THE INTERNET PROTOCOL JOURNAL
# Source : http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac177/about_cisco_ipj_archive_article09186a00800c83e4.html
#
IEEE 802.11
by Edgar Danielyan
Introduced in 1997, the IEEE Standard 802.11 for wireless local-area networks has seen modifications and improvements in the past years and is promising a brighter wireless future, so yearned for by many of us. However, during its lifetime, the standard also has had a few setbacks, which are reminders that nothing is perfect in this world, much less in networking. This article provides a brief but comprehensive introduction to IEEE 802.11 wireless networking, its present and future, and highlights some of its security, performance, and safety aspects.
IEEE 802.11
The initial IEEE Standard 802.11 was published by the Institute of Electrical and Electronics Engineers (IEEE) in 1997. That standard is known as IEEE 802.11-1997 and is now updated by the current stan-dard, IEEE 802.11-1999. The current standard has also been accepted as an American national standard by the American National Standards Institute (ANSI) and has been adopted by the International Organization for Standardization (ISO) as ISO/IEC 8802-11:1999. The completion of IEEE 802.11 in 1997 set in motion the development of standards-based wireless LAN networking. The 1997 standard specified a bandwidth of 2 Mbps, with fallback to 1 Mbps in hostile (noisy) environments with Direct Sequence Spread Spectrum (DSSS) modulation, and bandwidth of 1 Mbps with Frequency Hopping Spread Spectrum (FHSS) modulation, with possible 2-Mbps operation in friendly (noise-less) environments. Both methods operate in the unlicensed 2.4-GHz band. What is less known about IEEE 802.11 is that it also defines a baseband infrared medium, in addition to the DSSS and FHSS radio specifications, although its usefulness seems somewhat limited. There are also several task groups inside the 802.11 working group itself that work on substandards of 802.11:
802.11D: Additional Regulatory Domains
802.11E: Quality of Service (QoS)
802.11F: Inter-Access Point Protocol (IAPP)
802.11G: Higher data rates at 2.4 GHz
802.11H: Dynamic Channel Selection and Transmission Power Control
802.11i: Authentication and Security
The IEEE 802 group has an official Web site at www.ieee802.org , and IEEE 802.11 has an official Web site at www.ieee802.org/11/ .
DSSS
Direct Sequence Spread Spectrum (DSSS) is one of the modulation techniques provided for by the IEEE 802.11 and the one chosen by the 802.11 Working Group for the widely used IEEE 802.11b devices. DSSS modulation is governed in the United States by FCC Regulation 15.247 and in Europe by ETSI Regulations 300-328. DSSS in IEEE 802.11 uses Differential Binary Phase Shift Keying (DBPSK) for 1 Mbps, and Differential Quadrature Phase Shift Keying (DQPSK) for 2 Mbps. The Higher-Rate DSSS (DSSS/HR) defined in IEEE 802.11b uses Complementary Code Keying (CCK) as its modulation scheme and provides 5.5- and 11-Mbps data rates. Because of their compatibility, all three modulation schemes can coexist using the rate-switching procedures defined in the IEEE 802.11. The Orthogonal Frequency Division Multiplexing (OFDM) used by the IEEE 802.11a is regulated in the United States by Title 47 Section 15.407 of the U.S. Code of Federal Regulation (CFR). IEEE 802.11a uses a system of 52 subcarriers modulated by BPSK or QPSK and 16-quadrature amplitude modulation. It also uses forward error correction (FEC) coding, also used by the Digital Video Broadcasting (DVB) standard with coding rates of 1/2, 2/3, and 3/4.
FHSS
Although specified by the original IEEE 802.11, Frequency Hopping Spread Spectrum (FHSS) modulation is not favored by vendors and, it seems, the 802.11 working group itself. DSSS has won the battle—very few vendors support 802.11/FHSS, and further developments with 802.11 use DSSS. Some have expressed ideas that frequency hopping in FHSS may contribute to the security of 802.11, but these are invalid expectations— the hopping codes used by FHSS are specified by the standard and are available to anyone, thus making the expectation of security through FHSS unreasonable.
Two supplements to the IEEE 802.11-1999, known as IEEE 802.11a and IEEE 802.11b, brought considerable changes and improvements to the IEEE 802.11-1999 standard.
IEEE 802.11a
IEEE 802.11a specifies a high-speed physical layer operating in the 5- GHz unlicensed band utilizing a complex coding technique known as OFDM. The data rates specified by IEEE 802.11a are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, with support for 6, 12, and 24 Mbps as a man-datory requirement. IEEE 802.11a is seen by some in the industry as the future of IEEE 802.11. Some products already implement the IEEE 802.11a, such as the chip from Atheros (www.atheros.com ) and a PCMCIA/CardBus adapter from Card Access Inc (www.cardaccess-inc.com ) based on it. However, 802.11a is not without disadvantages. The increased bandwidth of IEEE 802.11a results in a shorter operation range.
Additionally, because of the protocol overhead and interference/error correction, the real bandwidth may be considerably less than the nominal. New surveys and installation will also be required in many cases; the underlying infrastructure will also be more expensive because of the shorter operation range (about 1/3 of 802.11b) and higher density of base stations (also known as access points).
IEEE 802.11b
Probably the most widely implemented and used wireless LAN technology today, IEEE 802.11b specifies 5.5- and 11-Mbps data rates (in addition to the already specified 1 and 2 Mbps), but operates in the original 2.4-GHz band also using DSSS modulation. Most currently selling IEEE 802.11 products implement IEEE 802.1b. IEEE 802.11b- compliant devices can operate at 1, 2, 5.5, and 11 Mbps.
It is important to note that both incarnations of IEEE 802.11 use the same Media Access Control (MAC) protocol, Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA); therefore, these modifications affect only the physical layer (PHY layer in IEEE par- lance) of the standard. The 1/2- and 5.5/11-Mbps DSSS (IEEE 802.11b) networks can coexist, enabling a painless transition to IEEE 802.11b (High Rate) at 11 Mbps. Eleven to fourteen radio channels are available for use with IEEE 802.11b in the 2.4-GHz band, depending on the local legal and administrative restrictions.
