IEEE 802.11 Security

IEEE 802.11 Security Specifically WEP, WPA, and WPA2 Brett Boge, Presenter CS 450/650 University of Nevada, Reno

Upload: reba

Post on 12-Jan-2016



TRANSCRIPT

Page 1: IEEE 802.11 Security

IEEE 802.11 Security Specifically WEP, WPA, and WPA2

Brett Boge, Presenter
CS 450/650
University of Nevada, Reno

Page 2: IEEE 802.11 Security

Introduction / History

• IEEE 802.11 standard for wireless LAN (802.11-1997)
• Ratified September 1999
• WEP included
• 2001 UC Berkeley
  Fluhrer, Mantin, and Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4"
• ~2002 WPA
• 2004 802.11i ratified with WPA2
• IEEE 802.11-2007

Page 3: IEEE 802.11 Security

WEP
Wired Equivalent Privacy

• Part of the original 802.11 standard

• Uses RC4 for confidentiality
• Uses CRC32 for integrity

• 64 bit WEP uses a 40-bit key (aka WEP-40)
• Limited by the government

• 128 bit WEP uses a 104-bit key

• Deprecated in 2004

Page 4: IEEE 802.11 Security

RC4

• 1987, "Rivest Cipher 4", aka "Ron's Code"
• 1994 spread on the internet
• Stream cipher

KSA (Key scheduling algorithm):

    S[i] = {0,1,2,3…}
    j = 0
    for i = 0 – 255
        j := (j + S[i] + key[i mod keylength]) mod 256
        swap values of S[i] and S[j]
    end

Page 5: IEEE 802.11 Security

RC4

PRGA:

    i = 0
    j = 0
    as long as we need output:
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap S[i] and S[j]
        output S[(S[i] + S[j]) mod 256]

Page 6: IEEE 802.11 Security

WEP

• Uses RC4 for encryption
• Uses CRC32 for integrity

Encryption:

Page 7: IEEE 802.11 Security

Initialization Vector

• Fixed-sized input into a crypto function
• Prevents repetition
• Uniqueness important
• WEP uses 24 bit
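The KSA and PRGA from the RC4 slides, combined with WEP's IV and CRC32 integrity value, as an added example that is not part of the original presentation. It shows why IV uniqueness matters: two frames sent under the same IV and key share a keystream, so XORing the ciphertexts yields the XOR of the plaintexts. Assumptions: the frame is simplified to IV || ciphertext (no key ID byte or 802.11 header), and KEY, IV, P1 and P2 are constructed sample values.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    # KSA: start from the identity permutation, then mix in the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # PRGA: emit n keystream bytes.
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    # ICV = CRC32 of the plaintext, appended little-endian before encryption.
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    # Per-packet RC4 key = 24-bit IV || shared key; the IV is sent in the clear.
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data

# Constructed sample values (assumptions, not taken from the slides).
KEY = bytes.fromhex("0102030405")   # 40-bit shared key (WEP-40)
IV = bytes.fromhex("a1b2c3")        # 24-bit IV
P1 = b"GET /index.html "
P2 = b"user=alice&x=123"

def duplicate_iv_leak(iv1: bytes = IV, iv2: bytes = IV) -> bool:
    # Same IV and key give the same keystream, so C1 xor C2 == P1 xor P2.
    c1 = wep_encrypt(iv1, KEY, P1)[3:]
    c2 = wep_encrypt(iv2, KEY, P2)[3:]
    return xor(c1[:len(P1)], c2[:len(P2)]) == xor(P1, P2)

if __name__ == "__main__":
    print("duplicate IV leaks P1 xor P2:", duplicate_iv_leak())
```

With only 24 bits of IV, a busy network has to repeat IVs, which is the condition the function checks for.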

Page 8: IEEE 802.11 Security

WEP “Authentication”

2 Methods

Page 9: IEEE 802.11 Security

Attacking WEP
Fluhrer, Mantin, and Shamir

With certain weak IVs, knowing the nth byte of a keystream allows the attacker to derive the n+1th byte.

IVs of form (a + 3, n − 1, x) will help to provide a possible key value at index a

• 2001 "Weaknesses in the Key Scheduling Algorithm of RC4"
• Key recovery
• Requires a sufficiently large number of messages
• Exploits weak IVs

Page 10: IEEE 802.11 Security

Additional WEP Weaknesses

• No key management, shared key

• Statistical attack against duplicate IVs

• 2005 - FBI showed that WEP can be cracked in 3 minutes using publicly available tools

• More correlations between the keystream and the key than shown by Fluhrer, Mantin, and Shamir (KSA weaknesses)

• 2007 - Erik Tews, Andrei Pyshkin, and Ralf-Philipp Weinmann

104bit WEP key:
  50% - 40,000
  80% - 60,000
  95% - 80,000

Page 11: IEEE 802.11 Security

WPA
Wi-Fi Protected Access

• 2002 Wi-Fi Alliance
• WPA stopgap until 802.11i

• No shared key, uses TKIP
  • 128 bit
  • Per-packet
  • Subject to old weaknesses

• Uses RC4 to run on old hardware

• Stronger Integrity, no CRC, uses MACs

Page 12: IEEE 802.11 Security

WPA2
Wi-Fi Protected Access

• 2004 Wi-Fi Alliance
• IEEE 802.11i-2004

• No TKIP, uses CCMP as standard
  • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
  • Block Cipher using AES

• Mandatory for all devices bearing the Wi-Fi mark

Page 13: IEEE 802.11 Security

WPA/WPA2 Authentication

Page 14: IEEE 802.11 Security

Conclusion

• WEP
  • Many weaknesses, deprecated

• WPA
  • uses weaker TKIP, better than WEP
  • Less intensive
  • Supported on older equipment

• WPA2
  • uses AES
  • 802.11i standard

Despite wireless security, using a tunnel (IPsec, SSH) when on a wireless network is a good idea to double your protection.