[Dshield] Wireless MAC Authentication options.

Josh Tolley josh at raintreeinc.com
Mon Jun 20 17:21:40 GMT 2005

Willy, Andrew wrote:
> Forgive the dumb question (someone has to ask one), but, is the MAC address
> not encrypted, or does encrypted traffic begin post MAC authentication?
> We're implementing small scale wireless in a few of our offices and I'm
> interested in how security is circumvented -- several of our offices are in
> shared buildings.  We're using MAC auth and keys, however the MAC auth was
> the measure I had the most confidence in.  
> Can you elaborate (more) on how the MAC spoofing takes place?
> Thank you
> Andrew

Sure -- and someone correct me when I go wrong. The purpose of the MAC 
address is to identify the sending station at the data link layer (that 
is, between two stations on the same network). These stations don't 
identify each other by IP address, as you might think, because IP 
addresses are at the network layer, one layer higher than data link. The 
MAC address is encoded into every transceiver on the network, and 
ideally they're unique for every single one. In these respects, wireless 
ethernet MAC addresses work just like those in wired ethernet, although 
the format of the wireless frame is different from that of the wired frame.

The data isn't encrypted -- I can't actually see a way that it could be 
encrypted without breaking everything. The encryption begins later on in 
the frame. If they were, stations on the network wouldn't know the 
source or destination of packets they see, and so they wouldn't know if 
they're supposed to process the packet or not.

Most wireless hardware and the drivers for it include some capability to 
change the built-in MAC address to something else. This is useful in 
case two devices on a network end up with the same MAC address (because 
with the same MAC address, communication would be impossible). But it 
also makes it possible for someone who has snooped a MAC address by 
simply listening to transmissions to change his address to something 
that's valid on the network. Then he can talk to the access point 
without any problem (unless the other station with the matching MAC 
tries to talk on the network or is listening when the attacker sends, in 
which case you'll run into problems of communication because of the 
matching MACs).

Josh Tolley
Raintree Systems, Inc.
Office Phone: (801) 293-3090
Corporate Office: (760) 509-9000
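
Added example, not part of the original post: a small Python parser for the 802.11 data-frame header, showing that the station addresses stay readable even when the Protected bit is set and the frame body is ciphertext. The sample frame, its addresses and the function names are constructed for illustration.

```python
import struct

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_dot11_data(frame: bytes) -> dict:
    """Split an 802.11 data frame into its cleartext MAC header and its body."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    # The header grows by 6 bytes for a fourth address (both DS bits set)
    # and by 2 bytes for the QoS control field (subtype bit 3 set).
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
    if len(frame) < hdr_len:
        raise ValueError("truncated header")
    return {
        "protected": bool(fc & 0x4000),        # body is encrypted
        "receiver": fmt_mac(frame[4:10]),      # Address 1
        "transmitter": fmt_mac(frame[10:16]),  # Address 2: what a MAC filter checks
        "address3": fmt_mac(frame[16:22]),
        "sequence": seq_ctl >> 4,
        "body": frame[hdr_len:],               # opaque without the key
    }

# Constructed sample: station-to-AP data frame, ToDS and Protected bits set.
SAMPLE = bytes.fromhex(
    "0841" "2c00"               # frame control, duration
    "020000000001"              # Address 1: AP (constructed)
    "0200000000aa"              # Address 2: sending station (constructed)
    "020000000002"              # Address 3: final destination (constructed)
    "1000"                      # sequence control: sequence number 1
    "a1b2c300deadbeefcafef00d"  # stand-in bytes for the encrypted body
)

if __name__ == "__main__":
    info = parse_dot11_data(SAMPLE)
    print("protected bit set:", info["protected"])
    print("transmitter (cleartext):", info["transmitter"])
    print("body (ciphertext, %d bytes): %s" % (len(info["body"]), info["body"].hex()))
```

Because Address 2 is readable by any receiver in range regardless of the key in use, a MAC allow-list identifies stations but does not authenticate them.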
