Security Vulnerabilities in 802.11 Network

Security Vulnerabilities in 802.11 Network

CS578 Final Project

Security Vulnerabilities in 802.11 Network

Submitted by

Fu-Hsiang Chen

Kenji Sakamoto

June 4 2003

Index

Abstract

1.Introduction

What is 802.11 protocols?

Problem of Wireless LAN

Security Measurements in 802.11 Network

SSID

WEP

MAC Filtering

2. Vulnerabilities of WEP

Short IV Problem

Lacking Key Management

Checksum Algorithm Problem

3. Solutions for WEP Vulnerabilities

VPN

Using Proprietary Wireless Hardware

Upgrade 802.11 Firmware to WPA

4. References

Abstract

802.11 wireless LAN protocols have become the most popular protocols for wireless networking. Several methods have been provided to secure 802.11 network such as SSID, WEP and MAC filtering. This paper focuses on the cryptography study of WEP with brief introduction to other methods.

Current implementation of security protocol in a 802.11 network is WEP (Wired Equivalent Privacy). It is an optional encryption standard for Wi-Fi network implemented in the MAC layer and it is supported by most wireless device vendors. If WEP is activated, the Network Interface Card (NIC) encrypts each 802.11 frame before transmission using an RC4 cipher. The receiving station, such as an access point performs decryption when the frame arrives. WEP uses a secret 40 or 64-bit key to encrypt and decrypt datagram. In infrastructure mode, if WEP is activated, the receiving point must use the same key for decryption. This has to be done in the wireless access point (i.e. the wireless network hardware). Each NIC also must be manually configured with the same key. Some vulnerabilities of WEP have been reported such as too short IVs and the using of static keys.

The IV of WEP protocol is only 24 bits, therefore if the network traffic is too busy, same IV will be reused in hours. If attacker could collect enough number of frames, he/she could determine the shared key by observing packets with same IV. On the other hand, 802.11 does not provide key exchange among stations, therefore the same key is used unless user makes change of it. The key may remain unchanged for weeks, months or years. Hackers will have enough time to derive the secret key.

One way to eliminate these security vulnerabilities is to implement VPN in the network to create a secured channel between the two communicating parties. This solution, however, requires extra hardware and software investment and need some technical expertise. Wi-Fi Alliance released a new encryption protocol named WPA (Wi-Fi Protected Access) in March 2003, which is the most cost-effective solution for 802.11 security problems.

1.Introduction

What is 802.11 protocols?

802.11 (also known as Wi-Fi protocol) is a network protocol for wireless Local Area Network (LAN). It is created by the Institute of Electrical and Electronics Engineers (IEEE) to ensure the compatibility and reliability of wireless LAN. It is also known as Wi-Fi protocol and has become the most popular protocol for wireless LAN networking. A 801.11 network operates at high speeds access, provides 2.4 GHz radio band and data rates up to 11 Mbps (this is for the 801.11b protocol, 802.11a and 802.11g have 54 Mbps data rates). The 802.11 standard focuses on the bottom two levels of the ISO/OSI model - the physical layer and data link layer. The comparison of ISO/OSI model, wired Ethernet (IEEE 802.3) and 802.11 Network is shown in the following figure. The black box on the third column shows where 802.11 protocols reside.

OSI/ISO / Ethernet / 802.11
Application
Presentation
Session
Transport / TCP / TCP
Network / IP / IP
Data Link / PPP, SLIP, HDLC / Logical Link Control (802.2)
Media Access Control(MAC)
Physical / NIC / Wireless PCMCIA/NIC

802.11 network defines two types of operation (i.e. two topologies); one is peer-to-peer or Ad Hoc mode, and the other is client-server or infrastructure mode. In infrastructure mode, the wireless network requires at least one access point (AP) connected to a wired network. All communication to other workstations or devices has to go through the wireless access point and/or the wired network before it can reach the destination. Through an Ethernet link that is connected between a wired backbone and an access point, it allows network devices to communicate with each other. All network traffic from the wireless stations goes through an AP and reach it’s destination in either a wired or a wireless LAN or WAN. This is shown in the following diagram.

