Security evaluation of 802.11i 179
Uberhacker.Com writes "Server Pipeline features an interesting report on the security viability of 802.11i. As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. 802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
Except of course... (Score:4, Funny)
Re:Except of course... (Score:2, Funny)
Re:Except of course... (Score:2)
Sorry man, wasn't funny. Too obvious.
It's gonna cost me karma, but I thought you should know for the next time you tell a joke.
What's the 'i' for? (Score:2, Funny)
Re:What's the 'i' for? (Score:2, Funny)
No, the i is to make the protocol more marketable and appealing to Mac users ;p
*ducks*
Security? (Score:2, Funny)
(obligatory post, sorry)
Security? (Score:5, Interesting)
Comment removed (Score:5, Insightful)
Re:Security? (Score:4, Informative)
AES et. al. means that noone can eavesdrop on your conversation - It's encrypted form end to end. That means if your talk to your bank via https over an AES secured connection, your connection is secured to thier web server at layer 2, while your passwords etc. - session data - are encrypted at layer 4.
That way, if someone does somehow break into your converstaion, the session data is still protected.
AES secures the physical layer, the other systems secure the actual conversation.
Soko
Re: (Score:2, Troll)
Re:Security? (Score:2)
So broadcasting that info in the clear over the airwaves isn't the best idea for security.
Re:Security? (Score:2)
Re:Security? (Score:2, Insightful)
Who'd a thought it?
Re:Security? (Score:5, Insightful)
Yup your L2 is secured and your L4 is as well when we get ipsec in place your l3 will also be secured.
It's all breakable it's just a question of time vs computing power. There is only one known unbreakable encryption method the one time pad (quantom encrypt is realy just pad generation and distribution with the added benifit of being tamper evident)
AES secures Layer 2, the physical layer might be secured via fairiday(sp?) cages, directional anetena's guys, guys with guns etc. But only the realy paranoid worry about that to much.
Overall is a good idea to secure each and every layer as it just adds to the ammount of computation required to decrypt what you want.
Re:Security? (Score:4, Informative)
Extreme Example: I may check mail from a corporate mail server. My mail session is encrypted via SSL but you can still tell which server I am communicating with. Let us say someone knew that an employee of my company lives in my town, and they wanted to find out which house that employee (me) lived in so that they could start monitoring their physical mailbox for some important letter.
If they came to my town, which uses 802.11b WISPs which 1/2 of don't use encryption because WEP is so breakable (I wish they'd turn it on to protect from casual tapping, but oh well, at least my email is sent over SSL), they could drive around for a few minutes sniffing until they triangulated the signal that was sending packets to that corporate mail server.
Am I worried about this happening? Not so much, because I have a P.O. box
Additionally, many people don't have the ability to tunnel their unencrypted data (like port 80 web traffic) to obtain ubiqitous encryption over wireless. I personally think that is the next evolution of wireless routers (including easy but secure VPN services on the router itself which can be used in conjuction or in place of lower level encryption). But until it becomes easy for the masses having a strong, common low level encryption technology is key.
Re:Security? (Score:5, Informative)
Please stop abuseing the phrase "security through obscurity." The catch phrase was meant to apply to one and only one case: The practive of obscuring encryption algorithms. Bruce Schneier's thesis was that an encryption system that relied on a secret or hidden algorithm was not secure. The phrase "security through obscurity" does not apply to anything else.
Some forms off security relies on obscurity. Encryption is just a fancy word for data obscurity. Passwords, secure tokens, and RSA private keys should all be kept hidden or obscured. It should not be to hard to think of many forms of physical and data security that include some form of obscurity.
One of the advantages to using encryption at the link layer is that it is harder to perform traffic analysis if an attacker can't determine the destination of the packet. Another advantage is access control. Only hosts that know the secret key can join the network. Both of these advantages are forms of security.
Re:Security? (Score:2)
Since we're talking about wireless, and the fact that a random sniffer can't determine where the packets are going, how does a legitimate computer on the network determine where the packets are going?
Does my handheld have to decrypt everything it receives, whether or not it's destined for the handheld, in order to see which address it is to, and then discard it?
