Slashdot Mirror
Security evaluation of 802.11i
Uberhacker.Com writes "Server Pipeline features an interesting report on the security viability of 802.11i. As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. 802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
...if the backdoor password is 12345
The 'i' is for insecure of course. What else could it possibly stand for?
My office has been taken over by iPod people.
I line the interior of my house and roof with tin-foil, so I think my Wireless network should be pretty safe.
(obligatory post, sorry)
Check out the best P2P sharing website: MEDIACHEST.COM
Because then there will be no more letters. P.S. Yes, I DID read the article before posting and it kinda implied this point too!
Hulk SMASH Celiac Disease
Why is it that applying security at a higher layer is a bad thing? The data is what needs to be secured, not the headers of the packets... I don't care if people know I'm sending data to my credit card company, I do care if they know what my login and password is though... Am I missing something? Why is it so important to apply security to the lowest layer?
---
Programming is like sex... Make one mistake and support it the rest of your life.
AES!=SECURE! It's how you implement it and use it that makes you secure!
AES is the buzzword of the moment. The real question: is 802.11i implemented in such a way that it is secure from the get-go (even at the expense of usability), and implemented in such a way that it can be upgraded quickly and easily should exploits be found.
Well?? I don't give a damn what algorithm it uses, I just want it to use the algorithm CORRECTLY.
I use a not allowed shared 802.11 connection!
"AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
If it's really secure, why does our favourite tree-letter-agency allow it for normal citizens? So much for paranoia...
Comment removed based on user account deletion
You can't throw pretty sounding state of the art encryption schemes at something and call it secure. WEP's failing was not a bad algorithem, RC4 isn't new by any means, but its nothing to turn your nose to. When used properly, it can do the job. But WEP used predictable session id's, a tiny key space, and a whole host of recomended but "optional" wep concepts that the manufacturers ignored because they were all harder to implement.
Wep was designed with the model:
1. pretty acronyms.
2. mumnle mumble mumble
3. SECURITY!!!
You could use AES in wep and it would still be breakable, the key exchange was piss poor, making the entire system piss poor.
I didn't read the article, this was just me bitching at the slashdot post, and people who believe fancy new encryption = security automagically.
--Nuintari
slashdot : where an opinion can be wrong.
All through the time I spent developing WLAN software, security was always the bottleneck. We always had to keep one thing at the back of our minds - if security isn't improved, all this work is gonna get flushed down the drain!
Fears about security have prevented WLAN from achieving all that it can potentially achieve. It was ridiculously easy for someone to break into a wireless LAN. 802.11i was seen to be the saviour, but the infighting among the various stakeholders always prevented the mechanisms defined under 802.11i from being accepted globally.
I hope things will change for the better now!
Yellow substance good on hot dogs ... no, wait.
I don't need no estinkin'
Jeepmeister
Is this new 802.11 product going to do well? With new technologies on the horizon such as WiMax will companies and businesses invest anymore money to upgrade or rollout an 802.11 product?
Naval expression, I believe. All the sailors gather (or muster) on deck and the captain inspects 'em. If their kit is all in order, they've passed muster.
Real Daleks don't climb stairs - they level the building.
Here is the problem: Most people *still* aren't going to turn on encryption, and 802.11i doesn't address one of the biggest regions people don't turn on encryption:
Encryption makes configuring your wireless network 10x harder for the average person.
As the article recognizes, "the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges."
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
So what is the average user supposed to do? Just keep waiting, I guess...
Comment removed based on user account deletion
It's that yellow, sometimes yellowish, goop people put on hot dogs, duh.
"I think so, Brain, but 'instant karma' always gets so lumpy." - Pinky
"Decepticons FOREVER!!!" - Ravage
It's "pass muster"...muster is a roll call of troops or an inventory. To pass muster is to have enough x on hand for the job.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
...to crack WEP, according to Airsnort. Whew!
The Army reading list
yeah, hopefully, they also go to 2 letters standards, otherwise we wouldn't have got Gigabit ethernet over copper (aka 802.3ab)
#include "coucou.h"
If I'm looking at your traffic, and your headers are not encrypted, then I can determine which packets may be interesting (the ones to credit card company, commercial sites, etc) and which packets aren't interesting (web surfing, MUDing, email). Makes the job of the hacker much easier, only needing to break the encryption on packets that have a much higher probability of containing good information
Don't pick up the pho*(@)$*@&@!@ NO CARRIER
muster is something you double-time to so the skuttlebutt about your chit being revoked isnt true and you wont be forced to go AWOL. d'uh.
