S 2.384 Selection of suitable crypto-methods for WLAN
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT, IT Security Officer
To guarantee secure operation of a WLAN, it is necessary to completely secure the communication over the wireless interface. Without adequate encryption, there is a risk that unauthorised persons could read the data transmitted over the WLAN. Likewise, an inadequately protected WLAN offers a point of attack to any LAN it is connected to. Furthermore, the integrity of the data must be ensured so that manipulations to these data can be detected. Use of a (mutual) authentication procedure among the WLAN components is also important.
In the IEEE 802.11 and 802.11i WLAN standards, various cryptographic methods are described which can be used to secure a WLAN. They must be selected and applied depending on the area of application, required protection level, and size of the organisation.
Wired Equivalent Privacy (WEP)
WEP is the oldest and most common encryption standard for WLANs and is described in the IEEE 802.11 standard. WEP only offers an absolute minimum of protection against unintentional reading of data and accidental logins.
WEP is currently considered to be outdated and insecure since a number of security gaps have been found. WEP should therefore be considered unsuitable for use in securing WLANs and should not be used any more.
If no other cryptographic methods other than WEP are available and the WLAN components will continue to be operated anyway, then WEP should be activated. In this case, the maximum key length should be selected and the key should be changed regularly by hand (at least once per day). Such a decision is to be documented, and all users of the WLAN must be informed of the decision. Such an inadequately secured WLAN may only be used in uncritical areas, for example when it is only used to access the Internet. It must be ensured, though, that no sensitive data is transmitted over the WLAN or is accessible over its connected WLAN components when the WLAN has only been secured using WEP.
WPA, WPA2, and IEEE 802.11i
IEEE 802.11i is considered to be the new security standard for WLANs, parts of which correspond to Wi-Fi Protected Access 2 (WPA2) from the Wi-Fi Alliance. In contrast to WPA, which corresponds to Draft 3.0 of IEEE 802.11i and which was also published by the Wi-Fi Alliance, WPA2 and IEEE 802.11i use the Advanced Encryption Standard (AES) as the encryption algorithm. In WPA, just like in WEP, RC4 is still used as the encryption algorithm. Both WPA and WPA2/IEEE 802.11i provide additional protection using the optional Temporary Key Integrity Protocol (TKIP) through dynamic key generation.
Furthermore, in WPA2 and IEEE 802.11i the use of CCMP as the implementation method for AES is prescribed to ensure integrity.
If possible, a WLAN should be secured everywhere and consistently using WPA2 and CCMP (but at least WPA with TKIP) since they use stronger algorithms for encryption and ensuring integrity. Weaker methods are unacceptable according to the current state of the art.
Pre-shared keys (PSK) can be used for user authentication. These keys are used the first time a connection is established for the purpose of providing authentication to another WLAN component. If pre-shared keys are used, then it must be ensured that the keys are significantly longer than the usual six to eight characters since the security of the encrypted data depends on the key length. This method is only practical, though, for small WLAN installations; an EAP method according to IEEE 802.1X should be used for large WLANs.
The following table provides a better overview of the various security mechanisms:
WEP | WPA | 802.11i (WPA2) | |
---|---|---|---|
Encryption algorithm | RC4 | RC4 | AES |
Key length | 40 or 104 bits | 128 bits (64 bits for authentication) | 128 bits |
Key | Static | Dynamic(PSK) | Dynamic¿(PMK) |
Initialisation vector | 24 bits | 48 bits | 48 bits |
Data integrity | CRC-32 | MICHAEL | CCMP |
TKIP and CCMP
The Temporary Key Integrity Protocol (TKIP) is based on WEP as a downward-compatible solution, but it does not eliminate its main weaknesses. For TKIP, IEEE 802.11i solved the problem of poor integrity checks in WEP through the additional use of the MICHAEL method (for checking message integrity). TKIP and MICHAEL should be understood as temporary solutions.
CCMP stands for CTR Mode (Counter Mode) with CBC-MAC Protocol (Cipher Block Chaining Message Authentication Code). In this case, the plain text is not encrypted directly with AES, but instead with a counter formed from the symmetric key. The actual result of the encryption is then obtained by XOR-ing a block of the plain text with the AES-encrypted counter. In addition, the Cipher Block Chaining method (CBC) is used to ensure data integrity.
The use of IEEE 802.1X is required in this case to manage and distribute the keys. A key length of 128 bits is used in IEEE 802.11i.
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol (EAP) according to the IEEE 802.1X standard can be used for additional protection of the authentication procedure. EAP is described in detail in RFC 3748. In this case, the user logs in to an authentication instance, e.g. a RADIUS server, and this instance checks for access authorisation before handing over the session key. EAP supports a series of authentication methods, and so certificates and two-factor authentication procedures can also be used.
EAP methods which can be used in a WLAN include, for example:
- EAP-TLS
In EAP-TLS, which is defined in RFC 2716, mutual authentication is performed based on X.509 certificates. For authentication, the partner to be authenticated must prove that it knows the private key corresponding to the public key known by its communication partner. Subsequently, methods must be established to distribute and manage the corresponding certificates. The establishment and operation of a Public Key Infrastructure (PKI) requires careful planning (see for example S 2.232 Planning the Windows CA structure in Windows 2000 and higher). The keys themselves are exchanged over a tunnel secured using TLS. - EAP-TTLS
In EAP-TTLS, in contrast to EAP-TLS, the WLAN client does not have to possess its own certificate. Only the server needs a valid certificate in EAP-TTLS. Using a tunnel secured with TLS, other possibly less secure methods can be used for client and/or user authentication. EAP-TTLS is, like EAP-TLS, a key-generating method, i.e. a new session key is created every time a communication link is established. - EAP-PEAP
EAP-PEAP is also a key-generating method and, similarly to EAP-TTLS, only the authentication server requires a valid X.509 certificate. In contrast to EAP-TTLS, though, only other EAP methods can be used for client authentication in the secured tunnel such as EAP-MSCHAPv2 or EAP-TLS, for example. In this case, combination with EAP-MSCHAPv2 is interesting for networks which primarily use Windows 2000 or Windows XP as the client operating system since this method is supplied with the operating system.
Additional EAP methods are described in the IEEE 802.1X standard or in the Secure WLAN technical guideline from BSI.
In general, for larger installations it makes sense to implement EAP user authentication according to IEEE 802.1X.
Modern WLAN components support IEEE 802.11i, and therefore already support WPA2. When purchasing new WLAN components, always check beforehand to see if the components also support the corresponding EAP methods.
Key management
The cryptographic keys used to protect communications or for authentication must be changed regularly (see S 2.388 Appropriate key management for WLAN).
For all WLAN components, it must be ensured that they do not accept any cryptographic methods with a lower level of protection than the selected method when establishing a connection to other WLAN components. Connections to such components must be rejected.
Review questions:
- Has an adequate encryption standard been implemented?
- Use of WEP: Does the quality of the passwords used conform to the current state of the art?
- Use of WEP: Are the passwords/keys changed regularly (at least once per day)?
- Use of WEP: Has the decision on the use of WP been documented?
- Use of WEP: Is the use restricted to uncritical areas?
- Use of WEP: Has it been ensured that no sensitive data is transmitted?
- Is there a regulation governing the use of algorithms and procedures that conform to the current state of the art?
- Use of pre-shared keys (PSK): Does the quality of the passwords/keys used conform to the current state of the art?
- Are EAP methods used for additional protection of the WLAN?