Distance, Power, and Speed Issues
It is obvious that all three of these parameters of wireless systems are interconnected. However, as with other radio-based technologies, the external conditions (such as the line of sight in case of outdoor use) greatly affect the operation of IEEE 802.11 devices.
Antennae
Antennae used with IEEE 802.11b devices may be grouped into two categories: omnidirectional and point-to-point. Obviously, omnidirectional antennae are the easiest to use, because they do not require positioning. Omnidirectional antennae are used in most base stations, as well as in most access cards. However, because of their nature, omnidirectional antennae do not work well over longer distances, unless used with external amplifiers; and these are not always legal or appropriate to use. Directional, or point-to-point antennae, on the other hand, require careful positioning and are used outdoors. Although the typical range for an omnidirectional antenna system is 150 ft (45m), configurations with high-gain directional antennae can work on distances up to 25 miles (about 40 km). In localities where amplifiers are allowed, the maximum distance may be considerably increased and is limited only by the line of sight.
Among other factors affecting the operational range of IEEE 802.11b devices are the base-station placement (when used in the infrastructure mode) and radio interference. As mentioned earlier, IEEE 802.11b devices will auto-configure for the highest possible speed and fall back to lower speeds when circumstances so require.
Performance Issues
Aside from obvious factors that affect performance (such as antennae, distance, radio interference) there are numerous other, more subtle issues. In the infrastructure mode, when all devices have to register with the base station(s), the load on the base station(s) increases with the number of clients and may reach a point when the performance reaches unacceptable lows. For example, Apple's AirPort Base Station (Version 2) can support up to 50 simultaneous clients. However, the actual performance of the whole system also depends on the kind of traffic. In particular, isochronous traffic (time-sensitive traffic, such as some types of video, audio, and telemetry), as well as multicast traffic, are particularly taxing for IEEE 802.11 networks and are better kept off the wireless LAN. However, several groups are currently working on extensions to 802.11 to provide for such kinds of traffic in a future version of the standard.
IEEE 802.11 Base Stations and Clients
All IEEE 802.11 devices can be grouped into one of two groups: base stations or clients. Base stations can function as clients; however, not all clients can function as base stations. The reason for this is that base stations are required to provide certain network services to clients (association, distribution, integration, reassociation, and so on) that not all client hardware, firmware, or software can or intended to provide.
These considerations apply when the infrastructure mode of IEEE 802.11 is deployed. In ad hoc networks, where there are no base stations, all clients communicate directly with each other, reminiscent of a traditional shared Ethernet network, with all nodes sharing equal rights and responsibilities. As noted earlier, 11 to 14 radio channels are available, but separate networks may coexist on the same frequency (using different network IDs (Service Set Identifiers [SSIDs]), albeit with performance penalties.
The workings of 802.11 devices also differ in the infrastructure and ad hoc modes. In the infrastructure mode (Figure 1), clients associate (and optionally authenticate) themselves with a base station, and the presence of the base station is necessary for the operation of the network.
Complex 802.11 networks may be built using the infrastructure mode, with numerous base stations providing coverage over relatively large physical areas, and clients may roam within this roaming domain, which theoretically may extend from a single building to the entire campus or town. The Spanning-Tree Protocol (STP) is usually used in these cases to provide loop-free bridging in this wireless LAN.
In the ad hoc mode (Figure 2), base stations are not used and are not necessary, because all nodes of the wireless LAN have direct reachability (that is, they "see" each other). This mode is usually used in circumstances where all devices are in close proximity to each other (such as a floor or office) and when omnidirectional antennae are used.
IEEE 802.11 Roaming and Mobility
IEEE 802.11 provides for roaming and mobility of 802.11 client devices and allows clients to roam among multiple 802.11 base stations that may be operating on the same or different frequencies (channels). This is achieved through the use of beacon frames, which are used to synchronize 802.11 devices and, in the infrastructure mode, to associate with a base station.
There are two ways to scan for existing 802.11 networks: active and passive scanning. In active scanning mode, the 802.11 device sends out "probe" frames, soliciting "I am here" responses from existing 802.11 devices. In the passive mode, the devices just listen for beacon frames, which are periodically transmitted by the active devices. In addition, the IEEE 802.11 Task Group F is working on the IAPP, which is to provide better and interoperable mobility and roaming mechanisms.
Security of IEEE 802.11
Up to this point IEEE 802.11 could be considered an absolute success; however, security of IEEE 802.11 is not quite on par with other aspects of the standard. Although an entire chapter (Chapter
of the standard is dedicated to authentication and privacy, it is now the common consensus that designers of IEEE 802.11 did not excel in this area. Two reports widely covered in the media, "Your 802.11 Wireless Network Has No Clothes" [7] , and ?"Intercepting Mobile Communications: The Insecurity of 802.11" [6] , shed light on the apparent shortcomings of the standard, or to be more exact, on its "vulnerability by design." They demonstrated that although the designers were well aware of the need to plan for authentication and privacy, the actual implementation was not an excellent one. The WEP algorithm, used to provide authentication and privacy in 802.11 wireless networks, is the problem.
WEP
Before discussing the security weaknesses discovered in IEEE 802.11, we quote the aim of the Wired Equivalent Privacy (WEP) algorithm as specified in the IEEE 802.11 standard document:
"Eavesdropping is a familiar problem to users of other types of wireless technology. IEEE 802.11 specifies a wired LAN equivalent data confidentiality algorithm. Wired equivalent privacy is defined as protecting authorized users of a wireless LAN from casual eavesdropping. This service is intended to provide functionality for the wireless LAN equivalent to that provided by the physical security attributes inherent to a wired medium."
As you see, the aim of WEP is to provide a level of privacy equivalent to that of a wired LAN. The wording of standard is very important here: the developers of the standard did not intend to provide a level of security superior to or higher than that of a regular wired LAN, such as Ethernet. The very name of the algorithm, "Wireless Equivalent Privacy," signifies the actual intention of the developers. However, as the practice has shown, the level of security roughly equivalent to the level of security provided by wired LANs is not sufficient—and it is the assumption that "it is OK if wireless LANs are as secure as wired LANs" that is wrong. Other problems, such as the choice of Cyclic Redundancy Check 32 (CRC-32) instead of Message Digest Algorithm 5 (MD5) or some other secure hash algorithm, just worsen the problem.
How WEP Works
Let's now look at the workings of WEP. WEP uses a secret key shared between 802.11 nodes to encrypt 802.11 frames (Layer 2). It also uses a checksum (CRC-32) to provide data integrity. The checksum itself is also encrypted using the shared secret key. The decryption is the reverse of the encryption process: the frame is decrypted using the key and the CRC-32 checksum is computed and checked. The cipher used in WEP is RC4, a stream cipher designed by Ron Rivest, and believed to be cryptographically strong. The key is 40 or more bits long (up to 128 bits in some implementations). However, the Initialization Vector that is used during the encryption process is only 24 bits long. It is difficult to understand why the designers chose such a small number—more about this later. WEP does not provide any key management—the standard itself does not specify how the shared secret key should be managed and distributed. This leaves one of the most vulnerable parts of any cryptographic system—key distribution —open for misuse. The Borisov Goldberg Wagner Attacks (February 2001)
In their paper entitled "Intercepting Mobile Communications: The Insecurity of 802.11," Nikita Borisov, Ian Goldberg, and David Wagner describe the vulnerabilities present in WEP and attacks against it. In the introduction to their paper, they state:
"Unfortunately, WEP falls short of accomplishing its security goals. Despite employing the well-known and believed-secure RC4 cipher, WEP contains several major security flaws. The flaws give rise to a number of attacks, both passive and active, that allow eavesdropping on, and tampering with, wireless transmissions."
They go on to say that WEP fails to achieve all three of its security goals, namely confidentiality, access control, and data integrity.
As has been noted earlier, WEP uses the RC4 stream cipher with a 24- bit Initialization Vector for encryption. Borisov, Goldberg, and Wagner show that the poor design of WEP makes the system vulnerable in many areas, and one of the weakest parts of WEP is the 24-bit Initialization Vector, which may result in keystream reuse. Keystream reuse in turn permits successful cryptanalysis attacks against the ciphertext. However, what is surprising is that:
"The WEP protocol contains vulnerabilities despite the designers' apparent knowledge of the dangers of keystream reuse attacks."
Another not less important but equally poorly designed aspect of WEP is the use of CRC-32. It is known that CRCs are not cryptographically strong and are not intended to be used in place of message digest or hash functions such as MD5 or the Secure Hash Algorithm (SHA). Because of the nature of CRC, it fails to provide the required integrity protection.
Some in the industry suggest that MD5 or SHA would introduce performance penalties if used—and indeed they would—one cannot disagree. But let's not forget that CRC-32 was intended as a security measure— which it isn't—yes, it is fast, but it is also insecure. Presumably, a slower but really secure solution is better than an inadequate though fast solution.
The Arbaugh Shankar Wau Attack (April 2001)
In the paper "Your 802.11 Wireless Network Has No Clothes," [7] authors present their research of the authentication flaws in the IEEE 802.11 and demonstrate a simple eavesdropping attack against IEEE 802.11 authentication. This work is partially based on the knowledge obtained by Borisov, Goldberg, and Wagner in the paper described previously. The attack described in this work is possible even with WEP enabled; however, in that case it will also require application of attack(s) against WEP presented by Borisov et al. The authors also note that a good key management architecture would increase the security of the system; however, in their opinion only a comprehensive redesign of the standard would provide a good long-term solution to these issues.
The Fluhrer Mantin Shamir Attack (August 2001)
Scott Fluhrer, Itsik Mantin, and Adi Shamir describe a passive cipher-text-only attack against the key scheduling algorithm of RC4 as used in WEP [11]. They identify a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with nonnegligible probability. They also show that the first byte generated by the RC4 leaks information about individual key bytes. This paper in particular shows how to reconstruct the secret key in WEP by analyzing enough WEP-encrypted packets. The authors have not tried to do this in practice—others did that.
The Stubblefield Ioannidis Rubin Implementation of Fluhrer Mantin Shamir Attack (August 2001)
In an AT&T Laboratories report published on August 21, 2001 [14], Adam Stubblefield, John Ioannidis, and Aviel Rubin describe a real-world successful implementation of the Fluhrer Mantin Shamir attack using a $100 Linksys card on a Linux machine. They report that it took less than a week from ordering the card to recovering the WEP key on a production network. This practical work has shown that no expensive hardware or software is necessary in order to break WEP. They summarize that it is the poor implementation of reasonable secure technologies (such as RC4) that is responsible for WEP weaknesses.
WECA's Response
The Wireless Ethernet Compatibility Alliance (WECA) is the organization responsible for certifying compliance with the IEEE 802.11 standards. It also awards the WiFi (Wireless Fidelity ) industry mark to the products that have passed IEEE 802.11 compliance testing.
In response to the Berkeley paper, WECA has published an official statement, clarifying its understanding of the situation. The main line of this statement is that poor security is better than no security, as well as that WEP was not intended to be a panacea for all security needs. The statement correctly notes that the biggest security threat is the failure to use available protection methods, including WEP.
IEEE 802.11 Chair's Response
In response to the research made at UC Berkeley and the University of Maryland, the Chair of the IEEE 802.11 Working Group, Stuart Kerry, has published a Chair's response intended to clarify some of the issues around the security of IEEE 802.11. He denied allegations made in the media that the security weaknesses of WEP are due to the closed standardization process. In fact, because WEP is a part of IEEE 802.11, it was developed through an open process, like other IEEE standards. The IEEE 802.11 Working Group itself is open to all interested parties to participate. He also rejects the viewpoint that frequency-hopping wireless networks would be less vulnerable to security attacks. It is evident that this is not true because both hopping codes and timing are unencrypted and are available to the attacker. Reminding us that the goal of WEP was to provide a level of security comparable to wired LANs, he states that the IEEE 802.11 Working Group is currently working on improvements to WEP to incorporate better security into the next version of the standard.
IEEE 802.1X
Security in 802.11 networks can be broken down into three components: authentication framework, authentication algorithm/protocol, and encryption. IEEE 802.1X is trying to address the authentication framework part of the puzzle. Although still in development, 802.1X provides a scalable, centralized framework for authentication. 802.1X may deploy a variety of authentication protocols (currently Cisco's Lightweight Extensible Authentication Protoco l [LEAP] and Microsoft's Extensible Authentication Protocol ? Transport Layer Security [EAP-TLS] are available), and it works with both wired and wireless LANs. The widely used Remote Access Dial-In User Service (RADIUS) protocol is also used in the 802.1X framework. 802.1X/LEAP is available with the Cisco Aironet 350 Series of wireless LAN devices; EAP-TLS is supported in Windows XP. Although it is still a draft, 802.1X may one day become the solution to the authentication issues of 802.11.
IEEE 802.11i
Task Group I of the IEEE Working Group 802.11 is currently defining MAC enhancements to provide enhanced security for 802.11. This is a work in progress, and no IEEE 802.11i draft exists at the time of writing.
Cisco's Solution
Cisco Systems has responded to both papers on the security of the WEP [10]. Cisco agrees that the WEP has serious shortcomings, and states that its Aironet series of wireless networking products offers many solutions to these problems: dynamic WEP keys, secure key derivation, and mutual authentication using LEAP [13] . However, Cisco agrees that improvements are needed in the standard itself.
RC4 Fast Packet Keying for WEP
In a Document Nr 550r2, "Temporal Key Hash," submitted by Russ Housley of RSA Security and Doug Whiting of Hifn to the IEEE 802.11 Working Group, they describe a solution to the WEP problem that uses a hashing technique that rapidly generates a unique RC4 key for each packet of data sent over the wireless network. This technique addresses the performance aspect of the security solution as well—the hash algorithm used in Fast Packet Keying (FPK) is much faster than traditional hash algorithms such as MD5 and SHA1 because of the special caching approach. The IEEE 802.11 Working Group has decided to include this technique in the IEEE 802.11i as an informative document. In most cases, FPK may be implemented as a firmware upgrade for the existing hardware. It is possible that when released, IEEE 802.11i may use FPK as the solution—but this decision is yet to be made. No definite plans are announced at the time of writing. For more information, see:
http://www.rsasecurity.com/rsalabs/technotes/wep-fix.html .
Health and IEEE 802.11
Concerns about safety and health effects of various wireless solutions such as mobile phones and wireless network devices periodically surface in the media. In particular, the question of whether mobile phones are linked to brain cancer and other diseases is still open. However, in response to these concerns regarding wireless networking equipment health effects, Cisco Systems has published a white paper entitled "Cisco Systems Spread Spectrum Radios and RF Safety," which explains why these devices do not present a threat to human health when correctly used. The bottom line is that devices certified as compliant with U.S. Federal Communications Commission or Industry Canada's regulations are safe to use because of their low emitted power.
Practical Uses
Many companies, such as MobileStar, Wayport, Surf&Sip, and Airwave, have begun providing IEEE 802.11b Internet access at numerous locations throughout the United States. Several international airports also provide 802.11b service free of charge to travelers. No doubt more such services will continue to appear all over the world, maybe making a dream—Internet anywhere—a reality.
Summary
IEEE Standard 802.11 brought the long-awaited standardization to wireless LAN networking. Unfortunately, it also brought various security problems. Despite that, IEEE 802.11 is widely used, and with the coming of IEEE 802.11a, it can only gain in popularity. What now remains to be done is more effective and truly secure privacy and authentication for 802.11 wireless networks.
The IEEE 802.11 Working Group is actively working to improve what has been done to date. The most improvements are obviously needed in the area of security, where Working Groups 802.1X and 802.11i are working to define better security mechanisms. In particular, 802.11 WG is working on a new release of 802.11, which will include improvements over 802.11-1999. In the meantime, consider your wireless LAN as an external, insecure network—just like the Internet—and employ additional security measures, such as Virtual Private Networks, Transport Layer Security, SSH, and IP Security Architecture—in addition to WEP.
References
[1] IEEE Standard 802-1990: "IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture," ISBN 1-55937-052-1.
[2] IEEE Standard 802.11-1999: "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications."
[3] IEEE Standard 802.11a-1999: "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications (5 GHz)."
[4] IEEE Standard 802.11b-1999: ?Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specificiations (2.4 GHz).?
[5] "IEEE 802.11b Wireless Equivalent Privacy (WEP) Security," February 19, 2001, Wireless Ethernet Compatibility Alliance (WECA).
[6] Nikita Borisov, Ian Goldberg, and David Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11."
http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf
[7] William A. Arbaugh, Narendar Shankar, and Y.C. Justin Wan, "Your 802.11 Wireless Network Has No Clothes,"
http://www.cs.umd.edu/~waa/wireless.pdf
[8] William A. Arbaugh, "An Inductive Chosen Plaintext Attack Against WEP/WEP2," IEEE Document 802.11-01/230.
[9] J. R. Walker, "Unsafe at Any Key Size; An Analysis of the WEP Encapsulation," IEEE Document 802.11-00/362.
[10] "Cisco Comments on Recent WLAN Security Paper from University of Maryland," Cisco Systems, Product Bulletin 1327.
[11] Fluhrer S., Mantin L., and Shamir A., "Weaknesses in the Key Scheduling Algorithm of RC4," Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.
[12] Stuart J. Kerry et al, "Response from the IEEE 802.11 Chair on WEP Security," IEEE 802.11 Working Group.
http://www.ieee802.org/11/
[13] "Cisco Aironet Security Solution Provides Dynamic WEP to Address Researchers' Concerns," Cisco Systems, Product Bulletin 1281.
[14] Adam Stubblefield, John Ioannidis, and Aviel Rubin, "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, Revision 2," AT&T Laboratories Technical Report TD-4ZCPZZ, August 21, 2001.
EDGAR DANIELYAN is a Cisco Certified Network, Design, and Security Professional, as well as member of IEEE, ACM, USENIX, SAGE, and the IEEE Computer Society. Currently self-employed, he consults and writes on internetworking, UNIX, and security. His book, Solaris 8 Security, was published by New Riders Publishing in October 2001. The author is not affiliated with any of the organizations (except the IEEE) mentioned in this article.
