Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Fast Packet Keying" Improvements to WEP

Posted by michael on from the what-me-worry dept.

Weedstock writes: "BBC Tech News has an article about the latest development in wireless networking security. It seems that RSA Security has improved the encryption system used by the protocol. Will this new update finally make wireless networking secure? You can also find a list of papers about wireless security issues here." RSA has a press release about their changes to WEP being accepted by the 802.11 committee.

88 comments

  1. Fast packet keying again ? by tempmpi · · Score: 4, Redundant

    http://slashdot.org/article.pl?sid=01/12/17/185320 6&mode=thread

    --
    Jan
    1. Re:Fast packet keying again ? by Anonymous Coward · · Score: 0
      Don't just moderate down dissenting opinion, think about its validity.

      If it's offtopic, I'll moderate it down as such whether it's valid or not.

  2. Don't embed engryption.. by zcat_NZ · · Score: 3, Interesting

    My own view is simple; encryption shouldn't be done at the hardware layer. Assume that everything on the network is wide open and use SSH / SSL on each protocol or an encrypted VPN.

    This way you can be sure everything is encrypted consistently from the host machine all the way to the client, even when your packets pass through 'unknown' equipment.

    The other advantage of this approach is that you can get all your hardware cheap on ebay because everyone else is abandoning them as 'not secure enough' :)

    --
    455fe10422ca29c4933f95052b792ab2
    1. Re:Don't embed engryption.. by Detritus · · Score: 3, Interesting

      The conservative approach is to use both link and end-to-end encryption.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Don't embed engryption.. by zcat_NZ · · Score: 1

      I'd like to know what holes you're referring to!
      The last one I'm aware of was about 6mo ago, fairly difficult to exploit, and we patched for it the same day.

      Reading back it appears the bigger issue is people driving by and stealing bandwidth, which just using SSH doesn't really solve. Put the access point on it's own network, set up so the only place you can connect from the unencrypted network is to your VPN server, that way both issues are addressed. Oh, except the windows implementation of PPTP is rather flawed too (you didn't provide a reference, so neither will I, but at least mine exists :) so yeah, it's not totally black-and-white.

      The real problem is that people want to just plug the card in and have everything configure itself automagically. WEP gets closer to providing this while still being marginally secure. VPN's and stuff take some setting up.

      --
      455fe10422ca29c4933f95052b792ab2
    3. Re:Don't embed engryption.. by Craig+Davison · · Score: 1

      Unless you use that VPN for everything, your DNS requests are still visible and there's a possibility of spoofed DNS replies.

      --
      Hands in my pocket
  3. I know... by The+Paradox · · Score: 3, Insightful
    ...that it isn't fashionable - or geeky - or (mostly) smart - to thumb one's nose at security issues. But frankly... I'm not that worried about 802.11b's encryption problems. Why? I use 802.11b over my home network, totally unencrypted. I live on a dead-end court, so "war drivers" aren't an issue, especially since the access point I'm using has an effective range that makes me turn the 'top the right way to get reception when I'm on the other side of the house (not centered, because of layout issues).

    Yes, I know, perhaps it's stupid of me, and I'm planning to set up some kind of security. But for many users out there - the people who wanna be able to check their email from the kitchen - weak security is just not a problem. Just so long as the spooks don't start wanting wireless access... :D

    --
    Pain(n): when you're telnetting into a box doing somethin cool, and some luser calls for help with a 'critical error' ad
    1. Re:I know... by Anonymous Coward · · Score: 2, Insightful

      its great that you dont care. this doesnt change the fact that someone can use your wireless connection to do something illegal and you're going to have a very difficult time proving that it wasnt you. this also doesnt stop others from snooping everything you do over your wireless connect. just because you personally have no interest in security doesnt make it a non issue. in fact, its makes it more of an issue because lots of people feel like you--they could care less about keeping up with security. its up to those who care to make things safe and secure for those who dont.

