3 Weaknesses in 802.11 security

The IEEE 802.11 standard defines Wired Equivalent Privacy (WEP) to protect wireless transmissions. WEP employs the RC4 symmetric stream cipher using an encryption key that is shared by all participants in the wireless network. 802.11 defines 64-bit WEP keys but most suppliers also support 128-bit keys. 802.11 does not define how keys are distributed.

A WEP key consists of two parts: a 24-bit Initialisation Vector (IV) and a secret key. The IV is transmitted in plain text in the headers of 802.11 packets and can therefore be easily intercepted. Armed with the IV there are well-documented techniques available to “crack” WEP encrypted transmissions given sufficient sample data. The solution is to use dynamic WEP keys that change frequently.

The 802.11 standard defines very basic wireless client authentication that also uses the WEP key. The industry has adopted the 802.1x authentication framework (see section 7 entitled “Wireless Authentication”) to overcome the deficiencies of the 802.11 standard. Recently the University of Maryland has documented potential security risks with the 802.1x protocol. Today’s solution is to use mutual authentication to prevent “man in the middle” attacks and dynamic WEP keys that are distributed over secure, encrypted channels. Both these techniques are supported by the Transport Layer Security (TLS) protocol. Further enhancements include per-packet keying and message integrity checks; these are proposed enhancements to the 802.11i security standard.

4 Madge Wireless LAN architecture

The Madge wireless LAN architecture consists of three components: Wireless Clients, which communicate with Access Points, which in turn can communicate with and can be controlled by Access Servers. Wireless clients are typically laptop computers with a wireless Network Interface Card (NIC) installed to allow access to the wireless network. An Access Point (AP) provides radio coverage to a particular area (known as a cell) and connects to the wired network. Both 802.11b (11 Mbps LANs at 2.4 GHz) and Bluetooth APs are supported. An Access Server (i.e. the Enterprise Access Server or EAS) provides control, management and advanced security features to the Enterprise wireless network.

Figure 2: Enterprise Access Server in Gateway Mode (diagram: wired side with the switched or routed network and corporate intranet; the Enterprise Access Server acts as gateway for all wired-to-wireless traffic; wireless side with a Bluetooth Access Point and two 802.11 Access Points)

A Madge wireless infrastructure can be connected to existing wired networks in a number of ways. Common architectures include deploying the EAS in “Gateway Mode” or “Controller Mode”. In Gateway Mode (see figure 2 above) the EAS is placed between the AP network and the rest of the enterprise network. The EAS therefore controls all traffic flow between the wired and wireless networks and acts as a firewall.

WWP-001 Copyright © 2002-2003 Madge Limited. All rights reserved. Page 2
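The IV weakness in section 3 (a 24-bit IV sent in the clear, combined with one static shared key) is something a defender can measure and monitor for. The Python below is an added example, not code from the Madge paper: it estimates how many frames a static key survives before an IV repeat becomes likely, and scans 802.11 data frames for IVs reused under the same BSSID. It assumes a plain 24-byte MAC header with ToDS=1 and no QoS field (so Address 1 is the BSSID); the sample frames are constructed, not captured traffic.

```python
import math
from collections import defaultdict

IV_BITS = 24                 # WEP IV length defined by 802.11
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs for one key

def frames_until_iv_collision(p=0.5, iv_space=IV_SPACE):
    """Birthday-bound estimate of how many frames can be sent under one static
    WEP key before the chance that some IV has repeated reaches p:
    sqrt(2 * N * ln(1 / (1 - p)))."""
    return math.sqrt(2 * iv_space * math.log(1.0 / (1.0 - p)))

def extract_wep_iv(frame):
    """Return (bssid, iv_hex, key_id) from a WEP-protected 802.11 data frame.
    Assumes a 24-byte MAC header with ToDS=1/FromDS=0 (Address 1 = BSSID) and
    no QoS field; returns None when the Protected Frame bit is clear."""
    if len(frame) < 28 or not frame[1] & 0x40:   # flags byte, bit 6 = Protected
        return None
    bssid = frame[4:10].hex(":")
    iv_hex = frame[24:27].hex()                  # 3-byte IV sent in plain text
    key_id = frame[27] >> 6                      # key index in the top 2 bits
    return bssid, iv_hex, key_id

def find_iv_reuse(frames):
    """Count IVs per BSSID and return each (bssid, iv) seen more than once;
    those frames were encrypted with the same RC4 keystream."""
    counts = defaultdict(int)
    for frame in frames:
        parsed = extract_wep_iv(frame)
        if parsed:
            bssid, iv_hex, _ = parsed
            counts[(bssid, iv_hex)] += 1
    return {key: n for key, n in counts.items() if n > 1}

def build_frame(bssid, iv, protected=True, key_id=0):
    """Constructed test frame (not a real capture): data frame, ToDS=1."""
    flags = 0x01 | (0x40 if protected else 0)
    hdr = bytes([0x08, flags, 0, 0]) + bssid + b"\xaa" * 6 + b"\xbb" * 6 + b"\x00\x00"
    if not protected:
        return hdr + b"\xcc" * 12
    return hdr + iv.to_bytes(3, "big") + bytes([key_id << 6]) + b"\xcc" * 8

AP = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [                      # constructed, not captured traffic
    build_frame(AP, 0x010203),
    build_frame(AP, 0x0a0b0c),
    build_frame(AP, 0x010203),         # same IV again under the same key
    build_frame(AP, 0x010203, protected=False),
]
```

With p = 0.5 the estimate comes out near 4,800 frames, which is why the paper's advice to rotate WEP keys frequently matters on any busy cell.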