A painful process explained step-by-step
Robert C. Jones, M.D.
LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland
E-mail: rob — at — notbob — dot — com
Web site: http://www.notbob.com
Note: presentation best viewed as slide show
Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIV
• This presentation was written prior to Microsoft’s release of Windows XP Service Pack 2; Rob is still evaluating the effect of SP2 on wireless networking on several computers, and will update these slides Real Soon Now. Until then, consider these slides to refer to Windows XP SP1, and, as always, please remain calm.
• …then you need to read my extensive discussion of Wireless Internet INsecurity here: http://www.notbob.com/wlani/
• This presentation assumes some knowledge of the basics of wireless security and some competence with computers (i.e., more than just the ability to turn them on)
• Why Windows XP and not Mac, Unix, BSD, Linux, Amiga…?
People who use Windows (of any kind) need more help
Most Windows users don’t RTFM: read the fine manual
Windows XP makes WPA much harder than it has to be
Windows XP has the largest installed base
• All legal disclaimers in my original talk apply to this addendum
• WPA = “WiFi ® Protected Access”
• Quick fix to broken initial wireless security method, WEP (= “Wired Equivalent Privacy”)
•Why is WEP broken?
For the full explanation, see my original talk. Here’s the executive summary:
WEP standard implements RSA Security’s RC4 encryption improperly: http://www.rsasecurity.com/rsalabs/node.asp?id=2009
Flaws in key scheduling algorithm
Large number of weak keys
Encryption easily cracked
Initialization vector (IV) is sent in the clear with each chunk– subtract 24 bits of IV from encryption key length (so advertised “128 bit” security is really only 104 bits…more bits good, fewer bits bad, so this is bad)
As a result, attackers can sniff the information going across your WEP-protected network and crack the security in hours to days, depending on the age of your access point’s firmware and the traffic across the network; see this article: http://www.oreillynet.com/pub/a/wireless/excerpt/wirlsshacks_chap1/index.html
(skip this slide if you don’t care)
• WPA is a subset of the upcoming IEEE 802.11i security standard; designed to be forward-compatible with 802.11i (Update: Specification finally approved; certified products due Sep 04: http://www.infoworld.com/article/04/06/25/HNwlan_1.html)
• Security enhancements:
TKIP: Temporal Key Integrity Protocol– per-packet key mixing, message integrity check (MIC; aka “Michael”), and extended initialization vector address most of the weaknesses of WEP; much harder to “crack”, but not impossible: http://wifinetnews.com/archives/002453.html
AES: Advanced Encryption Standard– optional “enhanced” security cipher based on the Rijndael cipher (gotta love the parrot: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ ; AES skeptics: http://www.cryptosystem.net/aes/ ; http://www.schneier.com/crypto-gram-0209.html#1 )
Enterprise-level, port-based user authentication through 802.1x and EAP (no user authentication in WEP– only device authentication) [called “WPA Enterprise” by the WiFi Alliance]
Option for SOHO users: PSK (pre-shared key)– eliminates need for RADIUS: http://www.wi-fiplanet.com/tutorials/article.php/2148721 ; http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf ; http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_ProtectedAccessWebcast_2003.pdf
• WPA support requires upgrades to 3 things:
• Your wireless Access Point (AP)
You need firmware that supports WPA
Most APs sold in 2004 should support WPA out of the box
• Your wireless client (the actual card thing in your computer)
Client also called “supplicant” (because you’re begging for access)
You need firmware that supports WPA
Most new 802.11g and a/b/g clients support WPA; many older 802.11b clients (pre-2003) may not be upgradeable (considered legacy devices)
• Your operating system (Windows XP, in this case)
You need WPA upgrades to Windows XP
Microsoft helpfully does not include the updates in the automatic Windows Update function; you have to install them yourself manually (for Service Pack 1; WPA functionality now included in SP2)
References: http://www.pcmag.com/print_article/0,3048,a=107756,00.asp ; http://www.microsoft.com/whdc/device/network/802x/WPA.mspx
• For this talk, we will be using a Linksys WRT54GS router, a Sony Vaio with a LAN-Express AS 802.11g mini-PCI card, and Windows XP Home edition with Service Pack 1 and all critical updates
• Your specific screens may look different, but the process should be the same with other wireless routers and client devices
• Because enabling WPA on your router will cut off communication with your client device, be sure that everything is working OK without WPA (i.e., enable WEP with 128 bit security and make sure that the connection is functional)
• It is always a good idea to have a wired connection to your router in order to fiddle with settings if (when) your wireless connection goes down (e.g., when you switch from WEP to WPA)
• I do not ever recommend running a wireless AP without any security (in “open” mode), because I am way paranoid when it comes to network security
• Log onto router by opening your internet browser and typing in the IP address listed in your router’s manual (in this case, for Linksys, 192.168.1.1):
Never, ever check this box!
Note: your router’s manual will give you the default password; if you lost it, you can find the defaults by searching Google for: default router passwords (without quotes); if you changed the default a long time ago and forgot it, then reset the router using the little button in the back
• Note that the firmware version (2.07.1) supports WPA out of the box
• You must choose Pre-shared Key (PSK) for SOHO use (unless you have a RADIUS server)
• You can select TKIP or AES; TKIP is standards-based (AES implementation in WPA not standardized; will become standardized in 802.11i); UPDATE: some client chips prefer AES
• Group renewal key can be left at whatever default your router manufacturer has set
A few words about picking a good PSK passphrase…
• The “Achilles heel” of SOHO-mode WPA (“WPA-Personal”) is that users might pick weak passphrases for the PSK
• As all BOFHs know, users are clueless and pick bad passphrases more often than their noses
• Passphrases that are easily guessed include anything in any dictionary, names, birthdays, phrases, slang, acronyms…the worst password is your account name.
• The bottom line: pick a passphrase which is as random as possible, with a mix of upper and lower case letters, numbers, and special characters (%^&*#$ ~ @+), and which is at least 20 characters long; for more do’s and don’t’s, see: http://geodsoft.com/howto/password/password_advice.htm
• Here’s a helpful passphrase FAQ: http://131.155.140.135/~galactus/remailers/passphrase-faq.html#210
• For a really good passphrase, check out Diceware: http://world.std.com/~reinhold/diceware.html
• This article discusses the WPA PSK problem in gory detail: http://wifinetnews.com/archives/002452.html
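The passphrase advice above in working form, as an example added here rather than code from the original slides: it scores a candidate PSK against the slide’s rule (at least 20 characters, with upper and lower case, digits and specials all present), estimates entropy for random-character versus Diceware-style passphrases, draws Diceware words with the `secrets` module, and derives the WPA-PSK pairwise master key from passphrase and SSID (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output, as specified by IEEE 802.11i) to show that the key is only as unpredictable as the passphrase. The 64-word list is a constructed stand-in for the real 7776-word Diceware list; the SSID and passphrases in the demo are made up.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a Diceware word list. The real list has 7776 words
# (6^5, one per roll of five dice, ~12.9 bits per word); this 64-word sample
# gives 6 bits per word and exists only so the example runs offline.
SAMPLE_WORDS = [
    "apple", "brick", "cloud", "dance", "eagle", "flame", "grape", "horse",
    "igloo", "jewel", "kite", "lemon", "mango", "night", "ocean", "piano",
    "quilt", "river", "stone", "tiger", "umbrella", "violet", "whale", "xenon",
    "yacht", "zebra", "anchor", "bridge", "candle", "desert", "engine", "forest",
    "garden", "harbor", "island", "jungle", "kettle", "ladder", "meadow", "needle",
    "orchid", "pepper", "quiver", "rocket", "saddle", "temple", "unicorn", "valley",
    "walnut", "yellow", "zipper", "basket", "cobalt", "dragon", "ember", "falcon",
    "glacier", "hammer", "iron", "jacket", "koala", "lantern", "marble", "nickel",
]

# The four character classes the slide asks for (26 + 26 + 10 + 32 = 94 symbols).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(passphrase: str) -> int:
    """Size of the alphabet spanned by the character classes actually used."""
    return sum(len(a) for a in CLASSES if any(ch in a for ch in passphrase))


def random_char_entropy_bits(passphrase: str) -> float:
    """Entropy if every character were drawn uniformly from that alphabet.
    This is an upper bound: it overstates word-based phrases badly, which is
    why Diceware phrases are scored per word instead (see below)."""
    size = charset_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0


def diceware_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def meets_slide_advice(passphrase: str) -> bool:
    """The slide's rule: >= 20 characters and all four classes present."""
    return len(passphrase) >= 20 and all(
        any(ch in a for ch in passphrase) for a in CLASSES)


def generate_diceware(n_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words with a CSPRNG (the software equivalent of rolling dice)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key per IEEE 802.11i:
    PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).
    A WPA passphrase must be 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    for p in ["password", "aB3!" * 5, generate_diceware(6)]:
        print(f"{p!r}: ~{random_char_entropy_bits(p):.1f} bits if random chars; "
              f"meets slide advice: {meets_slide_advice(p)}")
    print("6 words from the real Diceware list:",
          round(diceware_entropy_bits(6, 7776), 1), "bits")
    # Constructed SSID; the PMK changes completely if either input changes.
    print("PMK for SSID 'mynet42':", wpa_pmk("aB3!" * 5, "mynet42").hex())
```

Because the SSID is the salt in the PMK derivation, two networks that share both a common SSID and the same passphrase end up with the same key; a non-default SSID is therefore cheap extra margin on top of a strong passphrase, and a Diceware phrase must still fit WPA’s 63-character limit.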
“Stevan...commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.
In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.
"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said (Stevan), an information technology manager in New York.” http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html
(obnote: managers are generally clueless feebs when it comes to actual technology, clinical medicine, etc. If they actually knew technology or medicine, they would be doing something useful with their lives instead of micromanaging and writing meaningless policies, QED. Yeah, pointy haired exboss, you’re so vain, I bet you think this comment’s about you, don’t you?)
“But…my router’s firmware doesn’t give me a WPA option!”
Assuming your AP can support WPA, you need to upgrade your firmware, my friend:
• Linksys: http://www.linksys.com/download/
• Netgear: http://kbserver.netgear.com/kb_web_files/n101190.asp ; http://kbserver.netgear.com/main.asp
• Netegriti EM-500AG: http://www.discountechnology.com/products/wistron-802.11abg/EM-500AG.zip
• Buffalo: http://www.buffalotech.com/wireless/_SUPPORT/downloads.php
• D-Link: http://support.dlink.com/faq/view.asp?prod_id=1401 ; http://support.dlink.com/downloads/
• Microsoft: Microsoft Broadband Networking Utility (BNU) should automagically update firmware; if not, go here: http://www.microsoft.com/hardware/broadbandnetworking/15_Downloads.aspx
• SMC: http://www.smc.com/index.cfm?sec=Products&pg=Product-List&cat=5&site=c
• Zyxel: http://us.zyxel.com/support/download.php
Note: representative sample of AP manufacturers; not in any particular order; if your manufacturer is not on this short list, then try their website!
UPDATE! 17 June 04
After buying a Netegriti (Wistron) EM-500AG a/b/g mini-PCI card for my notebook from http://www.discountechnology.com , it took quite a bit of struggling to enable WPA.
Turns out that some implementations of WPA require SSID broadcasting to be turned on for supplicant authentication to work (i.e., you will get a strong signal and see the connection, but you won’t be able to use the connection to do anything [like surfing the Net]).
Note that this is now safe with WPA in place (vs. during the ancient WEP-only era ca. 2002); WEP + no SSID broadcast is far less safe than WPA + SSID broadcast
start | settings | control panel | system | hardware | device manager | network adapters | your wireless adapter
Any driver prior to May 2003 will need to be upgraded (WPA standard finalized May 03)
This card didn’t work under WPA with “shared”– needed to leave in “auto”
• Your client card manufacturer should tell you whether their latest firmware supports WPA
• Follow the instructions given by your manufacturer to flash the firmware (don’t interrupt power during flashing! Very bad karma!)
Update 1 http://www.microsoft.com/downloads/details.aspx?FamilyID=009d8425-ce2b-47a4-abec-274845dc9e91&displaylang=en ; download link is on right side of page
Update 2 http://support.microsoft.com/?kbid=826942 ; download link is halfway down the page
Download and install these two updates; be sure to reboot after each one (they don’t remind you to do so); again, as of late Aug 04, the brand new Win XP SP2 update includes WPA functionality (about time!)
Make sure Wireless Zero Configuration service is running: start | run | open: services.msc
Start | Settings | Control Panel | Network connections | Right click on wireless adapter | properties
You can try AES if you want…if it works for your network, cool…
Here’s a timesaver: copy your WPA password onto the Windows clipboard from your router’s configuration screen (ctrl-C), then paste into the Network key dialogs (ctrl-V); note that Windows prevents you from copying from within the Network key field if you choose to type in the key
This happy icon means that your connection is working!
(might need to hit refresh button below “configure” to change the icon)
Start | Settings | Control Panel | Network connections | Right click on wireless adapter | properties
Note that 802.1x is mandatory for WPA (can’t change it…greyed out)
Meaningless for WPA-Personal with PSK, so leave it at the default (as shown)
• Now your wireless connection is the safest in the neighborhood…99.9% of attackers will now leave you alone to go after the low-hanging fruit of lusers who are still using WEP (or the 70 + % of hoi polloi with no security at all)
hint: be sure to view this as a slide show to see the words behind the pictures
• mid-2004: WPA2 (marketing term for 802.11i with RSN, as discussed in my original presentation)
– Will require hardware encryption engine on the chipset
– Uses AES via CCMP (Counter-mode CBC-MAC Protocol), which is stronger than TKIP (even at same 128 bit key length)
– Most newer 802.11g and a/b/g devices should be able to handle AES with firmware upgrade…older devices (pre-2003) will likely need to be upgraded in hardware (i.e., replaced)
– Detailed support for 802.1x and EAP for strong user authentication
– ? Strong reason to upgrade WPA to WPA2 for average users; certainly mandatory for enterprises with proprietary secrets, but probably not necessary to secure your MP3s… from: http://www.cs.umd.edu/~waa/1x.pdf
excerpt of rijndael (AES) source code
“They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”
--Benjamin Franklin
“Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns.”
--Mitch Ratcliffe
a work in progress (18 June 04)
• I’m in the process of upgrading my notebook to Mandrake Linux 10.0 (from 9.1); my wireless card is the Netegriti EM-500AG; stay tuned for an update on my experience…
• Excellent Linux WLAN HOWTO: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
• For Atheros-based client cards (including mine), here’s the madwifi FAQ: http://www.mattfoster.clara.co.uk/madwifi-faq.htm
• The web-based CVS viewer for the madwifi project on SourceForge is here: http://cvs.sourceforge.net/viewcvs.py/madwifi/madwifi/
• The CVS address for both the madwifi driver and the WPA module is in the FAQ, Jack: http://www.mattfoster.clara.co.uk/madwifi-2.htm
• Free WPA supplicant (supports many cards, including Atheros ar521x): http://hostap.epitest.fi/wpa_supplicant/
Can’t forget my MacOS buddies…
• As of this writing, Apple only supports WPA on AirPort Extreme (802.11g)
• Here’s a page with info on setting up WPA in MacOS X: http://www.oreillynet.com/pub/a/wireless/2003/12/18/wap.html
• The URL for the firmware upgrade is wrong; here’s the right one: http://www.apple.com/downloads/macosx/apple/airportextremefwupdate.html