I’m infatuated with security and encryption. I realize that doesn’t necessarily fit my personality but I’m not infatuated with security because I feel my information needs to be secured — I just find that combination of technology and psychology required to secure a system (or a message) fascinating. For example, our IT department regularly sweeps the office for open wireless access points because open wireless access points could give a non-employee access to our network. At the same time, it would be trivial to follow an employee into one of our buildings and plug into a conference room network jack with full access to the network. Another example is recent SOX regulations require that you change your password every 3 months. You can’t use a password you have used before (where before is defined by the magic number 12 — you can’t use a password you have used in the last 12 rotations). This increases the chance that people will write down their password somewhere to remember it or use a really simple password, thus making the network less secure. It always reminds me of an army securing the main door to the castle not realizing the walls are filled with holes. Millions of dollars in security infrastructure undone by Bob in finance who uses his wife’s name as a password.
Up until 1976 cryptography used a method called secret key or symmetric cryptography. With this method you pick a way of mixing up a message (the cipher) and a key to feed into that method. You feed your message and the key through the cipher and the receiver of the message uses the same key and the same cipher to reverse this process. The obvious problem is getting the key safely to the receiver. You can’t encrypt it (because they would need a key to decrypt it) and you can’t pass it without encryption or anybody listening could intercept the key and decrypt the following message. There is a lot of amazing mathematics that goes into cipher based cryptography but conceptually it is an easy method to grasp. Choose a way to scramble a message, reverse that method when you want to unscramble it. The world really changed in 1976 when Whitfield Diffie and Martin Hellman introduced public key cryptography.
With public key cryptography there are two keys used. One is public and the other is private. The sender encrypts the message with the receivers published public key and sends the message. The receiver uses his private key to decrypt the message. No matter how many times I have stepped through the mathematics involved I still can’t accept the end result. Kind of like flying in a 747. Do I understand the physics behind flight? Yes. Can I make sense of the fact that a 40 ton hunk of metal just lifted off the ground? Nope. What is crazy about public key cryptography is that you can take a published key, use a well understood encryption algorithm, and encrypt a message such that it can’t be decrypted without another key. You know the key they used, you know the encryption method, yet you can’t reverse it. It blows my mind.
The problem with public key cryptography is that it is computationally expensive where symmetric cryptography is pretty easy for processors today to handle. These factors formed the basis for the HTTPS (SSL) protocol which uses public key cryptography to decide on the cipher and key for the communication and symmetric for the rest of the communication. So the conversation looks something like this:
Your browser: “hey, web server, got a sec? I’d like to chat, but I don’t want anybody to listen in.”
Web server: “Sure thing browser, here is my public key, what cipher do you want to use? Blowfish is all the rage but I’m OK with MD5 as well. I’ll need the key you are using with that cipher as well. Encrypt it with my public key and send it back.”
Your browser: “Sweet. I just chose my favorite cipher and generated a key. I encrypted these details with your public key and I’m sending it along.”
Web server: “I got it and decrypted your choices using my private key. Next time we talk, we will use symmetric cryptography as you specified. Rock on.”
So the initial setup is encrypted using processor expensive, yet secure public key cryptography. After the keys and cipher type has been agreed upon, the rest of the communication uses symmetric cryptography which is much less computationally expensive. They use public key cryptography to overcome the key problem with symmetric cryptography.
Understanding Wireless Security
There is a lot of problems with wireless security the worst of which is that it is amazingly confusing. Sadly the developers of the wireless protocol have totally ignored lessons of the past. There are two main questions you have to ask when securing a network.
Who can connect to my network?
This question matters if you have open file sharing or services you would worry people could access if they connected to your network. For example, let’s say you have a file server where you store family documents. This file server does not require authentication so if somebody pulled up outside your house and connected to your wireless network they could get at your private family documents. My argument here is you shouldn’t have open services like this. Wireless or not, it is a bad idea to have open services with data that is sensitive.
“Security experts” also spread fear by noting that a “hacker” could also connect to your network and attack your computer from behind your router. While in theory this is true the chances that one of those crazy hackers is going to pull up to your house to do this is slim. Additionally you are probably going to use your computer at some open public access point so you should make sure your computer is not susceptible to attack.
There is also the worry that your neighbor’s teenage son is going to use your wireless network to steal music or serve porn and get you in trouble. Having been a teenager at one point this seems like the most probable problem of all those mentioned but also fairly remote.
Not only can I not come up with a good reason to lock down connections to your wireless network, the solution wireless routers provide to do this is frankly kind of stupid. They call it MAC address filtering. Every network device has a unique address. You tell your router only to allow connections from specific MAC addresses (and therefore only specific computers). First of all this is absurd from a management perspective. I’m sure most computer users can find their MAC address right? Maybe they should have required the default subnet mask as well? And the file system format. Brilliant, I tell you, just brilliant. Second of all without needing to connect to the wireless network you can examine packets from allowed machines and then spoof as that machine using easily downloaded software. Finally my biggest beef with MAC address filtering is it tricks people into thinking they have secured traffic on their network.
Who can watch traffic on my network?
Regardless of who can connect to your network, when you use your wireless network your traffic is going over radio. So without connecting to your network a scary hacker can watch traffic and capture sensitive data. This means they could see what you search for on Google, read your email if you use web based email over HTTP, etc. This is an important consideration. If you deal with sensitive data over insecure protocols then this can be an issue. For me, all of our financial details are over HTTPS (e*trade, banking, etc.) and work is over a secure VPN tunnel so somebody could watch traffic all they want but the communication between me and the end server is secure.
Even if you did decide you wanted to secure the traffic on your wireless network, the wireless standards have given you only really horrible options. My favorite is the WEP key. This is a symmetric key that you configure your router to use and then tell people who use your network to use that key. This has the same problems as discussed earlier. Keys get written down, emailed around, and simple keys are chosen to make it easier to use all decreasing the security of the system. Not to mention who wants to enter a WEP key into their wireless software? Can you imagine if every time you wanted to connect to a secure site over HTTPS, you had to enter some long key into the browser? That would have been a train wreck. The death knell to this security solution is that it is an easily cracked cryptography solution. Yes, that’s right. Hundreds of years of published cryptography research, a successful implementation of HTTPS completely ignored by the wireless standard defining bodies.
Open but Aware
So in this brutally long post I have argued that MAC address filtering is useless and signal encryption is insecure and flawed. If I think I’m so smart, how would I do it?
To handle access to the network I would use an “open but aware” solution. This means anybody can connect, but I am notified if it doesn’t match a device that has connected before. I’m also notified if a device with a duplicate MAC address tries to connect. It is like my credit report. I don’t mind if people access it, I just want to know who tried. You could take it a step further and require approval from the administrator in a handshake style but none of this MAC address crap. In terms of encrypting radio traffic I would use the same handshake protocol as HTTPS which requires no interaction from the end user.
The standards are making progress but until we get an open standard that takes into account all aspects of security (strong cryptography and psychology), wireless network security will just be a source of acronyms and nothing more. Until then I wouldn’t bother with any of it and spend your time making sure your machines are secure and you use HTTPS on all sensitive transactions.