Inadequate wireless security was the cause of a major retailer's well-publicized data breach. This widely aired story has brought greater attention to the choice of security protocols. Part 1 of this series discusses Wired Equivalent Privacy (WEP). Part 2 will discuss Wireless Protected Access (WPA) and WPA2.
According to news media reports, hackers were able to intercept the store's 802.11 signal. They used publicly available software on a standard laptop to crack the encryption used on the network, enabling them to record passwords and credit card information.
The hackers took advantage of the fact that the store continued to use WEP, although it had been known for several years that the protocol could be easily decrypted.WEP's vulnerability stems from the simplicity of its operation.
WEP was included in the original IEEE 802.11 specification adopted in 1989. It uses the RC4 stream cipher for both authentication and encryption. The original standard called for a 40-bit key, because at the time the standard was issued, the U.S. government limited export of more robust cryptographic methods. When the export limits were lifted, the maximum key size was increased to 104 bits.
RC4 stands for "Rivest Cipher 4." It was developed by Ron Rivest, a professor at MIT. The advantage of RC4 is that it is simple to implement in software and uses relatively few processor cycles. The low processor load was a necessity because early access points (APs) had quite limited processing power.
The protocol does not include an automated method to distribute keys, so a master key must be manually configured into each AP and each laptop or other network device. The master key is usually specified as a string of hexadecimal digits.
WEP authentication methods
WEP specifies two types of authentication: Open System and Shared Key. "Open System" means no authentication. Any station can attempt to communicate. Shared Key authentication requires four steps:
- The initiating station sends an authentication request to the receiving station, which in most cases will be an AP.
- The AP sends back a clear text challenge message.
- The station uses RC4 to encrypt the message and send it back to the AP.
- The AP decrypts the message. If it matches the message sent, the requesting station has been configured with the correct key, proving that it is authorized to use the network.
The two stations are then free to exchange messages, each encrypting and decrypting using RC4 and the same key used in the authentication process.
The sending station combines the configured master key with a 24-bit initialization vector (IV) to create a 64-bit key. The IV strengthens encryption by causing successive packets to be encrypted with different keys, making it more difficult for a hacker to determine the configured key.
The standard does not specify how the IV is created. The method depends on the implementation. Some stations use a random-number generator to generate an IV for each packet, and some start at zero and increment. The IV is sent to the receiving station in clear text in each packet.
A checksum of each packet's contents is calculated using the CRC-32 algorithm and appended to the end of the packet.
The combined key, along with the text to be encrypted, is input to RC4.
- The bytes in the combined key are scrambled by the key-scheduling algorithm.
- The scrambled key is then fed to a pseudo-random generator function that uses the scrambled key to output a key byte for each byte of the packet to be encrypted.
- Each byte of the encrypted message is created by an exclusive or (XOR) of the message byte and the key byte.
- The checksum is encrypted and added at the end of the encrypted text.
The receiving station uses the configured master key and the received clear text IV to decrypt the packet text and checksum. It then calculates the checksum over the packet text. If the received checksum and calculated checksum match, the packet contents have not been altered in transit.
Shortly after the 802.11 standard appeared, cryptologists pointed out inadequacies in the protocol. Some of these shortcomings are as follows:
The IV is too short; 24 bits means only 16 million possible IVs. A busy network will use and reuse the same IV over the course of a few hours. Further, approximately 9,000 of the possible 16 million IVs are called "weak IVs." Use of a weak IV reveals more information about the configured key than other IVs.
The authentication mechanism is a source of weakness. The challenge text from the AP to the client is sent in the clear, and the client responds with the encrypted text. A hacker can use the clear text challenge, the clear text IV, and the encrypted response to forge an authentication response that will allow the hacker into the network.
As the need to replace WEP became apparent, work began in the IEEE on 802.11i, which resulted in WPA and WPA2. These protocols will be discussed in the next part of this series.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.