A new standard addresses key WEP deficiencies
The currently deployed 802.11 wireless LAN (WLAN) IEEE standard is riddled with security flaws and deficiencies. In short, the standard features no user authentication, offers no mutual authentication between the wireless device and Access Point (AP), and contains a flawed encryption protocol. The encryption protocol permits the modification of specific bits without the receiver recognizing the change, and the different encryption components (key and initialization vectors) fail to provide the encryption process with sufficient randomness. Malicious users, armed with any number of free downloadable tools, can easily break into encrypted wireless traffic.
To improve the standard and close holes in current wireless implementations, IEEE developed the 802.11i Task Group. To address each of the aforementioned flaws, this group has developed a new authentication framework that encompasses several components. First, the use of the Extensible Authentication Protocol (EAP) and 802.1x enforces user authentication and mutual authentication. Second, Message Integrity Code (MIC) detects modifications of bits during transmission. Third, the Temporal Key Integrity Protocol (TKIP) generates random values for the encryption process, which becomes much harder for an attacker to break. To permit an even higher level of encryption protection, the 802.11i standard also includes the new Advanced Encryption Standard (AES) for new WLAN implementations.
The full 802.11i standard is due for release in September 2003, but the ball is already rolling. The Wi-Fi Alliance has announced that it will now certify products based on the 802.11i standard's core components, which the alliance collectively calls Wireless Protected Access (WPA). Let's take a look at the 802.11i standard's encryption processes, then focus on how the separate components of the standard provide far better security than that of Wired Equivalent Privacy (WEP)—the protocol that the original 802.11 standard uses.
Attacking WEP Deficiencies
Wireless devices and networks that use the original 802.11 standard are vulnerable to a long list of attacks. Malicious users can easily sniff wireless traffic, modify data during transmission without the receiver's knowledge, erect rogue APs (which users can authenticate to and communicate with without knowing they're malicious entities), and quickly and easily decrypt encrypted wireless traffic. These vulnerabilities typically provide doorways to the underlying wired network, at which point more destructive attacks can begin.
Several WLAN vendors have developed security techniques and technologies to overcome 802.11 security flaws, but most of these workarounds are the equivalent of wrapping bandages around a badly bleeding, poorly constructed and implemented technology. Also, because many vendors have developed proprietary fixes to these problems, customers face an array of interoperability problems.
The new 802.11i wireless standard uses two approaches to provide better security and protection than WEP. The first approach, which Figure 1 shows, is the aforementioned TKIP implementation, which is backward compatible with the many WLAN products and networks currently implemented around the world. TKIP works with WEP by feeding it keying material—that is, data to be used for generating new dynamic keys. WEP's current implementation of the RC4 encryption algorithm provides little protection. TKIP adds complexity to the key-generation process, complicating attackers' efforts to uncover the encryption keys. The IEEE working group provided TKIP so that customers would need to obtain only firmware or software updates instead of new equipment for this type of protection.
The second approach, which Figure 2 shows, is the use of the AES algorithm in conjunction with Cipher Block Chaining Message Authentication Code (CBC-MAC)—a combination otherwise known as the CCM protocol (CCMP). AES is a much stronger algorithm than RC4 but requires more processing power. AES isn't backward compatible with current WLAN products, so you should implement this configuration only if you haven't yet deployed a WLAN.
The algorithms, technologies, and protocols that make up the new wireless standard are complex. Understanding each component and how the components work together to provide a higher degree of confidence and protection for future WLAN environments is vital. For more information about how the new standard attacks WEP's deficiencies, see the sidebar "How 802.11i Addresses WEP's Core Deficiencies," page 30.
The 802.11i standard comprises three primary components in two layers. The lower layer contains the improved encryption algorithms (i.e., TKIP and CCMP). The top layer contains 802.1x. The 802.1x standard is a port-based network-access control that ensures that a user can't make a full network connection—that is, can't access network resources and pass network traffic other than authentication traffic from the wireless device to the network—until he or she is properly authenticated. The 802.1x standard is like a chain on your front door. Just as the chain lets you identify people before you allow them to enter your house, the 802.1x standard lets you identify people before you allow them to enter your network.
The 802.1x standard permits user authentication, whereas WEP provides only system authentication. User authentication provides a higher degree of confidence and protection than system authentication provides. The 802.1x standard provides an authentication framework and a method of dynamically distributing encryption keys. The three primary components of this framework are the supplicant (the wireless device), the authenticator (the AP), and the authentication server (typically a Remote Authentication Dial-In User Service—RADIUS—server), as Figure 3 shows. (If the environment doesn't have an authentication server, the AP can fulfill the roles of authenticator and authentication server.) By passing frames between the wireless device and the authentication server, the AP typically acts a middleman—a good approach that doesn't require a lot of processing overhead for the AP.
The AP will let only the wireless device communicate with the authentication server until all authentication steps are completed successfully. Thus, the wireless device can't send or receive HTTP, DHCP, SMTP, or any other type of traffic until the authentication server properly authorizes the user. WEP doesn't provide such strict access control.
Another downfall of the original 802.11 standard is its lack of mutual authentication. A wireless device that uses only WEP can authenticate to the AP, but the AP or authentication server doesn't need to authenticate to the wireless device. Therefore, a malicious user can set up a rogue AP and capture users' credentials and traffic, directly under users' noses. The 802.11i standard uses EAP to confront this problem. EAP permits mutual authentication between the authentication server and wireless device and provides the flexibility of using passwords (including one-time passwords), tokens, certificates, smart cards, or Kerberos to authenticate users. To permit these options, wireless devices and authentication servers that are 802.11i-compliant offer various authentication modules that plug into 802.1x. Thus, 802.1x provides the framework from which a network administrator can add the different EAP modules. During the initial handshaking process, the two entities agree on an authentication method. Authentication of wireless users can therefore occur as part of the current infrastructure's existing authentication technology.
