Slashdot Mirror
Security evaluation of 802.11i
Uberhacker.Com writes "Server Pipeline features an interesting report on the security viability of 802.11i. As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. 802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
...if the backdoor password is 12345
The 'i' is for insecure of course. What else could it possibly stand for?
My office has been taken over by iPod people.
I line the interior of my house and roof with tin-foil, so I think my Wireless network should be pretty safe.
(obligatory post, sorry)
Check out the best P2P sharing website: MEDIACHEST.COM
Why is it that applying security at a higher layer is a bad thing? The data is what needs to be secured, not the headers of the packets... I don't care if people know I'm sending data to my credit card company, I do care if they know what my login and password is though... Am I missing something? Why is it so important to apply security to the lowest layer?
---
Programming is like sex... Make one mistake and support it the rest of your life.
AES!=SECURE! It's how you implement it and use it that makes you secure!
AES is the buzzword of the moment. The real question: is 802.11i implemented in such a way that it is secure from the get-go (even at the expense of usability), and implemented in such a way that it can be upgraded quickly and easily should exploits be found.
Well?? I don't give a damn what algorithm it uses, I just want it to use the algorithm CORRECTLY.
"AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
If it's really secure, why does our favourite tree-letter-agency allow it for normal citizens? So much for paranoia...
Comment removed based on user account deletion
You can't throw pretty sounding state of the art encryption schemes at something and call it secure. WEP's failing was not a bad algorithem, RC4 isn't new by any means, but its nothing to turn your nose to. When used properly, it can do the job. But WEP used predictable session id's, a tiny key space, and a whole host of recomended but "optional" wep concepts that the manufacturers ignored because they were all harder to implement.
Wep was designed with the model:
1. pretty acronyms.
2. mumnle mumble mumble
3. SECURITY!!!
You could use AES in wep and it would still be breakable, the key exchange was piss poor, making the entire system piss poor.
I didn't read the article, this was just me bitching at the slashdot post, and people who believe fancy new encryption = security automagically.
--Nuintari
slashdot : where an opinion can be wrong.
All through the time I spent developing WLAN software, security was always the bottleneck. We always had to keep one thing at the back of our minds - if security isn't improved, all this work is gonna get flushed down the drain!
Fears about security have prevented WLAN from achieving all that it can potentially achieve. It was ridiculously easy for someone to break into a wireless LAN. 802.11i was seen to be the saviour, but the infighting among the various stakeholders always prevented the mechanisms defined under 802.11i from being accepted globally.
I hope things will change for the better now!
Is this new 802.11 product going to do well? With new technologies on the horizon such as WiMax will companies and businesses invest anymore money to upgrade or rollout an 802.11 product?
Here is the problem: Most people *still* aren't going to turn on encryption, and 802.11i doesn't address one of the biggest regions people don't turn on encryption:
Encryption makes configuring your wireless network 10x harder for the average person.
As the article recognizes, "the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges."
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
So what is the average user supposed to do? Just keep waiting, I guess...
It's "pass muster"...muster is a roll call of troops or an inventory. To pass muster is to have enough x on hand for the job.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
...to crack WEP, according to Airsnort. Whew!
The Army reading list
If I'm looking at your traffic, and your headers are not encrypted, then I can determine which packets may be interesting (the ones to credit card company, commercial sites, etc) and which packets aren't interesting (web surfing, MUDing, email). Makes the job of the hacker much easier, only needing to break the encryption on packets that have a much higher probability of containing good information
Don't pick up the pho*(@)$*@&@!@ NO CARRIER
from the segessem-terces-ylotot dept.
Reversal:
totoly-secret-messeges
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
No.
Because then you don't necessarily know if you're connecting to an attacker's access point or not. This is mostly why security doesn't belong at L2 -- you don't care or trust the next hop, you trust the endpoint (or at least some faraway gateway that gets you into the endpoint).
--Dan
"802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators" No, not really. I would much rather use Serpent (the AES runner-up) than Rinjdael (the AES standard) for my encryption. As one of "the most paranoid security administrators," I'm rather annoyed that speed was chosen over security for the AES standard.
In soviet russia, You ask not what country do for you, but what you do for country!
Oh wait...
As a person working in the network security arena for nearly 15 years the problem is divulging your internal topology. Now this might not bother you at home for corporations that deal with real data (see $$$) are very concerned about this.
I have worked with the air fortress and it encrypts at the layer 2 level so no network topology can be determined.
Very nice but it would be even better is it didn't require a client or that the client was ubiquitous with the driver.
Nick Powers
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
We already have other and better options. Just disable WEP and use IPsec on your accesspoint.
:) - that should do the trick.
Yeah - it's a little bit slower when the en/de/cryption is done on the client but in most cases you won't notice. And on the AP you can use a crypto accelerator.
If you don't want to use a PC as AP just use http://www.m0n0.ch/wall/ in combination with http://www.soekris.com/net4501.htm (they ship with cases too
To be realistic, if you (as a programmer) are sending data that you know at the design stage that you want to keep private, you should be ancrypting it at the APPLICATION layer. If you are going to send data that you want transmitted securely, you shouldn't depend on the lower levels to do something which may or not be present. However, if you are using it as a way to keep unautorised user out of the network, you could do something similar by signing the packets as they are sent. This would cost you speed though, and it is easier to just encrypt with whatever cipher is in style at the time and check if the packet is valid.