E-mail: edd@danielyan.com
# Source : http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac177/about_cisco_ipj_archive_article09186a00800c83e4.html
#
IEEE 802.11
by Edgar Danielyan
Introduced in 1997, the IEEE Standard 802.11 for wireless local-area networks has seen modifications and improvements in the past years and is promising a brighter wireless future, so yearned for by many of us. However, during its lifetime, the standard also has had a few setbacks, which are reminders that nothing is perfect in this world, much less in networking. This article provides a brief but comprehensive introduction to IEEE 802.11 wireless networking, its present and future, and highlights some of its security, performance, and safety aspects.
IEEE 802.11
The initial IEEE Standard 802.11 was published by the Institute of Electrical and Electronics Engineers (IEEE) in 1997. That standard is known as IEEE 802.11-1997 and is now updated by the current stan-dard, IEEE 802.11-1999. The current standard has also been accepted as an American national standard by the American National Standards Institute (ANSI) and has been adopted by the International Organization for Standardization (ISO) as ISO/IEC 8802-11:1999. The completion of IEEE 802.11 in 1997 set in motion the development of standards-based wireless LAN networking. The 1997 standard specified a bandwidth of 2 Mbps, with fallback to 1 Mbps in hostile (noisy) environments with Direct Sequence Spread Spectrum (DSSS) modulation, and bandwidth of 1 Mbps with Frequency Hopping Spread Spectrum (FHSS) modulation, with possible 2-Mbps operation in friendly (noise-less) environments. Both methods operate in the unlicensed 2.4-GHz band. What is less known about IEEE 802.11 is that it also defines a baseband infrared medium, in addition to the DSSS and FHSS radio specifications, although its usefulness seems somewhat limited. There are also several task groups inside the 802.11 working group itself that work on substandards of 802.11:
802.11D: Additional Regulatory Domains
802.11E: Quality of Service (QoS)
802.11F: Inter-Access Point Protocol (IAPP)
802.11G: Higher data rates at 2.4 GHz
802.11H: Dynamic Channel Selection and Transmission Power Control
802.11i: Authentication and Security
The IEEE 802 group has an official Web site at www.ieee802.org , and IEEE 802.11 has an official Web site at www.ieee802.org/11/ .
DSSS
Direct Sequence Spread Spectrum (DSSS) is one of the modulation techniques provided for by the IEEE 802.11 and the one chosen by the 802.11 Working Group for the widely used IEEE 802.11b devices. DSSS modulation is governed in the United States by FCC Regulation 15.247 and in Europe by ETSI Regulations 300-328. DSSS in IEEE 802.11 uses Differential Binary Phase Shift Keying (DBPSK) for 1 Mbps, and Differential Quadrature Phase Shift Keying (DQPSK) for 2 Mbps. The Higher-Rate DSSS (DSSS/HR) defined in IEEE 802.11b uses Complementary Code Keying (CCK) as its modulation scheme and provides 5.5- and 11-Mbps data rates. Because of their compatibility, all three modulation schemes can coexist using the rate-switching procedures defined in the IEEE 802.11. The Orthogonal Frequency Division Multiplexing (OFDM) used by the IEEE 802.11a is regulated in the United States by Title 47 Section 15.407 of the U.S. Code of Federal Regulation (CFR). IEEE 802.11a uses a system of 52 subcarriers modulated by BPSK or QPSK and 16-quadrature amplitude modulation. It also uses forward error correction (FEC) coding, also used by the Digital Video Broadcasting (DVB) standard with coding rates of 1/2, 2/3, and 3/4.
FHSS
Although specified by the original IEEE 802.11, Frequency Hopping Spread Spectrum (FHSS) modulation is not favored by vendors and, it seems, the 802.11 working group itself. DSSS has won the battle—very few vendors support 802.11/FHSS, and further developments with 802.11 use DSSS. Some have expressed ideas that frequency hopping in FHSS may contribute to the security of 802.11, but these are invalid expectations— the hopping codes used by FHSS are specified by the standard and are available to anyone, thus making the expectation of security through FHSS unreasonable.
Two supplements to the IEEE 802.11-1999, known as IEEE 802.11a and IEEE 802.11b, brought considerable changes and improvements to the IEEE 802.11-1999 standard.
IEEE 802.11a
IEEE 802.11a specifies a high-speed physical layer operating in the 5- GHz unlicensed band utilizing a complex coding technique known as OFDM. The data rates specified by IEEE 802.11a are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, with support for 6, 12, and 24 Mbps as a man-datory requirement. IEEE 802.11a is seen by some in the industry as the future of IEEE 802.11. Some products already implement the IEEE 802.11a, such as the chip from Atheros (www.atheros.com ) and a PCMCIA/CardBus adapter from Card Access Inc (www.cardaccess-inc.com ) based on it. However, 802.11a is not without disadvantages. The increased bandwidth of IEEE 802.11a results in a shorter operation range.
Additionally, because of the protocol overhead and interference/error correction, the real bandwidth may be considerably less than the nominal. New surveys and installation will also be required in many cases; the underlying infrastructure will also be more expensive because of the shorter operation range (about 1/3 of 802.11b) and higher density of base stations (also known as access points).
IEEE 802.11b
Probably the most widely implemented and used wireless LAN technology today, IEEE 802.11b specifies 5.5- and 11-Mbps data rates (in addition to the already specified 1 and 2 Mbps), but operates in the original 2.4-GHz band also using DSSS modulation. Most currently selling IEEE 802.11 products implement IEEE 802.1b. IEEE 802.11b- compliant devices can operate at 1, 2, 5.5, and 11 Mbps.
It is important to note that both incarnations of IEEE 802.11 use the same Media Access Control (MAC) protocol, Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA); therefore, these modifications affect only the physical layer (PHY layer in IEEE par- lance) of the standard. The 1/2- and 5.5/11-Mbps DSSS (IEEE 802.11b) networks can coexist, enabling a painless transition to IEEE 802.11b (High Rate) at 11 Mbps. Eleven to fourteen radio channels are available for use with IEEE 802.11b in the 2.4-GHz band, depending on the local legal and administrative restrictions.
