It’s no secret that wireless LANs (WLANs) aren’t very secure. The original security built-in to the 802.11b Wi-Fi standard called for a WLAN security level equivalent to that of cabled networks: the Wired Equivalent Privacy, or WEP, was the less than perfect result.
Despite the self-evident fact that any security is better than none, a disturbingly-high proportion of corporates don’t even bother to impose the most elementary levels of security on their WLANs, leaving themselves wide open to intruders.
WEP uses a shared (symmetric) secret-key to encrypt data at the MAC layer, using differing sizes of keys depending on the manufacturer. The baseline security is 40-bit encryption using the RC4 algorithm. The 802.11 standard was amended in late 2000 to allow for the support of 128-bit encryption keys – a substantial improvement, although it still wasn’t enough.
The shortcomings in WEP were down to a mixture of factors. WEP had an overly conservative specification, which didn’t want to overstress the power of Wi-Fi adapters already stretched by the complexities of the Wi-Fi MAC. Another flaw was due to US export restrictions which prevented the export of strong encryption and limited the initial flavour of WEP to 40-bits. WEP’s packet integrity checking was also flawed, which allowed data to be modified or inserted in transit. Finally, WEP only protected the initial association with the network and user data frames. Management and control frames aren’t encrypted by WEP, giving a cracker plenty of scope to disrupt transmissions with spoofed frames.
By definition, finding WLANs has to be easy so 802.11 ‘beacon’ frames, used to broadcast network parameters, are sent unencrypted. By monitoring beacon frames any suitably equipped cracker, using programs such as NetStumbler, can easily scan for the presence of local wireless networks, even without the aid of a high-gain antenna or that other essential tool, the empty Pringles tube.
Cracks in WEP
It didn’t take long for WEP to be cracked. By the summer of 2001, two US universities had published papers pointing out that WEP offered insufficient randomness and key space. This meant a cracker could sniff relatively few packets to crack a WEP key. Subsequent work showed that cracking a 128-bit key wouldn’t take much longer. The final straw was a paper that described a flaw in the ‘key scheduling algorithm’ of the RSA RC4 algorithm employed by WEP. This made certain RC4 keys fundamentally weak and the paper designed an attack that would allow a passive listener to recover the secret WEP key simply by collecting a sufficient number of frames encrypted with weak keys.
MAC authentication was an early feature added to many wireless access points, allowing only NICs with registered MAC addresses to connect to the WLAN, thus going some way to compensate for WEP’s shortcomings. However, as genuine MAC addresses are freely broadcast, it’s relatively easy to for a cracker to determine valid MAC addresses and spoof them to gain access to the WLAN.
To be fair, manufacturers have tried to improve WEP’s dismal security capabilities. Updated firmware from many vendors now makes APs resistant to cracking tools such as AirSnort and WEPCrack. Some even use key management protocols to change the WEP key every 15 minutes. Some vendors, such as D-Link, offer stronger 256-bit encryption, too.
Nevertheless, by the autumn of 2001, WEP had placed a question-mark over the corporate viability of Wi-Fi: it had proved to be incapable of providing either privacy or user authentication.
WPA: Halfway house
Fortunately, the Institute of Electrical and Electronics Engineers (IEEE) 802.11i working group has defined an extension to the 802.11 protocol that provides for better security. At present, the 802.11i standard is in draft form and isn't expected to be ratified until the end of 2003. In the meantime, most Wi-Fi manufacturers have agreed to use a temporary standard for enhanced security called Wi-Fi Protected Access or WPA. Although WPA is a stop-gap protocol and isn't officially recognised by IEEE, it is a subset of the upcoming IEEE 802.11i standard and will be forwardly-compatible with it.
WPA fixes many of WEP’s flaws. Its Temporal Key Integrity Protocol (TKIP) provides important data encryption enhancements, including a per-packet key mixing function, a message integrity check (MIC or Michael!), an extended initialisation vector (IV) with sequencing rules, and an automatic re-keying mechanism, which simplifies a potentially tedious manual chore. The ‘keyspace’, or number of possible keys that can be used, would take 100 years of continuous transmission to exhaust.
To bolster user authentication, WPA implements 802.1x and the Extensible Authentication Protocol (EAP), which provide a framework for strong user authentication. It calls for a central authentication server, such as RADIUS, to authenticate each user on the network before they join it.
While WPA goes a long way towards addressing the shortcomings of WEP, not all users will be able to take advantage of it. That's because WPA isn’t backward-compatible with some legacy devices and operating systems. From a hardware standpoint, this means only that your access points and NICs must recognise the WPA standard. Hardware manufacturers have been slow in releasing WPA firmware updates for their access points and wireless NICs. Moreover, not all users can share the same security infrastructure – for example wireless PDAs lack the processing power of a PC.
At present, WPA firmware upgrades have mainly appeared for the current generation of 802.11g hardware. Leading the pack has been hardware based on the Broadcom Wi-Fi chipset, eg Buffalo, Belkin and Linksys. Netgear is conspicuous by its absence. At the moment, the list of 802.11a or b hardware that is now WPA-compatible is quite short (Cisco, 3Com and Linksys) and for some legacy Wi-Fi hardware, it may never arrive. The principal reason for the delay seems to be that the code required to implement the various flavours of EAP is large and the flash memory in Wi-Fi kit is not over-generous.
But it isn’t merely a case of updating access point or router firmware, there is also the question of the so-called ‘supplicant’ software. Simply having WPA-capable hardware and drivers isn’t enough. The clients still need to know how to use the new features, such as TKIP and 802.1x. This is handled by a piece of software known as a ‘supplicant’, and getting this right has proved to be trickier than expected. Thus far, the most commonly available supplicant is the WPA patch for Windows XP. It is free but you do have to run Windows XP. Other supplicants are available, eg from Funk and Odyssey but they can cost $40-50 per seat. Some Wi-Fi vendors will include their own supplicant software but many big names will rely solely on that included with Windows XP/Windows Server 2003.
Applying encryption to network traffic inevitably imposes a performance overhead. That was certainly true of WEP back in the early days of Wi-Fi and the considerably more complex WPA doesn’t escape this penalty. For this reason, AES, which requires much more number-crunching power than WEP, was omitted from the WPA specification because it might impose unacceptable throughput losses on legacy hardware. WPA can degrade network performance too, unless a WLAN system has hardware that will run and accelerate the WPA protocol. For most WLANs, there's currently a trade-off between security and performance without the presence of hardware acceleration in the access point.
Nevertheless, early reports suggest that the impact WPA has on throughput is modest, if variable. You’ll see, on average, no more than a 10-15 percent hit with WPA switched on, with some hardware showing no real performance degradation.
Although WPA is more than a temporary fix for WEP, we’ll have to wait for 802.11i (aka WPA 2) for the real McCoy. The main pieces of the 802.11i draft that are not included in WPA are secure IBSS, secure fast handoff, secure de-authentication and disassociation, as well as enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement.
Though some wireless access points offer dual-mode security, using both WPA and WEP, WPA isn't directly compatible with WEP. The Wi-Fi Alliance doesn't recommend mixing the two, as this approach leaves a network just as open as WEP alone.
Until 802.11i becomes a reality, WLAN security will be a work in progress. Upgrading to WPA will greatly enhance WLAN security. Until then, if the rudimentary security offered by WEP is insufficient to protect your network data then you have to assume that the link layer offers no security. This entails placing all WLANs on the other side of the firewall, in a DMZ. It also means treating all WLAN users as you would dial-up users – they are ‘unknown’ and hence require authentication before network access is granted. This also means that strong encryption (IPSec, SSL or SSH) or VPNs should be employed.