No question that interest in wireless technology is on the rise, even for industrial uses. Experts predict the worldwide market for wireless devices in discrete manufacturing will grow 16% annually over the next five years. But the security of these networks is a mounting concern.
One problem with wireless security has been a proliferation of shareware that can discover the “key” used to authenticate users over a wireless link. Rogue users have been able to employ this shareware and fake an authentication, ultimately getting access to the network itself.
Another difficulty has been with networks whose main means of identifying legitimate network hardware is the MAC (Medium Access Control) address assigned by the hardware manufacturer. It is also possible to find shareware able to “spoof ” MAC addresses and thereby gain access to network facilities.
Who, What, Where
Authored by Vishal Kakkad Lantronix Inc. Irvine, Calif.
Edited by Leland Teschler
In a nutshell
The newest generation of wireless devices are secure. Problems arise when new devices get put into old networks.
Modern networks can employ measures that easily thwart such primitive attempts to breach security. But there are still problems that arise from the fact that many wireless installations have grown like topsy: New links with top-notch security protocols may be add-ons to older segments vulnerable to various kinds of attacks. So it pays to know a few things about widely adopted security measures, particularly those that have not been bulletproofed.
Security methods for embedded systems have evolved to incorporate new protocols that address weaknesses of predecessors. The preferred approach today is to not depend on one means of security. Instead, networks combine security protocols, implementation frameworks, and encryption methods to safeguard any wireless environment. All in all, the newest techniques make it safer than ever to deploy embedded devices for remote monitoring.
It is useful to review how wireless security methods have evolved from the early standard, called WEP, to the current standard, called WPA2.
WEP, the first security scheme for wireless networks, stands for Wired Equivalent Privacy. It was part of the original IEEE 802.11 specification for wireless LANs defined in 1999, which also introduced an authentication scheme called Open System/Shared Key. Authentication here means making sure a user on the network is indeed who he claims to be.
There was an update to the standard in 2001, but commercial deployment of WEP only really gathered steam in the 2000 to 2002 time frame. It was widely used within enterprise environments and for personal use. And many enterprises haven’t bothered to replace WEP despite its well-known vulnerabilities.
The Open System Authentication feature of 802.11 lets a network client identify itself only with its MAC address. To authenticate that the MAC address sent is real, Shared Key Authentication employs a four-step challengeresponse handshaking process. It used a WEP encryption key as a means of authentication. The shortcoming of this method is that it’s possible to find shareware able to do the cryptoanalysis needed to determine the WEP key. That’s because WEP’s 24-bit IV (initialization vector) is too short. With a busy network, the IVs could reoccur in the 802.11 frames within an hour or so. This results in the transmissions of frames that are too similar. If a hacker can collect enough frames based on the same IV, he/she can determine the shared secret key. And WEP uses a static key, so a hacker who gets the key can decrypt any of the 802.11 frames from that point onwards.
There is another problem with WEP. It checks message integrity by calculating a CRC-32 checksum on the unencrypted bytes in the payload and then encrypting that value with the WEP key. But it is relatively easy for a hacker to change the bits in the encrypted payload. The receiving node wouldn’t notice that the contents of the frame were modified.
A point should be made about encryption keys. They are analogous to the PIN on a bankcard; it’s not wise to leave them out in public. With WEP they must be distributed over a secure channel outside 802.11 to remain protected. WEP does not provide any mechanism to refresh the encryption keys nor does it provide any protection against replay attacks, where previously captured frames can be used to hack into the wireless network.
Wireless 802.1x is another security protocol originally designed for Ethernet networks and adapted for use on wireless LANs. The three main elements of wireless 802.1x are an authenticator, a supplicant, and an authentication server. Wireless clients act as supplicants, i.e., nodes asking for access to other clients on the network. An authenticator verifies their credentials. A LAN port can act as an authenticator, a supplicant, or both. The authentication authority is typically a Remote Authentication Dial-In User Service (Radius) server. Radius is just a networking protocol that provides centralized access, authorization and accounting management for connection to a network service. It can determine permissions between authenticators and supplicants.
While 802.1x addresses many security shortcomings of the original 802.11 standard, it unfortunately perpetuates many WEP weaknesses.
