802.11 security – wired equivalent privacy (wep) by shruthi b krishnan
Post on 15-Jan-2016
226 views
TRANSCRIPT
802.11 Security – Wired Equivalent Privacy (WEP)
ByShruthi B Krishnan
Agenda for the presentation
Introduction 802.11 Wireless LAN – brief description Goals of WEP Confidentiality in WEP Data Integrity in WEP Access Control in WLANs Security loopholes and attacks on WEP Lessons to be learnt
Introduction
History of wireless technology Inception of wireless networking took place at the University of
Hawaii in 1971. It was called ALOHAnet. Star topology with 7 computers Spanned 4 Hawaiian islands with the central system in Oahu
In 1997, world’s first WLAN standard– 802.11– was approved by IEEE
Wired Equivalent Privacy – security standard proposed by 802.11
Has many loopholes and has been completely broken
802.11 Wireless LAN – brief description
Stations Wireless medium Access Points Distribution System Basic Service Set (BSS) Extended Service set (ESS)
Distribution system
Access Points
Wireless Medium
Mobile stations
Mobile stations
802.11 Wireless LAN – brief description (cont’d)Network services
Distribution System services Association Disassociation Reassociation
Station services Authentication Deauthentication Privacy
Successful Authentication
Unauthenticated andUnassociated
Authenticated andUnassociated
Authenticated andAssociated
Successful Association/ Reassociation
DisassociationDeathentication
Outside the network
Inside the network
Goals of WEP
Confidentiality Uses stream cipher RC4 for encryption
Data Integrity Uses cyclic redundancy check
Access control Shared key authentication
Confidentiality in WEP
One-time pad vs Stream ciphers Perfect randomness is compromised for practicality RC4 algorithm used for encryption of data frames
KEY
Plaintext
Keystream
Ciphertext+
IV
Confidentiality in WEP – (cont’d)WEP keys and Initialization vector (IV)
Shared secret key Shared among all users Changed infrequently Original standard – 40 bit key. Later implementations used 104 bit key WEP uses set of up to 4 keys Key distribution problems
Initialization vector 24 bits Prepended with the secret key Need to be random to prevent key reuse or IV collision IV sent in clear
Data Integrity in WEP
Computes Integrity Check Value (ICV)
ICV is appended with data frame and encrypted
CRC-32 algorithm used Efficient in capturing data tampering Cryptographically insecure
Plaintext ICV
Plaintext CRC-32
Plaintext ICV
RC4IV
Keystream
+
Plaintext ICV
Confidentiality and data integrity in WEP
IVFrame Header
4 bytes3 bytes
pad Keyindex
40 or 104 bit key
Access Control in WLANs
Request for access
Challenge text, R
Encrypt R using WEPMobile station Access Point
Open System Authentication
Shared key authentication
Keystream = R1 C1
Security loopholes and attacks on WEPAttacks on shared key authentication
Request for access
Challenge text, R1
Encrypt R1 using WEP (C1)Good guy Access Point
Request for access
Challenge text, R2
Encrypt R2 using WEP (C2 = Keystream R2)
Bad guy Access Point
+
+
Security loopholes and attacks on WEP - (cont’d)Attacks due to keystream reuse
Improper IV management IV-space is small Implementation dependent Sent in clear
Recovery of plaintexts
Decryption dictionary attacks Independent of keysize
Ciphertext
Plaintext
Keystream
Ciphertext +
+
Plaintext
+
Plaintext
Plaintext
+
Security loopholes and attacks on WEP - (cont’d)Attacks due to CRC
CRC is good for message authentication, but bad for security Both CRC checksum and RC4 are linear and can be easily
manipulated
CRC is unkeyed Attacker can inject messages into the system
Plaintext ICV
Δ + Δc+
Plaintext ICV
Δ = Plaintext Plaintext
= ICV ICV
Δc
+
+
Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access Points
Mobile station Access Point
Change destination
address
Attacker
Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access Points
Mobile station Access Point
Modify any Pi and Pi+16
Attacker
TCP ACK
TCP ACK
Message with flipped
bits
Intercepted ciphertext with
flipped bits
Access points can be used to monitor TCP/IP traffic Recipient send an ACK only if TCP checksum is correct TCP checksum remains unaltered if Pi ex-OR Pi+16 is 1.
Security loopholes and attacks on WEP - (cont’d)Attacks on RC4 used by WEP
Research by Scott Fluhrer, Itsik Mantin and Adi Shamir First byte of plaintext has to be known. For WEP implementations, it is
0xAA Set of weak keys that correspondingly reveal some part of the secret key Format of weak IVs
First byte (B) can range from 0x03 to 0x07 Second byte has to be 0xFF Third byte (N) can be any known value between 0 & 255.
Probability to find a byte of secret key for 60 different values of N is non-negligible
Several successful experiments based on this attack Popular key-recovery programs like Airsnort use this analysis
Lessons learnt from the failure of WEP
Key shared by all users of the system Key is changed infrequently No Perfect forward secrecy Manual key management Key reuse due to non-random IVs
Random IVs are not insisted upon Short IVs No protection for replay attacks
Use of unkeyed CRC instead of SHA1-HMAC Encryption cipher used was weak WEP was not publicly reviewed before it became a standard
WEP is insecure!!
References The Institute of Electrical and Electronics Engineers (IEEE) website
http://www.ieee.org
802.11Wireless Networks- The Definitive GuideBy Matthew S. Gast, O’REILLY Publications.
History of wirelesshttp://www.ac.aup.fr/a38972/final_projectIT338/history.html
Intercepting Mobile Communications: The Insecurity of 802.11By Nikita Borisov, Ian Goldberg, and David Wagnerhttp://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
Weaknesses in the Key Scheduling Algorithm of RC4By Scott Fluhrer, Itsik Mantin and Adi Shamirhttp://www.crypto.com/papers/others/rc4_ksaproc.pdf
Unsafe at any key size: an analysis of the WEP encapsulationBy J. Walker http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zi%p
Your 802.11 Wireless Network has No ClothesBy William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of Computer Science, University of Marylandhttp://www.cs.umd.edu/~waa/wireless.pdf
Popular WEP cracking softwarehttp://airsnort.sourceforge.net/http://sourceforge.net/projects/wepcrack/