Replacing WEP for Wireless Security
i.r.id10t writes "Over at infoworld.com they have an article about how the organization that certifies wireless LAN products under the Wi-Fi name revealed new specifications Thursday for how vendors should make their products more secure. The guidelines call for new mechanisms to replace the current security system, based on WEP, which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for Wi-Fi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance."
Between the Wi-Fi Alliance and the successors of SNORT, this is good news! It will create jobs and nobody has to die.
The guidelines call for new mechanisms to replace the current security system, based on WEP (Wireless Encryption Protocol), which has come under fire for being too easy to circumvent.
The last I checked, WEP stood for Wired Equivalent Privacy. Has to make you wonder how technically accurate the rest of the article is...
Trying to base wireless security on wired security will not work. There will always be a workaround if WEP is used/based on. The only way you're going to be able to secure wireless networks is through authorization and encryption. Tons of companies have already done this, and it seems to be transparent to them.
If a and b in c, and a can create b, and a can create a, and b can create b, and b cannot create a, then a created c.
I think it's great that wireless standards are expanding to include better security, but I think the real problem is with the way the products ship from the manufacturers. WEP would be a "good enough" security protocol for the average application, IF IT WAS USED CONSISTENTLY.
But every wireless product I've ever used (and there have been a lot of them) shipped by default with WEP disabled, I guess to make it more plug-and-play. In my mind, if you want to make wireless networking more secure, start by shipping the products with WEP enabled by default, and require the user to configure a unique SSID and WEP passphrase when they set up the equipment.
I mean, you could have a rock-solid encryption protocol, but if nobody is using it... what's the point?
Which I always took to mean "this is just as secure as if you had a wired network jack sitting out in the street which anyone who found it could use to connect to your network."
This does seem to be a reasonably accurate description of the security level, and this is how I explain it to the execs here who want to set up wireless at home.
Have you read the Moderator Guidelines yet?
Great! More non-standard, possibly incompatible implementations ahead.
This would actually help a lot, as long as "activated" doesn't mean "password set to 1234". This article also didn't say anything about vendor support, especially whether all the existing 802.11b gear will get new firmware. This is a really big deal for someone like a Uni or Wireless ISP where students/customers are going to try to buy the cheapest stuff they can find and expect it to work.
Several committee members of the Warchalk Standards Organization met today to hammer out a new standard for Warchalking. They claim that the current warchalking symbols are too easily recognized by the media and authorities, and leave little room for future expansion.
When I first read the title, it looked to me like "Replacing WEP for great justice"?
Seriously, can't they just umm... adopt others' work?
Contrary to the popular belief, there indeed is no God.
I've found that most manufacturers get around the current WEP issues by using a method called weak key avoidance. This doesn't use a sequential init vector, therefore rendering the attack invulnerable to things such as airsnort.
However, Cisco APs won't do that with my Orinoco cards. Orinoco APs won't do that with Cisco cards. Which is why I'd welcome some sort of standard "WEP plus" method implemented across the board. As each manufacturer implemented their own weak key avoidance algorithm via a firmware update on the cards and the AP itself, it should be a trivial task to implement a standard method, assuming the WiFi standards group doesn't make any stupid mistakes and require more powerful hardware. Wireless has been the hot technology lately, educational institutions have been the big users of this technology so the last thing they'll want to do is shell out hundreds of thousands of dollars for another 100 access points (in the case of Monash here in Melbourne).
Also remember that WEP 128 (RC4) is NOT part of the Wi-Fi standard! I think they should address this one while they're at it as well.
Wireless manufacturers are doing such a poor job now "wizardizing" or even simply mentioning security concerns in the setup of the access point/wireless card, you could have DH encryption on the thing and 70% of the APs out there would still be wide open.
Also, I don't see how this will affect the majority of the wireless access points currently out there. Will the current access points be able to inherit this functionality via a BIOS flash to support this encryption? And if so, how many people will actually do it?
Heil Sig! -Rob
Don't trust the wire (or wireless). YOU DON'T HAVE TO!!!
Why try to create new technology for this? The problem can be solved with technology OFF THE SHELF.
Linksys makes a "VPN router" that uses IPsec and 3DES for under $100. It works fine with Windows 2000 IPsec and many, many others. I use it with OpenBSD. Linksys also makes wireless access points. Combine the two devices! Problem solved.
Now if Linksys would combine the two devices into one box and write some clear documentation for the newbies, they would have a great product!
Are you listening, Linksys? D-Link? Netgear?
Hmmm. Maybe I should go patent this idea.
I don't remember if this was ever posted to /., but this summer I was reading an article in some magazine, where supposedly a group stood across the street from some high-security military building (I want to say Pentagon, but I'm not 100% sure) and was able to sniff the wireless network name. They then did a DoS on one of the APs, stole its IP and had full access to the wireless part of the network. Now granted the wireless network was not connected to anything "too sensitive" but was used to control all of the security cameras... There's our tax dollars at work for you. It was supposedly fixed immediately once they were contacted about the whole... Just thought of this as I was reading and figured I'd share.
I'm only paranoid because everyone is against me...
Do you neglect to mention that most of them do in fact have a network port sitting unprotected on the street? Most houses do not have locks on their telephone boxes, and as such, there is nothing preventing some random kid from dropping recording devices in there, and capturing all phone data. I have not heard about this being done to listen to DSL connections, but it should be doable with the right hardware.
WEP can never be a "good enough" security protocol
If you are going to quote me, do so in context. What I said was:
"WEP would be a 'good enough' security protocol for the average application..."
The key phrase here is "for the average application". Meaning, home LAN, small business, or anything where high security is not a tantamount concern. WEP is "good enough" to provide a reasonable level of deterrence against the casual intruder. Is WEP an end-all-be-all security panacea? No. And I don't think anyone said it was, least of all me.
This article doesn't really give the whole story..
WPA is a renaming of SSN. This is based around a scheme called TKIP (temporal key integrity protocol).
TKIP attempts to wrap WEP in mechanisms to address all the currently known attacks against WEP. This is with the express intention of allowing it to be provided as a software upgrade to existing hardware.
TKIP does not attempt to be super secure. It does various bad things from a cryptographic standpoint. It is just that exploits haven't been discovered yet.
The mechanisms of TKIP are:
1) Key and IV mixing. The IV and the key are cryptographically mixed to avoid weak key attacks.
2) Longer IV. The IV is 48 bits, not 24. Preventing Key/IV pair reuse.
3) An MSDU level MAC (Message Authentication Code) called a MIC (to avoid overloading the term MAC). This gives proper message authentication and replay protection. The WEP ICV fails badly in this respect.
4) An 802.1x derived protocol for mutual STA-AP and AP-STA authentication and key distribution.
Things to keep in mind are..
1) TKIP fails in its goal to be backwards compatible with some existing hardware. It will not work on some manufacturers' equipment, since they cannot insert the mixed key into the system at a point to replace the RC4 WEP seed.
2) This is a stopgap to hold out until real security can be provided via 802.11i, using some mode of AES.
3) It is not using vanilla 802.1x. The 802.1x spec has been rewritten in places to provide for the needs of 802.11. So it is not enough to just read 802.1x. You also need to be aware of the as yet unpublished changes in 802.1aa and 802.11i.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
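As an added illustration of items 3 and 2 in the list above (example code, not the poster's and not TKIP's actual MIC, which is a different algorithm): HMAC-SHA256 stands in for a keyed MIC, the key and frame are constructed, and the IV-wrap helper assumes a simple per-frame counter. It shows why an unkeyed CRC-32 ICV gives no message authentication while a keyed MIC does.

```python
import hmac
import hashlib
import zlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def crc32_is_affine(msg: bytes, delta: bytes) -> bool:
    """WEP's ICV is a CRC-32, which is affine over XOR: for equal lengths
    crc(msg ^ delta) == crc(msg) ^ crc(delta) ^ crc(zeros). No key appears
    in this identity, which is why an ICV gives no message authentication."""
    zeros = bytes(len(msg))
    lhs = zlib.crc32(xor_bytes(msg, delta))
    rhs = zlib.crc32(msg) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return lhs == rhs

def icv_check(msg: bytes, icv: int) -> bool:
    """Model of a WEP-style receiver: recompute CRC-32 and compare."""
    return zlib.crc32(msg) == icv

def mic_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Model of a keyed MIC (HMAC-SHA256 stands in for TKIP's own MIC):
    the tag cannot be recomputed or adjusted without the key."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def bit_flip_detected(key: bytes, msg: bytes, delta: bytes) -> dict:
    """Flip the bits selected by delta in a constructed frame and report
    whether each integrity mechanism notices. The ICV is re-derived from
    the public CRC identity alone; the MIC tag is left as is, because
    nothing better can be done with it without the key."""
    icv = zlib.crc32(msg)
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    tampered = xor_bytes(msg, delta)
    rederived_icv = icv ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(msg)))
    return {"icv_detects_flip": not icv_check(tampered, rederived_icv),
            "mic_detects_flip": not mic_check(key, tampered, tag)}

def seconds_to_exhaust_iv(iv_bits: int, frames_per_second: float) -> float:
    """Time before a per-frame IV counter wraps and key/IV pairs repeat,
    the reuse that TKIP's 48-bit IV pushes out of practical reach."""
    return 2 ** iv_bits / frames_per_second

if __name__ == "__main__":
    key, frame = b"constructed-demo-key", b"GET /index.html HTTP/1.0\r\n\r\n"
    delta = b"\x00" * 4 + b"\x01" + b"\x00" * (len(frame) - 5)  # one flipped bit
    print(crc32_is_affine(frame, delta), bit_flip_detected(key, frame, delta))
    print(seconds_to_exhaust_iv(24, 1000) / 3600, "hours to wrap a 24-bit IV")
```

At 1000 frames per second a 24-bit counter wraps in under five hours, whereas the 48-bit counter takes thousands of years; the same flip that slips past the ICV is rejected by the keyed MIC.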
Last company I worked for shut down the entire WLAN service corporate-wide when a loophole was found. It took MONTHS to get it back to service, still with WEP.
Really, really. It is not that hard. Consider anything wireless to be untrusted, and require that they establish a VPN connection to your wired network. Set the clients to not accept any communications from outside this VPN. This technology has existed seemingly forever and IS tried and true.
ISO/IEC 8802-11:1999(E), that is, the official ANSI/IEEE 802.11 spec.
It says WEP is Wired Equivalent Privacy and makes absolutely no mention whatsoever of a "Wireless Encryption Protocol". The latter term may have grown into some level of colloquial use, but has no backing by the official standard at all.
-----Chaz
A Technical Comparison of TTLS and PEAP
ZDNet also has a good overview of the proposed solutions.
One has to wonder how much faith we should have in a body which named their original effort 'Wired Equivalent Protocol'. Anyone who believed that signals blared across the electromagnetic spectrum were equivalent to those inside of copper wires needs to take a deep breath and then leave the field of Engineering.
I for one have no faith in this body whatsoever. I use cables, and so does anyone who values their privacy.
Dr. Joseph Hairston
Superintendent, CCBC
ISO/IEC 8802-11:1999(E), that is, the official ANSI/IEEE 802.11 spec.
It says WEP is Wired Equivalent Privacy
Thanks for the correction. I had heard it called "wireLESS equivalent OF privacy", which made enough sense (given the 802.11b context) that I didn't look deeper.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If your laptop isn't linux, then you could run vncserver on your workstation, ssh to it with the VNC port forwarded, then point your laptop's vnc client to localhost, using the forwarded port.
You want it automatic? A simple shell script would do the trick.
Need a Linux consultant in New Orleans?
... if the manufacturers ship with WEP by default, then there'd be quite a few people leaving them on with the default keys... yet another problem
Actually, it looks more like a solution.
WEP, now that it's so thoroughly cracked, is useless for actual security against even a mildly interested eavesdropper. But WEP also serves another function.
In much of the computing industry and culture, permissions serve another purpose - the expression of intent. A read-any file is intended to be read without bothering to ask, a read-owner-only file is intended to be private (i.e. don't break the lock without asking even if you're the sysadmin), and so on.
Many people deliberately leave their WiFi hubs open and allow them to be used (on a non-interference-with-owner's-use basis), for a variety of reasons. The configuration COULD be used to indicate intent - open = go ahead, WEP on = I want it private, etc.
But that is compromised by the practice of having WEP off by default. If WEP is on it's clear that the owner DOESN'T want you using it without at least asking permission. But if it's off, was it because the owner is granting permission, or because he just left the default in place, typically through ignorance.
Shipping with WEP on and a default key adds a clear third category:
- WEP off: It was TURNED off, a clear sign of intent to let the port be generally used (or total cluelessness).
- WEP on, non-default key: The key was changed, a clear sign that the user INTENDED the port to be reserved for those to whom the owner granted permission.
- WEP on, default key: The configuration is default. The user's just plugged it in and started using it, so his intent is not clearly expressed.
Unfortunately, every security option that's on by default means an additional barrier between a new user and getting something to work. So it represents a flood of service calls, and a heavy extra expense. Thus, vendors have an incentive to ship products with security options off by default, leaving the user wide open until they become sufficiently educated (or burned) to pay attention to plugging the security holes.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Why don't we just add public key encryption to the TCP/IP stack? When you join a WLAN you broadcast your public key, the others broadcast theirs back to you. This key could be used to sign messages, and to join the network you'd have to have your key signed by someone already in the network. With sufficiently long keys it's unbreakable by the script kiddie walking past.
WEP is insecure. It was designed to offer some security, not be unbreakable. It is a trivial effort to pull a signal off a wire; if I really want to do it, I can. Just like cracking WEP.
WEP wasn't designed to be a complete security solution, it was meant to be discouraging to outsiders.
No, it wouldn't. WEP is just broken--it can be listened into with one of a number of simple software downloads.
If you actually have sensitive material going out onto the Internet without encryption, then whose fault is that? Being able to sniff your Internet traffic is nothing compared to being able to sniff your LAN traffic.
Hmm, maybe it is time to start using all IPSec internally....