Networking

SolutionBase: Understanding the difference between WEP and TKIP when securing wireless networks

WEP is the most popular way to secure wireless networks but it's not always the best choice, because it's still kind of new. What other option do you have? Brien Posey shows you how TKIP can help secure wireless.

Since the time that wireless Wi-Fi networks began to emerge, such networks have been scrutinized as being security risks. As a result of such scrutiny, there are dozens of techniques that can be used to secure wireless networks, and I personally believe that when security is applied correctly, it is possible to make a wireless network even more secure than most wired networks.

Before you can even hope to reach this level of security though, you need to understand the threats to wireless security, and the countermeasures against such threats. It's impossible for me to discuss all of the various wireless security threats in the amount of space that I have to work with. I do however want to use this opportunity to discuss some of the newer wireless exploits and what you can do to counter them.

Encryption, Encryption, Encryption

Wireless networks are inherently insecure. Anyone with a laptop and a wireless NIC can easily spy on anything being sent across a wireless network. This one point has received so much mainstream media attention that I was shocked to learn that as of December 2004, an estimated sixty to seventy percent of all wireless networks still do not use encryption.

Granted, a lot of these unprotected networks are home and small business networks. For most home and small business users, WEP is the only available type of encryption. Most people who choose not to enable WEP do so because they either don't know that it exists, they don't know how to enable it, or they know that WEP can be cracked, so they figure that there is no point in installing it.

That being the case, I should probably write a paragraph explaining why you should ditch your existing wireless equipment in favor of something more secure. However, I know that budgets can be tight, especially around the home or for small businesses. Although newer Wi-Fi equipment will give you better security, I know that upgrading equipment might not be an option.

If you find yourself in a situation in which WEP is the only type of encryption supported by your wireless equipment, and you can't upgrade to something better, then my recommendation is to go ahead and implement WEP encryption, even though it is flawed. There are a couple of reasons for this. First, there is no reason to just hand a hacker an unsecured network. If someone wants to hack your network, make them work for it. Besides, WEP encryption is not as easy to hack as the media makes it out to be. The hacker must capture a very large number of packets before they can break the encryption. It would take the average home user about two to four weeks to do enough Internet surfing to produce enough data to compromise a WEP key. Few hackers are patient enough to spend a month waiting on enough data to get a WEP key for a home network, especially if your neighbors have a wireless network that isn't encrypted.

For small businesses, the amount of time that it would take to produce enough data to compromise a WEP key really varies depending on the number of employees and the nature of the employee's jobs.

In either case, you can dramatically increase the security of WEP by changing your WEP keys frequently. As long as WEP keys are changed prior to enough data being transmitted to allow a hacker to decipher the keys, then WEP can be an effective form of encryption.

It is still advisable to use newer encryption techniques rather than WEP though, because there are techniques that hackers can use to acquire enough data to decipher your WEP key more quickly. One such technique involves using a laptop or a jamming device to perform a limited denial of service attack against the network. The idea is to produce interference so that about half to a third of the packets being wirelessly transmitted do not reach their destination. This causes the machine that's sending the packets to retransmit the packets that have not been received. Forcing excessive retransmissions greatly expedites the amount of time that it takes to capture the required amount of data.

One way to protect yourself against this type of attack is to configure your wireless equipment to use the smallest possible frame size. Smaller frames are less efficient than larger ones, but are much less susceptible to interference. Here's an example that's over simplified, but it gets the point across. Imagine that you had a 10 KB message to transmit and you were using a 10 KB frame size. If any portion of the frame were not received correctly, then the entire 10 KB would have to be retransmitted. However, if a 1 KB frame size were used, then the 10 KB message would be transmitted across ten different frames. If a small amount of interference was encountered, then one of the frames might be disrupted. However, only that one, 1 KB frame would have to be retransmitted rather than the entire 10 KB.

As I said, this example was grossly over simplified because it doesn't take into account the overhead associated with each frame, but I wanted to make a point. Smaller frame sizes are less efficient than larger frame sizes because there is a certain amount of overhead associated with each frame. Smaller frame sizes mean that more frames will be required, and more frames mean more overhead. Therefore, in a sense, you are placing more traffic on your network by using smaller frame sizes, but at the same time, doing so greatly limits an attacker's ability to effectively force a lot of retransmissions.

Temporal Key Integrity Protocol

When I set out to write this article, I had originally intended to talk about some of the vulnerabilities associated with TKIP (Temporal Key Integrity Protocol), which many security experts consider to be uncrackable. However, there are still so many people using WEP or no encryption at all, I felt obligated to spend some time discussing it,

Let me say up front that TKIP is substantially more difficult to crack than WEP, and in some instances may very well be impossible to crack. However, there are multiple ways in which TKIP can be implemented, and a weak implementation can lead to TKIP being cracked. Before you can understand why this is possible, you need to understand how TKIP works.