(adopted from

In Ad Hoc Mode, two or more 802.11 wireless devices communicate directly with one another without using any access point or wired network. There is no security protocols among Ad Hoc clients, that is none of the communication between any two clients are encrypted or has any integrity check and access control.

802.11 Ad Hoc Wireless network.

(adopted from

Problem of Wireless LAN

In traditional wired networks, all networks'traffic resides inside the company building which provide certain level of protection from intruders. However, it is not the same case for a wireless network. Wireless network signal is openlytransmitted in the open air instead of that in closed circuit. Signal could be anywhere even outside the company building. It is easy to set up a signal receiver within the wireless signal range and collect network traffic. This inherited nature of wireless network makes it more vulnerable to malicious attack. Therefore security implementation is more crucial in wireless network than the wired counterpart.

Security Measurements in 802.11 Network

There are three methods to secure access to an AP in the current standard of IEEE 802.11 protocols (includes 802.11b, 80211g and 802.11a). These methods include:

  • Service Set Identifier (SSID)
  • Wired Equivalent Privacy (WEP) algorithm
  • MAC Address filtering

SSID

SSID is an identification name stored in an AP or group of APs to identify what wireless subnets are available. SSID could serve as a form of authentication check. If a wireless client does not configure its NIC with correct SSID value, access is denied to the associated AP.

SSID security alone is very weak because the value is known by all network cards and AP, and can be accessed through air and radio waves, since SSID is not encrypted. The AP is capable of broadcasting its SSID andif broadcasting is enabled, any client without SSID can receive it and have access to the AP. Users can also share SSID with other people because there is no authentication or access control in SSID and anAP has noknowledge who is accessing the network.

WEP

WEP protocol is designed to protect wireless network against eavesdropping and physical security attack. WEP is the encryption standard specified in IEEE 802.11 standard. WEP encrypts a data frame and its content using RC4 stream cipher to protect authorized communication on a wireless LAN. WEP uses a 40-bit secret key for authentication and encryption, and some vendors provide 104-bit secret key encryption (known as WEP2). The encryption key is appended with a 24-bit “initialization vector” (IV) to form a 64- or 128- bit key. When WEP encryption is enabled, the AP send out an encrypted challenge packet to any client who wants to connect to the AP. Then the client uses the secret key to encrypt the correct response packet in order to authenticate itself and gain network access. The client computer and the AP share the same key to encrypt and decrypt data. All WEP keys on a wireless LAN must be configured manually, because there is no key management mechanism in current 802.11 protocol. WEP security protocols are only available in a client/server (infrastructure) mode with an AP. Peer-to-Peer (Ad Hoc) mode does not have WEP implementation.

The following diagram shows how encryption is done in WEP protocol. It involves a integrity check value algorithm (ICV) and a pseudo random number generator (PRNG). In RC4 encryption, an IV is appended with a secret key to form a seed for PRNG. The generated random number is then xor-d with a plaintext to form ciphertext.

The resulting frame is shown in the following diagram (Nikita et. al.):

The entire encryption processes can be summarized as follows:

  • Checksum calculation: P = c(M)
  • Plaintext: P = (M, || c(M))
  • Encryption: C = P  ( RC4 (IV||K) )
  • Transmission: Client Server: ( IV || C )

To decrypt the message, the follow scheme is used:

  • P' = C  RC4 (IV, K) = ( P  ( RC4 (IV, K) )  RC4 (IV, K) = P

For integrity check, the following processes is used:

  • P' = (M', || c(M))
  • ICV' = c(M')
  • Compare ICV' with c(M) for data integrity check

WEP encryption has some weaknesses, which are vulnerable to various kinds of attacks. We will have a closer look at these problems in the coming section.

MAC Filtering

Each network device has a unique hardware number called MAC address (Media Access Control). In an Ethernet network, a MAC address is the same as an Ethernet address. It is a48-bit hex number and the following screen shot shows an example of Ethernet/MAC address of a NIC card using windows 2000's ipconfig command.

