Security Problems Addressed

Now that you have seen the security mechanisms in 802.11i and WPA, it is fitting to review the vulnerabilities described in Chapter 6 and examine which ones are and are not addressed.

Reconnaissance

802.11i does nothing to address reconnaissance. However, the improvements in encryption, integrity, and authentication significantly strengthen the security of the networks behind them, so they might be less likely to be targeted. Attacks on them will be much less likely to succeed.

DoS Attacks

The disassociation, deauthentication, and transmit-duration attacks are all attacks on the MAC layer. They allow for selective DoS. Unfortunately, 802.11i does nothing to prevent this. These attacks will not be stopped until there is authentication of management and control frames. Hopefully, a future standard will address these. However, it is important to remember that because nothing can be done about radio frequency jamming or interference attacks, there will never be a complete solution to DoS attacks. Wireless networks will always be subject to DoS.

Shared-Key Authentication Attacks

802.11i solves the attacks on the flawed shared-key authentication by obsoleting this authentication method.

MAC Address Spoofing

The standard provides a way to prevent MAC address spoofing by including portions of the MAC address in the MIC calculation. TKIP does this with the padded MSDU that goes into the Michael algorithm. CCMP does this with the additional authentication data included in its MIC calculation. In addition, by providing strong alternative access control methods, it should eliminate the need for authentication based on MAC addresses. MAC address-based authentication was largely a response to not having strong alternatives to keep attackers out.

Message Modification and Replay

The MIC allows a recipient to detect any modification of messages. Because it includes a key that the attacker cannot know, the attacker cannot recalculate it. Also, because it is a hash, the attacker cannot make appropriate modifications to it by flipping bits in the MIC. Thus, the inductive attack is also defeated. Messages cannot be replayed because of the increasing packet counters (TSC in TKIP, PN in CCMP). Finally, the MIC prevents an attacker from changing the packet counter to attempt to rebroadcast a message with a new packet counter.
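The receiver-side checks described in this section and under MAC Address Spoofing can be seen together in the following added example, which is not from the standard or the original text. It uses truncated HMAC-SHA256 as a stand-in for Michael and the CCMP MIC, and the frame layout, names, key, and addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

MIC_LEN = 8  # bytes kept from the tag; HMAC-SHA256 is a stand-in, not Michael or CCM


def compute_mic(key, src, dst, counter, payload):
    # The tag covers both MAC addresses and the packet counter, not just the payload.
    covered = dst + src + struct.pack(">Q", counter) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:MIC_LEN]


def protect(key, src, dst, counter, payload):
    return {"src": src, "dst": dst, "counter": counter, "payload": payload,
            "mic": compute_mic(key, src, dst, counter, payload)}


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_counter = {}  # highest accepted counter per transmitter address

    def accept(self, frame):
        expected = compute_mic(self.key, frame["src"], frame["dst"],
                               frame["counter"], frame["payload"])
        # Check the MIC first so a forged frame can never advance the replay window.
        if not hmac.compare_digest(expected, frame["mic"]):
            return "mic-failure"
        if frame["counter"] <= self.last_counter.get(frame["src"], -1):
            return "replay"
        self.last_counter[frame["src"]] = frame["counter"]
        return "accepted"


def demo():
    key = bytes(range(32))                    # constructed session key
    sta = bytes.fromhex("020000000001")       # constructed addresses
    ap = bytes.fromhex("020000000002")
    rx = Receiver(key)
    first = protect(key, sta, ap, 1, b"hello")
    return [
        rx.accept(first),                                           # fresh frame
        rx.accept(first),                                           # same frame again
        rx.accept(dict(first, src=bytes.fromhex("0200000000ff"))),  # source rewritten
        rx.accept(dict(first, payload=b"hellp")),                   # payload altered
        rx.accept(dict(first, counter=2)),                          # counter bumped
        rx.accept(protect(key, sta, ap, 2, b"next")),               # next legitimate frame
    ]
```

Calling `demo()` returns one verdict per frame: the unmodified repeat is rejected by the counter check, and every altered copy is rejected by the MIC check because the address, payload, and counter are all covered by the tag.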

Dictionary-Based WEP Key Recovery

WEP keys are no longer based on dictionary words, so attackers cannot guess them. However, WPA includes a standard for the creation of Preshared Master Keys based on ASCII characters. This opens up the possibility of a dictionary attack. If an attacker can guess the password that was used to generate the PMK, he should be able to successfully communicate with a protected network. If an administrator chooses to use ASCII-based PMKs, he should make sure that the passphrase used is long and includes nonalphanumeric characters. Because it is a one-time configuration and not a user password that will have to be typed more than once, it should be possible to generate it by machine.

WEP Keystream Recovery

802.11i renders WEP keystream recovery useless. CCMP uses a block-based cipher, so there is no keystream to recover. TKIP's key mixing algorithm ensures that each key, and thus each keystream, will be used only once. Although there are still chosen plaintext attacks in which an attacker might be able to recover the keystream, the keystream will not be useful for anything.

Fluhrer-Mantin-Shamir Weak Key Attack

This attack is prevented in the same manner as the preceding attack. The FMS attack relies on receiving a large number of packets encrypted with the same WEP key. CCMP does not use WEP, and TKIP changes the WEP key with each packet. In addition, TKIP specifically places a value in the middle IV octet and swaps the first and third octets of the TSC to prevent known weak RC4 keys. Therefore, even if a future attack based on the weak keys is developed, TKIP should still prevent it.

Rogue APs

802.11i does nothing to prevent rogue APs. Some of the 802.1x EAP methods address this by providing for certificates. By using certificates, the AP is required to prove its identity to the client. If the client is configured correctly, and if the software does not allow the client to circumvent the protections easily, these methods should inhibit rogue APs. There are social engineering attacks in which a rogue AP tries to mimic a real AP to capture traffic or passwords. This is why users for the most part should not be trusted to make decisions about whether an AP is or is not legitimate. It should be left to software safeguards that can verify identity without the user's input.

Security Considerations of EAP

802.11i relies on strong EAP authentication methods to generate the PMKs that serve as the basis for its security. If the underlying keys are compromised, or if the EAP methods used have flaws, the security provided by TKIP and CCMP will also be flawed. 802.11i does not specifically address the security of individual EAP methods.

There is a need for guidelines for EAP methods and the security features they should support. Jesse Walker has written a draft of such a document. Its recommendations include mutual authentication, resistance to dictionary attacks, and the ability to generate keys of at least 128 bits.

Chapter 6 mentions attacks on LEAP and PEAP. 802.11i does not remedy these. Use of strong passwords is the solution for LEAP attacks. Cisco's PEAP implementation is not vulnerable to man-in-the-middle (MitM) attacks if used properly with server certificates. PEAP version 2, which is still under development as an Internet Engineering Task Force (IETF) standard, addresses PEAP MitM attacks for all vendors.