CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.6  Wireless

2.6.2  802.11x 1 2 2.6.4  Vulnerabilities

To protect an 802.11b network from unauthorized, use and “snooping”, you can enable packet encryption via WEP. Different cards have different levels of support for WEP. WEP works by using a RC4 encryption scheme, (Refer to encryption for details on RC4) with a key that can be 40, 64 or 128 bits in length. (New models released in the 2^nd half of 2002 now offer 256-bit encryption.) The design in 802.11 for RC4 uses a shared key. The access point sends a random number at the registration request. The receiving node assigns the key with a secret key that was pre-shared. The access point checks the results and allows the node to sign on. Data between the devices is encrypted by one of the values listed.

The method described is known as one-way authentication. Stated another way, the access point knows it is from some group of computers that has the pre-shared key and cannot identify a specific computer.

Given this, it is possible for a rogue computer to pretend it is an access point.

When enabling WEP (Wired Equivalent Privacy) on a network, the encryption key must be the same among all the devices, including the wireless base station providing network connectivity.

Another difficulty with WEP is that it is possible to “break” this WEP encryption and gain access to the network.

The less than stellar news in the design of 802.11b and WEP is the use of RC4 has as part of the logic a number known as an initialization vector or IV that is not encrypted. Too many product offerings start the IV at the number we call 1 then use 2 for the next IV, followed by 3, etc. So, scoop up about 5 million packets of data and you can figure out the WEP pattern. In a large wireless network with heavy usage the combination of keys is used within hours, as proven by research at the University of Maryland²⁴¹ and the Berkley campus of the University of California²⁴². A single intruder sending an email to a valid email address on the wireless network further reduces security since the intruder knows what the unencrypted message contained, narrowing the search pattern. If an intruder doesn’t want to work hard they simply use the lazy approach and use a program such as Airsnort ²⁴³, wepcrack²⁴⁴ or airtraf²⁴⁵. The moral to the story is change keys often.

Although theoretically Wired Equivalent Privacy is supposed to be as secure as an actual wired network, the reality is that that isn’t the case. As you can see, the challenge with WEP is that for a variety of reasons, is it cannot withstand the attention of compromising attacks. Because of this, if you are deploying a wireless network, you should strongly consider using hardware that allows you to control access to the wireless LAN based on MAC address, or consider a tunneling protocol between wireless devices and access points.

Still, keep in mind that in most situations, WEP is better than no WEP. It will stop some potential attackers, and probably slow down others. Even if you assume that your WEP protection will be subverted, the fact that you attempted to employ that protection is one way to demonstrate that you were not negligently making your wireless network available to the world with no protection whatsoever.

2.6.2  802.11x 1 2 2.6.4  Vulnerabilities