Like my posts on IT governance standards, I produced this training material some time back when I was doing a lot of IT security work. I’ve since moved onto other IT disciplines, but I hope that this article is of some use to those looking for an introduction to WIFI security. I have divided the material into two parts. The first half is background and theory, and the second half of a practical example.
I remember when writing it, my audience, although technically savvy did not a have a strong background in cryptography or security. So I tried to make it easy to read, rather than too technical. Not sure if I succeeded! 🙂
A Security Primer – Security Principles
The ISC2 common body of knowledge (CBK) is the basis for the Certified Information Systems Security Professional (CISSP) certification.
The CBK defines 3 major security principles known as the CIA triad: Confidentiality, Availability and Integrity.
- Confidentiality is the principle that information will not be disclosed to unauthorized subjects. Unauthorized Network sniffing is an example of a violation of confidentiality.
- Integrity is trust that can be placed in the information. Data integrity is having assurance that the information has not been altered between its transmission and its reception. Data integrity can be compromised when information has been corrupted, willfully or accidentally, before it is read by its intended recipient.
- Availability defines that information or resources are available when required and are accurate, relevant and timely. It is certainly possible that a confidentiality and integrity are protected, but an attacker causes resources to become less available than required, or not available at all, eg Denial of Service.
Identification, Authentication, Authorisation and Accountability
- Identification describes a method of ensuring that a subject (user, program or process) is the entity it claims to be
- Authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. The sender being authenticated may be a person using a computer, a computer itself or a computer program.
- Authorisation is the process of verifying that a known person has the authority to perform a certain operation.
- Accountability, is synonymous with non-repudiation. The non-repudiation of receipt of information means that an agent can’t deny receiving information. The non-repudiation of sourcing information means that an agent can’t deny sending information.
Encryption, Integrity and Authentication: WEP vs. WPA vs. WPA2
Everyone who has ever site up wireless will know WEP. They will also likely know that WEP is a ‘bad thing’. Here we explain why WEP is now considered to be a very poor choice for wireless security and what was done to fix it.
The original Wired Equivalent Privacy (WEP) algorithm was used to protect wireless communication from eavesdropping. It uses predefined ‘WEP keys’ to encrypt the traffic using the RC4 encryption algorithm. It also ensures data integrity by using an "Integrity Check Value". This is 4 bytes and appended to the end of each packet.
One of several security problems with WEP is that using a static, unchanging WEP key means that brute force efforts can be undertaken to ‘crack’ the key by capturing enough encrypted packets. WEP also uses an Initialisation Vector (IV) which is used to ensure that text encrypted with the same encryption key translates to a different ciphertext value. Unfortunately, IV is too small and is vulnerable to attacks that make the IV easy to determine. In addition, the size of the key – 40 bits – has been cited as a weakness of WEP. When the standard was written in 1997, 40-bit keys were considered reasonable for some applications. Since the goal was to protect against "casual eavesdropping" it seemed sufficient at the time. The U.S. did not tightly control exports of 40-bit encryption, and the IEEE wanted to ensure exportability of wireless devices.
The WEP Integrity Check Value (a fancy name for a hash) is based on CRC-32, an algorithm for detecting noise and common errors in transmission. CRC-32 is an excellent checksum for detecting errors, but a poor choice for a cryptographic hash. Better-designed encryption systems use algorithms such as MD5 or SHA-1 for their Integrity Check Values. The CRC-32 Integrity Check Value has a weakness that allows an attacker to modify an encrypted message and easily fix the Integrity Check Value so the message appears authentic.
So in relation to encryption and integrity, WEP fares rather badly. How does WEP fare in the areas of identification, authentication, authorisation and accountability? Not well either.
WEP defines two forms of authentication: Open System (no authentication) and Shared Key authentication. These are used to authenticate the wireless client to the access point. The idea was that authentication would be better than no authentication because the user has to prove knowledge of the shared WEP key, in effect, authenticating himself. In fact, the exact opposite is true: If you turn on authentication, you actually reduce the total security of your network and make it easier to guess your WEP key.
Shared Key authentication involves demonstrating the knowledge of the shared WEP key by encrypting a challenge to the access point, and the access point successfully decrypting that challenge. The problem is that a monitoring attacker can observe the challenge and the encrypted response. From those, he can determine the RC4 stream used to encrypt the response, and use that stream to encrypt any challenge he receives in the future. So by monitoring a successful authentication, the attacker can later forge an authentication.
So with open authentication, any wireless device that knows the WEP key will be accepted by the access point.
