Copyright

Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.

October 24, 2005

Weak Defense...But Getting Better

The latest update in our rolling feature on wireless security: Oct. 24, 2005: This article describes concerns and best practices for wireless security and is periodically revised.

Worried about your wireless network's default security? You should be.

Wireless networks send their data through walls and ceilings, and can be picked up with sensitive antennas -- much more sensitive than the ones your equipment uses -- miles away. With this kind of transparency, you need to protect the data on your network, even if you're a casual home user.

The only tool for consumers and small businesses until mid-2003 was the built-in WEP (Wired Equivalent Privacy) encryption that's required as part of the Wi-Fi certification program. But security experts have shown numerous flaws in WEP that prevent it from providing even a minimal reliable level of security for serious applications. Recent tools show that WEP can be cracked in just a few minutes on a busy network.

Businesses had a strapped-together system they could use called 802.1X/EAP, but standardization for securing it (a separate problem), missing clients in older machines, back-end server requirements, and its reliance on WEP all prevented initial widespread adoption. That's changed, and is part of this article.

Fortunately, in November 2002, the Wi-Fi Alliance, a trade group that certifies 802.11a, b, and g devices as interoperable, released an interim replacement for WEP and other aspects of Wi-Fi security that changed the landscape. This newer standard is called WPA (Wi-Fi Protected Access). In mid-2004, the engineering group responsible for wireless standards ratified IEEE 802.11i, the full replacement for WEP and a superset of the features found in WPA. This newest standard is called WPA2 and is widely available, too.

WEP's Weakness

WEP's initial goal was to provide a level of security that conformed to the difficulty of tapping Ethernet network traffic. In the case of wired Ethernet, you would need physical access to a network to sniff packets and intercept data. WEP's minimal security should have met at least that level of protection. Unfortunately, WEP failed because of flaws in the conception and implementation of the protocol.

Some of these flaws were a result of computational limits when the specification was being developed: the number crunching expected to be available on the Wi-Fi cards was orders of magnitude lower than that available even in 1999. Other flaws had to do with then-current export restrictions on strong encryption, which limited one flavor of WEP to just 40 bits.

Several articles appeared on Aug. 4, 2001, about an academic paper authored by notable encryption and security experts that explained how insufficient randomness and an insufficient key space meant that a cracker could sniff relatively few packets to crack a WEP key -- just a few million packets of data at most (or a few tens of thousands at least) using software that showed up a few days after the paper was released. The paper and subsequent work showed that even a 128-bit key (really 104 bits) could be broken without an exponential increase in time -- just slightly longer.

Developments in late 2004 showed that enormously fewer packets were needed to crack most busy networks, and that networks might be crackable within just a few minutes depending on key choice and other factors.

WEP's other primary problem was bad packet integrity checking, meaning that an interloper could insert or modify data in transit without being caught.
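To make the two points above concrete, here is an added Python example (not code from the article). It computes the birthday-bound probability that a 24-bit IV repeats, which is the point at which the same RC4 keystream covers two packets, and then checks the property behind the integrity problem: CRC-32, which WEP uses as its check value, is linear, so the checksum change that goes with a payload change is predictable without any key, while a keyed integrity code of the kind TKIP and CCMP carry inside the encrypted frame is not. Keystream reuse is a separate and simpler problem from the key recovery the 2001 paper addressed. The key, messages and the HMAC-SHA256 stand-in are constructed for the example.

```python
"""Two structural weaknesses of WEP, worked through numerically.

Added example for this article, not code from the original page. It uses
only the Python standard library; the key and messages below are
constructed sample data, not material from any real network.
"""
import hashlib
import hmac
import math
import zlib

WEP_IV_BITS = 24  # WEP prepends a 24-bit per-packet IV to the shared key


def iv_collision_probability(packets: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Birthday-bound probability that at least two of `packets` randomly
    chosen IVs are equal, i.e. that the same RC4 keystream encrypts two
    packets. Uses the approximation 1 - exp(-n(n-1) / (2 * 2^bits))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_until_collision(prob: float = 0.5, iv_bits: int = WEP_IV_BITS) -> int:
    """Smallest packet count at which the collision probability reaches
    `prob` (inverse of the approximation above)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - prob))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_icv(data: bytes) -> bytes:
    """WEP's Integrity Check Value is a plain CRC-32 of the payload."""
    return zlib.crc32(data).to_bytes(4, "big")


MIC_KEY = b"constructed sample MIC key, not a real key"  # constructed


def keyed_mic(data: bytes) -> bytes:
    """A keyed message integrity code, standing in for the MIC that TKIP and
    CCMP place inside the encrypted frame (HMAC-SHA256 here, for illustration)."""
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()


def check_is_linear(check, a: bytes, b: bytes) -> bool:
    """True if check(a XOR b) is predictable from check(a), check(b) and the
    check of an all-zero message of the same length, with no key involved.
    CRC-32 satisfies this affine relation, so a change to the payload implies
    a predictable change to the ICV; a keyed MIC has no such relation."""
    if len(a) != len(b):
        raise ValueError("messages must have equal length")
    zeros = bytes(len(a))
    predicted = xor_bytes(xor_bytes(check(a), check(b)), check(zeros))
    return predicted == check(xor_bytes(a, b))


if __name__ == "__main__":
    print(f"P(IV reuse) after 5000 packets: {iv_collision_probability(5000):.2f}")
    print(f"packets for a 50% chance of IV reuse: {packets_until_collision()}")
    m1, m2 = b"transfer 010 units", b"transfer 990 units"  # constructed
    print("CRC-32 ICV linear:", check_is_linear(crc32_icv, m1, m2))
    print("keyed MIC linear: ", check_is_linear(keyed_mic, m1, m2))
```

The birthday bound is why a busy network is at far more risk than a quiet one: with random IVs, a 50% chance of reuse arrives after roughly 5,000 packets, a few seconds of traffic on a loaded access point. The linearity check is the reason the 802.11i fixes put a keyed MIC inside the encrypted portion of the frame rather than keeping a CRC.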

WEP's Threat to Users and Organizations

Initially, cracking WEP required some expertise. But widely available, simple-to-use software now makes it a snap for even a casual cracker to extract a WEP key from a home or business network. Home users with less-busy Wi-Fi networks are less likely to be cracked both for reasons of intent--someone might not bother--and time. The fewer the packets, the longer it takes to crack a network and gain access to the traffic passing over it.

However, it's also been shown that an active attack could provoke an access point to produce packets in the quantities needed, but no software has been seen that carries out this attack.

Corporations relying on 802.1X network authentication systems that can automatically swap WEP keys after a certain number of packets may still have problems because more recently discovered methods of cracking WEP keys reduce the threshold for data interception down below the number of packets sent before the authentication system changes the key.

Corporations had been advised to only allow encrypted tunneled access using virtual private network (VPN) protocols from access points, thus limiting risk. Some networks have turned off protection at the access point, focusing efforts entirely on the VPN tunnel for this reason.

In both home and business cases, it's clear that WEP needed to be replaced with something better, and for home users, something easier to configure and not worry about.

WEP's Replacement

The IEEE task group that was responsible for security, 802.11i, developed a compromise solution that looked backwards to fix WEP and forwards to replace it without losing compatibility. The solution looking backwards is TKIP (Temporal Key Integrity Protocol), a way of fixing the flaws in WEP by creating a longer, better initialization vector (IV) of 48 bits; increasing randomness; using a master key from which other keys are derived; and mixing keys and IVs in such a way that each packet has its own unique key. The keyspace, or number of possible keys that can be used, would take 100 years of continuous transmission to exhaust.

The new spec also fixes packet integrity by using a more advanced method of detecting tampering, and putting this information in the encrypted part of the frame instead of sending it in the clear.

The forward-looking part of 802.11i adds AES-CCMP (Advanced Encryption Standard) for essentially impregnable protection of data, cryptographically far stronger than the TKIP stream. AES is quite widely used and has been adopted by the US government. The specific AES mode included in 802.11i, CCMP (Counter Mode CBC-MAC Protocol), uses keys of the same length as TKIP keys: 128 bits. However, its underlying algorithm is much stronger. Most Wi-Fi chips released in late 2002 and beyond include the necessary support for AES.

The 802.11i spec in its implemented form includes support for the 802.1X and EAP (Extensible Authentication Protocol) protocols. 802.1X is a way of defining roles so that a client can connect to an access point and have limited access -- a client can only talk to the access point but not see the rest of the network until the access point queries the client and relays its messages back and forth to an authentication server which confirms the client's identity. EAP is the messaging standard used to talk among the three roles.

The same 802.1X authentication system can be used to rekey regularly during a user's session by having a timeout value for the key (it's not required), and to provide unique master keys which correspond to each client from which the client and AP derive necessary keys, further reducing the risk of interception, and ensuring that no one gaining access can sniff other traffic passing over the air.
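The three-role exchange and the per-session keying described in the two paragraphs above, as an added Python model (not the article's code and not a real EAP method). The supplicant, authenticator and authentication server are each a small class; the "controlled port" logic shows the access point dropping data frames until the server returns Success, the key timeout forcing a fresh authentication, and the key material both ends derive being unique to each session. The challenge/response is a toy keyed-hash method standing in for an inner EAP method, and the user database is constructed sample data.

```python
"""Minimal model of the three 802.1X roles and the authenticator's
controlled port. Added example, not from the article; the EAP method is a
toy HMAC challenge/response and the user database is constructed data.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

USER_DB: Dict[str, bytes] = {"alice": b"constructed-password-for-alice"}  # constructed


def derive_msk(secret: bytes, challenge: bytes) -> bytes:
    """Key material both ends derive from the exchange (toy derivation).
    The challenge is fresh per session, so the resulting key is too."""
    return hmac.new(secret, b"msk|" + challenge, hashlib.sha256).digest()


class AuthServer:
    """RADIUS-style server: the only party holding user secrets."""

    def __init__(self) -> None:
        self.pending: Dict[str, bytes] = {}

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "Response/Identity":
            challenge = os.urandom(16)
            self.pending[msg["identity"]] = challenge
            return {"type": "Request/Challenge", "challenge": challenge}
        if msg["type"] == "Response/Challenge":
            user = msg["identity"]
            challenge = self.pending.pop(user, None)
            secret = USER_DB.get(user)
            if challenge is None or secret is None:
                return {"type": "Failure"}
            expected = hmac.new(secret, challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, msg["response"]):
                return {"type": "Failure"}
            # The key rides along with Success to the authenticator only.
            return {"type": "Success", "msk": derive_msk(secret, challenge)}
        return {"type": "Failure"}


class Supplicant:
    """The client: answers EAP requests and derives the session key itself;
    the secret is never transmitted."""

    def __init__(self, identity: str, secret: bytes) -> None:
        self.identity, self.secret = identity, secret
        self.session_key: Optional[bytes] = None

    def respond(self, msg: dict) -> Optional[dict]:
        if msg["type"] == "Request/Identity":
            return {"type": "Response/Identity", "identity": self.identity}
        if msg["type"] == "Request/Challenge":
            challenge = msg["challenge"]
            self.session_key = derive_msk(self.secret, challenge)
            response = hmac.new(self.secret, challenge, hashlib.sha256).digest()
            return {"type": "Response/Challenge", "identity": self.identity,
                    "response": response}
        return None


class Authenticator:
    """The access point: relays EAP without interpreting it and keeps the
    controlled port closed until the server says Success."""

    def __init__(self, server: AuthServer, rekey_after: int = 1000) -> None:
        self.server = server
        self.rekey_after = rekey_after      # optional key timeout, in frames
        self.authorized = False
        self.pairwise_master_key: Optional[bytes] = None
        self.frames_since_rekey = 0

    def authenticate(self, supplicant: Supplicant) -> bool:
        msg = {"type": "Request/Identity"}
        while True:
            reply = supplicant.respond(msg)
            if reply is None:
                self.authorized = False
                return False
            msg = self.server.handle(reply)   # relayed, never decoded here
            if msg["type"] == "Success":
                self.authorized = True
                self.pairwise_master_key = msg["msk"]
                self.frames_since_rekey = 0
                return True
            if msg["type"] == "Failure":
                self.authorized = False
                return False

    def controlled_port(self, frame: dict) -> str:
        """EAPOL frames always pass (the uncontrolled port); data frames are
        dropped until authorization, and the timeout forces a new key."""
        if frame["kind"] == "EAPOL":
            return "relayed"
        if not self.authorized:
            return "dropped"
        self.frames_since_rekey += 1
        if self.frames_since_rekey >= self.rekey_after:
            self.authorized = False   # client must re-authenticate for a new key
            return "rekey-required"
        return "forwarded"
```

Two things to notice when running it: the access point holds a key at the end of a successful session that it never computed from anything secret, it only received it from the server, and two authentications of the same user yield different keys, which is the property that stops one authorized client from reading another's traffic.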

While 802.11i was ratified in mid-2004, it took until mid-2005 for firmware updates offering the full suite under the WPA2 label to appear. Most manufacturers, even of consumer gear, have full WPA2 firmware and driver upgrades available at no cost on their Web sites. But before WPA2 was available, an interim measure was needed.

The Interim Solution: WPA and 802.1X/EAP as WPA Enterprise

With security hurting the deployment of wireless LANs as well as consumer confidence over their networks being used or snooped, the Wi-Fi Alliance stepped into the void that stands between the current broken standards and 802.11i's adoption.

In early November 2002, they announced WPA (Wi-Fi Protected Access), an interim version of 802.11i that adopts TKIP-based fixes to WEP, adds the packet integrity upgrade, and introduces standardized and tested support for 802.1X/EAP network authentication, including one form of secured EAP. The Wi-Fi Alliance started certifying devices as WPA compliant in the summer, and WPA became a required part of certification for new Wi-Fi devices as of September 2003. (802.11i has a few extras, like the AES key and quick re-authentication as a client passes among different access points, that are part of WPA2.)

WPA Personal, the consumer flavor of WPA, lowers the bar for end users to deploy security by requiring that clients and access points can use a shared network password (technically called the pre-shared key or PSK).

Unlike the passphrase employed in WEP implementations, which merely converts ASCII into hex (and thus further weakens a WEP key), the WPA password actually creates a cryptographic outcome that's sufficiently random to increase the difficulty in breaking a key in that unlikely event. Because consumers need only enter a password, this improves the likelihood they'll use it. WPA will fall back to WEP if even a single device on a network cannot use WPA, although only SMC Networks seems to sell equipment that supports both WEP and WPA at the same time.

(A side note: researcher Robert Moskowitz detailed in a white paper that WPA passphrases that contain dictionary words and are less than 20 characters long could be susceptible to cracking -- choose your passphrases wisely. The WPA crack is possible in part because an intruder can cause an access point to regenerate the key exchange with the client in under a minute; that key exchange is secured, but it can be extracted and then cracked offline and away from the network. Vendors have worked to solve this by removing the customer from the key creation process: Buffalo AirStation One-touch Secure Setup (AOSS), Broadcom SecureEasySetup, and Atheros JumpStart for Wireless. See this article for an explanation of these systems.)
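How the WPA Personal password actually becomes a key, and why the 20-character, no-dictionary-words advice above matters, as an added Python example (not code from the article or from any vendor). The derivation follows the published 802.11i rule: PBKDF2 with HMAC-SHA1, the network's SSID as salt, 4096 iterations and a 256-bit result. Nothing else enters the computation, so the key is a fixed function of passphrase and SSID, which is exactly what makes an offline guess possible once the exchange has been captured. The small word list is a constructed stand-in for a real dictionary, and the one-touch vendor systems are modelled only as "generate a random key instead of asking the user for one".

```python
"""WPA/WPA2 Personal: passphrase to 256-bit pre-shared key, plus a check of
the passphrase advice. Added example, not from the article; the word list is
constructed sample data.
"""
import hashlib
import os
import re
from typing import List

DICTIONARY = {"password", "wireless", "network", "linksys", "default"}  # constructed


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits),
    the 802.11i rule. Only passphrase and SSID enter the computation, so a
    guessable passphrase gives a guessable key on that SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_weaknesses(passphrase: str, min_length: int = 20) -> List[str]:
    """Reasons a passphrase fails the two rules quoted above: at least 20
    characters, and no dictionary words. Empty list means it passes."""
    reasons = []
    if len(passphrase) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    words = {w for w in re.split(r"[^a-z]+", passphrase.lower()) if w}
    hits = sorted(words & DICTIONARY)
    if hits:
        reasons.append("contains dictionary word(s): " + ", ".join(hits))
    return reasons


def generate_random_psk() -> str:
    """What the vendor provisioning systems effectively do: a 256-bit random
    key written as 64 hex digits. Most supplicants and access points accept
    such a value directly as the PSK, skipping PBKDF2 altogether, so there
    is no passphrase for a word list to match."""
    return os.urandom(32).hex()


if __name__ == "__main__":
    print("PSK for 'password' on SSID 'IEEE':", wpa_psk("password", "IEEE").hex())
    for candidate in ("password", "my wireless network is here",
                      "Kt9#vRqLm2!pWz8&bYxE3"):                      # constructed
        print(repr(candidate), "->", passphrase_weaknesses(candidate) or "ok")
    print("random 64-hex PSK:", generate_random_psk())
```

The 4096 iterations are there to slow down guessing, but they only multiply the cost of each guess; a passphrase drawn from a small space is still found quickly. Length and unpredictability are what raise the cost, and a random 64-hex key removes the guessing space entirely.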

The entire industry responded fairly rapidly, and virtually all 802.11g devices added WPA support partly because the Wi-Fi Alliance mandated it in new equipment. Not all older devices were upgradable, and almost no older access points; most older devices definitely don't support the full 802.11i/WPA2 standard because they can't handle AES keys.

Several companies did release WPA upgrades for 802.11b devices, some of which were first released in 1999. (See this article for details on WPA support in older cards and where to download upgrades.)

WPA2: The Final Piece

WPA2 Support was the final piece of the puzzle for full 802.11i support. The Wi-Fi Alliance started certifying devices in winter 2005, and firmware upgrades appeared by summer for most devices, consumer and enterprise alike.

The WPA2 certification has been important for government and education that wanted security at the highest level to conform to privacy, security, and securities (financial) laws. The lack of AES encryption held back wireless deployment in a number of industries, as well.

Remaining Standards Problem in 802.1X/EAP

Companies that wanted to deploy WPA as part of an 802.1X system--what the Wi-Fi Alliance calls WPA Enterprise--faced one remaining problem. EAP is not a secure protocol: it sends its messages in the clear. A method of creating an encrypted EAP session using TLS (Transport Layer Security) appeared, and was shipped by Microsoft and others as EAP-TLS, but it requires installing client certificates on every computer that wants to connect. It also leaves some useful information in the clear, although it's seemingly impossible to exploit that information. (TLS is a slightly updated version of SSL, the last version of which TLS supports for compatibility's sake.)

EAP-TLS offers mutual authentication, however, in which the client and authentication server can verify each other's identity before the transaction starts.

Two fixes to the problem appeared in the form of EAP-TTLS (Tunneled TLS) and PEAP (Protected EAP). Both methods first start a TLS session using a server-side certificate, and then pass authentication using an inner method for the actual credentials. The inner methods are numerous with TTLS and limited with PEAP. Meetinghouse and Funk support TTLS, as well as PEAP; Microsoft and Cisco developed and promote PEAP.

Oddly, Microsoft and Cisco couldn't agree on a single PEAP version. Microsoft's PEAPv0 has one inner authentication method that's not compatible with Cisco's PEAPv1. Cisco doesn't seem entirely tied to its methods, however, and Microsoft's flavor dominates.

(Even more confusingly, Cisco has also developed a successor to its early Lightweight EAP (LEAP) standard partly because LEAP is now so easily cracked; EAP-FAST has no advantages over PEAP or TTLS, but is merely a migration path for LEAP customers not ready to deploy PEAP or TTLS.)

Microsoft has shipped PEAP updates to Windows XP and 2000, and was expected to follow with Windows 98 (both versions), NT 4.0, and Me--but it appears they've dropped that plan years ago. (A free WPA client for Windows 2000 is available from Wireless Security Corporation--now part of McAfee--to enable WPA with 802.1X/PEAP or for WPA Personal.)

Meetinghouse offers a range of PEAP support for the same platforms as for EAP-TTLS, including Linux, all modern Windows (post 95) flavors, Mac OS X, and Solaris. Apple included PEAP, EAP-TLS, EAP-TTLS, and EAP-MD5 support over 802.1X in its Mac OS X 10.3 (Panther) release. Other security software firms are fully supporting PEAP plus other secure EAP methods.

The Wi-Fi Alliance now offers testing for five EAP types for WPA/WPA2 certification: EAP-TLS (part of the original WPA test suite, although not formally required, just de facto), EAP-TTLS/MSCHAPv2 (common TTLS method), PEAPv0/EAP-MSCHAPv2 (Microsoft's version), PEAPv1/EAP-GTC (Cisco's version), and EAP-SIM (of wide interest to cell operators for Wi-Fi/cell authentication convergence).

PEAP's success appears to be a given as time continues to pass and more companies give up legacy authentication in favor of EAP methods which would be fully supported under PEAP, and as third parties continue to support the encrypted standard.

All of these EAP methods still have certain amounts of risk in part because of the potential for authentication information to be wormed out of less secure systems, and then broken through brute force offline. William A. Arbaugh maintains a list of currently well-known problems; it's a constantly updated site.

With a secured EAP method, however, enterprises have an extremely low risk and extremely high protection with all that is known today. WPA Enterprise even solves the weak WPA key possibility: servers that offer WPA Enterprise issue unique keys to each user that are randomly generated and are the full maximum bit-length available.

How to Add Enterprise Security

Home users can rely on WPA Personal with a strong passphrase as the best method of protecting their network; they can even turn on WPA2 Personal if they want the added, but unnecessary, security. But even small businesses need the flexibility of user accounts and passwords that are simple for the network's users and can be revoked or have other policies applied on a per-user basis.

On the high end, large enterprises with IT staff and budgets can turn to existing RADIUS and AAA providers for full WPA Enterprise support that will feature full WPA2 key support when that certification is finalized. These companies include Funk, Meetinghouse, Microsoft (Windows Server 2003), and many others.

Small- to medium-sized businesses have several options open to them that shipped in the last year or so that are designed as either a low monthly recurring cost per user for outsourced authentication or a reasonable fixed flat or per-user fee for in-house servers.

I've written about both outsourced and in-house authentication solutions at Mobile Pipeline.

Vigilance

Eternal vigilance is the price we pay for a standard that deployed faster than security improved. It took years, but we now have a robust and trustworthy replacement for broken encryption methods.

1 Comment

It's worth noting that wpa_supplicant, an open-source WPA supplicant piece from Jouni Malinen (also primary developer of the HostAP driver for Prism-based 802.11 cards), supports many flavors of EAP: EAP-TLS, PEAPv0, PEAPv1, and EAP-TTLS.

Many other EAP methods are supported too, as well as support for WPA-Personal. wpa_supplicant can be obtained at http://hostap.epitest.fi/wpa_supplicant/ or some distros like Ubuntu include it now by default.

The software can be used with drivers for Atheros cards http://madwifi.sf.net, Prism cards http://hostap.epitest.fi, and the Linuxant DriverLoader http://www.linuxant.com/driverloader that will allow you to load Windows NDIS drivers in Linux. This last option is one of the only ways you can use Broadcom-based 802.11b/g radio cards in Linux.