Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
While Heartbleed distracts, hackers hit US universities
How Apple's billion dollar sapphire bet will pay off
US to vote on sharp increase in broadband subsidies
iPhone 6 rumor rollup for the week ending April 18
NSA spying revelations have tired out China's Huawei
Arista co-founder may have switch maker by its jewels
Apple kicks off public OS X beta testing
Open source pitfalls – and how to avoid them
AT&T's expanded 1 Gbps fiber rollout could go head to head with Google
BlackBerry Releases BES 10 Security Update to Address 'Heartbleed' Flaw
Verizon: Web apps are the security punching bag of the Internet
Cisco announces security service linked with new operations centers
Dell launches virtual storage accelerator, aims to boost SAN performance
Free OS X Mavericks now powers half of all Macs
Even the most secure cloud storage may not be so secure, study finds  
3D printing will transform these five industries
Most but not all sites have fixed Heartbleed flaw
NEC launches face-recognition protection for PCs
Hundreds of medical professionals targeted in multi-state tax scam
Super-high frequencies could one day deliver your mobile video
Americans cool with lab-grown organs, but not designer babies
IT Departments Not Losing Ground to Managed Service Providers (Yet)
Where's my gigabit Internet, anyway?
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
While Heartbleed distracts, hackers hit US universities
How Apple's billion dollar sapphire bet will pay off
US to vote on sharp increase in broadband subsidies
iPhone 6 rumor rollup for the week ending April 18
NSA spying revelations have tired out China's Huawei
Arista co-founder may have switch maker by its jewels
Apple kicks off public OS X beta testing
Open source pitfalls – and how to avoid them
AT&T's expanded 1 Gbps fiber rollout could go head to head with Google
BlackBerry Releases BES 10 Security Update to Address 'Heartbleed' Flaw
Verizon: Web apps are the security punching bag of the Internet
Cisco announces security service linked with new operations centers
Dell launches virtual storage accelerator, aims to boost SAN performance
Free OS X Mavericks now powers half of all Macs
Even the most secure cloud storage may not be so secure, study finds  
3D printing will transform these five industries
Most but not all sites have fixed Heartbleed flaw
NEC launches face-recognition protection for PCs
Hundreds of medical professionals targeted in multi-state tax scam
Super-high frequencies could one day deliver your mobile video
Americans cool with lab-grown organs, but not designer babies
IT Departments Not Losing Ground to Managed Service Providers (Yet)
Where's my gigabit Internet, anyway?
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report


/
Send to a friend Feedback

Researchers break wireless LAN encryption algorithm

Related linksToday's breaking news
Send to a friendFeedback


Seven months after researchers at the University of California at Berkeley discovered flaws in the encryption algorithm designed to protect wireless LANs, a different group of experts has uncovered a new, more dangerous method of attack that they say should be sounding security alarms throughout the business world.

Researchers from Rice University and AT&T Labs in Florham Park, N.J., published a paper on Aug. 6 outlining a new passive attack that is capable of defeating the 128-bit version of the Wired Equivalent Privacy (WEP) encryption algorithm used to protect 802.11 wireless LANs.

In their paper, the researchers state that all industry standard 802.11 wireless LANs should be viewed as insecure and those users should "treat all systems that are connected via 802.11 as external." They also urged corporate users to "place all access points outside the firewall."

Unlike the Berkeley attack, which required skilled hackers to break the encryption keys, this new attack method "is much stronger and much easier for a generic person to carry out," said Adam Stubblefield, a graduate student at Rice and co-author of the report. "The adversary is completely passive. He can just listen to the network traffic and the victim will never know they've been compromised."

The new attack method discovered by Stubblefield and Aviel Rubin, a researcher at AT&T Labs, came one week after Scott Fluhrer at Cisco Systems and Itsik Mantin and Adi Shamir at the Weizmann Institute in Israel published a paper describing the attack in theory. Stubblefield took that paper and, using a $100 wireless LAN card he purchased from Linksys Group in Irvine, Calif., proved after less than two hours worth of coding that it was possible to recover the 128-bit secret WEP key used in wireless LANs.

However, Rubin said it's important to point out that generic 128-bit encryption is still secure and that this most recent discovery demonstrates flaws in the way WEP uses the WEP RC4 cypher. "You can take cyphers that use a 128-bit key and design or use them in an insecure way. In WEP, it's a flawed design," he said.

Though WEP today uses 64-bit encryption, the industry plans to move to a 128-bit key for additional protection in a new standard due out later this year. But, the Fluhrer paper said, existing weakness in WEP means a successful attack can be mounted against "any key size," including "the revisited version WREP2."

Fluhrer and his colleagues said that WEP could be cracked by exploiting what they called "large classes of weak keys" in the protocol that make it vulnerable to attack. The Fluhrer paper added that attackers could also target another related key vulnerability by exposing part of the key to the attacker. Attackers can "then rederive the secret part by analyzing the initial word of the key streams with relatively little work."

John Pescatore, an analyst at Stamford, Conn.-based Gartner, said his company has been telling clients for some time to run virtual private networks (VPN) to secure wireless LANs. "Treat WLANs like you do the Internet," said Pescatore. "Don't trust the security [that's] built in."

"Some of the vendors like Cisco have built in better security than WEP, but Rubin's attack against streaming crypto shows the need to run proven stuff like IPSec or [Secure Socket Layer]."

For more enterprise computing news, visit Computerworld online. Story copyright 2001 Computerworld, Inc. All rights reserved.

Related Links

 
NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.