Wi-Fi Security's Network Problems

Promise: WPA Personal is a simple way to secure wireless networks without having to type keys in manually, buy everything from one vendor, or install bloated client-side software that only works on a Windows PC.

Players: The standard is driven by the Wi-Fi Alliance, but unlike previous Wi-Fi standards it's too high up the stack to involve the IEEE. Broadcom's proprietary system is popular in the home market, but Microsoft is catching up fast.

Prospects: Basic support for WPA Personal is mandatory in all newly released Wi-Fi products as of this month, but the Wi-Fi Alliance's tests assume that encryption keys have already been shared. There's little chance of agreement on a secure way to share them anytime soon.

With security such an important concern for wireless networks, most new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2), the latest standard for encrypting data sent over the air. As of this month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2 compatibility a mandatory part of its interoperability tests. But there are two kinds of WPA2, and most Wi-Fi phones and many other gadgets support only the lesser version, which was originally designed for home networks.

When the Wi-Fi Alliance came up with WPA2, it segmented the market into two categories: WPA Enterprise and WPA Home. WPA Enterprise is a nearly complete implementation of the IEEE's 802.11i specification, aimed at large corporate networks that can afford RADIUS servers and full-time support personnel. WPA Home was a lighter subset, intended to be less secure, but simple to set up and used only in consumer electronics.

Only one of those intentions has been realized. The home version is less secure, but it isn't simple enough for home users, and it's being used in the enterprise, too. As a result, the Wi-Fi Alliance has renamed it WPA Personal. The Alliance is also considering ways to simplify key management. Several vendors have come up with proprietary systems, but at present the only sure way to transfer keys for WPA Personal is to type them in manually--a process that scales from inconvenience to potential deal-breaker as networks get larger.

OVEREXTENDEDThe problem with WPA Enterprise is its complexity. It relies on the Extensible Authentication Protocol (EAP) to exchange encryption keys, which at a minimum requires an authentication server. On its own, that wouldn't matter to most IT departments, but EAP itself isn't enough. It in turn relies on various extensions, the choice of which is usually dictated by the type of server and the authentication credential.

For example, the IETF has standards for EAP based on passwords and digital certificates, and the Trusted Computing Group (TCG) has demonstrated one using Trusted Platform Module (TPM) chips. Most vendors also have their own proprietary versions: Microsoft shops can get easy integration with Active Directory, while Cisco shops get a system that can use dictionary passwords, but (at least so far) without the risk of dictionary attacks.

Critically, client devices need to support the same type of EAP as the network they're joining. This is usually enabled through software called a supplicant, and no EAP type has supplicants available for every device. Users of proprietary systems are thus at the mercy of a single vendor--Microsoft won't make its software available for Linux--and even standards aren't widely supported.Even if every software vendor were willing to support every EAP type, that wouldn't solve the problem. Most Wi-Fi phones and bar-code readers just don't have the compute power to run an EAP supplicant, so they can't use WPA Enterprise at all. Networks that include these must allow clients the option of dropping down to some less secure connection method, which means WPA Personal or something worse.

KEYS WITHOUT KEYBOARDS

WPA Personal uses the same 128- and 256-bit AES encryption as WPA Enterprise, but omits the requirement for EAP. Instead, the standard just assumes that all clients already have a key and uses that as an authentication credential. This is very easy for products to support because most 802.11 radio chips now include AES in hardware. What they don't include is a way to exchange the symmetric AES keys.

To simplify things further, WPA Personal uses a single key for every client on the network. In contrast, WPA Enterprise gives every client a unique key, randomly generated for each session or even each packet. In this respect, WPA Personal is similar to Wired Equivalent Privacy (WEP), the notoriously easy-to-break security built into the original 802.11 specification. However, WEP had many other known problems, all of which have been fixed. The original WPA fixed some problems in the way that WEP implemented its RC4 algorithm, and it added support for longer keys. WPA2 ditched RC4 in favor of AES and made keys longer still.