Re:Security? (Score:2)
In theory yes. It is not nearly as hard as it sounds. The device only has to decrypt enough to get the destination hardware address. A hardware crypto coprocessor does all the work. In practice 802.11 only encrypts the frame body. The source and destination hardware addresses and some other control fields are sent in the clear.
Re:Security? (Score:5, Informative)
You fail to understand the security community's use of "security through obscurity." In its proper context, this phrase means that one attempts to secure (for example) an implementation of a security protocol by not disseminating information about how that system works. For example, if someone creates a new asymmetric encryption algorithm, and does not subject it to publication and the scrutiny of peer review... then that's security through obscurity. Security through obscurity, for topics like encryption algos, is heavily frowned upon. Historically, peer review has proven best able to create robust protocols and implementations.
Locking down multiple layers in the network stack has another phrase that is very applicable: "defense in depth". I.e. if one of your security measures fails, you are wholly or partially protected by one or more other security measures. Defense in depth is generally considered to be a good technique to employ.
Re:Security? (Score:5, Insightful)
Re:Security? (Score:2)
Re:Security? (Score:2)
Re:Security? (Score:5, Insightful)
you don't have to be totally hack-proof, just moreso than any other potential target. :)
Interesting Traffic... (Score:2, Interesting)
Re:Security? (Score:3, Insightful)
The real problem with WEP was with the init vector. It was trivially easy to crack, given enough packets. From that point forward, Joe Pr0n and Suzi Spammer were using YOUR bandwidth to do their nefarious deeds. Would you be happy when the FBI came to your door with a search warrant for kiddiepr0n?
What about those death threats to the prez that came from your IP? With your email address?
Re:Security? (Score:3, Insightful)
If you insist that security be applied at the application layer, you are insisting that all application programmers include security provisions in their software. And then, the security routines must go through peer review and analysis for at least a cursory inspection for vulnerabilities.
If you apply the security at the link layer, then you're securing a different thing. You're securing all communication across that link. There is an overwhelming desire to accomplish th
Corporations (Score:3, Informative)
I have worked with the air fortress and it encrypts at the layer 2 level so no network topology can be determined.
Very nice but it would be even better is it didn't require a client or that the client was ubiquitous with the driver.
Nick Powers
Re:Security? (Score:4, Insightful)
Crypto 101: don't encrypt any redundant or easy-to-guess data. That's why PGP compresses data before encrypting it.In World War 2, the allies searched for the phrase "Heil Hitler" in encrypted German messages. It worked with surprising frequency. Many of the attacks against Kerberos 4 rely on excessive encryption: if you're sending a request from a specific host, it's kind of silly to encrypt the name of the host that's requesting a ticket. It's just one more bit of plaintext to search for. That's why Kerberos 5 moved more information to plaintext.
Please learn about crypto before trying to teach. (Score:3, Informative)
Completely wrong. Crypto 101: don't try and work around unknown flaws in the crypto at higher protocol levels - you're doomed to be chasing your tail forever. Use a secure protocol, and rely on it. AES in EAX mode will be secure no matter how redundant or easy-to-guess your data is.
I'm pretty sure your information about Kerberos is wrong - the Kerberos people had better cryptographers than to make a mistake like that. There were other cry
Re:Security? (Score:2)
Instead, I got an angry follow-up that was just plain wrong, missed the point, and pulled the "I think you might be wron
Re:Security? (Score:2)
It also forces anyone who wants to hack to be in the building - i.e. forces you to get through physical security. If you can work on hacking from a parking lot, you're pretty screwed.
In addition, many networks assume that the interior is trusted - that good guys are on th
Re:Security? (Score:5, Insightful)
To compare it to its non-internet equivalent, it is the difference between allowing everyone to see your phone records (anyone can look at where your packets are headed), and requiring a subpoena to disclose them to a court of law (subpoena the ISP or destination sites' logs). In neither case can they see or hear exactly what you said to the other end, but obviously the latter is much preferable for anyone interested in privacy.
