
Just say "No" to WEP

Network security people have long warned about the dangers of unsecured 802.11 wireless networks. Failing to enable even basic security measures on a wireless network will leave your computers–and your private data–exposed to any wireless hackers that might be living in your neighborhood, or simply driving by your house. So how do you keep the information streaming across your wireless network secure?

The recommendation for many years has been to enable WEP encryption. WEP (Wireless Equivalent Privacy) was the very first security mechanism for 802.11 wireless networks. It provided data privacy by encrypting the data contained within each wireless network packet. WEP provides a greater level of privacy than is found on an open wireless network, and ensured that your data could not be “sniffed from the air” by someone using a scanning or packet capturing tool. However, in the present day, it has been proven that WEP itself is not secure–and therefore neither is your WEP-encrypted wireless network.

When WEP was introduced back in 1999, no one realized that its design contained a serious flaw that could be used to discover the secret key a WEP-protected network used to encrypt its wireless network traffic. Eventually, the flaw was discovered and published, and tools to crack WEP appeared on the Internet. The WEP key used by any 802.11 network could eventually be discovered regardless of how large a WEP key was used. Recently, improvements in wireless cracking tools have reduced the WEP key discovery time from days or hours to only minutes.

Despite the known flaws in WEP, its replacement, 802.11i, was many years away from being ready for commercial use. To help prevent WEP-based attacks on wireless networks, the Wi-Fi Alliance created the Wi-Fi Protected Access (WPA) standard based on a subset of the functionality of 802.11i. WPA is actually an implementation of the 802.1x/EAP authentication protocol and the Temporal Key Integrity Protocol (TKIP) parts of the 802.11i standard (802.11i itself later became known as WPA2). WPA is also referred to as WPA Personal and WPA-PSK.

Like WEP, WPA also uses a secret passphrase to encrypt the data in wireless packets. WEP, however, uses the same key for every packet; once the passphrase is discovered, the network traffic is readable by an eavesdropper. The only defense is to change the WEP key on all access points and wireless devices–after which the new key can be easily discovered again.

WPA takes a different approach to encrypting packets: it hashes its passphrase with the wireless network’s SSID to produce a 256-bit key. This key is then used as the encryption key by all of the devices on the wireless network. Unlike WEP, which uses the same key to encrypt all packets, WPA uses TKIP’s per-packet key mixing to automatically and periodically change the encryption key used for each packet. TKIP also has an integrity-checking mechanism that keeps colliding, forged, and replayed packets from being accepted by the network.
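The passphrase-plus-SSID hashing described above, written out as an added example (it is not code from the original article): WPA-PSK runs the passphrase through PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations, and a 32-byte output. The function names are illustrative; the "password"/"IEEE" pair is the test vector published with the IEEE 802.11i standard, and "HOMEWIFI" is reused from this article as a constructed sample.

```python
import hashlib


def check_passphrase(passphrase: str) -> None:
    """A WPA passphrase is 8 to 63 printable ASCII characters (codes 32-126)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII only")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a passphrase/SSID pair.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    """
    check_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """The same key written as the 64 hexadecimal digits some devices ask for."""
    return derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Test vector published with IEEE 802.11i: passphrase "password", SSID "IEEE".
    print(psk_hex("password", "IEEE"))
    # Constructed sample: the same passphrase on a different SSID yields a
    # different key, because the SSID is the salt.
    print(psk_hex("password", "HOMEWIFI"))
```

A device that offers a "64 hexadecimal" key field expects this derived value directly, while a "passphrase" field expects the 8 to 63 character input.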

What you need to use WPA

WPA is supported by all modern wireless software and firmware. The OS X and Linux operating systems also support WPA, as do Windows Vista and Windows XP with Service Pack 2. If you find that you have an operating system, access point, or wireless NIC that cannot be upgraded to support WPA, now is the time to plan that upgrade you’ve been putting off.

The basic steps for configuring a secure 802.11 wireless network using WPA are as follows:

  1. Upgrade the firmware in all wireless NICs and wireless access points in your network.
  2. Upgrade the wireless software on your computers, including installing all available security updates.
  3. Set all wireless clients and wireless access points to use WPA Pre-Shared Key (WPA-PSK) security.
  4. Set the WPA key exchange algorithm of all wireless clients and wireless access points to TKIP.
  5. Create a WPA shared key that is completely random and a full 63 characters in length.
  6. Configure all wireless clients and wireless access points to use the same WPA shared key.
  7. Set the key renewal interval in each wireless access point to 3600 seconds.

Choosing a WPA Passphrase

The most common weakness found in the use of WPA-PSK is the choice of the passphrase used to derive the encryption keys. As with all passphrases, the stronger (that is, longer, pseudo-random, and complex) the better. Consider the following five passphrases:

butterflies

HOMEWIFI

SurfsUpd00d!

DMEkaXO47enlMSYJGjdVmSLyz7AYU3WQrVj6InWJ2n9Ey12p6Qe4jmGdP44eGja

h0!j3=]+lr>xFd{o\x|?2o(5&c@-0v.B_#M$>U ;*"!o'vx%7d,A-b<qE^~Tu3"

The first passphrase is a short word that is commonly found in an English dictionary. This passphrase can be discovered by commonly available wireless cracking software in a matter of seconds.

The second passphrase is an example of using the SSID of the WAP itself. This is a very bad (and unimaginative) choice for a passphrase, as the SSID of a wireless network is easily discoverable. Do not use obvious information as a source for your passphrases.

The third passphrase is long and is not a dictionary word or phrase. It is stronger and would take longer to discover than the first two passphrases, but not too much longer.

The fourth passphrase is composed of 63 random, mixed-case alphanumeric characters. This is an excellent choice for a passphrase because it is very long, composed of many different and randomly chosen characters, and does not appear in any dictionary. This would be an extremely difficult password to discover, especially when using a short key rotation interval.

The final passphrase is also 63 random characters, chosen from all of the printable ASCII characters. While this is also an excellent passphrase for the same reasons, some software may have difficulty storing specific characters in a database or configuration file. Certain characters, like # % - '("), may be incorrectly written or read, resulting in a password that does not work. Some hash algorithm implementations may also incorrectly hash some of these characters.

Here are some WPA passphrase recommendations:

  • The WPA standard specifies that the passphrase it uses must be between 8 and 63 characters, so use them all.
  • To generate random passphrases, try using the Ultra High Security Password Generator at grc.com.
  • If you choose a passphrase with non-alphanumeric characters, assume that it may not work on some wireless devices until you have verified that it does.
  • Never store passphrases on a networked computer. Keep your list of passphrases on a password-protected USB flash drive so you can copy-and-paste the passphrase when configuring your WAP and computer’s wireless software.
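The recommendations above, turned into a small generator and checker as an added example (not part of the original article). The function names and the wording of the findings are illustrative; the sample passphrases are the first three from this article, checked against an assumed SSID of "HOMEWIFI".

```python
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits


def generate_passphrase(length: int = 63) -> str:
    """Random mixed-case alphanumeric passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def audit_passphrase(passphrase: str, ssid: str) -> list[str]:
    """Return the article's recommendations that a passphrase fails to meet."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside 8-63")
    elif len(passphrase) < 63:
        findings.append("shorter than 63 characters")
    if passphrase.lower() == ssid.lower():
        findings.append("matches SSID")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        findings.append("not printable ASCII")
    elif any(ch not in ALPHANUMERIC for ch in passphrase):
        findings.append("non-alphanumeric: verify on every device")
    if passphrase.isalpha() and (passphrase.islower() or passphrase.isupper()):
        findings.append("single-case letters only")
    return findings


if __name__ == "__main__":
    ssid = "HOMEWIFI"  # assumed SSID for the demonstration
    for candidate in ("butterflies", "HOMEWIFI", "SurfsUpd00d!"):
        print(candidate, "->", audit_passphrase(candidate, ssid))
    fresh = generate_passphrase()
    print(len(fresh), "random characters ->", audit_passphrase(fresh, ssid))
```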

2 Responses to “Just say "No" to WEP”

  1. WanBoy67 Says:

    Gone in 60 seconds ;-)

    http://www.theregister.co.uk/2007/04/04/wireless_code_cracking/
    http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/

  2. Sanjay Mehta Says:

    A very informative article which gives clear instructions. The router I use is a beetel450bxl adsl2 + modem, and a Netgear USB wireless adapter compact G. When I changed the settings after reading your article, I chose the following:

    Network authentication: WPA2-PSK.
    WPA-PSK: 64 hexadecimal (A-F, 0-9).
    WPA Group rekey interval: 3600
    WPA encryption - TKIP

    The PSK for ASCII 63 characters was not accepted. Then WPA encryption had the AES and AES+TKIP choice; I have no idea which is better. Is there an update on your article?

    Thanks,

    Sanjay Mehta

All images and text are copyright protected, violations of these rights will be prosecuted to the full extent of the law.
2002-2008 TechExams.Net | Advertise | Disclaimer