In the first part of Wifi Demystified we explained the basic and advanced Wifi configuration and settings. In this section, we will get acquainted with the various security configurations in a typical WLAN network.
Security mode disabled
Now it is perfectly alright to disable your security mode (set the option on the gateway to “None”), but that will allow any Wifi client to connect to your AP and use its bandwidth, hampering the performance for the intended users. It has also been observed that most APs in India have no security mode set, and these are vulnerable to attacks.
Wired Equivalent Privacy (WEP) is the basic security mode available on all APs. It uses a 64-bit or 128-bit passkey. The next part is a little confusing: a 64-bit WEP key in hexadecimal format is 10 characters long, while in the normal ASCII (or alphanumeric) format it is 5 characters long. The more secure 128-bit key is 26 characters in hexadecimal format and 13 characters in ASCII format. Now, some routers may not offer both 64-bit and 128-bit keys, or they might label the options WEP-40 and WEP-104 (since the 64-bit key is actually derived from a 40-bit key and the 128-bit key from a 104-bit key). I have also seen some routers which will not throw an error if you do not put more than 5 or 13 characters for the respective mode, since they probably account for the user’s ignorance and truncate it internally.
Another notion, present in only a few APs, is the key index. You can set up to 4 WEP keys and then choose a “key index” or “default key” from these 4, which will be the key actually used.
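To make the confusing key lengths concrete, here is a small helper (written for this post, not taken from any router firmware) that classifies a WEP key the way a router UI has to, maps it to WEP-40/WEP-104, carries the key index, and shows why the marketed size is 24 bits larger than the secret you type: WEP prepends a 24-bit per-frame IV to the secret to form the RC4 seed.

```python
import re
from dataclasses import dataclass

# Hypothetical helper written for this post, not code from any router firmware.
# The marketed "64-bit" and "128-bit" WEP keys are really 40-bit and 104-bit
# secrets; the remaining 24 bits are the per-frame IV that is prepended to the
# secret to form the RC4 seed. That is why WEP-40/WEP-104 and the 5/13 (ASCII)
# or 10/26 (hex) character lengths all describe the same two key sizes.
SECRET_BITS = {5: 40, 13: 104}   # secret length in bytes -> WEP-40 / WEP-104
IV_LEN = 3                       # 24-bit IV, sent in the clear with every frame

@dataclass
class WepKey:
    mode: str      # "WEP-40" (sold as 64-bit) or "WEP-104" (sold as 128-bit)
    secret: bytes  # the 5- or 13-byte secret the user actually chose
    index: int     # 0..3 on the air; router UIs show it as key 1..4

def parse_wep_key(text: str, index: int = 1) -> WepKey:
    """Classify a WEP key exactly as a router UI would have to."""
    if not 1 <= index <= 4:
        raise ValueError("key index must be 1..4")
    hexpart = text[2:] if text[:2].lower() == "0x" else text
    if len(hexpart) in (10, 26) and re.fullmatch(r"[0-9a-fA-F]+", hexpart):
        secret = bytes.fromhex(hexpart)          # hex form: 10 or 26 digits
    elif len(text) in SECRET_BITS and text.isascii() and text.isprintable():
        secret = text.encode("ascii")            # ASCII form: 5 or 13 chars
    else:
        raise ValueError("WEP key must be 5/13 ASCII chars or 10/26 hex digits")
    return WepKey(f"WEP-{SECRET_BITS[len(secret)]}", secret, index - 1)

def is_valid_wep_key(text: str) -> bool:
    """True if a router should accept the key without truncating it."""
    try:
        parse_wep_key(text)
        return True
    except ValueError:
        return False

def rc4_seed(key: WepKey, iv: bytes) -> bytes:
    """IV || secret: the 8- or 16-byte value WEP feeds to RC4 for one frame."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV is 3 bytes")
    return iv + key.secret
```

A router that silently truncates a longer key (as described above) is doing the equivalent of calling `parse_wep_key(text[:13])`, which is why a 20-character "password" gives no extra protection.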
Although a WEP key is better than having security disabled, it is fairly easy to crack. Even a moderately skilled cracker can recover a WEP key in a few minutes, as software for doing this is freely available. (Maybe I’ll write a separate post on just WEP key cracking next.)
This section is further sub-divided for better understanding.
Wifi Protected Access is essentially a certification program by the Wifi Alliance, created in response to concerns about the weakness of WEP as a security mode. However, WPA was based on a draft of IEEE 802.11i that was still being scrutinized by the community. By the time the final standard was ready, a huge number of WPA-based Wifi products had already flooded the market, so the full implementation came to be known as WPA2, and new products had to remain backward compatible with WPA.
TKIP / AES-CCMP: WPA uses the Temporal Key Integrity Protocol (TKIP) as its encryption method, which makes it a lot harder to crack than WEP. WPA2, however, uses the more advanced AES (Advanced Encryption Standard) algorithm within the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption protocol. This makes it impossible for crackers to recover the passphrase, unless of course the cracker has a supercomputer at his disposal, in which case it’s just a matter of a few months or years :-).
Both encryption types accept a passphrase (a password) of 8 to 63 characters; the longer and more random, the better.
Both WPA and WPA2 can be configured in the Personal as well as Enterprise modes.
Personal: Personal mode is also referred to as WPA(WPA2)-PSK or Pre-Shared Key. In this mode you simply set up a passphrase (between 8 and 63 characters) and share it with the users you wish to allow onto your AP. This is usually the default mode on home or SOHO APs, since it does not require any additional infrastructure.
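The AP and every client turn that 8-to-63 character passphrase into a 256-bit Pre-Shared Key with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times (IEEE 802.11i Annex H), which goes a little beyond the text above but explains both the 63-character limit and why the same passphrase yields a different key on a network with a different name. The following is an added example written for this post, not code from any router or from the Wifi Alliance; the function names are mine.

```python
import hashlib
import re

# Added example for this post (not router code). WPA/WPA2-Personal never uses
# the passphrase directly: both sides derive a 32-byte Pre-Shared Key (PSK)
# with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 rounds (IEEE 802.11i
# Annex H). The PSK is then used as the pairwise master key for the handshake.

def validate_passphrase(passphrase: str) -> None:
    """Enforce the limits a WPA-Personal UI enforces on what you type."""
    if not 8 <= len(passphrase) <= 63:
        # Exactly 64 characters is reserved for entering the raw PSK as hex,
        # which is why passphrases stop at 63.
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for this passphrase on this SSID."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def psk_from_ui(entry: str, ssid: str) -> bytes:
    """Accept what a router UI accepts: a passphrase or a 64-hex-digit PSK."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", entry):
        return bytes.fromhex(entry)       # raw PSK typed directly, no SSID salt
    return derive_psk(entry, ssid)

def is_valid_passphrase(passphrase: str) -> bool:
    try:
        validate_passphrase(passphrase)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Reference vector from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
```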
Enterprise: In Enterprise mode, authentication between the clients and the AP happens over the 802.1X authentication protocol. To achieve this, there needs to be an external RADIUS server holding the user credentials in the network (or at least reachable by the AP). Setting up a RADIUS server and 802.1X infrastructure is complex and out of the scope of this post, but briefly this is how it works:
The client tries to associate to the AP. The AP sends the Client’s information to the RADIUS Server (this usually happens over a wired connection). The RADIUS server does the authentication and authorization of the user. If the AP gets a “Go Ahead” from the RADIUS, it allows the Client to associate.
As you can see, this is a complex procedure and is usually not used in home or SOHO environments, which is why most consumer APs may not even offer the option.
This completes the WPA/WPA2 configuration settings. Now, just to make sure we are on the same page: WPA2 uses AES-CCMP while WPA uses TKIP for encryption (WPA2 could use TKIP, but that would defeat the purpose of the standard). Both WPA and WPA2 can be configured in Personal as well as Enterprise modes, but Enterprise mode is too complex for home users, who should opt for the simpler yet equally powerful Personal mode.
So, if your Wifi network has some old clients (more than 3-5 years old), it is best to set the security mode to WPA-Personal and the encryption to TKIP. However, if all machines are relatively new, the WPA2-Personal and AES-CCMP pair would make your Wifi almost impenetrable.
Wifi Protected Setup (WPS) is a newer security configuration methodology. Using WPS, clients can connect to the AP simply by pushing a button or entering a simple 10 digit PIN code. Needless to say, WPS must be supported by both the AP and the client. WPS is just a convenient way to associate clients and APs and it “sits” on top of the traditional security methods, WPA and WPA2. Thus, before initiating WPS, the WPA parameters should already be configured on the AP.
WPS works in two ways: the push-button method and the PIN method.
PIN configuration method: Some APs have a WPS PIN printed on a label on the device. In other cases, the client side generates a unique PIN every time WPS is initiated, and this PIN has to be entered on the AP (yes, you read that correctly: it is NOT the other way round).
Push-button method: To support this method, both the AP and the client need either a physical push-button on the device or a soft push-button on the Wifi configuration UI to initiate WPS.
In both cases the basic working is the same: once WPS is initiated by either method, the client has 2 minutes to do the same before the session expires. For example, once the button is pressed on the AP, the user should press the WPS button (either hard or soft) on the client within 2 minutes to get connected. No client can connect after two minutes; if required, the process has to be re-initiated. Similarly, once a client generates a WPS PIN, it has to be entered and saved on the AP within these 2 minutes for a successful association. This two-minute window is called the walk time.
Now the attentive user will see the obvious flaw in this system: if the button has been pressed on the AP, any WPS-capable client in the vicinity can associate itself. Well, that’s true, but the other client has to do so within the walk time. Also, WPS is meant more for convenience than for tighter security, so yes, there is a trade-off involved here.
A MAC Access Control List (ACL) lets an AP control which, and how many, clients may connect to it. However, not all APs have an option to limit the number of clients. Wifi MAC ACLs have a notion of “blacklists” and “whitelists”. When a “blacklist” ACL is applied, all clients whose MAC addresses are in the list are prevented from associating with the AP. Conversely, when the ACL is of type “whitelist”, only the clients whose MAC addresses are in the list are allowed to associate, and all others are rejected. This gives broader control over who can or cannot connect to the WLAN.
With this, we have covered the Wifi basics from a layman’s point of view. Nonetheless, this information should be enough for anyone to configure a wireless home router into a satisfactory working state.