The MAC address is used by the Media Access Control sub-layer of the Data-Link Layer of telecommunication protocol. It can also be used as an identification of a client to determine whether it has privilege to access a wireless network or not. To secure an AP using MAC address filtering, every access point must have a list of authorized client MAC address in its access control list. Setting up MAC address filtering is a time consuming work because the list of client MAC address must be inputted manually in each access point and the list must be kept up-to-date at all time. It is suitable for a samll scale SOHO LAN environment, but for large scale network, it is a burden for IT staffs.

2. Vulnerabilities of WEP

Three are some general goals in network security such as Access Control, Integrity and Confidentiality. The implementation of 802.11 tried to achieve the goals by:

Security Requirement / Goal / implementation in 802.11
Access Control / Only authorized people can access the network / Private key encryption using RC4, only people with correct private key can access the network.
Integrity / Prevent tampering with transmitted messages / Using integrity check value (ICV) to provide data integrity
Confidentiality / Prevent eavesdropping / Using RC4 to encrypt every frame

The presumption of these security claims is base on that it is difficult to discover the secret key through a brute-force attack. According to Nikita et. al., none of the above measurements are correctly implemented in WEP. We will discuss the problems in the following sections.

Short IV Problem

IV is used to create randomness in the keystream of RC4. WEP uses a per-packet IV to vary the keystream value for each transmitted frame. However, the IV of WEP protocol is only 24 bits, therefore if the network traffic is too busy, the same IV will be reused in hours. If the secret key changed constantly, the keystream will change accordingly.This can be seen in the following encryption formula. The keystream is a function of IV and K. Change either of them will change the keystream value.

  • C = P  ( RC4 (IV, K) )

However, as mentioned, the current 802.11 network protocols do not have any key management or distribution mechanism and require a person to manually change the key on each device.Moreover, all devices in a 802.11 LAN share the same secret key. Changing a compromised key requires tremendous amount of labour and considering the fact that wireless equipment are usually used on lap top computer for employees on the road, it is very difficult for IT staffs to manage key distribution.

Since IV can repeat in a short amount of time and constant key change is not feasible, if attacker could collect enough number of frames, he/she could determine the shared key by observing packets with same IV or use the well-known attack of stream ciphers. This is shown as follows.

If C1 = P1  ( RC4 (IV, K) )

And C2 = P2  ( RC4 (IV, K) )

Then C1  C2 = [P1  ( RC4 (IV, K) )]  [P2  ( RC4 (IV, K) )] = P1  P2

Knowing P1  P2 can reveal lots of information, for example: if one of the plaintext in P1  P2 is known, then the other plaintext can be obtained. In the other case, if the attacker has partial knowledge of some plaintext such as pattern of English vocabulary or frequency analysis, with patience and time, he/she can derive the secret key and inject malicious packets into the network.

Lacking Key Management

As mentioned, 802.11 does not provide key exchange among network devices, therefore the same key is used unless user make change of it. The key may remain unchanged for weeks, months or years. Hackers would have enough time to derive the key used in a network. On the other hand, WEP keys are static for encryption and authentication, making WEP susceptible to password replay attacks, traffic injection, and statistical attacks.

Checksum Algorithm Problem

WEP check sum algorithm (or integrity check algorithm, ICV) is a linear function of the message. It means the message can be changed without changing the checksum value (Nikita et. al.) thus lost the goal of data integrity check. The ICV of WEP is also an unkeyed function, which means if an adversary has a plaintext, he can calculate the checksum and construct a new packet. Since reuse IV is allowed, by reusing the keystream to create new packet, the adversary can inject traffic into the network without being detected by the receiver. This compromises the goal of access control.

3. Solutions for WEP Vulnerabilities

There are several solutions that can mitigate or eliminate the problems of current WEP protocol. These solutions include implementing VPN, using proprietary wireless hardware, and upgrade 802.11 firmware to WPA. These solutions will be discussed in the following sections.

