Wireless Authentication and Association - USALearning

Wireless Authentication and Association

Table of Contents

Authentication: the Standard Is 'Null' ..... 2
Association and RSSI ..... 9
'Hidden' SSIDs ..... 11
Notices ..... 12

Page 1 of 12

Authentication: the Standard Is 'Null'

The default authentication had a basic security flaw. By default, systems can be set to null authentication.

- All systems requesting authentication will be granted.
- The SSID must still match for association.
- Higher-level security protocols (encryption, etc.) still deny data access.

So, authentication. You know, engineers sometimes just miss the mark, and when the original 802.11 standard was written they just missed the mark in a couple of ways. This is one of them.

Does anybody remember something called a WEP key? Okay, Wired Equivalent Privacy. Now, a WEP key never guaranteed security. As a matter of fact, the term WEP was what? Wired Equivalent Privacy, it means it's only as good as a wired network, and a wired network doesn't have encryption or security, right? So they weren't really making much of a promise when they said WEP.


But here's the problem, authentication, what's authentication do?

Student: Identify the party you're trying to talk with.

Joe Mayes: Right, at least in one direction that you're really talking to someone who matches your description for who you think you're talking to, right?

So what would happen is in this environment here's my laptop complete with a wireless antenna. There's my AP, and who's authenticating to whom here?

Student: It's usually left up to the AP because it's somebody wanting to get in.

Student: The AP is authenticating to the laptop that it is the AP it says it is.

Joe Mayes: Yeah, that's an interesting question. Who's authenticating? Is this one-way or two-way authentication?

Student: It's two way.

Joe Mayes: It's one-way authentication.

Joe Mayes: Uh-huh, and what you're getting is the laptop, I'm sorry, the AP sends a string to the laptop. The laptop then takes that string, encrypts it with the WEP key. So this is an unencrypted string. The laptop sends it back as an encrypted string, and what did it encrypt it with?

Student: The WEP key.

Joe Mayes: The WEP key. So basically what happened at that point is the access point already knew the WEP key. It's testing to see whether the laptop knows the WEP key.

So if the laptop uses the WEP key, and is successful at encrypting this packet, what happens over here? The laptop or, I'm sorry, the access point can then decrypt the packet with the WEP key, verify that it's the right WEP key, because it successfully decrypted it and let you on.

Worst thing in the world you can do.

Student: Sorry, so did you just say that the U string, which is the WEP key, comes out of the access point in clear?

Joe Mayes: Well, it's not the WEP key. It's clear text. It's just a text string, but the laptop then encrypts it with the WEP key. So now you get the same string sent back encrypted, and the access point decrypts it, and if it works then it's the right WEP key, and that's its authentication method. It uses the WEP key for authentication.

Absolute worst thing on earth you can do. Where are my security people? Who is a cryptologist here in the room? How many cryptologists in the room? Okay, I guess I'm going to have to. I'll substitute for a cryptologist, okay?

Here's why it's a terrible thing. If you are a cryptologist, if you are a code breaker, if you want to break and hack computers, the ideal thing in the world you can have is to have the encrypted and the unencrypted version of the same string, because then you just keep trying WEP keys until the unencrypted one, or until the encrypted one, excuse me, until the encrypted one is successfully broken and looks just like the unencrypted one. Because now you know when you have the right value, you're not guessing that you've got the right value. You actually know because you've got the unencrypted one right here. All you have to do is, find out which key decrypts it and puts it back to the unencrypted value.

So it's a terrible thing because it is breakable because it gave you the encrypted and the unencrypted version of the same thing. It's worse than terrible. What's the worse than terrible? I mean, that's bad enough from a cryptographer's standpoint, cryptology standpoint. What makes it even worse?

Student: If you know the encryption algorithm along with that you'd be good.

Joe Mayes: Well, once you've broken the WEP key at the authentication level, it's the same key that can be used to encrypt all of the data after you associate. You just didn't break the authentication key. You broke the data encryption key also because they use the same key twice. They use the WEP key for the authentication, and for the data encryption later, correct?

So if I can capture the authentication of the authentication exchange I can break the WEP key and also capture all the data.

So, having said all that, what do you think the most secure method of authentication is?

Using the original 802.11 the most secure authentication is no authentication, because at least you left the WEP key hidden.

Performing the authentication actually makes your system less secure because you're going to reveal the WEP key, and that's kind of counterintuitive until you hear the explanation. So when you're ever setting a system up and it says, "Do you want to use authentication for the association," you're going to say no, at least initially.

We'll show you a better way to do that as we go here, but a brand new system just out of the box, if it gives you the option to authenticate or not authenticate using the WEP key, the right answer is not authenticate with the WEP key, because if you authenticate with the WEP key you're going to expose it. Once you've exposed it it's easy to do, and then it breaks everything.

So by default systems should be set to null authentication, and null authentication means everybody gets on, but at least they didn't violate the WEP key at the same time.

So if once you've passed the authentication side, what's the second step?

Student: Association.

Joe Mayes: The second step is association. That's where you exchange MAC addresses and name values, and now you become listed as an associated client to that access point.

In the older days, when all you had was this, what they would do is you would still use a higher-level encryption like the Layer-3 encryption, an encryption at the IP level, and if you had encryption running at the IP level what would happen is that the authentication would be bypassed because it's null. The association would occur, and then you would request an IP address, and you couldn't read the IP address because the DHCP reply was in the authenticated IP stream.

So you'd be associated on Layer 2, but you couldn't see any IP data. You couldn't see anything because all the IP streams were encrypted, and you didn't have the encryption on your side for the IP stream.


So that was the original state of affairs. This is like circa 1999, 2000, 2001, 2002, is they brought out a flawed system in WEP, Wired Equivalent Privacy, which means you had to turn, essentially, WEP off to be more secure, and then you would use some other alternate encryption to secure your data to keep unauthorized people from getting on the network. We had to fix that, right? That couldn't exist. That couldn't be good enough.
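The shared-key exchange Joe walks through above (clear-text challenge from the AP, the same string sent back encrypted under the WEP key, and that same key later protecting every data frame) modelled in code as an added example; this is not course material and nothing in it comes from the lecture. It assumes WEP's actual construction, RC4 keyed with IV || shared key and XORed with the frame, but uses a constructed 2-byte key, a constructed IV and a constructed 16-byte challenge so the whole key space can be walked in under a second. It contrasts what an eavesdropper holds after a shared-key exchange (a known plaintext/ciphertext pair that makes every key guess verifiable offline) with what they hold after open-system, or "null", authentication (nothing key-dependent at all), and then shows the second half of the problem: the key confirmed from the authentication frames also decrypts the data frames.

```python
"""Toy model of 802.11 shared-key vs. open-system ("null") authentication.

Constructed example, not part of the lecture. WEP really keyed RC4 with
IV || shared key; the 2-byte key below is a deliberately tiny key space so
the offline verification finishes instantly (real WEP keys were 40 or 104 bits).
"""
from itertools import product
from typing import Optional

# Constructed demo values.
SHARED_KEY = b"\x02\x2a"            # the secret both AP and laptop hold
IV = b"\x11\x22\x33"                # per-frame IV, sent in the clear
CHALLENGE = bytes(range(16))        # the AP's clear-text challenge string


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling, then the output generator); WEP's cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_xor(iv: bytes, key: bytes, data: bytes) -> bytes:
    """WEP-style encrypt/decrypt: XOR the frame with RC4(IV || key)."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(iv + key, len(data))))


def shared_key_auth(key: bytes, challenge: bytes, iv: bytes) -> dict:
    """Everything an eavesdropper captures from a shared-key exchange:
    the clear challenge, the IV, and the challenge encrypted under the key."""
    return {"challenge": challenge, "iv": iv, "response": wep_xor(iv, key, challenge)}


def open_system_auth() -> dict:
    """Null authentication: the frames carry nothing derived from the key."""
    return {}


def key_fits(observed: dict, candidate: bytes) -> bool:
    """The check the lecture describes: the right key turns the encrypted
    response back into the known clear-text challenge, so a guess is never
    a guess; it is confirmed or rejected on the spot."""
    return wep_xor(observed["iv"], candidate, observed["response"]) == observed["challenge"]


def recover_key_offline(observed: dict, key_len: int) -> Optional[bytes]:
    """Walk the toy key space; the plaintext/ciphertext pair makes every
    candidate verifiable without ever talking to the AP again."""
    for cand in product(range(256), repeat=key_len):
        if key_fits(observed, bytes(cand)):
            return bytes(cand)
    return None


def eavesdropper_reads_data(observed: dict, data_iv: bytes, data_frame: bytes) -> Optional[bytes]:
    """Second half of the flaw: WEP reused the authentication key for data,
    so confirming it from the auth frames also unlocks every data frame."""
    key = recover_key_offline(observed, len(SHARED_KEY))
    return None if key is None else wep_xor(data_iv, key, data_frame)


if __name__ == "__main__":
    seen = shared_key_auth(SHARED_KEY, CHALLENGE, IV)
    print("shared-key auth leaks a verifiable pair; key found:", recover_key_offline(seen, 2) == SHARED_KEY)
    frame = wep_xor(b"\x44\x55\x66", SHARED_KEY, b"payload after association")
    print("same key reads data:", eavesdropper_reads_data(seen, b"\x44\x55\x66", frame))
    print("open-system auth leaves nothing to test a guess against:", open_system_auth())
```

The point the model makes is the one the lecture makes: under open-system authentication the eavesdropper still has to break the data encryption blind, whereas the shared-key handshake hands them a verification oracle for free, and because WEP reused one key for both jobs, confirming it once ends the confidentiality of everything sent afterwards. That is why the slide's "null" default, combined with encryption at a higher layer, was the less bad configuration of the two.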