    2. Re:I know... by Anonymous Coward · · Score: 0

      can someone stop and tell me how this is insightful?

      the guy explains to us that he doesnt care about security and then tells us all about how he doesnt because he lives on a dead end road. ... im stumped, who cares?

    3. Re:I know... by Anonymous Coward · · Score: 0

      The same thing could be said for capitalization, grammar, and punctuation. ;)

  4. yawn by jeffy124 · · Score: 3, Redundant

    old news

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:yawn by rusti999 · · Score: 1

      What's wrong with Slashdot lately? This is not the first time within the last month when duplicate topics are posted.

  5. Been said many times, but.. by infiniti99 · · Score: 2, Informative

    Just use a form of VPN to get your security over a wireless network. Remember, ethernet isn't secure either.

    It is probably better to use your own encryption tools anyway, since built-in schemes will likely be obsoleted eventually.

  6. To hell with WEP. by matt-fu · · Score: 1

    IPSec is what I'm planning to use to make my future wireless LAN be secure.

    Old 486 laptop with broken screen + OpenBSD + some 802.11 card = "no kids breaking into your network via wireless" for under $100.

    1. Re:To hell with WEP. by Anonymous Coward · · Score: 0

      Speaking of IPSec, I was wondering but have yet to find if IPSec works under MacOSX. I'd really dig that. I'm too busy/lazy to find out for myself though..

    2. Re:To hell with WEP. by ConsumedByTV · · Score: 2

      Do you know of any good instructions on how to set up IPSec under any *nix?

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    3. Re:To hell with WEP. by Anonymous Coward · · Score: 0

      check here

  7. What I want to know is... by TheSHAD0W · · Score: 2

    Can I get this for my Linksys hardware in a firmware update?

    1. Re:What I want to know is... by Waffle+Iron · · Score: 3, Interesting
      Can I get this for my Linksys hardware in a firmware update?

      I'd like to know that too, but for my WaveLan cards. And if it can't be upgraded, I want a refund on the $20 extra per card I paid to get "128-bit" (yeah, as if) encryption.

  8. IPSec *yawn* by Anonymous Coward · · Score: 1, Informative

    IPSec solves this problem. And the much more common of someone plugging into a wire or hub between point A and point B. And the man-in-the-middle problem, for some networks. For some reason people seem to think it'l only work with IPv6 but it works fine with IPv4. You don't need to pay extra for a card that supports >40 bit encryption, either. All you need is an OS that supports it. Even Microsoft supports IPSec these days. Why are people still worrying about 802.11-level encryption when true end-to-end encryption is better and cheaper?

    1. Re:IPSec *yawn* by Anonymous Coward · · Score: 0

      Its called being able to plug and play, dude. When Joe blow can buy any NIC and AP and quickly establish an IPSEC tunnel to the other side of it, it will be used. Otherwise, it will never be practical.

  9. 2.4 GHz to 900 MHz Transverter for Wireless LAN by Anonymous Coward · · Score: 1, Interesting

    Offtopic, but here is a link for a project to attempt converting 2.4 GHz 802.11b wireless LAN cards down to the 900 MHz band to help overcome non line-of-sight issues.

    here's the link

    1. Re:2.4 GHz to 900 MHz Transverter for Wireless LAN by XNormal · · Score: 1

      Sorry, the 2.4G unlicensed band is 83 MHz wide while the 900 MHz band is just 26 MHz. Downconverting will spill into cellular and other frequencies in use.

      I'm not saying it will not work, but if you are going to step on someone else's frequencies you may as well convert to other frequencies.

      --
      Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
    2. Re:2.4 GHz to 900 MHz Transverter for Wireless LAN by Anonymous Coward · · Score: 0

      Eh? you only downconvert one channel, which are 22 MHz wide

  10. old news by f00zbll · · Score: 2, Redundant

    This article has been out for a while. move on, nothing to see here. You're probably gonna have to complain to get your 802.11 wireless lan cards updated.

