[iwar] [fc:Researchers.crack.new.wireless.security.spec]

From: Fred Cohen (fc@all.net)
Date: 2002-02-16 09:22:45
Next message: Fred Cohen: "[iwar] [fc:Judge.Says.Microsoft.Must.Give.States.Windows.Code]"
Previous message: Fred Cohen: "[iwar] [fc:Japan.space.agency.hacked]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200202161722.g1GHMjk02708@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Precedence: bulk
Date: Sat, 16 Feb 2002 09:22:45 -0800 (PST)
Subject: [iwar] [fc:Researchers.crack.new.wireless.security.spec]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Researchers crack new wireless security spec

By Ephraim Schwartz, InfoWorld, 2/15/02
<a href="http://www.idg.net/go.cgi?id=641645">http://www.idg.net/go.cgi?id=641645>

A UNIVERSITY OF Maryland professor and his graduate student have
apparently uncovered serious weaknesses in the next-generation Wi-Fi
(Wireless Fidelity) security protocol known as 802.1x.

In a paper, "An Initial Security Analysis of the IEEE 802.1X Standard"
funded by the National Institute of Standards, Professor William Arbaugh
and his graduate assistant Arunesh Mishra outline two separate scenarios
that nullify the benefits of the new standard and leave Wi-Fi networks
wide open to attacks.

The use of public access "hot spots" are particularly vulnerable to
session hijacking because these locations do not even deploy the
rudimentary WEP (Wired Equivalent Privacy) protocol.

"This problem exists whether you use WEP or not, but it is trivial to
exploit if not using WEP," said Arbaugh.

Dubbed "session hijacking" and "man-in-the-middle," both attacks
basically exploit inherent problems in Wi-Fi as well as exploiting how
the new 802.1x standard is designed.

"Here's how session hijacking works. The hacker waits for someone to
finish successfully the authentication process. Then you as the attacker
send a disassociate message, forging it to make it look like it came
from the AP [access point]. The client [user] thinks they have been
kicked off, but the AP thinks the client is still out there. As long as
WEP is not involved you can start using that connection up until the
next time out, usually about 60 minutes," said Arbaugh.

A session hijacking can occur because of the so-called race conditions
between the 802.1x and 802.11 state machines. Arbaugh uses the analogy
of a thief and a store owner racing for the front door at the same time.
If the owner gets there first he locks the thief out, if the thief gets
there first he steals everything. Because the client and the AP aren't
synchronized, "loose consistency," the thief can tell the owner/client
to go away and the AP still thinks he is there.

"The robber gets there first," said Arbaugh.

The second form of attack is called man-in-the-middle, and while Brian
Grimm, a spokesman for WECA [Wireless Ethernet Compatibility Alliance]
said that the Wi-Fi association was aware of the problem and that it had
already been fixed, Arbaugh said he had not heard from WECA but that he
"would be shocked if they solved the problem."

The man-in-the-middle attack works because 802.1x uses only one-way
authentication. In this case, the attacker acts as an AP to the user and
as a user to the AP.

"The trust assumption that is reflected from this design is that the
access points are trusted entities, which is a misjudgement. The entire
framework is rendered insecure if the higher-layer protocol also
performs a one-way authentication," according to the Arbaugh, Mishra
paper.

One industry analyst was not surprised by the lack of security that
802.1x offers.

"It [802.1x] is a security feature but everybody already knew it wasn't
really the only thing you need to do," said Gemma Paulo, an industry
analyst specializing in networks at Instat in Scottsdale, Ariz.

(Other than the initial response downplaying the seriousness of the
security breach from the WECA spokesman, no other response was given.
Grimm said an expert would return InfoWorld's call, but no additional
response was received at press time.)

The real problem is the fundamental way in which Wi-Fi works, according
to Arbaugh. Although rapid rekeying of WEP keys, for example, which will
be implemented in the next security standard called TKIP [Temporal Key
Integrity Protocol], makes it more difficult to crack, Arbaugh said the
entire design is just not good security.

"You are relying on a confidentiality mechanism, and in general that is
considered bad design," he said.

The next generation of security is TKIP and is backward-compatible with
current Wi-FI products and upgradeable with software. TKIP is a rapid
re-keying protocol that changes the encryption key about every 10,000
packets, according to Dennis Eaton, WECA chairman.

TKIP will be available in the second quarter, said Eaton.

But Arbaugh says TKIP does not eliminate the fundamental flaw in Wi-Fi
security.

"If anybody breaks TKIP, they not only break the confidentiality but
they also break the access control and authentication so one break
breaks everything. That is not good design. Each security mechanism
should stand on its own," he said.

Longer term, the IEEE Standards body intends to adopt AES [Advanced
Encryption Standard], the same security protocol sponsored by the
National Institute of Standards.

"AES is state of the art encryption technology," said WECA chairman
Eaton.

But AES requires hardware acceleration using a co-processor to off-load
the encryption and decryption or it would slow the throughput down to an
unacceptable level, according to Eaton as well as Instat's Paulo. It
also requires new Wi-Fi cards in the client devices. AES will be
available in the first quarter of 2003.

Arbaugh said the 802.1x specification proves what he and Mishra say in
their paper is correct.

"If you look at the 802.1x, they tell you the 1x protocol is insecure
when used in a shared medium environment unless a security association
is established. Since 802.11 doesn't do that, so by IEEE's own words it
is insecure," Arbaugh said.

The specification reads as follows on page 35, section 7.9, lines 34-39.

"However, it should be noted that such use can only be made secure if
communications between the Supplicant [Client] and Authenticator [Access
Point] systems takes place using a secure association.

Attempting to use EAPOL in a shared medium environment that does not
support the use of secure associations renders Port-based network access
control highly vulnerable to attack ..."

See www.drizzle.com/~aboba/IEEE/802-1x-d11.pdf for the entire
specification.

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Sponsored by VeriSign - The Value of Trust
Secure all your Web servers now - with a proven 5-part
strategy. The FREE Server Security Guide shows you how.
http://us.click.yahoo.com/iWSNbC/VdiDAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Next message: Fred Cohen: "[iwar] [fc:Judge.Says.Microsoft.Must.Give.States.Windows.Code]"
Previous message: Fred Cohen: "[iwar] [fc:Japan.space.agency.hacked]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST