Some More Depth on Wireless Security


Background.  Think about some of the different ways you've interacted with wireless networks.
  • renting a hotel room and making use of your own laptop
  • traveling to a cyber cafe and making use of your own laptop
  • connecting to the University's network
  • connecting to your home network

Now think of some of the other people trying to use these same networks.

  • the hotel manager/accountant updating the books
  • the cafe manager processing inventory and demand figures in order to place orders
  • the University's registration, grade and progress tracking systems

Even for these common situations you can see how gaining and limiting access to appropriate computer resources is very important.  As we've already discussed in previous pages, this is not necessarily all that easy!

So it should be obvious that different settings call for different sorts of authentication.  Some hotels require you to pay for your connection, others make it readily available for anyone staying in the hotel.  The cyber cafe is also quite likely to want nearly completely open connections on at least one of its WLANs.  But in most instances, network administrators want to limit access to their WLANs.  This is what we will discuss in more depth in this webpage.

The 802.11 specification defines two main authentication mechanisms for limiting access to a WLAN.

  • Open Authentication
  • Shared Key Authentication

Open Authentication.  What is termed open authentication actually requires at least matching WEP keys on each client and AP.  There still must be some sort of preconfigured WEP key.  If there isn't, then there will likely be no security whatsoever.

The following diagram represents what is termed Open Authentication based on WEP keys.



After open authentication and the association process, the client can begin to transmit and receive data.  But if the WEP keys don't match, the client will not be able to encrypt or decrypt data correctly, and all such frames will be dropped by both the client and the AP.  If the keys match, then data can be sent and received.

Shared Key Authentication.  The Shared Key Authentication approach is not all that different from the Open Authentication approach, except that no association is allowed unless a client is able to encrypt/decrypt a challenge correctly.  Again, in order for this encryption/decryption to happen correctly, the client and AP must have matching WEP keys.

The following diagram represents the process for Shared Key Authentication.



In words, the exchange proceeds as follows.
  1. A client sends an authentication request for Shared Key Authentication to an AP.
  2. The AP responds with a cleartext challenge frame.
  3. The client encrypts the challenge and responds back to the AP.
  4. If the AP can correctly decrypt the frame and retrieve the original challenge, the client is sent a success message.
  5. Given a success message, the client can access the WLAN.
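As an added example, not part of the original page: a Python simulation of the five-step exchange above, using a WEP-style RC4 cipher over the challenge plus a CRC-32 ICV (the 3-byte IV, 128-byte challenge and 40-bit key are the usual 802.11 values; the byte layout is simplified and the key and challenge are constructed). The last function shows the known-plaintext problem listed under the vulnerabilities further down: XORing the cleartext challenge with the encrypted response yields the keystream for that IV.

```python
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for key (the cipher WEP is built on)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: RC4(iv || key) over plaintext || CRC-32 ICV."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes):
    """Return the plaintext, or None when the ICV check fails (wrong key)."""
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None

def shared_key_auth(ap_key: bytes, client_key: bytes, challenge: bytes = None):
    """Steps 1-5 of the text. Returns (success, challenge, iv, response)."""
    challenge = challenge or os.urandom(128)   # step 2: AP sends cleartext challenge
    iv = os.urandom(3)                         # step 3: client picks an IV and encrypts
    response = wep_encrypt(client_key, iv, challenge)
    success = wep_decrypt(ap_key, iv, response) == challenge  # step 4: AP verifies
    return success, challenge, iv, response    # step 5 follows only when success is True

def keystream_from_exchange(challenge: bytes, response: bytes) -> bytes:
    """What a passive listener learns: challenge XOR response = keystream for that IV."""
    return xor(challenge, response)
```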

MAC Address Authentication.  It should make sense that many organizations want to verify that a client's MAC address is on a specified list before granting it access to a WLAN.  Unfortunately, MAC address authentication was not specified in 802.11, so it is available only through particular vendors.

This MAC Address Authentication can be done against

  • a list local to an AP
  • a list on an external authentication server
    • such as a RADIUS Server

Obviously, this sort of authentication could help in a large variety of situations.

The following diagram represents the MAC Address Authentication process making use of a RADIUS Server.



Vulnerabilities.  The 802.11 specifications have some well-known vulnerabilities.  The following outline summarizes many of them.
  • Open Authentication Vulnerabilities
    • doesn't allow determination of validity of the person using the client
    • usual WEP problems to be surveyed later
  • Shared Key Authentication Vulnerabilities
    • doesn't allow determination of validity of the person using the client
    • vulnerable to some known plaintext attacks
      • possible to discover the shared key based on intercepting frames and decrypting in certain ways
        • eavesdropper can capture both plaintext challenges and ciphertext responses
        • algorithms exist for determining key streams
  • MAC Address Authentication
    • MAC addresses are sent unencrypted
    • attacker can spoof a MAC address
      • this only requires a NIC that allows the UAA (Universally Administered Address, assigned by the manufacturer) to be overwritten with an LAA (Locally Administered Address)
      • an attacker can use a protocol analyzer to determine a valid MAC address in a particular BSS and then use it on a NIC that supports an LAA
  • WEP Encryption Vulnerabilities
    • Fluhrer, Mantin and Shamir, three cryptanalysts, have developed an algorithm that can derive a WEP key by passively collecting particular frames from a WLAN.
      • Based on a statistical method that requires only about one hour's worth of data on a fairly busy system.
        • 4 million frames of data for 104-bit WEP encryption
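Added example (not from the original page) of the local-list form of MAC address authentication described above, run over a few constructed AP association log lines. Besides the list lookup it reads the U/L bit of the first octet, which distinguishes a manufacturer-assigned UAA from an overwritten LAA; as the outline notes, an attacker who copies a listed UAA passes both checks, so this is a filter and not proof of who is using the client.

```python
import re

def normalize_mac(mac: str) -> str:
    """Accept 00:0c:29:3a:1b:2c, 00-0C-29-3A-1B-2C or 000c293a1b2c; return colon form."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet is the U/L bit: set = LAA, clear = UAA."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def mac_auth(mac: str, allowed_list) -> str:
    """Local-list MAC authentication as an AP would apply it."""
    allowed = {normalize_mac(a) for a in allowed_list}
    m = normalize_mac(mac)
    if m not in allowed:
        return "reject"                      # not on the AP's list
    # On the list, but the U/L bit shows the address was set by software.
    # A copied UAA that is on the list still returns plain "accept".
    return "accept-laa" if is_locally_administered(m) else "accept"

# Constructed sample log lines (not from any real AP) in a simple key=value form.
SAMPLE_LOG = [
    "assoc-req sta=00:0c:29:3a:1b:2c bssid=00:11:22:33:44:55",
    "assoc-req sta=02:00:5e:11:22:33 bssid=00:11:22:33:44:55",
    "assoc-req sta=00:50:56:aa:bb:cc bssid=00:11:22:33:44:55",
    "beacon bssid=00:11:22:33:44:55",
]
ALLOWED = ["00:0c:29:3a:1b:2c", "02-00-5E-11-22-33"]   # constructed allow list

def audit_associations(lines, allowed_list):
    """Apply mac_auth to every association request found in the log."""
    results = []
    for line in lines:
        found = re.search(r"\bsta=([0-9A-Fa-f:]{17})", line)
        if found:
            mac = normalize_mac(found.group(1))
            results.append((mac, mac_auth(mac, allowed_list)))
    return results

if __name__ == "__main__":
    for mac, verdict in audit_associations(SAMPLE_LOG, ALLOWED):
        print(mac, verdict)
```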

The WLAN industry recognizes these vulnerabilities and is working to develop an IEEE 802.11i standard that will make WLANs both scalable and manageable.  But this standard is still not settled and approved, though I have a source that claims to have very good insights into what will be developing.