  11. not that secure by xtp · · Score: 5, Informative

    The press releases are designed to soothe security-minded corporate customers and disguise the remaining technical issues with WEP, such as
    1. the key-mixing technique was diluted in strength so that the overhead of firmware upgrades would be acceptable. The "improved" technique has been changed a few times as weaknesses were discovered. It is quite possible that the new WEP can be cracked as thoroughly as the original.
    2. the key-mixing technique requires that a new temporal key be set up every 16K packets - a sign of weakness. The 802.1X procedures for setting up the temporal keys have not been finalized and contain weaknesses.
    3. it is debateable whether the 802.1X temporal key procedures, once finalized, will be practical at higher PHY rates of 802.11g or 802.11a since the rate of temporal key updates must be greater than the lower rates needed for 11b.

    It is more foolproof to rely on IPSEC as other posters observe. The argument against IPSEC and for wireless link crypto is based on the perceived overhead of forcing everything on an internal enterprise network to run IPSEC so that the wireless subnet can be secure. For SOHO setups this should not be an issue.

    1. Re:not that secure by hawkfan · · Score: 5, Interesting

      The argument against IPSEC and for wireless link crypto is based on the perceived overhead of forcing everything on an internal enterprise network to run IPSEC so that the wireless subnet can be secure.

      Using IPSEC on the wireless network only requires the wireless stations and a gateway to run IPSEC. The IPSEC gateway acts like a normal router to the rest of the network. You can even do transparent gatewaying based on proxy-arp.
      Our laptops use 802.11b cards without WEP and 2 Linux machines with Prism2 based cards operating in HostAP mode. One AP handles the encryption and allows handoff to the other via proxy-arp depending on which AP has the link to a particular station on their own wired subnet. The primary AP acts as a router to the rest of the unencrypted wired lan. All the stations on the wireless lan are configured to drop all but the IPSEC traffic. This not only protects against spoofing and hijacking on the wireless lan but also gives strong encryption to the traffic.
      After the pleasant experience I had with Freeswan on the wireless network I'm considering bringing IPSEC to the rest of the wired network.

    2. Re:not that secure by swillden · · Score: 3, Insightful

      All the stations on the wireless lan are configured to drop all but the IPSEC traffic.

      Bravo! This is the absolutely crucial element that most people miss. If any of the wirelessly-connected stations accept any non-authenticated traffic, they're vulnerable to being compromised, which, in turn, compromises the entire network, wired and wireless.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:not that secure by swillden · · Score: 3, Insightful

      The "improved" technique has been changed a few times as weaknesses were discovered. It is quite possible that the new WEP can be cracked as thoroughly as the original.

      Remember, it's a *good* thing that the new technique has been cracked a few times. Had serious (or even rudimentary) cryptanalysis been applied to the original protocol, we'd never have gotten into this mess. RSA Data knows how to create good cryptography, and wireless networking is important enough that many other people will take a hard look at this new protocol before it's implemented.

      the key-mixing technique requires that a new temporal key be set up every 16K packets - a sign of weakness

      Very possibly. It certainly seems not to leave a whole lot of margin for improvement in the face of any new attacks. However, I don't know how much conservatism is built into the 16K number.

      It is more foolproof to rely on IPSEC as other posters observe.

      Absolutely. As long as all hosts have firewalls that drop all non-IPSEC traffic. However, it's worth remembering that the original intent of WEP was to build something that approximated the security of a wired network. Although the first attempt failed utterly, if the upgraded protocol can just make all passive attacks infeasible and make active attacks fairly difficult then the original intent will have been achieved.

      Had it been designed by knowledgeable cryptographers, WEP would have been as strong as IPSEC, which would have been great. As things are now, the patched system won't ever be as good as WEP could have been, but it probably will be as strong as it needs to.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:not that secure by sigwinch · · Score: 2
      Had it been designed by knowledgeable cryptographers, WEP would have been as strong as IPSEC, which would have been great.
      I see this as a blessing in disguise: the popularity of wireles + WEP's insecurity == people are learning how to do end-to-end security. The techniques learned and the software perfected will help everywhere.
      --

      --
      Kuro5hin.org: where the good times never end. ;-)

  12. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  13. will it make it secure? by Lumpy · · Score: 3, Interesting

    not unless it's a firmware update that fixes all current equipment. There is alot of 802.11b stuff out there. much of it is 24-40 bit only. Most everyone using it hasn't a clue about firmware updates or even security problems for that matter (The sheer number of open 802.11b networks I can snif that have no encryption is proof of that.

