
WPA Part 3: WPA Fixes

2009-6-11 14:05 | Views: 820 | Comments: 0 | Original author: | Source: www.anywlan.com

As previously mentioned, WPA was created to correct the deficiencies of WEP. It accomplishes this through a connected series of upgrades and additions to the existing WEP protocol. In short, WPA works with WEP and fills in the gaps as required.

WPA is actually a combination of two separate solutions. One solves the problems associated with privacy and encryption (TKIP), and the second adds the component required for authentication. However, WPA is not just a fix for enterprise users who require authentication servers such as RADIUS. It also must be acceptable for home/small office users who only need to worry about getting their wireless connection to the Internet. In a case like this, WPA supports the ability to provide only the privacy enhancements.

This is possible due to the way the encryption keys are created. Within an enterprise network, the keys are created by the authentication server. Since a SOHO WLAN does not have this extra component, WPA allows the devices to use a pre-shared key. This will be discussed in more depth as we look at the one major security flaw that threatens WPA users.

TKIP

The Temporal Key Integrity Protocol corrects almost every problem WEP created. It does this by figuratively wrapping the insecure WEP component and covering over/plugging up its flaws. This section outlines how each of the problems was corrected.

IV Collision (Short IV)

IV collisions are possible because of the IV's 24-bit size. To correct this problem, TKIP implements a 48-bit IV value. This increase in size provides enough unique IV values to last up to 900 years; in other words, a collision is practically impossible.

The problem is where all this data can be stored. The 802.11 header only allows room for a 24-bit IV value. The solution designated within TKIP was to split the IV value into two parts: a 16-bit value that is used to fill the 24-bit IV field, and a 32-bit value that is appended to the data prior to the WEP encryption process.

Weak IVs

The new IV solution also helps to fix the weak IV problem. As noted, only 16 bits of the total 48 are used to fill a 24-bit field. The reason for this is found in the way TKIP corrects for statistically weak IV values. The first 8 bits of the IV are duplicated into the second 8-bit field, with some slight alterations. The result is that the exposed 24-bit IV value is immune to the statistical flaws that plague WEP.

Replay & Forgery Attacks

WEP does not have a packet counter. In other words, a packet can be injected repeatedly into a network. To stop this, TKIP implemented a sequence counter (TSC). This enhancement assigns each packet a sequential number and monitors received packets to be sure they carry an acceptable counter value. Any packet that falls outside the tolerated range is rejected. Again, it is the 48-bit IV that provides this function. In other words, the designers of TKIP consolidated several security fixes into just one enhancement. This was a wise choice because the TKIP IV creation process is done outside the scope of the original WEP design. By doing this, the legacy WEP process was left untouched. TKIP simply surrounded it with security.
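As an added example (not code from the original article) of the IV scheme the three sections above describe: the 48-bit TKIP sequence counter is packed into the legacy 24-bit IV field plus the 32-bit Extended IV following the 802.11i TKIP header layout, the middle IV byte is derived from TSC1 so the exposed IV can never hit WEP's weak-IV classes, and a receiver rejects any frame whose TSC is not strictly higher than the last one it accepted. The function and class names and the sample TSC values are constructed for illustration.

```python
def tkip_pack_iv(tsc, key_id=0):
    """Lay out a 48-bit TSC the way TKIP does: TSC1, a derived middle byte and
    TSC0 fill the legacy 24-bit WEP IV field, a KeyID byte follows with the
    Extended IV bit (0x20) set, and TSC2..TSC5 go into the 32-bit Extended IV."""
    if not 0 <= tsc < 1 << 48:
        raise ValueError("TSC must fit in 48 bits")
    t = tsc.to_bytes(6, "little")          # t[0] = TSC0 (low byte) ... t[5] = TSC5
    # The middle byte repeats TSC1 with bit 5 set and bit 7 cleared, so it can
    # never be 0xFF: the exposed IV avoids the (B+3, 0xFF, x) weak-IV pattern.
    wep_seed1 = (t[1] | 0x20) & 0x7F
    iv_field = bytes([t[1], wep_seed1, t[0], (key_id << 6) | 0x20])
    return iv_field + t[2:6]


def tkip_unpack_tsc(header):
    """Recover the 48-bit TSC from the 8-byte IV + Extended IV header."""
    tsc1, seed1, tsc0, key_byte = header[:4]
    if not key_byte & 0x20:
        raise ValueError("Extended IV bit clear: not a TKIP-protected frame")
    if seed1 != ((tsc1 | 0x20) & 0x7F):
        raise ValueError("malformed TKIP IV: middle byte does not match TSC1")
    return int.from_bytes(bytes([tsc0, tsc1]) + header[4:8], "little")


class TkipReplayCheck:
    """Receiver-side replay counter for one key: every accepted frame must
    carry a TSC strictly greater than the last accepted one."""

    def __init__(self):
        self.last_tsc = -1

    def accept(self, header):
        tsc = tkip_unpack_tsc(header)
        if tsc <= self.last_tsc:
            return False                   # replayed or reordered frame: drop it
        self.last_tsc = tsc
        return True
```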

MIC

WEP uses the ICV to provide integrity validation for each packet. Unfortunately, this process is not secure. TKIP corrects this by incorporating a completely new integrity validation structure into each packet. Known as MIC, or message integrity check (aka message authentication check...except MAC was already taken), this enhancement not only provides integrity but also helps to prevent forgery attacks.

First, the original ICV value is only 4 bytes. This is not strong security and can easily be cracked. The new ICV is 12 bytes, which is a significant increase. The additional 8 bytes are created by an encryption algorithm known as Michael. While Michael is an improvement, it is not safe against brute force attacks. As a result, Michael includes a protection mechanism that detects invalid ICV values and automatically responds by resetting the passwords and shutting down the network.

Second, when the MIC value is created, it uses the source and destination address. With these values tied into each packet, it is easy to detect a forgery. As a result, an attacker cannot send a packet from their device into the network.

Dynamic Keying

WEP keys are all static. The same pre-shared key is used by all nodes for each packet that is transmitted. The only way this key changes is if someone manually alters it. This fact only makes the WEP cracking flaw even more dangerous. Once an attacker has the key, they can go back and use it over and over.

TKIP is based on the concept of providing a temporal key. In other words, the key changes every 10,000 packets. This makes any attempt at cracking the pre-shared key all but impossible. Even if an attacker obtained the key to one 10,000-packet section, they would have an old password.

In addition, when using TKIP a node can be assigned a key from an authentication server. This eliminates problems associated with having a pre-shared static password. If someone steals a laptop with this authentication information already entered, they could gain access to the network simply by using the stolen credentials. In addition, there are programs available that can read and decrypt stored WEP keys from a computer's registry. An attacker would only need a few minutes with a computer to extract this information for their own malicious activities. Dynamic keying using an authentication server can keep all sensitive information from being stored on a node.

WPA Problems

WPA has done marvels with what it was given. Most of the holes in WEP's security were plugged. However, with any new system come new problems, and this is also true of WPA.

Cracking the Pre-shared password

If the wireless network does not use an authentication server, it must obtain its primary master key from the pre-shared key. This PMK is then used to create a MIC value that validates an initial four-way handshake, which authenticates the node to the access point. The MIC is created using the source and destination address, plus some random data and the PMK. Unfortunately, ALL of the information required to create the MIC (and the MIC value itself) is passed as plain text during the initial four-way handshake.

As a result, an attacker can work backwards, using a brute force dictionary attack and the captured information, to crack the PSK. Once they have the PSK, they too can connect to the wireless network. Of course, this does assume an attacker can capture the initial four-way handshake, which is easy because an attacker can force the handshake to occur by knocking everyone offline. Second, an attacker has to create a dictionary list that contains the password to be cracked. If an administrator uses a password of greater than 20 characters, the attack will not be successful.

MIC Denial of Service Attack

The MIC is created using Michael, which includes a built-in protection mechanism to prevent brute force attacks. As a result, any attempted attack on a MIC value will result in a complete disconnect of all wireless devices for one minute, and a password change. The problem is that this 'attack' response only requires two invalid MIC values in one minute. While the attack is very difficult, it is possible for an attacker to essentially cause the wireless network to perform a Denial of Service attack on itself.
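As an added example (not part of the original article) tying together the MIC section above and this countermeasure: a Python implementation of Michael as specified in 802.11i, the TKIP wrapper that feeds the destination and source addresses into the MIC ahead of the payload, and a receiver-side monitor that raises countermeasures on the second MIC failure within 60 seconds. The function and class names are my own; the addresses and payload in the test are constructed.

```python
import hmac
MASK32 = 0xFFFFFFFF

def _rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _xswap(x):
    # Swap the two bytes inside each 16-bit half of x.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def _michael_block(l, r, m):
    l ^= m
    r ^= _rol32(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);     l = (l + r) & MASK32
    r ^= _rol32(l, 3);  l = (l + r) & MASK32
    r ^= _rol32(l, 30); l = (l + r) & MASK32   # rotate right by 2
    return l, r

def michael(key, msg):
    """Raw Michael over msg with a 64-bit key; returns the 8-byte MIC."""
    l = int.from_bytes(key[:4], "little")
    r = int.from_bytes(key[4:8], "little")
    # Pad with 0x5a, then 4..7 zero bytes, up to a multiple of 4 bytes.
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for i in range(0, len(padded), 4):
        l, r = _michael_block(l, r, int.from_bytes(padded[i:i + 4], "little"))
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")

def tkip_mic(key, da, sa, priority, payload):
    """TKIP runs Michael over DA, SA and priority before the payload, so the
    same payload re-sent from another address fails the check."""
    return michael(key, da + sa + bytes([priority, 0, 0, 0]) + payload)

class MicFailureMonitor:
    """Countermeasure trigger: a second MIC failure within `window` seconds
    of the first means rekey and hold the link down (60 s in 802.11i)."""
    def __init__(self, window=60.0):
        self.window = window
        self.first_failure = None

    def check(self, key, da, sa, priority, payload, received_mic, now):
        """Return 'ok', 'drop' (first failure) or 'countermeasures'."""
        expected = tkip_mic(key, da, sa, priority, payload)
        if hmac.compare_digest(expected, received_mic):
            return "ok"
        if self.first_failure is not None and now - self.first_failure < self.window:
            self.first_failure = None
            return "countermeasures"
        self.first_failure = now
        return "drop"
```

The all-zero-key, empty-message value checked in the test is the first Michael test vector from the 802.11i annex.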

Summary of WPA

WEP has serious security flaws. The solution to this was WPA, which has done a remarkable job patching the problems given what it had to work with. While WPA helped to secure users with legacy equipment, there are still unresolved issues and a few new ones. The WPA-PSK password attack and the MIC DoS threat are issues that need to be understood before blindly trusting WPA to secure the wireless network and its data. In addition, because RC4 is nearing its end of life, wireless users must look to 802.11i (WPA2) as the goal. For more information on the internals of WPA, check out Real 802.11 Security: Wi-Fi Protected Access and 802.11i.