The 802.11i standard addresses only what takes place at the Open System Interconnection (OSI) model's data link layer. Authentication protocols reside at a higher layer, so 802.11i doesn't specify particular authentication protocols; however, the use of EAP lets different vendors use different protocols. For example, Cisco Systems uses a purely password-based authentication framework called Lightweight Extensible Authentication Protocol (LEAP). Other vendors, including Microsoft, use EAP and EAP-Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates. Yet another choice is Protected EAP (PEAP), in which only the server uses a digital certificate. Figure 4, page 32, shows several new authentication methods that the 802.11i standard permits.
If you use EAP-TLS, the authentication server and wireless device exchange digital certificates for authentication purposes. If you use PEAP, the wireless device's user sends the server a password and the server uses its digital certificate to authenticate to the wireless device. In both cases, some type of public key infrastructure (PKI) needs to be in place. If your company doesn't currently have a PKI implementation, you're looking at an overwhelming and costly task just to secure wireless transmissions.
The steps that the server takes to authenticate to the wireless device are basically the same steps that a Web server and a Web browser take to set up a Secure Sockets Layer (SSL) connection. After the wireless device receives and validates the server's digital certificate, the device creates a master key, encrypts it with the server's public key, and sends it to the authentication server. Now, the wireless device and authentication server have a master key, which they use to generate individual symmetric session keys. Both entities use these session keys for encryption and decryption purposes, and the use of these keys sets up a secure channel between the two devices.
Companies might choose to use PEAP instead of EAP-TLS because of the hassle of installing and maintaining digital certificates on every wireless device. Before you purchase a WLAN product, you should understand the requirements and complications of each authentication method so that you know what you're getting yourself into and whether it's the right fit for your environment.
As I mentioned earlier, Cisco has taken a different approach to this authentication game by implementing LEAP, which is based on passwords. No PKI is necessary, and the wireless device and server authenticate to each other by exchanging predetermined passwords.
A large concern with current WLANs is that, in the event of theft, wireless devices can be easily authenticated to the wired network. A wireless device that uses only WEP authenticates itself by proving that it has a symmetric key that the administrator manually programmed into it. Because the user doesn't need to use WEP to authenticate, a stolen wireless device can give an attacker easy access to your precious network resources. The 802.11i standard has added steps to require the user to authenticate to the network instead of simply requiring the wireless device to authenticate. By using EAP, the user will need to send to the AP some type of credential set that's tied to his or her identity.
The Answer to Our Prayers?
Until now, if you required more protection than what the original 802.11 standard provides, you had to place a firewall between the AP and the wired network. You could also install VPN software on the wireless devices to provide another, stronger layer of encryption. And as I stated earlier, vendors have come up with proprietary security solutions. The promise of 802.11i is that you won't need to apply bandage after bandage on top of this wireless technology. Instead, the technology itself will provide the necessary security.
Will the use of 802.1x, EAP, AES, and TKIP result in secure and highly trusted WLAN implementations? Maybe, but you need to understand a few factors. First, the IEEE 802.11i Working Group created TKIP as a quick fix for WEP's overwhelming problems. The protocol doesn't overhaul the wireless standard because both WEP and TKIP remain based on the RC4 algorithm, which isn't the best fit for this type of technology. The use of AES comes closer to an actual overhaul, but AES isn't backward compatible with current 802.11 implementations. Second, using all these new components and mixing them with the current 802.11 components adds more complexity and steps to the process. Security and complexity don't typically get along. High levels of protection are most often the result of simplistic and elegant solutions. These new technologies add flexibility to the ways that vendors can choose to authenticate users and authentication servers, but along with that flexibility comes interoperability problems. If a company buys an AP from company A, the wireless cards it buys from companies B and C might not work seamlessly.
Is all the work behind 802.11i for naught? No, the working group consists of extremely sharp people, and some large and powerful companies are aiding in the development of these new solutions. The result is that 802.11i provides much more protection and security than WEP ever did. However, customers who purchase these products need to understand what they'll need to do after the purchase. For example, the use of EAP-TLS will mean that each wireless device needs a digital certificate. Are your current wireless devices programmed to handle certificates? How will you achieve proper deployment of certificates to all the wireless devices? How will you handle certificate maintenance? Will the devices and authentication server periodically check a certificate revocation list (CRL) to verify that a Certificate Authority (CA) hasn't revoked certificates? Suppose a malicious entity uses a valid digital certificate to erect a rogue authentication server or AP. The wireless device would simply verify the certificate and trust that this server is the entity with which it's supposed to be communicating. If the certificate authority is compromised, the entire EAP-TLS infrastructure is compromised—as with any PKI environment.
The original 802.11 standard has gotten so much bad press and attention that you can bet the working group has dotted every i and crossed every t as they go forward with this new release. However, only the inevitable rounds of testing and real-life implementation will determine its success. To be sure, the new standard will push us farther down the road to security than we are now, but be sure to keep two factors in mind as vendors develop and release new products. First, to provide the level of assurance and security that the standard promises, vendors need to properly interpret and adhere to its specifications. Second, customers need to understand what they're purchasing and implementing in their environments. Often, customers install products and technologies without knowing exactly what a new product does and how to properly test and secure it.
Although the 802.11i wireless standard hasn't yet been completely ratified, some vendors are already developing new WLAN products that follow the new stipulations. Expect many products to straddle the fence by providing TKIP for backward compatibility with current WLAN implementations and AES for companies that are just now thinking about extending their current wired environments with a wireless component. Before you buy any wireless products, you should review the certification findings of the Wi-Fi Alliance, which has already begun assessing systems against the proposed 802.11i standard.