I ask for a car and I get a computer. How's about that for being born under a bad
... sniff... sniff... do i smell somethin rotten here?
could it be that the default keys are all 1 bit ? ... for users convenience of course.
"There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
from the segessem-terces-ylotot dept.
Reversal:
totoly-secret-messeges
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
No.
Because then you don't necessarily know if you're connecting to an attacker's access point or not. This is mostly why security doesn't belong at L2 -- you don't care or trust the next hop, you trust the endpoint (or at least some faraway gateway that gets you into the endpoint).
--Dan
Comment removed based on user account deletion
"802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators" No, not really. I would much rather use Serpent (the AES runner-up) than Rinjdael (the AES standard) for my encryption. As one of "the most paranoid security administrators," I'm rather annoyed that speed was chosen over security for the AES standard.
In soviet russia, You ask not what country do for you, but what you do for country!
Oh wait...
As a person working in the network security arena for nearly 15 years the problem is divulging your internal topology. Now this might not bother you at home for corporations that deal with real data (see $$$) are very concerned about this.
I have worked with the air fortress and it encrypts at the layer 2 level so no network topology can be determined.
Very nice but it would be even better is it didn't require a client or that the client was ubiquitous with the driver.
Nick Powers
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
Mark my words. This will suck. In the future, instead of driving by in the VW van, stinking hippies will be induced by this new security to break and enter your home so they can steal your SSID and keys from your browser. This will get ugly real fast. I'm sticking with linksys/admin for the safety of the children.
Comment removed based on user account deletion
Nah, man, it's almost lunchtime. He was asking someone to pass the mustard.
Engineering and the Ultimate
We already have other and better options. Just disable WEP and use IPsec on your accesspoint.
:) - that should do the trick.
Yeah - it's a little bit slower when the en/de/cryption is done on the client but in most cases you won't notice. And on the AP you can use a crypto accelerator.
If you don't want to use a PC as AP just use http://www.m0n0.ch/wall/ in combination with http://www.soekris.com/net4501.htm (they ship with cases too
To be realistic, if you (as a programmer) are sending data that you know at the design stage that you want to keep private, you should be ancrypting it at the APPLICATION layer. If you are going to send data that you want transmitted securely, you shouldn't depend on the lower levels to do something which may or not be present. However, if you are using it as a way to keep unautorised user out of the network, you could do something similar by signing the packets as they are sent. This would cost you speed though, and it is easier to just encrypt with whatever cipher is in style at the time and check if the packet is valid.
There have been a few interesting ideas if not brilliant, but not properly executed. I'm no encryption guru, but simple username and password based security isn't all that bad, as long as the medium they're transmitted over is secure. The problem, though is how to "make" them secure.
At some point you have to start trusting the network, and stop worrying about how big your key is, or how long it takes to crack. Use a VPN for work. Use SSL for private email. Don't auto login to websites. If people start assuming they're secure because their first hop is, they're screwed, no matter how thick that first layer is to crack.
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
No, they only have 2 dot-separated groups of at most 3 alpha-numeric characters each... so 2 digits and 1 letter, or 1 digit and 2 letters, but never 2 digits _and_ 2 letters :P
The main problem here isn't HOW secure you can make something, but IF you secure it or not. There are already many options available to make an 802.11b network nice and secure. Just do your homework and you can get it done.
The problem is, all these devices are shipped for easy setup. Easy setup means "security off". People set up their networks and quit there. No wonder everyone thinks WiFi is insecure. It's a network, just like a wired network. Go through the steps to secure the wireless network too fellas. If we can get people to turn on the security features right away, or do as Apple does and ship stuff with all ports closed and security functions on, then we'll be in a better place. Sure, it may make setting up your WiFi network a bit more cumbersome or time-consuming in the beginning, but that extra five minutes is well worth it.
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
Personally, I don't see why they don't use public-key systems for this stuff. Why doesn't each client just generate a keypair and use that to exchange a random session key?
Crypto 101: don't encrypt any redundant or easy-to-guess data.
Completely wrong. Crypto 101: don't try and work around unknown flaws in the crypto at higher protocol levels - you're doomed to be chasing your tail forever. Use a secure protocol, and rely on it. AES in EAX mode will be secure no matter how redundant or easy-to-guess your data is.