Hence, WEP is now considered to be a very poor choice for WIFI security. In response, the Wi-Fi Alliance, an industry trade group, created a standard called Wi-Fi Protected Access (WPA).
At the time, elements of WPA were actually taken from a work in progress IEEE standard called 802.11i. 802.11i was a new, in development standard aimed at a new generation of devices and had no backward compatibility requirements for WEP, meaning completely new wireless hardware would have to be produced to take advantage of it.
Thus, WPA in effect an interim measure designed to work with the constraints of WEP based systems, so that rather than a wholesale change/removal of wireless hardware, customers could upgrade software and firmware to gain the benefits of WPA. This was an attractive proposition from the point of view of the device manufacturers as it reduced redevelopment costs. But was it enough?
WPA offered a set of new features to alleviate the problems of WEP. A protocol called TKIP was added to WEP encryption. TKIP has been designed to ‘wrap’ around WEP and improve the main security issues.
- The size of the IV has been doubled to 48 bytes which is also added to the MAC address and original WEP key per frame.
- TKIP offers ‘re-keying’, where multiple encryption keys are changed on the fly at a configurable timeframe (defaults to per 10000 frames).
(WEP alone uses the same encryption key. Thus with WPA, even if you managed to determine an encryption key, you have a very limited time in which you can use it to decrypt data before it changes again.)
WPA also has replaced the ICV with the Message Integrity Code (MIC) which eliminates some of the weaknesses with ICV.
CISCO and CKIP
While the WPA and WPA2 standards were being agreed to, Cisco added an extra feature to WEP to improve one of its major weaknesses – that of poor confidentiality via encryption. This is called the CKIP protocol. CKIP is a Cisco proprietary protocol that essentially does the same thing as TKIP does in WPA. This was designed to alleviate the immediate encryption concerns with WEP. CKIP however was not widely adopted as most vendors (Cisco included) opted to use the WPA standard as the interim measure.
WPA2 is simply the complete 801.11i standard that was referred to earlier. It is actually very similar to WPA, as WPA used much of this standard. The main difference is the inclusion of the AES encryption protocol, which is an alternative to TKIP/WEP encryption. To support AES you need specialised hardware and thus require a new generation of wireless devices to support.
Advanced Encryption Standard (AES), also known as Rijndael, is an encryoption algorithm adopted as an encryption standard by the US government and is designed to replace the widely used by aging Data Encryption Standard (DES)
Frame integrity is now handled by a protocol called CCMP (with the simple name of "Counter Mode with Cipher Block Chaining Message Authentication Code Protocol"). CCMP is built around AES.
802.1x / EAP Authentication
Encryption is only part of the WIFI security picture. Even with an unbreakable encryption algorithm, if a malicious user was able to authenticate to the access point, they would be able to participate on the wireless network like any other authorised wireless client as the access point would exchange encryption keys with this seemingly ‘trusted’ client.
WPA/WPA2 adopted IEEE 802.1x / EAP authentication (WPA Enterprise), rather than re-invent the wheel. 802.1x was originally designed as a port based network access control that ensured that a user could not access the network unless authorised. Note the word "user", whereas WEP could only offer "system" authentication.
EAP is a complex standard described in detail later. However the IEEE did recognise that EAP added complexity and thus, added pre-shared keys for authentication (WPA Personal).
Note: Pre shared keys are common in IPSEC/L2TP for authentication as well.
When WPA Personal uses pre-shared keys (PSK) for authentication, a common password or passphrase is configured on each wireless device and the access point. This is used to authenticate the client with the access point. Once this takes place, encruption keys can be exchanged and traffic can flow between client and access point.
However, if you do not make your pre-shared key long, you are susceptible to an offline dictionary attack where an attacker grabs a few packets at the time a legitimate station joins the wireless network and then can take those packets and attempt to recover the PSK used.
In addition, management of the PSK as the network grows becomes a major issue. It needs manual configuration on all WIFI clients. Thus, changing the PSK would be time consuming and result in downtime.
WPA adopted 802.1x / EAP for authentication. EAP is an authentication framework, not a specific authentication mechanism. The EAP provides some common functions and a negotiation of the desired authentication mechanism. Such mechanisms are called EAP methods and there are a myriad of options and standards available. This flexibility has the disadvantage of being complex and difficult to understand the intricacies of every option.
The table below is a summary of the most applicable options. They are not the exhaustive list, but the others are not listed because they are either not applicable or are missing required features.
|802.1x EAP Types Feature/Benefit||TLS||TTLS||PEAP||LEAP|
|Client Side Certificate Required||Yes||No||No||No|
|Server side certificate required||Yes||Yes||Yes||No|
|WEP Key Management||Yes||Yes||Yes||Yes|
The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP implementation by Cisco Systems.
