Secure Communication

In a wired network, physical security is complicated but manageable. You can restrict physical access to routers, switches, and network hardware. You can provide a complex authentication mechanism for proving that users are who they say they are. You can set up Virtual LANs or virtual private networks for even more security. Even if an attacker were to plug into your wired network, it would be difficult to penetrate further with these kinds of security measures in place.


The wireless network world is not nearly this secure. In fact, it is not secure at all. Disassembling your network packets and transmitting them wirelessly means that anyone within reach can see them. A wily attacker could join or passively monitor your network from a mile away with a high-gain antenna, and you would never see him.

The drawbacks of WEP (802.11b)

The IEEE specifications for 802.11a/b/g all provide a form of encryption called Wired Equivalent Privacy (WEP). WEP operates at the Media Access Control (MAC) layer or the Data Link Layer, between the physical layer (radio waves) and the Network Layer (TCP). Most WEP products implement a 64-bit shared key, 40 bits of which are used for the secret key and 24 bits for the initialization vector (IV). The key is installed at the wired network AP and must also be entered into each client.


Anyone who knows the secret key (unless you’re the only user on the network, this key is shared, so it’s not all that secret) can participate in a WEP network. Secret keys are generally either plaintext words or somewhat longer combinations of hexadecimal numbers.


There are two major problems with WEP:

  • Encryption is handled at the Data Link Layer, so if you connect to a WEP network with your notebook, the communication between your notebook and the access point is encrypted. All packets are decrypted at the access point and sent from there in the clear.
  • Other computers that also have the secret key for this WEP network can read all packets sent to and from your computer. The secret key is a “shared” key, which means that all devices that encrypt packets must use the same key, making the key even easier to deduce. Once you are connected to a WEP network, you can do all the packet sniffing you want with a tool like Ethereal.

A team of cryptographers from the University of California at Berkeley, as well as several other groups, have identified weaknesses in the way that WEP keys are generated and used, effectively making the number of bits in the key immaterial. Even though many manufacturers have added extra bits to the key length, up to 152 bits, the longer key length provides minimal protection, because WEP is not a well-designed cryptographic system. I (spooky) will post more about WPA in coming posts.
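One concrete reason the key length is immaterial is the 24-bit IV described above: it is sent in the clear in front of every frame, and once an IV repeats under the same key the same RC4 keystream has been reused. The following is an added example, not code from the post, that parses the WEP header of captured frame bodies, flags IV reuse per access point the way a monitoring tool would, and works out the birthday bound and wrap-around time for a 24-bit IV. The BSSID, the frame bodies and the helper names (`parse_wep_header`, `find_iv_reuse`, `wep_body`) are all constructed for the example.

```python
import math
from collections import defaultdict

IV_BITS = 24              # WEP prepends a 24-bit initialization vector to every frame
IV_SPACE = 1 << IV_BITS   # 16,777,216 distinct IVs per secret key


def parse_wep_header(body: bytes) -> tuple:
    """Split the 4-byte WEP header that starts an encrypted 802.11 frame body.
    Bytes 0-2 are the IV, transmitted in the clear; the top two bits of byte 3
    select which of the four configured keys was used. Returns (iv, key_id)."""
    if len(body) < 4:
        raise ValueError("frame body too short to carry a WEP header")
    iv = int.from_bytes(body[:3], "big")   # big-endian only as a stable identifier
    key_id = body[3] >> 6
    return iv, key_id


def find_iv_reuse(frames) -> dict:
    """frames: iterable of (bssid, frame_body). Returns, per (bssid, key_id), the IVs
    that appeared more than once; each repeat means the same RC4 keystream was reused."""
    counts = defaultdict(lambda: defaultdict(int))
    for bssid, body in frames:
        iv, key_id = parse_wep_header(body)
        counts[(bssid, key_id)][iv] += 1
    reused = {}
    for key, ivs in counts.items():
        dupes = {iv: n for iv, n in ivs.items() if n > 1}
        if dupes:
            reused[key] = dupes
    return reused


def frames_until_collision(p: float = 0.5) -> float:
    """Birthday bound: number of randomly chosen IVs at which the probability of at
    least one repeat reaches p. For 24 bits this is below 5,000 frames."""
    return math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p)))


def hours_to_exhaust(frames_per_second: float) -> float:
    """Time until a sequential IV counter wraps around and keystreams start repeating."""
    return IV_SPACE / frames_per_second / 3600


# Constructed sample: one access point, a handful of encrypted frame bodies.
AP = "00:11:22:33:44:55"   # placeholder BSSID


def wep_body(iv: int, key_id: int = 0, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a frame body with a WEP header in front of an (opaque) ciphertext payload."""
    return iv.to_bytes(3, "big") + bytes([key_id << 6]) + payload


SAMPLE_FRAMES = [
    (AP, wep_body(0x000001)),
    (AP, wep_body(0x000002)),
    (AP, wep_body(0x000001)),            # IV 000001 reused under key 0
    (AP, wep_body(0x0A0B0C)),
    (AP, wep_body(0x0A0B0C)),
    (AP, wep_body(0x0A0B0C)),            # IV 0A0B0C seen three times
    (AP, wep_body(0x000001, key_id=1)),  # same IV but a different key slot: not a reuse
]

if __name__ == "__main__":
    for (bssid, key_id), dupes in find_iv_reuse(SAMPLE_FRAMES).items():
        for iv, n in dupes.items():
            print(f"{bssid} key {key_id}: IV {iv:06x} used {n} times")
    print(f"50% chance of an IV collision after ~{frames_until_collision():.0f} frames")
    print(f"IV space exhausted in {hours_to_exhaust(1000):.1f} h at 1000 frames/s")
```

Two things a practitioner should take from running it: on a busy access point the IV space is used up in a matter of hours, and even with random IVs a repeat is expected well under 5,000 frames, so keystream reuse is not an edge case but the normal state of a WEP network.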

So why would you want to use WEP on your wireless network at all? Consider it a first line of defense. While it is definitely possible to crack its keys and gain access to a WEP network, someone who is looking for free wireless access will choose an open network when given the choice. However, you must still take stronger measures.

Consider not using WEP at all. There are other alternatives that provide stronger encryption and authentication, and I will discuss them further. However, if you want an easy setup, WEP is your ticket. To keep your WEP network as secure as possible, keep these guidelines in mind:


Make your secret key difficult to crack. Once a hacker has captured enough frames from your encrypted network, he needs to run a tool to guess your secret key. This is no different from a hacker running crack against a password database. The more complex your key, the less likely a standard dictionary attack will crack it. Choose a long, complex key that uses non-alphanumeric characters. If you can, use hexadecimal strings. Use the longest key that your hardware will support. If you have access points and clients that support 128-bit WEP, by all means use it. However, some implementations of WEP have weaknesses that allow attackers to recover the key even without mounting a dictionary attack.
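To make the "use hexadecimal, use the longest key" advice concrete, here is an added example (not from the post) that generates a random hex key of either size the post mentions and audits a key an administrator has typed in: a hex key uses all 256 values of every byte, while an ASCII key of 5 or 13 characters can only use the 95 printable values, which shrinks the space an attacker must search, and a dictionary word shrinks it to almost nothing. The function names, the wordlist and the sample keys are constructed for the example.

```python
import math
import os
import re

# Secret-key sizes the post mentions: 40-bit keys ("64-bit WEP", 10 hex digits)
# and 104-bit keys ("128-bit WEP", 26 hex digits); the other 24 bits are the IV.
HEX_DIGITS_PER_SIZE = {40: 10, 104: 26}
HEX_KEY = re.compile(r"[0-9A-Fa-f]+")
ASCII_ALPHABET = 95   # printable ASCII, 0x20-0x7E: the values an ASCII key can use

# Constructed stand-in for a wordlist; a real audit would load one from disk.
DICTIONARY = {"hello", "admin", "password", "wireless", "secret"}


def generate_hex_key(bits: int) -> str:
    """Draw the secret key from the OS random source and render it as hex,
    the form the post recommends typing into the AP and each client."""
    if bits not in HEX_DIGITS_PER_SIZE:
        raise ValueError("use 40 (64-bit WEP) or 104 (128-bit WEP)")
    return os.urandom(bits // 8).hex().upper()


def check_key(key: str) -> dict:
    """Classify a configured key and estimate the key space an attacker must search."""
    if HEX_KEY.fullmatch(key) and len(key) in HEX_DIGITS_PER_SIZE.values():
        # Every hex digit carries a full 4 bits: 40 or 104 bits of key space.
        return {"form": "hex", "bits": len(key) * 4, "dictionary": False, "preferred": True}
    if len(key) in (5, 13) and all(32 <= ord(c) <= 126 for c in key):
        # Each byte is confined to 95 printable values, so ~6.57 bits per character.
        return {
            "form": "ascii",
            "bits": round(len(key) * math.log2(ASCII_ALPHABET), 1),
            "dictionary": key.lower() in DICTIONARY,
            "preferred": False,
        }
    return {"form": "invalid", "bits": 0, "dictionary": False, "preferred": False}


if __name__ == "__main__":
    print("fresh 128-bit WEP key:", generate_hex_key(104))
    for sample in ("hello", "G3#kq2!Lp9$Wz", "A1B2C3D4E5", "toolongkey"):
        print(f"{sample!r}: {check_key(sample)}")
```

The audit is deliberately conservative: it reports an upper bound on key space, and a key that scores well here is still only as strong as WEP itself, which the post has already shown is the weaker link.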


Change your secret key often. WEP key attacks rely on two methods: a dictionary attack or the collection of large amounts of frame data in order to deduce the secret key. Obviously, you give an attacker less of a chance to break your key when you change it often. However, this option becomes more cumbersome with large networks, giving you the classic key-distribution problem.


Use WEP in combination with other security measures. If your network uses equipment from a single manufacturer, you may be able to take advantage of nonstandard security features. Cisco and Proxim, for example, support rapid WEP key rotation and dynamic rekeying. If all of your clients can take advantage of these features, use them. You should also consider whether the various IP tunneling or VPN solutions will fit into your network infrastructure.

Several security measures that come standard with many access points are almost useless in protecting your wireless network.


Disabling SSID broadcast

This creates a “hidden” network by causing the access point to suppress the broadcast of SSID information. In order to join a network with SSID broadcast disabled, the client must manually enter the SSID. If you don’t know the SSID, you can’t join the network. In reality, Kismet and other wireless network scanners can easily pick up the SSID by monitoring traffic from clients of the “hidden” network.

MAC address filtering

Most access points allow you to set up a list of allowed network cards by entering their MAC addresses. If the access point sees a MAC address that is not on the list, it will not allow that device to associate. So only authorized network cards can join the network. In reality, Kismet and other wireless scanners can easily pick up MAC addresses by monitoring client traffic on the wireless network. Spoofing a MAC address is very easy under Linux and other operating systems, allowing easy access to the network. Also, wireless network cards can be easily stolen. The MAC address filter only authenticates the device, not the person using it, so anyone who has the card can use it.

IP address filtering

Similar to MAC address filtering, this technique allows you to set up a list of allowed IP addresses that can send TCP/IP traffic on the network. Other machines may be allowed to associate with the access point, but they would not be able to participate in any TCP/IP networking. So only known IP addresses are allowed to communicate on the network. In reality, any network sniffer or analyzer, such as Ethereal or tcpdump, can easily find the IP addresses in use on any given network. Spoofing IP addresses is even easier than spoofing MAC addresses.


Reference

  • Security of the WEP Algorithm (http://www.issac.cs.berkeley.edu/issac/wep-faq.html)

~ Contributed by Spooky



One Response


  1. spooky says

    This post is great.
    Try more different … :)