There have been a few interesting ideas if not brilliant, but not properly executed. I'm no encryption guru, but simple username and password based security isn't all that bad, as long as the medium they're transmitted over is secure. The problem, though is how to "make" them secure.
At some point you have to start trusting the network, and stop worrying about how big your key is, or how long it takes to crack. Use a VPN for work. Use SSL for private email. Don't auto login to websites. If people start assuming they're secure because their first hop is, they're screwed, no matter how thick that first layer is to crack.
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
The main problem here isn't HOW secure you can make something, but IF you secure it or not. There are already many options available to make an 802.11b network nice and secure. Just do your homework and you can get it done.
The problem is, all these devices are shipped for easy setup. Easy setup means "security off". People set up their networks and quit there. No wonder everyone thinks WiFi is insecure. It's a network, just like a wired network. Go through the steps to secure the wireless network too fellas. If we can get people to turn on the security features right away, or do as Apple does and ship stuff with all ports closed and security functions on, then we'll be in a better place. Sure, it may make setting up your WiFi network a bit more cumbersome or time-consuming in the beginning, but that extra five minutes is well worth it.
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
Crypto 101: don't encrypt any redundant or easy-to-guess data.
Completely wrong. Crypto 101: don't try and work around unknown flaws in the crypto at higher protocol levels - you're doomed to be chasing your tail forever. Use a secure protocol, and rely on it. AES in EAX mode will be secure no matter how redundant or easy-to-guess your data is.
I'm pretty sure your information about Kerberos is wrong - the Kerberos people had better cryptographers than to make a mistake like that. There were other cryptographic mistakes, though - in particular they tried to encrypt and authenticate with a single pass of the block cipher, a problem that wasn't correctly solved until IACBC and IAPM were proposed by Jutla in late 2000.
Xenu loves you!
The weak key problem has been addressed by all manufacturers via firmware updates. You are now forced to do dictionary attacks which require a large number of packets and resources. Still hackable, but not nearly as easy.
You need to read the article (which I didn't read). I don't need to read it since I know about the changes already. You'll find the key exchanges when combined with a true AAA provide a secure solution.
With that said, we're talking about transmissions that are easily monitored and disrupted at will. So while 802.11i is a step forward for wireless, just being wireless means that it will always be less "secure". I certainly wouldn't want wireless as a part of a critical availibility network.
The AES process was designed with the help of the worldwide cryptographic community for maximum openness and public participation. The winning algorithm was designed by two Belgians; it's way too simple to hide any chicanery in. It has now seen more cryptanalysis than any other algorithm ever except DES - which, incidentally, IBM/the NSA secretly wired to make *more* secure - and held up well. There's not a reputable cryptographer anywhere in the world who thinks there's a serious chance of AES being broken in a way that would do an attacker any real good.
The NSA approved all five finalists for the AES algorithm. If you really believe they can really break all five, then you might as well give up and start forwarding the plaintext of your email to nsa.gov now.
There's just no sane way to maintain the belief that the NSA somehow rigged the whole thing so they could read your messages. Don't let me deny you your tinfoil hat though.
Xenu loves you!
Last I heard, it look like the Courtois and Pierpzyk attack wouldn't fly. And wasn't that attack *more* effective against Serpent than against Rijndael anyway?
Even the designers of Serpent would say that they believe there are no practical attacks against AES. I voted for Serpent myself, but I still believe Rijndael is an excellent cipher the whole community can rally behind, and overwhelmingly that's what the crypto community is doing.
Xenu loves you!
I'll take the unpopular opinion here... WEP is a good thing and serves a vital function. By activating WEP, even with all the flaws, you are essentially "locking the door". Yes, it is a paper door with a crappy lock, but that isn't the point. The lock is there to tell you you're not supposed to be in as much as it is to keep you out.
The point is by securing the network at all you are putting up the equivalent of a "private property" sign. Legally, it helps a great deal. I can see a defense argument for an unsecured AP that is shouting it's SSID into a 2 block radius. However, if you have to crack it, then there is no question about legality -- you are breaking the law.
No, don't rely on WEP for security. Use and IPSec tunnel on top of it if you want security. But WEP *does* serve a great purpose in wifi -- covering your ass legally.
-Charles
Learning HOW to think is more important than learning WHAT to think.
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths." [PDF]
Of course, in this context, "NSA-approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure." I suspect 99.99% of civilian users of any encryption lack an NSA-approved key management system...
Facts do not cease to exist because they are ignored. - Aldous Huxley
Out of curiosity, why?
I don't recall the details, but an attack was found a few years ago that allows the key to be recovered if the attacker can get the first few bytes of the keystream. Doing it requires the first few bytes of many related keystreams, and getting the keystream from the ciphertext requires that the attacker have the plaintext. With WEP, RC4 is rekeyed for every packet, and the first few bytes of each packet are highly predictable, so an eavesdropper can fairly easily gather enough data to mount the attack.
Got any links so I can read up on the why and wherefore?
Google turns up plenty. Here is the original paper, which has all of the dirty details. Here is a paper that describes how to use it to attack WEP. And, of course, if you'd like to read code that implements the attack, look at Airsnort.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.