Security in 802.11 Networks

802.11 Wireless Network Security

James D. Johns

Computer Science 630

Spring, 2005

History has shown that newer, cutting-edge technologies have been subject to an initial period of testing and debugging. Wireless network security is certainly no exception. The process of maintaining data integrity and prohibiting unauthorized access has proven to be problematic at best. While various companies have incorporated security algorithms into their products, the nature of wireless networking still provides relatively easy access to those networks. When vulnerabilities in the initial wireless security algorithms were discovered, those same companies pioneered efforts to enhance security. Unfortunately, those efforts have only recently been fully standardized.

Originally, wireless security consisted simply of filtering data transmission based on the MAC address of the client machine. This procedure was based on the theory that corporate IT departments are responsible for issuing wireless LAN cards and adapters to users and should therefore be able to maintain a corporate-wide list of MAC addresses which were in turn allowed to connect to the organization's wireless network. During the initial connection procedures, wireless access points (AP) can verify the MAC addresses of connecting workstations to ensure the corresponding network adapter is on the list of known valid MAC addresses. While this procedure was fairly effective (as MAC addresses can be forged), system administrators quickly grew tired of maintaining this list of MAC addresses, especially as wireless networks grew in popularity and size. MAC address filtering still remains a highly viable means of securing a local area network in a non-business environment, particularly when a small number of computers are connected to that network and the number of computers is not likely to change.

A similar method of limiting the IP address pool in a DHCP-environment quickly emerged. In effect, this method limited the number of valid IP addresses available via DHCP. However, this method quickly proved to be problematic. When rogue workstations did gain access to the wireless network, legitimate computers could not gain access due to a lack of available IP addresses in the address pool. This problem would be even more severe if a DHCP server issued a reserved IP address to a workstation, assuming that a server authorized for that IP address provided critical functionality for the organization.

The network industry quickly became aware that other more sophisticated methods of securing a wireless network were required. Ultimately, the requirements of wireless security fell into two distinct categories: Encryption/Data Privacy, and Authentication/Access Control.

Encryption and Data Privacy

Encryption is defined as a mechanism which provides data privacy and integrity. The data should obviously not be decrypted by any unauthorized means, while all transmitted packets should originate from the actual sender. Encryption should enforce data integrity under any circumstances. To help maintain data privacy, many network administrators also stopped broadcasting the service set identifier (SSID), an identifier for a particular wireless network. Even today, this method is still viable as a "front-line" defense against hackers for both organizational and home-based wireless networks.

Authentication and Access Control

Authentication should be mutual, and should allow wireless clients and access points full-duplex authentication, i.e. the ability to authenticate each other. In addition, a framework should be introduced in order to facilitate the transmission of authentication messages between wireless clients, access points, and in some cases, authentication servers. Obviously, only properly authorized users and/or servers should gain access to the network resources.

Wireless Equivalent Privacy (WEP)

Wireless Equivalent Privacy was the first standard for 802.11 wireless network security. When the IEEE (Institute of Electrical and Electronics Engineers) ratified the standard, the WEP security standard was included. Unfortunately, many hardware manufacturers initially failed to favor the implementation of WEP. The MAC-address filtering method was still highly popular, and this is what many vendors recommended, rather than a newer, untested standard. However, as previously noted, system administrators quickly grew tired of supporting this task. This outcry, coupled with the use of network tools to discover valid MAC addresses and impersonate valid network clients, quickly sparked an interest in WEP.

Initially, WEP was designed to provide a level of network security equivalent to a wired network. It provided standards for authentication between network clients and access points in addition to packet encryption. WEP uses RSA Security's RC4 stream cipher for packet encryption and decryption. When the 802.11 standard was released, the 40-bit packet length was used due to government export restrictions. However despite this fact, manufacturers quickly saw an opportunity and increased the packet length of their WEP key implementations to 104 bits and quickly labeled their product as "more secure" than other 40-bit implementations. This movement was pioneered by Lucent Technologies, and other companies quickly followed suit, such as Agere (152-bit) and U.S. Robotics (256-bit).

To add randomness to the encryption key, an initialization vector (IV) was added to the fixed-length encryption key. This initialization vector is 24 bits in length and is randomized for each packet encrypted. The IV is added to both the encryption key in the header field, and then used to encrypt the packet itself. Note that the initialization vector is sent in plaintext so that the receiving device knows what it needs to add to the predefined WEP key used to encrypt the packet. The addition of the initialization vector changed the overall packet sizes as follows:

40-bit + 24-bit IV = 64-bit1

104-bit + 24-bit IV = 128-bit

Hardware manufacturers support 64-bit and 128-bit key sizes on all wireless LAN devices that

...