WPA - An accident waiting to happen

By Joel Snyder and Rodney Thayer
Network World, 10/04/04

Original Article On Network World Web Site

WPA is an industry specification the Wi-Fi Alliance pushed into adoption. This cooperative of wireless manufacturers - worried that WEP would stall sales - took an early draft of the IEEE 802.11i wireless security standard, pulled out some harder-to-implement pieces, such as AES encryption, and created WPA. Vendors shipped certified WPA products just five months after announcing the specification.

WPA enhances security in several ways. The most obvious is in the encryption protocol. WPA uses TKIP to improve the key usage in wireless encryption. Although TKIP uses the same base encryption algorithm - RC4 - as WEP, the way it selects and changes keys resolves many of the issues surrounding WEP. WPA also improves the integrity aspects of 802.11 by making it virtually impossible to inject messages into a wireless conversation or to modify a message on the fly.

The primary improvement in WPA is the per-session encryption key. Every time a station associates, a new encryption key is generated based on some per-session random numbers and the media access control (MAC) addresses of the station and the access point. WPA sounds like a major improvement, and it is - if it's used correctly.

Unfortunately, the easiest way to use WPA actually makes it easier to crack than WEP. When 802.1X authentication is not used in WPA, a simpler system called Pre-Shared Key (PSK) is. PSK offers a long-lived password that everyone who wants to connect to the WLAN has to know. All the wireless devices we tested with the exception of the Linksys adapter card support WPA-PSK (see graphic, below.)

With WPA-PSK, if you don't make your password long, you're susceptible to an offline dictionary attack where an attacker grabs a few packets at the time a legitimate station joins the wireless network and then can take those packets and recover the PSK used. An attacker can get what he needs to guess the PSK and get out without anyone noticing. This can occur because the attacker doesn't have to be near the WLAN for more than a few seconds, and the LAN doesn't have to be very busy.

Of course, this type of attack depends on people choosing poor passwords. So if you force users to type in a 64-digit hexadecimal number when they configure their wireless connection information, then you are covered. But most folks use the passphrase mechanism built into WPA, which converts an eight- to 63-character string you type in to the 64-digit key. More than half of the products we tested only let you enter a passphrase - you can't put in the 64-digit hex key even if you wanted to.

The innate problem is that a passphrase is easy to guess. The IEEE committee that wrote 802.11i pointed out that an eight- to 10-character passphrase actually has less than the 40 bits of security that the most basic version of WEP offers, and says that a passphrase "of less than about 20 characters is unlikely to deter attacks."

As with WEP, wireless cracking tools exist that are specifically designed to recover the PSK from a WPA-protected network. We used the KisMAC tool to demonstrate that an eight-character PSK can be recovered using off-the-shelf tools against any product using such a short password with only a few days of work.

WPA with 802.1X authentication - sometimes called WPA-Enterprise - yields a very tight network. 802.1X offers strong positive authentication for both the station and the WLAN infrastructure, while deriving a secure, per-session encryption key that is not vulnerable to any casual attack. This security comes with a cost because 802.1X authentication requires a significant infrastructure including 802.1X-compliant RADIUS server with a digital certificate, and client software for every user that supports 802.1X and whichever authentication mode you use.

If you're looking for the best wireless security you can get today, 802.1X authentication combined with WPA's improved encryption is the closest thing we've got to an ideal solution. Finding good products at all prices that combine 802.1X and WPA is not difficult. However, WPA-based products should give way quickly as more 802.11i-based products hit the marketplace this fall.

Tracking support for various WPA authentication methods
Wireless access points and switches have almost unanimous support for both WPA pre-shared keys and 802.1X authentication methods. But on the client side, the wireless NICs tested varied considerably on this point with PEAP/MSCHAPv2 standing as the lowest common denominator.
Product Type Vendor Supports WPA Pre-Shared Key 802.1X authentication methods supported in conjunction with WPA
Wireless adapters



3Com Yes LEAP, Serial authentication, EAP-TLS, PEAP/MSCHAPv2, TTLS/PAP, TTLS/MSCHAPv2
Actiontec Yes EAP-TLS, PEAP/MSCHAPv2
Buffalo Yes Not supported
Linksys No Not supported
Wireless access points Vendor Supports WPA Pre-Shared Key Supports WPA used with 802.1X*
3Com Yes Yes
Actiontec Yes Yes
Belkin Yes Yes
Buffalo Yes No
Cisco Yes Yes
Compex Yes Yes
HP Yes Yes
Linksys Yes Uses proprietary authentication system
Netgear Yes Yes
Netopia Yes No
Proxim Yes Yes
SMC Yes Yes
Wireless switches Airespace Yes Yes
Aruba Yes Yes
Trapeze Yes Yes
*While WLAN clients must support specific 802.1X authentication methods, the wireless access points and the switches merely have to support the authenticated tunnel.