Basic 802.11 Security and Its Known Problems
When IEEE 802.11b was first defined, its security depended on two basic security mechanisms: the SSID
and WEP. Some manufacturers have added MAC address filtering to their products.
Service Set ID (SSID)
The SSID is a string used to define a common roaming domain among multiple access points (APs).
Different SSIDs on APs can enable overlapping wireless networks. The SSID was once thought to be a
basic password without which the client could not connect to the network. However, this claim is
easily disproved, since APs broadcast the SSID multiple times per second and any 802.11 analysis tool
such as Airmagnet, NetStumbler, or Wildpackets Airopeek can be used to read it. Because users often
configure clients themselves, this so-called password is often widely known.
Should you change your SSID? Absolutely. Although the SSID does not add any layer of security, it
should be changed from the default value so that other people do not accidentally use your network.
Wired Equivalent Protocol (WEP)
The IEEE 802.11b standard also defines an authentication and encryption method called WEP to mitigate
security concerns. Generally, authentication is utilized to protect against unauthorized access to the
network, whereas encryption is used to defeat eavesdroppers who may try to decrypt captured
transmissions. 802.11 uses WEP for both encryption and authentication.
Four options are available when using WEP:
- Do not use WEP.
- Use WEP for encryption only.
- Use WEP for authentication only.
- Use WEP for both authentication and encryption.
WEP encryption is based on RC4, which uses a 40-bit key in conjunction with a 24-bit random
initialization vector (IV) to encrypt wireless data transmissions. (This is why you may see some 802.11b
systems labeled as having 64-bit encryption. They are no different than those labeled as having 40-bit
encryption keys.) If enabled, the same WEP key must be used on all clients and APs for communication.
Most vendors today also offer 128-bit WEP (which uses a 104-bit key). This is a stronger encryption
method that makes it more difficult for eavesdroppers to decipher over-the-air transmissions. Although it
is not part of the IEEE 802.11b standard, this mode has been implemented on many different vendors'
products, some of which are not interoperable.
To prevent unauthorized access, WEP also defined an authentication protocol. Two forms of
authentication are defined by 802.11b: open system and shared key. Open system authentication
enables any 802.11b client to associate with the AP and skip the authentication process. No
authentication of clients or encryption of data occurs. It can be used for public access WLANs, which can
be found in coffee shops, airports, hotels, conference centers, and other similar venues where the public
is invited to use the network. Typically, the open network authenticates the user with a user name and
password over a secure login web page. For closed networks such as the home or enterprise, this mode
can be used when other methods of authentication are provided.
Using shared key authentication, the AP sends a challenge phrase to the client radio that is requesting
authentication. The client radio encrypts the challenge phrase using the shared key and returns it to the
AP. If the AP successfully decrypts it back to the original challenge text, it proves that the client has the
correct private key. The client is then allowed to make a network connection.
To the casual observer, it would seem that the shared key authentication process is more secure than the
open system authentication process. However, since both the challenge phrase (which was sent in
cleartext) and the encrypted response are available to anyone listening, a hacker can derive the WEP key.
Thus, neither open system authentication nor shared key authentication is secure.
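The following is an added worked example, not code from the article, that ties together the two mechanisms described above: WEP's per-frame encryption (a 24-bit cleartext IV prepended to a 40-bit or 104-bit secret to form the RC4 key, which is why "64-bit" WEP carries only 40 secret bits) and the four-frame shared key authentication exchange. The last function shows, from a listener's point of view, why that exchange is no stronger than open system authentication: the cleartext challenge and the encrypted response together reveal the RC4 keystream for that IV without any knowledge of the key. All key, IV and challenge values are constructed for the illustration.

```python
"""WEP building blocks: RC4, per-frame encryption with a cleartext IV, and the
shared key authentication exchange. Added illustration; all values constructed."""
import struct
import zlib
from typing import Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation), the cipher WEP wraps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV(3) | key id(1) | RC4(IV || secret) applied to payload || ICV.
    The IV is transmitted in the clear, so a 64-bit RC4 key holds 40 secret bits
    (5-byte secret) and a 128-bit RC4 key holds 104 (13-byte secret)."""
    assert len(secret) in (5, 13) and len(iv) == 3
    plaintext = payload + icv(payload)
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes([(key_id & 0x03) << 6]) + xor(plaintext, keystream)


def wep_decrypt(secret: bytes, frame_body: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies, otherwise None."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    plaintext = xor(ciphertext, rc4_keystream(iv + secret, len(ciphertext)))
    payload, received_icv = plaintext[:-4], plaintext[-4:]
    return payload if icv(payload) == received_icv else None


def shared_key_auth(ap_secret: bytes, client_secret: bytes,
                    challenge: bytes, iv: bytes) -> Tuple[bytes, bytes, bool]:
    """Both sides of shared key authentication.
    Frame 2: AP -> client, 128-byte challenge in cleartext.
    Frame 3: client -> AP, the challenge WEP-encrypted under the client's key.
    Frame 4: AP decrypts with its own key and compares.
    Returns (challenge, response, accepted)."""
    response = wep_encrypt(client_secret, iv, challenge)
    accepted = wep_decrypt(ap_secret, response) == challenge
    return challenge, response, accepted


def keystream_from_exchange(challenge: bytes, response: bytes) -> Tuple[bytes, bytes]:
    """The weakness the article describes, seen from a passive listener.
    Frames 2 and 3 are both on the air: XOR of the known plaintext (challenge
    plus its ICV) with the ciphertext is the RC4 keystream for that IV, obtained
    without the key. Returns (iv, keystream)."""
    iv = response[:3]
    return iv, xor(challenge + icv(challenge), response[4:])


def iv_wraparound_seconds(frames_per_second: float) -> float:
    """Seconds until a link has used every one of the 2**24 IVs once, after
    which keystreams necessarily repeat under a static key."""
    return 2 ** 24 / frames_per_second


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")          # constructed 40-bit key
    iv = b"\x11\x22\x33"                          # constructed 24-bit IV
    challenge = bytes(range(128))                 # constructed challenge text
    _, response, ok = shared_key_auth(secret, secret, challenge, iv)
    print("client accepted:", ok)
    seen_iv, leaked = keystream_from_exchange(challenge, response)
    print("leaked keystream matches:", leaked == rc4_keystream(iv + secret, 132))
    print("hours to exhaust IV space at 500 frames/s:", iv_wraparound_seconds(500) / 3600)
```

Running the script shows that a listener who never learns the key still ends up holding the same keystream the client derived from it, which is the reason the exchange does not authenticate anything beyond possession of a previously seen keystream. The wraparound figure, stated in hours for a modest frame rate, is one way to put a number on the "enough time" the article mentions for a static key.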
Because the 802.11 standard relies on external key management services to distribute the secret keys to
each station and does not specify key distribution services, most 802.11 client access cards and APs rely
on manual key distribution. This means that the keys remain static unless the network administrator
changes them. Obvious problems result from the static nature of the keys and the manual process of key
management as changing the keys on each station in a large network can be extremely time consuming.
If a station is lost due to theft or accident, the keys will need to be changed on all stations. Furthermore,
given the mobility of the population and without a convenient way to manage this task, the network
administrator may be under great pressure to accomplish this in a reasonable time frame.
Another concern about the robustness of WEP is that it only provides at most four shared static
encryption keys. This means that the four encryption keys are the same for all clients and APs every time
a client accesses the network. With enough time, physical proximity, and tools downloaded from the
Web, hackers can determine the encryption key being used and decrypt data. Since the whole company
is using the same set of keys at any one particular time, it is just a matter of a few hours before enough
data is collected to crack a 128-bit key.
Since WEP can be cracked, should you use WEP? If you have nothing else, use WEP to make it more
difficult on potential hackers or spammers. You don't want to have your bandwidth stolen for someone
else's illegal activities. This is the equivalent of asking "since doors can be picked, should I bother locking
the door?"
MAC Address Filtering
Besides the two basic security mechanisms that 802.11 provides, many companies implement MAC
address filtering in their products. This mechanism is not flawless either.
The MAC address filter contains the MAC addresses of the wireless network interface cards (NICs),
which may associate with any given AP. Some vendors provide tools to automate the entry and update
processes; otherwise, this is an entirely manual process. A MAC filter is also not very strong security
since it is easy to discover known good MAC addresses with a sniffer. Then, using Linux drivers available
on the Internet for most 802.11 client access cards, you can configure the sniffed MAC address into the
card and gain access to the network. Although not perfectly secure, MAC address filtering is one more
layer on the onion—it makes it more difficult for someone to gain access.
The other two steps mentioned by the Wi-Fi Alliance, use of session keys and a VPN system, are good,
workable solutions for securing Wi-Fi. In order to understand how much security is needed for a particular
application, it is important to understand the threats and potential attacks 