WEP Gets A Bit Stronger

gmr2048 writes: "CNN is reporting that RSA has helped develop "Fast Packet Keying" to strengthen WEP security. More info can be found at the RSA page. Damn, and I'm still working on my Pringles can antenna."

Damn...

[4mn0t1337]

This means I have to go back to just reading my own mail for the time being?

Just when my neighbor's online affair was getting interesting. ;)

Why do packet-level encryption ?

[Rosco+P.+Coltrane]

Seems to me that the most secure way to do wireless networking is to set up encrypted tunnels :

No bad guy will ever be able to use the network anyway.

You have the choice of encryption policy you want to use and you're in control on how secure you want the network to be.

The overhead of encrypting the packet headers is avoided (granted, the card is supposed to do that transparently, but still I have seen significant slowdowns in lag and throughput when playing with WEP).

The only drawbacks I can think of with doing your own protocol-level encryption are :

Bad guys can still see your bastion host or VPN gateway in clear and have a go at it (DoS or otherwise), and script kiddies might want to have a try because they think it's in clear, while when they see WEP in place they might not even try.

You have to set up a VPN and the infrastructure that goes with it (duh) while you don't have to with WEP.

It's a little harder for Windows users to use your service, if you use PPTP, or it's impossible altogether if you use something Windows doesn't understand, or it's costly because you have to buy third-party Windows VPN software (I don't deal with Windows users, thank God, so problem solved for me).

What about the other 12 'key contributors'?

[Zeinfeld]

From the RSA press release:

Fast Packet Keying," a new technology based on the RC4® algorithm, is designed to help organizations securely fix the WEP encryption standard. This new WEP solution, developed by RSA Security, Hifn and other members of the 802.11 committee, is designed to generate a unique RC4 key for each data packet sent over the wireless LAN.

The fix to WEP was developed by a working group in which RSA was far from being the sole contributor. It is a bit off for RSA to try to claim the glory for the fix when a significant part of the WEP problem is due to a weakness in the keying scheme of RC4.

The presentation lists as 'key contributors' Jessie Walker of Intel, Bob Beach and Clint Chaplin from Symbol, Ron Brockman of Intersil Nancy Cam-Winget of Atheros Greg Chesson, Atheros Niels Ferguson, MacFergus BV Marty Lefkowitz, TI Bob O'Hara, Blackstorm Networks Dorothy Stanley, Agere Doug Smith, Cisco Albert Young, 3COM

So when RSA wants to get votes it has a dozen 'key contributors'. But when they want to take the credit there are two.

The original algorithm was botched, in part it is claimed (by an informed source) because the original IEEE working group left the crypto to an NSA advisor. Failing to understand the specific weakness of using a stream cipher in general and the specific weaknesses of the RC4 key scheme are the major reasons for the failure of the WEP design.

One could rightly blame the original working group for failing to read up on the litterature and avoid the known flaws of RC4, only RC4 was until recently a proprietary and secret algorithm of RSA. The key scheme flaws were only publicised after RC4 was reverse engineered without RSA approval, and resulted in considerable protest by RSA.

This type of publicity grab is not good for open standards development. It encourages people to release their proposals to the press rather than to the working group.

Re:More Secure, but not?

[Zeinfeld]

Now, is the 24-bit space limitation what RSA means by, "similarity of the packet keys", or are they referring to the fact that most boards start the IV at 0 and simply increment for each packet (the end result being numerous IV collisions)?

RC4 has a specific design flaw whereby the cipherstream for k has similarities to the cipher stream for k+1. These allow an attacker with cipher text for k and k+1 to recover the plaintext of the messages and the key.

One fix is to throw away the first 256 bytes or so of the cipherstream. Another solution is to make the probability of a collision very small which is what the fast keying scheme is doing.

The main constraint on the solution is that it has to be deployable on cards that have already been manufactured and those are not particularly powerful CPU wise.

The Berkely attack is certainly a concern, 24 bit encryption is not acceptably secure. But that is not the weakness being exploited by AirSnort. There are a bunch of mixing functions defined in the presentation I have seen but there is insufficient info to know if it does indeed do the right thing.

Again, I am somewhat anoyed when cryptographic protocols are puffed in the press prematurely. I am not a member of the 802.11b group, however I will be reviewing their work product when they announce it is ready. I am not aware that this is currently the case. I would like something more than a powerpoint presentation to evaluate the protocol by.

It's pretty ridiculous

[evilviper]

I really have to laugh when I hear about people trying to 'improve' WEP. My favorite is Cisco's method of changing the key about every 10 minutes.

The solution is to get rid of WEP all together (before someone REALLY breaks it!) and switch to something which works right. IPSec, SSH, SSL, PPTP all come to mind as protocols which could solve this problem, and never have to be upgraded. Now WEP is a cat and mouse game. Companies will continue to iimprovie it, and individuals will continue to find better ways to crack it. Personally, I'll just pass on an access point all together and get a Unix box with IPSec working as the router. Easy as 1, 2,3 and a hell of a lot more secure than any WEP solutions out there.