When a mobile node, such as a laptop, connects to the WLAN network is a process called associa- tion. To be able to do this, the mobile node needs to find a suitable access point (AP). The access points are identified using the network name (Basic Service Set IDentifier BSSID or Extended Service Set IDentifier ESSID, or short: SSID).
The access points can be configured using two methods. The first option is that the access point sends periodically the SSID in plaintext, and the mobile terminals can then decide to ask for association with this access point. Manufac- turers provide equipment pieces with a standard SSID. Naturally, lists of manufacturer’s SSID are available from the Internet. A first precaution is to change it into another one.
It is recommended to configure the access point to be mute, and just to listen to requests for associations from the mobile nodes. The first level imposes the client station to send a connection request to know the networks in range. When receiving it, AP’s in range send their SSID. This is a good precaution, but a poor protection. Hack- ers have just to wait for the arrival of a mobile station: offices opening hour is a very nice time for SSID interception. The second level imposes that AP’s do not answer to broadcasts sent by mobile stations that request for access. In this case, mobile stations must know the SSID to at- tach the network.
This may seem secure at the first glance, but the added feeling of security is futile: an attacker can get the necessary information by passively
listening to the network traffic, and as soon as the first legitimate association request is heard, it can find out about the network identifier, which will be present in the request as plaintext. Even worse—the attacker may force a legitimate node to disassociate from an access point by sending a disassociation request to it. Then the legitimate node will try to reassociate immediately, thus revealing the network name.
Note: The inhibition of SSID exchange can block the attachment of some NIC’s (network interface card) whose implementation requests for this step in their connection process.
Changing and hiding the SSID is better than nothing, but not enough!
• MAC addresses filtering: The second non- cryptographic security feature in the IEEE WLANs is MAC filtering. This method uses the unique link layer (MAC) address of the WLAN network card to identify legitimate users. The system administration uses net- work configuration tools to give to the access points a list of valid MAC addresses called ACL: access control list. The access points refuse to answer to any messages received from network cards that are not listed in the ACL. This security feature is also easy to bypass: just listen for a while network traffic, and when a legitimate node leaves the network, set your network card to use its MAC address instead, for impersonating as a legitimate node. This constitutes also a constraint for the network administrator because the introduction of a new station needs an intervention on the network. Ad- dress filtering is usable only if the park of stations is limited and stable.
MAC addresses filtering it is better than
nothing, but not perfect!
• Encryption with WEP: There are several security features that are based on cryptogra- phy. The original and most widely deployed is called wired equivalent privacy (WEP).
Wireless Local Area Network Security
It was defined in the initial IEEE 802.11 standard. WEP can be used in conjunction with the aforementioned noncryptographic features, or as such. WEP provides authenti- cation and encryption with 40 to 128 bit key length. The system is based on a shared key that is configured both to the mobile node and to the access point. Using this key, the mobile node is authenticated when it asso- ciates to the access point. The access point is not authenticated. One problem with this authentication is that since the WEP key is the same for all nodes, the nodes cannot be distinguished from each other in authenti- cation. WEP uses data encryption on the radio link for providing confidentiality and integrity. The integrity mechanism uses a linear CRC algorithm where an attacker is able to flip bits in the packet without the risk of being detected.
The weaknesses of WEP arise from the fol- lowing factors:
• The pseudo-random sequence is computed by a linear algorithm and thus, is easily predictable.
• The key is static and common to all access points and mobile stations.
• The integrity control is weak and does not efficiently filter frame alterations.
• Sequences are not numbered; this facilitates replay attacks.
• The pseudo-random sequence is initialised by the means of a 24-bit vector transmitted in clear on the air interface and thus, easily intercepted by sniffing.
Fluhrer, Mantin, and Shamir (2001) described an attack (FMS) that allows finding the secret key used in WEP in reasonable time. The WEP algorithm uses the RC4 stream cipher in a mode where the actual key used consists of two parts–a known part called initialization vector (IV), which
is concatenated with the secret key. The RC4 algorithm uses a key generation algorithm that generates a pseudo-random bit sequence from the concatenation of IV and the key, and uses the generated bit sequence for encrypting the actual data by a simple “exclusive or” operation. The problem is that the algorithm for generating the bit stream carries some patterns of the original key to the resulting bit stream.
The reason for the initialization vectors is that the RC4 algorithm produces an identical bit stream each time it is used with the same key. This would lead to a situation where knowing one bit in plaintext for one packet would mean the cor- responding bit would be known for all packets, and thus reducing the strength of the algorithm considerably. Using IVs is supposed to prevent this, but the downside is that the first 24 bits of the key are now known. And since the standard format of an IP packet is also known, this can be used to guess more bytes in the key. This repeti- tion of IVs can be used for decrypting messages even without knowing the key–if the attacker can inject traffic to the WLAN from the fixed network and collect the packets encrypted by the access point, it can get the necessary information for decrypting traffic (see, e.g., Barken, 2004).
The attack was first implemented by Stub- blefield, Ioannidis, and Rubin (2001) and is now available in common cracking tools, such as Air- Snort and WEPCrack. The attack requires several millions of packets to be captured, afterwards the actual cracking is done in seconds. Even if the FMS attack requires capturing a huge number of packets, it can be done quite fast if the attacker can inject packets to the network, and capture them encrypted.
In practice, cracking the WEP needs less than two hours and some hackers boast to do it in fifteen minutes! In order to facilitate hacker’s task, it exists some dictionaries of pseudo-random sequences, depending on the values of the initial vector. Excellent software’s for WEP cracking are also available from the Internet (e.g., Airsnort or Netstrumbler).
Wireless Local Area Network Security
• Key renewal: Since the keys can be compro- mised in a reasonable time, a mechanism has to change keys within a considerable short time. The problem in WEP is that all the nodes share the same unique ciphering key, which is static. The key should be changed in all nodes (laptops, etc.) and in the access points, simultaneously and frequently. The 802.11 protocol does not contain key updating mechanisms. Thus, this must be done manually and simultaneously on all radio devices. Even if it could be done on very small networks, in practice keys are never changed.
Key renewing is good, but not realistic!
• Authentication: Since a WLAN using WEP does not authenticate the access point, the attacker can also impersonate as an access point. To launch a man-in-the middle attack, he may force network nodes to reassociate by sending deassociation frames to it, and then let the node to associate with the attacking node. This is easy if the attacker can position himself or use such equipment so that it can overpower the access point. With modified antennae it is easy to gain transmitting power, but they may look suspicious. Here,
we have a conflict with leaking radio signal outside the premises and making man-in- the-middle attack easier–for example Wi-Fi Alliance (2003) recommend low power for access points in order to reduce leaking the radio outside company premises. Several enhancements have been introduced in order to solve some of these weaknesses. Among them, the dynamic WEP with TKIP that makes frequently the key changed. This will be included in the 802.11i standard described next.
WEP using is better than nothing, but not enough!