Saturday, February 27, 2010

Is WPA Secure? - Part 1

Recently I have noticed quite a bit of conjecture surrounding the Wi-Fi Protected Access (WPA) protocol and its use. With media hysteria now promoting WPA as no longer secure, wireless security has, unfortunately, become another great unknown to many people.

In this three-part series I would like to delve into the WPA protocol and provide a background on its history, how it works and assess whether WPA is indeed insecure. By the end of this series I will have provided a foundation which will hopefully help answer two of the most common questions surrounding the wireless-security space: “Is WPA secure?” and “Should I be using WPA?”.

To be comfortable in understanding the insecurities of the WPA protocol, Part 1 of this series will provide a brief background on 802.11 security.

Designed as a basic security measure to secure 802.11 wireless networks, Wired Equivalent Privacy (WEP) was implemented to provide simple confidentiality to wireless networks. Soon after its inception, weaknesses were being discovered in the WEP protocol. Among these weaknesses were:

  • key selection weaknesses,
  • no replay protection,
  • weak message integrity checking,
  • no key rotation mechanism,
  • short initialization vector (IV),
  • pseudo-random generation algorithm (PRGA) revealed in challenge/response, and
  • key was reversible from cipher-text.

By 2007, attacking WEP had become so effective that the cracking probability of a 104-bit WEP key was:

    • 50% success after 60 seconds
    • 80% success after 90 seconds
    • 95% success after 128 seconds

Source: Tews, E, Weinmann, R, Pyshkin A 2007, Breaking 104 bit WEP in less than 60 seconds

To combat the deficiencies of the WEP protocol, the Institute of Electrical and Electronics Engineers (IEEE) decided to come up with a new, more secure protocol: WPA. Designed specifically to work within the design constraints of existing WEP hardware, WPA could be adopted with a firmware upgrade to existing WEP-enabled infrastructure.

WPA was able to improve security over its WEP counterpart by implementing the Temporal Key Integrity Protocol (TKIP). Based on the RC4 cryptographic cipher (like WEP), The TKIP algorithm was designed to overcome the security deficiencies discovered in WEP by:

  • defeating key reuse attacks,
  • defeating forgery attempts, and
  • defeating replay attacks.

Whilst these mechanisms would provide consumers with a secure alternative to the broken WEP protocol, the IEEE only intended WPA to have a 5-year life span (1999-2004). This life span would provide organisations with a transitional period for the arrival of WPA's new companion, WPA2.

Requiring a hardware upgrade from old WEP/WPA technologies, WPA2 was based on the 802.11i security specification (which was not yet ratified at the time WPA was introduced). Designed on a completely new encryption protocol, WPA2 implemented a new algorithm known as Counter Mode with Cipher Block Chaining Message Authentication Protocol (CCMP). CCMP offered several enhancements to the TKIP standard, including the use of the AES cryptographic cipher (as opposed to RC4 used in WEP/WPA). WPA2 was also given the ability to utilise the TKIP encryption protocol for backward compatibility.

Note: Vendors will often (incorrectly) refer to WPA2 as WPA2-AES. This would be fine if WPA was referred to as WPA-RC4. For the sake of consistency, I will refer to WPA2 as WPA2-CCMP throughout the remainder of this series.

Apart from brute-force attempts on weak passwords, both WPA-TKIP and WPA2-CCMP have been considered ‘secure’ up until recently. In November 2008 Erik Tews and Martin Beck, researchers at two German University, published a paper that highlighted a weakness in the TKIP algorithm. Their paper demonstrated how plain-text could be recovered from an encrypted WPA network and injected back into that network. Tews and Beck’s attack method was later enhanced by two Japanese researches whose research caused wide-spread panic among information technology (IT) journalists.

In Part 2 of this series we will take a deeper look at how the TKIP protocol works, how TKIP can be attacked, and look at answering the two pertinent questions: “Is WPA secure?” and “Should I be using WPA?”.