VPN

VPN stands for Virtual Private Network and it is a common way to create a secure tunnel in an un-trusted network. Every packet that goes through the tunnel must be encrypted before it is send to the network and only the receiver can decrypt the packet. Once the data packet is encrypted, it is of no use to any attacker who tries to collect traffic on the network. Take commonly used VPN protocol IPSec for example. IPSec encrypts all IP datagrams before they are sending to the network. Three security measurements are used in IPSec. Authentication Header (AH) adds authentication information to IP data to provide authentication and data integrity and prevent data from being modified by adversaries during transmission. Encapsulation Security Payload (ESP) provides data confidentiality by encrypting all data and part of ESP header using triple-DES or other encryption algorithm. Internet Key Exchange (IKE) protocol is used to negotiate the choice of cryptographic algorithm used by AH and ESP. The key exchange, verification and maintenance are also done using IKE.

Combining WEP and IPSec, network data is encrypted both at layer 2 (data link) and layer 3 (Network) of the OSI/ISO model. All data encrypted by WEP is also encrypted by IPSec and there is not much left for an attacker to hack the network. However, implementing IPSec requires extra software (mostly free software) configuration and requires a IPSec gateway between AP and wired LAN which may cause some technical difficulties for SOHO users.

Using Proprietary Wireless Hardware

Big network hardware vendors such as Cisco, provide extra security measurements in their wireless product. Take Cisco for example, all Cisco network product comes with a protocol called Lightweight Extensible Authentication Protocol (LEAP). EAP is an 802.1x standard that allows developers to pass security authentication data between authentication server, the AP and wireless client. EAP has a number of variants: EAP MD5, EAP-Tunneled TLS (EAP-TTLS), Lightweight EAP (LEAP) and Protected EAP (PEAP). Cisco’s LEAP encrypts data transmissions using dynamically generated WEP keys, and supports mutual authentication to secure wireless network. These proprietary solutions are very effective, but require all clients NIC and AP be purchased from the same vendor, which increase the total cost of the network. Moreover, these proprietary hardware usually have poor interoperability with other vendor’s product, therefore create problem when upgrading network hardware.

Upgrade 802.11 firmware to WPA

Realising the vulnerability of WEP encryption, Wi-Fi Alliance (

OpenSection/index_noflash.asp) released a new encryption protocol named WPAin March 2003.

WPA stands for Wi-Fi Protected Access and it is based on the current IEEE proposal of the 802.11i standard. 802.11i is still under development and will not be available until end of 2003. The Wi-Fi Alliance,considering the long wait of 802.11i will stall the use of wireless equipment and cause loss to vendors, decided to adopt WPA before the release of 802.11i.

As we have seen, the one of the flaws in WEP is the static secret key rather than dynamic. WPA provides effective key distribution and enables use across different vendor’s network equipment. WPA includes both the Temporal Key Integrity Protocol (TKIP) and802.1xmechanisms, which together provide dynamic key encryption and mutual authentication for mobile clients. WPA AP can periodically generate a unique encryption key for each client. TKIP introduces new algorithms to WEP, which includes extended 48-bit initialisation vectors and associated sequencing rules, per-packet key construction, key derivation/distribution function, and a message integrity checking code (also called "Michael").

In a large enterprise, WPA can be configured to take advantage of an authentication server, such asRemote Authentication Dial-In User Service (RADIUS), using 802.1x with EAP. The authentication server stores user credentials, which allows effective authentication control and integration into existing IT system.

For SOHO users, who usually do not have an authentication server, WAP has the ability to operate in "preshared key mode." It is similar as the previous WEP implementation, a client's NIC is configured with a secret key (or phrase), and it must match the one stored in the AP. An access point can use the pass phrase for authentication.

WPA is the perfect solution for legacy equipment because one can upgrade WPA by firmware upgrade and does not require purchasing new wireless network hardware. It is designed to be forward compatible with the 802.11i standard. The coming 802.11i standard will include Advanced Encryption Standard (AES), which provide more security than RC4. But to use AES will require the replacement of a legacy AP because AES encryption needsmode powerful processors for calculation. 802.11i will be targeted for new equipment.