    They need to make this a part of the driver and make the driver force a firmware update and enable it by default if securing wireless is important. Otherwise this is only an expected feature of the new stuff that I'll buy in about 2-3 years.

    --
    Do not look at laser with remaining good eye.
    1. Re:will it make it secure? by PMan88 · · Score: 1

      some people don't need encryption for their wireless networks. they are not top secret information. i have a wireless network which i never bothered to encrypt. mostly because it doesn't do much but also because im too lazy to

  14. Credit where credit is due? by William+Tanksley · · Score: 3, Interesting

    I wonder... The press release quotes a PhD from Hifn and a marketing droid from RSA, and says that RSA and Hifn developed this together.

    I know RSA's the big name here, but I wonder whether they merely contributed the name, not the research.

    -Billy

    1. Re:Credit where credit is due? by Anonymous Coward · · Score: 1, Informative

      The web page at RSA security lists someone from RSA Labs as being a co-author for the IEEE paper, wasn't the same name as the marketing droid.

      See http://www.rsasecurity.com/rsalabs/technotes/wep-f ix.html

  15. Not the whole problem by nsayer · · Score: 2, Interesting

    Rotating the keys quickly will not solve the only problems with WEP. In general, encrypting stuff isn't enough. The receiver of encrypted data must insure that the data was not changed in route. Since the packet validator in WEP is CRC rather than something cryptographically strong, it is possible to perform replay attacks, or even worse, replay modified packets and have them be received as if they were legitimate. Even if it is not possible to decrypt packets, the ability to modify and reinject packets and have them be received creates some big problems.

  16. darn by NotAnotherReboot · · Score: 3, Funny

    I rather enjoy going to colleges' student centers and reading everyone's email. Hope this won't change my ways.

  17. Possible solution? by alexburke · · Score: 2

    How about using private/public key cryptography? A randomly-generated private/public keypair can be blown into WiFi cards during manufacturing. When a card hops onto a network, it exchanges public keys with all devices on the network, and seamlessly encrypts all data to that device with the appropriate key. Make it built right in and mandatory. (The size of the key and selection of the algorigthm are left as an exercise for the reader.)

  18. Fast Packet Keying by afidel · · Score: 3, Interesting

    Already implemented in Cisco's newest firmware, acu and drivers (both Linux and Windows). Since the old firmware wasn't even vulnevable to airsnort unless there were VERY determined hackers out there Cisco gear hasn't been vulnerable at all. With the new firmware they also implemented per packet hashing so spoof attacks are foiled.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  19. Problems... by Tom7 · · Score: 2, Insightful


    - every card knows every other card's public key, so the storage requirement grows polynomially with the size of the network (not good).
    - key exchange is a non-trivial step; in order to have adequate security you need to protect against man-in-the-middle attacks.
    - using fixed keys is probably not so smart, since recovering the device would mean that you could decode all messages previously sent to that device, and a device with a compromised key could never be used securely again.

  20. Re:NOT FIRST POST! by Anonymous Coward · · Score: 0

    You're pretty sad, even I have better things to do...

  21. Not terribly acuurate. by MulluskO · · Score: 2
    PS2's all-important backward compatibility with PS One games means that PS2's 4×-speed DVD drive must be able to read PS One's Super Discs based on the CD-ROM/XA format, which, ironically, Sony developed in the late 1980s for use with a never-released Super Nintendo game-console peripheral. PS2, like its PS One predecessor, also plays audio CDs. PS2-targeted games come on both copy-protected CDs and DVDs, and the console also plays DVD-Video discs if you buy the $19.99 remote-control accessory. Memory cards let users store saved game states and other personal data for use when they play friends' consoles (Reference 8). PS2 accepts two such cards.


