-bits for the actual secret key.

WEP2

Realizing the problems with WEP, the IEEE proposed changes to the WEP protocol in 2001. This new version of WEP, known as WEP2, increases the IV space from 24 to 128 bits and provides for mandatory Kerberos V support. While increasing the IV size to 128 bits does alleviate the IV collision problem of WEP (discussed below), it does nothing to eliminate the problem of known plaintext attacks, keystream reuse (described below), the problems with rogue access points, and denial-of-service attacks against access points and wireless clients. Some vendors have added support for WEP2 keys in their products but complete support for the entire WEP2 proposal has yet to be achieved.

WEP Problems

Initialization (IV) Weaknesses

WEP2 only appeared recently and is still making its way to the marketplace. Most existing WEP-based wireless networks were designed around the earlier WEP standard. If you already have or are thinking of purchasing a WEP network that uses the 24-bit IV, it is worth considering the implications. An IV space of only 224 yields approximately 16 million possible IV keys. The 802.11 standard does not specify any method to choose the IV. Many vendors designed the firmware for their wireless devices to start the IV at 0 (that is 00:00:00) at device initialization and increment each successive IV value by 1. This is reminiscent of the old TCP Sequence Number incrementing on UNIX by 64K for every packet, which results in an increase in low-value IV reuse -- a widely known weakness of keystreams.

Another weakness related to the IV comes from its limited size as defined by the 802.11 standard. Because the IV is only 24 bits wide, an 11-Mbps wireless network can easily exhaust all IV values within a few hours of use by several clients. This then leads to the possibility of IV collisions. IV collisions occur when two packets are encrypted with a keystream generated from the same IV value, v, and secret key, k. A collision can result in the attacker's ability to derive the plaintext in the encrypted in the wireless packets. As shown in Figure 1, the plaintext/checksum message is XOR'ed with the RC4 keystream generated by the IV/secret key combination. If two packets are encrypted with the same keystream (i.e., an IV collision has occurred), the keystream can be removed by XOR'ing the two packets together. This leaves the XOR combination of the plaintext data in the two packets. Although this may not seem to be a problem, remember that IP traffic tends to be well structured. This feature can be used by an attacker to determine the value of the data by looking for text that, when XOR'ed with itself, results in the XOR of the two plaintexts [1].

Cipherstream Reuse

A related problem to IV collision is that given the fact that a keystream can be recovered from a WEP packet, it is possible for an attacker to use that stream later to decrypt other packets. Because the IV space is so limited, an attacker can seek to capture keystreams by sending traffic into a network with various IV values. The keystreams can be extracted by XOR'ing the encrypted traffic with the known plaintext. This, in effect, creates a dictionary of keystreams. Later when legitimate traffic crosses the wireless network, the attacker can intercept it and, if he has a keystream for the IV used with the encryption of that traffic, he can XOR out the keystream and recover the plaintext information [2].

Plaintext Attacks

Another approach that can be used to attack a wireless network is a known plaintext attack. In this attack, the attacker knows the plaintext message and has a copy of the ciphertext. The missing piece is the key used to encrypt the plaintext (or decrypt the ciphertext). A simple approach to implementing a known plaintext attack against WEP would be to send a target system on the wireless LAN a known piece of data and then capture that data as it is transmitted to the destination. This data can be generated by a simple piece of email. Once the attacker has captured the encrypted WLAN traffic of the email sent to the target, he will have three pieces of a four-piece puzzle: the known plaintext, the encrypted data, and the IV. It is a trivial matter to take all of those pieces and use a dictionary attack to try and determine the secret key. Another possibility is to use the challenge/response exchange used by the shared key authentication mechanism of the 802.11 standard as the basis of a known plaintext attack. Here the known plaintext is the random challenge sent by the access point to the client, and the ciphertext is the response provided by the client.

As with any password-based security scheme, WEP's security relies on the difficulty of discovering the secret key through a brute-force attack. And, as with any password or secret key, this difficulty is related to the length and composition of the key as well as how often the key is changed. One feature of WEP that originally was determined to be an asset (but later turned out to lead to one of the more dire attacks against it) was that WEP is self-synchronizing for each message. This feature comes out of the fact that the IV is transmitted, in plaintext, with each packet. While 802.11 suggests that the IV values change, the standard leaves it up to the implementer to decide how often the IV changes and how. In the best-case scenario, the IV should be a random value. However, as mentioned previously, some vendors implemented the 802.11 standard in their wireless cards so that the IV gets reset to 00:00:00 whenever the card or system is reset and then increments linearly with each packet sent.

One side effect of the known plaintext attack is that the attacker can take the ciphertext and XOR it with the known plaintext to recover the keystream. This keystream can then be used (with the correct IV attached) to inject packets into the wireless network by reusing the keystream and XOR'ing it with new data. In this way, an attacker can insert packets to the wireless network without actually authenticating to the access point.

Fluhrer, Mantin, and Shamir

In August of 2001, Scott Fluhrer of Cisco Systems and Itsik Mantin and Adi Shamir of the Computer Science Department of The Weizmann Institute in Israel released a paper discussing weaknesses in the Key Scheduling Algorithm (KSA) of RC4. The KSA derives an initial state from a variable size key and then feeds this state to the pseudo-random number generator (PRNG) of RC4, which uses the input to generate a pseudo-random keystream.

Problems with RC4 are not new. In 1995, Andrew Roos posted some preliminary results from an analysis of RC4's PRNG to the Usenet newsgroup sci.crypt. In 1996, Ian Farquhar posted to sci.crypt that there was an approximately 35% probability that the first byte of the keystream generated by RC4 would be the same as the first byte of the key.

