This week, Michael Ossmann of SecurityFocus released an alarming article on recent advances in wireless LAN encryption cracking that put many WLAN networks once thought to be secure at risk. Even though the WPA standard brought us TKIP encryption in 2003 and the 802.11i standard brought us AES encryption this year, many organizations and enterprises are still using Dynamic WEP to encrypt their WLAN data to keep hackers from seeing sensitive data or gaining unauthorized network access. Because Dynamic WEP was thought to be relatively safe and didn't have any special hardware/firmware/software requirements like TKIP or AES, many organizations have held off on their migration plans to the newer WPA standard -- let alone the 802.11i standard. Unfortunately, the lease on life that Dynamic WEP has given old Wi-Fi hardware has just expired.
Dynamic WEP is actually a loosely coined term rather than an official standard. It describes a process derived from 802.1x and EAP authentication in which a unique per-user WEP key is typically rotated every 10 minutes. Traditional WEP, on the other hand, uses a shared WEP key for all users and has no automated mechanism for key rotation. Because the WEP key was highly susceptible to key recovery after it had been used on 5 to 10 million packets, giving each user a unique rotating key made it nearly impossible to hack with existing cryptanalysis techniques. This worked because the WEP key rotated well before a hacker could collect even 1 million packets to analyze, far short of the 5 to 10 million packets needed to break WEP. While this rotation technique worked, it was still a solution whose temporary effectiveness hinged on the time it took to break WEP rather than on a fundamentally sound design in the encryption algorithm.
This August, everything changed when a hacker named KoreK released a new piece of attack code that sped up WEP key recovery by nearly two orders of magnitude. Instead of needing to collect 10 million packets to crack the WEP key, it now took fewer than 200,000 packets. Since then, more refined tools such as Aircrack have implemented KoreK's optimized cryptanalysis code, and it's now easier than ever to crack WEP keys with lightning speed. According to Joshua Wright, deputy director of training at the SANS Institute and author of ASLEAP (a very powerful password cracking tool), WEP keys have been recovered in as little as 75,000 packets. If this wasn't bad enough, active WEP attack techniques can further speed up packet collection and reduce the time it takes to break into a WEP-based network. Active attacks work much faster because the hacker does not simply listen passively for network traffic, but artificially increases network traffic by re-broadcasting packets designed to solicit a response from legitimate devices on the WLAN. Many routine transmissions on a network are of a fixed and predictable length. Even though the hacker can't decipher their encrypted form, he can guess what they are and use them to provoke traffic-generating responses. With more easy-to-use tools that promise to incorporate these more advanced forms of attack, the end result is that even rapidly rotating WEP keys are now useless for encryption.
The IEEE standards body that originally ratified WEP in 1999 set out to fix things in 2001 by coming up with a completely new standard called 802.11i, which incorporated military-grade AES encryption. But because the ratification of these types of standards takes many years, the industry group called the Wi-Fi Alliance (formerly WECA) came up with its own interim standard called WPA, which was essentially "802.11i lite." Instead of mandating the processor-hungry AES encryption algorithm, the group only required the TKIP encryption algorithm and made AES optional to accommodate the Wi-Fi hardware makers. TKIP was not a Band-Aid for WEP; it was a rewrite of the WEP algorithm which required driver- and firmware-level upgrades on all Wi-Fi equipment. For now, TKIP is reasonably secure, but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on. Attacks on TKIP are on the horizon. AES, however, came from the NIST, whose predecessors brought us the DES standard. The NIST has a very respectable track record for producing encryption standards that have very few if any statistical or mathematical weaknesses. Breakthroughs in cryptanalysis are always possible. However, DES held up for over two decades and only succumbed to a brute force attack 22 years after its official release date in 1976, while WEP encryption couldn't even hold up for two years. There is no expectation that the new AES algorithm will be any less reliable than DES, and it will definitely not be brute forced any time soon. AES is even trusted for military application.
Given these new developments in WEP cryptanalysis, the following recommendations should immediately be acted upon by any organization utilizing WEP or Dynamic WEP.
- Update all client "supplicant" software to support TKIP and AES encryption. Cisco, Microsoft, Funk, Meetinghouse Data Communications, and Open Source projects all have updated clients. Windows XP SP2 has built-in support while XP SP1 requires a WPA patch.
- Update firmware on all 802.11 access points to support TKIP and AES. Note that some older access points don't support AES and some don't support either. Check with the access point manufacturer.
- Update firmware and drivers on all client 802.11 Wi-Fi network adapters or built-in Wi-Fi chipsets. This usually comes in a single software package that updates both the firmware and driver. Check with the manufacturer of the Wi-Fi adapter or the notebook manufacturer in the case of integrated Wi-Fi chipsets. Some don't support AES and some don't even support TKIP.
- Mandate TKIP encryption at a minimum immediately as a stopgap measure for all WLANs.
- If possible, mandate AES encryption immediately. Since that may not be feasible given the existing hardware base, put AES migration on the fast track before TKIP exploits surface.
- If neither TKIP nor AES is possible, resort to VPNs, where the WLAN is placed on an untrusted network and all clients must VPN in to the trusted network using 3DES or AES encryption and strong certificate or OTP token based authentication. Note that this is not generally a desirable substitute for 802.11 TKIP or AES encryption, but it works as a quick and dirty security measure. VPNs are not desirable because they are cumbersome to deploy and they only protect down to the network layer and not down to the datalink layer. Leaving the datalink layer unprotected has its own consequences, but VPNs will at least protect your data and prevent unauthorized access.
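
To check these recommendations against what the access points actually advertise, the sketch below grades an AP from the information elements in its beacon: the RSN element (802.11i) and the vendor-specific WPA element list the pairwise ciphers on offer. This is an added example, not code from the article; it assumes the Privacy bit and raw element bytes have already been pulled from a capture, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct

# Cipher suite type codes shared by the RSN (802.11i) and WPA element formats.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
WEP = {"WEP-40", "WEP-104"}
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite selectors
WPA_OUI = b"\x00\x50\xf2"   # Wi-Fi Alliance WPA suite selectors

def pairwise_ciphers(body, oui):
    """Pairwise cipher names from an RSN/WPA element body that starts at the version field."""
    if len(body) < 8:
        return set()                              # truncated element: report nothing
    (count,) = struct.unpack_from("<H", body, 6)  # follows version(2) + group suite(4)
    names = set()
    for i in range(count):
        suite = body[8 + 4 * i: 12 + 4 * i]
        if len(suite) < 4:
            break                                 # count claims more suites than are present
        if suite[:3] == oui:
            names.add(CIPHERS.get(suite[3], "unknown-%d" % suite[3]))
    return names

def classify(privacy_bit, ies):
    """Grade one AP from its Privacy capability bit and raw information elements."""
    ciphers, pos = set(), 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2: pos + 2 + length]
        pos += 2 + length
        if tag == 48:                                        # RSN element
            ciphers |= pairwise_ciphers(body, RSN_OUI)
        elif tag == 221 and body[:4] == WPA_OUI + b"\x01":   # vendor-specific WPA element
            ciphers |= pairwise_ciphers(body[4:], WPA_OUI)
    if not ciphers:   # no WPA/RSN element: a beacon cannot tell static from Dynamic WEP
        return "WEP (static or dynamic): migrate now" if privacy_bit else "open"
    if ciphers & WEP:
        return "WEP pairwise still offered: migrate now"
    if ciphers == {"CCMP (AES)"}:
        return "AES only: meets target"
    if "TKIP" in ciphers:
        return "TKIP allowed: stop-gap, plan AES"
    return "unrecognised ciphers: review manually"

# Constructed sample elements (tag, length, body), not taken from a real capture.
SSID = bytes.fromhex("0004636f7270")
RSN_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
WPA_TKIP = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f201")

if __name__ == "__main__":
    for name, ies in [("wep", SSID), ("wpa", SSID + WPA_TKIP), ("rsn", SSID + RSN_CCMP)]:
        print(name, "->", classify(True, ies))
```

An AP in mixed mode (both elements present, TKIP and CCMP offered) grades as TKIP, since clients can still negotiate the weaker cipher.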