Suppose I have a picture that I have been given. This picture is not something that the owner wants shown to the world, so they have given me a list of people who can see it. When someone wants to see it I ask them who they are, and if their name is on the list I show it to them. However, this plan is not working out that well, so the owner decides to add some requirements. Now when someone wants to see the picture they have to show ID. Still, people are getting around that with fake IDs, so now the owner gives out a special code word that is unique to each person while still maintaining the requirement for ID. To make things even more secure I have a picture of each person and a copy of their ID. What I have described here is a very simple explanation of the way that some of the different levels of encryption work, from the very basic to much more complex routines. In this article we will be talking about encryption as it relates to wireless access points, and we can tell you up front you will be surprised at how insecure some of them are.
Now I apologize to anyone who is actually a cryptographer; my grossly simplistic example above is probably giving you fits. Still, it fits the definition of encryption: the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read them, but authorized parties can. Encryption is used to protect your data from unauthorized access. In wireless communications this means preventing someone from grabbing your packets out of the air and reading them. Of course nothing is uncrackable, so if you can encrypt it someone can find a way to decrypt it. Still, there are options available in even the cheapest wireless devices that can protect you from casual eavesdropping; all of them have good points and bad points in their use and configuration. We will kick things off with one of the oldest, Wired Equivalent Privacy (WEP).
WEP was originally thought to give you the same privacy as a wired network (as the name implies). When you set it up you create a shared key that is between 10 and 58 hexadecimal digits. There are three levels of WEP: 64-bit (WEP-40), 128-bit (WEP-104) and 256-bit (WEP-232); the number after WEP represents the bit length of the key. An added initialization vector (IV) that is 24 bits long is joined to the personal key to make up the entire WEP key. The end user does not see this, but ends up entering a series of ASCII (regular text) characters to generate the actual key. In WEP-40 you enter 5 characters, for WEP-128 you enter 13, and so on. The way WEP works is simple: when a client tries to connect, the access point sends back a message in plain text for the client to encrypt and return. If the client encrypts the message properly you get in. If not, you are denied and have to try again.
Unfortunately WEP’s simplicity is also a weakness. Despite the length of the key (even with 256-bit WEP), the 24-bit IV is static for each device. This means that if you can capture enough traffic you can recover the key based on the repetition of packets on the network. It is estimated that the IV repeats every 5,000 packets when using WEP-40 and every 40,000 when using WEP-128. This makes it very possible to crack open a WEP network in a very short time. There are multiple tools on the internet available to do this, and some can even run on your average smart phone. The record for cracking open WEP on a busy network is about 2 minutes. Now before you say “my home network is not busy,” think of how often you view YouTube, Netflix, Hulu or other streaming media over a wireless connection. Even the simplest home network now sends a large amount of traffic over the air. In other words, WEP is not a good choice for anyone who wants to secure their network. In fact the use of WEP in a wireless network was the root cause of more than a few corporate network penetrations.
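To make the WEP mechanics described above concrete, here is an added Python example (not code from the original article) that builds a WEP frame the way the text describes: the 24-bit IV is prepended to the 5-byte (WEP-40) or 13-byte (WEP-104) user key to seed RC4, a CRC-32 integrity check value (ICV) is appended, and the shared-key handshake encrypts the access point's plaintext challenge. The last function shows why a repeated IV matters: two frames under the same IV share one keystream, so their ciphertexts XOR to the XOR of the plaintexts with no key involved. All function names are my own.

```python
import os
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling, then `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV || key) XOR (plaintext || CRC-32 ICV).
    `key` is the 5-byte (WEP-40) or 13-byte (WEP-104) secret the user typed."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + icv, ks))

def wep_decrypt(key: bytes, frame: bytes):
    """Strip the IV, regenerate the keystream, and return the plaintext only
    if the CRC-32 ICV verifies (None otherwise)."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None

def shared_key_auth(ap_key: bytes, client_key: bytes, challenge: bytes) -> bool:
    """The AP sends `challenge` in the clear; the client returns it WEP-encrypted
    under a fresh IV; the AP admits the client only if it decrypts correctly."""
    response = wep_encrypt(client_key, os.urandom(3), challenge)
    return wep_decrypt(ap_key, response) == challenge

def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share one keystream, so XOR-ing their
    ciphertexts cancels it and leaves p1 XOR p2 without the key."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return bytes(a ^ b for a, b in zip(c1, c2))[:min(len(p1), len(p2))]
```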
Moving up the chain we come to WPA (Wi-Fi Protected Access). WPA and its follow-on WPA2 were responses to the problems found in WEP. They were meant to ensure your wireless data is kept secure during transmission. Unlike WEP, WPA did not use a static key. Instead it uses something called TKIP (Temporal Key Integrity Protocol); with this, the system generates a new 128-bit key for each packet to defeat the pattern recognition technique used to break WEP. WPA also got away from using CRC (Cyclic Redundancy Check) for packet integrity, as CRC was not strong enough to spot spoofed packets in transmission. Instead WPA used a new method intended to provide a better mechanism for preventing spoofed, resent and captured packets. However, it was discovered that even this new method and TKIP were not secure, and both were quickly penetrated and broken. Thankfully the original WPA was only meant as a temporary solution until the more robust WPA2 came out. In fact some of the core components of WPA were taken from failed attempts to strengthen WEP and contained many of the flaws that doomed the original.
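As an added example (not from the article), the following Python audits what an access point advertises in its beacon frames and flags the modes the article describes as broken: the Privacy capability bit with no RSN or WPA element means WEP, the vendor-specific element with OUI 00-50-F2 type 1 means the original WPA, and the RSN element (ID 48) means WPA2, with TKIP or WEP cipher suites flagged even when they appear under WPA2. The sample beacons are constructed inline, not captured from any network, and the function names are my own.

```python
import struct

# Cipher suite type byte (last byte of the 4-byte suite) for OUIs 00-0F-AC and 00-50-F2.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
PRIVACY_BIT = 0x0010  # beacon capability bit 4: data frames are encrypted

def parse_ies(data):
    """Split tagged parameters into (element id, payload) pairs."""
    ies, pos = [], 0
    while pos + 2 <= len(data):
        eid, n = data[pos], data[pos + 1]
        ies.append((eid, data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return ies

def cipher_suites(body):
    """Layout: version(2) | group suite(4) | count(2) | pairwise suites(4 each)."""
    group = CIPHERS.get(body[5], "unknown")
    count = struct.unpack_from("<H", body, 6)[0]
    pairwise = [CIPHERS.get(body[11 + 4 * i], "unknown") for i in range(count)]
    return group, pairwise

def classify_beacon(body):
    """Name the security mode an AP advertises and flag what this article calls broken."""
    capability = struct.unpack_from("<H", body, 10)[0]
    rsn = wpa = None
    for eid, payload in parse_ies(body[12:]):
        if eid == 48:                                              # RSN IE -> WPA2
            rsn = payload
        elif eid == 221 and payload[:4] == b"\x00\x50\xf2\x01":    # WPA vendor IE
            wpa = payload[4:]
    if rsn is not None:
        mode, (group, pairwise) = "WPA2", cipher_suites(rsn)
    elif wpa is not None:
        mode, (group, pairwise) = "WPA", cipher_suites(wpa)
    elif capability & PRIVACY_BIT:
        mode, group, pairwise = "WEP", "WEP", []
    else:
        mode, group, pairwise = "open", "none", []
    weak = mode != "WPA2" or "TKIP" in pairwise or group != "CCMP"
    return {"mode": mode, "group": group, "pairwise": pairwise, "weak": weak}

def beacon(capability, ies):
    """Constructed beacon body: 8-byte timestamp, interval, capability, then IEs."""
    return bytes(8) + struct.pack("<HH", 100, capability) + ies

# Constructed sample IEs: WPA2 with CCMP/PSK, and original WPA with TKIP.
RSN_CCMP = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA_TKIP = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
```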