    Not true, we have a PS2, and we don't have a special remote, and we watched a movie on the conslole it last night using an ordinary dual shock controller that came with the system. It's also documented in the manual. I think this author may be thinking about the Xbox, but I don't have one of those.

    My playstation may have a more recent firmware than the author's, we bought it this Christmas. I notice you can view version info when you boot it. Does anyone else have a PS2 that does this?
    --

    Too busy staying alive... ~ R.A.
    1. Re:Not terribly acuurate. by zeno_2 · · Score: 1

      No, I have one of the original ps2's that was sold when they came out, and mine plays DVD disks fine.

      I think with the XBOX you do need to buy the DVD kit but not sure.

      My ps2 has a menu that i can access with my ps2 controller, for ff, rewind, play, all the normal stuff.

    2. Re:Not terribly acuurate. by Anonymous Coward · · Score: 0

      I think this was meant to be attatched to another story. This must be what happens when you anger the Katz.

  22. keying eh! by Anonymous Coward · · Score: 0

    I bet I can key your car faster than these packets can.

  23. The problem with WEP by XNormal · · Score: 3, Interesting

    The real problem with WEP isn't the weak method it uses to generate RC4 keys. I've seen with my own eyes many networks that don't even have encryption enabled.

    The real problem is that encryption is:

    A. Optional.
    B. Difficult to set up.

    WEP isn't close to being "wire equivalent" because wires are, by default, pretty secure. You don't need to manually enable 'no-public-hub-ports-on-external-walls' mode with a wired Ethernet.

    A wire isn't just a way to get the bits from A to B - it also acts as a user interface for associating machines with networks. I bet you didn't think of the patch panel in the server room as a user interface, right? Actually, it's a pretty good user interface. It's much more intuitive than any GUI and very reliable (ok, so it's a little messy, but so is my desktop :-)

    Here's an idea for how WEP could have been much closer to 'wired equivalent':

    When you set up the device on your machine it scans for available networks and shows a list. You choose one. It then tells you to press a key at the same time as pressing a button on the access point.

    If you have physical access to the access point you can do it yourself. Otherwise you call the admin on the phone and after checking your identity (usually it's just a matter of recognizing your voice) the admin tells you to press the key '...now!'. That's it. You're on the network, with securely configured strong encryption.

    This can be much more secure that it appears - the key is exchanged using Diffie-Hellman key exchange so eavesdropping is not possible. Man-in-the-middle attacks are difficult in a shared medium such as wireless where everyone hears everyone else: if the two participants are careful they can detect such attacks. To prevent attempts to 'take a ride' and join the network at the same time as another machine the access point will verify that there are no other attempts to join the network within a certain period before or after the time window for 'simultaneous' button presses (actually within plus or minus a few hundred milliseconds).

    Now, what are the chances of some company actually implementing this?

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
    1. Re:The problem with WEP by Anonymous Coward · · Score: 0

      Wires secure?

      I know of quite a lot of companies that one could, as visitor, lend a cable from a machine. Doesnt take long time, and they usually has NO security if you have got the cable.

      They could force so only machine with MAC adress zzzyyyyxxxx do work at swich port z - and that anything else connected there should alarm the admin - but nearly no-one does that.

      You could also break into an company, make it look like they were going to steal something like the watercooler ;-) - and kick in a cable to the ethernetswitch, take the cable outside, and have a drop and check their network. Quite a lot of companies doesnt check for intrusions from inside.

      I think WEP was a nice idea, but the RC4 was implemented wrong, FAR to easy to crack. Lucent have shown in their drivers how to fix the RC4 problem. And Cisco have shown how one can implement 802.11x, which have the advantage of changing so often, so even spoofing is hard. Good enough for simple security, I think

    2. Re:The problem with WEP by XNormal · · Score: 1

      Wires secure?

