A brief history of Wi-Fi security protocols, from "oh my god, it's bad" to WPA3


The Netgear RAX-120 router.


With new developments in Wi-Fi on the way, we can all expect to become familiar with the new 802.11 protocols in the near future. Ars took a deep look at what was coming last fall, but readers seemed to have a clear answer: the time had come to specifically discuss the new Wi-Fi security protocol, WPA3.

Before anyone can understand WPA3, it's helpful to take a look at what preceded it during the Dark Ages (of the Internet): an era without Wi-Fi and without switches. Today's Internet may be built on "back in my day" speeches, but those of you in your twenties or early thirties may not remember or realize how serious the problems were. In the mid-1990s, a given machine could "sniff" (that is, read traffic that was not intended for it) any traffic on the network at will, even on wired networks. At the time, Ethernet was largely connected with hubs rather than switches, and anyone with a technical bent could watch (and often did) everything from passwords to web traffic to emails as it crossed the network.

Do not let the merry ivory chassis fool you. Those were dark days, my friend.

Closer to the turn of the century, wired Ethernet had largely moved from hubs (and worse, the old thinnet coax networks) to switches. A network hub transmits each packet it receives to every machine connected to it, which is what made widespread sniffing so easy and so dangerous. In contrast, a switch only transmits packets to the MAC address for which they are intended. Thus, when computer B wishes to send a packet to router A, the switch does not send a copy to the sketchy user on computer C. This subtle change made wired networks much more trustworthy than they had been before. And when the original 802.11 Wi-Fi standard was released in 1997, it included Wireless Encryption Protocol (WEP), which was supposed to offer the same expectation of privacy that today's users have of wired networks.

In retrospect, WPA3's predecessor missed the target. Badly.
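The hub and switch forwarding behaviour described above can be modelled in a few lines. This is an added example, not part of the original article; the host names follow the text (router A, computer B, bystander C), while the MAC addresses, port numbers and the four-frame conversation are constructed for illustration.

```python
# Constructed topology: name -> (MAC address, port on the hub/switch).
HOSTS = {"A": ("02:00:00:00:00:0a", 1),   # router
         "B": ("02:00:00:00:00:0b", 2),   # computer B
         "C": ("02:00:00:00:00:0c", 3)}   # bystander on computer C

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = sorted(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]

class Switch(Hub):
    """Learning switch: remembers the port each source MAC was last seen on."""
    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port        # learn where the sender lives
        out = self.mac_table.get(dst_mac)
        if out is None:                          # destination not learned yet:
            return super().forward(in_port, src_mac, dst_mac)  # flood like a hub
        return [] if out == in_port else [out]

def overheard(device, conversation):
    """Count, per host, the frames delivered to it that were addressed to someone else."""
    port_to_host = {port: name for name, (_, port) in HOSTS.items()}
    counts = {}
    for src, dst in conversation:
        src_mac, in_port = HOSTS[src]
        dst_mac = HOSTS[dst][0]
        for port in device.forward(in_port, src_mac, dst_mac):
            host = port_to_host[port]
            if host != dst:
                counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed conversation: B talks to router A, A replies, twice.
CONVERSATION = [("B", "A"), ("A", "B"), ("B", "A"), ("A", "B")]

if __name__ == "__main__":
    ports = [port for _, port in HOSTS.values()]
    print("hub   :", overheard(Hub(ports), CONVERSATION))
    print("switch:", overheard(Switch(ports), CONVERSATION))
```

On the hub, C receives all four frames. On the switch, C receives only the first one, which is flooded because the switch has not yet learned which port A is on.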

WEP – the original wireless encryption protocol

If you want to describe WEP in one word, that word has to be "terrible". The initial release of WEP required a hexadecimal pre-shared key of 10 or 26 digits, which would look like this: 0A3FBE839A. Both the hexadecimal part (0-9 and A-F) and the 10-digit or 26-digit part were strictly enforced: type one digit too few or one digit too many, and you get an error and nothing works. Enter a character that is not in the 0-F range, and you get an error and nothing works.

Unsurprisingly, most people, even in business environments, disabled WEP early on, if it was ever enabled in the first place. If you think that expecting people to efficiently and accurately share arbitrary 10-digit or 26-digit hexadecimal numbers seems unreasonable now, imagine trying to do it in 1997. About half of the workforce still had not mastered double-clicking.

The D-Link DI-514 802.11b is an example of a WEP router. It was a perfectly cromulent router for its time, in much the same way that a penny-farthing was once a perfectly cromulent bike.

Subsequent revisions to WEP provided the ability to automatically hash a human-readable password of arbitrary length into these 10-digit or 26-digit hexadecimal codes, consistently between clients and routers. So, while WEP was still working with raw 40-bit or 104-bit numbers underneath, you could at least share those numbers in a way that did not make humans immediately revolt with torches and pitchforks. With this transition from numbers to passwords, WEP began to see much more widespread use.

While it was good that people were using WEP, this early security protocol was still pretty awful. For one thing, it used deliberately weak encryption, since the US government still treated encryption algorithms as "guns" that could not be exported abroad. And even setting the weak encryption aside, you remained vulnerable to sniffing by anyone else connected to the same network. Since all the traffic was encrypted and decrypted with the same PSK, Eve at the café could (and too often did) easily intercept and read all the traffic Bob sent to the Internet. There was not really any need for skullduggery.

As if all this were not enough, WEP has serious unresolved cryptographic weaknesses that can be exploited to break into any WEP network in minutes.
