More on AirPort/IEEE 802.11b Security

August 15, 2001
by Brad Knowles
Columnist

It's been a while since my previous article on this subject. A lot of things have happened since then.

First, I should clear up a couple of things. When I said "40-bit WEP" versus "128-bit encryption", I should have made clear that you add the WEP key to the 24-bit Initialization Vector (IV), to get the total amount of bits that are used in the encryption. This means that 40-bit WEP gives you 64-bit encryption (40+24=64), while you have 104-bit WEP keys in 128-bit encryption (104+24=128).

Secondly, I stated that there are difficulties mixing and matching cards with 64-bit encryption and cards with 128-bit encryption, but I got some responses back that indicate that other people have had no problem enabling encryption on both types of cards, and still getting them to interoperate. I think that this is a platform issue, as I am using a PowerBook G3 "Pismo" with MacOS 9.0.4 and my wife is using a Compaq Armada 4100T with Windows 95, and we're both communicating with an Apple AirPort with the AirPort 1.3 software. I suspect that other people have been using other OSes (such as Linux or FreeBSD) which have allowed them more freedom in terms of whether encryption is enabled on a card and whether that card will still interoperate with others that do not have the same bit-length of key.

Now, I previously said that the simplest attack on 802.11b security was by going after the 24-bit IV that is shared between the 64-bit and 128-bit encryption modes. This is still true. However, doing so doesn't give you the shared secret key, which would allow you to decrypt all traffic that has (or will be) captured for that node (or those nodes).

I also previously said that it should be relatively easy to perform a brute-force attack on a 64-bit key in order to recover the shared secret (on the right hardware, something that should be able to be done in a matter of just a few seconds), and compared this against previous brute-force attacks that had been done on other keys with other encryption algorithms. This is also still true.

However, a new attack on the RC4 encryption algorithm has since come to light that allow you to break the keys even faster, and avoid the brute-force attack (which would have taken quite a while longer to perform on the longer 128-bit keys). This new attack allows you to capture a few thousand packets (which can take just fifteen minutes or so on a busy network), and then crack the key in what is called "linear time" with respect to the key length -- normally, when you add a single bit of key, that makes it twice as hard to crack, and this is called "exponential time", but with linear time adding a single bit to a key means that you may crack the key in just 65 minutes as opposed to 64 minutes.

The new attack is outlined in a paper by Scott Fluhrer, Itsik Mantin, and Adi Shamir, entitled "Weaknesses in the Key Scheduling Algorithm of RC4". It is available in Postscript form at <http://www.cs.umd.edu/~waa/class-pubs/rc4_ksaproc.ps>, and you can find a copy in Adobe Acrobat form at <http://eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf>.

I should point out that Adi Shamir was one of the three people who were responsible for inventing the RSA encryption algorithm, and very few people in the industry have better crypto credentials than he does.

In addition, the attacks outlined in this paper have actually been implemented, and the implementation details have been outlined in another paper, entitled "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP", by Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, and available at <http://www.cs.rice.edu/~astubble/wep/> (in Postscript, PDF, and HTML forms).

I should also point out that Avi Rubin is one of the few people in the industry that has crypto credentials on par or nearly on par with Adi Shamir, and has written a number of papers, reports, books, received patents, etc... on subjects related to computer security and cryptography.

In short, any kind of illusions you may have regarding security and 802.11b networking should now be completely destroyed. If you are going to use 802.11b networking, you need to use some additional security on top of what is provided by the hardware -- either a "real" Virtual Private Network (VPN) solution that runs in software (between your machine and a gateway or firewall on the other side of the 802.11b base station), or use protocols that include their own encryption security (such as accessing your e-mail via SSL-secured web pages, or doing POP3 or IMAP over SSL to read your mail, and submitting mail via a mail server that uses SSL-enabled SMTP).

You should still use whatever encryption is available to you on the hardware (if possible, and you can work around interoperability issues with differing levels of encryption, or cross-platform problems), and you should set up "closed networks" (a.k.a., Access Control Lists, or ACLs) on the base station, so that it will accept connections only from those cards that you have configured it to know about.

Yes, both of these mechanisms can be cracked or spoofed by people who know what they're doing (or are using the right tools), but at least doing these two things makes it that much more difficult for the casual passer-by.

Nevertheless, if you use 802.11b and these mechanisms, if you're not also adding a layer of additional security in software on top of them, you should consider that everything you receive or transmit via 802.11b is being splattered in the clear in a radius of hundreds and thousands of feet from your location -- and may even be easily received by people who are miles away from you, if they have the right antenna.

If you want to learn more about this subject, Glenn Fleishman maintains a good page at <http://80211b.weblogger.com/>, including a link to a recent TidBITS article that he wrote at <http://db.tidbits.com/getbits.acgi?tbart=06520>. There is also a good list of articles relating to 802.11b security at <http://www.cs.umd.edu/~waa/wireless.html>, maintained by William A. Arbaugh (unfortunately, it doesn't yet seem to have a link to the paper by Stubblefield, Ioannidis, and Rubin).

O'Reilly (the folks who publish the peerless "Nutshell" books, as well as the "Missing Manual" books) have a very good "Wireless Development Center" at <http://www.oreillynet.com/wireless/>, which includes topics such as 802.11b, etc....

Finally, there is also the 802.11 Planet web site at <http://www.80211-planet.com/>, with the latest news, insights, announcements, and articles about 802.11 networking, products, protocols, etc....

Note that, as of today, MacOS X only supports the Apple AirPort card, and does not have any drivers for any other 802.11b cards (nor do there appear to be any drivers for other cards available from the various manufacturers). However, if you're willing to give up encryption, there are instructions and links available on using Lucent/Agere WaveLAN/Orinoco cards at <http://forums.macnn.com/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=3&t=006510>, and this may also support other cards such as Farallon SkyLine, and Cabletron.