Current 802.11b networks define standards for encrypting data that is transmitted
over the air. Data encryption prevents eavesdropping by other wireless network
users. Encryption is typically implemented within the wireless hardware at each
mobile device and each access point to deliver performance that can keep up with
data transmission rates.
However, the standard 802.11b security mechanisms do not meet the needs of
enterprise wireless LAN deployments due to their reliance on global keys. Global
keys complicate management of large-scale systems, because their encryption
algorithms are vulnerable to attack, and because they do not address the
authentication and access control requirements of an enterprise environment.
Attempts to address these issues have met with limited success, as they complicate
systems management and increase cost without actually delivering security for the
wireless LAN.
Wired Equivalent Privacy (WEP)
The 802.11b standard defines an encryption algorithm known as Wired Equivalent
ii iii
Privacy (WEP),
which relies on the RC4 cryptographic process. WEP employs a
40-bit or 104-bit secret key that is shared by the wireless client and the access point.
During packet transmission, a checksum is appended to the data, a 24-bit
Initialization Vector (IV) is chosen at random and appended to the WEP key to form a
64-bit or 128-bit encryption key, and the data and checksum are encrypted using that
encryption key. During packet reception, the Initialization Vector (IV) is retrieved from
the packet, the WEP key and IV are combined to reconstruct the encryption key, the
packet is decrypted using that key, and the checksum is verified. The Appendix to
this paper provides a more detailed description of the WEP encryption algorithm.
The WEP key also forms the basis for a mutual authentication scheme that allows the
access point to authenticate mobile clients before they are granted access to the
wireless network. When a mobile client first registers with an access point, the
access point issues a challenge. The client uses the WEP key to compute a valid
challenge response, and upon receiving this valid response, the access point is
assured that the client is a valid network user. (The mutual authentication exchange
is then reversed, so the mobile client can be sure that it is communicating with a valid
access point.)
WEP encryption and authentication rely on an out-of-band distribution of the shared
secret key to the access point and wireless client. Traditionally, the WEP key has
been distributed manually to all clients, but, as described later in this paper, newer
systems generate a shared WEP key dynamically when a client connects to the
access point.
Limitations of Wireless LAN Security
Though widely deployed, existing security technologies in wireless LAN environments
introduce many problems within enterprise environments:
1. Reliance on global keys complicates systems management and introduces
additional security exposures.
2. Insecure encryption algorithms leave the wireless LAN vulnerable to attack.
3. Limited access control and filtering capabilities prevent control of network
usage.
Global Key Management
In most 802.11b networks today, the access point uses a single WEP key that is
shared by all authorized mobile clients. In an enterprise environment, the integrity of
the global WEP key is almost impossible to maintain, so WEP’s security promise
cannot be fulfilled.
First, the WEP key cannot realistically be kept secret. The global WEP key must be
programmed into all authorized client devices, because that WEP key is used to
grant access to the wireless network. Though an IT department conceivably could
take responsibility for configuring all clients with this WEP key, this approach is
impractical in anything but the smallest deployments. Instead, the WEP key must be
disseminated to users, who individually enter it into their client devices; the same
WEP key must be made available to guest users. Having distributed the key in this
fashion, the IT manager can no longer assume that it is secret.
Second, key management is essentially impossible in this environment. The burden
of changing the WEP key is significant, because it involves updating the configuration
of all client devices and all access points. It is unrealistic to expect such a key
update to occur in an organized fashion, particularly within a large enterprise. Once
a WEP key is established, it is likely to stay.
Third, because any client device configured with the WEP key can connect to the
wireless LAN, IT managers cannot block unauthorized users from gaining network
access. For example, misplaced or stolen devices are likely to have the WEP key
programmed into their configuration. Former employees who have recorded the
WEP key can easily obtain new hardware and configure it with the key. To get
temporary access to the enterprise network, guests will have programmed the WEP
key into their own devices. Any of these unauthorized users may gain access to the
corporate wireless network from any location having wireless network coverage—
even from outside the company’s offices.
Overall, WEP is so difficult to configure and manage that most 802.11b deployments
iv
do not use it at all!
A similar situation exists with Bluetooth networks, in which a
shared key must be established between all clients and all access points. The
natural approach is to either rely on a single global key or to simply turn off
encryption entirely.
Insecure Algorithms
The WEP mutual authentication and encryption algorithms have significant flaws that
make them inadequate for securing enterprise environments.
Researchers from the University of Maryland have discovered that by eavesdropping
on 802.11b traffic, an intruder can obtain enough information to generate valid
challenge responses during the mutual authentication process without actually
v
obtaining the WEP key.
As a result, an intruder can successfully gain access to an
802.11b network as a valid user.
Other work by researchers at Intel Corporation, the University of California Berkeley,
Cisco Corporation, and the Weizmann Institute has revealed flaws in the WEP
vi,vii,viii
encryption and checksum algorithms.
The problems arise for three reasons: The WEP algorithm selects a new encryption key on every packet, but flaws in
the key selection algorithm limit the value of this mechanism; this weakness
enables an attacker to analyze encrypted traffic and recover the data even
though the encryption key is changing. This situation arises for two reasons.
First, regardless of the WEP key length, the WEP algorithm only selects from a
24
limited number of actual encryption keys. In particular, because only 2
24
Initialization Vector values are available, only 2 encryption keys are possible for
a particular WEP key value of any length. Second, all of the encryption keys
have a similar structure because they are derived from a common WEP key. In
particular, all of the encryption keys share the same 40-bit or 104-bit WEP key
prefix and differ only in the 24-bit Initialization Vector suffix. The RC4 cryptographic algorithms underlying WEP have a significant proportion
of “weak keys” which, when used, make the encrypted data particularly
vulnerable to attack. In other protocols that use RC4, this flaw is not a major
issue because the likelihood of selecting a weak key is minimal. However, the
WEP algorithm, which generates a new encryption key for each packet by
randomly generating an Initialization Vector, cycles through these weak keys
frequently. The WEP checksum (CRC) and encryption (RC4) algorithms rely on the same
computational processes; consequently, an attacker who modifies the content of
an encrypted packet can also calculate how to modify the packet so that it still
presents a valid checksum. Intruders therefore can modify packet transmissions
without being detected. This insidious attack allows an intruder to disrupt
communication or, worse, interject false information into the data stream
undetected. Furthermore, an intruder can exploit the checksum weaknesses to
launch so-called “known plaintext” attacks on the WEP encryption by generating
erroneous requests that solicit known responses from a server.
By listening to the 802.11b network and analyzing encrypted data relative to well-
known network protocol patterns, an intruder can obtain enough information to
reconstruct the full set of encryption keys used by clients and access points in the
wireless network.
Limited Access Control and Filtering
The wireless LAN standards provide inadequate access control to the wired network.
Network access control relies on possession of the WEP key, but once a device is
authorized, it gains full access to the entire network. There is no information about
who is actually using the device, whether that user should be able to access the
network, and, if so, what data that user should be allowed to access. This situation is
particularly problematic when trying to offer network access to guest users, whose
access would ideally be restricted to the Internet or selected intranet or extranet
hosts.
Some access point implementations enable an IT manager to register a list of client
MAC addresses that may gain access to the network. The access point only grants
access to devices that transmit using one of the registered MAC addresses.
However, these filters still do not identify who is using the device and what that user
is authorized to do. In addition, these filters are difficult to administer, rely on careful
asset tracking to account for lost or stolen devices, and are not conducive to an
environment that supports guest or other temporary access.
Subscribe to:
Post Comments (Atom)
0 comments
Post a Comment