[Mac_crypto] 802.11 Wireless Network (Airport) Security

[R. A. Hettinga]

<http://world.std.com/~reinhold/airport.html>

Apple Airport Network Security 

This page offers some practical security tips to make Apple's  Airport wireless network more secure. Many of the suggestions also  apply to other Wireless networks using the IEEE 802.11 standard. Note that Apples new Airport 2.0 apparently just adopts the  industry standard extension for "128-bit security," which does not  solve the very grave security problems described below. 

The threats 

Threat 1. The encryption used in airport can be broken fairly  easily 

A draft paper by Scott Fluhrer, Itsik Mantin and Adi Shamir was  released on July 25, 2001 and announces new attacks on the RC4 cipher  that is the basis for Airport and 802.11b Wired Equivalent Privacy  (WEP) security. Prof. Shamir states in an e-mail accompanying the  release: 

"Attached you will find a new paper which describes a  truly practical direct attack on WEP's cryptography. It is an  extremely powerful attack which can be applied even when WEP's RC4  stream cipher uses a 2048 bit secret key (its maximal size) and 128  bit IV modifiers (as proposed in WEP2). The attacker can be a  completely passive eavesdropper (i.e., he does not have to inject  packets, monitor responses, or use accomplices) and thus his  existence is essentially undetectable. It is a pure known-ciphertext  attack (i.e., the attacker need not know or choose their  corresponding plaintexts). After scanning several hundred thousand  packets, the attacker can completely recover the secret key and thus  decrypt all the ciphertexts. The running time of the attack grows  linearly instead of exponentially with the key size, and thus it is  negligible even for 2048 bit keys." 

The paper itself, titled "Weaknesses in the Key Scheduling  Algorithm of RC4," has been posted at http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf (in PDF format) and at http://www.crypto.com/papers/others/rc4_ksaproc.ps (in Postscript). 

Macintouch previously  reported: "A group of researchers at UC Berkeley have published a  report detailing security flaws in the Wired Equivalent Privacy (WEP)  algorithm used in 802.11b wireless protocols - popularized by Apple's  Airport. The report details a number of potential attacks that allow  both decryption of traffic and disruption of services." 

The draft paper by Borisov, Goldberg, and Wagner presents a number of  practical attacks on 802.11 Wired Equivalent Privacy (WEP). The long  term solution to these problems, as the paper points out, is to  rework the 802.11 protocol to use better encryption and message  authentication algorithms. Unfortunately a huge infrastructure has  grown up around 802.11 and large numbers of modems are in use,  including the Apple  Airport line. Since the encryption and authentication is done in  firmware, changes to these algorithms will likely requires new  hardware. 

In addition to the threats detailed in the Shamir and BGW papers,  there is another problem with Airport security: Apple's Airport  software generates the network key from a password. Since most user's  pick passwords in fairly predictable ways, an attacker equipped with  a password guessing program could break into Airport much more  quickly, perhaps in a matter of minutes. 

Threat 2. 802.11b "base stations" can be used to leak information  from inside coprporate security 

All the talk of breaks to Airport/802.11 encryption may obscure a  greater threat. Tranceivers for 802.11 are small, inexpensive and  easy to install. While their range is normally limited to a few  hundred feet, the distance can be extended to several miles using  directional antennas. Given the standard architecture in most  corporate and government buildings, it is fairly easy for a malicious  individual who has access to the building to install a covert 802.11  base station. 

Equipment is available to scan for unauthourzed base stations, but  it must be used frequently. More sophisticated atackers can use  timers to insure that the covert base station is only on at, say 3am.  Microwave transverter technology could be used to shift the 802.11  signals to other parts of the microwave spectrum where standard  sniffers will never see them. 

It may be necessary for institutions concerned about network  security to employ virtual private network technology, such as IPSec,  internally as well as externally, i.e. even behind the corporate fire  wall. 

What you can do now 

Here are some very simple and practical measures that can improve  Airport security: 

Turn it on 

Many Airport users haven't even bothered to enable the security  features built into Airport, feeble though they may be. There is an  old joke about two guys hiking in the woods who spot a mean looking  grizzley bear heading their way. One of the hikers takes off his back  pack, pulls out running shoes, and starts putting them on. The other  says "You idiot, you can't outrun a hungry bear in the woods." The  first replies "I don't have to outrun the bear, I only have to outrun  you." Even minimal seurity may be effective against snoops who have  plnty of unprotected targets to choose from. If you have Airport 2,  use the higher 128-bit security setting, if possible. 

