(From 2/14/01) : 802.1x stuff -- Researchers crack new wireless security spec
(Sorry if already posted).
February 14, 2002 02:12 PM
Researchers crack new wireless security spec
By Ephraim Schwartz
A UNIVERSITY OF Maryland professor and his graduate student have apparently uncovered
serious weaknesses in the next-generation Wi-Fi (Wireless Fidelity) security protocol known
as 802.1x.
In a paper, "An Initial Security Analysis of the IEEE 802.1X Standard" funded by the National
Institute of Standards, Professor William Arbaugh and his graduate assistant Arunesh Mishra
outline two separate scenarios that nullify the benefits of the new standard and leave Wi-Fi
networks wide open to attacks.
The use of public access "hot spots" are particularly vulnerable to session hijacking because
these locations do not even deploy the rudimentary WEP (Wired Equivalent Privacy) protocol.
"This problem exists whether you use WEP or not, but it is trivial to exploit if not using WEP,"
said Arbaugh.
Dubbed "session hijacking" and "man-in-the-middle," both attacks basically exploit inherent
problems in Wi-Fi as well as exploiting how the new 802.1x standard is designed.
"Here's how session hijacking works. The hacker waits for someone to finish successfully the
authentication process. Then you as the attacker send a disassociate message, forging it to
make it look like it came from the AP [access point]. The client [user] thinks they have
been kicked off, but the AP thinks the client is still out there. As long as WEP is not involved
you can start using that connection up until the next time out, usually about 60 minutes,"
said Arbaugh.
A session hijacking can occur because of the so-called race conditions between the 802.1x
and 802.11 state machines. Arbaugh uses the analogy of a thief and a store owner racing
for the front door at the same time. If the owner gets there first he locks the thief out, if the
thief gets there first he steals everything. Because the client and the AP aren't synchronized,
"loose consistency," the thief can tell the owner/client to go away and the AP still thinks he is
there.
"The robber gets there first," said Arbaugh.
The second form of attack is called man-in-the-middle, and while Brian Grimm, a
spokesman for WECA [Wireless Ethernet Compatibility Alliance] said that the Wi-Fi
association was aware of the problem and that it had already been fixed, Arbaugh said he
had not heard from WECA but that he "would be shocked if they solved the problem."
The man-in-the-middle attack works because 802.1x uses only one-way authentication. In
this case, the attacker acts as an AP to the user and as a user to the AP.
"The trust assumption that is reflected from this design is that the access points are trusted
entities, which is a misjudgement. The entire framework is rendered insecure if the
higher-layer protocol also performs a one-way authentication," according to the Arbaugh,
Mishra paper.
One industry analyst was not surprised by the lack of security that 802.1x offers.
"It [802.1x] is a security feature but everybody already knew it wasn't really the only thing
you need to do," said Gemma Paulo, an industry analyst specializing in networks at Instat in
Scottsdale, Ariz.
(Other than the initial response downplaying the seriousness of the security breach from the
WECA spokesman, no other response was given. Grimm said an expert would return
InfoWorld's call, but no additional response was received at press time.)
The real problem is the fundamental way in which Wi-Fi works, according to Arbaugh.
Although rapid rekeying of WEP keys, for example, which will be implemented in the next
security standard called TKIP [Temporal Key Integrity Protocol], makes it more difficult to
crack, Arbaugh said the entire design is just not good security.
"You are relying on a confidentiality mechanism, and in general that is considered bad
design," he said.
The next generation of security is TKIP and is backward-compatible with current Wi-FI
products and upgradeable with software. TKIP is a rapid re-keying protocol that changes the
encryption key about every 10,000 packets, according to Dennis Eaton, WECA chairman.
TKIP will be available in the second quarter, said Eaton.
But Arbaugh says TKIP does not eliminate the fundamental flaw in Wi-Fi security.
"If anybody breaks TKIP, they not only break the confidentiality but they also break the
access control and authentication so one break breaks everything. That is not good design.
Each security mechanism should stand on its own," he said.
Longer term, the IEEE Standards body intends to adopt AES [Advanced Encryption Standard],
the same security protocol sponsored by the National Institute of Standards.
"AES is state of the art encryption technology," said WECA chairman Eaton.
But AES requires hardware acceleration using a co-processor to off-load the encryption and
decryption or it would slow the throughput down to an unacceptable level, according to Eaton
as well as Instat's Paulo. It also requires new Wi-Fi cards in the client devices. AES will be
available in the first quarter of 2003.
Arbaugh said the 802.1x specification proves what he and Mishra say in their paper is
correct.
"If you look at the 802.1x, they tell you the 1x protocol is insecure when used in a shared
medium environment unless a security association is established. Since 802.11 doesn't do
that, so by IEEE's own words it is insecure," Arbaugh said.
The specification reads as follows on page 35, section 7.9, lines 34-39.
"However, it should be noted that such use can only be made secure if communications
between the Supplicant [Client] and Authenticator [Access Point] systems takes place using
a secure association.
Attempting to use EAPOL in a shared medium environment that does not support the use of
secure associations renders Port-based network access control highly vulnerable to attack ..."
See drizzle.com for the entire specification.
Copyright 2001 InfoWorld Media Group, Inc. |