Distance, Power, and Speed Issues
It is obvious that all three of these parameters of wireless systems are interconnected. However, as with other radio-based technologies, the external conditions (such as the line of sight in case of outdoor use) greatly affect the operation of IEEE 802.11 devices.
Antennae
Antennae used with IEEE 802.11b devices may be grouped into two categories: omnidirectional and point-to-point. Obviously, omnidirectional antennae are the easiest to use, because they do not require positioning. Omnidirectional antennae are used in most base stations, as well as in most access cards. However, because of their nature, omnidirectional antennae do not work well over longer distances, unless used with external amplifiers; and these are not always legal or appropriate to use. Directional, or point-to-point antennae, on the other hand, require careful positioning and are used outdoors. Although the typical range for an omnidirectional antenna system is 150 ft (45m), configurations with high-gain directional antennae can work on distances up to 25 miles (about 40 km). In localities where amplifiers are allowed, the maximum distance may be considerably increased and is limited only by the line of sight.
Among other factors affecting the operational range of IEEE 802.11b devices are the base-station placement (when used in the infrastructure mode) and radio interference. As mentioned earlier, IEEE 802.11b devices will auto-configure for the highest possible speed and fall back to lower speeds when circumstances so require.
Performance Issues
Aside from obvious factors that affect performance (such as antennae, distance, radio interference) there are numerous other, more subtle issues. In the infrastructure mode, when all devices have to register with the base station(s), the load on the base station(s) increases with the number of clients and may reach a point when the performance reaches unacceptable lows. For example, Apple's AirPort Base Station (Version 2) can support up to 50 simultaneous clients. However, the actual performance of the whole system also depends on the kind of traffic. In particular, isochronous traffic (time-sensitive traffic, such as some types of video, audio, and telemetry), as well as multicast traffic, are particularly taxing for IEEE 802.11 networks and are better kept off the wireless LAN. However, several groups are currently working on extensions to 802.11 to provide for such kinds of traffic in a future version of the standard.
IEEE 802.11 Base Stations and Clients
All IEEE 802.11 devices can be grouped into one of two groups: base stations or clients. Base stations can function as clients; however, not all clients can function as base stations. The reason for this is that base stations are required to provide certain network services to clients (association, distribution, integration, reassociation, and so on) that not all client hardware, firmware, or software can or intended to provide.
These considerations apply when the infrastructure mode of IEEE 802.11 is deployed. In ad hoc networks, where there are no base stations, all clients communicate directly with each other, reminiscent of a traditional shared Ethernet network, with all nodes sharing equal rights and responsibilities. As noted earlier, 11 to 14 radio channels are available, but separate networks may coexist on the same frequency (using different network IDs (Service Set Identifiers [SSIDs]), albeit with performance penalties.
The workings of 802.11 devices also differ in the infrastructure and ad hoc modes. In the infrastructure mode (Figure 1), clients associate (and optionally authenticate) themselves with a base station, and the presence of the base station is necessary for the operation of the network.
Complex 802.11 networks may be built using the infrastructure mode, with numerous base stations providing coverage over relatively large physical areas, and clients may roam within this roaming domain, which theoretically may extend from a single building to the entire campus or town. The Spanning-Tree Protocol (STP) is usually used in these cases to provide loop-free bridging in this wireless LAN.
In the ad hoc mode (Figure 2), base stations are not used and are not necessary, because all nodes of the wireless LAN have direct reachability (that is, they "see" each other). This mode is usually used in circumstances where all devices are in close proximity to each other (such as a floor or office) and when omnidirectional antennae are used.
IEEE 802.11 Roaming and Mobility
IEEE 802.11 provides for roaming and mobility of 802.11 client devices and allows clients to roam among multiple 802.11 base stations that may be operating on the same or different frequencies (channels). This is achieved through the use of beacon frames, which are used to synchronize 802.11 devices and, in the infrastructure mode, to associate with a base station.
There are two ways to scan for existing 802.11 networks: active and passive scanning. In active scanning mode, the 802.11 device sends out "probe" frames, soliciting "I am here" responses from existing 802.11 devices. In the passive mode, the devices just listen for beacon frames, which are periodically transmitted by the active devices. In addition, the IEEE 802.11 Task Group F is working on the IAPP, which is to provide better and interoperable mobility and roaming mechanisms.
Security of IEEE 802.11
Up to this point IEEE 802.11 could be considered an absolute success; however, security of IEEE 802.11 is not quite on par with other aspects of the standard. Although an entire chapter (Chapter
of the standard is dedicated to authentication and privacy, it is now the common consensus that designers of IEEE 802.11 did not excel in this area. Two reports widely covered in the media, "Your 802.11 Wireless Network Has No Clothes" [7] , and ?"Intercepting Mobile Communications: The Insecurity of 802.11" [6] , shed light on the apparent shortcomings of the standard, or to be more exact, on its "vulnerability by design." They demonstrated that although the designers were well aware of the need to plan for authentication and privacy, the actual implementation was not an excellent one. The WEP algorithm, used to provide authentication and privacy in 802.11 wireless networks, is the problem. WEP
Before discussing the security weaknesses discovered in IEEE 802.11, we quote the aim of the Wired Equivalent Privacy (WEP) algorithm as specified in the IEEE 802.11 standard document:
"Eavesdropping is a familiar problem to users of other types of wireless technology. IEEE 802.11 specifies a wired LAN equivalent data confidentiality algorithm. Wired equivalent privacy is defined as protecting authorized users of a wireless LAN from casual eavesdropping. This service is intended to provide functionality for the wireless LAN equivalent to that provided by the physical security attributes inherent to a wired medium."
As you see, the aim of WEP is to provide a level of privacy equivalent to that of a wired LAN. The wording of standard is very important here: the developers of the standard did not intend to provide a level of security superior to or higher than that of a regular wired LAN, such as Ethernet. The very name of the algorithm, "Wireless Equivalent Privacy," signifies the actual intention of the developers. However, as the practice has shown, the level of security roughly equivalent to the level of security provided by wired LANs is not sufficient—and it is the assumption that "it is OK if wireless LANs are as secure as wired LANs" that is wrong. Other problems, such as the choice of Cyclic Redundancy Check 32 (CRC-32) instead of Message Digest Algorithm 5 (MD5) or some other secure hash algorithm, just worsen the problem.
