WEP and WPA

Topic: Wireless Security with WEP and WPA
In a wireless network (WLAN) data is sent out over the air. Any wireless device
within radio-frequency range can view the data packets if they are not encrypted,
whereas in a wired network data is confined to the physical boundaries of the network.
Wireless network communications are also more prone to interference and jamming. As
such, security on a wireless network is harder to provide than on a wired network.
Computer hackers called "war chalkers" roam around neighborhoods with wireless
devices trying to find insecure wireless computer networks they can break into. 802.11a
and 802.11b are popular IEEE standards for wireless LANs. Wired Equivalent Privacy, or
WEP, is a protocol that provides security for an 802.11 network. It acts on data being
transmitted between an access point and network adapters and vice versa. WEP protects
data only between 802.11 stations and not on the wired side of the network, such as
between access points.
WEP encrypts the data to provide security. WEP is implemented at the data-link and
physical layers of the OSI model. Since it is limited to these two layers it does not
provide end-to-end security. Most wireless NIC and access point vendors support
WEP. The main objectives of WEP are to provide the following security services:
1. Authentication: verify the identity of communicating client stations.
2. Confidentiality: prevent eavesdropping.
3. Integrity: ensure that information is not altered.
WEP can be used for both open and shared-key authentication. In open
authentication, unless the client has the correct WEP key it is not allowed to
communicate. In shared-key authentication, the client is allowed to communicate
only if it answers the access point's challenge by encrypting it correctly with the
WEP key. A static WEP key can also be used. This key has to be the same for
all communicating devices, and each NIC and access point may need to be manually
configured for WEP. If a device is lost or stolen, the WEP key has to be changed
manually on all remaining devices. If a tool like AirSnort is used to recover the WEP
key, the network administrator has no way of knowing that the key has been compromised.
WEP uses RC4 encryption. RC4 is a symmetric stream cipher invented by Ron Rivest
of RSA Data Security, Inc. It supports a variable-length key. 802.11 specifies RC4
encryption and the key but does not specify how keys are to be distributed, which
results in many implementation problems in key management. The static key has to be
supplied by the user of the sending station. It can be 40 or 128 bits long; WEP2 uses
128 bits. The 40-bit key is vulnerable to brute-force attack. WEP uses a 24-bit
initialization vector (IV). This vector is randomly generated and provides a range of
16,777,216 possible values. WEP concatenates the IV and the key to generate a key
schedule, also known as a seed. The IV changes to a freshly generated one for each
frame transmitted. The seed is then used to generate a keystream whose length equals
the frame's payload plus the 32-bit integrity check value (ICV), or checksum. The
keystream is XORed with the payload. The IV is transmitted in clear text and is located
within the first few bytes of the frame. At the receiving station the checksum is
recalculated and compared against the one sent; if the two do not match, the frame may
be rejected.
In a home network, WEP can be enabled on the router using the router's management
console. It also has to be enabled on each wireless adapter or NIC, and a pre-shared
key has to be designated for the network. The Wi-Fi router comes with a default key
set; this should be changed, because otherwise somebody else within range of the
network might have the same default key enabled, and anybody with the same WEP key
can access the network. A Wi-Fi router comes with a choice of 5 or 6 WEP keys from
which one can be chosen, but somebody else might choose the same one. A better option
is to use a freely available WEP key generator to create a custom WEP key. After WEP
is enabled on a network, its transmission speed drops because of the added
encryption/decryption processing.
The vulnerabilities of WEP arise from the relatively short key and the static
nature of the shared key. With such a short key, IVs can recur within a very short
time, about 24 hours. The 802.11 standard does not mandate that the transmitting
station use a separate IV for each transmitted frame, so keystreams can be very
similar. A malicious user can find a pattern by collecting enough frames and then
figure out the key or the data transmitted. Frames with common data at the beginning,
such as "From" email addresses, create a common pattern; after encryption with the
same key they still share that data, making it easy for hackers to get at the contents.
Key exchange is not supported by 802.11, so the same key is reused for long periods
unless manually changed, making the network all the more vulnerable. When the same IV
is used with the same key on an encrypted packet, it is known as an initialization-vector
collision. The IV is sent in plaintext, which makes it very easy for sniffers to see.
Certain patterns of the IV can be used to break into the network. Both 40- and 128-bit
WEP can be cracked by tools readily available on the internet; the 128-bit WEP key can
be obtained in 15 minutes.
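The WEP framing described above (cleartext IV, RC4 seeded with IV || key, CRC-32 ICV) and the IV-collision problem discussed in this section, as an added example that is not part of the original report. The key, IVs and payloads are constructed sample values; reused_ivs is a defender-side check that flags frames sharing an IV under one key.

```python
import zlib
from collections import Counter

def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus keystream generation: `length` bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body: 3-byte cleartext IV, then RC4(IV || key) XOR (payload || CRC-32 ICV).
    A '128-bit' WEP key is 13 bytes (104 bits): the 24-bit IV makes up the rest."""
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4(iv + key, len(payload) + len(icv))
    return iv + bytes(a ^ b for a, b in zip(payload + icv, ks))

def wep_decapsulate(key: bytes, frame: bytes):
    """Return (payload, icv_ok); the receiver recomputes the ICV and compares it."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(a ^ b for a, b in zip(body, rc4(iv + key, len(body))))
    payload, icv = plain[:-4], plain[-4:]
    return payload, icv == zlib.crc32(payload).to_bytes(4, "little")

def reused_ivs(frames):
    """IVs seen in more than one frame under the same key. Each one is an IV collision:
    the same RC4 keystream was applied to two different payloads (only 2**24 IVs exist)."""
    counts = Counter(f[:3] for f in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                    # constructed 40-bit key
    frames = [wep_encapsulate(key, iv, p) for iv, p in [
        (b"\x00\x00\x01", b"From: alice@example.test"),   # constructed payloads
        (b"\x00\x00\x02", b"From: bob@example.test"),
        (b"\x00\x00\x01", b"From: carol@example.test"),   # IV 000001 reused
    ]]
    print(wep_decapsulate(key, frames[0]))
    print({iv.hex(): n for iv, n in reused_ivs(frames).items()})
```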
Making IVs random provides a certain amount of security. Some other measures
that might provide more security in a SOHO (Small Office/Home Office) network are as
follows:
1. A custom key can be used, made of non-dictionary words.
2. DHCP can be turned off and static IP addresses used instead.
3. Firewalls can be used.
WEP can be employed for a minimum level of security. It works well for a home
network or small-office network. It might not give enough protection against hackers,
but it might give enough protection against casual eavesdroppers trying to get into
the network and use its resources. Bigger networks used for business purposes need to
be more secure. There are other security solutions such as Cisco's Lightweight
Extensible Authentication Protocol (LEAP) or the Extensible Authentication Protocol
(EAP). These methods might require additional software and hardware, such as
certificate servers or authentication servers, and have interoperability issues, with
hardware having to come from the same vendor. A solution announced by the Wireless
Fidelity Alliance is Wi-Fi Protected Access (WPA). It is almost a replacement for WEP,
removing many of its shortcomings.
WPA is based on 802.11i. It can be configured to work with an authentication
server in corporate networks, and it can also work in home and SOHO environments
without an authentication server using pre-shared key mode. WPA can be used by
universities and other public organizations where vendor-specific solutions could not
be used because of interoperability issues. WAP and NIC firmware can be upgraded to
use WPA.
Like WEP, WPA uses security settings to encrypt and decrypt data transmitted
over the network, but it does not use one static security key for encryption as WEP
does. It uses the Temporal Key Integrity Protocol (TKIP) to dynamically generate a
new key for every packet and different sets of keys for each communicating device.
Once the key changes, it is automatically synchronized by the protocol at the access
point and clients. TKIP starts from the pre-shared key for each authenticated client.
When WPA is enabled, a passphrase is established. This, along with other network
settings, is stored in the base station and on each networked computer. TKIP verifies
the client's configuration. WPA works with all variants of Wi-Fi and complies with the
802.11i and 802.1x standards.
WPA provides more secure protection than WEP and is easy to implement. It fixes
all the problems WEP is threatened with except denial-of-service attacks. The 128-bit
key is referred to as the temporal key (TK). WPA can also use pre-shared keys. These
keys are not actually used to encrypt data but instead to create dynamically changing
ciphers using RC4. The 48-bit initialization vector is combined with the station's
temporal key (TK) to produce a phase 1 key. The phase 1 key is combined with the IV in
phase 2 to produce a different packet key for each packet sent. This makes it difficult
for hackers to decrypt the data, unlike WEP, which uses the same key many times unless
manually reconfigured.
WEP uses a 32-bit checksum calculated over the frame's payload data. This
checksum, called the integrity check value (ICV), is appended at the end of the frame.
The ICV can be modified by malicious users, and the receiving station would not be
able to figure out that the frame had been modified. WPA uses a security solution
called Michael to thwart this problem. Michael computes a Message Integrity Code (MIC)
of 8 bits. The MIC is inserted at the end of the frame payload and before the ICV. It
is also encrypted along with the frame data to prevent malicious modification. It also
contains a frame counter, which prevents replay attacks or duplicates being sent again
and again.
For WPA security to take effect, all devices in the network have to use WPA. If
some devices still use WEP, the security of the whole network will be weak; WEP
clients do not support automatic re-keying. WPA does not work with a configuration
that has no gateway or access point and only peer-to-peer clients. WPA is not enabled
by default on upgraded firmware; it has to be installed separately and a password has
to be set. WPA can work in a pre-shared key scheme or an 802.1x authentication scheme.
A pre-shared key (PSK) has to be configured on the WAP as well as on the client. WLANs
can continue to operate at 2.4 GHz with WPA.
The Pairwise Master Key (PMK) is used to protect transmissions from a computer to
another device. Using a pre-shared passphrase of fewer than 20 characters can make it
easy to recover the pre-shared key and in turn the PMK. The additional parameters used
to generate the PMK, including both MAC addresses and the SSID, can be found by
passively snooping network traffic. WPA v2.0 has been announced and will use AES
instead of DES's RC4. It will use a symmetric block cipher.
In conclusion, security on a wireless network is a grave issue. WEP can be used in
SOHO environments and WPA in corporate environments to provide security.