Re:Security? (Score:2)
Re:Security? (Score:2)
Equally significant, suppose that I do exacly as you say and only encrypt application layer data while
Re:Security? (Score:2)
Maybe you don't, but there are plently of us who would perfer not to broadcast with the world information about everyone with whom we communicate.
Re:Security? (Score:2)
You can do even more... But this suffices as an example that hardware level encryption is not the last and final security feature that makes the world a better place. It's one of many.
AES, buzzword of the moment (Score:5, Insightful)
AES is the buzzword of the moment. The real question: is 802.11i implemented in such a way that it is secure from the get-go (even at the expense of usability), and implemented in such a way that it can be upgraded quickly and easily should exploits be found.
Well?? I don't give a damn what algorithm it uses, I just want it to use the algorithm CORRECTLY.
Re: (Score:2, Funny)
Re:AES, buzzword of the moment (Score:2)
Maybe if the OP offers a critique of how AES was implemented in 802.11i, then it's insightful...
Re:AES, buzzword of the moment (Score:2)
AES really secure? (Score:3, Interesting)
If it's really secure, why does our favourite tree-letter-agency allow it for normal citizens? So much for paranoia...
Re: (Score:3, Informative)
Re:AES really secure? (Score:2)
Yes, AES really is secure (Score:3, Informative)
Re:Yes, AES really is secure (Score:2)
There are attacks that have not been tested, and are undergoing some rigorous mathematical attacks now. I personally do not know the details, but it involves establishing a 1:1 mapping onto a finite field or reducing it to an algebraic cipher. One of my crypto friends is working on this right now.
AES was accepted by NIST before it was fully tested. I do not trust it, and I'm not even the most paranoid.
More info here. [cryptosystem.net]
Re:Yes, AES really is secure (Score:2)
I don't think NIST left enough time for the AES process - especially since they asked for something so novel (there were very few 128-bit block ciphers
NSA doesn't just allow it, they use it themselves. (Score:3, Informative)
Of course, in this context, "NSA-approved cryptography consists of an approved algorithm; an implementation that has been approved for the protection of classified information in a particular environment; and a supporting key management infrastructure." I suspect
Re:NSA doesn't just allow it, they use it themselv (Score:2)
ARGH! (Score:5, Insightful)
Wep was designed with the model:
1. pretty acronyms.
2. mumnle mumble mumble
3. SECURITY!!!
You could use AES in wep and it would still be breakable, the key exchange was piss poor, making the entire system piss poor.
I didn't read the article, this was just me bitching at the slashdot post, and people who believe fancy new encryption = security automagically.
Re:ARGH! (Score:3, Interesting)
Re:ARGH! (Score:2)
STill doesn't change the fact that you can't throw AES at something and get the happy land of magical computer/network security.
Re: (Score:2)
Re:ARGH! (Score:2)
Re:ARGH! (Score:2)
Re: (Score:2)
Re:ARGH! (Score:2)
802.11i appears to be a genuine attempt to create an open and secure system that is (mostly) free from the interference that crippled WEP.
Re:I wonder... (Score:2, Interesting)
The weak key problem has been addressed by all manufacturers via firmware updates. You are now forced to do dictionary attacks which require a large number of packets and resources. Still hackable, but not nearly as easy.
You need to r
Re:I wonder... (Score:2)
I know.
You need to read the article (which I didn't read). I don't need to read it since I know about the changes already. You'll find the key exchanges when combined with a true AAA provide a secure solution.
I was pointing out that magic acronyms do not equate with great security, in
Re:ARGH! (Score:3, Insightful)
I agree that "AES" isn't a magic incantation to make things secure, but TBH it's a happy day when we're having to explain that, instead of having to explain why hand-rolling your algorithms isn't such a good plan. With WinZip, it even seems we're having to explain why using a secure encrypt-then-authenticate mode with secure p
Re:ARGH! (Score:3, Insightful)
WEP's failing was exactly a bad algorithm.. the fact is that the first 200 bytes or so of any RC4 cipher stream are predictable
No, WEP's failing was the misuse of a good algorithm. RC4 is a solid, well-respected algorithm, but using it correctly requires that the first few hundred bytes of the the keystream be discarded after every rekeying operation.