One of the things that made WEP so vulnerable was the use of a shared key. Any time WEP encrypts data, the encryption is based on the shared key, plus three semi-random digits. The shared key is static and is never changed unless an Administrator does so manually. It's the static and long term nature of the shared key that makes WEP vulnerable to cracking.

Like WEP, TKIP relies on shared keys, but the shared keys are usually dynamic in nature. TKIP is designed to use 802.1x and a RADIUS server to generate, rotate, and distribute shared keys. This approach guarantees that shared keys are changed very frequently. To the best of my knowledge, a wireless network encrypted with TKIP that is also using 802.1x and RADIUS has yet to be cracked.

The problem with TKIP is that 802.1x and RADIUS are not requirements. TKIP is designed so that if hardware constraints prevent the use of 802.1x, then a preshared key can be used as the basis for key establishment. Although the TKIP specification permits each client to use a different preshared key, the only existing real world implementations use a single preshared key for the entire network. Is this starting to sound familiar?

Before you come to the conclusion that TKIP is no better than WEP because of the way that it uses preshared keys, there is a big difference that you need to understand. In a WEP environment, the preshared WEP key is combined with three other digits and is used to encrypt the data being transmitted. In TKIP, the preshared keys are used to generate Pairwise Transient Keys (PTK). It's the way that the PTKs are generated and distributed that produces the vulnerability.

The keys are distributed via a four way handshake process and are created by using a repetition of the first two packets of the handshake, the two MAC addresses involved in the handshake, and the preshared key. A network sniffer can easily expose the handshake process (and the bits included in it) and the MAC addresses of the hosts involved in the process. Since this information is so easy to get, all you need is the preshared key, and you can start spoofing PTKs (or you could even create legitimate PTKs).

So the million dollar question is how do you get the preshared key? It isn't quite as easy as getting a WEP key, but it can be done. In WEP, an administrator enters a short pass phrase and the pass phrase combined with three extra digits is used to encrypt traffic. In a TKIP environment, the preshared key is always going to be 256 bits long. Few administrators are going to create and remember a 256 bit (32 character) pass phrase. Therefore, what ever pass phrase the administrator enters is combined with other data and then hashed to produce the preshared key.

The process works like this: The pass phrase is concatenated with the ESSID and the ESSID's length. The resulting string is then hashed 4,096 times to create a 256 bit key. Right now, you are probably thinking that it would take an eternity to crack a 256 bit shared key that has been hashed over 4,000 times. It might not be as difficult or as time consuming as you think though.ï¿? According to the 802.11i standard, a typical pass phrase has about two and a half security bits per character. When you take into account the ESSID, a pass phrase of X characters would have approximately 2.5X+12 security bits.

This means that a 20 character pass phrase would have an average of just 62 security bits. A high end PC could break the encryption through brute force in less than a day. As you can see, a word to the wise would be that if you are planning on using TKIP with shared keys, then you should really consider making your pass phrase over 20 characters long to prevent it from being cracked too easily.

The only piece of the puzzle left is the tool that you would use to perform the brute force crack with. At the moment, I am not aware of a brute force password cracker for the preshared key, but then again, I am not a professional hacker either. What I can tell you is that the preshared key is created based on applying the PBKDF2 cryptographic method to a combination of the pass phrase, the ESSID, and the ESSID's length. If you are not familiar with PBKDF2, it is based on the PKCS #5 version 2.0 cryptography standard that is commonly used to encrypt passwords. Therefore, if someone wanted to either download or create a brute force password cracker that could decipher the preshared key, they would simply need to look for (or write) a cracker based on PBKDF2.

OK, so it is possible to derive the preshared keys by dissecting the PTKs, but doesn't TKIP still use PTKs even if 802.1x and RADIUS are in use? Yes it does, but you have to remember that in an 802.1x environment the keys change as often as the administrator wants them to. This can be every week, every hour, or even every couple of minutes. Since the PTKs are based on keys, if the keys change, the PTKs will change as well. By the time someone deciphers the key by analyzing the PTKs, the key will either have already been changed or will be about to expire.

Not perfect, but better than WEP

As you can see, TKIP combined with 802.1x and RADIUS is by far the safest choice for encrypting data flowing across a wireless network. You can further protect the security of your data by implementing additional encryption at the TCP/IP level. For example, you could encrypt data with IPSec prior to transmitting it. The reason why you might want to do this is because although TKIP has yet to be cracked when used in conjunction with 802.1x and RADIUS, there have been reports of hackers combining man in the middle attacks with denial of service attacks in an effort to intercept and manipulate strongly encrypted data flowing across wireless networks.

The actual technique is very complicated. The technique involves setting up a laptop with two different wireless NICs. One NIC is used as a jammer to block access to a legitimate access point. The other NIC is used as a rogue, software based access point. The laptop is also running a RADIUS server in the background. The idea is that clients latch on to the hacker's machine rather than the legitimate access point, and data is exposed as a result. This is why additional levels of encryption are advisable.

Editor's Picks