Wireless LAN Encryption Standard Broken
doug13 writes: "A Rice University student cracks 802.11x encryption protocol in a week. Here is how he did it." We mentioned the cryptographic paper that underlies this attack a few days ago.
Then I can associate with your access point, use the microsoft-bug-of-the-day to send a trojan to one of your mobile users, and then use *their* VPN connection to attack your network.
You *need* end-to-end encryption with strong authentication on *all* media (wired and wireless); it's ridiculous to assume that an end-user's workstation will provide what WEP can't.
How about adding a wireless IDS, and VPN access routers into your mix?
And yes, my networks have both, and wired network equivalents, or a NICE BIG FAT SIGNOFF from the client stating that they've chosen to mitigate their risk in other ways.
I'm not sure you said what you meant. If it is an SSL connection to buystuff.com then your traffic is already encrypted. If you introduce a proxy into this you will break the SSL. The salient point about WEP that people tend to ignore is that it is not designed to provide security, only Wired Equivalent Privacy. And indeed, even with the recent announcements 802.11 is at least as secure as running Ethernet cables through your parking lot.
The problem of being able to access someone else's 802.11 network is totally different than the problems with WEP.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
For one thing, most of these attacks rely on sophisticated equipment that isn't readily available for people to use. And as the authors point out, the simple fix is to use end-to-end encryption (e.g., SSH) instead of expecting the WEP to do it for you -- just as you would if you were on a broadcast network through your ISP (e.g., Roadrunner).
There is a threat of abuse from people with serious resources (e.g., the governments of developed nations), but even that threat is small. For now.
While I am occasionally one to lambast the hypocrisy of slashdot (promoting products of the MPAA despite the MPAA's thus-far-successful attack on Free Software through movie and DVD reviews ... though the latter seem to have thankfully been discontinued), and while I concur with your criticism (the link should not be to a format promoted by a company all those with conscience should be boycotting), this is, I think, reflective of lax editorial work rather than outright hypocrisy. The link was submitted by a reader, not a slashdot editor.
... anyone analyzing the statistics of the logs will gain a false impression of people's preferences WRT the document's format, thus promoting PDF at a time we really don't want to be doing so.
That having been said, would the slashdot editors please change the link to point to the HTML version of the document? Boosting the clickthroughs to a proprietary format from an offensive company at the expense of clickthroughs to an open format (HTML) isn't helpful regardless
Just my 2 cents, of course.
The Future of Human Evolution: Autonomy
Agreed, but what needs to be done to make an 802.11b connection secure is combining a base station with a proxy server running SSH, tunneling the most common protocols (HTTP, SSL, FTP, NNTP, NTP, Telnet for the masochists). If there's no proxy tunneling my SSL connection to www.buystuff.com, then my credit card number will go through the air, completely insecure.
A Unix box with an 802.11 card running sshd and natd/ipfw could solve this problem; thing is that it'll cost about 4x more than just the base station, and most people don't understand why it's so necessary.
-jon
Remember Amalek.
He didn't crack any encryption, he merely showed a real world implementation of someone else's work using cheap hardware ...
Oh, like that will stop them from tossing him in the jail when they bust into his house.
Not.
--- Will in Seattle - What are you doing to fight the War?
> i'm not very well versed in encryption schemes,
> but why is it that the encryption schemes in
> DeCSS, Adobe PDF, and now 802.11 are so 'easily'
> broken, as opposed to 3DES or RSA that are
> being used in SSH & SSL? why aren't these
> algorithms being applied in 802.11?
A very simple reason underlies all of this: cost.
You see, your PC has a whole lot more horsepower than a PC card, both in terms of CPU and in terms of memory. It can easily afford the memory space and CPU cycles to perform beefier algorithms. PC cards, on the other hand, are much more limited, due to the fact that in order to make any profit, they have to be made for as little money as possible (believe it or not, pretty much all 802.11 radios are sold with exceedingly low profit margins. You'll notice the cheaper ones have lesser or no WEP capabilities, for instance). A few things sacrificed to cost: CPU speed, FLASH space, and RAM size. This is an environment where 80MHz is a high-powered CPU, and 1MB is a lot of storage capacity/memory space. WEP encryption is only one of many, many other options that have to fit in there. Now, one option is to put the encryption into its own hardware. That frees up CPU cycles, plus some RAM space and FLASH (though not all by a long shot). However, hardware encryption adds to the cost of the PC card. In other words, it's real hard to win in these situations. This is why all manufacturers of WiFi radios recommend using VPN over a wireless connection, and not relying on WEP. WEP is there to help (it'll at least stop the random script kiddie from setting their card to associate to "ANY", walking through your parking lot and hopping on your LAN), but it was never meant to be the end-all-be-all of security for wireless connections.
That being said, IEEE is working on further security standards that require a lot more pieces (e.g. authentication servers, etc), but those standards are not yet finalized, and even when they are, the radios, access points, and servers will all cost extra.
It all boils down to this: to get a more adequate security system implemented costs more money, and most people don't want to spend more money on 802.11 equipment. (At least, that's been my personal observation, based on conversations with friends and customers of 802.11 equipment).
-Freeptop
Wrong. That wouldn't fix the 802.11b security problem at all.
The problem with this and all of the other recommendations about VPNs, SSH, etc. to "fix" the WEP problem is that they only work if every machine that uses the wireless LAN is secure. Because if one of them has an exploitable security hole, the whole network is compromised.
"But, but, those wirelessly-connected machines are outside the firewall," you say. Yeah, and they have all the keys, passwords, etc. required to slide right through that nice VPN connection and inside the network.
Face it: If you need security, and you need wireless, you have to have a firewall on every single wireless client as well as on the AP. Oh, and you'd better have a full-time admin for all of them as well, to keep up on the security patches.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Well, here's my interpretation:
3DES and RSA are two-way communication methods. Every transaction or file encryption using these methods involves a cryptographic lock that only one key can open. The security is based firmly on math, and on the fact that creating the decrypted version given the encrypted version and the key is very mathematically easy, but creating the key given the encrypted and decrypted versions is just about impossible. And just because you have one key and one lock doesn't mean that your key can be used to open anyone else's lock. The math is strong, the math is solid, and the goal-- encrypt something in such a way that it can only be decrypted if you stumble across the right key by accident-- is completely feasible.
CSS and such, however, are inherently weak because they try to do something silly. Instead of some solid, possible thing-- let's scramble this secret document such that only a specific person with a specific key can open it-- they basically try to limit the circumstances under which a person can do a certain thing. They want to sell you a DVD, and sell you a DVD player, and ensure the only way that you can get the information off of a DVD you have bought is to buy a licensed DVD player.
This is silly. Your enemy is not some third party who is not involved in the transaction; your enemy is *your customer*. The person you are trying to keep from decrypting the movie in an unauthorized fashion-- *your customer*-- is the *exact* person you have also given a key (a dvd drive) to. The key to the encrypted transaction is available in stores all across america, and all that has to happen is that *one* person can take apart the key and figure out how it works, and they can make keys of their own. You are giving your enemy not only the encrypted message, but a *key* to that encrypted message, and then trusting that somehow, they will not find a way to make copies of that key and give it to their friends.
To be honest, the only explanation i can come up with for believing something such as CSS or ebook "copy protection" would work is if the believer in question is either unbelievably, unbelievably stupid or hideously misinformed. It just doesn't make sense; you're going to give someone a computer program or device that can decrypt this movie, but expect that they won't be able to take apart the computer program or device and figure out exactly how it works? Only a complete moron would assume that. In the case of computer programs, especially; if you are going to give my computer instructions for decrypting CSS, you have given *me* instructions for CSS. All it takes is time, and i will have disassembled your program and written my own, even if your instructions are written in machine code.
In short: you cannot have any real encryption in which people who you are trying to keep out of the transaction are being given keys!! DeCSS was not encryption or even a workable form of copy prevention at ALL, but simply extremely complicated security through obscurity. That is why it was cracked easily. Moreover, even if it HADN'T been cracked, all it would have taken is leaked design documents or source code from ONE of many DVD licensees, and we would all know how it worked anyway. You *cannot* have real security if *this many people* have keys, all keys are being sold in Best Buy for $200, and all keys are roughly interchangeable! For it to be workable encryption, THE KEY HAS TO BE MATHEMATICAL, NOT PROCEDURAL, and ONLY THOSE PEOPLE YOU WANT TO BE ABLE TO DECRYPT THE MESSAGE AT WILL SHOULD HAVE A COPY OF THE KEY.
As to why the encryption in 802.11 is broken, i believe the answer is because its encryption method is weak and old. They *could* have used the same methods SSH uses; instead, they used a low-bit-count version of RC4. As to why they used the weak, old thing instead of something like 3DES, i haven't the foggiest idea. I would suspect it has something to do with export regulations, or perhaps that they assumed that the lowly "consumer" didn't need strong encryption, so they could use toy encryption and nobody would mind. Either that, or they purposefully meant it to get hacked so that they could sell you a more-expensive "strong" version at a later date.
Hmmm. The employees are the business, bub.
Anyway, I wasn't going to post in this article because this whole thing is a troll and perpetuates several fundamental misconceptions.
But at least you are half right.
Encryption on the link-level IS NOT security. "Security" on the link level consists of denying physical access to your link. Even then it's not important.
The words encryption and security are really reserved for end-to-end or peer to peer level.
It doesn't matter what's in between because it's encrypted there. Doh!
It takes only minimal intelligence to see this.
Consider this physical representation:
A connected to B connected to C connected to D.
What kind of an idiot talks about encryption between B and C where it's obviously encryption between A and D that matters?
Take this personality test.
Doing RC4 or AES at 11 Mbps in software is no problem.
Punching a hole in a standard is not illegal. Telling other people that you have punched a hole in a standard is not illegal. Demonstrating that you have punched a hole in a standard is not illegal. Telling others about how you punched that hole in a standard isn't illegal. Distributing the product that punches the hole in a manner reasonably calculated to advance the state of knowledge or development of encryption technology when engaged in a legitimate course of study and then providing the copyright owner with notice of the findings and documentation of the research is not illegal. Distributing the hack for noncommercial purposes is not criminally illegal.
Dmitry was allegedly selling a product designed primarily to commit illegal acts. That's why he was arrested, not because he demonstrated a security hole. He found it, then he tried to profit off of it by distributing it to people who paid him. Allegedly.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
the standard wasn't engineered to protect passwords from eventual decryption, etc. instead, it's a way that a network access point can enforce a security policy so that no traffic can get through on the lowest network layers until a client has sufficiently authenticated to the access point. so a wireless hub (or even a wired hub) can say "hey, identify yourself!" and the client can say "hey, this is me!" and the hub will go to an authentication server (in Microsoft's case, they say a RADIUS server) and say "hey, is this (so and so)?" and if the authentication server says yes, then the hub will let the client's traffic through.
coupled with that is a protocol where access points can enforce a policy where clients must refresh their encryption keys on an hourly basis. so a network intruder must be able to crack these keys on an hourly basis to gain access to the network. a week is a joke... these 802.11x access points will be through several iterations of keys by the time one is cracked.
(interestingly enough, the protocol also includes provisions for someone who is wandering between wireless access points where one hub can vouch for the user and cause the newer hub to forward their traffic until authentication by the server is achieved, allowing for roaming without the 3 or so second delay that would be necessary for all of this to happen).
the point of all this is that it's not there to secure your cleartext POP password.. 802.11x is there because access points (be they wireless or ethernet or whatever) are becoming more prevalent in our society in public, physically insecure places, so a protocol has to be developed so that network admins can be sure that the right people are using it.
the protocol even allows (given 802.11x aware hardware) that user levels be granted based on the authentication server, so a guest might be allowed restricted gateway access to the Internet but their traffic may be physically restricted from reaching the LAN fileserver, whereas the admin is given the red carpet.
pretty sweet, from an admin perspective.
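The gatekeeping flow described in the comment above, as an added example that is not part of the original thread: a small Python model of an access point that drops client traffic until an authentication server vouches for the client, expires session keys after an hour, and restricts destinations by role. The class, function names, user store and role policy are all hypothetical and constructed for illustration.

```python
import hmac
import secrets

REKEY_SECONDS = 3600  # hourly key refresh, as the comment describes
# Constructed stand-in for the authentication (RADIUS) server's user store.
AUTH_DB = {"alice": ("correct horse", "admin"), "visitor": ("welcome", "guest")}
# Constructed policy: which destinations each role may reach.
ROLE_POLICY = {"admin": {"internet", "fileserver"}, "guest": {"internet"}}


def auth_server_check(identity, secret):
    """Return the user's role if the credentials match, else None."""
    entry = AUTH_DB.get(identity)
    if entry and hmac.compare_digest(entry[0].encode(), secret.encode()):
        return entry[1]
    return None


class AccessPoint:
    """Hypothetical access point that gates traffic per client."""

    def __init__(self):
        self.sessions = {}  # client MAC -> [role, session key, key issue time]

    def authenticate(self, mac, identity, secret, now):
        role = auth_server_check(identity, secret)
        if role is None:
            self.sessions.pop(mac, None)  # failed auth closes the port
            return False
        self.sessions[mac] = [role, secrets.token_bytes(16), now]
        return True

    def rekey(self, mac, now):
        """Issue a fresh key to an already authenticated client."""
        session = self.sessions.get(mac)
        if session is None:
            return False
        session[1], session[2] = secrets.token_bytes(16), now
        return True

    def decide(self, mac, frame_type, dest, now):
        """Decide what happens to one frame arriving from a client."""
        if frame_type == "auth":
            return "pass-to-authenticator"  # only auth frames cross a closed port
        session = self.sessions.get(mac)
        if session is None:
            return "drop:unauthenticated"
        role, _key, issued = session
        if now - issued >= REKEY_SECONDS:
            return "drop:key-expired"
        if dest not in ROLE_POLICY[role]:
            return "drop:role-denied"
        return "forward"
```

Timestamps are passed in as plain seconds so the key-expiry path can be exercised without waiting an hour.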
Just raise the taxes on crack.
Stubblefield's attempt took just under a week, which included the time taken to deliver the card, set up the testbed, perform debug and then finally retrieve the key.
Ouch.
-----
In all honesty though, this -could- be a good thing for us regarding laws. Here's an American graduate student that showed an immense weakness in a standard encryption protocol. Furthermore, he did it for no profit, without violating any copyrights, and while working with AT&T.
This could be very good. People (as in general society) would be a bit leery of Dmitry Sklyarov because he is Russian and because it was a for-profit venture.
This student, OTOH, broke this w/o profit and without breaking any copyrights.
Hopefully (though I doubt it) this can hit at least semi-mainstream news, or, at a minimum, the ears of lawmakers and security analysts.
just so you know, airport uses 802.11, which is a fairly popular standard for wireless networks.
-- free as in swatantryam - not soujanyam.
As others have noted, end-to-end encryption is the best bet. However...
If there are control functions used by 802.11 nodes that depend on WEP for their integrity/privacy, the network could still be susceptible (even if your application data is secured end-to-end).
Would someone familiar with 802.11x internals shed some light on this? Thanks.
Yes this is new, because now it's no longer theoretical. It has been known for some time that WEP has problems. This attack was based on another paper that outlined WEP's weaknesses. What's new is that these guys went ahead and actually did it, in under a week, including locating the necessary hardware. They've gone beyond discussion, and demonstrated that WEP is fundamentally flawed.
A very plausible solution, but always remember - there's always something that makes the odds hit a lot closer to home. For example, say I buy a single lottery ticket, and 6 million other people do the same. Given a pool of ~6 million choices, the pretty little balls will pop out with one lucky winner - who could be talking to Apu's shrine/whatever-the-proper-word-is at Kwik-E-Mart.
Most likely, it wouldn't happen for a long, long time (1 to 6 million packets). But every once in a while, it'd work on the first try.
(and for those of you who didn't like this: I want my two cents back. Really. I'm a poor college student, and if just half of you do just that, it's $125 in my pocket... Actually, forget that... it'd all be under siege by the girls outside the window before I knew it...)