Re:ARGH! (RC4) (Score:2)
Out of curiosity, why?
(Got any links so I can read up on the why and wherefore?)
Re:ARGH! (RC4) (Score:4, Informative)
Out of curiosity, why?
I don't recall the details, but an attack was found a few years ago that allows the key to be recovered if the attacker can get the first few bytes of the keystream. Doing it requires the first few bytes of many related keystreams, and getting the keystream from the ciphertext requires that the attacker have the plaintext. With WEP, RC4 is rekeyed for every packet, and the first few bytes of each packet are highly predictable, so an eavesdropper can fairly easily gather enough data to mount the attack.
Got any links so I can read up on the why and wherefore?
Google turns up plenty. Here [drizzle.com] is the original paper, which has all of the dirty details. Here [isoc.org] is a paper that describes how to use it to attack WEP. And, of course, if you'd like to read code that implements the attack, look at Airsnort [shmoo.com].
Its about time!! (Score:4, Interesting)
Fears about security have prevented WLAN from achieving all that it can potentially achieve. It was ridiculously easy for someone to break into a wireless LAN. 802.11i was seen to be the saviour, but the infighting among the various stakeholders always prevented the mechanisms defined under 802.11i from being accepted globally.
I hope things will change for the better now!
To Little to Late (Score:5, Interesting)
Re:To Little to Late (Score:2)
Also, WiMax doesn't really compete with 802.11.
Getting There... (Score:5, Insightful)
Encryption makes configuring your wireless network 10x harder for the average person.
As the article recognizes, "the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges."
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
So what is the average user supposed to do? Just keep waiting, I guess...
And therein lies the problem (Score:5, Insightful)
No.
Because then you don't necessarily know if you're connecting to an attacker's access point or not. This is mostly why security doesn't belong at L2 -- you don't care or trust the next hop, you trust the endpoint (or at least some faraway gateway that gets you into the endpoint).
--Dan
Re:And therein lies the problem (Score:2, Insightful)
Realistically, users are going to connect to whatever AP they can reach. I don't see how you deal with attacker APs other than by encrypting at higher levels, or adding L2 authentication/certs. The latter seems pretty undesirable.
11i is the solution to not quite the right problem.
Re:And therein lies the problem (Score:2)
There are some very, very ugly active attacks that people haven't even begun to explore.
That being said -- 11i solves the problem of, given a widely distributed network of corporate access points, how do you prevent people from rummaging around your internal network without going to a concentrator? Answer -- force them to check in w/ 11i.
--Dan
Re:Getting There... (Score:2)
And most people aren't up to average - the geeks throw the ratio all out of wack.
In order to sell products the wifi manufacturers make it as easy as possible, but they DO include security options. I'm not going to argue about that.
A) Free wireless access for me and my friends through people who don't care enough to secure their networks.
B) Keeps me employeed securing networks of those who are interested.
Re:Getting There... (Score:2)
5 million packets and 1 minute... (Score:4, Informative)
Reverse Spelling Errors (Score:4, Funny)
Reversal:
totoly-secret-messeges
Re:Reverse Spelling Errors (Score:2)
Re:Reverse Spelling Errors (Score:2)
Re:Reverse Spelling Errors (Score:2)
Twice, for extra security
Re:Reverse Spelling Errors (Score:2)
AES is good enough for the most paranoid? (Score:2, Informative)
Re:AES is good enough for the most paranoid? (Score:2, Interesting)
As a relatively new cipher, this is not unexpected. The conservative security choice would have been to choose 3DES, as the new DES.
Although it's pure speculation, it's possible Rinjdael was chosen by interested parties and deemed 'strong enough for commerce' for reasons related to catching filthy cave dwelling scum.
Reality is that which continues to exist after you stop believing in it.
AES is good enough for the most paranoid. (Score:5, Informative)
Even the designers of Serpent would say that they believe there are no practical attacks against AES. I voted for Serpent myself, but I still believe Rijndael is an excellent cipher the whole community can rally behind, and overwhelmingly that's what the crypto community is doing.
Re:AES is good enough for the most paranoid. (Score:2)
Yes, the attack is applicable to ciphers other than AES.