How WEP Works
Let's now look at the workings of WEP. WEP uses a secret key shared between 802.11 nodes to encrypt 802.11 frames (Layer 2). It also uses a checksum (CRC-32) to provide data integrity. The checksum itself is also encrypted using the shared secret key. The decryption is the reverse of the encryption process: the frame is decrypted using the key and the CRC-32 checksum is computed and checked. The cipher used in WEP is RC4, a stream cipher designed by Ron Rivest, and believed to be cryptographically strong. The key is 40 or more bits long (up to 128 bits in some implementations). However, the Initialization Vector that is used during the encryption process is only 24 bits long. It is difficult to understand why the designers chose such a small number—more about this later. WEP does not provide any key management—the standard itself does not specify how the shared secret key should be managed and distributed. This leaves one of the most vulnerable parts of any cryptographic system—key distribution —open for misuse. The Borisov Goldberg Wagner Attacks (February 2001)
In their paper entitled "Intercepting Mobile Communications: The Insecurity of 802.11," Nikita Borisov, Ian Goldberg, and David Wagner describe the vulnerabilities present in WEP and attacks against it. In the introduction to their paper, they state:
"Unfortunately, WEP falls short of accomplishing its security goals. Despite employing the well-known and believed-secure RC4 cipher, WEP contains several major security flaws. The flaws give rise to a number of attacks, both passive and active, that allow eavesdropping on, and tampering with, wireless transmissions."
They go on to say that WEP fails to achieve all three of its security goals, namely confidentiality, access control, and data integrity.
As has been noted earlier, WEP uses the RC4 stream cipher with a 24- bit Initialization Vector for encryption. Borisov, Goldberg, and Wagner show that the poor design of WEP makes the system vulnerable in many areas, and one of the weakest parts of WEP is the 24-bit Initialization Vector, which may result in keystream reuse. Keystream reuse in turn permits successful cryptanalysis attacks against the ciphertext. However, what is surprising is that:
"The WEP protocol contains vulnerabilities despite the designers' apparent knowledge of the dangers of keystream reuse attacks."
Another not less important but equally poorly designed aspect of WEP is the use of CRC-32. It is known that CRCs are not cryptographically strong and are not intended to be used in place of message digest or hash functions such as MD5 or the Secure Hash Algorithm (SHA). Because of the nature of CRC, it fails to provide the required integrity protection.
Some in the industry suggest that MD5 or SHA would introduce performance penalties if used—and indeed they would—one cannot disagree. But let's not forget that CRC-32 was intended as a security measure— which it isn't—yes, it is fast, but it is also insecure. Presumably, a slower but really secure solution is better than an inadequate though fast solution.
The Arbaugh Shankar Wau Attack (April 2001)
In the paper "Your 802.11 Wireless Network Has No Clothes," [7] authors present their research of the authentication flaws in the IEEE 802.11 and demonstrate a simple eavesdropping attack against IEEE 802.11 authentication. This work is partially based on the knowledge obtained by Borisov, Goldberg, and Wagner in the paper described previously. The attack described in this work is possible even with WEP enabled; however, in that case it will also require application of attack(s) against WEP presented by Borisov et al. The authors also note that a good key management architecture would increase the security of the system; however, in their opinion only a comprehensive redesign of the standard would provide a good long-term solution to these issues.
The Fluhrer Mantin Shamir Attack (August 2001)
Scott Fluhrer, Itsik Mantin, and Adi Shamir describe a passive cipher-text-only attack against the key scheduling algorithm of RC4 as used in WEP [11]. They identify a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with nonnegligible probability. They also show that the first byte generated by the RC4 leaks information about individual key bytes. This paper in particular shows how to reconstruct the secret key in WEP by analyzing enough WEP-encrypted packets. The authors have not tried to do this in practice—others did that.
The Stubblefield Ioannidis Rubin Implementation of Fluhrer Mantin Shamir Attack (August 2001)
In an AT&T Laboratories report published on August 21, 2001 [14], Adam Stubblefield, John Ioannidis, and Aviel Rubin describe a real-world successful implementation of the Fluhrer Mantin Shamir attack using a $100 Linksys card on a Linux machine. They report that it took less than a week from ordering the card to recovering the WEP key on a production network. This practical work has shown that no expensive hardware or software is necessary in order to break WEP. They summarize that it is the poor implementation of reasonable secure technologies (such as RC4) that is responsible for WEP weaknesses.
WECA's Response
The Wireless Ethernet Compatibility Alliance (WECA) is the organization responsible for certifying compliance with the IEEE 802.11 standards. It also awards the WiFi (Wireless Fidelity ) industry mark to the products that have passed IEEE 802.11 compliance testing.
In response to the Berkeley paper, WECA has published an official statement, clarifying its understanding of the situation. The main line of this statement is that poor security is better than no security, as well as that WEP was not intended to be a panacea for all security needs. The statement correctly notes that the biggest security threat is the failure to use available protection methods, including WEP.
IEEE 802.11 Chair's Response
In response to the research made at UC Berkeley and the University of Maryland, the Chair of the IEEE 802.11 Working Group, Stuart Kerry, has published a Chair's response intended to clarify some of the issues around the security of IEEE 802.11. He denied allegations made in the media that the security weaknesses of WEP are due to the closed standardization process. In fact, because WEP is a part of IEEE 802.11, it was developed through an open process, like other IEEE standards. The IEEE 802.11 Working Group itself is open to all interested parties to participate. He also rejects the viewpoint that frequency-hopping wireless networks would be less vulnerable to security attacks. It is evident that this is not true because both hopping codes and timing are unencrypted and are available to the attacker. Reminding us that the goal of WEP was to provide a level of security comparable to wired LANs, he states that the IEEE 802.11 Working Group is currently working on improvements to WEP to incorporate better security into the next version of the standard.