      I said pretty secure, which is enough for most people most of the time. Your scenario of a malicious visitor connecting wires is far less likely than a drive-by attack by a curious geek with a laptop. Just think about the chances of getting caught in each of these scenarios.

      --
      Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  24. IPsec instead of WEP by cotu · · Score: 1
    The notion that IPsec has lots of overhead is largerly bogus. As a proof, I wrote simple wrappers around sendto/recvfrom for ESP transport mode with hmac-md5 and no encryption. It interoperates with Freeswan with manual keying just fine. The total code footprint was about 6k, 5k of which was the md5 hmac. Encryption could easily be added, and for a point to point application like AP/host you don't *really* need tunnel mode, though if they were smart they use IPv6 and link local addressing with autoconfiguration -- you're going to need router advertisements for mobility eventually, after all.

    Of course, aside from the completely bone headed reuse of RC4 keystream, the actual Hard Problem is key distribution. Why the 802.11 guys want to revinvent this is a complete mystery to me. IPsec has IKE -- which is about to get a face lift in the form of either JFK, IKEv2 or most likley a combination of these proposals. IPsec also has KINK (Kerberized IPsec) which is about to go to last call. Eventually, I expect that AAA (DIAMETER) based IPsec keying will be formalized since they're already toeing that line in many areas.

    Yet, the 802.11 folks still want to roll their own. Ick. How this will all play out with fast mobility (ie so you can run voip instead of circuit switched voice on CDMA/802.11 dual mode phones that will eventually appear) will be very interesting. My guess is that it won't until somebody takes an integrated look at security, quality of service, admission control, etc. I have some hope that the IETF protocols will eventually get this right, but the best I can hope for the L2 folks is that we can turn all of this krufty L2 wheel-reinvention off.

  25. the complete recipe by xtp · · Score: 1

    "fast packet rekeying" is not the same as changing the base keys or master keys (knowledge shared by the endpoints and key distribution system).
    Rather, it refers to a technique of using regular
    'ol WEP to encipher each packet, but using a different key FOR EACH PACKET. These per-packet keys are computed on the fly using a hash function-like method that scrambles the real key and thus increases the difficulty of attacking the underlying RC4. This technique has been called "key mixing" - a better term than "fast packet rekeying" IMHO - because it avoids confusion with "rekeying" whereby key material is exchanged between endpoints. Rekeying every 16K packets is required in addition to key mixing in order to avoid the passive key recovery methods (airsnort).

    By the way, the "real" problem with RC4/WEP is that WEP uses the initial 256 bytes of the RC4 cipherstream. The best "fix" for WEP would be to simply discard all the key flogging trickery, but that approach was rejected because of overhead and difficulty of retrofitting NIC cards that have dedicated RC4 hardware.

    It should also be pointed out that spiffing up the WEP does not eliminate attacks whereby 3rd parties inject messages. The rest of the fixup work for WEP involves specifying a separate message authentication function that prevents imposters from sending messages. A good example of what can happen in the absence of authentication is the recent well-publicized weaknesses in Universal Plug and Play. One problem was that an unsolicited UPNP NOTIFY message, if bogus and accepted, initiated a bad chain of events.

    Similarly, a rekeying procedure using something like 802.1X is vulnerable to hijacking if the rekey messages are not protected with an authentication function. The bad guy can, in theory, instruct the endpoints to switch to a new key. Of course it's not quite as easy as that because the messages may not be easily forgeable. But if there are ways to forge such messages and there is no authentication function, then the system is wide open.

    There is a fair chance that 11b vendors will subset WEP updates in a manner that will may separate message authentication as a configurable option. The result will be a better WEP, but in a system context that can still be compromized although not as easily as before.

  26. What I want to know is... by Anonymous Coward · · Score: 0

    Why do you insist on poiting your inanity at +1? Do you think anyone really gives a shit?

  27. Dead end court by leighklotz · · Score: 2

    I live on a dead-end court too. Two of my neighbors have open 802.11 networks. If I didn't need a static IP address I'd consider dropping my DSL and using theirs; with connection bonding I'd get faster downloads than either of them ;-)