A paper written by a security expert claims the new
Wi-Fi Protected Access (WPA) security standard may be less secure,
in certain scenarios, than the wireless standard it was designed to
replace.
In the paper, "Weakness in Passphrase Choice in WPA Interface,"
Robert Moskowitz, a senior technical director at ICSA Labs, part of
TruSecure, describes a number of problems with the new WPA
standard, including the ability of attackers to "sniff" critical
information from wireless traffic and to discover the value of a
wireless network's security key.
WPA is a new security standard based on work by the Institute of
Electrical and Electronics Engineers Inc. (IEEE) on the 802.11i
wireless security standard. WPA is intended to replace Wired
Equivalent Privacy (WEP), the most common standard for securing
data on wireless networks.
WPA offers a number of security improvements over WEP, including
better data encryption and the ability to authenticate users on
large networks using a separate authentication service such as
Remote Authentication Dial-In User Service, before allowing them to
join the network, according to the Wi-Fi Alliance, a wireless
industry group.
The problems with WPA centre on the use of Pre-Shared Keys
(PSKs), which are an alternative authentication tool for small
businesses and home users that do not want to use a separate
authentication server and full 802.1x key infrastructure, according
to Moskowitz, who helped design the 802.11i wireless security
standard and WPA.
As with WEP, wireless users can use passphrases for the PSK,
which can range from eight to 63 bytes. Most wireless equipment
makers allow only a single PSK to be used on a wireless
network.
Moskowitz wrote that the method that WPA devices use to conduct
"handshakes", or exchanges of information which are used to
generate data encryption keys for wireless sessions, allows
attackers who do not know a PSK to guess it using what is known as
a "dictionary" attack.
In dictionary attacks, attackers capture (or "sniff") wireless
network traffic in transit between the access point and the
wireless workstation, then use specialised software programs to
guess the key.
Other wireless security standards are also vulnerable to such
attacks. WEP keys have long been known to be insecure. More
recently, a security expert showed that Cisco Systems' Lightweight
Extensible Authentication Protocol (LEAP) standard is vulnerable to
dictionary attacks too.
However, attackers who want to compromise WEP and LEAP need to
harvest large quantities of network traffic before they can
decipher the passphrase. In contrast, WPA only requires them to
capture four specific packets of data, Moskowitz said.
Passphrases fewer than 20 characters long are unlikely to
withstand a dictionary attack, and attackers who miss those four
packets in transit can easily trick a wireless access point into
doing a new "handshake" and sending the packets to the attacker
again, he said.
Attackers who already know the PSK and have joined a wireless
network as trusted members could further exploit shortcomings in
the WPA handshake to guess another user's unique "session key,"
which would enable them to listen in on that user's wireless
session, capturing information they were sending out on a corporate
network or to the internet, Moskowitz said.
That could spell trouble for corporations which allow
contractors or other trusted third parties onto their wireless
networks, he said. The key is to use strong passwords - preferably
longer than 17 alphanumeric characters, he said.
Organisations using WPA with Pre-Shared Keys should also
consider using a random number generator to create passphrases,
rather than making them up, he said.
However, companies deploying WPA with an authentication server
have little reason to be concerned, because they do not use
Pre-Shared Keys, said Michael Disabato, senior analyst at The
Burton Group.
For other users, the Moskowitz paper should not cast a shadow
over WPA, he said. "WPA is doing what its supposed to do, providing
you do what you're supposed to do and enforce secure passwords.
"
Both Disabato and Moskowitz agreed that WPA was far more secure
than the earlier WEP standard, even considering the issues raised
by Moskowitz's paper. However, Moskowitz did take issue with
wireless networking equipment makers' implementation of WPA.
The shortcomings surrounding Pre-Shared Keys discussed in the
WPA paper were acknowledged in the 802.11i standard documents. In
their rush to offer WPA in their products, wireless equipment
makers such as Linksys Group (now owned by Cisco) did little to
address the issues with tools to make it easier to generate secure
PSKs, Moskowitz said.
Other problems, such as the requirement, with some wireless
products, that all wireless users share the same PSK on a network,
or the decision to have wireless access points broadcast the fact
that they are using PSKs instead of authentication servers just
makes the job of compromising such networks easier, he said.
Moskowitz's paper is circulating informally on the internet, but
an official copy will soon be available on the TruSecure
website.
Paul Roberts writes for IDG News Service