Posted by Dave
5 Star Support Security Specialist
Many computer users have a small wireless network at home even if they only have
one computer and it is a laptop. Referred to as a WLAN (Wireless Local Area
Network) this kind of network offers ease of connectivity as well as
portability, allowing you to easily move around and still remain connected. The
standard for this was first released in 1999 as 802.11b and for protection, WEP
was specified. This standard is still in use today and supported by just about
all wireless routers. What many users are unaware of is that WEP is basically
broken, and not secure, even though it is still widely used to this day. In this
paper I hope to explain wireless and how it should be properly secured for
As I already stated, wireless began in 1999 with the 80211.b standard, and the
WEP security protocol was specified. WEP stands for Wired Equivalent
Privacy and was originally thought to provide a level of security and
privacy that is equivalent to what is expected in a wired LAN. In actuality, it
provided a level of security that protected against casual eavesdropping. The
other problem faced by wireless users is physical security. Although a wired LAN
is physically secure by nature of being contained in a building or room,
wireless connections have no such restrictions, as the signal is not contained
by physical structures.
Enter WEP. WEP seeks to establish similar protection to that offered by the
wired network's physical security measures by encrypting data transmitted over
the WLAN. Data encryption protects the vulnerable wireless link between clients
and access points; once this measure has been taken, other typical LAN security
mechanisms such as password protection, end-to-end encryption, virtual private
networks (VPNs), and authentication can be put in place to ensure privacy.
Unfortunately, the additional security measures that the original designers of
WEP assumed would be put in place were usually not added, especially in home
networks, but also in many commercial installations as well.
Lets take a closer look at what WEP actually is. When WEP is active in a
wireless LAN, each 802.11 packet is encrypted separately with an RC4 cipher
stream generated by a 64-bit RC4 key. This key is composed of a 24-bit
initialization vector (IV) and a 40-bit WEP key. The encrypted packet is
generated with a bitwise exclusive OR (XOR) of the original packet and the RC4
stream. The IV is chosen by the sender and can be changed periodically so every
packet won't be encrypted with the same cipher stream. The IV is sent in the
clear with each packet. An additional 4-byte Integrity Check Value (ICV) is
computed on the original packet and appended to the end. The ICV (be careful not
to confuse this with the IV) is also encrypted with the RC4 cipher stream.
This worked well in the beginning, and many thought the 128-bit encryption it
offered would be more than enough to keep you secure, but as already stated,
extra security measures were almost universally ignored in wireless
installations. By 2003, WEP was basically broken, and it had become an easy
target for many hackers. Lets take a look at the inherent weaknesses:
- Key management and key size
- Key management is not specified in the WEP standard; without interoperable
key management, keys will tend to be long-lived and of poor quality. Most
wireless networks that use WEP have one single WEP key shared between every
node on the network. Access points and client stations must be programmed
with the same WEP key. Since synchronizing the change of keys is tedious and
difficult, keys are seldom changed. Also, the 802.11 standard does not
specify any WEP key sizes other than 40 bits. Keep in mind that these keys
are also static, meaning that they never change.
- The IV is too small - WEP's
IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for
a given WEP key, for any key size. Remember that the RC4 cipher stream is
XOR-ed with the original packet to give the encrypted packet that is
transmitted, and the IV is sent in the clear with each packet. The problem
is IV reuse. If the RC4 cipher stream for a given IV is found, an attacker
can decrypt subsequent packets that were encrypted with the same IV or can
- ICV Algorithm - The WEP ICV
is based on CRC-32, an algorithm for detecting noise and common errors in
transmission. CRC-32 is an excellent checksum for detecting errors, but an
awful choice for a cryptographic hash. Better-designed encryption systems
use algorithms such as MD5 or SHA-1 for their ICVs.
- Authentication messages can
be easily forged.
Despite the flaws, WEP is
better than nothing, and you should enable WEP as a minimum level of
security. Many people have taken to the streets to discover wireless LANs in
neighborhoods, business areas, and colleges using protocol analyzers, such
as AiroPeek and Airmagnet. Most of these people are capable of detecting
wireless LANs where WEP is not in use and then use a laptop to gain access
to resources located on the associated network.
By activating WEP, however,
you significantly minimize this from happening, especially if you have a
home or small business network. WEP does a good job of keeping some people
out, at least those that are honest. Beware, though, there are many true
hackers around who can exploit the weaknesses of WEP and access WEP-enabled
The solution to the weaknesses
inherent in WEP is WPA, a newer protocol that Microsoft was heavily involved
in developing. WPA is short for Wi-Fi Protected Access,
and is a standard designed to improve upon the earlier WEP standard. This
technology is designed to work with exist Wi-Fi products by making use of
software or firmware upgrades to existing hardware. It includes two major
improvements over WEP:
- Improved data
encryption through the temporal key integrity protocol (TKIP). TKIP
scrambles the keys using a hashing algorithm and, by adding an
integrity-checking feature, ensures that the keys havenít been tampered
- User authentication,
which is generally missing in WEP, through the extensible authentication
protocol (EAP). WEP regulates access to a wireless network based on a
computerís hardware-specific MAC address, which isrelatively simple to
be sniffed out and stolen. EAP is built on a more secure public-key
encryption system to ensure that only authorized network users can
access the network.