Use strong Passwords 

The Apple Airport system security depends on the strength of the  network password. As we said out above, to take full advantage of the  limited security Airport provides you must use a password with at  least 40-bits of randomness. The Diceware.com page has  instructions for simple ways to select words at random using ordinary  dice. There are also scripts that  will do this . Using dice is more secure, but the scripts are  probably adequate for this purpose. We suggest you use one of the  following formats for selecting your airport network and  administrative passwords: 
Four Diceware words, for example: bater ark acorn     haney 
Three Diceware words plus one random digit, for example: until wrote sappy 3 The random digit can simply be     the result of a single dice roll, i.e. a number from 1 to 6. 
Nine random letters, for example: MZV EWD CHZ 

The Diceware  FAQ has instructions for selecting random letters using dice. You  can also use our Passgen applet. Just select the "CCC CCC CCC" template from the drop down  list. To change your password, launch the Airport Admin Utility. Make  sure that the Enable Encryption (using WEP) box is checked and  then select Change Network Password . Obviously all other users  of the Airport network must be informed of this change in advance,  preferably by some method other than ordinary email. 

Note: Apple's Airport 2.0 and many 3rd party vendors  offer 802.11 modems with "128-bit" keys. You will need even stronger  passwords to use these effectively. The secret part of these keys is  only 104-bits. We recommend at least a 6 word Diceware passphrase if  your software acccepts password input. An 8 word Diceware passphrase  is prefered as it offers the full 104-bit strength. If you must enter  a hexadecimal password, use at least 26 Hex digits. These can be  generated using the Passgen applet by selecting the HHHH HHHH HHHH HHHH template from the drop  down list. 

Caution: Some 802.11 implementations do not hash the password  before using it as a key. In these cases hexadecimal passswords  should be used if the option is available, otherwise use random  characers, 

Change passwords frequently 

The amount of time needed to break an Airport or 802.11 password  can can range from a matter of hours or less to several days. It all depends on  how heavily loaded the network is. Since most networks are not  used heavily, you can gain some protection from the new attacks by  changing your network password frequently -- preferably every day.  You can generate a list of passwords using the Passgen "CCC CCC CCC" template  (use two CCC CCC CCC passwords for 128-bit sustems) and supply them  to users on a weekly or monthly basis. They will then have to use the  Airport Admin Utility to change the network password when they log in  every morning. 

For extra credit you might want to change passwords twice a day,  say at 7 pm and 7 am. Only those who stay late will have to log in  twice and an attacker will have half as much time to crack your  password. 

Review base station placement 

Airport has limited range, so by careful placement of the base  stations you may be able to minimize the areas outside your building  where an attacker can receive a strong signal. For example you may  want to place a base station near the center of an inside wall rather  than by a window. However you should consider that more sophisticated  attackers can use high gain directional antennas to extend Airport's  range. 

Alert security personnel 

Make your security staff aware of the Airport threat and suggest  that they investigate individuals operating laptops in the company  parking lot. Make sure they know what high-gain WEP antennas look  like so they can identify them. 

Place the Airport network outside of your corporate firewall. 

The BGW paper suggests placing wireless networks outside of the  corporate firewall. This can limit a successful intruder's ability to  access corporate databases. It may reduce the protection afforded to  the wireless networked computers themselves, however. Another  possibility is to have a separate fierwall for wireless users. 

Develop and disseminate a policy on wireless networks 

If your organization wishes to maintain security, it is vital that  only approved wireless installations be permitted. You may wish to  scan your building(s) periodically to look for unauthorized base  stations. 

Superencrypt with IPsec 

The most effective solution, by far, is to use separate strong  encryption programs, such as IPsec, to secure all data moving over  the Airport network, and perhaps the entire corporate network. This  is the one solution that affords protection against all known Airport  attacks. A proper IPsec installation takes considerable care and  effort, however. 

