From: Craig M Prince (cmprince@cs.washington.edu)
Date: Wed Nov 24 2004 - 07:06:27 PST
Reading Review 11-24-2004
-------------------------
Craig Prince
The paper titled "Intercepting Mobile Communications: The Insecurity of
802.11" discusses flaws with the WEP (Wired Equivalent Privacy) protocol.
This paper overviews numerous security flaws with how the protocol was
setup. The authors first show how the protocol allows messages to be
decrypted because the protocol allows the same encrpytion stream to be
used on multiple messages. This flaw can theoretically allow an adversary
to determine what certain messages say.
The bigger threats raised involve being able to modify messages and create
completely new messages. These are accomplished because the protocol uses
a simple checksum to verify message integrity which is inadequate and also
because cipher streams are reused. These first three exploits completely
demolish the security goals for which WEP was designed. However, the
authors discovered every more flaws.
WEP is supposed to provide access control to a network but the authors
showed that access can be gained through monitoring a previous
authentication sequence and using this to gain a valid cipher stream, then
use this stream to build a new authentication message. Overall, WEP has a
very poor form of authentication (not actually requiring proof of the
secret). The final flaws addressed had to do with being able to trick
others into decrypting all or part of a message.
What I really liked about this paper was that the authors don't just
provide a list of vulnerabilities to the author, but instead attempt to
convey the severity of the various vulnerabilities in addition to
suggesting design advice on how to avoid such vulnerabilities in
protocols. I especially like the TCP ACK "side-channel" attack, since it
shows how there can be subtle interplays at higher levels that can be used
to bypass security at a lower level. It also shows how even knowing just
message length leaks information even if the message itself is encrpyted.
Another thing I thought was interesting is how in numerous places they
talk about how certain implementations of WEP are "flawed" -- namely by
choosing the initialization vector (IV) poorly. They then mention how this
is advised against in the protocol, but not forbidden. Why if the protocol
authors knew it was bad, did they not forbid it? Clearly there was a
breakdown in the communication between the protocol designers and the
implementors.
I thought that the authors could have spent more time looking at how to
fix the protocol presented. Instead the authors provide only two
solutions, 1) that the protocol should have used a keyed message digest
with something besides a stream cipher, or 2) that WEP should not be used
at all. Are there other ways to make the protocol more robust, without
completely rewriting it?
Overall, I liked how this paper looked at the problems with the WEP
protocol and how it provided good design advice for security design. This
is very useful for researchers because it provides design guidance and
allows us to learn from the mistakes of others.
This archive was generated by hypermail 2.1.6 : Wed Nov 24 2004 - 07:06:29 PST