
Wi-Fi spies


New authentication and encryption techniques will protect wireless LANs from drive-by hackers.

By Jim Geier
Network World, 03/25/02

By now, the stories of hackers driving around in cars, breaking into wireless LANs with off-the-shelf tools such as AirSnort or WEPcrack, have become commonplace.

Wired Equivalent Privacy (WEP), the 802.11 standard for wireless security, has been discredited on a couple of counts:

* Weak encryption. To comply with federal encryption export rules that existed in 1997, the 802.11 standards group limited WEP key lengths to 40 bits. This provides a limited level of encryption that is relatively easy to compromise.

A hacker using a statistical analysis tool can crack a WEP key from a wireless LAN with typical levels of traffic in less than 24 hours.

* Static keys. Another problem is that WEP keys are common among the desktop cards and access points within the same wireless LAN, and they don't automatically change on a regular basis. To make matters worse, WEP has no key distribution method. Once you set up the keys for each user, they're difficult to change.




Network managers are reluctant to update WEP keys because of the long, tedious process of going to each end user's device to make the changes. As a result, wireless LANs using WEP have relatively weak keys banging around the network for days, weeks and even months.

The bottom line is that the current version of WEP is ineffective for protecting valuable information. Most applications need stronger, dynamic encryption and authentication mechanisms. Even if you don't think you need something stronger than WEP, you probably do.

Any wireless LAN that provides a potential path to valuable resources - even if those resources don't have anything to do with the intended wireless application - requires more security than what WEP offers.

Consider a hospital that deploys a wireless LAN to support mobile monitoring of a patient's heart rate and temperature. Because of the limited security requirements of that type of patient information, the hospital may decide that this application doesn't require encryption.

However, the wireless LAN offers a path through the network backbone to the hospital billing system. A hacker with a radio-equipped laptop sitting in a car in the hospital parking lot can easily traverse the network. This puts the hospital billing system in the hands of the hacker.

The obvious industries that require the strongest wireless security include banking and finance. In addition, the expected increase of public wireless LANs at airports, hotels and other public places will increase the potential for hackers to find ways into places on networks where they shouldn't go.

In response, companies such as Illuminet and TTS-Linx are developing public wireless LAN products that focus on strong security mechanisms that go well beyond the existing 802.11 WEP. In addition, the 802.11 working group, the Wireless Ethernet Compatibility Alliance, Wireless ISP Roaming and vendors are aggressively developing solutions to fill the wireless LAN security hole.

802.1X to the rescue

Windows XP and the majority of access point vendors support IEEE 802.1X, which is a standard defining the framework for port-based authentication and key distribution over both wired and wireless LANs.

Most people envision 802.1X as the primary enabler for wireless LAN security because it does a great job of dynamically allocating encryption keys.

Extensible Authentication Protocol (EAP) is the heart of 802.1X and facilitates the authentication process between an "authenticator" and a "supplicant" via an authentication server (see diagram below).

In the case of a wireless LAN, the supplicant is the client (802.11 network interface card) and the authenticator is the access point. The access point serves as the boundary between the protected and the unprotected parts of the network. Authentication servers approve and disapprove access, and they come in several varieties, such as Remote Authentication Dial-In User Service and Kerberos.

When an 802.1X client attempts to connect with an access point, the access point establishes a port that only lets EAP traffic through. The process continues, and the access point uses the client's identity for authentication with the authentication server.

If the authentication result is positive, the access point will enable other specific traffic (such as Dynamic Host Configuration Protocol, Post Office Protocol 3 and Simple Mail Transfer Protocol) from the client to flow through the access point to the protected side of the network. If the client logs off, the access point will disable the client's ports.
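The port gating described above can be modeled in a few lines of Python. This is an added example, not code from the article or from any vendor: `AccessPoint`, `Frame`, `server_authenticate` and the credential table are hypothetical names and constructed data, and the password lookup stands in for a real EAP method.

```python
from dataclasses import dataclass

ETH_EAPOL = 0x888E  # EtherType for EAP over LAN (EAPOL)
ETH_IPV4 = 0x0800   # ordinary data traffic (DHCP, POP3, SMTP ...)
# Constructed stand-in for the authentication server (RADIUS, Kerberos ...).
CREDENTIALS = {"alice": "correct-horse"}

def server_authenticate(identity, proof):
    return CREDENTIALS.get(identity) == proof

@dataclass
class Frame:
    src: str             # client MAC address
    ethertype: int
    payload: tuple = ()  # ("start",), ("response", identity, proof), ("logoff",)

class AccessPoint:
    """Authenticator: one controlled port per client, closed by default."""
    def __init__(self):
        self.authorized = set()  # MACs whose controlled port is open
    def receive(self, frame):
        if frame.ethertype == ETH_EAPOL:
            return self._eapol(frame)
        # Anything that is not EAP passes only through an authorized port.
        return "forward" if frame.src in self.authorized else "drop"

    def _eapol(self, frame):
        kind = frame.payload[0] if frame.payload else None
        if kind == "start":
            return "request-identity"              # ask client for identity
        if kind == "response" and len(frame.payload) == 3:
            _, identity, proof = frame.payload     # client responds
            if server_authenticate(identity, proof):  # ask the server
                self.authorized.add(frame.src)     # accept client traffic
                return "success"
            self.authorized.discard(frame.src)     # failure leaves port closed
            return "failure"
        if kind == "logoff":
            self.authorized.discard(frame.src)     # logoff disables the port
            return "logged-off"
        return "drop"                              # unknown EAPOL is ignored

def demo():
    ap, mac = AccessPoint(), "02:00:00:00:00:01"   # constructed client MAC
    eap = lambda *p: Frame(mac, ETH_EAPOL, p)
    data = Frame(mac, ETH_IPV4)
    steps = [data, eap("start"), eap("response", "alice", "correct-horse"),
             data, eap("logoff"), data]
    return [ap.receive(f) for f in steps]
```

`demo()` sends the same data frame before authentication, after success and after logoff, so the three verdicts show the port closed, open and closed again.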

EAP alone doesn't define all the techniques for securing a wireless connection. The security solution also needs to implement an "authentication type," such as the Lightweight Extensible Authentication Protocol (LEAP) or EAP Transport Layer Security (EAP-TLS).

Both of these methods include mutual authentication between client and access point. LEAP dynamically generates WEP keys within Cisco-based wireless LANs.

EAP-TLS is an authentication type that requires clients and access points to possess digital certificates, which enables the dynamic distribution of WEP keys over a secure connection. Windows XP supports EAP-TLS for wireless network authentication. Most wireless LAN vendors now support EAP-TLS as well.

An issue with these 802.1X products is that they still use WEP for encryption, which is based on relatively weak keys. However, at least 802.1X changes the keys often enough to minimize problems. Administrators can set up systems to change keys every hour, every 10 minutes or once each session.

802.11i also to the rescue

The IEEE 802.11i subgroup, also referred to as Task Group I (TGi), is developing an enhancement to the 802.11 Media Access Control Layer to incorporate 802.1X mechanisms.

TGi is working out the details, but the standard will specify the use of 802.1X and leave the choice of EAP authentication type to the implementer. The 802.11i upgrade will change keys frequently and strengthen the encryption process.

Thus, 802.11i will solve the two primary security problems with WEP: weak encryption and static keys.

The 802.11i standard should become available and integrated within products toward year-end or the beginning of next year.



802.1X offers wireless LAN security
The 802.1X standard for port-based authentication and key distribution is based on Extensible Authentication Protocol (EAP).
1. When client attempts to connect to access point, EAP handshake process begins.
2. Access point establishes port for EAP-only traffic and asks client for identity.
3. Client responds.
4. Access point requests authentication from server.
5. If client is authenticated, access point will accept traffic.


Geier provides independent consulting services to companies developing and deploying wireless networks. He is the author of the book Wireless LANs and leads workshops on wireless LANs. He can be reached at jimgeier@wireless-nets.com.


  Copyright, 1995-2002 Network World, Inc. All rights reserved.