Tuesday, August 1, 2006

Lock up your bits!

Since the blogging community is probably a bit more likely than most folks to have a wireless network at home I figured that you all might find the following story to be of some interest. Even if the story is not interesting enough to read, don't miss the moral at the end.

I get to help folks set up wireless networks quite often, and the last, and most important step is usually to make it secure. Generally nobody wants to have uninvited guests using their wireless network to get on the internet or to eavesdrop on their communications. The mechanism that usually serves to secure a wireless network is an encryption protocol called WEP (for Wired Equivalent Privacy). To use WEP you define a 'key' on your wireless router, and then every wireless client needs to use the key to get access to the network (either to use the network or to read the data packets carried on the network). This WEP key is a hexadecimal number either 10 or 26 characters long (comprising either 40 or 104 bits).

As in most cryptography the length of the key determines the strength of the encryption - more bits means more possible passwords, more possible passwords means more passwords to have to guess if you want to try to guess the password. This brute force guessing is the only way to break a good encryption system, and it can take a long time, even if you can guess quite a lot of passwords per second. A typical PC can guess and test fast enough to try all possible 40-bit passwords in 40 or 50 days, so a good 40-bit system is reasonably secure. Moving up to a 104-bit key increases the time required to try all possible passwords to something like 10,000,000,000,000,000,000 years - plenty safe for most email.

Unfortunately, it is widely known that the WEP protocol is poorly designed and has flaws that allow other methods of cracking the key that do not require the use of brute force guessing of all possible passwords. For this reason it doesn't make too much difference whether you use a 40-bit or a 104-bit key, as the flaws are the real weakest link, not the size of the password. Therefore I generally recommend that people not bother with a 104-bit key and just use a 40-bit key to keep the honest folks out. It can be a real pain to use a 104-bit key and have to use (and remember) a 26 digit hex password.

However, I was curious if this really was the case - is it really that easy to crack a WEP key using the tools that exploit the known weakness? I'd hate to be suggesting not using a strong password if it really would help. So I decided to try a little test and see if I could break into my own wireless network.

The tools that can deduce a WEP key require a sample of encrypted packets to work on. These tools can gather the packets and then work on finding the key. The trick is that it takes about a million packets to be sure to find the key. A million packets amounts to quite a bit of data. I started collecting packets with the cracker and then made my network busy so that there would be packets to collect. I spent the next hour or so downloading hi-def movie previews, several hundred megabytes in all, before I had collected close to a million packets. I then had the cracker do its work, and in under a minute it told me the correct key for my network. Pretty scary, but normally it would be rather inconvenient for a hacker to wait around for a million packets to float by - if I were not trying to move as much data as possible this would have taken several days with my normal network traffic. Still, in the end it takes a lot less time to deduce the key to a wireless network than one would expect from the size of the key - WEP truly is flawed and using a longer key doesn't really buy you any security.

In researching the cracking tools I ran across something else interesting. As it turns out there is another flaw in the system that is an even greater danger to wireless networks. It seems that for lots of people choosing a hex key to securing a wireless network is an obstacle, so the router vendors have added a little utility to help out. You just enter a password you like, and the utility makes that password into a hex key to use on your network. This ends up being a really bad idea. I'll refrain from adding even more boring detail to this already coma-inducing post, but in short, the algorithm that converts a text password to a hex key ends up using only a small subset of the possible hex numbers. The resultant key is essentially a 21-bit key. This key is so much smaller than a 40-bit key that a brute force attack is very quick, taking only seconds rather than days. I had not used this sort of key generator for my router, so I looked for other wireless networks to test this on. I had no problem finding nearby WEP-protected networks, and in most cases I was able to collect a couple of sample packets (not a million) and was able to determine the key in seconds.

Everybody still awake? I'll get to the moral to this story:

Make up your own good* key for your wireless network

If you use the tool provided with your router you are likely to make a key that is entirely worthless. And don't bother with a 104-bit WEP key, they are too long to use conveniently, and even a 40-bit key is tougher than the rest of WEP.

Many newer wireless routers and cards support encryption systems that are an improvement over WEP. If you can you may want to use one of these, such as WPA, if you want to keep more than just the honest folks off your network.

* a good key is pretty much any random mix of hex digits 0-9 and A-F, just be sure to avoid the ones that might be obvious and sure to be guessed - ones like 0000000000 or 0123456789

1 comment:

wstachour said...

I've always assumed that no one in my neighborhood would bother hacking into my network, but I suppose that's a really bad starting point for security! I'll have to look into the WEP when I get home for the weekend.

Also, I gotta say that when you devote some "fun time" to trying to break into your own network, you really ARE a computer geek! (But that's what we love about you!)