I'm pretty sure your information about Kerberos is wrong - the Kerberos people had better cryptographers than to make a mistake like that. There were other cryptographic mistakes, though - in particular they tried to encrypt and authenticate with a single pass of the block cipher, a problem that wasn't correctly solved until IACBC and IAPM were proposed by Jutla in late 2000.
Xenu loves you!
The weak key problem has been addressed by all manufacturers via firmware updates. You are now forced to do dictionary attacks which require a large number of packets and resources. Still hackable, but not nearly as easy.
You need to read the article (which I didn't read). I don't need to read it since I know about the changes already. You'll find the key exchanges when combined with a true AAA provide a secure solution.
With that said, we're talking about transmissions that are easily monitored and disrupted at will. So while 802.11i is a step forward for wireless, just being wireless means that it will always be less "secure". I certainly wouldn't want wireless as a part of a critical availibility network.
The AES process was designed with the help of the worldwide cryptographic community for maximum openness and public participation. The winning algorithm was designed by two Belgians; it's way too simple to hide any chicanery in. It has now seen more cryptanalysis than any other algorithm ever except DES - which, incidentally, IBM/the NSA secretly wired to make *more* secure - and held up well. There's not a reputable cryptographer anywhere in the world who thinks there's a serious chance of AES being broken in a way that would do an attacker any real good.
The NSA approved all five finalists for the AES algorithm. If you really believe they can really break all five, then you might as well give up and start forwarding the plaintext of your email to nsa.gov now.
There's just no sane way to maintain the belief that the NSA somehow rigged the whole thing so they could read your messages. Don't let me deny you your tinfoil hat though.
Xenu loves you!
Last I heard, it look like the Courtois and Pierpzyk attack wouldn't fly. And wasn't that attack *more* effective against Serpent than against Rijndael anyway?
Even the designers of Serpent would say that they believe there are no practical attacks against AES. I voted for Serpent myself, but I still believe Rijndael is an excellent cipher the whole community can rally behind, and overwhelmingly that's what the crypto community is doing.
Xenu loves you!
I'll take the unpopular opinion here... WEP is a good thing and serves a vital function. By activating WEP, even with all the flaws, you are essentially "locking the door". Yes, it is a paper door with a crappy lock, but that isn't the point. The lock is there to tell you you're not supposed to be in as much as it is to keep you out.
The point is by securing the network at all you are putting up the equivalent of a "private property" sign. Legally, it helps a great deal. I can see a defense argument for an unsecured AP that is shouting it's SSID into a 2 block radius. However, if you have to crack it, then there is no question about legality -- you are breaking the law.
No, don't rely on WEP for security. Use and IPSec tunnel on top of it if you want security. But WEP *does* serve a great purpose in wifi -- covering your ass legally.
-Charles
Learning HOW to think is more important than learning WHAT to think.
Comment removed based on user account deletion
The weak key problem has been addressed by all manufacturers via firmware updates. You are now forced to do dictionary attacks which require a large number of packets and resources. Still hackable, but not nearly as easy.
/. post. I'm sure 802.11i has some improvements, which time will test, but my original post had little to nothing to do with wireless other than as an excuse for me to rant off on how much I hate those magic acronym weilder, such as the one in the /. post.
I know.
You need to read the article (which I didn't read). I don't need to read it since I know about the changes already. You'll find the key exchanges when combined with a true AAA provide a secure solution.
I was pointing out that magic acronyms do not equate with great security, in response to the
And I have hence read the article, but I would post to another thread to post about its merits/failings. as I said, my original post was about the broad world crypto, and how most of the world just doesn't get it.
--Nuintari
slashdot : where an opinion can be wrong.
Both lack of awareness from users and lack of sane security defaults on wi-fi hardware. Only a true tech head or systems admin would be bothered about security.
My wi-fi AP has a unique serial number and mac address stuck on a label on the box. Would it really be too differcult for a manufaturer to make a default admin password and shared key using random codes and then print these in the manual or on a sticker on the AP?
I want 802.11L to come out, how else are we going to get ludicris speed out of our networks
Again?
Never confuse volume with power.
Personally, I'm waiting for wireless ethernet over copper wire.
Think about the secret NSA cipher designs. You can't see those. What if they're weak, and you could tell by just looking at the designs in a thorough manner? Now you can't since they're secret. Security through obscurity adds another layer of security in that case.
