Introduction
Wireless LANs are not sufficiently protected, even if network administrators use the built-in security protocol WEP (Wired Equivalent Privacy). A seven-month investigation conducted in London found that 94% of all wireless LANS in use were inadequately protected from attacks. The Cybercrime Unit, a division of the International Chamber of Commerce, found that wireless networks are poorly secured, if they are secured at all. Drive-by hacking is becoming ever more popular: hackers drive through office districts in a car and try to penetrate company WLANs from the street where their signals can still be received.
Three researchers at the University of California at Berkeley, Nikita Borisov, Ian Goldberg and David Wagner, discovered a major security flaw in WEP encryption last year. Furthermore, in August of 2001, cryptographers Scott Fluhrer, Itsik Mantin and Adi Shamir published a paper on the weaknesses of RC4 encryption, on which WEP is based. Shortly thereafter, in late August of 2001, a student at Rice University and two employees of AT&T Labs – Research (Adam Stubblefield, John Ioannidis and Aviel D. Rubin) successfully implemented the ideas expressed in those two publications. What’s so fatal about it is that it doesn’t require any type of special equipment. All you need is a PC with a standard wireless card working with modified drivers downloaded off the Internet. With this equipment you can record and evaluate several hundreds of thousands of data packets.
How WEP Works
In many wireless LANs, the WEP key is stated as a word or byte string and is valid for the entire WLAN.
WEP currently uses two encryption depths, 64 and 128 bits. The key is derived from a 24-bit initialization vector (IV) and the actual secret key of 40 or 104 bits. The oft-cited 40-bit encryption is equivalent to 64-bit encoding. The standard does not mention anything about key management; the only requirement is that the WLAN card and the access point use the same algorithm. Usually, everyone on the local network uses the same secret key. The RC4 algorithm uses this key to generate an indefinite, pseudorandom keystream. However, the WLAN users use different IVs to prevent the data packets from always using the same RC4 key “randomly” generated on the basis of an identical WEP key.
Before a data packet is transmitted, an integrity check (IC) computes a checksum. Its purpose is to keep hackers from altering the data during the transmission. RC4 then generates the keystream from the secret key and IV. Then WEP concatenates the data and IC with the keystream using the exclusive-or (XOR) function. First the IV is transmitted in plain text, then the encrypted data. By regenerating the RC4 keystream from the IV and the known key, the recipient can finally decrypt the data by running XOR.
Weak point: Initialization Vector
40- or 64-bit encryption allows entering four keys. However, only the first one is used.
The weakness of WEP encryption lies in its poor implementation of the IV. If, for example, a hacker uses an XOR function to mathematically link two packets of a session that have been processed with the same IVs, that is, identical RC4 keys, then he can compute the key.
As the initialization vector is 24 bits long, it will be duplicated in a busy access point – sending 1500 byte packets at a transmission rate of 11 Mbps – after no more than five hours. During this time, a maximum of 24 GB is transmitted. It is therefore realistic to record data transmissions over several hours and using a notebook in order to get packets with identical IVs and consequently, identical RC4 keys.
As the standard says nothing about generating the IV, not all of the manufacturers are using the entire 24-bit field for the IV. The IV may even duplicate itself faster, in which case less has to be recorded. Lucent WLAN cards, for example, reset the IV to 0 each time they were initialized, and then counted upwards. Recording the data streams of several users in a WLAN, the hacker will sooner encounter packets with duplicate IVs.
Fluhrer, Martin and Shamir also found that there are weak initialization vectors that provide clues to a byte of the key with 5% certainty. After recording four to six million packets (some 8.5 GB), there is a sufficient number of weak IVs to determine the entire WEP key.
It gets even easier if the WEP key, instead of being required in Hex format by the WLAN software, consists of an ASCII string. Because only normal characters and numbers can be entered, the number of possible combinations is lessened. Thus the degree of hit certainty stated above increases, and it only takes one to two million recorded packets to determine the key.
Hacker Tools on the Internet
While Adam Stubblefield thoroughly describes the practical attempt in his paper without publishing the hacker software, there are now free tools available on the Web. Similar to Stubblefield’s, the programs use a WLAN card with a Prism-2 chipset. This includes, among others, the models Compaq WL100, D-Link DWL-650, Linksys WPC11 and SMC 2632W, which are all available on the market. This chipset has been selected because there is a Linux driver (WLAN-NG) for it that allows packet recording without logging on to the network. The programs search for the so-called weak initialization vectors and, after having recorded five to ten million packets, deliver the WEP key within a second.
Active Attacks Are Possible
Because the passive attack described above (the recording of packets) works reliably, active attacks have lost some of their importance. They can also be used, however, to sneak information into the target LAN. Let’s assume that a hacker knows the original data and the encrypted result. He would thus be able to replace the data with his own without knowing the key. The recipient will identify the information as correct. This is once again based on a mathematical XOR function.
The hacker might also try to manipulate not the data per se, but the IP target address instead. As most LANs are connected to the Internet, the hacker can alter the target address so that data that are sent from a station within the wireless LAN are decrypted at the access point and sent in plain text to the hacker over the Internet.
Effective Remedies
Striving to enhance WEP security, RSA Security – the creator of RC4 encryption, and Hifn – a California-based company specializing in Internet security (www.hifn.com), have been working on the development of encryption algorithms as well. The institutions have announced the new encryption solution RC4 Fast Packet Keying. Different RC4 keys are generated in rapid succession for every data packet transmitted. Both sides use an RC4 128-bit key, the Temporal Key (TK). Every sender uses a different keystream as the TK is linked with the sender’s address. To this a 16-bit IV is added, which once again results in a 128-bit RC4 key. RC4 Fast Packet Keying has been designed so that existing wireless LANs can be updated with firmware and driver software updates.
Cisco Goes Its Own Way
Cisco has made quite a number of improvements to the Aironet series, which, however, can only be used if no components other than those from Cisco are used. The first step towards more WLAN security is mutual, rather than unilateral, authentication. LEAP (Lightweight Extensible Authentication Protocol), which has been developed by Cisco, enables authentication against Cisco’s Radius Server (Access Control Server 2000 V2.6).
Cisco uses the shared-key method to generate responses to mutual requests. Irreversible and unidirectional hash keys make attacks from reproduced passwords impossible.
Cisco uses dynamic, user- and session-based WEP keys that can be generated by the system without any additional administrative effort. Each user receives unique session keys for each session that is not shared with any other user. The broadcast WEP key is encrypted with LEAP authentication prior to sending. Only the user with the matching session key can work with the WEP key.
Combined with the Access Control Server 2000 2.6, it is possible to establish guidelines for repeated authentication. Users have to authenticate themselves regularly and are assigned a new session key with each log-in. The initialization vector is modified for every session, preventing hackers from using predefined sequences and creating decryption tables derived from these sequences.
Ultimately, these precautions do not provide absolute protection, since the IV and WEP key encryption mechanism continues to be used unaltered. Constant key changes, however, do reduce vulnerability to hack attacks considerably. Any attacks based on decryption tables are doomed to failure. If keys change so frequently that the recorded packets are no longer sufficient for an evaluation, then the chances for a successful hack attack are practically nill.
IEEE is concentrating on developing an updated WEP standard (www.ieee.org). In this standard, RC4 is to be replaced by a newer encryption protocol. Under particular discussion is AES (Advanced Encryption Standard) in Office Codebook mode.
This article was written in cooperation with VNU Business Publications.