Re: LEAP Security Vulnerabilities??

["Steven M. Bellovin" <smb () research att com>]

In message <20020613212153.GN71564 () overlord e-gerbil net>, Richard A Steenberge
n writes:
> On Thu, Jun 13, 2002 at 02:34:29PM -0500, Stephen Sprunk wrote:
> > WEP's only real failure was the failure to specify keying; vendors (and
> > users) with less security experience interpreted this to mean static
> > keys were sufficient.
> >
> > The choice of RC4 was unfortunate given the above problem, but the
> > coming switch to AES should fix that.
>
> Most existing wireless APs cannot keep up with 802.11b doing RC4 (which is
> EXTREMELY light on the cpu) at line rate. 

RC4 if used properly is light-weight.  802.11 is employing it in an 
unnatural environment, and that causes trouble, including performance 
issues.

More specifically -- RC4 is a stream cipher, which means that it must 
be employed over a reliable underlying data stream.  It's perfect above 
TCP, for example.  But 802.11 is a packet environment, with no 
underlying stream.  Accordingly, the base RC4 key -- 40 bits or 112 
bits -- is combined with a 24-bit number (sometimes a counter, 
sometimes random, but in either case sent in the clear in the packet) 
to form an actual RC4 key that's used to encrypt just a single packet.  
The problem is that key setup is roughly as expensive as encrypting 300 
bytes or thereabouts.  So all those 40-byte TCP ACK packets are a lot 
more expensive for crypto processing than they should be.

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com ("Firewalls" book)