As attacks on wireless systems become more prevalent, the need to secure WPA is imperative.
There's no doubt about it, it's been an interesting time for WiFi recently. First we had a new version of the well-respected Elcomsoft password cracking suite which, by clever use of modern graphics processors, provided a major speed increase, widely (but wrongly) reported as being the end of wireless security. Then there was the annual RSA wireless security survey showing the usual depressing picture of apparently insecure corporate networks. Then tantalising hints of a new attack on WPA-TKIP emerged, one of the popular WiFi encryption schemes.
The original wireless encryption scheme, WEP, is well and truly broken in the “off the shelf tool” sense. WEP cracking using the PTW attack takes tens of seconds (two minutes worst case) to crack a full strength WEP key, and demos are readily available from security vendor pre-sales technical guys. The original paper (http://eprint.iacr.org/2007/120.pdf) is a great read for crypto geeks like me.
When WEP died, or was at least condemned, the industry faced a big problem. There were millions of WEP-supporting WiFi products in the market with a need for a stop-gap solution. The result of this was WPA-TKIP, also known as WPA1. The details are somewhat complex, but WPA1 was a masterpiece of engineering, addressing all the known issues with WEP while maintaining compatibility with the existing hardware (like WEP, WPA1 uses the RC4 cipher that was implemented in most WiFi hardware). WPA1 provided valuable breathing space as a temporary solution while newer products with better crypto were used.
All well and good. Like all crypto, though, the real problem is key management and WPA1 is still susceptible to weak keys (if you can remember your WPA1 pass phrase there's a pretty good chance it can be broken).
So a cottage industry arose to provide brute force attacks against WPA1 keys. These were easier than with WEP due to quirks of the protocol, but WEP was so easy to beat that brute force dictionary attacks were unnecessary.
Recently, Elcomsoft announced a new version of its brute force software that promised major speed increases by combining distributed processing and using the latest graphics processors as number crunchers (this is a growing trend; Sony Playstation 3s are particularly popular due to their very fast Cell processors). This was hyped by some consultants as the end of WPA1 security.
Apparently these consultants are not particularly good at maths. Each 100-fold increase in cracking speed can be mitigated by adding a single random character to the pass phrase. Smart implementors already have a full-strength random pass phrase, well out of the realistic brute force range, and most corporate versions are immune. So while the new software is impressive and useful, it doesn't make WPA1 as dead as WEP, but is maybe just a flesh wound (apologies to Python fans).
Ironically though, by the time you read this, WPA1 may be broken. The upcoming PacSec 2008 conference has an intriguing paper listed by Erik Tews called: “Gone in 900 seconds, some Crypto issues with TKIP/WPA”. Tews is the “T” in the PTW attack on WEP, so it will be interesting.
No details were available at the time of writing, but based on past performance you can expect a clever attack on the underlying encryption rather than smoke and mirrors. The smart money is on some resurrection of the RC4 “weak key” problem.
Fortunately, there are solutions already in service. WPA2 uses the AES cipher, so will probably not be affected. Early discussions suggest that WPA1 may be “fixed” by re-keying every couple of minutes, – impractical for many implementations. But systems running a strong VPN underneath the WiFi encryption will still be safe.
One of my friends observed: the problem with temporary solutions like WPA1 is that they often become permanent. While WPA1 was a masterful engineering fix, it was meant to be temporary. Its continued prevalence in the presence of newer WPA2 systems make it, and us, a victim of its own success, it would seem.
Nick Barron is a security consultant. He can be contacted at email@example.com