IEEE 802.1X
Security in 802.11 networks can be broken down into three components: authentication framework, authentication algorithm/protocol, and encryption. IEEE 802.1X is trying to address the authentication framework part of the puzzle. Although still in development, 802.1X provides a scalable, centralized framework for authentication. 802.1X may deploy a variety of authentication protocols (currently Cisco's Lightweight Extensible Authentication Protoco l [LEAP] and Microsoft's Extensible Authentication Protocol ? Transport Layer Security [EAP-TLS] are available), and it works with both wired and wireless LANs. The widely used Remote Access Dial-In User Service (RADIUS) protocol is also used in the 802.1X framework. 802.1X/LEAP is available with the Cisco Aironet 350 Series of wireless LAN devices; EAP-TLS is supported in Windows XP. Although it is still a draft, 802.1X may one day become the solution to the authentication issues of 802.11.
IEEE 802.11i
Task Group I of the IEEE Working Group 802.11 is currently defining MAC enhancements to provide enhanced security for 802.11. This is a work in progress, and no IEEE 802.11i draft exists at the time of writing.
Cisco's Solution
Cisco Systems has responded to both papers on the security of the WEP [10]. Cisco agrees that the WEP has serious shortcomings, and states that its Aironet series of wireless networking products offers many solutions to these problems: dynamic WEP keys, secure key derivation, and mutual authentication using LEAP [13] . However, Cisco agrees that improvements are needed in the standard itself.
RC4 Fast Packet Keying for WEP
In a Document Nr 550r2, "Temporal Key Hash," submitted by Russ Housley of RSA Security and Doug Whiting of Hifn to the IEEE 802.11 Working Group, they describe a solution to the WEP problem that uses a hashing technique that rapidly generates a unique RC4 key for each packet of data sent over the wireless network. This technique addresses the performance aspect of the security solution as well—the hash algorithm used in Fast Packet Keying (FPK) is much faster than traditional hash algorithms such as MD5 and SHA1 because of the special caching approach. The IEEE 802.11 Working Group has decided to include this technique in the IEEE 802.11i as an informative document. In most cases, FPK may be implemented as a firmware upgrade for the existing hardware. It is possible that when released, IEEE 802.11i may use FPK as the solution—but this decision is yet to be made. No definite plans are announced at the time of writing. For more information, see:
http://www.rsasecurity.com/rsalabs/technotes/wep-fix.html .
Health and IEEE 802.11
Concerns about safety and health effects of various wireless solutions such as mobile phones and wireless network devices periodically surface in the media. In particular, the question of whether mobile phones are linked to brain cancer and other diseases is still open. However, in response to these concerns regarding wireless networking equipment health effects, Cisco Systems has published a white paper entitled "Cisco Systems Spread Spectrum Radios and RF Safety," which explains why these devices do not present a threat to human health when correctly used. The bottom line is that devices certified as compliant with U.S. Federal Communications Commission or Industry Canada's regulations are safe to use because of their low emitted power.
Practical Uses
Many companies, such as MobileStar, Wayport, Surf&Sip, and Airwave, have begun providing IEEE 802.11b Internet access at numerous locations throughout the United States. Several international airports also provide 802.11b service free of charge to travelers. No doubt more such services will continue to appear all over the world, maybe making a dream—Internet anywhere—a reality.
Summary
IEEE Standard 802.11 brought the long-awaited standardization to wireless LAN networking. Unfortunately, it also brought various security problems. Despite that, IEEE 802.11 is widely used, and with the coming of IEEE 802.11a, it can only gain in popularity. What now remains to be done is more effective and truly secure privacy and authentication for 802.11 wireless networks.
The IEEE 802.11 Working Group is actively working to improve what has been done to date. The most improvements are obviously needed in the area of security, where Working Groups 802.1X and 802.11i are working to define better security mechanisms. In particular, 802.11 WG is working on a new release of 802.11, which will include improvements over 802.11-1999. In the meantime, consider your wireless LAN as an external, insecure network—just like the Internet—and employ additional security measures, such as Virtual Private Networks, Transport Layer Security, SSH, and IP Security Architecture—in addition to WEP.
References
[1] IEEE Standard 802-1990: "IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture," ISBN 1-55937-052-1.
[2] IEEE Standard 802.11-1999: "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications."
[3] IEEE Standard 802.11a-1999: "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications (5 GHz)."
[4] IEEE Standard 802.11b-1999: ?Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specificiations (2.4 GHz).?
[5] "IEEE 802.11b Wireless Equivalent Privacy (WEP) Security," February 19, 2001, Wireless Ethernet Compatibility Alliance (WECA).
[6] Nikita Borisov, Ian Goldberg, and David Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11."
http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf
[7] William A. Arbaugh, Narendar Shankar, and Y.C. Justin Wan, "Your 802.11 Wireless Network Has No Clothes,"
http://www.cs.umd.edu/~waa/wireless.pdf
[8] William A. Arbaugh, "An Inductive Chosen Plaintext Attack Against WEP/WEP2," IEEE Document 802.11-01/230.
[9] J. R. Walker, "Unsafe at Any Key Size; An Analysis of the WEP Encapsulation," IEEE Document 802.11-00/362.
[10] "Cisco Comments on Recent WLAN Security Paper from University of Maryland," Cisco Systems, Product Bulletin 1327.
[11] Fluhrer S., Mantin L., and Shamir A., "Weaknesses in the Key Scheduling Algorithm of RC4," Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.
[12] Stuart J. Kerry et al, "Response from the IEEE 802.11 Chair on WEP Security," IEEE 802.11 Working Group.
http://www.ieee802.org/11/
[13] "Cisco Aironet Security Solution Provides Dynamic WEP to Address Researchers' Concerns," Cisco Systems, Product Bulletin 1281.
[14] Adam Stubblefield, John Ioannidis, and Aviel Rubin, "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, Revision 2," AT&T Laboratories Technical Report TD-4ZCPZZ, August 21, 2001.
EDGAR DANIELYAN is a Cisco Certified Network, Design, and Security Professional, as well as member of IEEE, ACM, USENIX, SAGE, and the IEEE Computer Society. Currently self-employed, he consults and writes on internetworking, UNIX, and security. His book, Solaris 8 Security, was published by New Riders Publishing in October 2001. The author is not affiliated with any of the organizations (except the IEEE) mentioned in this article.
E-mail: edd@danielyan.com
1635
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
