LEAP Security Vulnerabilities??
Steven M. Bellovin
smb at research.att.com
Sat Jun 15 17:37:54 UTC 2002
In message <20020613212153.GN71564 at overlord.e-gerbil.net>, Richard A Steenberge
n writes:
>
>On Thu, Jun 13, 2002 at 02:34:29PM -0500, Stephen Sprunk wrote:
>>
>> WEP's only real failure was the failure to specify keying; vendors (and
>> users) with less security experience interpreted this to mean static
>> keys were sufficient.
>>
>> The choice of RC4 was unfortunate given the above problem, but the
>> coming switch to AES should fix that.
>
>Most existing wireless APs cannot keep up with 802.11b doing RC4 (which is
>EXTREMELY light on the cpu) at line rate.
RC4 if used properly is light-weight. 802.11 is employing it in an
unnatural environment, and that causes trouble, including performance
issues.
More specifically -- RC4 is a stream cipher, which means that it must
be employed over a reliable underlying data stream. It's perfect above
TCP, for example. But 802.11 is a packet environment, with no
underlying stream. Accordingly, the base RC4 key -- 40 bits or 112
bits -- is combined with a 24-bit number (sometimes a counter,
sometimes random, but in either case sent in the clear in the packet)
to form an actual RC4 key that's used to encrypt just a single packet.
The problem is that key setup is roughly as expensive as encrypting 300
bytes or thereabouts. So all those 40-byte TCP ACK packets are a lot
more expensive for crypto processing than they should be.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
More information about the NANOG
mailing list