Secure IT! Newsletter
The Newsletter of the Information Security Group | ISG@brown.edu
Archive Edition: June, 2005



Advanced Wireless Security for the Masses

by Paul Asadoorian, GCIA, GCIH, Lead IT Security Specialist, CIS

Introduction

I am often asked what it is the average user can do on their home networks to secure their own wireless implementation. Quite frankly, I never have any really good answers, at least ones I am truly comfortable with. I tell them to use encryption (WEP, or Wireless Equivalent Privacy), MAC address filtering, and don’t broadcast the SSID.

Unfortunately all of these methods have significant security problems. Attackers can listen to the wireless network traffic and determine the SSID and discover which MAC addresses are authorized on the network. With this information they can easily defeat your wireless security.

WEP is a severely flawed protocol. Many tools and tactics exist to compromise it and gain access to your network, and more importantly your data. The newer WEP attack tools no longer require large amounts of wireless network traffic to be effective; they can now generate the traffic they need to perform the decryption.

To overcome the shortcomings of the current wireless security measures, especially WEP, the 802.11i standard was created. The new standard contained much better ways to provide security; however, it was taking time to become ratified and gain vendor support. Thus WPA (Wi-Fi Protected Access) was born. It is based on a subset of the 802.11i standard and therefore does not implement all the features in 802.11i, only a select few that allow it to be superior to WEP. There now exists WPA2, which is another name for the fully ratified 802.11i implementation.

Support for WPA is limited to certain access points and wireless adapters, and even more so for WPA2. This article will focus on WPA, specifically the form of WPA intended for home use and small offices, WPA-PSK (Wi-Fi Protected Access-Pre-Shared Key). It offers the best security for home use available today, and after reading this article I hope you find it easy to configure and do so on your home network. If you wish to skip the background, you can jump ahead to the details for setting up WPA-PSK.

WPA Under The Covers

Before we dive right into the actual setup of WPA, it is helpful to understand a little about how it works. There are two ways in which to implement WPA: WPA-PSK and WPA Enterprise.

  • WPA Enterprise is geared towards corporations with a central authentication mechanism (such as Microsoft Active Directory). It requires that you enter a username and password before connecting to the wireless network.
  • WPA-PSK is similar to WEP, requiring a key to be entered on both the access point and client. This key must be the same on both before you are allowed to connect to the network.

Both WEP and WPA-PSK will encrypt your traffic over the wireless network. However, WPA-PSK has many improved features over WEP and fixes all known problems. For example, WPA utilizes the same type of encryption algorithm as WEP (RC4), but uses 128-bit encryption instead of 40-bit encryption. This makes it more difficult to break the encryption.

A further layer of security is added: TKIP (Temporal Key Integrity Protocol). It works as follows: you give TKIP a key, and it then uses that key to generate more keys, which change on a regular basis. This differs from WEP, which uses a static key.

Below is a breakdown of the differences between WEP and WPA-PSK:

 
            Encryption     Key Life         Replay Protection   Packet Integrity
WEP         40-Bit RC4     Static           No                  CRC32
WPA-PSK     128-Bit RC4    Dynamic (TKIP)   Yes                 Michael

WPA-PSK also contains support for replay protection. This prevents attackers from capturing packets on the network, such as when you log in to a device, and playing them back on the network. Packet integrity prevents an attacker from changing the packets in transit. WPA-PSK uses a much better algorithm (Michael) than WEP's CRC32 to accomplish this.

Setting Up WPA-PSK

So now you’re ready to take advantage of the cool new security features in WPA-PSK. In this example I will show you how to set up WPA-PSK using a Linksys WRT54G Wireless Broadband router and any WPA compatible wireless adapter in Windows XP. You can purchase a Linksys WRT54G for around $55 at your favorite computer store or web site. I found it on ZipZoomFly for $50 after rebate with free 2nd day shipping.

Step 1 – Upgrade your wireless infrastructure

The first step is to be certain you have installed the latest firmware upgrade for your WRT54G, which can be obtained at the Linksys download site.

You will also need the latest firmware for your wireless adapter. This will depend on the adapter type you own; for Linksys products you can use the link above.

Lastly, be certain you have installed Windows XP SP2 and/or the wireless update rollup from Microsoft. You may need to install additional hotfixes from Microsoft, depending on the adapter you have chosen. Refer to your wireless adapter manufacturer's documentation for more information on driver updates, hotfixes and other software that you may need to update.

Step 2 – Configure the wireless security on your access point

Open your web browser and go to the management address of your access point, typically http://192.168.1.1, and enter your username and password. Then go to the “Wireless” -> “Wireless Security” tab. You should have a screen that looks similar to the following:

WPA Pre-Shared Key set up dialog box

As shown above, select “WPA Pre-Shared Key” from the Security Mode menu and choose “TKIP” for the WPA algorithm.

Here is where you can make or break the security level for your wireless network: the shared key.

It is important that you choose a really, really good shared key. This goes above and beyond what a good password should be; in fact, it should be 3 times as good as your best password. Don’t kid yourself: your dog's birthday plus your favorite Star Wars character with some caps won’t work here. You need a sentence that is at least 20 characters long, mixing upper and lower case with a couple of numbers thrown in; otherwise someone could potentially brute force your shared key and compromise the security of your wireless network.

The last field is the Group Key Renewal, or how often it will generate a new key. I like a value of 60 seconds for this field so it changes the key every minute. Now click “Save Settings”.

Step 3 – Configure Windows XP

Go to the properties of your wireless adapter, then to the “Wireless Networks” tab. Under “Preferred Networks” click “Add...”. You should see a screen similar to the following:

WPA-Test properties dialog box

Under Network Authentication choose “WPA-PSK”, and for Data Encryption choose “TKIP”.

Enter the same network key that you entered on your access point (remember that really, really good password?). Click “OK” and connect to the wireless network as you normally would, except now enjoy the extra protection of WPA-PSK!

WPA-PSK Security Shortcomings

While WPA-PSK is the best setup currently available for home wireless network security, it’s not perfect. The weakness lies in the shared secret: anyone who knows the shared secret can view all network traffic in clear text, hence the secret part.

The shared secret can also be compromised using specialized tools. Wireless hacking guru Joshua Wright has written a tool called coWPAtty, which will perform a dictionary-based password attack against your shared secret. It averages about 70 words/second. This is why it is important to choose a good shared secret, since it causes this process to take longer. WPA-PSK can also be difficult to manage. Each person that connects to your wireless network needs to know the key (not much of a secret anymore).
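The shared-key advice in Step 2 and the dictionary-attack rate above can be checked together. The following is an added example, not code from the article or from any tool it names. It derives the key as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, a detail from the standard rather than from this article); the SSID, the sample passphrases and the reading of "a couple of numbers" as two digits are assumptions.

```python
import hashlib

GUESSES_PER_SECOND = 70  # dictionary-attack rate quoted in the article

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)

def passphrase_problems(passphrase: str, wordlist=frozenset()) -> list:
    """Check a candidate against the article's advice for the shared key."""
    problems = []
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower-case letter")
    if sum(c.isdigit() for c in passphrase) < 2:  # assumed meaning of "a couple"
        problems.append("fewer than two digits")
    if passphrase.lower() in wordlist:
        problems.append("found in a word list")
    return problems

def hours_to_try(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Hours for one machine at `rate` guesses/second to try every candidate."""
    return candidates / rate / 3600

if __name__ == "__main__":
    ssid = "HomeNet-Example"  # constructed SSID, not from the article
    # Constructed passphrases: a weak one of the kind the article warns about,
    # and a sentence that follows its advice.
    for phrase in ("Fluffy2001Yoda", "My 2 cats nap 9 hours on the porch"):
        print(phrase, "->", passphrase_problems(phrase) or "meets the advice")
        print("  PSK:", wpa_psk(phrase, ssid).hex())
    print("1,000,000-word list: %.1f hours" % hours_to_try(1_000_000))
    print("62**20 random keys: %.2e years" % (hours_to_try(62 ** 20) / 8766))
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, so a unique SSID also helps against key tables computed in advance for common names.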

Conclusion

Despite its shortcomings, WPA-PSK is an improvement over the alternatives. Do not mistake it for the end-all solution to your wireless network security woes, but do implement it and enjoy a much higher level of security than you can achieve with previous methods.

Glossary

To help sort out the wireless “alphabet soup” I have included this glossary of terms used in this paper:

All terms are referenced from one of the following sites:

References

Brown University
Author: Paul Asadoorian, GCIA, GCIH
Email: paul /dot/ com /at/ brown /dot/ edu
Date: May 24, 2005