Wireless Security


Background.  By design, wireless is inherently vulnerable when it comes to security.  Think about transmitting information between a client and an AP through radio waves.  It should make sense that other people could easily pick up the signal.  This is even more true since APs and clients broadcast their packets by design.

Many people are very suspicious and concerned about wireless due to its security vulnerabilities.  I've seen very little evidence that their concerns are unfounded.  One should also always remember that improving security comes at some cost in operating overhead.  Considering that wireless bandwidth is not all that great in the first place, you should assume that the stronger the security approach, the more it reduces the bandwidth available for data.  Yet security measures do exist that convince many security professionals.  But wireless implementations are not for the careless!

WEP.  Standard wireless security is based on something called WEP - Wired Equivalent Privacy.  It is very reasonable to look at WEP as the first line of defense.  WEP encryption scrambles the radio communication between wireless devices to keep the communication private. Communicating devices use the same WEP key to encrypt and decrypt radio signals. WEP keys are used to encrypt both unicast and multicast messages. Remember, unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network.

But even Cisco's website states the following about WEP:

WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort.

This can be done with widely available software such as Kismet and AirSnort.  So unless your deployment is one where you have almost no concern about knowledgeable outsiders tapping into your wireless transmissions, you need to do something more than rely on WEP.

Improvements on WEP.  Given these weaknesses, you should expect that improvements over WEP exist.  I will survey some of the things that Cisco has implemented, in addition to some IEEE specifications.  You can safely assume that other networking device producers have their own solutions.  At present I am unsure which of these have become universal standards, but most have likely already been modified and propagated.

To be honest, much of what I am writing is quite "borrowed" from Cisco's website.

EAP - Extensible Authentication Protocol - provides what you would probably expect the next improvement over WEP to be.  EAP provides dynamically changing WEP keys to wireless devices.  This way an intruder has a much harder time breaking in and discovering a key, since no single WEP key stays in use for long.  From Cisco's website:

If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key.

So, this at least makes the hurdles for a cracker considerably more involved!  This sort of approach seems to have been built into some of the IEEE 802 specifications, which we will discuss in another section.

But this doesn't get around the fact that people have purchased devices based on WEP and want to make sure they can still use them.  One approach, again taken from Cisco's website, is:

  • TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
    • A per-packet key mixing function to defeat weak-key attacks
    • A new IV sequencing discipline to detect replay attacks
    • A cryptographic Message Integrity Check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination
    • An extension of IV space, to virtually eliminate the need for re-keying

Obviously, other approaches exist, but this should give you some sense that wireless device developers aren't pretending there are not difficulties with wireless security.
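To make the TKIP enhancements above concrete from the receiver's side, here is an added example (not code from the page or from Cisco) that models three of the four: a per-packet key that changes with the sequence counter, the sequencing discipline that drops replayed frames, and an address-covering MIC that rejects bit-flipped or re-addressed frames. The cryptographic primitives are assumptions chosen for clarity: SHA-256 stands in for TKIP's real key-mixing S-boxes, and a truncated HMAC-SHA256 stands in for Michael. The 48-bit sequence counter limit is TKIP's actual extended-IV size; the key and address values are constructed for the demo.

```python
import hashlib
import hmac
import struct

# TKIP carries a 48-bit TKIP Sequence Counter (TSC) in each frame; this is the
# "extended IV space" the text refers to. When it is exhausted the key must change.
TSC_LIMIT = 1 << 48

def per_packet_key(temporal_key: bytes, transmitter: bytes, tsc: int) -> bytes:
    """Stand-in for TKIP's two-phase key mixing (assumption: SHA-256 rather than
    the real S-box mixing). What it shows: every (transmitter, TSC) pair yields a
    different 128-bit packet key, so no two frames are encrypted under one key."""
    return hashlib.sha256(temporal_key + transmitter + struct.pack(">Q", tsc)).digest()[:16]

def compute_mic(mic_key: bytes, src: bytes, dst: bytes, tsc: int, payload: bytes) -> bytes:
    """Stand-in for the Michael MIC (assumption: truncated HMAC-SHA256). Like Michael
    it covers source and destination addresses as well as the payload, so changing
    an address or flipping a payload bit invalidates it."""
    msg = src + dst + struct.pack(">Q", tsc) + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:8]

def build_frame(mic_key: bytes, src: bytes, dst: bytes, tsc: int, payload: bytes) -> dict:
    """Transmitter side: attach the TSC and MIC (the RC4 encryption step is omitted)."""
    return {"src": src, "dst": dst, "tsc": tsc, "payload": payload,
            "mic": compute_mic(mic_key, src, dst, tsc, payload)}

class TkipReceiver:
    """Receiver-side checks: the TSC sequencing discipline and the MIC."""
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = {}        # highest accepted TSC per transmitter address
        self.mic_failures = 0     # real TKIP invokes countermeasures on repeated failures

    def accept(self, frame: dict):
        src, tsc = frame["src"], frame["tsc"]
        if tsc >= TSC_LIMIT:
            return (False, "rekey-required")
        # Sequencing discipline: a TSC not greater than the last accepted one is a replay.
        if tsc <= self.last_tsc.get(src, -1):
            return (False, "replay")
        expected = compute_mic(self.mic_key, src, frame["dst"], tsc, frame["payload"])
        if not hmac.compare_digest(expected, frame["mic"]):
            self.mic_failures += 1
            return (False, "mic-failure")
        # Only a frame that passed the MIC advances the replay counter.
        self.last_tsc[src] = tsc
        return (True, "ok")

if __name__ == "__main__":
    # Constructed demo values; real keys come from the 802.1x/EAP key hierarchy.
    mic_key = b"constructed-demo-mic-key"
    sta = bytes.fromhex("001122334455")
    ap = bytes.fromhex("66778899aabb")
    rx = TkipReceiver(mic_key)
    good = build_frame(mic_key, sta, ap, 1, b"hello")
    print(rx.accept(good))          # (True, 'ok')
    print(rx.accept(good))          # (False, 'replay'): same frame seen again
    forged = build_frame(mic_key, sta, ap, 2, b"hello")
    forged["payload"] = b"hellO"    # a single bit (0x20) flipped in transit
    print(rx.accept(forged))        # (False, 'mic-failure')
    print(per_packet_key(b"tk", sta, 1) != per_packet_key(b"tk", sta, 2))  # True
```

Note the ordering: the replay check happens before any MIC work, so a replayed frame costs the receiver almost nothing, and a frame that fails the MIC never advances the replay counter, so a forger cannot use a bad frame to make the receiver skip legitimate sequence numbers.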

Something else that can be selected and that affects the quality of the encryption and keys is the number of bits used for WEP encryption/decryption, that is, the key length.  For example, some devices use 40-bit encryption, others 128-bit encryption.

802.1x Framework.  The IEEE 802.1x control protocol makes use of a number of authentication algorithms based on EAP.  We have actually only illustrated one implementation supported by Cisco on its wireless devices.  EAP was originally developed for authenticating dial-up PPP (Point-to-Point Protocol) connections.  It has since been extended and upgraded to deal with more situations.  Cisco's terminology is actually quite limited in comparison to what the acronym covers within the IEEE specs.

In general, EAP has been developed as a fairly flexible framework to support authentication, negotiate security parameters and deliver session keys for credentials such as

  • passwords
  • one-time passwords
  • SecurID tokens
  • Digital Certificates

Some authors characterize EAP as providing an envelope for a sender and receiver to handle authentication.  How the envelope is created depends on the methods selected.

Generally, EAP messages are relayed to a back-end authentication server, such as a RADIUS server.  This authentication server chooses the appropriate authentication method and requires the client to transmit the corresponding credentials, greatly increasing the confidence that the client is who it claims to be.

For example, Cisco's Aironet devices support a variety of 802.1x authentication algorithms, including the following:

  • LEAP = Lightweight EAP - supplements WEP encryption by using a new encryption key for each session, each time a user connects.
    • the AP must authenticate itself to the client to make sure it isn't a rogue
    • the client must authenticate itself to the AP and network
    • the process involves transmitting certain information and running it through resident LEAP algorithms
    • makes use of usernames and passwords
  • EAP - TLS = EAP Transport Layer Security - supplements WEP encryption by using a new encryption key for each session, each time a user connects.
    • the AP must authenticate itself to the client to make sure it isn't a rogue
    • the client must authenticate itself to the AP and network
    • the process involves mutually exchanging certificates
    • makes use of digital certificates to generate WEP keys for the user for this particular session
  • PEAP = Protected EAP - involves the same sort of mutual checks as the previous two, but the handshaking process is itself encrypted based on EAP - TLS approaches.
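The following added example (not code from the page, from Cisco, or from any LEAP implementation) models the 802.1x/EAP flow described above: the AP relays EAP between the client and a back-end authentication server, both sides authenticate each other, and a fresh session key is produced for each connection and delivered to the AP by the server, which is the "dynamic WEP key" idea from the EAP section earlier on this page. The challenge-response construction is an assumption (HMAC-SHA256 over both parties' random challenges); real LEAP uses an MS-CHAP style exchange, and EAP-TLS would use certificates in place of the password-derived secret. Class and method names and the user credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets

def password_key(password: str) -> bytes:
    """Derive a per-user secret from the password (assumption: a salted SHA-256;
    real LEAP uses an MS-CHAP style NT-hash construction instead)."""
    return hashlib.sha256(b"constructed-demo-salt:" + password.encode()).digest()

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function used for responses and session keys."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class AuthServer:
    """Back-end authentication server, the role a RADIUS server plays. It alone
    holds the user credentials; the AP only relays EAP and receives the result."""
    def __init__(self, users: dict):
        self._keys = {user: password_key(pw) for user, pw in users.items()}

    def challenge(self, identity: str) -> bytes:
        # Method selection happens here; unknown users get a challenge too, so the
        # reply does not reveal which usernames exist.
        return secrets.token_bytes(16)

    def verify(self, identity, server_challenge, client_challenge, client_response):
        key = self._keys.get(identity)
        if key is None:
            return None
        expected = prf(key, b"client", server_challenge, client_challenge)
        if not hmac.compare_digest(expected, client_response):
            return None                                   # Access-Reject
        server_response = prf(key, b"server", client_challenge, server_challenge)
        session_key = prf(key, b"session", server_challenge, client_challenge)
        return server_response, session_key               # Access-Accept + key

class Supplicant:
    """The wireless client."""
    def __init__(self, identity: str, password: str):
        self.identity = identity
        self._key = password_key(password)
        self.session_key = None

    def respond(self, server_challenge: bytes):
        self._server_challenge = server_challenge
        self._client_challenge = secrets.token_bytes(16)  # basis for mutual authentication
        response = prf(self._key, b"client", server_challenge, self._client_challenge)
        return self._client_challenge, response

    def check_network(self, server_response: bytes) -> bool:
        """The client verifies the network is genuine before using it."""
        expected = prf(self._key, b"server", self._client_challenge, self._server_challenge)
        if not hmac.compare_digest(expected, server_response):
            return False
        self.session_key = prf(self._key, b"session", self._server_challenge, self._client_challenge)
        return True

class Authenticator:
    """The access point: relays EAP between supplicant and server and opens its
    controlled port only after EAP-Success. It never sees a password."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.port_open = False
        self.session_key = None
        self.log = []

    def run(self, sta: Supplicant) -> bool:
        self.log.append("AP  -> STA: EAP-Request/Identity")
        identity = sta.identity
        self.log.append(f"STA -> AP : EAP-Response/Identity ({identity})")
        self.log.append("AP  -> AS : RADIUS Access-Request carrying the EAP response")
        server_challenge = self.server.challenge(identity)
        self.log.append("AS  -> STA: EAP-Request (challenge), relayed by the AP")
        client_challenge, response = sta.respond(server_challenge)
        self.log.append("STA -> AS : EAP-Response (response + client challenge), relayed by the AP")
        result = self.server.verify(identity, server_challenge, client_challenge, response)
        if result is None:
            self.log.append("AS  -> AP : Access-Reject; AP -> STA: EAP-Failure")
            return False
        server_response, session_key = result
        self.log.append("AS  -> STA: response to the client challenge, relayed by the AP")
        if not sta.check_network(server_response):
            self.log.append("STA: network failed to authenticate itself; connection abandoned")
            return False
        self.session_key = session_key    # delivered by the server; installed as the dynamic WEP key
        self.port_open = True
        self.log.append("AS  -> AP : Access-Accept + session key; AP -> STA: EAP-Success")
        return True

if __name__ == "__main__":
    server = AuthServer({"alice": "correct-horse"})        # constructed demo credentials
    ap = Authenticator(server)
    sta = Supplicant("alice", "correct-horse")
    print(ap.run(sta), ap.session_key == sta.session_key)  # True True
    print("\n".join(ap.log))
    print(Authenticator(server).run(Supplicant("alice", "wrong")))  # False
```

Two properties worth checking when running it: the AP ends up with the same session key the client derived without ever having held the password, and running the exchange twice for the same user yields two different keys, because both parties' random challenges enter the derivation. That is what removes the "same key for every packet" weakness the WEP sections above describe.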