Wi-Fi Protected Access (WPA) was introduced to address the vulnerabilities in WEP and the 802.11 security standard. WPA is meant to provide a software-upgradeable path for WEP wireless users. It can be viewed as an intermediary step that lets existing systems upgrade without adding new hardware.
WPA became available in 2003 and started seeing large deployments in the next two years. And many networks still use WPA. This is especially true for industrial networks where changes are at a much slower pace than in offices.
WPA uses a two-phase authentication process. It combines the open-system authentication of 802.11 with mandatory use of 802.1x to authenticate individual users or computers. The 802.1x phase of the authentication either uses Pre-Shared Keys (PSK) for small networks or Extensible Authentication Protocol (EAP) for larger networks that include a Radius server. Pre-Shared Keys are basically passwords shared over a secure channel prior to their use. I’ll explain EAP a bit later in this article.
WPA also incorporates use of the Temporal Key Integrity Protocol (TKIP), an improvement over WEP. One strength of TKIP is its use of a different key for each packet sent. Keys get generated through a mixing of the transmitting MAC address, packet number, and several other items. Included also is an 8-byte Message Integrity Code (MIC), a piece of information used to authenticate a message. The MIC is calculated and placed in the 802.11 frame.
A frame counter field in the 802.11 MAC header protects against a replay attack, where an attacker tries to copy valid packets and make them look like new data. Additionally, there is a set of four pairwise 128-bit temporal keys derived from the Master Key (either PSK or via EAP) for each client communicating with a wireless access point. And WPA also provides the option of replacing the TKIP algorithm with the even stronger Advanced Encryption Standard (AES) algorithm.
The 802.11i standard — new security architecture from IEEE for wireless networks — was published in June 2004. It formally replaces the security features of the original IEEE 802.11 standard. Wireless equipment that is compatible with the 802.11i standard carries what is called WPA2 product certification. So now IEEE 802.11i/WPA2 is the preferred option for wireless security.
WPA2 takes the security offered by WPA a step further. Like WPA, WPA2 uses a two-phase authentication process and a key management protocol. It derives mutual pairwise master keys using the EAP or PSK authentication processes, and a fourway handshake calculates pairwise transient keys — similar to WPA. WPA2 makes mandatory an encryption protocol called CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP uses the AES algorithm.
With all its security infrastructure, WPA2 would require renegotiating the security associations every time a station moves its association to a different access point. This has obvious ramifications for mobile wireless users. So WPA2 defines a mechanism to speed up this process during stream roaming. Replay protection is via a packet number field in the wireless frame and is incorporated into the encryption and MIC calculations.
Unfortunately pure 802.11i networks are few and far between. That is because it takes hardware to implement the demanding security protocols the standard mandates. So most deployments are a hodgepodge mix of the WPA and 802.11i schemes.
The best security infrastructures call for measures beyond what any single standard provides. So the practice has been to combine protocols to enhance security features. Several acronyms crop up in explanations of wireless security. They include AES, CCMP, and EAP, all protocols in this area.
AES (for Advanced Encryption Standard) is the only algorithm available to the public that the NSA (National Security Agency) deems strong enough for secret documents. The AES algorithm is a substitution permutation network (basically, a series of mathematical operations that transform blocks of input bits into output bits). It uses a key of 128, 192, or 256 bits. This length is considered cryptographically long. AES is one of the most widely used algorithms for symmetric key cryptography, and the cipher has not been broken.
AES uses Counter Mode Cipher Block Chaining-Message Authentication Code, CBC-MAC. As the name implies, it constructs a message authentication code using a counter and block cipher. Here, a counter is a function that generates a sequence that doesn’t repeat for a long time. A block cipher takes a fixed length of bits (a block) and transforms it into another block using a secret key (from the counter). The message is encrypted to create a chain of blocks such that each block depends on the proper encryption of the block before it. This interdependence ensures that a change to any of the plain-text bits will change the final encrypted block in a way that cannot be predicted or counteracted without knowing the key.
CBC-MAC produces a MIC (Message Integrity Code) that authenticates the origin of the data and serves as a check of data integrity for each wireless frame. CBC-MAC also includes a 48-bit initialization vector. The recipient must know the IV to decrypt the information. These measures give a means of protecting against replay attacks where an attacker replays old transmitted data as if it were genuine. These operations are all implemented within the Wireless MAC layer of the network model.