Sources of IPsec information and software include: 
NetBSD     IPsec FAQ 
IPsec     Webopedia page 
PGP 
FreeSwan 

A Frequent Key Changing Proposal for 802.11 

[We are revising these proposals in light of the RC4 attacks and  hope to issue a new version shortly. -- agr] 

WF1 

In WF1 the 802.11 WEP keys would be changed many times each hour,  say every 10 minutes. A parameter, P , determines how many time per  hour the key is to be changed, where P must divide 3600 evenly. The  WEP keys are derived from a master key, M, by taking the low order N  bits (N = 40, 104, whatever) of the SHA1 hash of the master key with  the date and time (UTC) of the key change appended. 

WEPkey = Bits[0-N](SHA1(M | yyyymmddhhmmss)) 

M can be any size, up to, say, 256 bytes. This allows direct entry  of a passphrase. 

WF1 would eliminate the dictionary attack described in the paper.  Note that since the master key is not limited to 40 bits, WF1 would  also reduce the value of direct attacks on 40-bit keys. In this  regard, it is worth noting that IV collisions also facilitate a  direct attack on the encryption. If an attacker accumulates n packets  with the same IV, he can attack all the packets at the same time,  reducing the time required by a factor of n, if n isn't too big.  Since the time required to crack 40-bit RC4 on a single workstation  is on the order of a week, even a factor of 3 reduction is  significant. 

WF1 does not completely eliminate the problem of IV collisions.  With a 24-bit IV, some are inevitable. Each IV collision has the  potential of compromising the data in both packets. But WF1 does  allow the rate at which they occur to be reduced and controlled. The  rate of collisions varies linearly with the period between key  changes. If there are R packets per second and the time between key  changes is T where T =3600/P, then the expected number of collisions  in the time interval T is roughly (T*R)^2/2^25, so the rate of  collisions is roughly T*R^2/2^25. 

WF1 also does not eliminate the authentication attacks described  in Part 4 of the paper. However most of the attacks described there  require multiple attempts to succeed and the shortened key window  might make them more difficult to mount. 

Clearly good synchronization of the time-of-day clock on each node  is essential in WF1, but protocols already exist that can do this  over a network. Small synchronization discrepancies can be handled by  the 802 retry mechanism and should look very much like a short RF  outage. 

The BGW paper mentions that some 802.11 modems reset their IV  counter when they are initialized. If a key change counts as an  initialization, then this proposal runs the risk of creating  additional collisions. However it should be possible to test modems  for this property and refuse to enter the key changing security mode  if such a modem is installed. Manufacturers could eliminate this  behavior with a firmware change and there would be no impact on other  uses of the modem. Similarly modems that do not change the IV for  each packet could be barred. 

Unless I have missed something, WF1 could be implemented as an  option in 802.11 driver software. It might also be possible to  implement WF1 with currently available 802.11 software by using a  scripting language. Note that a crude version of WF1 can be  implemented today with no new software at all: just change the WEP  key every night. A weekly WEP key list could be distributed to  authorized users by paper mail or encrypted e-mail. 

WF2 

WF2 would change keys periodically just like WF1, however the  packet sender's address would also incorporated in the hash. 

WEPkey = Bits[0-N](SHA1(M | Sender's address |  yyyymmddhhmmss)) 

WF2 requires that hubs encryption programming be changed. Assuming  most hubs are programmed in firmware, this will generally require new  hubs. However existing client modems can still be used. WF2 will  essentially eliminate IV collisions if the keys are changed at least  every few hours. 

WF2 still does not eliminate the authentication attacks. However  since we have to change the hub programming anyway, it might be  possible to add tests to detect possible attacks. 

Neither WF1 nor WF2 eliminates data leaks from WEP, but they do  reduce them considerably. Stronger security measures, such as SSL and  IPsec, should be used to protect sensitive data traveling over  802.11, but the same can be said of wired Ethernet. 

These suggestions are hypothetical and have not been implemented  or tested. If you try them, please let us know how they worked. 

References 

Designing  Airport Networks , Apple Computer. 

Airport is a trademark of Apple Computer. 

Arnold G. Reinhold 

2001-2-13, Rev. 2001-8-29. 2001-11-24, 2002-3-13 

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'