Offline brute force attack on WLAN public hotspot service using 802.1X EAP-MD5

Abstract

It is well known that 802.1X EAP-MD5, which is a security authentication protocol of WLAN pubic hotspot service, has a considerably big problem. The authentication performance of 802.1X EAP-MD5 drops very much compared to 802.1X EAP-TLS, which is commercialized as well. However, its implementation and operation are very easy. In this reason, domestic Wireless ISP(WISP) adopted EAP-MD5 as an authentication protocol due to its convenience. In this paper, we propose offline Brute Force Attack(BFA) using passive monitoring in addition to the drawbacks of EAP-MD5. If offline BFA is being used, anybody can easily find out user``s password. What is more, it does not take long time. We considered two factors: user``s password length and the attacking computing power. For starters, we can passively monitor Nespot, which is being offered by KT. We also test the required attack time on the increase of password length. We can make two alternative measures for WISP to solve the vulnerabilities. First is to increase the entropy of the password. By using 92 characters, users can increase the entropy of the password without increasing the password length. Secondly, we can increase the password length until the attack is impossible. Cryptographically secure key is currently 128 bit. So by this method, the user randomly makes an authentication password which has same amount of entropy to 128 bit and register the service with the password. Then user must encrypts the authentication password with a short user password user can remember and stores the encrypted authentication password to a hard disk. During the authentication process, user can decrypts the stored authentication password with his or her password and uses the decrypted password for EAP authentication. Through the paper, we will demonstrate how vuInerable the WLAN public hotspot service being offered today is. The current situation is that WISPs could not help but choose the EAP-MD5 and 802.11 i is not standardi...