Fluhrer, Mantin, and Shamir discovered two weaknesses in the KSA. The first weakness is the existence of large classes of "weak" keys where a small part of the secret key determines a large number of bits of the KSA output [3]. This ultimately results in the problem where the initial output of the RC4 algorithm is disproportionally affected by a small number of key bits. The second vulnerability is related to the first. It occurs when part of the key presented to the KSA is exposed to the attacker (as in WEP, where the IV is exposed). When the same secret part of the key is used with numerous different exposed values, an attacker can rederive the secret part by analyzing the initial word of the keystreams with relatively little work. The attack that Fluhrer, Mantin, and Shamir devised works against any key size, including both the 24-bit key of WEP and the 128-bit key of WEP2, and does not matter whether the IV precedes the secret key or follows the secret key.

The work done by Fluhrer, Mantin, and Shamir was applied by Adam Stubblefield of Rice University and John Ioannidis and Aviel Rubin of AT&T Labs. Their work utilized off-the-shelf hardware and software and was able to crack the encryption provided by WEP on their test network within the span of a few hours. Their work was duplicated by others and, while Stubblefield et al. did not release their source code to the public, they noted that two other tools were currently publicly available: airsnort and Tim Newsham's WEPCrack [4].

Securing Wireless Networks

Wireless networks are being deployed at an ever-increasing pace. According to a recent report by Allied Business Intelligence, 4.9 million wireless nodes were shipped worldwide in 2000, and the number is expected to climb to 55.9 million wireless nodes by 2006. This explosion in deployment of wireless devices and wireless LANs will result in considerable difficulties for systems and network administrators if the problems with WEP are not addressed. To deal with WEP's problems, several vendors (including Cisco Systems, Agere Systems, Enterasys Networks, and Avaya) have each devised proprietary solutions to address some of WEP's near-term problems.

Some vendors have adopted the Extensible Authentication Protocol (EAP) authentication mechanism in the IEEE 802.1x standard. This standard allows for port-based access control where access to the network is granted only after the client authenticates. For WLANs, this method works very well because access can be granted by the access point once the user has successfully authenticated to a RADIUS server. This also provides for an interim solution until the 802.11i working group can provide a better security mechanism for wireless LANs.

Access Points

However, network administrators can still deploy wireless networks even with the current problems inherent with WEP. The caveat is that wireless networks must be afforded special consideration when deployed. With that in mind, network administrators deploying wireless access points should consider the placement of the access point very carefully. Wireless access points should not be connected to the internal wired LAN even if WEP is enabled. With the well-known weaknesses of WEP and the low level of difficulty in cracking WEP-based traffic, the wireless LAN is better viewed as an insecure or "dirty" network. Thus, access points should be placed outside a firewall. Access into the network should be provided either through Secure Shell or through an IPSec-based VPN solution. The Secure Shell connection and the IPSec-based VPN connection provides for both user authentication as well as user differentiation.

Most access points can accommodate MAC filtering and should be configured to do so, even though MAC addresses can be spoofed. WEP should be active; even with the weaknesses inherent with WEP, there is no need to make it easier for an adversary to attack the network. Network address management is a difficult issue that must also be considered. One benefit to utilizing wireless devices that can support 802.1x authentication mechanisms is that network addresses can be provided after authentication is complete and access has been granted. However, many WLAN devices do not support EAP authentication. For wireless LANs based on those devices, an external DHCP server providing network addresses to specific clients only on the wireless LAN is one solution -- with the understanding that this host's only function is to provide addresses to wireless clients. However, that server will probably become the focus of access as well as denial-of-service attacks. While not optimal, it does provide for network address management on the wireless LAN. Another possibility is to use the built-in DHCP server available on many wireless access points.

The firewall should allow only IPSec traffic or Secure Shell traffic into the network. All traffic from the clients should be routed through the IPSec VPN or the Secure Shell connection. Figure 3 shows a wireless network configured as described above. In step 1, the wireless client authenticates and associates to the wireless access point using open authentication. The access point is configured to filter based on a MAC address. Once authentication and association completes, the access point forwards DHCP requests to the DHCP server. The server assigns the wireless client a network address in step 2. With the wireless client now on the wireless network, the client can proceed to access the "wired" network beyond the firewall. To do this, the client either sets up an IPSec VPN tunnel to the VPN device or uses Secure Shell to connect to the SSH server, as shown in step 3 of Figure 4. The firewall is configured to permit only SSH traffic or IPSec traffic to pass through. All other traffic is denied.

Until the problems with WEP are properly addressed, wireless networks will remain a significant problem for administrators. However, even with the current difficulties posed by wireless LANs, it is still possible to deploy them if they are treated with the proper respect and consideration.

References

1. N. Borisov, I. Goldberg, and D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. Published in the Proceedings of the Seventh Annual International Conference of Computing and Networking. July, 2001.

2. J. Walker. Unsafe at any key size; An analysis of the WEP encapsulation. IEEE Doc: 802.11-00/362. October 2000.

3. S. Fluhrer, I. Mantin, and A. Shamir. Weakness in the Key Scheduling Algorithm of RC4. August 2001.

4. A. Stubblefield, J. Ioannidis, and A. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. AT&T Labs Technical Report TD-4ZCPZZ. August 2001.

5. Institute for Electrical and Electronic Engineers, "ANSI/IEEE Std 802.11, 1999 Edition", 1999

Ido Dubrawsky has been working in UNIX and network administration field for nine years. When not working on security, he spends his free time with his wife, Diana, their two children, and their dog, Reidy. He is currently employed by Cisco Systems in the Cisco Secure Consulting Service as a Network Security Engineer.