Topic : Wireless Security with WEP and WPA

In a wireless network (WLAN) data is sent out over the air. Any wireless device within radio range can capture the frames, and can read them if they are not encrypted. In a wired network, data is confined to the physical boundaries of the cabling. Wireless communications are also more prone to interference and jamming. Security on a wireless network is therefore harder to provide than on a wired network. Attackers known as "wardrivers" roam neighbourhoods with wireless devices looking for insecure wireless networks they can get into; "war chalkers" mark the ones they find with chalk symbols for others to use.

802.11a and 802.11b are popular IEEE standards for wireless LANs. Wired Equivalent Privacy (WEP) is the protocol in the original 802.11 standard that provides security for an 802.11 network. It acts on data transmitted between an access point and client network adapters, in both directions. WEP protects frames only between 802.11 stations, not on the wired side of the network (for example between access points). WEP encrypts the data to provide confidentiality. It is implemented in the MAC sublayer of the data-link layer, so it protects only the wireless hop and does not provide end-to-end security. Most wireless NIC and access point vendors support WEP.

The main objectives of WEP are to provide the following security services:
1. Authentication - verify the identity of communicating client stations.
2. Confidentiality - prevent eavesdropping.
3. Integrity - ensure that information is not altered in transit.

WEP can be used with either open-system or shared-key authentication. With open-system authentication any client is allowed to associate, but a client without the correct WEP key cannot exchange usable data, because the access point cannot decrypt its frames and it cannot decrypt the access point's. With shared-key authentication the access point sends the client a 128-byte challenge, and the client is admitted only if it returns the challenge correctly encrypted with the WEP key. Shared-key authentication is in fact the weaker choice: an eavesdropper who captures the clear challenge and the encrypted response learns 128 bytes of keystream for that IV. A static WEP key can also be used; this key has to be the same on all communicating devices.
Each NIC and access point may need to be configured manually for WEP. If a device is lost or stolen, the WEP key has to be changed by hand on all the remaining devices. If a tool like AirSnort is used to recover the WEP key, the network administrator has no way of knowing that the key has been compromised.

WEP uses RC4 encryption. RC4 is a symmetric stream cipher invented by Ron Rivest of RSA Data Security, Inc. It supports a variable-length key. 802.11 specifies RC4 and the key sizes but does not specify how keys are to be distributed, which leads to many implementation problems in key management. The static key has to be entered by the user on each station. It is 40 bits long (marketed as "64-bit WEP" because the 24-bit IV is counted in) or 104 bits long (marketed as "128-bit WEP"); some vendors call the longer key "WEP2". The 40-bit key is vulnerable to brute force.

WEP uses a 24-bit initialization vector (IV), which gives 16,777,216 possible values. The standard does not say how the IV is chosen; implementations use a counter or a random value. WEP concatenates the IV and the key to form the RC4 key, sometimes called the seed. The IV is meant to change for each frame transmitted. The seed is used to generate a keystream of length equal to the frame's payload plus the 32-bit integrity check value (ICV), which is a CRC-32 checksum of the payload. The keystream is XORed with the payload and the ICV. The IV is transmitted in clear text in the first bytes of the frame body, followed by a key-ID byte that selects one of four configured keys. The receiving station decrypts, recalculates the checksum and compares it against the one received; if they differ the frame is rejected.

In a home network WEP is enabled on the router through its management console. It also has to be enabled on each wireless adapter or NIC, and a pre-shared key has to be set for the network. A Wi-Fi router often ships with a default key; this should be changed, otherwise somebody else within range of the network may also be using the default key. Anybody with the same WEP key can access the network.
A Wi-Fi router provides four WEP key slots, and the key-ID byte in each frame tells the receiver which of the four to use. Many products derive the keys from a passphrase, and a short or common passphrase may well be chosen by somebody else too. A better option is to use a WEP key generator, or any source of random bytes, to create a custom key. After WEP is enabled the throughput of the network drops somewhat because of the added encryption and decryption.

The vulnerabilities of WEP arise from the short IV, the way RC4 is keyed, and the static nature of the shared key. With only 24 bits of IV, IVs repeat within hours on a busy network, and a randomly chosen IV collides with an earlier one after only a few thousand frames (the birthday bound). The 802.11 standard does not even require the transmitting station to use a fresh IV for each frame. When the same IV is used with the same key on two frames (an initialization-vector collision) both frames are encrypted with an identical keystream, so XORing the two ciphertexts gives the XOR of the two plaintexts. Frames that begin with known or common data, such as the LLC/SNAP header that starts every IP frame or the "From" line of an e-mail, hand the attacker the plaintext, and with it the keystream for that IV, which decrypts every other frame sent under that IV. Key exchange is not supported by 802.11, so the same key is reused for long periods unless changed by hand, which makes the network all the more vulnerable. The IV is sent out in plaintext, so sniffers see it directly, and certain "weak" IVs leak information about individual key bytes; by collecting enough frames with weak IVs an attacker recovers the key itself. Both 40-bit and 104-bit WEP can be cracked with tools readily available on the Internet; a 104-bit ("128-bit") key can be obtained from about 15 minutes of captured traffic. Choosing IVs at random does not fix any of this.

Some other measures that might provide a little more security in a SOHO (Small Office Home Office) network are as follows.
1. Use a custom key made of random bytes rather than dictionary words.
2. Turn DHCP off and use static IP addresses instead.
3. Use firewalls.
These are obstacles to the casual user rather than to an attacker with a sniffer, since MAC and IP addresses are visible in captured traffic.

WEP provides a minimum level of security. It is acceptable for a home network or small office network: it might not give enough protection against a determined attacker, but it may be enough against casual eavesdroppers trying to use network resources. Bigger networks used for business need to be more secure. There are other solutions such as Cisco's Lightweight Extensible Authentication Protocol (LEAP) or other Extensible Authentication Protocol (EAP) methods. These may require additional software and hardware, such as certificate servers or authentication servers, and have interoperability issues where hardware has to come from the same vendor (LEAP itself was later shown to be vulnerable to offline dictionary attacks on the user password).

The solution announced by the Wi-Fi Alliance is Wi-Fi Protected Access (WPA). It is an interim replacement for WEP that removes most of its shortcomings. WPA is based on a draft of 802.11i. It can be configured to work with an authentication server in corporate networks (using 802.1X), and it can also work in home and SOHO environments without an authentication server using pre-shared key mode (WPA-PSK). WPA can be used by universities and other public organizations where vendor-specific solutions have not been usable because of interoperability issues. The firmware of most access points and NICs can be upgraded to WPA. Like WEP, WPA encrypts and decrypts the data transmitted over the network, but it does not use one static key for encryption as WEP does. It uses the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every packet and a different set of keys for each communicating device. Key changes are synchronized automatically between the access point and the clients. In PSK mode a passphrase is entered when WPA is enabled; this, along with the other network settings, is stored on the access point and on each client. From the passphrase and the SSID each side computes the same 256-bit pre-shared key, and TKIP's per-station keys are then derived from it during the four-way handshake, which also proves to each side that the other holds the same key.
WPA works with all variants of Wi-Fi (802.11a, b and g). It follows the 802.11i draft and the 802.1X standard. WPA provides stronger protection than WEP and is easy to deploy. It fixes the problems WEP suffers from, with the exception of denial-of-service attacks. The 128-bit encryption key is called the temporal key (TK). WPA can also use pre-shared keys, but these are not used to encrypt data directly; they are the root from which constantly changing per-packet RC4 keys are derived. TKIP uses a 48-bit IV, the TKIP sequence counter. In phase 1 of the key mixing the TK, the transmitter's MAC address and the upper 32 bits of the IV are combined into a phase-1 key; in phase 2 the phase-1 key, the TK and the lower 16 bits of the IV are mixed to produce a different 128-bit RC4 key for each packet. This is what makes it hard for attackers to recover the data, unlike WEP, which keys RC4 with the same secret and a short public IV for every frame until somebody reconfigures it by hand.

WEP uses a 32-bit checksum (CRC-32) calculated over the frame's payload. This checksum, called the integrity check value (ICV), is appended at the end of the frame and encrypted with the payload. Because a CRC is linear, an attacker can flip chosen bits of the ciphertext and adjust the encrypted ICV so that the receiving station still accepts the modified frame and never notices that it was altered. WPA uses a keyed message integrity code called Michael to thwart this. Michael computes a 64-bit (8-byte) Message Integrity Code (MIC) over the frame body and addresses, using a separate MIC key. The MIC is inserted at the end of the frame payload, before the ICV, and is encrypted along with the frame data. TKIP also carries the per-packet sequence counter, which the receiver checks so that captured frames cannot be replayed. Michael is deliberately lightweight so that it runs on existing hardware, so TKIP adds countermeasures: on two MIC failures within a minute the station rekeys and stops sending for 60 seconds.

For WPA security to take effect, all devices on the network must use WPA. If some devices still use WEP, the security of the whole network drops to that of WEP, since WEP clients do not support automatic rekeying. The first WPA release does not support peer-to-peer (ad-hoc) configurations without an access point. WPA is not enabled by default on upgraded firmware; it has to be selected and a passphrase has to be set.
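As an added example (my own code, not from the original page), the Python below shows the CRC-32 weakness that Michael was introduced to fix. A fixed constructed byte string stands in for the RC4 keystream (any stream cipher behaves the same way); `seal` mimics WEP's encryption of payload || ICV, `unseal` is the receiver's check, and `flip_bits` is the attacker, who changes chosen bits of the ciphertext and patches the encrypted ICV using the linearity of CRC-32, without knowing the key or the keystream. The function names and the sample packet are constructed for this illustration.

```python
import zlib
from typing import Optional


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(keystream: bytes, payload: bytes) -> bytes:
    """WEP-style protection: encrypt payload || CRC32(payload) with a keystream."""
    plaintext = payload + crc32(payload).to_bytes(4, "little")
    assert len(keystream) >= len(plaintext), "keystream must cover payload and ICV"
    return xor(plaintext, keystream)


def unseal(keystream: bytes, sealed: bytes) -> Optional[bytes]:
    """Receiver: decrypt and verify the ICV; None means the frame is rejected."""
    plaintext = xor(sealed, keystream)
    payload, tag = plaintext[:-4], plaintext[-4:]
    return payload if crc32(payload).to_bytes(4, "little") == tag else None


def flip_bits(sealed: bytes, delta: bytes) -> bytes:
    """Attacker, with no key and no keystream: XOR `delta` into the encrypted
    payload and fix up the encrypted ICV to match. This works because CRC-32 is
    linear over XOR for inputs of equal length:
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)
    where the crc(zeros) term cancels the CRC's initial value and final XOR."""
    n = len(sealed) - 4
    assert len(delta) == n, "delta spans the whole payload (zero where unchanged)"
    icv_delta = (crc32(delta) ^ crc32(bytes(n))).to_bytes(4, "little")
    return xor(sealed, delta + icv_delta)


def make_delta(payload_len: int, offset: int, old: bytes, new: bytes) -> bytes:
    """Delta that rewrites the known bytes `old` at `offset` into `new`, zero elsewhere.
    The attacker needs to know (or guess) only the bytes being changed."""
    assert len(old) == len(new) and offset + len(old) <= payload_len
    patch = xor(old, new)
    return bytes(offset) + patch + bytes(payload_len - offset - len(patch))


if __name__ == "__main__":
    # constructed keystream standing in for RC4 output; constructed sample packet
    keystream = bytes((i * 73 + 41) & 0xFF for i in range(64))
    payload = b"IPv4 dst=10.0.0.9 data=hello"
    sealed = seal(keystream, payload)
    delta = make_delta(len(payload), payload.index(b"10.0.0.9"), b"10.0.0.9", b"10.0.0.1")
    forged = flip_bits(sealed, delta)
    print(unseal(keystream, forged))   # the receiver accepts the redirected packet
```

The same trick works on a real WEP frame because the ICV is encrypted with the same keystream as the payload: XOR applied to the ciphertext passes straight through to the plaintext. A keyed MIC such as Michael breaks this because the attacker cannot compute the tag change for a chosen delta without the MIC key.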
WPA works in a pre-shared key (PSK) scheme or an 802.1X authentication scheme. In PSK mode the pre-shared key has to be configured on the access point as well as on each client; in 802.1X mode it is delivered to the access point by the authentication server after a successful EAP exchange. WLANs continue to operate at 2.4 GHz with WPA. The 256-bit Pairwise Master Key (PMK) is the root of the keys that protect transmissions between a station and the access point. In PSK mode the PMK is derived from the passphrase with the SSID as salt, using 4096 iterations of PBKDF2-HMAC-SHA1, so the PMK is identical on every device and anybody who learns the passphrase learns the PMK. The per-session Pairwise Transient Key (PTK) is then derived from the PMK, both MAC addresses and the two nonces exchanged in the four-way handshake. Everything in that derivation except the PMK can be captured by passively sniffing one handshake, and the handshake's MIC lets an attacker test candidate passphrases offline. Using a pre-shared passphrase of fewer than 20 characters, or one made of dictionary words, makes it feasible to find the passphrase and in turn the PMK. WPA2 has been announced; it will use AES (a symmetric block cipher, in CCMP mode) instead of RC4.

In conclusion, security on a wireless network is a serious issue. WEP can be used in SOHO environments where nothing better is available, and WPA in SOHO environments with a long random passphrase and in corporate environments with 802.1X authentication.
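As an added example (my own code, not from the original page), here is the WPA-PSK key hierarchy just described, in Python: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, the TKIP PTK is derived from the PMK, both MAC addresses and both handshake nonces with the 802.11i PRF-512, and an offline dictionary attack tests candidate passphrases against a PMK. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the MAC addresses, nonces and wordlist are constructed for the illustration.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(PMK, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(
        hmac.new(pmk, label + b"\x00" + data + bytes([i]), "sha1").digest() for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """TKIP PTK (KCK || KEK || TK || MIC keys) from the four-way handshake inputs.
    Addresses and nonces are ordered min || max so both sides compute the same value."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def dictionary_attack(ssid: str, target_pmk: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: each candidate costs 4096 HMACs and nothing is sent on the air.
    In practice the attacker compares handshake MICs rather than the PMK itself;
    the cost per guess is the same."""
    for candidate in wordlist:
        if 8 <= len(candidate) <= 63 and wpa_psk(candidate, ssid) == target_pmk:
            return candidate
    return None


if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")     # 802.11i Annex H test vector
    print(pmk.hex())
    aa, spa = bytes.fromhex("a0a1a1a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")   # constructed MACs
    anonce, snonce = bytes(range(0xE0, 0x100)), bytes(range(0xC0, 0xE0))     # constructed nonces
    print(derive_ptk(pmk, aa, spa, anonce, snonce).hex())
    print(dictionary_attack("IEEE", pmk, ["letmein1", "password", "correcthorse"]))
```

The 4096 PBKDF2 iterations slow each guess down, but they do not protect a passphrase that is in a wordlist; a random passphrase of 20 characters or more puts the attacker's search well beyond reach, which is the practical reason for the length advice above.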