Intercepting Mobile Communications: The Insecurity of 802.11
  Nikita Borisov    Ian Goldberg          David Wagner
  UC Berkeley       Zero-Knowledge Sys    UC Berkeley
  Presented by Kunjan Naik

Agenda
  Introduction
  WEP protocol
    Brief description
    Security goals
  Keystream reuse attacks
  Attacks involving message authentication
  Countermeasures
  Conclusion

Typical Scenario
  [Figure: Ad-Hoc Network; Infrastructure Network]

WEP Protocol
  Wired Equivalent Privacy
  Link Layer Security Protocol
  Goals:
    Confidentiality: Protection against eavesdropping
    Access Control: Restrict accessibility
    Data Integrity: Correctness of data

RC4 and Stream Ciphers
  RC4 encryption is a Vernam cipher
  RC4 is a stream cipher
  Generates pseudo-random keystream from the key (IV || Key)
  [Figure: Encryption. Labels: key; pseudo-random number generator; plain text data byte; cipher text byte]

WEP Protocol
  Mobile station shares key with Access Point
  Transmitting a message M
    Compute checksum of M and append it to M
    Generate keystream using RC4(IV,Key)
    Xor <M,C(M)> with keystream
    Transmit IV and cipher text
  Upon receiving
    Reverse steps

Packet Format and Encapsulation
  Encryption Algorithm = RC4
  Key length = 40 bits. IV length = 24 bits
  C = RC4(IV,K) xor <M, C(M)>
  [Figure: Message and CRC; XOR; Keystream = RC4(IV,k); IV and Cipher Text]

WEP Authentication
  Authentication key distributed out-of-band
  Access Point generates a “randomly generated” challenge
  Station encrypts challenge using pre-shared secret
  Denial of service attack
  [Figure: Shared secret distributed out of band; Challenge (Nonce); Response (Nonce RC4 encrypted under shared key); Decrypted nonce OK?]

So What are the Problems?
  Shared key mechanism
    Same shared key in the network
  Attacks based on Keystream Reuse
    IV collision
  Decryption Dictionaries
  Message modification
  Message injection.

Shared key mechanism
  Single key or array of shared keys between all mobile stations in the network
  Key length is just 40 bits.
  Key management is a misnomer
  Shared keys change rarely.
  Chances of IV collision proportional to number of users.

IV Collision
  P1 and P2 packets with same IV
  C1 = P1 xor RC4(IV,Shared Key)
  C2 = P2 xor RC4(IV,Shared Key)
  C1 xor C2 = P1 xor P2
  Attacker knows the Xor of two plaintexts
  Given P1 or P2, easy to find the other
  More packets with same IV: easier
  Dragging cribs, frequency analysis methods

Key Reuse
  Shared key same in both directions
  Keystream depends on IV as Key is fixed
  IV included in unencrypted portion of message
  IV reset to 0 when initialized
  Easy to find collisions
  After 16 million packets (worst case) IV repeats

How to find keystream reuse?
  IV space - 2^24 possibilities
  Collision after a few minutes on a busy AP
  WEP standard recommends (but does not require) that the IV be changed per packet
  Moreover, IV set to 0 when re-initialized
  Finding keystream reuse is therefore easy

How to get plaintext?
  IP traffic predictable - well defined structures and message content
  Login sequences and Welcome messages
  Sniffing Authentication challenge - plain and cipher text both
  Sending packets from outside - ping
  Broadcast packets in both encrypted and unencrypted form - for some implementations

Attack from both ends
  [Figure: Internet, Attacker, AP, Attacker, MS. Labels: Attacker sends data; AP encrypts plaintext data]

Attack from both sides cont’d
  Attacker will send packets from internet to mobile station and AP will encrypt them for attacker
  Flip bits to change destination address to host we control - IP checksum needs to be modified
  Sufficient number of packets with different IVs will enable the attacker to build a decryption dictionary

Decryption Dictionaries
  Xoring cipher text and plain text gives keystream
  Store one to one mapping of IV to RC4(IV,Key)
  Xor any packet with corresponding IV and read data
  Number of entries in table 2^24
    1500 bytes per packet - 24 GB
  Independent of key size - depends on IV only.
  Building table ensures immediate decryption

Message Authentication
  CRC checksum for data integrity
  CRC resilient against random errors and not malicious attacks
  CRC is independent of IV and key
  CRC and RC4 are linear
  CRC(X xor Y) = CRC(X) xor CRC(Y)
  So, changing bits in packet is easy

Message modification
  C = RC4(IV,K) * {M,C(M)}
  Let M’ = M * D
  D is arbitrarily chosen and * => xor
  C’ = C * {D, C(D)}
     = RC4(IV,K) * {M,C(M)} * {D,C(D)}
     = RC4(IV,K) * {M * D,C(M) * C(D)}
     = RC4(IV,K) * {M * D,C(M * D)}
     = RC4(IV,K) * {M’, C(M’)}
  Effectively Attacker does C’ = C * {D, C(D)}

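Added example (not part of the original slides): the derivation above carried out in Python with zlib's CRC-32, next to the keyed-checksum countermeasure the deck lists later. HMAC-SHA256, the stand-in keystream KS (used in place of RC4(IV,K)), the keys, the messages and all function names are assumptions of this example. Note that CRC-32 with its init and final XOR is affine, so the checksum correction needs an extra crc(00..0) term for equal-length inputs.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "little")

def crc_delta(d: bytes) -> bytes:
    # zlib's CRC-32 is affine rather than strictly linear, so for
    # equal-length inputs crc(M ^ D) = crc(M) ^ crc(D) ^ crc(00..0).
    return xor(crc(d), crc(bytes(len(d))))

def modify(ct: bytes, d: bytes) -> bytes:
    """C' = C xor <D, C(D)>; uses neither the key nor the keystream."""
    return xor(ct, d + crc_delta(d))

def crc_ok(body: bytes) -> bool:
    """WEP-style receiver check on the decrypted <M, C(M)>."""
    return crc(body[:-4]) == body[-4:]

def seal(mac_key: bytes, m: bytes) -> bytes:
    """Keyed checksum: <M, HMAC-SHA256(mac_key, M)> (this example's choice)."""
    return m + hmac.new(mac_key, m, hashlib.sha256).digest()

def mac_ok(mac_key: bytes, body: bytes) -> bool:
    m, tag = body[:-32], body[-32:]
    return hmac.compare_digest(hmac.new(mac_key, m, hashlib.sha256).digest(), tag)

# Constructed sample values; KS stands in for the keystream RC4(IV,K).
KS = hashlib.sha256(b"stand-in keystream").digest() * 2
MAC_KEY = b"constructed-mac-key"
M, M2 = b"fan=off;t=21", b"fan=on ;t=99"       # equal length
D = xor(M, M2)

def demo():
    # Receiver decrypts the modified CRC-protected frame C'.
    wep_body = xor(modify(xor(M + crc(M), KS), D), KS)
    # Same bit flips against an HMAC-protected frame: the tag cannot be fixed up.
    mac_body = xor(xor(xor(seal(MAC_KEY, M), KS), D + bytes(32)), KS)
    return wep_body[:-4], crc_ok(wep_body), mac_body[:-32], mac_ok(MAC_KEY, mac_body)

if __name__ == "__main__":
    print(demo())
```

The unkeyed CRC accepts the altered message, while the keyed tag rejects the identical bit flips because the correction term cannot be computed without the MAC key.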
Message Injection
  Attacker needs plain text and cipher text
  Attacker has fake message F and computes C(F)
  Computes C’ = {F,C(F)} xor RC4(IV,key)
  Transmits (IV, C’)
  Reuse old IVs and circumvent access control
  Attacker can authenticate himself using message injection

Message Decryption
  IP redirection - Send encrypted packet to host on the internet; IP checksum and firewall issues
  Reaction attacks - TCP packets will be dropped for incorrect checksum and TCP ack for the correct packets. Modify packet and check recipient's reaction

Attack Practicality
  Use off the shelf wireless card and software radio
  Sit outside competitor’s office and sniff packets
  Reverse engineer firmware to inject packets
  Dictionaries - Has to be done once

Countermeasures
  Data encryption is not enough - access control through data authentication is a must
  Use block ciphers
  Increase key length
  Make checksum keyed function of message
  Put wireless network outside firewall - treat it as public network

Conclusion
  Public review is essential
  All three goals
    Confidentiality - Attacker can read traffic
    Access Control - Attacker can inject traffic
    Data Integrity - Attacker can modify traffic
  Use VPN, IPSec, SSH along with WEP
  ESN is supposed to solve all problems