Outdated Wifi WEP Encryption Can Now Be Broken In Less Than 1 Minute

Wifi networks have been around for a number of years now. At first the WEP (wired equivalent privacy) encryption algorithm was used to protect network owners from eavesdropping and misuse of their networks by others. Due to a number of security flaws, however, WEP was superseded by WPA (Wireless Protected Access) and WPA2. Nevertheless, most Wifi networks deployed today in my experience still use the old WEP encryption. Over the years, ever more clever schemes have been devised to crack the WEP encryption. The latest combination of attacks can now break the encryption scheme in less than a minute.

WEP started to fall apart in 2001 when Scott Fluhrer, Itsik Mantin, and Adi Shamir published an attack which made it possible to break the cipher by analyzing about 6.000.000 intercepted frames. The number sounds quite large at first. However, users in a highly loaded network can generate the required number of frames in a number of hours. In 2004 a hacker named KoReK devised a new attack which only required 500.000 to 2.000.000 frames.

Waiting for packets can be tiresome. Unfortunately, WEP is not secured against replay attacks. This can be exploited by inserting intercepted packets back into the network to trigger response frames with unique ciphering keys from computers attached to the network. Thus, an attacker no longer has to wait for clients to generate traffic but can trick the attached computers into automatically creating the frames for him. This additionally greatly reduces the time required for an attack.

Now, researchers at the Technical University Darmstadt, Germany, have refined an attack strategy by Andreas Klein, which is based on the original Fluhrer, Mantin and Shamir attack. This new attack now only requires 85.000 frames to calculate the cipher key with a success probability of 95%. Together with the key replay attack, WEP can now be broken in less than a minute.

All these attacks are not only theoretical in nature. Tools are available for all of them to automate the process. As a proof of concept, the TU Darmstadt researchers have extended one of these tools. More information about their work can be found here.

All of this is quite scary. So if you still operate a Wifi with WEP encryption it’s time to change to WPA. If your access point does not support it yet, it’s time to throw it away and buy a new one.

Via: Heise Online

Apple claims 802.11n Wide Channels Are Not Allowed In Some Countries

Here’s a mystery for which the web doesn’t seem to have an answer so far: Apple claims that the use of a 40 MHz Wide Channel for 802.11n Wifi is not allowed in Austria, Estonia, Germany, Japan, Latvia, Slovakia, Spain and Great Britain. Consequently, Apple.fr says the new Airport Extreme is 5x quicker than the previous product while Apple.de advertises the Airport Extreme as 2.5x quicker.

I’ve done some research as to why this should not be allowed in Germany but came up empty handed. Other web sites such as this one have the same question. Anybody got an explanation for this?

German Railway Extends Wifi On Trains Coverage

It looks like German Railways (Deutsche Bahn, DB) has had some positive feedback from their Wifi on Train pilot on the track from Dortmund to Cologne and has decided to expand the offer. Since 2005, seven high speed trains which regularly run back and forth between the two cities have been equipped with on-train Wifi. To connect to the Internet, Wifi to UMTS bridges were installed in the trains which used the 3G network of T-Mobile to backhaul the Internet traffic.

Now, DB has decided to extend the partnership with T-Mobile who will invest in new wireless base stations and tunnel coverage in 2007 on the tracks between Frankfurt – Hanover – Hamburg and Frankfurt – Stuttgart – Munich. The press release does not say if T-Mobile will use its UMTS network again or if they will deploy a new network based on Flarion’s Flash OFDM technology (now part of Qualcomm) on the 450 MHz band as some rumors had it in the past (see here and here).

Deutsche Bahn will also increase the number of Wifi equipped trains to 50. Good news for me since I regularly use high speed trains between Munich and Stuttgart. Can’t wait to test it. After announcing to install power sockets at every seat this is yet another sign that DB has understood how to get new customers.

Deep Inside the Network: Wifi Authentication with EAP-SIM

In a previous post, I’ve been looking at how authentication is performed in WPA enabled Wifi networks. A growing number of GSM and UMTS devices now also include Wifi as an alternative access technology and if cellular operators decide to run Wifi hotspots, a convenient way must be found to authenticate these hybrid devices there as well. A number of different solutions exist but most of them require the user to input information. To remove this user interaction, an authentication method now known as EAP-SIM was recently specified in RFC 4186. With EAP-SIM, user interaction is no longer required when the device registers to the Wifi network, as all required authentication information is taken from the SIM card. Here is how it works:

[Figure: EAP-SIM authentication]
EAP-SIM uses the same authentication framework as described for WPA personal and enterprise authentication. The figure on the left shows the messages exchanged between the mobile station and the authentication server via an EAP-SIM capable access point during authentication. After the Wifi open system authentication and association, the access point starts the EAP procedure by sending an EAP Identity Request to which the mobile device has to respond with an EAP Identity Response message. The identity returned to the network in this message is composed of an identity type identifier, the IMSI (International Mobile Subscriber Identity), which is taken from the SIM card, and an operator specific postfix. Alternatively, the mobile device can also send a temporary identity (pseudonym) which has been agreed with the network during a previous authentication procedure. The pseudonym is similar to the TMSI (Temporary Mobile Subscriber Identity) used in GSM networks but has a different format and is used to hide the subscriber’s real identity from eavesdroppers.

In the next step, the network sends an EAP SIM Start request which contains a list of different versions of supported EAP SIM authentication algorithms. The client device selects one of the algorithms it supports and sends an EAP SIM Start response message back to the network. This message also contains a random number which is used for a number of subsequent calculations on the network side in combination with a secret (the Kc) which is shared between the mobile device and the network. This way the network is also able to authenticate itself to the client.
At this point the authentication server in the network uses the subscriber’s IMSI to request authentication triplets from the GSM/UMTS Home Location Register (HLR) / Authentication Center (AuC) (cp. e.g. Chapter 1.6.4 of my book). Two or three GSM random values and GSM ciphering keys returned by the HLR are then used to generate EAP SIM authentication keys, EAP SIM encryption keys and other values required for the EAP-SIM authentication process. These are sent in encrypted form, together with the two or three GSM random values in plain text, to the mobile device in an EAP SIM Challenge request.

The mobile device then takes the GSM random values received in the message and forwards them to the SIM card. The SIM card then generates the GSM Signed Response and GSM ciphering keys which are used afterwards to decipher the EAP SIM parameters received. If those values are identical to the values used by the network, the mobile device is able to send a correct response message which is then verified on the network side. If verification was successful, an EAP Success message is returned and the client is admitted to the network.

[Figure: EAP entities]
The second figure on the left shows the different devices and protocols used during authentication. On the left side the mobile client sends its EAP messages via the EAPOL protocol. For the messaging between the access point and the authentication server, the RADIUS protocol can be used. The authentication server finally communicates with the HLR/AuC via the SS-7 circuit switched signaling network and the Mobile Application Part (MAP).

Currently, only few Wifi hotspot networks run by cellular operators support EAP-SIM authentication. One that does already, however, seems to be the hotspot network run by Swiss Mobile, as they announce it as part of the network name and also sell EAP-SIM compatible combo GPRS/UMTS/Wifi cards.

Deep Inside the Network: Wifi WPA authentication

In the past, Wifi networks were criticized a lot for being insecure. In the meantime, however, the IEEE standards body and the industry have reacted and designed WPA and WPA2 (Wireless Protected Access), which are implemented in most products today. WPA and WPA2 deal with both authentication and ciphering and a lot of information is available on the net about the ciphering part. Information on the authentication part, however, is scarce. Time to change this:

[Figure: WPA]
As shown in the figure on the left, a client joins a network by performing a ‘pseudo’ authentication and associating to the network afterwards. In a WPA network an additional authentication and key exchange follows this procedure. The first authentication has thus become completely obsolete but has been kept in place nevertheless. The access point announces that WPA is to be used instead of the older WEP (Wired Equivalent Privacy) by including an additional WPA description parameter in beacon frames which are required to inform nearby stations of the presence of the access point. This parameter informs clients that an additional step for authentication and ciphering key negotiation is required after the association procedure. The parameter also contains additional information concerning the algorithms to be used for authentication and ciphering. First WPA implementations use TKIP (Temporal Key Integrity Protocol) for ciphering, which is described in more detail below. Current devices also optionally support AES (Advanced Encryption Standard), which has become mandatory for WPA2 as also discussed below.
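The beacon parameter described above is what lets an administrator spot access points that still offer only WEP. The following is an added example, not code from the original post: it parses the tagged elements of a beacon frame body and reports the advertised protection. The sample beacons, the SSID "lab" and the function names are constructed for illustration.

```python
import struct

WPA_OUI_TYPE = bytes.fromhex("0050f201")   # vendor element: OUI 00:50:F2, type 1 = WPA
TAG_RSN, TAG_VENDOR = 48, 221              # RSN element (WPA2) and vendor-specific tag

def classify_beacon(body: bytes) -> str:
    """Classify a beacon frame body (12 fixed bytes followed by tagged elements)."""
    if len(body) < 12:
        raise ValueError("truncated beacon body")
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    privacy = bool(capability & 0x0010)    # Privacy bit: encryption is required
    found = set()
    offset = 12
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) < length:            # malformed element, stop parsing
            break
        if tag == TAG_RSN:
            found.add("WPA2")
        elif tag == TAG_VENDOR and value[:4] == WPA_OUI_TYPE:
            found.add("WPA")
        offset += 2 + length
    if found:
        return "/".join(sorted(found))
    # Privacy bit set without a WPA or RSN element means WEP only.
    return "WEP" if privacy else "open"

def element(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def beacon(capability: int, *elements: bytes) -> bytes:
    return struct.pack("<QHH", 0, 100, capability) + b"".join(elements)

# Constructed sample beacons, not captured traffic.
SSID = element(0, b"lab")
WPA_IE = element(221, bytes.fromhex("0050f20101000050f20201000050f20201000050f202"))
RSN_IE = element(48, bytes.fromhex("0100000fac040100000fac040100000fac02"))
SAMPLES = {
    "wep-only": beacon(0x0011, SSID),
    "wpa": beacon(0x0011, SSID, WPA_IE),
    "mixed": beacon(0x0011, SSID, WPA_IE, RSN_IE),
    "open": beacon(0x0001, SSID),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify_beacon(body))
```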

The figure on the left shows the four step process required by WPA in pre-shared key (PSK) mode to authenticate the client to the access point and vice versa. In addition, client and access point agree on ciphering keys during this process, which are used for encrypting user data frames once authentication is complete. In the first message, the access point sends a random number to the client. The client then uses the random number and the pre-shared key, i.e. the password the user types in once, to generate a response. The pre-shared key has a length of 8 to 64 characters. The response is sent back to the access point together with another random value. The access point then compares the response to the value it has calculated with its own secret key. If the secret keys of client and access point are identical the two values match and the client is authenticated. The access point then generates a session key which it then encrypts with the pre-shared key and sends it back to the client. The client uses its pre-shared key to decrypt the session key and acknowledges proper reception in the fourth message. This implicitly activates ciphering in both directions. In a final step the access point then informs the client of the session key used for broadcast frames. This message is already encrypted. While the session keys for individual user data frames are unique for each client, the key for deciphering broadcast frames is the same for all clients because such frames have to be decrypted by all.

By using session keys instead of the pre-shared key for ciphering it is possible to change the session key frequently to prevent brute force key generation attacks. A typical interval for negotiating a new session key between the access point and a client is one hour.

Additional information on Wifi and other wireless technologies can be found in my book as advertised on the left side of this blog. And finally, if you would like to trace these messages yourself, take a look at this blog entry.