Maybe I have my terms mixed up, but the article doesn't seem to be much of a review. I'll summarize the article:
- 802.11i has a new authentication scheme
- 802.11i uses AES for encryption instead of RC4
What I basically gleened from the article is that that 802.11i uses some of the most advanced buzzwords in the industry. I'm not saying that I think 802.11i is fluff, but the article linked above has 8 paragraphs that could have been boiled down to 1 or 2 with the same amount of factual information.
I'll rewrite the article here:
802.11i is secure! It uses AES and a new authentication scheme! It's secure now! All those nasty wireless hackers and wardrivers are finally locked out of your network! Security is here and you can buy it from Microsoft, Cisco, Atheros, and Broadcomm.
(end)
The article really just strikes me as hype. Perhaps justified hype, but so far the leading edge of 802.11i seems to be marketing rather than facts. $DIETY forbid this hype actually catch on and people start thinking about security on their APs, but somehow I just don't see it happening.
My opinion and skepticism are of course worth the paper they're printed on here.
"AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
Actually not. There are ~3 parties in the world that have possibly the capability of cracking that. If they think it's worth it that is.
The Americans like the big brother thinking where the government is looking out for them.. Some other people like russians do not trust even their own. I would trust their stuff any day over the AES.
Not that it is bad.. It's something no amateur can break, considering the implementation is done flawlessly. For instance Winzip boasted for a while "AES Encryption".. Well, they got plain owned.
I'm glad they chose Rinjdael for speed.
It means cheaper faster ASICS which means more encryption happening.
If Serpent costs more to implement less AES will be happening.
As AES approaches "free" encryption gets thrown in everywhere, leading to a more secure national infrastructure. If Rinjdael over Serpent accelerates this process by a year or two, that might be very significant. Of course, it could also be meaningless, but we just don't know.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Hey, "Uberhacker.Com" - next time you post a link, remove the session id from it!
Must-not-watch TV!
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths." [PDF]
Of course, in this context, "NSA-approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure." I suspect 99.99% of civilian users of any encryption lack an NSA-approved key management system...
Facts do not cease to exist because they are ignored. - Aldous Huxley
Don't be silly. NSA uses their own type-one algos for the serious classified stuff. They do not use AES, at any key length. Also keep in mind it isn't just NSA's job to "use" crypto, they specify its use elsewhere, so expect to see that pattern repeated i.e. DoD etc. as well. Cheers.
RC4 is a solid, well-respected algorithm, but using it correctly requires that the first few hundred bytes of the the keystream be discarded after every rekeying operation.
Out of curiosity, why?
(Got any links so I can read up on the why and wherefore?)
Wolde you bothe eate your cake, and have your cake?
I wouldn't necessarily say that WEP is woefully inadequate as much as it is extremely poorly implemented. It could have worked well but it had serious implementation issues.
As all slashdotters probably already know about:
The (in)security of WEP
Time makes more converts than reason
Out of curiosity, why?
I don't recall the details, but an attack was found a few years ago that allows the key to be recovered if the attacker can get the first few bytes of the keystream. Doing it requires the first few bytes of many related keystreams, and getting the keystream from the ciphertext requires that the attacker have the plaintext. With WEP, RC4 is rekeyed for every packet, and the first few bytes of each packet are highly predictable, so an eavesdropper can fairly easily gather enough data to mount the attack.
Got any links so I can read up on the why and wherefore?
Google turns up plenty. Here is the original paper, which has all of the dirty details. Here is a paper that describes how to use it to attack WEP. And, of course, if you'd like to read code that implements the attack, look at Airsnort.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What ever gave you the idea that you're allowed to post again?
oh, i'm not claiming AES is the NSA's super-duper-tippity-top-secret encryption, just pointing out that they allow for its use, which has gotta say SOMETHING about Rijndael. whether that something is the robustness of the algorithm or the ease of backdooring is left as an exercise.
Facts do not cease to exist because they are ignored. - Aldous Huxley
I'm guessing that the reason they don't trust 128-bit keys for TOP SECRET is they don't know how soon they will be facing serious quantum computers -- as well as walking through all known public key encryption algorithms (ones based on prime factorization, discrete logarithms, or eliptical curves) as if they were made of tissue paper, quantum computers could crack any private key system by brute-force exhaustive search as fast as a comparable conventional computer could crack one with keys of half the length. I.e. to a quantum computer, 128, 192, and 256-bit keys would be as secure as 64-bit, 96-bit, and 128-bit keys are now. The NSA needs to worry not just about what can be cracked now, but what might be crackable in a decade or two. In that light, their recommendations make a lot of sense.