Enabling WPA on Windows XP: A painful process explained step-by-step
Robert C. Jones, M.D. LtCol, USAF, Medical Corps Staff Anesthesiologist Andrews Air Force Base, Maryland E-mail: rob — at — notbob — dot — com Web site: http://www.notbob.com Note: presentation best viewed as slide show
Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved.
CIA XXIV
Update (6 Sep 04) • This presentation was written prior to Microsoft’s release of Windows XP service pack 2; Rob is still evaluating the effect of SP2 on wireless networking on several computers, and will update these slides Real Soon Now. Until then, consider these slides to refer to Windows XP SP1, and, as always, please remain calm.
If you have no idea what this presentation is about…
• …then you need to read my extensive discussion of Wireless Internet INsecurity here: http://www.notbob.com/wlani/
• This presentation assumes some knowledge of the basics of wireless security and some competence with computers (i.e., more than just the ability to turn them on)
• Why Windows XP and not Mac, Unix, BSD, Linux, Amiga…?
➳ People who use Windows (of any kind) need more help
➳ Most Windows users don’t RTFM: read the fine manual
➳ Windows XP makes WPA much harder than it has to be
➳ Windows XP has the largest installed base
• All legal disclaimers in my original talk apply to this addendum
Brief introduction to WPA
• WPA = “WiFi® Protected Access”
• Quick fix to broken initial wireless security method, WEP (= “Wired Equivalent Protocol”)
• Why is WEP broken? For the full explanation, see my original talk. Here’s the executive summary:
➳ WEP standard implements RSA Security’s RC4 encryption improperly: http://www.rsasecurity.com/rsalabs/node.asp?id=2009
➳ Flaws in key scheduling algorithm: large number of weak keys, so encryption is easily cracked
➳ Initialization vector (IV) is sent in the clear with each chunk, so subtract 24 bits of IV from encryption key length (advertised “128 bit” security is really only 104 bits…more bits good, fewer bits bad, so this is bad)
➳ As a result, attackers can sniff the information going across your WEP-protected network and crack the security in hours to days, depending on the age of your access point’s firmware and the traffic across the network; see this article: http://www.oreillynet.com/pub/a/wireless/excerpt/wirlsshacks_chap1/index.html
Why is WPA better than WEP? (skip this slide if you don’t care)
• WPA is a subset of the upcoming IEEE 802.11i security standard; designed to be forward-compatible with 802.11i (Update: Specification finally approved; certified products due Sep 04: http://www.infoworld.com/article/04/06/25/HNwlan_1.html)
• Security enhancements:
➳ TKIP: Temporal Key Integrity Protocol– per-packet key mixing, message integrity check (MIC; aka “Michael”), and extended initialization vector address most of the weaknesses of WEP; much harder to “crack”, but not impossible: http://wifinetnews.com/archives/002453.html
➳ AES: Advanced Encryption Standard, an optional “enhanced” security cipher based on the Rijndael cipher (gotta love the parrot: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ ; AES skeptics: http://www.cryptosystem.net/aes/ ; http://www.schneier.com/crypto-gram-0209.html#1)
➳ Enterprise-level, port-based user authentication through 802.1x and EAP (no user authentication in WEP– only device authentication) [called “WPA Enterprise” by the WiFi Alliance]
➳ Option for SOHO users: PSK (pre-shared key)– eliminates need for RADIUS authentication server [called “WPA Personal” by the WiFi Alliance]
References:
http://www.wi-fiplanet.com/tutorials/article.php/2148721
http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_ProtectedAccessWebcast_2003.pdf
WPA on Windows XP
• WPA support requires upgrades to 3 things:
• Your wireless Access Point (AP)
➳ You need firmware that supports WPA
➳ Most APs sold in 2004 should support WPA out of the box
• Your wireless client (the actual card thing in your computer)
➳ Client also called “supplicant” (because you’re begging for access)
➳ You need firmware that supports WPA
➳ Most new 802.11g and a/b/g clients support WPA; many older 802.11b clients (pre-2003) may not be upgradeable (considered legacy devices)
• Your operating system (Windows XP, in this case)
➳ You need WPA upgrades to Windows XP
➳ Microsoft helpfully does not include the updates in the automatic Windows Update function; you have to install them yourself manually (for Service Pack 1; WPA functionality now included in SP2)
References:
http://www.pcmag.com/print_article/0,3048,a=107756,00.asp
http://www.microsoft.com/whdc/device/network/802x/WPA.mspx
WPA by the numbers
• For this talk, we will be using a Linksys WRT54GS router, a Sony Vaio with a LANExpress AS 802.11g mini-PCI card, and Windows XP Home edition with Service Pack 1 and all critical updates
• Your specific screens may look different, but the process should be the same with other wireless routers and client devices
Step 1: Make sure system works without WPA
• Because enabling WPA on your router will cut off communication with your client device, be sure that everything is working OK without WPA (i.e., enable WEP with 128 bit security and make sure that the connection is functional)
• It is always a good idea to have a wired connection to your router in order to fiddle with settings when (when) your wireless connection goes down (e.g., when you switch from WEP to WPA)
• I do not ever recommend running a wireless AP without any security (in “open” mode), because I am way paranoid when it comes to network security
Step 2: Enable WPA on router •Log onto router by opening your internet browser and typing in the IP address listed in your router’s manual (in this case, for Linksys, 192.168.1.1):
Never, ever check this box!
Note: your router’s manual will give you the default password; if you lost it, you can find the defaults by searching Google for: default router passwords (without quotes); if you changed the default a long time ago and forgot it, then reset the router using the little button in the back
Step 2: Enable WPA on router (cont’d)
• Note that the firmware version (2.07.1) supports WPA out of the box
• You must choose Pre-shared Key (PSK) for SOHO use (unless you have a RADIUS server)
• You can select TKIP or AES; TKIP is standards-based (AES implementation in WPA not standardized; will become standardized in 802.11i); UPDATE: some client chips prefer AES
• Group renewal key can be left at whatever default your router manufacturer has set
Step 2: Enable WPA on router (cont’d)
A few words about picking a good PSK passphrase…
• The “Achilles heel” of SOHO-mode WPA (“WPA-Personal”) is that users might pick weak passphrases for the PSK
• As all BOFHs know, users are clueless and pick bad passphrases more often than their noses
• Passphrases that are easily guessed include anything in any dictionary, names, birthdays, phrases, slang, acronyms…the worst password is your account name.
• The bottom line: pick a passphrase which is as random as possible, with a mix of upper and lower case letters, numbers, and special characters (%^&*#$~@+), and which is at least 20 characters long; for more do’s and don’t’s, see: http://geodsoft.com/howto/password/password_advice.htm
• Here’s a helpful passphrase FAQ: http://131.155.140.135/~galactus/remailers/passphrase-faq.html#210
• For a really good passphrase, check out Diceware: http://world.std.com/~reinhold/diceware.html
• This article discusses the WPA PSK problem in gory detail: http://wifinetnews.com/archives/002452.html
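The passphrase advice above, as an added example that is not part of the original slides: a Python sketch that generates a random passphrase of at least 20 characters from the slide's character classes and derives the 256-bit key that WPA-Personal computes from it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The function names and the sample SSID are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# Character classes from the slide's advice; SPECIALS is the slide's own list.
SPECIALS = "%^&*#$~@+"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
ALPHABET = "".join(CLASSES)  # 71 symbols


def generate_passphrase(length=20):
    """Random passphrase containing at least one character from every class."""
    # 20 is the slide's minimum; 63 is the longest passphrase WPA accepts.
    if not 20 <= length <= 63:
        raise ValueError("length must be between 20 and 63")
    while True:  # retry until every class is represented
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Approximate entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase, ssid):
    """256-bit pre-shared key as WPA-Personal derives it from the passphrase."""
    printable = all(32 <= ord(ch) <= 126 for ch in passphrase)
    if not 8 <= len(passphrase) <= 63 or not printable:
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # The SSID is the salt, so the key is tied to the network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)


if __name__ == "__main__":
    phrase = generate_passphrase(24)
    print("passphrase:", phrase)
    print("entropy   : about %.0f bits" % entropy_bits(24))
    # "example-ssid" is a constructed network name, not one from the slides.
    print("PSK (hex) :", derive_psk(phrase, "example-ssid").hex())
```

Because the SSID salts the derivation, the same passphrase produces a different key on every network name, and a 20-character random passphrase from this alphabet carries roughly 123 bits of entropy.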
Bond with your inner ostrich…
“Stevan...commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements. In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life. "This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said (Stevan), an information technology manager in New York.”
http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html
(obnote: managers are generally clueless feebs when it comes to actual technology, clinical medicine, etc. If they actually knew technology or medicine, they would be doing something useful with their lives instead of micromanaging and writing meaningless policies QED. Yeah, pointy haired ex-boss, you’re so vain, I bet you think this comment’s about you, don’t you?)
Step 2: Enable WPA on router (cont’d)
“But…my router’s firmware doesn’t give me a WPA option!”
Assuming your AP can support WPA, you need to upgrade your firmware, my friend:
• Linksys: http://www.linksys.com/download/
• Netgear: http://kbserver.netgear.com/kb_web_files/n101190.asp ; http://kbserver.netgear.com/main.asp
• Netegriti EM-500AG: http://www.discountechnology.com/products/wistron-802.11abg/EM-500AG.zip
• Buffalo: http://www.buffalotech.com/wireless/_SUPPORT/downloads.php
• D-Link: http://support.dlink.com/faq/view.asp?prod_id=1401 ; http://support.dlink.com/downloads/
• Microsoft: Microsoft Broadband Networking Utility (BNU) should automagically update firmware; if not, go here: http://www.microsoft.com/hardware/broadbandnetworking/15_Downloads.aspx
• SMC: http://www.smc.com/index.cfm?sec=Products&pg=Product-List&cat=5&site=c
• Zyxel: http://us.zyxel.com/support/download.php
Note: representative sample of AP manufacturers; not in any particular order; if your manufacturer is not on this short list, then try their website!
Step 2: Enable WPA on router (cont’d) UPDATE! 17 June 04
After buying a Netegriti (Wistron) EM-500AG a/b/g mini-PCI card for my notebook from http://www.discountechnology.com , it took quite a bit of struggling to enable WPA. Turns out that some implementations of WPA require SSID broadcasting to be turned on for supplicant authentication to work (i.e., without it you will get a strong signal and see the connection, but you won’t be able to use the connection to do anything [like surfing the Net]). Note that this is now safe with WPA in place (vs. during ancient WEP-only era ca. 2002); WEP + no SSID broadcast is far less safe than WPA + SSID broadcast
Step 3: Enable WPA on Client
start | settings | control panel | system | hardware | device manager | network adapters | your wireless adapter
Any driver prior to May 2003 will need to be upgraded (WPA standard finalized May 03)
This card didn’t work under WPA with “shared”– needed to leave in “auto”
• Your client card manufacturer should tell you whether their latest firmware supports WPA
• Follow the instructions given by your manufacturer to flash the firmware (don’t interrupt power during flashing! Very bad karma!)
Step 4: Enable WPA on WinXP SP1
Update 1: http://www.microsoft.com/downloads/details.aspx?FamilyID=009d8425-ce2b-47a4-abec-274845dc9e91&displaylang=en ; download link is on right side of page
Update 2: http://support.microsoft.com/?kbid=826942 ; download link is halfway down the page
Download and install these two updates; be sure to reboot after each one (they don’t remind you to do so); again, as of late Aug 04, the brand new Win XP SP2 update includes WPA functionality (about time!)
Step 4: Enable WPA on WinXP (cont’d)
Make sure Wireless Zero Configuration service is running: start | run | open: services.msc
Step 4: Enable WPA on WinXP (cont’d)
Start | Settings | Control Panel | Network connections | Right click on wireless adapter | properties
You can try AES if you want…if it works for your network, cool…
Here’s a timesaver: copy your WPA password onto the Windows clipboard from your router’s configuration screen (ctrl-C), then paste into the Network key dialogs (ctrl-V); note that Windows prevents you from copying from within the Network key field if you choose to type in the key
This happy icon means that your connection is working! (might need to hit refresh button below “configure” to
Step 4: Enable WPA on WinXP (cont’d)
Start | Settings | Control Panel | Network connections | Right click on wireless adapter | properties
Note that 802.1x is mandatory for WPA (can’t change it…greyed out)
Meaningless for WPA-Personal with PSK, so leave it as default (as shown)
Ta Da! Congrats!
• Now your wireless connection is the safest in the neighborhood…99.9% of attackers will now leave you alone to go after the low-hanging fruit of lusers who are still using WEP (or the 70+% of hoi polloi with no security at all)
What’s Next in Wireless Security? hint: be sure to view this as a slide show to see the words behind the pictures
• mid-2004: WPA2 (marketing term for 802.11i with RSN, as discussed in my original presentation)
– Will require hardware encryption engine on the chipset
– Uses AES via CCMP (Counter-mode CBC-MAC Protocol), which is stronger than TKIP (even at same 128 bit key length)
– Most newer 802.11g and a/b/g devices should be able to handle AES with firmware upgrade…older devices (pre-2003) will likely need to be upgraded in hardware (i.e., replaced)
– Detailed support for 802.1x and EAP for strong user authentication
– ? Strong reason to upgrade WPA to WPA2 for average users; certainly mandatory for enterprises with proprietary secrets, but probably not necessary to secure your MP3s…
from: http://www.cs.umd.edu/~waa/1x.pdf
excerpt of rijndael (AES) source code
“They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” --Benjamin Franklin
“Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns.” --Mitch Ratcliffe
Addendum 1: WPA on Linux a work in progress (18 June 04)
• I’m in the process of upgrading my notebook to Mandrake Linux 10.0 (from 9.1); my wireless card is the Netegriti EM-500AG; stay tuned for an update on my experience…
• Excellent Linux WLAN HOWTO: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
• For Atheros-based client cards (including mine), here’s the madwifi FAQ: http://www.mattfoster.clara.co.uk/madwifi-faq.htm
• The web-based CVS viewer for the madwifi project on SourceForge is here: http://cvs.sourceforge.net/viewcvs.py/madwifi/madwifi/
• The CVS address for both the madwifi driver and the WPA module is in the FAQ, Jack: http://www.mattfoster.clara.co.uk/madwifi-2.htm
• Free WPA supplicant (supports many cards, including Atheros ar521x): http://hostap.epitest.fi/wpa_supplicant/
Addendum 2: WPA on MacOS X Can’t forget my MacOS buddies…
• As of this writing, Apple only supports WPA on AirPort Extreme (802.11g) • Here’s a page with info on setting up WPA in MacOS X: http://www.oreillynet.com/pub/a/wireless/2003/12/18/wap
• The URL for the firmware upgrade is wrong; here’s the right one: http://www.apple.com/downloads/macosx/apple/airportex