[48758] in North American Network Operators' Group


Re: LEAP Security Vulnerabilities??

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Jun 15 18:34:38 2002

From: "Steven M. Bellovin" <smb@research.att.com>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: Stephen Sprunk <ssprunk@cisco.com>,
	"Hyska,     Jason [JJCUS]" <JHyska1@CORUS.JNJ.com>, nanog@merit.edu
Date: Sat, 15 Jun 2002 13:37:54 -0400
Errors-To: owner-nanog-outgoing@merit.edu


In message <20020613212153.GN71564@overlord.e-gerbil.net>, Richard A Steenbergen writes:
>
>On Thu, Jun 13, 2002 at 02:34:29PM -0500, Stephen Sprunk wrote:
>> 
>> WEP's only real failure was the failure to specify keying; vendors (and
>> users) with less security experience interpreted this to mean static
>> keys were sufficient.
>>
>> The choice of RC4 was unfortunate given the above problem, but the
>> coming switch to AES should fix that.
>
>Most existing wireless APs cannot keep up with 802.11b doing RC4 (which is
>EXTREMELY light on the cpu) at line rate. 

RC4 if used properly is light-weight.  802.11 is employing it in an 
unnatural environment, and that causes trouble, including performance 
issues.

More specifically -- RC4 is a stream cipher, which means that it must 
be employed over a reliable underlying data stream.  It's perfect above 
TCP, for example.  But 802.11 is a packet environment, with no 
underlying stream.  Accordingly, the base RC4 key -- 40 bits or 112 
bits -- is combined with a 24-bit number (sometimes a counter, 
sometimes random, but in either case sent in the clear in the packet) 
to form an actual RC4 key that's used to encrypt just a single packet.  
The problem is that key setup is roughly as expensive as encrypting 300 
bytes or thereabouts.  So all those 40-byte TCP ACK packets are a lot 
more expensive for crypto processing than they should be.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
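
Added example (not part of the original message): the per-packet keying described above, sketched in Python with a constructed 40-bit base key and IV. It omits WEP's integrity check value and counts RC4 swap iterations as a crude cost unit; both are assumptions of this sketch, not measurements.

```python
# Added example: WEP-style per-packet RC4 keying with a crude cost count.
# Cost unit (assumption): one RC4 state-swap iteration. Table initialisation
# in key setup is not counted, so the setup cost here is a lower bound.

KSA_SWAPS = 256  # key setup always runs 256 swap iterations, whatever the packet size


def rc4_ksa(key: bytes) -> list:
    """RC4 key setup: build the 256-byte permuted state from the key."""
    s = list(range(256))
    j = 0
    for i in range(KSA_SWAPS):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list, data: bytes) -> bytes:
    """XOR data with the RC4 keystream: one swap iteration per byte."""
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_seal(base_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Sender: per-packet key = 24-bit IV || base key; the IV travels in the clear."""
    if len(iv) != 3:
        raise ValueError("IV must be 24 bits")
    return iv + rc4_prga(rc4_ksa(iv + base_key), payload)


def wep_open(base_key: bytes, packet: bytes) -> bytes:
    """Receiver: read the IV from the packet and repeat the full key setup."""
    iv, body = packet[:3], packet[3:]
    return rc4_prga(rc4_ksa(iv + base_key), body)


def setup_share(payload_len: int) -> float:
    """Fraction of swap iterations spent on key setup for one packet."""
    return KSA_SWAPS / (KSA_SWAPS + payload_len)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit base key
    assert wep_open(key, wep_seal(key, b"\x00\x00\x01", bytes(40))) == bytes(40)
    for n in (40, 300, 1500):  # ACK-sized, near break-even, full-size frame
        print(f"{n:5d}-byte payload: {setup_share(n):.0%} of RC4 work is key setup")
```

Because every packet carries its own IV, sender and receiver each pay the full key setup once per packet, which is why the share is so high for ACK-sized payloads.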