Still, a shared key can present a security risk, and it gets worse as networks get bigger. It isn't a severe problem for home networks that just have one or two clients and a single access point (AP), but it leaves enterprises vulnerable to device theft and information leaks. That's because if the key is copied from any machine, every device on the network needs to have its key changed.EAP's absence makes changing keys difficult. Simply typing them in gets harder as keys get longer, which is particularly difficult on devices without keyboards--the very things least likely to support EAP. Vendors have come up with three workarounds, but reflecting the system's origins, all are aimed mainly at home users. None work with all hardware.

BROAD BUT SHALLOW

The most popular system is Broadcom's Secure Easy Setup (SES), which has been included in most NICs and APs based on Broadcom chips since mid-2004. SES originally generated keys from a combination of a passphrase and the answers to several security questions, so it was really only designed as a mnemonic. Unlike simple passwords, the keys it generates aren't vulnerable to a dictionary attack. And unlike typing keys in manually, the passphrases and answers should be easy for users to remember. However, it isn't any help for input on devices that don't have a keyboard.

A newer version of SES negotiates a random key automatically when users push a single button on the client and the AP simultaneously, though this is potentially vulnerable to some sniffing attacks. Linksys and Buffalo Technology include physical buttons on their APs for this, and Broadcom's reference design for a Wi-Fi phone also has one. For devices without them, Broadcom software implements the button as a mouse-click in a GUI, either within the NIC's driver or an AP's SSL management interface.

Broadcom's chips are ubiquitous in the home Wi-Fi router market, but they're rare in enterprise APs. Most of these are based on chips from Atheros, which offers a similar single-button system called JumpStart. This isn't vulnerable to the same sniffing attacks as SES because it asks users for a password in addition to pushing a button, and it negotiates a key using the Diffie-Hellman algorithm.Both SES and JumpStart require their vendors' chips on the client as well as the AP, limiting their use. Atheros has published the JumpStart code under a permissive open-source license so that it can be used by other manufacturers, as well as inspected by security researchers or added to unsupported platforms in software. However, that isn't much use for devices too simple to run extra software--the very things for which enterprises are likely to need WPA Personal. And so far, no other manufacturers have taken up Atheros' offer.

HOME LAN SECURITY

Microsoft and Intel are backing a sneakernet approach, an early version of which is already included in Windows XP Service Pack 2. This generates a random key and shares it using USB flash drives, so it works with any vendor's NIC or AP. That makes it a good choice for people who take their Windows laptops home and connect to a Wi-Fi network there. It isn't enough for enterprise networks themselves yet, as devices that don't support EAP also don't run Windows XP or have USB ports.

For these devices, Microsoft and Intel propose using Radio Frequency Identification (RFID) tags. The theory is that RFID is very cheap, and many cell phone manufacturers already plan to include RFID readers inside cell phones. They also see a large potential consumer market for gadgets such as Wi-Fi picture frames, which might not have any input buttons or devices at all but could still receive a key through RFID. PCs won't include RFID as standard, but these can fall back on USB.

RFID isn't quite as secure as a USB drive because its transmissions can be sniffed using a directional antenna. However, the relatively low power of most RFID cards makes this unlikely. A bigger disadvantage is that no Wi-Fi devices actually include RFID yet, so the system isn't of any use to people using Wi-Fi phones right now. Typing keys manually will be necessary for the foreseeable future.SECURITY HOLES

Regardless of how WPA Personal keys are exchanged, enterprises don't need to rely on it entirely. PCs and other devices capable of running arbitrary software can use WPA Enterprise or a VPN, with the less secure version reserved only for devices that need it. Leaving an opening for less secure wireless links might be a scary proposition to some IT departments, but there's really no alternative that doesn't involve banning all non-EAP devices. And WPA Personal is a great improvement over WEP.

Enterprise AP vendors including Cisco, Aruba Wireless Networks, Meru Networks, Symbol Technologies, and Trapeze Networks all have ways to minimize the risk. Clients that authenticate using WPA Enterprise can be given full access to enterprise resources, whereas those that don't can be restricted to particular resources. For example, a phone can only connect to a PBX, a bar-code reader to a particular server, and guest machines to the Internet. The same kind of system can offer a completely unsecured connection that bypasses the private network and allows only Web surfing, which is useful for guest access.

Write to Chief Technology Editor Andy Dornan at [email protected].