No it's not a practical attack. A practical attack and an academic break are completely different things.
For example, a theoretical attack that reduced key recovery time from 10^14 MIPS years to 10^6 MY is still probably impractical to break for most attackers. However, the loss of security in such a scenario would be considered serious.
Re:AES is good enough for the most paranoid. (Score:2)
We do not know whether the attack is applicable against any ciphers. However, if it will fly, then Serpent falls harder than Rijndael does - a surprising result for everyone, and evidence against the lobby that says "NIST should have gone for Serpent for security, not Rijndael for speed".
I confess at this point that, like Schneier, I'm not 100% certain that no academic attack on Rijndael
Faster is Better (Score:2)
It means cheaper faster ASICS which means more encryption happening.
If Serpent costs more to implement less AES will be happening.
As AES approaches "free" encryption gets thrown in everywhere, leading to a more secure national infrastructure. If Rinjdael over Serpent accelerates this process by a year or two, that might be very significant. Of course, it could also be meaningless, but we just don't know.
Re:AES is good enough for the most paranoid? (Score:2, Interesting)
Why use WLAN encryption at all? Use IPsec! (Score:2, Interesting)
Yeah - it's a little bit slower when the en/de/cryption is done on the client but in most cases you won't notice. And on the AP you can use a crypto accelerator.
If you don't want to use a PC as AP just use http://www.m0n0.ch/wall/ in combination with http://www.soekris.com/net4501.htm (they ship with cases too
Taking the load off the programmer (Score:4, Interesting)
Re:Taking the load off the programmer (Score:2)
I fail to see the difference between your two suggestions. Just tacking some sort of signature onto a packet (like a session id or something) would not work because it would be in the clear. There is no choice but encryption.
Re:Taking the load off the programmer (Score:2)
Using a public key cryptosystem would help by authenticating users with the access point. And then perhaps encrypting it too, with a randomly generated session key pair, one from the AP, and one from the client, so that it is encrypted and signed to keep data private, and verify the sender. The drawback is that it is slower than using a symmetric algorithm (They can be smaller: When I look at RC*, I t
Layers (Score:2, Interesting)
At some point you have to start trusting the network, and stop worrying about how big your key is, or how long it takes to crack. Use a VPN for work. Use SSL for private email. Don't auto login to websites. If people start
Security out of the box (Score:3, Insightful)
The problem is, all these devices are shipped for easy setup. Easy setup means "security off". People set up their networks and quit there. No wonder everyone thinks WiFi is insecure. It's a network, just like a wired network. Go through the steps to secure the wireless network too fellas. If we can get people to turn on the security features right away, or do as Apple does and ship stuff with all ports closed and security functions on, then we'll be in a better place. Sure, it may make setting up your WiFi network a bit more cumbersome or time-consuming in the beginning, but that extra five minutes is well worth it.
Re:Security out of the box (Score:2, Informative)
Perspective (Score:3, Insightful)
The point is by securing the network at all you are putting up the equivalent of a "private property" sign. Legally, it helps a great deal. I can see a defense argument for an unsecured AP that is shouting it's SSID into a 2 block radius. However, if you have to crack it, then there is no question about legality -- you are breaking the law.
No, don't rely on WEP for security. Use and IPSec tunnel on top of it if you want security. But WEP *does* serve a great purpose in wifi -- covering your ass legally.
-Charles
Woefully inadequate? Nah, just poorly implemented. (Score:2)
I wouldn't necessarily say that WEP is woefully inadequate as much as it is extremely poorly implemented. It could have worked well but it had serious implementation issues.
As all slashdotters probably already know about:
The (in)security of WEP [berkeley.edu]
Re:muster? (Score:2)
Naval expression, I believe. All the sailors gather (or muster) on deck and the captain inspects 'em. If their kit is all in order, they've passed muster.
Re:muster? (Score:2)
Re:muster? (Score:3, Informative)
Re:muster? (Score:2)
Re:We'll finally be secure when 802.11z comes out (Score:2)
Re:wireless has always been hard to secure (Score:2)
Re:It's all about key management (Score:2)