From: Susumu Harada (harada@cs.washington.edu)
Date: Tue Nov 23 2004 - 23:36:20 PST
"Intercepting Mobile Communications: The Insecurity of 802.11"
N. Borisov, I. Goldberg, D. Wagner
This paper examines the characteristics of the Wired Equivalent Privacy
(WEP) protocol, pinpointing the three main security goals that the
protocol was meant to meet (preventing eavesdropping, unauthorized access,
and message tampering), and then showing how each of them can be defeated
by exploiting the nature of the encryption method and the message exchange
characteristics between mobile hosts and the routers.
One detail that surprised me was that the attacker can gain access to a
shared key and thus be authenticated to the network by simply observing
one authentication transaction between a legitimate client and the mobile
station. I was also struck by how simple several of the other attacks
were, such as modifying a message simply based on the original cyphertext
and the desired difference, and exploiting packets that use duplicate IVs
to deduce the plaintext message. Another interesting point that I
gathered from the paper was how fragile a security protocol such as WEP
can be in which exploitation of one aspect of the security measure (e.g.
the ability to interject messages into the network) can lead to
exploitation of the other aspects (such as then determining the key by
using a collaborationg IP host).
I do not agree with one of the authors' suggestions that the wireless
network should simply be considered to be insecure and thus be placed
outside of an organization's firewall. This does not seem a viable
solution especially when supporting mobile workers within an
organization's network is becoming a common requirement. I do however
agree with their proposal of implementing end-to-end security using
solutions such as the Virtual Private Network, wherein the goal of
confidentiality and data integrity can virtually be guaranteed.
It is surprising that a protocol which was adopted as an international
standard did not undergo a more rigorous evaluation especially with
respect to the strength of its security measures. It seems strange that
they state that the 802.11 standard "strongly recommends against IV reuse"
yet they do not require it, essentially leaving the level of security to
be dependent on the vendors' implementation. I I agree with the authors
that security protocol development should involve greater involvement by
the cryptographic community and thus avoiding the trap of developing an
implementation that may be more attractive from an engineering perspective
but fails to guarantee sufficent level of security. This topic is already
extremely relevant in today's context where more and more devices are
becoming highly mobile.
This archive was generated by hypermail 2.1.6 : Tue Nov 23 2004 - 23:36:20 PST