Conclusions

Wired Equivalent Privacy (WEP) isn't. The protocol's problems stem from a misunderstanding of the cryptographic primitives it uses (a stream cipher, a CRC, a short IV) and from combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would surely have been avoided.

Monitoring

Despite the difficulty of decoding a 2.4GHz digital signal, hardware to listen to 802.11 transmissions is readily available to attackers in the form of consumer 802.11 products. These products possess all the necessary monitoring capabilities; all that remains for the attacker is to convince them to work for him.

Although most 802.11 equipment is designed to disregard encrypted content for which it does not have the key, we have been able to successfully intercept WEP-encrypted transmissions by changing the configuration of the drivers. We were able to confuse the firmware enough that the ciphertext (encrypted form) of unrecognized packets was returned to us for further examination and analysis.

Active attacks (those requiring transmission, not just monitoring) appear to be more difficult, yet not impossible. Many 802.11 products come with programmable firmware, which can be reverse-engineered and modified to give attackers the ability to inject traffic. Granted, such reverse-engineering is a significant time investment (we have not done this ourselves), but it's important to note that it's a one-time cost. A competent group of people can invest this effort and then distribute the rogue firmware through underground circles, or sell it to parties interested in corporate espionage. The latter is a highly profitable business, so the time investment is easily recovered.

Table-based Attack

The small space of possible initialization vectors allows an attacker to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 key stream generated by the IV used, and that key stream decrypts every other packet sent under the same IV. Over time, perhaps using the techniques above, the attacker can build up a table of IVs and their corresponding key streams. The complete table has 2^24 entries of at most one maximum-length (about 1500-byte) key stream each, so it needs a fairly small amount of storage (on the order of 15 to 25 GB); once it is built, the attacker can decrypt every packet that is sent over the wireless link in real time.

Active Attack from Both Ends

The same bit-flipping technique can be extended further to decrypt arbitrary traffic. In this case the attacker guesses not the contents but the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is needed is the destination IP address. Armed with this knowledge, the attacker flips the appropriate bits to change the destination IP address to a machine he controls somewhere on the Internet (the IP header checksum changes too, but since both the old and the new address are known, so is the correction to the checksum), and transmits the packet using a rogue mobile station. Most wireless installations have Internet connectivity; the access point will decrypt the packet and forward it unencrypted through the usual gateways and routers to the attacker's machine, revealing the plaintext. If a guess can also be made about the TCP headers of the packet, it may even be possible to change the destination port to 80, which will allow it through most firewalls.

Active Attack to Inject Traffic

The following attack is also a direct consequence of the problems described in the Problems section. Suppose an attacker knows the exact plaintext for one encrypted message. He can use this knowledge to construct correct encrypted packets. The procedure involves constructing a new message, calculating its CRC-32, and flipping bits in the original encrypted message to change the plaintext to the new message. The basic property is that RC4(X) xor X xor Y = RC4(Y), where RC4(X) denotes X XORed with a given key stream. This packet can now be sent to the access point or mobile station, and it will be accepted as a valid packet.

A slight modification to this attack makes it much more insidious. Even without complete knowledge of the packet, it is possible to flip selected bits in a message and successfully adjust the encrypted CRC (as described in the previous section), to obtain a correct encrypted version of a modified packet. If the attacker has partial knowledge of the contents of a packet, he can intercept it and perform selective modification on it. For example, it is possible to alter commands that are sent to the shell over a telnet session, or interactions with a file server.

Passive Attack to Decrypt Traffic

The first attack follows directly from the key stream reuse described in the Problems section. A passive eavesdropper can intercept all wireless traffic until an IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. IP traffic is often very predictable and includes a lot of redundancy. This redundancy can be used to eliminate many possibilities for the contents of messages. Further educated guesses about the contents of one or both of the messages can be used to statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents.

When such statistical analysis is inconclusive based on only two messages, the attacker can look for more collisions of the same IV. With only a small factor in the amount of time necessary, it is possible to recover a modest number of messages encrypted with the same key stream, and the success rate of statistical analysis grows quickly. Once it is possible to recover the entire plaintext for one of the messages, the plaintext for all other messages with the same IV follows directly, since all the pairwise XORs are known.

An extension to this attack uses a host somewhere on the Internet to send traffic from the outside to a host on the wireless network installation. The contents of such traffic will be known to the attacker, yielding known plaintext. When the attacker intercepts the encrypted version of his message sent over 802.11, he will be able to decrypt all packets that use the same initialization vector.

WEP setup

The 802.11 standard describes the communication that occurs in wireless local area networks (LANs). The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network; this function is not an explicit goal in the 802.11 standard, but it is frequently considered to be a feature of WEP.

WEP relies on a secret key that is shared between a mobile station (e.g., a laptop with a wireless ethernet card) and an access point (i.e., a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established. In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend against the attacks we describe; however, no commercial system we are aware of has mechanisms to support such techniques.

The following two sections describe the problems in the algorithm and the technical details of our attacks; they assume some background understanding of cryptographic protocols. You may wish to skip to the following section, which discusses the practicality of the attacks.

Problems

WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext.

This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.

WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid producing two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.

The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear (strictly, affine: the CRC of the XOR of two equal-length messages equals the XOR of their CRCs XORed with a constant that depends only on the length), which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.

The initialization vector in WEP is a 24-bit field, which is sent in the cleartext part of a message. Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours. (The amount of time may be even smaller, since many packets are smaller than 1500 bytes.) This allows an attacker to collect two ciphertexts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. For example, a common wireless card from Lucent resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. (Worse still, the 802.11 standard specifies that changing the IV with each packet is optional!)
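The key stream reuse described above, carried through the passive IV-collision attack and the table-based attack, as an added example (not code from the Berkeley page). RC4 is implemented inline and the per-packet key is IV || secret as in WEP; the 40-bit key, the two stations' packets and the reset-to-zero IV are constructed, and the byte order of the IV inside the per-packet key is not important here.

```python
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: int, plaintext: bytes):
    """WEP: per-packet RC4 key = 24-bit IV || shared secret; ICV = CRC-32 of the plaintext.
    Returns (iv_bytes, ciphertext); the IV travels in the clear next to the ciphertext."""
    iv_bytes = iv.to_bytes(3, "big")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv_bytes, xor_bytes(body, rc4_keystream(iv_bytes + secret, len(body)))


def xor_of_plaintexts(ct1: bytes, ct2: bytes) -> bytes:
    """Passive attack: two packets under one IV share a key stream, so ct1 ^ ct2 == pt1 ^ pt2."""
    return xor_bytes(ct1, ct2)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext for one packet yields the key stream for its IV (ICV bytes included)."""
    body = known_plaintext + zlib.crc32(known_plaintext).to_bytes(4, "little")
    return xor_bytes(ciphertext, body)


class DecryptionTable:
    """Table-based attack: IV -> key stream. The complete table has 2^24 entries."""

    def __init__(self):
        self.streams = {}

    def learn(self, iv_bytes: bytes, ciphertext: bytes, known_plaintext: bytes):
        ks = recover_keystream(ciphertext, known_plaintext)
        if len(ks) > len(self.streams.get(iv_bytes, b"")):
            self.streams[iv_bytes] = ks          # keep the longest stream seen for this IV

    def decrypt(self, iv_bytes: bytes, ciphertext: bytes):
        """Decrypt any later packet that reuses a known IV; None if the IV is unknown,
        the stored stream is too short, or the ICV does not check."""
        ks = self.streams.get(iv_bytes)
        if ks is None or len(ks) < len(ciphertext):
            return None
        body = xor_bytes(ciphertext, ks)
        plaintext, icv = body[:-4], body[-4:]
        return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None


def iv_exhaustion_seconds(packet_bytes: int = 1500, bits_per_second: float = 11e6) -> float:
    """Time for a saturated link to use every 24-bit IV once (the 5-hour figure above)."""
    return 2 ** 24 * packet_bytes * 8 / bits_per_second


def demo():
    secret = bytes.fromhex("0102030405")     # constructed 40-bit WEP key shared by all stations
    iv = 0                                   # cards that reset the IV to 0 collide immediately
    iv_a, ct_a = wep_encrypt(secret, iv, b"GET /index.html HTTP/1.0\r\n")   # station A
    iv_b, ct_b = wep_encrypt(secret, iv, b"PASS hunter2\r\n")               # station B
    xored = xor_of_plaintexts(ct_a, ct_b)    # pt_a ^ pt_b on the overlapping bytes
    table = DecryptionTable()
    # The attacker arranged A's plaintext (e.g. sent it in from the Internet), so A's stream is known.
    table.learn(iv_a, ct_a, b"GET /index.html HTTP/1.0\r\n")
    return {"xor": xored, "recovered": table.decrypt(iv_b, ct_b)}


if __name__ == "__main__":
    print(demo(), iv_exhaustion_seconds() / 3600, "hours")
```

Note that the table only ever holds key stream, never the secret key: the attack works identically against 40-bit and 104-bit keys, which is why the key length is irrelevant to it.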

Security of the WEP algorithm

This is some information about our analysis of the Wired Equivalent Privacy (WEP) algorithm, which is part of the 802.11 standard. This work was performed jointly by Nikita Borisov, Ian Goldberg, and David Wagner. If you have any questions, please contact us at wep@isaac.cs.berkeley.edu.

Executive Summary

We have discovered a number of flaws in the WEP algorithm, which seriously undermine the security claims of the system. In particular, we found the following types of attacks:

* Passive attacks to decrypt traffic based on statistical analysis.
* Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
* Active attacks to decrypt traffic, based on tricking the access point.
* Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.

Our analysis suggests that all of these attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network.

Note that our attacks apply to both 40-bit and the so-called 128-bit versions of WEP equally well. They also apply to networks that use 802.11b standard (802.11b is an extension to 802.11 to support higher data rates; it leaves the WEP algorithm unchanged).

Other Resources

• University of California, Berkeley Internet Security, Applications, Authentication and Cryptography (ISAAC) Report on WEP insecurity: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
• Wi-Fi Alliance: http://www.wi-fi.org/
• National Institute of Standards and Technology: http://www.nist.gov

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) is poised to become the de facto encryption standard. AES applies 128-, 192-, or 256-bit keys to 128-bit blocks of data; the block size is fixed, only the key length varies.
As of 2004, there had been no reported practical attacks on AES, and it is the first publicly available cipher that the U.S. Government's National Security Agency (NSA) has approved for protecting top-secret classified information (with 192- or 256-bit keys).

Data Encryption Standard (DES)

Data Encryption Standard (DES) is a block cipher that uses a secret key. It applies a 56-bit key to each 64-bit block of data, giving about 72 quadrillion (2^56) possible keys, and for years the U.S. government restricted its export. The key is chosen at random from that pool, so the only generic attack is to try keys until one works.
Whether that counts as strong is a relative matter: 2^56 keys is within reach of a determined, well-resourced attacker (a purpose-built machine exhaustively searched the DES key space in 1998), so single DES should no longer be relied on. Many organizations therefore employ Triple DES, which applies DES three times in succession with two or three independent keys.

Encryption

Scrambling a WLAN’s data as it leaves the AP, and then unscrambling it when it arrives
at the client, requires an encryption method. The popular RC4 has already been
discussed, but sturdier, stronger encryption methods are out there and in use in WLAN
systems, as described next.

WPA2

As you might deduce from its name, WPA2 is the second and later version of WPA. The most important difference between the two is the encryption method. WPA uses TKIP, which is built on RC4, whereas WPA2 uses CCMP, which is built on AES. Not only is the AES-based encryption much stronger, it is also a requirement for some government and industry users.
WPA2 is backward compatible with WPA, and many WPA-certified products can be upgraded to WPA2 with software. However, some products might require hardware upgrades: WPA was designed to be a software upgrade to WEP hardware, whereas WPA2 had no such design goal, so in many cases a hardware upgrade is necessary to move to WPA2.

WPA

WPA was designed as a replacement for WEP. The Temporal Key Integrity Protocol (TKIP) is an improvement over WEP: it derives a fresh per-packet key from the session key and a 48-bit sequence counter, rather than prepending a 24-bit IV to a static key, and rotates the session keys automatically. This makes recovering keys from collected traffic highly unlikely. TKIP was a stopgap for WEP-era hardware, though, and has since been deprecated in favor of AES-CCMP.
Table 4-1 Comparing 802.1X Authentication Methods (Continued)

Columns, in order: EAP-TLS | Cisco Wireless EAP | PEAP Version 1 (with Generic Token Card) | PEAP Version 0 (with MS-CHAP Version 2) | EAP-FAST

Credentials Used
  EAP-TLS: Digital certificate
  Cisco Wireless EAP: Windows password
  PEAP Version 1: Clients: Windows, Novell NDS, LDAP password, and OTP or token. Server: Digital certificate
  PEAP Version 0: Windows password. Server: Digital certificate
  EAP-FAST: Windows password, LDAP user ID and password, PAC

Single Sign-On Using Windows Login?     Yes | Yes | No  | Yes | Yes
Password Expiration and Change?          –   | No  | No  | Yes | Yes
Fast Secure Roaming Compatible?          No  | Yes | No  | No  | Yes
WPA Compatible?                          Yes | Yes | Yes | Yes | Yes
NOTE: An IV is a block of bits combined with the base key (in WEP, simply prepended to it) so that the key stream differs from packet to packet. Without it, identical transmissions under the same key would yield identical output, and attackers could notice the repetition and use it to derive both the messages and the keys. The IV must therefore be large enough, and changed often enough, that it does not repeat.
On top of authentication and encryption improvements, WPA protects the payload better than WEP does. With WEP, a cyclic redundancy check (CRC) is used to ensure packet integrity. However, because CRC-32 is linear, it is possible to alter the payload and correct the encrypted CRC to match without knowing the WEP key. WPA uses a keyed message integrity check (MIC) to ensure packet integrity, which an attacker cannot recompute without the MIC key. The MIC is also tied to a frame counter, which prevents replay attacks.
NOTE: Replay attacks occur when an attacker intercepts a transmission, and then
rebroadcasts that transmission at a later time. For example, if a password is intercepted, the
attacker does not need to know how to read the message; he can simply rebroadcast it later,
and then gain access using the victim’s credentials.
NOTE: The MIC algorithm used by WPA (TKIP) is called Michael in Wi-Fi parlance.
Breaking into a WLAN using WPA is more difficult than WEP because the IVs are
larger, there are more keys in use, and there is a sturdier message verification system.
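The two integrity properties this section credits to WPA, a keyed MIC that an attacker cannot recompute and a per-sender frame counter that rejects replays, as an added example (not code from the book). Encryption is left out, HMAC-SHA-256 truncated to 8 bytes stands in for TKIP's Michael, and the key and frames are constructed. The counter is checked before the MIC, as TKIP does, so a replayed frame cannot be used to rack up MIC failures.

```python
import hashlib
import hmac

SEQ_LEN, MIC_LEN = 6, 8            # 48-bit sequence counter, 64-bit MIC


def protect(mic_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = sequence counter || payload || keyed MIC over both."""
    header = seq.to_bytes(SEQ_LEN, "big")
    mic = hmac.new(mic_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


class Receiver:
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = -1             # highest counter accepted from this sender
        self.mic_failures = 0          # TKIP counts these to trigger countermeasures

    def accept(self, frame: bytes):
        """Returns (payload, None) on success or (None, reason) on rejection."""
        if len(frame) < SEQ_LEN + MIC_LEN:
            return None, "short"
        header, payload, mic = frame[:SEQ_LEN], frame[SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:       # replay or reordered: drop before doing any crypto
            return None, "replay"
        expected = hmac.new(self.mic_key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            self.mic_failures += 1     # bits were flipped; no CRC-style fix-up is possible
            return None, "mic"
        self.last_seq = seq            # advance only after the frame has been authenticated
        return payload, None


def demo():
    key = hashlib.sha256(b"constructed session key material").digest()[:16]
    rx = Receiver(key)
    f1 = protect(key, 1, b"ls -l /home/alice\n")
    f2 = protect(key, 2, b"cat notes.txt\n")
    results = [rx.accept(f1)]          # genuine frame: accepted
    results.append(rx.accept(f1))      # same frame again: rejected as a replay
    tampered = bytearray(f2)
    tampered[SEQ_LEN] ^= 0x1E          # attacker flips payload bits in transit, no MIC key
    results.append(rx.accept(bytes(tampered)))   # rejected: MIC does not verify
    results.append(rx.accept(f2))      # the untouched frame still gets through
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```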

Wi-Fi Protected Access (WPA)

Another means of WLAN security comes in the form of Wi-Fi Protected Access
(WPA). WPA was introduced in 2003 by the Wi-Fi Alliance, a nonprofit association
that certifies WLAN product interoperability based on IEEE 802.11 specifications.
Two versions of WPA exist: WPA and WPA2. They are described in the sections that
follow.

Comparison of 802.1X Authentication Methods

There are a lot of differences among PEAP, Cisco Wireless EAP, EAP-TLS, and EAP-FAST. To help sort out the attributes of these protocols, Table 4-1 compares the various features of these authentication methods.
Table 4-1 Comparing 802.1X Authentication Methods

Columns, in order: EAP-TLS | Cisco Wireless EAP | PEAP Version 1 (with Generic Token Card) | PEAP Version 0 (with MS-CHAP Version 2) | EAP-FAST

User Authentication Database and Server
  EAP-TLS: OTP, LDAP, Novell NDS, Windows NT Domains, Active Directory
  Cisco Wireless EAP: Windows NT Domains, Active Directory
  PEAP Version 1: OTP, LDAP, Novell NDS, Windows NT Domains, Active Directory
  PEAP Version 0: Windows NT Domains, Active Directory
  EAP-FAST: Windows NT Domains, Active Directory, LDAP

Server Certificates Required?            Yes | No  | Yes | Yes | No
Client Certificates Required?            Yes | No  | No  | No  | No

Operating Systems
  EAP-TLS: Windows XP/2000/CE; other OSes supported with third-party utility.
  Cisco Wireless EAP: Windows 98/2000/NT/ME/XP/CE, Mac OS, Linux, DOS
  PEAP Version 1: Windows XP/2000/CE; other OSes supported with third-party utility.
  PEAP Version 0: Windows XP/2000/CE; other OSes supported with third-party utility.
  EAP-FAST: Windows XP/2000/CE; other OSes supported with third-party utility.

EAP-FAST

EAP-FAST is like EAP-TLS in that it uses a certificate-like Protected Access
Credential (PAC) file for authentication, and it is like PEAP in that it authenticates the
station using a username and password via an encrypted TLS tunnel. EAP-FAST is
unique in that it is designed to speed re-authentication as stations roam among APs.
EAP-TLS and PEAP require lengthy message exchanges between the station and the
server, taking several seconds to re-authenticate. Applications that are not latency
sensitive do not need to worry much about this; however, applications that are sensitive
to latency (such as voice over IP) suffer if re-authentication takes more than a few
milliseconds.
EAP-FAST uses shared secret keys to accelerate the re-authentication process. Public
keys are convenient because the station and AP can authenticate each other without
having to know each other in advance. (Public keys are used when connecting to a
secure website, for instance.) Secret keys are faster, but require that both the station and
the AP already have the secret key. Figure 4-5 shows how EAP-FAST works.
Figure 4-5 The EAP-FAST Authentication Process [figure: Client, Access Point, Switch, RADIUS Server; steps 1 through 6]
The EAP-FAST authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client verifies the RADIUS server's credentials with the shared secret key.
4. The RADIUS server authenticates the client with the shared secret key.
5. The RADIUS server and the client agree on the WEP key.
6. A secure connection is established.

Protected EAP (PEAP)

The PEAP authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client verifies the RADIUS server’s certificate.
4. The RADIUS server authenticates the client using MS-CHAP or other means,
such as an OTP.
5. The RADIUS server and the client agree on the WEP key.
6. A secure tunnel is established between the client and the server.
An organization can use Windows logins and passwords if it has not issued certificates
to every station. RADIUS servers that support EAP-TTLS and PEAP can check LAN
access requests with Windows domain controllers, Active Directories, and other
existing user databases.

PEAP Version 0 and Version 1
There are two versions of PEAP:
• PEAP Version 0 (also known as Microsoft PEAP)
• PEAP Version 1 (also known as Cisco PEAP)
Each version supports a different method of client authentication through its TLS
tunnel. Version 0 authenticates clients using MS-CHAP Version 2. This limits user
databases to those supporting MS-CHAP Version 2, such as Active Directory.
[figure: the PEAP authentication process; Client, Access Point, Switch, RADIUS Server; steps 1 through 6]
Version 1 (Cisco PEAP) authenticates clients using OTPs and logon passwords, which
allow OTP support from vendors and logon password databases in addition to
Microsoft databases.
In addition, Version 1 enables users to hide name identities until the TLS tunnel is
created. This ensures that usernames are not broadcast during the authentication phase.

Cisco Wireless EAP

The Cisco proprietary take on EAP is known as Cisco Wireless EAP.
NOTE: Cisco Wireless EAP is also known as Lightweight EAP (LEAP). However, some users
interpreted “lightweight” with a negative connotation, so Cisco opted to call it Cisco
Wireless EAP instead.
Cisco Wireless EAP provides username- and password-based authentication between a wireless client and an AP, via an authentication server.
The Cisco Wireless EAP server and client derive a session key, so that subsequent frames are encrypted with a key different from the keys used by other sessions, providing stronger security. In addition, new keys are generated each time the client roams to a new AP.
Dynamic keys, a feature of all the 802.1X EAP methods described in this chapter, address an enormous vulnerability inherent in static encryption keys. Static keys are shared among all stations on the WLAN; if an attacker can crack the static shared key, he can eavesdrop on all WLAN traffic. Dynamic session keys make the attacker's job harder because there is less traffic under any one key to analyze, which reduces the chance of recovering it, and if he does recover a key, the session it protected might already be over.
When using Cisco Wireless EAP, dynamic per-user, per-session WEP keys are generated each time the user authenticates to the WLAN. You can strengthen security even further by requiring WEP key timeouts, which force re-authentication and generate a new WEP key, even for existing sessions. Note, however, that the MS-CHAP-based password exchange in Cisco Wireless EAP (LEAP) is exposed to offline dictionary attacks on weak passwords, which is one reason Cisco introduced EAP-FAST; enforce strong passwords if you must use it. Figure 4-3 shows the Cisco Wireless EAP process.
The Cisco Wireless EAP authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client provides login credentials to the RADIUS server.
4. The RADIUS server and the client authenticate each other.
5. The RADIUS server and the client derive a session key.
6. Secure communications are established between the client and the server.

EAP-TLS

EAP with Transport Layer Security (EAP-TLS) requires that both the station and
RADIUS server authenticate themselves using public key cryptography, such as smart
cards or digital certificates.
This conversation is secured with an encrypted TLS tunnel. That is, only the
authentication is encrypted. After that is complete, then WEP, WPA, or WPA2 provide
user data encryption. Although this makes EAP-TLS resistant to decryption dictionary
and man-in-the-middle (MitM) attacks, the station’s identity (and the name bound to
the certificate) can still be culled by attackers.
Because EAP-TLS is standard on Microsoft Windows XP, Windows 2000, and
Windows Server 2003, it is popular in Windows-based environments. Figure 4-2 shows
EAP-TLS in action.

The EAP-TLS authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client authenticates the server with a certificate.
4. The RADIUS server authenticates the client with a certificate.
5. The RADIUS server and the client agree on a WEP key.
6. A secure tunnel is established between the client and the server.
[Figure 4-2: Client, Access Point, Switch, RADIUS Server; steps 1 through 6]
The downside to this method is that issuing digital certificates to each station is time
consuming, and most organizations prefer to use usernames and passwords for
wireless authentication. Protected EAP (PEAP), which is discussed later in this
chapter, is a good substitute for EAP-TLS.

Extensible Authentication Protocol

The EAP is a framework that supports multiple methods of authentication. In essence,
EAP manages the authentication, but the variant of EAP used dictates how clients are
authenticated. Some authentication methods include:
• Token cards
• Kerberos
• Public key authentication
• Certificates
• Smart cards
• One-time passwords (OTP)
Several variations on EAP are possible; depending on your organization's needs, each allows a different type of authentication.
As Figure 4-1 shows, EAP authentication is a multistep process:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client provides login information.
4. A Remote Authentication Dial-In User Service (RADIUS) server and client
authenticate each other.
5. A RADIUS server and client agree on a WEP key.
6. Authentication is completed.

This is the basic framework of how EAP works. However, individual authentication
methods can make the process slightly different.

802.1X Protocols

802.1X can be thought of as a control inside your Ethernet switches and APs. The
control starts in the OFF position. It considers 802.1X requests and if it decides to grant
access, the control moves to the ON position. After a period of time, the station times
out or disconnects, moving the control back to the OFF position.
Although the credibility of WEP has taken a beating, it's not totally out of the WLAN security game. In the deployments described in this chapter, WEP is still the encryption layer under 802.1X, but with per-session keys delivered by the authentication server rather than one static key, which is far more secure than static WEP. An even more robust security mechanism, Wi-Fi Protected Access (WPA), is discussed later in this chapter.
There are several protocols used with the 802.1X standard for LAN Port Access Control. Within the 802.1X framework, a LAN station is not allowed to pass traffic through an Ethernet switch or WLAN AP until it has successfully authenticated itself. After it has been authenticated, the client can pass traffic on the LAN.
Dozens of EAP methods have been defined to work within the framework of 802.1X authentication. Some of the popular ones you are likely to see in Cisco wireless networking are covered in the sections that follow.
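The controlled port described above, driven by the generic six-step EAP exchange from the Extensible Authentication Protocol section, as an added example (not code from the book). The RadiusServer class and its password comparison stand in for whichever EAP method is in use, the user database and timeout are constructed, and the session key that in practice rides back with the Access-Accept is left out.

```python
UNAUTHORIZED, AUTHORIZED = "OFF", "ON"       # the chapter's two control positions


class ControlledPort:
    """One 802.1X controlled port on a switch or AP. Data frames from the station are
    dropped until the authentication server reports success; after the session
    timeout, or on EAPOL-Logoff / EAP-Failure, the control goes back to OFF."""

    def __init__(self, session_timeout: float):
        self.state = UNAUTHORIZED
        self.session_timeout = session_timeout
        self.expires_at = None

    def handle_eapol(self, event: str, now: float) -> str:
        if event == "EAP-Success":
            self.state = AUTHORIZED
            self.expires_at = now + self.session_timeout
        elif event in ("EAP-Failure", "EAPOL-Logoff"):
            self.state = UNAUTHORIZED
            self.expires_at = None
        # EAPOL-Start and the EAP request/response relay do not change the port state
        return self.state

    def forward(self, frame: bytes, now: float) -> bool:
        """True if a data frame from the station may pass onto the LAN right now."""
        if self.state == AUTHORIZED and now >= self.expires_at:
            self.state = UNAUTHORIZED       # timed out: back to OFF until re-authentication
            self.expires_at = None
        return self.state == AUTHORIZED


class RadiusServer:
    def __init__(self, users: dict):
        self.users = users                  # constructed user database (identity -> password)

    def access_request(self, identity: str, credential: str) -> str:
        # stands in for the method-specific check (certificate, MS-CHAPv2, OTP, PAC ...)
        return "Access-Accept" if self.users.get(identity) == credential else "Access-Reject"


def authenticate(port: ControlledPort, server: RadiusServer, identity: str,
                 credential: str, now: float) -> str:
    """The generic EAP exchange, with the authenticator (AP) relaying between the
    supplicant and the RADIUS server. Returns the port's control position afterwards."""
    port.handle_eapol("EAPOL-Start", now)            # 1. station associates and starts 802.1X
    blocked = not port.forward(b"data", now)         # 2. AP drops data frames while OFF
    result = server.access_request(identity, credential)   # 3./4. identity + credential check
    if result == "Access-Accept":
        port.handle_eapol("EAP-Success", now)        # 5./6. keys delivered, port turns ON
    else:
        port.handle_eapol("EAP-Failure", now)
    return port.state


def demo() -> dict:
    server = RadiusServer({"alice": "correct horse"})
    port = ControlledPort(session_timeout=3600)
    return {
        "before": port.forward(b"data", now=0),                                    # False
        "bad": authenticate(port, server, "alice", "wrong", now=0),                # "OFF"
        "good": authenticate(port, server, "alice", "correct horse", now=1),       # "ON"
        "during": port.forward(b"data", now=100),                                  # True
        "after": port.forward(b"data", now=3700),                                  # False
    }


if __name__ == "__main__":
    print(demo())
```

The timeout is what makes WEP key rotation possible in these deployments: when the port drops back to OFF the station must re-run the exchange, and a fresh session key comes with the new Access-Accept.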

Manage Port Access

WLANs can include or exclude devices based on MAC addresses using access control lists (ACLs). For more on MAC filtering, skip ahead to Chapter 8, "Wireless Security: Next Steps." Although this type of ACL is easy to implement and manage on small networks, it is tough to manage in large and dynamic networks because the MAC address of each authorized device has to be entered manually. Obviously, this is laborious.

Attacking with MAC
Because ACLs use MAC addresses, they are also prone to attack. An intruder can sit
nearby and pick up traffic between the AP and authorized clients. Although the
contents of a WEP conversation are encrypted, the MAC address is not. As a result, an
attacker can do one of two things:
• The patient attacker can wait until the monitored station disassociates from the
network, and then simply reconfigure the network interface card (NIC) to
broadcast the intercepted MAC address.
• The impatient attacker can simply send a disassociate request to the AP, bumping
the legitimate station off the WLAN. Before the legitimate station can reassociate,
the attacker can associate with the spoofed MAC address.
The LAN Port Access Control framework, outlined by the 802.1X standard, helps
control access to one’s WLAN.

IEEE 802.1X Authentication

The Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard complements WEP. Whereas WEP provides encryption, 802.1X provides authentication. WEP offers a certain measure of encryption between AP and client; however, the data still floats in the ether, exposed to analysis and examination. In a wired network, unauthorized devices can be blocked by disabling unused RJ-45 jacks and associating Media Access Control (MAC) addresses with Ethernet switch ports; a WLAN has no jacks to disable, so it needs another form of admission control.

WEP Weaknesses

WEP is vulnerable to attack for several reasons:
• Distributing WEP keys manually is a time-intensive, laborious task. Because it is tedious to rekey manually, keys are not likely to change frequently, so an attacker probably has enough time to recover the key.
• When keys are not changed often, attackers can compile so-called decryption dictionaries: large collections of frames encrypted with the same key. These frames can then be analyzed and used for attack.
• Standardized WEP implementations use 64- or 128-bit keys, of which 24 bits are the initialization vector sent in the clear, leaving a 40- or 104-bit secret. Although the 128-bit key sounds excessively durable, it is still possible to recover a key this size within a short interval given sustained traffic.
• WEP uses RC4 for encryption. For a large class of RC4 keys, the statistics of the first few bytes of key stream are nonrandom and leak information about the key; because WEP prepends the cleartext IV to the secret key, an attacker can collect exactly the packets whose keys leak.
NOTE: RC4 is the most widely used software stream cipher. In addition to WEP, it was also used in secure sockets layer (SSL), the encryption layer for web pages. Its known biases have since led to its prohibition in TLS (RFC 7465), and it was never a good choice for WLANs, where WEP's key construction makes those biases directly exploitable.

WEP Overview

The first, most basic level of securing a wireless LAN (WLAN) is to set up a wired
equivalent privacy (WEP) key. This is a means of encryption that encodes
transmissions between an access point (AP) and client. This is a basic means of
security, but it is not thorough. When wireless devices were first introduced, this was a
quick and easy way to provide security. Unfortunately, WEP is inherently flawed;
however, it might be your only option if you work with older equipment or client
software.
If enough traffic passes back and forth between client and AP, the packets can be intercepted and the encryption key deduced. This is not a likely issue for homes and small offices with light wireless activity and uninteresting data. However, in an organization with high volumes of wireless traffic and critical data, it is easy for an intruder to crack the code, and the data may well be worth the intruder's effort.
NOTE: The Aironet 1100 Series, 1200 Series, and 1300 Series APs and the 1400 Series bridges that run Cisco IOS Software are especially vulnerable because they send any WEP key in cleartext to the Simple Network Management Protocol (SNMP) server if the snmp-server enable traps wlan-wep command is enabled. If you use WEP, make sure this command is disabled (no snmp-server enable traps wlan-wep).

Wireless Security

Network security is extremely important. Security becomes even more complicated
and critical when wireless devices are added to the network. Because data floats around
in the ether, anyone can pick it up. This chapter addresses the issues of security in a
wireless network and shows how to bolster your network’s security mechanisms.

Security Overview
Applying strong wireless security mechanisms is the key to ensure that a wireless
network is protected against unauthorized access and eavesdropping. Unfortunately,
wireless security is vulnerable if implemented improperly. The following sections
examine some of the issues surrounding wireless security and how you can avoid
trouble.