[ISN] Researchers crack new wireless security spec

From: InfoSec News (isnat_private)
Date: Sun Feb 17 2002 - 22:34:26 PST

  • Next message: InfoSec News: "[ISN] Planes still at risk from terrorists"

    By Ephraim Schwartz 
    February 14, 2002 2:12 pm PT
    A UNIVERSITY OF Maryland professor and his graduate student have
    apparently uncovered serious weaknesses in the next-generation Wi-Fi
    (Wireless Fidelity) security protocol known as 802.1x.
    In a paper, "An Initial Security Analysis of the IEEE 802.1X Standard"  
    funded by the National Institute of Standards, Professor William
    Arbaugh and his graduate assistant Arunesh Mishra outline two separate
    scenarios that nullify the benefits of the new standard and leave
    Wi-Fi networks wide open to attacks.
    The use of public access "hot spots" are particularly vulnerable to
    session hijacking because these locations do not even deploy the
    rudimentary WEP (Wired Equivalent Privacy) protocol.
    "This problem exists whether you use WEP or not, but it is trivial to
    exploit if not using WEP," said Arbaugh.
    Dubbed "session hijacking" and "man-in-the-middle," both attacks
    basically exploit inherent problems in Wi-Fi as well as exploiting how
    the new 802.1x standard is designed.
    "Here's how session hijacking works. The hacker waits for someone to
    finish successfully the authentication process. Then you as the
    attacker send a disassociate message, forging it to make it look like
    it came from the AP [access point]. The client [user] thinks they have
    been kicked off, but the AP thinks the client is still out there. As
    long as WEP is not involved you can start using that connection up
    until the next time out, usually about 60 minutes," said Arbaugh.
    A session hijacking can occur because of the so-called race conditions
    between the 802.1x and 802.11 state machines. Arbaugh uses the analogy
    of a thief and a store owner racing for the front door at the same
    time. If the owner gets there first he locks the thief out, if the
    thief gets there first he steals everything. Because the client and
    the AP aren't synchronized, "loose consistency," the thief can tell
    the owner/client to go away and the AP still thinks he is there.
    "The robber gets there first," said Arbaugh.
    The second form of attack is called man-in-the-middle, and while Brian
    Grimm, a spokesman for WECA [Wireless Ethernet Compatibility Alliance]
    said that the Wi-Fi association was aware of the problem and that it
    had already been fixed, Arbaugh said he had not heard from WECA but
    that he "would be shocked if they solved the problem."
    The man-in-the-middle attack works because 802.1x uses only one-way
    authentication. In this case, the attacker acts as an AP to the user
    and as a user to the AP.
    "The trust assumption that is reflected from this design is that the
    access points are trusted entities, which is a misjudgement. The
    entire framework is rendered insecure if the higher-layer protocol
    also performs a one-way authentication," according to the Arbaugh,
    Mishra paper.
    One industry analyst was not surprised by the lack of security that
    802.1x offers.
    "It [802.1x] is a security feature but everybody already knew it
    wasn't really the only thing you need to do," said Gemma Paulo, an
    industry analyst specializing in networks at Instat in Scottsdale,
    (Other than the initial response downplaying the seriousness of the
    security breach from the WECA spokesman, no other response was given.  
    Grimm said an expert would return InfoWorld's call, but no additional
    response was received at press time.)
    The real problem is the fundamental way in which Wi-Fi works,
    according to Arbaugh. Although rapid rekeying of WEP keys, for
    example, which will be implemented in the next security standard
    called TKIP [Temporal Key Integrity Protocol], makes it more difficult
    to crack, Arbaugh said the entire design is just not good security.
    "You are relying on a confidentiality mechanism, and in general that
    is considered bad design," he said.
    The next generation of security is TKIP and is backward-compatible
    with current Wi-FI products and upgradeable with software. TKIP is a
    rapid re-keying protocol that changes the encryption key about every
    10,000 packets, according to Dennis Eaton, WECA chairman.
    TKIP will be available in the second quarter, said Eaton.
    But Arbaugh says TKIP does not eliminate the fundamental flaw in Wi-Fi
    "If anybody breaks TKIP, they not only break the confidentiality but
    they also break the access control and authentication so one break
    breaks everything. That is not good design. Each security mechanism
    should stand on its own," he said.
    Longer term, the IEEE Standards body intends to adopt AES [Advanced
    Encryption Standard], the same security protocol sponsored by the
    National Institute of Standards.
    "AES is state of the art encryption technology," said WECA chairman
    But AES requires hardware acceleration using a co-processor to
    off-load the encryption and decryption or it would slow the throughput
    down to an unacceptable level, according to Eaton as well as Instat's
    Paulo. It also requires new Wi-Fi cards in the client devices. AES
    will be available in the first quarter of 2003.
    Arbaugh said the 802.1x specification proves what he and Mishra say in
    their paper is correct.
    "If you look at the 802.1x, they tell you the 1x protocol is insecure
    when used in a shared medium environment unless a security association
    is established. Since 802.11 doesn't do that, so by IEEE's own words
    it is insecure," Arbaugh said.
    The specification reads as follows on page 35, section 7.9, lines
    "However, it should be noted that such use can only be made secure if
    communications between the Supplicant [Client] and Authenticator
    [Access Point] systems takes place using a secure association.
    Attempting to use EAPOL in a shared medium environment that does not
    support the use of secure associations renders Port-based network
    access control highly vulnerable to attack ..."
    See www.drizzle.com/~aboba/IEEE/802-1x-d11.pdf for the entire
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 02:11:20 PST