WPA is designed as an
interim improvement that is to be replaced by the new IEE 802.11i
standard when completed. In order to make use of WPA, all computers on
the network must be running Windows XP Service Pack 1 or greater. It
cannot be configured on older versions of XP or Windows.
Specific improvements offered in WPA include the Temporal Key Integrity
Protocol, or TKIP. TKIP could be implemented on pre-WPA wireless network
interface cards that began shipping as far back as 1999 through firmware
upgrades. Because the changes required fewer modifications on the client
than on the wireless access point, most pre-2003 APs (Access Point)
could not be upgraded to support WPA with TKIP.
In November, 2008, a weakness in TKIP was uncovered by researchers at
two German technical universities. The weakness relies on a previously
known flaw in WEP that could be exploited only for the TKIP algorithm in
WPA. The flaw can only decrypt short packets with mostly known contents,
such as ARP messages, and 802.11e, which allows Quality of Service
packet prioritization for voice calls and streaming media.
The above weakness has led us to the latest WPA2 certification that
indicates compliance with an advanced protocol implementing the full
802.11i standard. WPA2 includes Pre-shared key mode. PSK (also known as
Personal mode) is designed for home and small office networks that don't
require the complexity of an 802.1X authentication server. Each wireless
network device encrypts the network traffic using a 256 bit key. This
key may be entered either as a string of 64 hexadecimal digits, or as a
passphrase of 8 to 63 printable ASCII characters. Pre-shared key mode is
used because shared-key WPA is vulnerable to password cracking attacks
if a weak passphrase is used. To protect against a brute force attack, a
truly random passphrase of 13 characters (selected from the set of 95
permitted characters) is probably sufficient.
In simple terms, WPA-PSK is extra-strong encryption where encryption
keys are automatically changed (called rekeying) and authenticated
between devices after a specified period of time, or after a specified
number of packets has been transmitted. This is called the rekey
interval. WPA-PSK is far superior to WEP and provides stronger
protection for the home/SOHO user for two reasons. The process used to
generate the encryption key is very rigorous and the rekeying (or key
changing) is done very quickly. This stops even the most determined
hacker from gathering enough data to break the encryption.
Recently, the Wi-Fi alliance has announced the inclusion of additional
EAP (Extensible Authentication Protocol) types to its certification
programs for WPA- and WPA2- Enterprise certification programs. This was
to ensure that WPA-Enterprise certified products can interoperate with
one another. Previously, only EAP-TLS (Transport Layer Security) was
certified by the Wi-Fi alliance.
The EAP types now included in the certification program are:
- EAP-TLS (previously
Most of the newer
model Wi-Fi CERTIFIED devices support the security protocols
discussed above, out-of-the-box, as compliance with this protocol
has been required for a Wi-Fi certification since September 2003.
certified through Wi-Fi Alliance's WPA program (and to a lesser
extent WPA2) was specifically designed to also work with wireless
hardware that was produced prior to the introduction of the
protocol, which usually had only supported inadequate security
through WEP. Many of these devices will support the security
protocol after a firmware upgrade. Firmware upgrades are not
available for all legacy devices.
What you need to do
Now that we know about WEP, WPA and WPA2, whatís next? You need to
verify your Wi-Fi access point capabilities and upgrade the firmware
if necessary so that you can configure WPA2, and then set up WPA (or
better, WPA2) on your Windows XP computer(s).
There are a number of setup steps involved to employ WPA on your
wireless network, but the time spent is well worth it for your
security and peace of mind. The setup difficulty and time involved,
as well as the specific steps you need to follow, will vary
depending on your particular hardware and wireless cards. Plan on a
couple of hours anyway. How to do this on a step-by step basis is
beyond the scope of this paper, but I can direct you to two
excellent sources to guide you through setting it all up.
One source is on about.com in the Wireless/Networking section
There is also an excellent article covering this subject on
Microsoftís XP site written by Barb Bowman located here:
These articles have been around for a while, but then, so has the
technology. Most users just havenít been aware of it. Do yourself a
big favor and update and secure your home wireless network soon. I
would recommend that you make it a priority project.
We have covered wireless network security since the beginnings of
wireless networks in 1999, to the current status of Wi-Fi in 2009.
You now have all the information you need to hopefully understand
the technology and the basics that make it work. All that remains is
for you to upgrade your wireless network to the current standards
and you will be safe and secure.
Until we meet again.