Security evaluation of 802.11i
Uberhacker.Com writes "Server Pipeline features an interesting report on the security viability of 802.11i. As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. 802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
...if the backdoor password is 12345
Why is it that applying security at a higher layer is a bad thing? The data is what needs to be secured, not the headers of the packets... I don't care if people know I'm sending data to my credit card company, I do care if they know what my login and password is though... Am I missing something? Why is it so important to apply security to the lowest layer?
---
Programming is like sex... Make one mistake and support it the rest of your life.
AES!=SECURE! It's how you implement it and use it that makes you secure!
AES is the buzzword of the moment. The real question: is 802.11i implemented in such a way that it is secure from the get-go (even at the expense of usability), and implemented in such a way that it can be upgraded quickly and easily should exploits be found.
Well?? I don't give a damn what algorithm it uses, I just want it to use the algorithm CORRECTLY.
"AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
If it's really secure, why does our favourite three-letter agency allow it for normal citizens? So much for paranoia...
You can't throw pretty sounding state of the art encryption schemes at something and call it secure. WEP's failing was not a bad algorithm, RC4 isn't new by any means, but it's nothing to turn your nose to. When used properly, it can do the job. But WEP used predictable session IDs, a tiny key space, and a whole host of recommended but "optional" WEP concepts that the manufacturers ignored because they were all harder to implement.
WEP was designed with the model:
1. pretty acronyms.
2. mumble mumble mumble
3. SECURITY!!!
You could use AES in WEP and it would still be breakable, the key exchange was piss poor, making the entire system piss poor.
I didn't read the article, this was just me bitching at the slashdot post, and people who believe fancy new encryption = security automagically.
--Nuintari
slashdot : where an opinion can be wrong.
All through the time I spent developing WLAN software, security was always the bottleneck. We always had to keep one thing at the back of our minds - if security isn't improved, all this work is gonna get flushed down the drain!
Fears about security have prevented WLAN from achieving all that it can potentially achieve. It was ridiculously easy for someone to break into a wireless LAN. 802.11i was seen to be the saviour, but the infighting among the various stakeholders always prevented the mechanisms defined under 802.11i from being accepted globally.
I hope things will change for the better now!
Is this new 802.11 product going to do well? With new technologies on the horizon such as WiMax will companies and businesses invest any more money to upgrade or rollout an 802.11 product?
Here is the problem: Most people *still* aren't going to turn on encryption, and 802.11i doesn't address one of the biggest reasons people don't turn on encryption:
Encryption makes configuring your wireless network 10x harder for the average person.
As the article recognizes, "the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges."
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
So what is the average user supposed to do? Just keep waiting, I guess...
you don't have to be totally hack-proof, just moreso than any other potential target. :)
-ninjaneer
...to crack WEP, according to Airsnort. Whew!
The Army reading list
from the segessem-terces-ylotot dept.
Reversal:
totoly-secret-messeges
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
No.
Because then you don't necessarily know if you're connecting to an attacker's access point or not. This is mostly why security doesn't belong at L2 -- you don't care or trust the next hop, you trust the endpoint (or at least some faraway gateway that gets you into the endpoint).
--Dan
That's security through obscurity, really, isn't it?
AES et al. means that no one can eavesdrop on your conversation - It's encrypted from end to end. That means if you talk to your bank via https over an AES secured connection, your connection is secured to their web server at layer 2, while your passwords etc. - session data - are encrypted at layer 4.
That way, if someone does somehow break into your conversation, the session data is still protected.
AES secures the physical layer, the other systems secure the actual conversation.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
It has to do with applicability.
If you insist that security be applied at the application layer, you are insisting that all application programmers include security provisions in their software. And then, the security routines must go through peer review and analysis for at least a cursory inspection for vulnerabilities.
If you apply the security at the link layer, then you're securing a different thing. You're securing all communication across that link. There is an overwhelming desire to accomplish this in wireless transmission because of the inherent lack of control over the data path (since the transmission must be broadcast, anybody can communicate on the line).
Higher layer security is still necessary, but you need the lower layer security to avoid unwanted guests on the network.
Actually, some kinds of data are -more- secure when they're only encrypted at a higher layer. If you know certain things about the encrypted data (like port numbers or hostnames or timestamps or the like), it's easier to do traffic analysis: you have some known plaintext to search for. If nothing else, you're providing more data for a brute-force attack.
Crypto 101: don't encrypt any redundant or easy-to-guess data. That's why PGP compresses data before encrypting it. In World War 2, the Allies searched for the phrase "Heil Hitler" in encrypted German messages. It worked with surprising frequency. Many of the attacks against Kerberos 4 rely on excessive encryption: if you're sending a request from a specific host, it's kind of silly to encrypt the name of the host that's requesting a ticket. It's just one more bit of plaintext to search for. That's why Kerberos 5 moved more information to plaintext.
--
To be realistic, if you (as a programmer) are sending data that you know at the design stage that you want to keep private, you should be encrypting it at the APPLICATION layer. If you are going to send data that you want transmitted securely, you shouldn't depend on the lower levels to do something which may or may not be present. However, if you are using it as a way to keep unauthorised users out of the network, you could do something similar by signing the packets as they are sent. This would cost you speed though, and it is easier to just encrypt with whatever cipher is in style at the time and check if the packet is valid.
It's not really security through obscurity. The encryption stops attackers from joining a wifi network besides protecting all data passing through it. That's a big deal because passive sniffing is one thing, active attacking is another. Once they can inject packets onto your network, depending on design, they have breached a layer of security (then there are those that treat their wifi like the internet and trust none of it).
Yup, your L2 is secured and your L4 is as well; when we get IPsec in place your L3 will also be secured.
It's all breakable, it's just a question of time vs computing power. There is only one known unbreakable encryption method, the one time pad (quantum encryption is really just pad generation and distribution with the added benefit of being tamper evident).
AES secures Layer 2, the physical layer might be secured via Faraday cages, directional antennas, guys with guns etc. But only the really paranoid worry about that too much.
Overall it's a good idea to secure each and every layer as it just adds to the amount of computation required to decrypt what you want.
No sir I dont like it.
Some pretty substantial information can be gleaned from headers. You may not care that people know you're sending data to your credit card company. But some people do care. Any theoretical thief now knows what bank you use, for one thing. Someone with some amount of authority or social-engineering skills could go to the bank directly and correlate their logs with your traffic and find out exactly who you are. A physical thief could notice that you're visiting porn sites and decide that since you're probably not paying much attention to outside, now would be a good time to steal your car. These are contrived examples I admit, but given time, privacy is eroded greatly by such small loopholes.
To compare it to its non-internet equivalent, it is the difference between allowing everyone to see your phone records (anyone can look at where your packets are headed), and requiring a subpoena to disclose them to a court of law (subpoena the ISP or destination sites' logs). In neither case can they see or hear exactly what you said to the other end, but obviously the latter is much preferable for anyone interested in privacy.
Random and weird software I've written.
There is definite advantage to hiding what packets are going where.
Extreme Example: I may check mail from a corporate mail server. My mail session is encrypted via SSL but you can still tell which server I am communicating with. Let us say someone knew that an employee of my company lives in my town, and they wanted to find out which house that employee (me) lived in so that they could start monitoring their physical mailbox for some important letter.
If they came to my town, which uses 802.11b WISPs which 1/2 of don't use encryption because WEP is so breakable (I wish they'd turn it on to protect from casual tapping, but oh well, at least my email is sent over SSL), they could drive around for a few minutes sniffing until they triangulated the signal that was sending packets to that corporate mail server.
Am I worried about this happening? Not so much, because I have a P.O. box :) and because I rarely get postal mail, but it is possible.
Additionally, many people don't have the ability to tunnel their unencrypted data (like port 80 web traffic) to obtain ubiquitous encryption over wireless. I personally think that is the next evolution of wireless routers (including easy but secure VPN services on the router itself which can be used in conjunction or in place of lower level encryption). But until it becomes easy for the masses having a strong, common low level encryption technology is key.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
That's security through obscurity
Please stop abusing the phrase "security through obscurity." The catch phrase was meant to apply to one and only one case: The practice of obscuring encryption algorithms. Bruce Schneier's thesis was that an encryption system that relied on a secret or hidden algorithm was not secure. The phrase "security through obscurity" does not apply to anything else.
Some forms of security rely on obscurity. Encryption is just a fancy word for data obscurity. Passwords, secure tokens, and RSA private keys should all be kept hidden or obscured. It should not be too hard to think of many forms of physical and data security that include some form of obscurity.
One of the advantages to using encryption at the link layer is that it is harder to perform traffic analysis if an attacker can't determine the destination of the packet. Another advantage is access control. Only hosts that know the secret key can join the network. Both of these advantages are forms of security.
Last I heard, it looked like the Courtois and Pieprzyk attack wouldn't fly. And wasn't that attack *more* effective against Serpent than against Rijndael anyway?
Even the designers of Serpent would say that they believe there are no practical attacks against AES. I voted for Serpent myself, but I still believe Rijndael is an excellent cipher the whole community can rally behind, and overwhelmingly that's what the crypto community is doing.
Xenu loves you!
That's security through obscurity, really, isn't it?
You fail to understand the security community's use of "security through obscurity." In its proper context, this phrase means that one attempts to secure (for example) an implementation of a security protocol by not disseminating information about how that system works. For example, if someone creates a new asymmetric encryption algorithm, and does not subject it to publication and the scrutiny of peer review... then that's security through obscurity. Security through obscurity, for topics like encryption algos, is heavily frowned upon. Historically, peer review has proven best able to create robust protocols and implementations.
Locking down multiple layers in the network stack has another phrase that is very applicable: "defense in depth". I.e. if one of your security measures fails, you are wholly or partially protected by one or more other security measures. Defense in depth is generally considered to be a good technique to employ.
Security through obscurity isn't intrinsically bad. That's essentially how I keep people both out of my car and my home. How many tumbler combinations are there for the typical doorknob anyway?
Never confuse volume with power.
Out of curiosity, why?
I don't recall the details, but an attack was found a few years ago that allows the key to be recovered if the attacker can get the first few bytes of the keystream. Doing it requires the first few bytes of many related keystreams, and getting the keystream from the ciphertext requires that the attacker have the plaintext. With WEP, RC4 is rekeyed for every packet, and the first few bytes of each packet are highly predictable, so an eavesdropper can fairly easily gather enough data to mount the attack.
Got any links so I can read up on the why and wherefore?
Google turns up plenty. Here is the original paper, which has all of the dirty details. Here is a paper that describes how to use it to attack WEP. And, of course, if you'd like to read code that implements the attack, look at Airsnort.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
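The weakness described in the last comment (RC4 rekeyed for every packet, with predictable leading plaintext), shown as an added example that is not part of the original thread. It assumes the WEP construction in which the per-packet RC4 key is a 3-byte IV prepended to the shared secret, uses a constructed key and payloads, omits WEP's CRC-32 integrity value, and stops at showing what a passive listener learns; it does not recover the key.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# LLC/SNAP header that typically begins an 802.11 data payload.
SNAP = bytes.fromhex("aaaa03000000")


def wep_style_encrypt(iv: bytes, secret: bytes, payload: bytes):
    """RC4 rekeyed per packet with IV || secret; the IV travels in clear.
    Simplified: the CRC-32 integrity value WEP appends is omitted."""
    return iv, xor(payload, rc4_keystream(iv + secret, len(payload)))


def keystream_prefix(frame):
    """What a listener derives without the key: ciphertext XOR guessed header."""
    iv, ct = frame
    return iv, xor(ct[:len(SNAP)], SNAP)


def demo():
    secret = bytes.fromhex("0102030405")  # constructed 40-bit key
    body = [b"\x08\x00" + b"constructed-%d" % n for n in range(3)]
    frames = [wep_style_encrypt(bytes([0, 0, n]), secret, SNAP + body[n])
              for n in range(3)]
    # Each frame leaks (IV, first keystream bytes) of a related RC4 key.
    leaked = all(ks == rc4_keystream(iv + secret, len(SNAP))
                 for iv, ks in map(keystream_prefix, frames))
    # Same IV twice: identical keystream, so ciphertexts XOR to plaintexts XOR.
    p1, p2 = SNAP + b"first  packet", SNAP + b"second packet"
    c1 = wep_style_encrypt(b"\x00\x00\x07", secret, p1)[1]
    c2 = wep_style_encrypt(b"\x00\x00\x07", secret, p2)[1]
    return leaked, xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    print(demo())
```

Both results are true for any key, which is the point made earlier in the thread: the cipher is used in a way that hands out keystream, so swapping in a stronger algorithm without changing the keying would not help.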