There is no native support for LEAP in any Windows operating system but is supported by third party supplicants (IEEE speak for client software). Support for other operating systems is unclear. This protocol is known to be vulnerable to dictionary attacks as it is based on shared secret passwords. Cisco still maintains that LEAP can be secure if sufficiently complex passwords are used.
EAP-TLS is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, due to using digital certificates and Public Key Infrastructure (PKI). Its main disadvantage is the management overhead to set up and maintain a PKI as well as client-side certificates. This factor has led to few deployments compared to other EAP solutions.
The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. A compromised password is not enough to break into EAP-TLS enabled systems because the hacker still needs to have the client-side certificate. When the client-side certificates are housed in smartcards, this offers the most secure authentication solution available because there is no way to steal a certificate from a smartcard without stealing the smartcard itself. Any physical theft of a smartcard would be immediately noticed and revoked and a new smartcard would be issued.
There are client and server implementations of it in Microsoft, Cisco, Apple, Linux, and open source. EAP-TLS is natively supported in MAC OS 10.3 and above, Windows 2000 SP4, Windows XP, Windows Mobile 2003 and above, and Windows CE 4.2.
EAP-TTLS and PEAP
EAP-TTLS and PEAP both do not use client side certificates. Instead they use PKI certificates only on the authentication server which is used to create a secure TLS tunnel to protect user authentication. PEAP was developed by Microsoft and Cisco and EAP-TTLS developed by Funk Software.
PEAP is natively supported in MAC OS 10.3 and above, Windows 2000 SP4, Windows XP, Windows Mobile 2003 and above, and Windows CE 4.2.
The server side implementation of PEAP/EAP-MSCHAPv2, called IAS (Internet Authentication Service), is also included in Windows 2003 server.
We will not discuss the differences between PEAP and EAP-TTLS here, except to say that PEAP has now overtaken EAP-TTLS in terms of popularity.
802.1x consists of 3 main components.
- A client (supplicant)
- An ‘authenticator’ (access point)
- An ‘authentication server’ (RADIUS).
EAP is the mechanism used by all 3 components to communicate authentication information.
In a large wireless network, a means is required to provide central authentication for clients. A RADIUS server fills this need. The RADIUS protocol is the industry standard for AAA (Authentication, Authorisation and Accounting). Many Radius servers exist, and Microsoft provide a built in Radius Server with Windows Server called IAS which integrates with Active Directory. Other Radius servers can integrate with 3rd party authentication mechanisms (RSA keys and smartcards for example)
Bringing it all together
The key goal of any wireless network is to ensure confidentiality, integrity and availability. Without proper authentication, encryption is of limited value as it would be impossible to determine if the data has been tampered with.
802.1x / EAP provide the means to centrally manage who and what can access the wireless network. This also provides us with detailed accounting records of who or what has attempted to access the network (Accountability).
The mutual authentication offered by some EAP methods also means that a client can be sure that it is accessing the correct access point and not a malicious access point set up to lure clients into connecting to it and giving up sensitive information.
TLS and PEAP are the two best choices for wireless authentication. TLS offers more security than PEAP due to client certificates required as well as user credentials (two factor authentication). However PEAP is much easier to set up and deploy than TLS because you do not have to implement a PKI solution (which is a whole project in itself). In addition, when using an Active Directory integrated Radius server, authentication can be restricted to particular groups of users and computers and AD account lockout policies will be enforced.
If we combine this with the MAC address filtering and VLAN access lists described in section 2.1.4 we have a holistic solution that addresses the key security requirements.
- An encryption mechanism that changes keys frequently and is unique for each client, so that by the time you have brute forced a encryption key, it has already been discarded and a new key has been generated
- An authentication mechanism that requires the user to have a valid Active Directory user account, optionally a valid Active Directory Computer Account and optionally a valid client certificate issued by a trusted Certificate Authority (EAP/TLS)
- An authentication mechanism that ensures that the client can ensure that the access point it is connecting to is known and trusted via a server side digital certificate.
- An authentication mechanism that is centrally managed, so when users or computers are disabled they are unable to access all wireless services.
- Centralised location for logging of access requests and their outcomes
- Filtering so that only pre-defined MAC addresses can authenticate to an access point
- Access lists that ensure that the Wireless VLAN can only access authorised parts of the network.
In the next part to this post, we will discuss some additional security mechanisms for WIFI, as well as a WPA/PEAP example implementation.