A new paper by a leading security expert says that the new Wi-Fi Protected Access (WPA) security standard may be less secure, in certain scenarios, than WEP, the wireless standard it was designed to replace.
In the paper, "Weakness in Passphrase Choice in WPA Interface," Robert Moskowitz, a senior technical director at ICSA Labs, part of TruSecure, describes a number of problems with the new WPA standard, including the ability of attackers to "sniff" critical information from wireless traffic and to discover the value of a wireless network's security key.
New and Improved?
WPA is a new security standard based on work by the Institute of Electrical and Electronics Engineers (IEEE) on the 802.11i wireless security standard.
WPA is intended to replace Wired Equivalent Privacy (WEP), the most common standard for securing data on wireless networks. WPA offers a number of security improvements over WEP, including better data encryption and the ability to authenticate users on large networks using a separate authentication service such as Remote Authentication Dial-In User Service, before allowing them to join the network, according to the Wi-Fi Alliance, a wireless industry group.
The problems with WPA center on the use of Pre-Shared Keys (PSKs), which are an alternative authentication tool for small businesses and home users that do not want to use a separate authentication server and full 802.1x key infrastructure, according to Moskowitz, who helped design the 802.11i wireless security standard and WPA.
As with WEP, wireless users can use passphrases for the PSK, which can range from 8 to 63 bytes. Most wireless equipment makers allow only a single PSK to be used on a wireless network, Moskowitz said.
Open to Attack
Moskowitz writes that the method that WPA devices use to conduct "handshakes," or exchanges of information that are used to generate data encryption keys for wireless sessions, allows attackers who do not know a PSK to guess it using what is known as a "dictionary" attack.
In dictionary attacks, attackers capture (or "sniff") wireless network traffic in transit between the access point and the wireless workstation, then use specialized software programs to guess the key.
Other wireless security standards are also vulnerable to such attacks. WEP keys have long been known to be insecure. More recently, a security expert showed that Cisco Systems' Lightweight Extensible Authentication Protocol (LEAP) standard is vulnerable to dictionary attacks too.
However, attackers who want to compromise WEP and LEAP need to harvest large quantities of network traffic before they can decipher the passphrase. In contrast, WPA requires them to capture only four specific packets of data, Moskowitz said.
Passphrases with fewer than 20 characters are unlikely to withstand a dictionary attack, and attackers who miss those four packets in transit can easily trick a wireless access point into doing a new "handshake" and sending the packets to the attacker again, he said.
Attackers who already know the PSK and have joined a wireless network as trusted members could further exploit shortcomings in the WPA handshake to guess another user's unique "session key," which would enable them to listen in on that user's wireless session, capturing information they were sending out on a corporate network or to the Internet, Moskowitz said. That could spell trouble for corporations that allow contractors or other trusted third parties onto their wireless networks, he said. The key is to use strong passwords--preferably longer than 17 alphanumeric characters, he said.
Organizations using WPA with Pre-Shared Keys should also consider using a random number generator to create passphrases, rather than making them up, he said. However, companies that are deploying WPA with an authentication server have little reason to be concerned, because they do not use Pre-Shared Keys, according to Michael Disabato, senior analyst at The Burton Group. For other users, the Moskowitz paper should not cast a shadow over WPA, he said.
"WPA is doing what it's supposed to do, providing you do what you're supposed to do and enforce secure passwords," he said.
Still More Secure
Both Disabato and Moskowitz agreed that WPA was far more secure than the earlier WEP standard, even considering the issues raised by Moskowitz's paper. However, Moskowitz did take issue with wireless networking equipment makers' implementation of WPA.
The shortcomings surrounding Pre-Shared Keys discussed in the WPA paper were acknowledged in the 802.11i standard documents. In their rush to offer WPA in their products, wireless equipment makers like Linksys Group (now owned by Cisco) did little to address the issues with tools to make it easier to generate secure PSKs, Moskowitz said.
Other problems--such as the requirement, with some wireless products, that all wireless users share the same PSK on a network, or the decision to have wireless access points broadcast the fact that they are using PSKs instead of authentication servers--just make the job of compromising such networks easier, he said. Moskowitz's paper is circulating informally on the Internet, but an official copy will soon be available on the TruSecure Web site, he said.