IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated the broken Wired Equivalent Privacy (WEP); the amendment was later incorporated into the published IEEE 802.11-2007 standard.
802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of
A Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40-bit keys with an even higher success probability. In 2008 the Payment Card Industry Security Standards Council (PCI SSC) updated the Data Security Standard (DSS) to prohibit use of WEP as part of any credit-card processing after 30 June 2010, and to prohibit any new system from being installed that uses WEP after 31 March 2009. The use of WEP contributed to
A 2001 disclosure of a severe design flaw in the algorithm, WEP was never again secure in practice. In the vast majority of cases, Wi-Fi hardware devices relying on WEP security could not be upgraded to secure operation. Some of the design flaws were addressed in WEP2, but WEP2 also proved insecure, and another generation of hardware could not be upgraded to secure operation. In 2003, the Wi-Fi Alliance announced that WEP and WEP2 had been superseded by Wi-Fi Protected Access (WPA). In 2004, with
A 24-bit IV, there is a 50% probability the same IV will repeat after 5,000 packets. In August 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir published a cryptanalysis of WEP that exploits the way the RC4 cipher and IV are used in WEP, resulting in a passive attack that can recover the RC4 key after eavesdropping on the network. Depending on the amount of network traffic, and thus
A four-step challenge–response handshake: After the authentication and association, the pre-shared WEP key is also used for encrypting the data frames using RC4. At first glance, it might seem as though Shared Key authentication is more secure than Open System authentication since the latter offers no real authentication. However, it is quite the reverse. It is possible to derive the keystream used for
A group from the U.S. Federal Bureau of Investigation gave a demonstration where they cracked a WEP-protected network in three minutes using publicly available tools. Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, which can additionally be used to break WEP in WEP-like usage modes. In 2006, Bittau, Handley, and Lackey showed that
A preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP. To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

CCMP is based on the Counter with CBC-MAC (CCM) mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects
A printable ASCII character, which is only a small fraction of possible byte values, greatly reducing the space of possible keys. A 128-bit WEP key is usually entered as a string of 26 hexadecimal characters. 26 digits of 4 bits each gives 104 bits; adding the 24-bit IV produces the complete 128-bit WEP key (4 bits × 26 + 24-bit IV = 128-bit WEP key). Most devices also allow the user to enter it as 13 ASCII characters (8 bits × 13 + 24-bit IV = 128-bit WEP key). 152-bit and 256-bit WEP systems are available from some vendors. As with
A string of 10 hexadecimal (base 16) characters (0–9 and A–F). Each character represents 4 bits; 10 digits of 4 bits each gives 40 bits, and adding the 24-bit IV produces the complete 64-bit WEP key (4 bits × 10 + 24-bit IV = 64-bit WEP key). Most devices also allow the user to enter the key as 5 ASCII characters (0–9, a–z, A–Z), each of which is turned into 8 bits using the character's byte value in ASCII (8 bits × 5 + 24-bit IV = 64-bit WEP key); however, this restricts each byte to be
Is a vendor-specific feature provided by several vendors such as 3Com. The dynamic change idea made it into 802.11i as part of TKIP, but not for the WEP protocol itself.

CCM mode

CCM mode (counter with cipher block chaining message authentication code; counter with CBC-MAC) is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode
Is an obsolete, severely flawed security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely used, and was often the first security choice presented to users by router configuration tools. Subsequent to
Is concatenated with a 24-bit initialization vector (IV) to form the RC4 key. At the time that the original WEP standard was drafted, the U.S. Government's export restrictions on cryptographic technology limited the key size. Once the restrictions were lifted, manufacturers of access points implemented an extended 128-bit WEP protocol using a 104-bit key size (WEP-104). A 64-bit WEP key is usually entered as
Is first computed on the message to obtain a message authentication code (MAC), then the message and the MAC are encrypted using counter mode. The main insight is that the same encryption key can be used for both, provided that the counter values used in the encryption do not collide with the (pre-)initialization vector used in the authentication. A proof of security exists for this combination, based on
Is only completely effective when WEPplus is used at both ends of the wireless connection. As this cannot easily be enforced, it remains a serious limitation. It also does not necessarily prevent replay attacks, and is ineffective against later statistical attacks that do not rely on weak IVs. Dynamic WEP refers to the combination of 802.1X technology and the Extensible Authentication Protocol. Dynamic WEP changes WEP keys dynamically. It
Is only defined for block ciphers with a block length of 128 bits. The nonce of CCM must be carefully chosen to never be used more than once for a given key. This is because CCM is a derivation of counter (CTR) mode and the latter is effectively a stream cipher. As the name suggests, CCM mode combines counter (CTR) mode for confidentiality with cipher block chaining message authentication code (CBC-MAC) for authentication. These two primitives are applied in an "authenticate-then-encrypt" manner: CBC-MAC
Is set to 1 only within data frames of type Data and within management frames of type Management, subtype Authentication. The Protected Frame field is set to 0 in all other frames. When the Protected Frame field is set to 1 in a data frame, the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 8. Only WEP is allowed as the cryptographic encapsulation algorithm for management frames of subtype Authentication."

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP)
Is then put through a pseudo-random function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames): The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of
Is to switch to WPA2. WPA was an intermediate solution for hardware that could not support WPA2. Both WPA and WPA2 are much more secure than WEP. To add support for WPA or WPA2, some old Wi-Fi access points might need to be replaced or have their firmware upgraded. WPA was designed as an interim software-implementable solution for WEP that could forestall immediate deployment of new hardware. However, TKIP (the basis of WPA) has reached
The TJ Maxx parent company network invasion. The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and
The cryptographic hash function. If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server. The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing
The 802.11 network is connected to the Internet, the attacker can use 802.11 fragmentation to replay eavesdropped packets while crafting a new IP header onto them. The access point can then be used to decrypt these packets and relay them on to a buddy on the Internet, allowing real-time decryption of WEP traffic within a minute of eavesdropping the first packet. In 2007, Erik Tews, Andrei Pyshkin, and Ralf-Philipp Weinmann were able to extend Klein's 2005 attack and optimize it for usage against WEP. With
The 802.11 protocol itself can be used against WEP to enable earlier attacks that were previously thought impractical. After eavesdropping a single packet, an attacker can rapidly bootstrap to be able to transmit arbitrary data. The eavesdropped packet can then be decrypted one byte at a time (by transmitting about 128 packets per byte to decrypt) to discover the local network IP addresses. Finally, if
The AP. (Both authentication mechanisms are weak; Shared Key WEP is deprecated in favor of WPA/WPA2.) Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related-key attack. For
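Two of the claims in the WEP passages above can be checked in code: the birthday bound on a 24-bit IV (the "50% after 5,000 packets" figure) and what a repeated IV, and hence a repeated RC4 keystream, gives away. The following is an added example, not part of the page, using Go's standard-library crypto/rc4. It models only WEP's confidentiality step (RC4 keyed with IV || secret; the CRC-32 ICV is omitted), and the secret, IVs and frame contents are constructed values.

```go
package main

import (
	"crypto/rc4"
	"errors"
	"fmt"
	"math"
)

// Added example, not code from the page. Checks two statements in the text:
// the birthday bound on a 24-bit IV, and the consequence of reusing the
// RC4 keystream. Only WEP's confidentiality step is modelled (no CRC-32 ICV).

const ivSpace = 1 << 24 // number of distinct 24-bit IVs

// ivRepeatProbability: chance that at least two of n frames share an IV when
// IVs are drawn uniformly (birthday bound, product form, summed in log space).
func ivRepeatProbability(n int) float64 {
	logNone := 0.0
	for k := 1; k < n; k++ {
		logNone += math.Log1p(-float64(k) / ivSpace)
	}
	return 1 - math.Exp(logNone)
}

// framesForHalf: the smallest frame count at which a repeat is at least 50% likely.
func framesForHalf() int {
	logNone := 0.0
	for n := 1; ; n++ {
		if 1-math.Exp(logNone) >= 0.5 {
			return n
		}
		logNone += math.Log1p(-float64(n) / ivSpace)
	}
}

// wepEncrypt: RC4 keyed with IV || secret. A 5-character ASCII secret gives
// 8 bits x 5 + 24-bit IV = the "64-bit" WEP key described in the text.
func wepEncrypt(secret, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != 3 {
		return nil, errors.New("WEP IV is 24 bits")
	}
	c, err := rc4.NewCipher(append(append([]byte{}, iv...), secret...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	c.XORKeyStream(out, plaintext)
	return out, nil
}

// xorIdentityHolds reports whether c1 XOR c2 == p1 XOR p2 for two equal-length
// frames sent under iv1 and iv2. This holds exactly when the keystreams
// coincide, i.e. when the IV (and so the RC4 key) repeats: an observer then
// learns the XOR of the two plaintexts without knowing the secret at all.
func xorIdentityHolds(secret, iv1, iv2, p1, p2 []byte) bool {
	c1, err1 := wepEncrypt(secret, iv1, p1)
	c2, err2 := wepEncrypt(secret, iv2, p2)
	if err1 != nil || err2 != nil || len(p1) != len(p2) {
		return false
	}
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	fmt.Printf("P(IV repeat) after 5000 frames: %.3f\n", ivRepeatProbability(5000))
	fmt.Printf("frames for a 50%% chance of a repeat: %d\n", framesForHalf())
	secret := []byte("abcde") // constructed 5-character (40-bit) secret
	p1 := []byte("GET /index.html ")
	p2 := []byte("POST /login.php ")
	fmt.Println("same IV, p1^p2 exposed: ", xorIdentityHolds(secret, []byte{1, 2, 3}, []byte{1, 2, 3}, p1, p2))
	fmt.Println("fresh IV, p1^p2 exposed:", xorIdentityHolds(secret, []byte{1, 2, 3}, []byte{1, 2, 4}, p1, p2))
}
```

framesForHalf lands a little under 5,000, consistent with the rounded figure in the text, and a uniform random IV is the best case: a sequential IV counter restarts at zero on every reset, so real deployments repeated IVs far sooner.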
The MAC to protect unicast communication. The GTK is a random number, also generated using PRF-n (usually PRF-128 or PRF-256); in this model the group key hierarchy takes a GMK (Group Master Key) and generates a GTK. "The Protected Frame field is 1 bit in length. The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm. The Protected Frame field
The WLAN client does not provide its credentials to the access point during authentication. Any client can authenticate with the access point and then attempt to associate. In effect, no authentication occurs. Subsequently, WEP keys can be used for encrypting data frames. At this point, the client must have the correct keys. In Shared Key authentication, the WEP key is used for authentication in
The access point its PMK. The PMK is designed to last the entire session and should be exposed as little as possible; therefore, keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product
The appropriate cryptographic keys. The RSN is a security network that only allows the creation of robust security network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake. The standard also provides two RSNA data confidentiality and integrity protocols, TKIP and CCMP, with implementation of CCMP being mandatory since
The attack with a personal computer, off-the-shelf hardware, and freely available software such as aircrack-ng to crack any WEP key in minutes. Cam-Winget et al. surveyed a variety of shortcomings in WEP. They wrote "Experiments in the field show that, with proper equipment, it is practical to eavesdrop on WEP-protected networks from distances of a mile or more from the target." They also reported two generic weaknesses: In 2005,
The confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP. The main purpose of implementing TKIP was that the algorithm should be implementable within the capabilities of most of the old devices supporting only WEP. The initial authentication process is carried out either using a pre-shared key (PSK), or following an EAP exchange through 802.1X (known as EAPOL, which requires
The development of CCM mode was the submission of offset codebook (OCB) mode for inclusion in the IEEE 802.11i standard. Opposition was voiced to the inclusion of OCB mode because of a pending patent application on the algorithm. Inclusion of a patented algorithm meant significant licensing complications for implementors of the standard. While the inclusion of OCB mode was disputed based on these intellectual property issues, it
The end of its designed lifetime, has been partially broken, and has been officially deprecated with the release of the 802.11-2012 standard. This stopgap enhancement to WEP was present in some of the early 802.11i drafts. It was implementable on some (not all) hardware not able to handle WPA or WPA2, and extended both the IV and the key values to 128 bits. It was hoped to eliminate the duplicate IV deficiency as well as stop brute-force key attacks. After it became clear that
The full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher. IEEE 802.11i enhances IEEE 802.11-1999 by providing a Robust Security Network (RSN) with two new protocols: the four-way handshake and the group key handshake. These utilize the authentication services and port access control described in IEEE 802.1X to establish and change
The handshake by capturing the challenge frames in Shared Key authentication. Therefore, data can be more easily intercepted and decrypted with Shared Key authentication than with Open System authentication. If privacy is a primary concern, it is more advisable to use Open System authentication for WEP authentication, rather than Shared Key authentication; however, this also means that any WLAN client can connect to
The integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. RSNA defines two key hierarchies: The description of the key hierarchies uses the following two functions: The pairwise key hierarchy utilizes PRF-384 or PRF-512 to derive session-specific keys from a PMK, generating a PTK, which gets partitioned into a KCK and a KEK plus all the temporal keys used by
The introduction of 256-bit WEP, 128-bit remains one of the most common implementations. WEP was included as the privacy component of the original IEEE 802.11 standard ratified in 1997. WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity. It was deprecated in 2004 and is documented in the current standard. Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which
The key, the access point (AP) and client encrypt messages to each other—which can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell
The message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes. Use of encrypted tunneling protocols (e.g., IPsec, Secure Shell) can provide secure data transmission over an insecure network. However, replacements for WEP have been developed with the goal of restoring security to the wireless network itself. The recommended solution to WEP security problems
The new attack it is possible to recover a 104-bit WEP key with a probability of 50% using only 40,000 captured packets. For 60,000 available data packets, the success probability is about 80%, and for 85,000 data packets, about 95%. Using active techniques like Wi-Fi deauthentication attacks and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on
The number of packets available for inspection, a successful key recovery could take as little as one minute. If an insufficient number of packets are being sent, there are ways for an attacker to send packets on the network and thereby stimulate reply packets, which can then be inspected to find the key. The attack was soon implemented, and automated tools have since been released. It is possible to perform
The other WEP variants, 24 bits of that is for the IV, leaving 128 or 232 bits for actual protection. These 128 or 232 bits are typically entered as 32 or 58 hexadecimal characters (4 bits × 32 + 24-bit IV = 152-bit WEP key, 4 bits × 58 + 24-bit IV = 256-bit WEP key). Most devices also allow the user to enter it as 16 or 29 ASCII characters (8 bits × 16 + 24-bit IV = 152-bit WEP key, 8 bits × 29 + 24-bit IV = 256-bit WEP key). Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication. In Open System authentication,
The overall WEP algorithm was deficient (and not just the IV and key sizes) and would require even more fixes, both the WEP2 name and original algorithm were dropped. The two extended key lengths remained in what eventually became WPA's TKIP. WEPplus, also known as WEP+, is a proprietary enhancement to WEP by Agere Systems (formerly a subsidiary of Lucent Technologies) that enhances WEP security by avoiding "weak IVs". It
The presence of an authentication server). This process ensures that the client station (STA) is authenticated with the access point (AP). After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK). In PSK authentication, the PMK is actually the PSK, which is typically derived from the Wi-Fi password by putting it through a key derivation function that uses SHA-1 as
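The key hierarchy described across the four-way handshake passages (PSK from passphrase and SSID through a SHA-1 based KDF; PTK from PMK, ANonce, SNonce and both MAC addresses through PRF-384; the PTK partitioned into KCK, KEK and a temporal key) as an added example in Go, not code from the page or from any supplicant or access point. PBKDF2 and the 802.11i PRF are written out on the standard library. The MAC addresses and nonces in main are constructed, and eapolMIC assumes EAPOL-Key descriptor version 2 (HMAC-SHA1 truncated to 128 bits), the version 802.11i pairs with CCMP.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added example, not the page's or any supplicant's code. Passphrase -> PMK
// with PBKDF2-HMAC-SHA1, then PMK + nonces + addresses -> PTK via PRF-384,
// split into KCK, KEK and TK. Addresses and nonces in main are constructed.

// pbkdf2SHA1 is plain PBKDF2 (RFC 2898) over HMAC-SHA1, written out so the
// block needs nothing outside the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for blk := uint32(1); len(out) < keyLen; blk++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, blk)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// pskFromPassphrase: WPA-PSK maps (passphrase, SSID) to a 256-bit PMK with
// PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations.
func pskFromPassphrase(passphrase, ssid string) []byte {
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32)
}

// prf is the 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for
// i = 0, 1, ... concatenated and truncated to n bits.
func prf(key []byte, label string, data []byte, nBits int) []byte {
	var out []byte
	for i := byte(0); len(out)*8 < nBits; i++ {
		mac := hmac.New(sha1.New, key)
		mac.Write([]byte(label))
		mac.Write([]byte{0})
		mac.Write(data)
		mac.Write([]byte{i})
		out = mac.Sum(out)
	}
	return out[:nBits/8]
}

// ordered returns min(a,b) || max(a,b) so that both sides build the same PRF input.
func ordered(a, b []byte) []byte {
	if bytes.Compare(a, b) < 0 {
		return append(append([]byte(nil), a...), b...)
	}
	return append(append([]byte(nil), b...), a...)
}

// PTK holds the three parts of a 384-bit CCMP pairwise transient key.
type PTK struct{ KCK, KEK, TK []byte }

// derivePTK is what authenticator and supplicant each compute locally after
// exchanging nonces; the PMK itself never crosses the air. Because the input
// is sorted, the argument order (whose address, whose nonce) does not matter.
func derivePTK(pmk, aa, spa, anonce, snonce []byte) PTK {
	data := append(ordered(aa, spa), ordered(anonce, snonce)...)
	k := prf(pmk, "Pairwise key expansion", data, 384)
	return PTK{KCK: k[0:16], KEK: k[16:32], TK: k[32:48]}
}

// eapolMIC: EAPOL-Key MIC for key descriptor version 2 (HMAC-SHA1 truncated
// to 128 bits) over the frame with its MIC field zeroed. A valid MIC on
// messages 2 and 3 is the proof of PMK possession the text describes.
func eapolMIC(kck, frameWithZeroMIC []byte) []byte {
	mac := hmac.New(sha1.New, kck)
	mac.Write(frameWithZeroMIC)
	return mac.Sum(nil)[:16]
}

func main() {
	pmk := pskFromPassphrase("password", "IEEE")       // 802.11i Annex H test case
	aa := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}  // constructed AP address
	spa := []byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb} // constructed STA address
	anonce := bytes.Repeat([]byte{0xa1}, 32)          // constructed nonces
	snonce := bytes.Repeat([]byte{0x5e}, 32)
	ap := derivePTK(pmk, aa, spa, anonce, snonce)
	sta := derivePTK(pmk, spa, aa, snonce, anonce)
	fmt.Printf("PMK %s\nKCK %x\nboth sides agree: %v\n", hex.EncodeToString(pmk), ap.KCK, bytes.Equal(ap.TK, sta.TK))
	fmt.Printf("MIC %x\n", eapolMIC(ap.KCK, []byte("EAPOL-Key message 2 with zeroed MIC")))
}
```

A fresh nonce from each side per association is what makes the PTK session-specific: the same PMK with a different ANonce or SNonce yields an unrelated KCK, KEK and TK, so an observer who captured one session's handshake learns nothing reusable about the next.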
The ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 have been deprecated. WPA retained some design characteristics of WEP that remained problematic. WEP was the only encryption protocol available to 802.11a and 802.11b devices built before the WPA standard, which was available for 802.11g devices. However, some 802.11b devices were later provided with firmware or software updates to enable WPA, and newer devices had it built in. WEP
The security of the underlying block cipher. The proof also applies to a generalization of CCM for any block size, and for any size of cryptographically strong pseudo-random function (since in both counter mode and CBC-MAC, the block cipher is only ever used in one direction). CCM mode was designed by Russ Housley, Doug Whiting and Niels Ferguson. At the time CCM mode was developed, Russ Housley
Was agreed that the simplification provided by an authenticated encryption system was desirable. Therefore, Housley et al. developed CCM mode as a potential alternative that was not encumbered by patents. Even though CCM mode is less efficient than OCB mode, a patent-free solution was preferable to one complicated by patent licensing issues. Therefore, CCM mode went on to become a mandatory component of
Was employed by RSA Laboratories. A minor variation of CCM, called CCM*, is used in the Zigbee standard. CCM* includes all of the features of CCM. It allows a choice of MAC lengths down to 0 (which disables authentication and becomes encryption-only). CCM requires two block cipher encryption operations on each block of an encrypted-and-authenticated message, and one encryption on each block of associated authenticated data. According to Crypto++ benchmarks, AES CCM requires 28.6 cycles per byte on an Intel Core 2 processor in 32-bit mode. Notable inefficiencies: The catalyst for
Was ratified as a Wi-Fi security standard in 1999. The first versions of WEP were not particularly strong, even for the time they were released, due to U.S. restrictions on the export of various cryptographic technologies. These restrictions led to manufacturers restricting their devices to only 64-bit encryption. When the restrictions were lifted, the encryption was increased to 128 bits. Despite