Authentication Attacks

DoS attacks are simple, but they can achieve only limited goals. Network access can provide an attacker with much greater benefits. Because gaining physical access to a wireless network is trivial, various schemes have been developed to provide access control. The original 802.11 specification defines a rather broken authentication mechanism to limit which stations can connect to the network. The IEEE has introduced new authentication mechanisms based on 802.1x and EAP. These authentication mechanisms are covered in Chapter 7, "EAP Authentication Protocols for WLANs," and Chapter 8, "WLAN Encryption and Data Integrity Protocols." In addition, some vendors have implemented other schemes for access control, such as MAC address filters. This section describes attacks on the shared-key and MAC address filtering schemes. Attacks on the 802.1x protocols are also authentication attacks and are covered in their own section later in this chapter.

Shared-Key Authentication Attacks

The 802.11 designers created an authentication mechanism, but unfortunately, what they came up with was badly flawed. The mechanism, called shared-key authentication, is easy to forge and leaks keystream information. Fortunately, it is optional. The default authentication mechanism is open authentication, which basically doesn't do authentication, and is preferable to shared-key authentication. Even better than both of these is EAP-based authentication; this comes in various forms and is discussed in Chapter 7.

Shared-key authentication is a mutual authentication mechanism in which each side sends a random challenge. Each side proves its knowledge of the WEP key by encrypting the challenge sent by the other party. The mechanism is inherently broken because an attacker can gain enough information by observing a single successful authentication to generate his own successful authentication responses in the future.

By simply XORing together the challenge and the response, an attacker can figure out a chunk of keystream corresponding to that IV. Now the attacker has enough information to authenticate because he can reuse the IV he has sniffed and the keystream he has calculated. He simply encrypts whatever challenge is thrown at him with this keystream, and he is authenticated.

A much worse result of this flaw is that the attacker can use this mechanism to build up a dictionary of per-IV keystreams. He can do this by passive observation or successful authentication. These dictionaries are useful for decrypting messages that the attacker observes. Thus, shared-key authentication has the curious property of being more dangerous than using no authentication at all. It is quite rightly considered obsolete.

MAC Address Spoofing

Several vendors' APs have the ability to limit which stations can connect based on the MAC address. This approach has two key flaws. The first, nonsecurity flaw is that it is time-consuming to configure and is thus unlikely to be used other than by small sites. More seriously, however, is the ease with which attackers can spoof their MAC addresses. Several 802.11 card drivers allow users to specify whatever MAC address they want. An attacker can easily glean valid MAC addresses from an active network by sniffing.