Reality Check – Wireless Lessons from the Real-World
Debunking Wireless Myths: Wireless Networks are Intrinsically Insecure
By Larry Allhands – Apprion Wireless Advisor
Securing a wireless network is serious business for any IT professional, but how secure do you need to be to truly protect your network from being attacked and ultimately compromised, and which techniques will best afford the desired results? WEP, WPA PSK, WPA Enterprise, WPA2 PSK, WPA2 Enterprise: with all of the wireless security standards and options available and the conflicting advice of supposed wireless experts, it is no wonder confusion reigns supreme, resulting in the perpetuation of urban legends. To develop a comprehensive wireless security plan, it is essential to know the facts, so we will first discuss the various wireless security options available.
Wireless Security Options
- WEP (Wired Equivalent Privacy) – A deprecated wireless security protocol initially introduced in 1999 to secure 802.11 wireless networks. In 2001, many serious cryptographic weaknesses were identified, allowing WEP to be compromised within a matter of minutes.
- WPA (Wi-Fi Protected Access) – A wireless security system developed in response to the weaknesses of WEP. WPA was designed to replace WEP while the full security standard (802.11i) was being developed in the form of WPA2. WPA implements the majority of the 802.11i standard and was specifically designed to work with first-generation (pre-WPA standard) wireless network interface cards.
- WPA2 (802.11i – Wi-Fi Protected Access) – A wireless security system utilizing the full mandatory elements of the IEEE 802.11i standard. WPA2 employs a new AES-based algorithm, CCMP, which is considered fully secure. WPA2 will not work with some older network cards.
- PSK (Pre-Shared Key) – A "shared secret" which is shared between two parties using some secured channel prior to use. A PSK may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits and may be used in the following forms:
  - Password - dog679leg
  - Passphrase - Spiderman beat Batman in 1994
  - Hexadecimal string - 4E102AB2511CEE541
- Enterprise (802.1X RADIUS authentication) – Enterprise is meant for use with an 802.1X authentication (RADIUS) server, which distributes different keys to each user after authenticating credentials. This is the most secure wireless networking technology in existence today.
Wireless Myth: WPA PSK & WPA2 PSK have been cracked in a matter of minutes
Details: When people refer to WPA being cracked, they are referring to one of two known exploits relating to the Wi-Fi Protected Access (WPA) security standard. The most recent exploit, documented in late 2008, has to do with a flaw in the TKIP (Temporal Key Integrity Protocol) algorithm that was inherited from backward compatibility with WEP. This TKIP flaw allows an attack that decrypts short individual packets in 12-15 minutes and, using a QoS flaw, replays those packets with modified data. The hacker can't crack and view all the traffic but would probably be able to perform ARP/DNS spoofing/poisoning. This is not a WPA crack but an exploit of one encryption method. Luckily WPA supports two encryption methods, TKIP and AES (CCMP).
Solution #1: While the TKIP exploit is not very serious, using AES (CCMP) removes any threat of this attack.
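Solution #1 comes down to a configuration check: is TKIP still offered anywhere on the access point? The following is an added example, not Apprion's code or any vendor's tool. It audits a hostapd-style key=value configuration, assuming hostapd's documented option names (wpa, wpa_pairwise, rsn_pairwise, wpa_passphrase); both sample configurations are constructed for illustration.

```python
"""Audit a hostapd-style access-point configuration for the TKIP exposure.

Added example (assumption: hostapd key=value syntax and option names).
"""

# Constructed "before" configuration: WPA version 1 with the TKIP cipher and a short PSK.
WEAK_CONF = """\
interface=wlan0
ssid=plant-floor
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=dog679leg
"""

# Constructed "after" configuration: WPA2 only, CCMP (AES) only, long random PSK.
HARDENED_CONF = """\
interface=wlan0
ssid=plant-floor
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=T7v!qL2#xR9&mZ4pW8@kH3sN
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed configuration line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return a list of findings; an empty list means CCMP-only WPA2 with a long PSK."""
    findings = []
    # hostapd's 'wpa' is a bit field: bit 0 enables WPA (v1), bit 1 enables WPA2/RSN.
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("no WPA/WPA2 configured (network is open or WEP)")
    if wpa & 1:
        findings.append("WPA version 1 enabled; prefer wpa=2 so only WPA2 clients associate")
    ciphers = set()
    if wpa & 1:
        ciphers |= set(conf.get("wpa_pairwise", "").split())
    if wpa & 2:
        # rsn_pairwise defaults to the wpa_pairwise value when it is not set explicitly.
        ciphers |= set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher offered: exposed to the TKIP/QoS packet-injection flaw; use CCMP only")
    if "CCMP" not in ciphers:
        findings.append("CCMP (AES) not offered")
    psk = conf.get("wpa_passphrase")
    if psk is not None and len(psk) < 20:
        findings.append(f"wpa_passphrase is {len(psk)} characters; use at least 20")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

A mixed-mode configuration (wpa=3 with `wpa_pairwise=TKIP CCMP`) is still flagged, since a WPA client negotiating TKIP keeps the weak cipher in use on the network even when CCMP is also offered.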
Prior to the TKIP exploit, in late 2004, many headlines stated that WPA had been cracked. In reality, the standard had never been cracked; rather, a WPA PSK implementation with a weak "shared secret" had been cracked. Here is how it works: a hacker uses a tool to scan the wireless airwaves for access points and wireless clients. When he finds a wireless client, he kicks it off the target access point by injecting DeAuth packets between them. Then the hacker watches as the client re-associates, completing the handshake with the access point. In doing so, he recovers the encrypted "shared secret" (the PSK). Now the hacker has captured the encrypted key file on his computer, but he must use a brute force or dictionary attack to actually get a working PSK and gain access to network resources.
A dictionary attack differs slightly from a brute force attack. Where a brute force attack simply tries every combination of characters in a password, a dictionary attack uses a list of common words and passphrases first to try to guess the password. The hacker will most likely try a dictionary attack first, hoping for a quick break. If the password is randomly generated, he will be forced to use the brute force method.
- The time it takes a brute force attack to guess a password is a function of the computing power (number of attempts per second) and the length of the random password. For instance, if a hacker can test 100 words per second and you used a single-character random password drawn from a-z, A-Z, and 0-9 (72 characters), it would take approximately 0.72 seconds to crack it:
  - 72^1 character combinations / 100 character combinations per second = 0.72 seconds
- If we move from a single character to an eight-character random password we get the following:
  - 72^8 character combinations / 100 character combinations per second = 7222041363087.36 seconds, or approximately 319,849 years.
- Once the hacker has successfully guessed your password, he will have the plaintext PSK and will be able to freely access your network resources.
Solution #2: If you use WPA or WPA2 PSK, make sure you use a long random key. Most experts recommend a 20-character key for minimum security, but you may use a key up to 63 characters long for very high security. There are many random WPA key generators online; use one to ensure a truly random key. Finally, rotate your keys annually; this will ensure your WPA PSK network is very secure.
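The PSK format rules listed under Wireless Security Options, the brute force arithmetic above, and Solution #2 can be carried through in a few lines. The following is an added example, not Apprion's code or one of the online generators the article refers to: it checks a key against the 8-63 printable ASCII / 64 hexadecimal digit rule, computes the exhaustive-search time for any alphabet size, key length and guess rate (the article's 72-character alphabet and 100 guesses per second are the sample input), and generates a key with the operating system's cryptographic random number generator. The 365-day year and the default 94-character alphabet (printable ASCII without the space) are assumptions of this example.

```python
"""WPA PSK format check, exhaustive-search time estimate and random key generation.

Added example. Assumptions: 365-day year; default generation alphabet is printable
ASCII without the space character so the key pastes cleanly into device UIs.
"""
import math
import secrets
import string
from fractions import Fraction

PRINTABLE_ASCII = "".join(chr(c) for c in range(0x20, 0x7F))   # 95 characters incl. space
KEY_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94, no space
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year


def classify_psk(psk: str) -> str:
    """Return 'hex-key' for exactly 64 hex digits, 'passphrase' for 8-63 printable ASCII chars."""
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "hex-key"
    if 8 <= len(psk) <= 63 and all(c in PRINTABLE_ASCII for c in psk):
        return "passphrase"
    raise ValueError(f"not a valid WPA PSK ({len(psk)} characters)")


def seconds_to_crack(alphabet_size: int, length: int, guesses_per_second: int) -> Fraction:
    """Worst-case time to try every one of alphabet_size**length keys, kept exact."""
    return Fraction(alphabet_size ** length, guesses_per_second)


def years_to_crack(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Same estimate converted to (365-day) years."""
    return float(seconds_to_crack(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random key of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def generate_psk(length: int = 20, alphabet: str = KEY_ALPHABET) -> str:
    """Generate a passphrase with the OS CSPRNG (secrets), never the random module."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The article's scenario: 72-character alphabet, 100 guesses per second.
    for length in (1, 8, 20, 63):
        print(f"{length:2d} chars: {years_to_crack(72, length, 100):.3g} years, "
              f"{entropy_bits(72, length):.0f} bits")
    key = generate_psk(20)
    print("generated:", key, classify_psk(key))
```

Varying the guess rate is the useful exercise: the same 20-character key that is out of reach at 100 guesses per second should still be out of reach at the rates a GPU cluster manages, which is why the recommendation is length rather than a particular tool.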
Larry Allhands is a Senior Systems Architect at Apprion. Larry has over eight years' experience designing and deploying high-security wireless networks for municipal law enforcement and industrial environments. He was the primary design architect of the security model accepted by the California Department of Justice for running highly sensitive Computer Aided Dispatch (CAD) data over wireless 802.11b and CDMA connections in 2002.