WiFi Security Setup Guide
- WEP (Wired Equivalent Privacy)
WEP encryption was first ratified by the IEEE in 1999. It used a weakened implementation
of the RC4 stream cipher. The available key lengths were advertised as 64 bits and 128 bits, giving
users a perceived level of security that they were used to seeing. Many people found solace in
the familiarity; however, the WEP key lengths were misrepresented, as both versions of the key
included a 24-bit initialization vector (IV), making the actual key lengths 40 bits and 104 bits.
- WPA (WiFi Protected Access)
WPA encryption was created to fix the problems evident in WEP. WPA uses a form of the RC4
stream cipher (a less flawed form than WEP's), together with an integrated form of user authentication,
which was almost completely absent from the original WEP spec. It uses the Temporal Key Integrity
Protocol (TKIP), a hashing algorithm, to encode and verify the integrity of the data. It also uses a
public-key encryption system called Extensible Authentication Protocol (EAP) to allow only authorized
users access to a WiFi network. WPA was a temporary fix to the problems inherent in WEP encryption.
WPA2, or 802.11i, is the official security standard; it was ratified fairly recently (June 2004).
- WPA2 (WiFi Protected Access 2) or 802.11i
WPA2 is the full and official implementation of the security measures needed to fix all the
flaws of WEP. It was ratified in June of 2004, so only more recent network hardware comes equipped to
handle WPA2. By using the Advanced Encryption Standard (AES) block cipher instead of the RC4 stream
cipher, WPA2 is right away more difficult to defeat. On top of the AES cipher, WPA2 uses 802.1X
authentication using EAP and an authentication server, Robust Security Network (RSN) to log and learn
from associations, and Counter Mode/CBC-MAC Protocol (CCMP) to verify data integrity and source.
Combined, these pieces make a very formidable whole to any potential WiFi thieves.
There were several large technical faults built into WEP, but the implementation of WEP was
flawed as well. WEP encryption is off by default, so it was often simply never turned on by those
setting up their own networks. WEP encryption also had no provisions built into it for key rotation,
so users were always transmitting using the same single key. This made cracking WEP even easier. The
technical faults of WEP were numerous, the most glaring of which were:
- The initialization vector (IV) was the first 24 bits of the packet being transmitted. Thanks
to a flaw in the RC4 stream cipher, specifically the key scheduling algorithm, the IV was sometimes
transmitted in the clear (unencrypted). If a cracker were so inclined, they could "listen" to
packets coming out of a client, and after enough IVs had been collected they could crunch the
numbers and crack the WEP cipher.
- After the discovery of the statistically weak (and therefore interesting) packets with unencrypted
IVs, most manufacturers changed their firmware to filter out the IVs that would lead to cracking the
key. Because of this, the tools being used to crack WEP keys became useless, that is, until a new
statistical attack was devised that did not need the weak IVs to function. It still took advantage
of weaknesses surrounding the key scheduling algorithm, but this new attack needs only half as many
packets as the weak-IV method.
The WPA implementation was much more effective than WEP at keeping prying eyes from wireless data.
There were still weaknesses, however. It was discovered that a user-generated passphrase for WPA was
easier to guess than initially thought. The Pairwise Master Key (PMK), that is, the key used to
encrypt the data, is derived from the user-generated passphrase, the network SSID, the length of the
SSID, and a randomly chosen value. This data was then hashed 4,096 times to create a key 256 bits
long. The problem was that a majority of the data was readily available, making the parts that aren't
that much easier to guess. Several people devised brute-force dictionary attacks to guess the
passphrase used to generate the key. In the end it was determined that passphrases made up of fewer
than 20 characters were not very effective at defeating interested parties.
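To make the passphrase-to-key step concrete, here is an added example (not part of the original guide) that performs the standard 802.11i derivation of the PMK: PBKDF2 with HMAC-SHA1, the SSID as the salt, 4,096 iterations and a 256-bit output. Everything except the passphrase is public, which is why the passphrase alone carries the security. The `guess_space_bits` helper and the sample passphrases are my own additions; the "password"/"IEEE" pair is the test vector published in the 802.11i standard.

```python
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096   # the "hashed 4,096 times" step
PMK_LENGTH_BYTES = 32      # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Pairwise Master Key from a passphrase and SSID.

    Standard 802.11i derivation: PBKDF2 with HMAC-SHA1, the SSID as salt,
    4,096 iterations, 256-bit output. The SSID, iteration count and output
    length are all public; only the passphrase is secret.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def guess_space_bits(passphrase: str) -> float:
    """Upper bound, in bits, on the search space for a passphrase drawn
    uniformly at random from the character classes it uses. A dictionary
    word costs one guess regardless of this number; the bound only
    describes passphrases that really were chosen at random."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def passphrase_report(passphrase: str, ssid: str) -> dict:
    """Summarise the derived key and how the passphrase measures up to the
    guide's 20-character recommendation."""
    return {
        "pmk_hex": derive_pmk(passphrase, ssid).hex(),
        "meets_20_char_guidance": len(passphrase) >= 20,
        "guess_space_bits": round(guess_space_bits(passphrase), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs; "password"/"IEEE" is the 802.11i Annex H test vector.
    for phrase, ssid in [("password", "IEEE"), ("k7Q2m9Xz4Lr8Wn3Vb6Yc", "IEEE")]:
        print(phrase, passphrase_report(phrase, ssid))
```

Because the SSID is the salt, a key table built for one network name is useless against another, which is one reason for not leaving the SSID at the factory default; the 4,096 iterations set the price of every guess, and a long random passphrase multiplies that price by a number an attacker cannot pay.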
WPA2 lacks the key-encryption problems that WPA suffered from, thanks to the evolution of its key
scheduling and client authentication algorithms. As it is relatively new, no large holes are evident in
WPA2, but you can be sure that eventually someone will discover a weakness. That weakness will likely
take far more work to exploit than the past problems, so if you are on the lookout for new wireless
hardware, you would do well to ensure that you are buying WPA2-compliant hardware.
- NetStumbler is a program used for finding, mapping, and probing WiFi networks.
- Kismet serves a similar function to NetStumbler, though it also includes packet analysis tools
for intrusion and penetration testing.
- KisMAC is another network-finding tool, again including some tools that go beyond simple detection.
- AirSnort is an encryption key recovery tool. It analyzes packets and attempts to recover the data
from the available information.
- Aircrack is a toolset for capturing and decrypting encrypted packets. It is an excellent network
integrity tool.
- WepLab (Linux, Windows) is a toolset designed both to test network integrity and to teach users how
WEP works, its various vulnerabilities, and how best to secure your network using WEP.
- A tool for testing WPA vulnerabilities.
Despite some indications to the contrary, there is a difference between security and encryption.
Security involves taking what are normally common-sense precautions to prevent interested parties from
accessing your data. Encryption is a form, or subset, of security. This section eschews encryption
entirely to focus on what precautions you can take besides simply encrypting your data.
Focus your signal
In a standard wireless network the Access Point uses an omnidirectional antenna, sending signal in every
direction for a limited distance. If you know where your client computers are and also that they won't
be moving very much (if at all), then you can do several things to ensure that signal only goes where it
needs to be:
- Replace the omnidirectional antenna with a directional or sector antenna.
- Use a signal shield or attenuator to force the omni antenna to be directional.
Remember, even if your data is encrypted, there are still packets flying in every direction, and as has
been discussed, the way network encryption is cracked is by capturing and inspecting packets. The fewer
packets in the air where they don't need to be, the harder it will be to crack your network.
Change your network key
Even with automatic key rotation and scheduling in WPA and WPA2, changing your network passphrase every
so often is a good idea.
Conduct random log surveys
Occasionally logging into your Access Point to see which devices are connected, and checking your logs
for device names that you don't recognize, is a good way to passively test your own network.
Filtering connections by MAC address can ensure that unwanted devices are not connecting to your network.
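The log survey above is easy to automate once you have written down which devices are yours. The following added example (not from the original guide or any particular Access Point vendor) parses a constructed DHCP lease log in a made-up format, compares each MAC address against your recorded device list, and reports anything unknown, as well as a known MAC that suddenly announces a different hostname. Since a client can set its own MAC address, MAC filtering is best treated as a convenience that keeps casual devices off, with the log review as the check behind it.

```python
import re
from collections import namedtuple

# Constructed sample Access Point log; the format is invented for this example,
# real APs each have their own layout.
SAMPLE_LOG = """\
2005-03-14 20:11:02 DHCP lease 192.168.1.101 to 00:11:22:33:44:55 hostname=flynn-laptop
2005-03-14 20:15:37 DHCP lease 192.168.1.102 to 00:11:22:33:44:66 hostname=office-desktop
2005-03-14 21:02:48 DHCP lease 192.168.1.101 to 00:11:22:33:44:55 hostname=flynn-laptop
2005-03-14 23:48:10 DHCP lease 192.168.1.103 to 00-DE-AD-BE-EF-01 hostname=unknown-device
2005-03-15 01:12:09 DHCP lease 192.168.1.104 to 00:11:22:33:44:66 hostname=somethingelse
"""

# Devices you have recorded yourself: MAC address -> hostname you expect it to use.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "flynn-laptop",
    "00:11:22:33:44:66": "office-desktop",
}

# Accepts colon- or dash-separated MACs in either case.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCP lease (?P<ip>\S+) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}) hostname=(?P<host>\S+)"
)

Finding = namedtuple("Finding", "timestamp mac hostname reason")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 00-DE-AD-.. and 00:de:ad:.. compare equal."""
    return mac.replace("-", ":").lower()


def review_log(log_text: str, known: dict) -> list:
    """Return one Finding per log line that deserves a look: a MAC not on the
    known list, or a known MAC announcing a hostname other than the recorded one."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # lines in other formats are ignored, not flagged
        mac = normalize_mac(m.group("mac"))
        host = m.group("host")
        if mac not in known:
            findings.append(Finding(m.group("ts"), mac, host, "unknown MAC"))
        elif known[mac] != host:
            findings.append(Finding(m.group("ts"), mac, host,
                                    f"hostname changed (expected {known[mac]})"))
    return findings


def mac_filter_list(known: dict) -> list:
    """The allow-list to type into the AP's MAC filtering page, in a stable order."""
    return sorted(normalize_mac(mac) for mac in known)


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"{f.timestamp}  {f.mac}  {f.hostname:15}  {f.reason}")
    print("MAC filter entries:", mac_filter_list(KNOWN_DEVICES))
```

Run it against a copy of your own AP's log after adjusting `LEASE_RE` to that device's line format; a hostname change on a known MAC is not proof of anything, but it is exactly the kind of entry worth a second look.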
Enabling the software-based security features.
Making a guide for enabling things like MAC filtering and log viewing can be a difficult
proposition, as the menu options vary between manufacturers. Looking up any of these software-related
options in your manual or on the manufacturer's website should yield enough information on how to enable
and use the options in your Access Point.
Common conventions for using encryption are good insofar as enabling it goes; however, when choosing a
passphrase for your network, it is best to be as unique as possible. Randomly choosing a combination of
numbers and letters is a good way to ensure that dictionary attacks will not work on your network. Also,
choosing passphrases of secure length, at least 20 characters, can help ensure that your passphrase is
not quickly cracked. WEP keys usually must be a certain length depending on what bit-length key you want
to use, which is another inherent weakness in the implementation of WEP. Some manufacturers use their own
algorithms to allow a client to use a passphrase of any length, which is then parsed into an acceptable
key length for WEP to use. WPA and WPA2 allow you to use keys that are much longer.
Again, how you enable encryption can differ from manufacturer to manufacturer, though the
menu options should look fairly similar. Generally, enabling encryption is one of the first options you
see when you enter an AP's configuration utility. More advanced options can be found under an "Advanced" or
Written by Flynn Martin
for DataPro International Inc.
Unauthorized duplication strictly prohibited.