EAP (Extensible Authentication Protocol), despite its name, is not a single protocol. It is actually a means of negotiating the desired authentication mechanism and other functions. EAP defines the message format while individual authentication mechanisms used with EAP determine the details of the encryption. For example, wireless sessions using TKIP or AES encryption can get their pairwise master keys by authenticating and verifying the client and server through EAP.
The value of EAP is that it can be used to support different authentication schemes. This provides the means to allow for the deployment of new and more secure authentication methods as they emerge, without changing the infrastructure. EAP is implemented above the MAC layer as a port control function that manages the authenticated state of a wireless interface.
WPA and WPA2 employ 802.1x authentication with EAP. For each authentication both protocols create a new starting pairwise master key (PMK). The encryption key changes for each frame passing between the access point and client. Earlier security measures used a PMK that remained the same over an entire session and which was considered a weak point.
Though EAP can accommodate different authentication methods, it is possible for the entire EAP conversation to be sent unencrypted. This lets a malicious user inject packets into the EAP conversation or capture EAP packets for cryptoanalysis. Such a setup is especially problematic for wireless schemes because a rogue user can tap into the data stream from outside the premises.
There are several variations on EAP that can address this issue. All variations first create a secure channel with TLS (Transport Layer Security). TLS uses a Public Key Infrastructure (PKI), an arrangement that lets users having no previous contact with each other get authenticated through use of a data certificate issued by a trusted third party. EAP can negotiate within this TLS session to authenticate someone wanting access. This sequence allows use of password-based authentication protocols, which are otherwise susceptible to interception.
A variation on EAP called Tunneled EAP provides a cryptographically protected wrapper within which other protocol elements can be exchanged. It comes in a variety of flavors such as EAP-Transport Layer Security (EAP-TLS), EAP-Tunneled Transport Layer Security (EAPTTLS), and Protected Extensible Authentication Protocol (PEAP). Each has its own benefits and optimal deployment scenarios.
EAP-TLS is universally supported and is one of the most secure EAP authentication methods available. The downside of this transport-layer security method is the overhead associated with maintaining both clientside and server-side authentication certificates to establish TLS sessions. Smart cards and tokens are supported in EAP-TLS, and these can be built into remote embedded systems for unquestioned identification.
EAP-TTLS authenticates the server by a certificate and establishes the tunneled EAP session. The client can then use this secure, encrypted tunnel to authorize users and to acquire dynamic Pairwise Master Keys. EAP-TTLS also reduces the overhead in creating and distributing client-side certificates, making it particularly well suited for scalable deployment.
PEAP is another form of Tunneled EAP that operates like EAPTTLS. But it is deployed in environments that run Windows Internet Authentication Server (IAS) because IAS doesn’t support EAP-TTLS. Like EAP-TTLS, PEAP prevents eavesdropping and reduces the overhead of installing and processing individual client certificates. PEAP is scalable for systems with any number of users and defends password-based EAP methods from attacks.
Secure remote monitoring
OEMs can now incorporate networking into controls and other remote resources fairly easily. But there is no single security template that suits all deployments. Fortunately, systems that pair EAP methods with WPA and WPA2 provide a security architecture that scales well and can handle remotely monitored networks.
Any electronic device with a serial connection can be plugged into a wireless adapter with minimal software adjustments. This is a scalable way to create centralized secure access and control. For security, these adapters use AES encryption. It is also possible to institute additional defense mechanisms in the devices connected to the adapter. For example, common techniques include turning off nonessential network services and using standard network protocols like SSH (secure shell) and SSL (secure socket layer). These protocols are widely used for command line and browser access, respectively.
Today’s advanced data-security methods let companies deploy wireless connectivity and embed remote monitoring in end devices with confidence. Networking gear now comes with IEEE 802.11i-PSK (AES-CCMP) or WPA-PSK (TKIP) protocols built in. These protocols offer the highest levels of wireless security with optional support for superstrong 256-bit AES encryption and standard connection protocols like SSH and SSL.
In that sense, 802.11i/WPA2 is the preferred deployment protocol. Its infrastructure provides scalability and a level of security that goes beyond what was provided by the original 802.11 standard and WEP. But if that’s not possible, it’s best to incorporate a WPA network that can be deployed on older hardware as a minimum.