Researchers crack new wireless security spec

[InfoSec News <isn () c4i org>]

http://www.infoworld.com/articles/hn/xml/02/02/14/020214hnwifispec.xml

By Ephraim Schwartz 
February 14, 2002 2:12 pm PT

A UNIVERSITY OF Maryland professor and his graduate student have
apparently uncovered serious weaknesses in the next-generation Wi-Fi
(Wireless Fidelity) security protocol known as 802.1x.

In a paper, "An Initial Security Analysis of the IEEE 802.1X Standard"  
funded by the National Institute of Standards, Professor William
Arbaugh and his graduate assistant Arunesh Mishra outline two separate
scenarios that nullify the benefits of the new standard and leave
Wi-Fi networks wide open to attacks.

The use of public access "hot spots" are particularly vulnerable to
session hijacking because these locations do not even deploy the
rudimentary WEP (Wired Equivalent Privacy) protocol.

"This problem exists whether you use WEP or not, but it is trivial to
exploit if not using WEP," said Arbaugh.

Dubbed "session hijacking" and "man-in-the-middle," both attacks
basically exploit inherent problems in Wi-Fi as well as exploiting how
the new 802.1x standard is designed.

"Here's how session hijacking works. The hacker waits for someone to
finish successfully the authentication process. Then you as the
attacker send a disassociate message, forging it to make it look like
it came from the AP [access point]. The client [user] thinks they have
been kicked off, but the AP thinks the client is still out there. As
long as WEP is not involved you can start using that connection up
until the next time out, usually about 60 minutes," said Arbaugh.

A session hijacking can occur because of the so-called race conditions
between the 802.1x and 802.11 state machines. Arbaugh uses the analogy
of a thief and a store owner racing for the front door at the same
time. If the owner gets there first he locks the thief out, if the
thief gets there first he steals everything. Because the client and
the AP aren't synchronized, "loose consistency," the thief can tell
the owner/client to go away and the AP still thinks he is there.

"The robber gets there first," said Arbaugh.

The second form of attack is called man-in-the-middle, and while Brian
Grimm, a spokesman for WECA [Wireless Ethernet Compatibility Alliance]
said that the Wi-Fi association was aware of the problem and that it
had already been fixed, Arbaugh said he had not heard from WECA but
that he "would be shocked if they solved the problem."

The man-in-the-middle attack works because 802.1x uses only one-way
authentication. In this case, the attacker acts as an AP to the user
and as a user to the AP.

"The trust assumption that is reflected from this design is that the
access points are trusted entities, which is a misjudgement. The
entire framework is rendered insecure if the higher-layer protocol
also performs a one-way authentication," according to the Arbaugh,
Mishra paper.

One industry analyst was not surprised by the lack of security that
802.1x offers.

"It [802.1x] is a security feature but everybody already knew it
wasn't really the only thing you need to do," said Gemma Paulo, an
industry analyst specializing in networks at Instat in Scottsdale,
Ariz.

(Other than the initial response downplaying the seriousness of the
security breach from the WECA spokesman, no other response was given.  
Grimm said an expert would return InfoWorld's call, but no additional
response was received at press time.)

The real problem is the fundamental way in which Wi-Fi works,
according to Arbaugh. Although rapid rekeying of WEP keys, for
example, which will be implemented in the next security standard
called TKIP [Temporal Key Integrity Protocol], makes it more difficult
to crack, Arbaugh said the entire design is just not good security.

"You are relying on a confidentiality mechanism, and in general that
is considered bad design," he said.

The next generation of security is TKIP and is backward-compatible
with current Wi-FI products and upgradeable with software. TKIP is a
rapid re-keying protocol that changes the encryption key about every
10,000 packets, according to Dennis Eaton, WECA chairman.

TKIP will be available in the second quarter, said Eaton.

But Arbaugh says TKIP does not eliminate the fundamental flaw in Wi-Fi
security.

"If anybody breaks TKIP, they not only break the confidentiality but
they also break the access control and authentication so one break
breaks everything. That is not good design. Each security mechanism
should stand on its own," he said.

Longer term, the IEEE Standards body intends to adopt AES [Advanced
Encryption Standard], the same security protocol sponsored by the
National Institute of Standards.

"AES is state of the art encryption technology," said WECA chairman
Eaton.

But AES requires hardware acceleration using a co-processor to
off-load the encryption and decryption or it would slow the throughput
down to an unacceptable level, according to Eaton as well as Instat's
Paulo. It also requires new Wi-Fi cards in the client devices. AES
will be available in the first quarter of 2003.

Arbaugh said the 802.1x specification proves what he and Mishra say in
their paper is correct.

"If you look at the 802.1x, they tell you the 1x protocol is insecure
when used in a shared medium environment unless a security association
is established. Since 802.11 doesn't do that, so by IEEE's own words
it is insecure," Arbaugh said.

The specification reads as follows on page 35, section 7.9, lines
34-39.

"However, it should be noted that such use can only be made secure if
communications between the Supplicant [Client] and Authenticator
[Access Point] systems takes place using a secure association.

Attempting to use EAPOL in a shared medium environment that does not
support the use of secure associations renders Port-based network
access control highly vulnerable to attack ..."

See www.drizzle.com/~aboba/IEEE/802-1x-d11.pdf for the entire
specification.

 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.