security technologies built into 802.11 std. presented by t.r.santhosh
TRANSCRIPT
Security Technologies built into 802.11 std.
Presented by
T.R.Santhosh
4/14/2008 2
Outline
Introduction to 802.11 Standard.Security Technologies embedded into
802.11;– Wired Equivalent Privacy (WEP)
• How it works• Drawbacks
– Wi-Fi Protected Access (WPA)
WPA2
4/14/2008 3
Introduction to 802.11802.11 is IEEE standard for Wireless LAN.Specifically, the 802.11 standard addresses:
– Functions required for an 802.11 compliant device to operate either in a peer-to-peer fashion or integrated with an existing wired LAN
– Operation of the 802.11 device within possibly overlapping 802.11 wireless LANs and the mobility of this device between multiple wireless LANs
– MAC level access control and data delivery services to allow upper layers of the 802.11 network
– Several physical layer signaling techniques and interfaces – Privacy and security of user data being transferred over
the wireless media
4/14/2008 4
Wired Equivalent Privacy (WEP)
WEP was included as the privacy of the original IEEE 802.11 standard ratified in September 1999.
WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity.
Two methods of authentication can be used with WEP: – Open System authentication – Shared Key authentication.
4/14/2008 5
How WEP works
WEP uses the RC4 algorithm to encrypt the packets of information as they are sent out from the access point or wireless network card. As soon as the access point receives the packets sent by the user’s network card it decrypts them.
The actual encryption logic in RC4 is very simple. The plain text is XOR-ed with a keystream. The security of RC4 comes from the secrecy of the packet key that’s derived from the keystream.
4/14/2008 6
How WEP works Contd.,So what’s a packet key?
– The packet key is formed by combining a pre-shared password, a state array and an initialization vector (IV).
Pre-shared Password: – The same pre-shared password is used by all users for
each packet that is transmitted. State Array:
– It’s a series of numbers which are scrambled and then used by RC4 to construct the key stream.
Initialization Vector (IV):– The IV is a 3-byte random number generated by the
computer. It’s either prepended or appended to the cipher text and sent to the receiver who strips the IV off before decrypting the cipher text.
4/14/2008 7
RC4 Algorithm
The RC4 algorithm consists of 2 main parts: – The Key Scheduling Algorithm:
• The KSA process involves creating a scrambled state array . This state array will now be used as input in the second phase, called the PRGA phase.
– The Pseudo Random Generation Algorithm:• The state array from the KSA process is used here to
generate a final key stream. Each byte of the key stream generated is then Xor’ed with the corresponding plain text byte to produce the desired cipher text.
4/14/2008 8
RC4 Algorithm Contd., Key Scheduling Algorithm
– State array is the array of values equal to the index you want to use in the algorithm. The Index for WEP by default is 256. The components required for the KSA are the values of the variables i and j, the index value, the pre-shared password and its length.
– The algorithm which uses these values to generate a final keystream is outlined below.
for i from 0 to 255 S[i] := I
endfor j := 0 for i from 0 to 255
j := (j + S[i] + key[i mod keylength]) mod 256 swap(S[i],S[j])
endfor
4/14/2008 9
RC4 Algorithm Contd.,Pseudo Random Generation Algorithm (PRGA)
– A pseudorandom number generator (PRNG) is an algorithm that generates a random sequence of numbers. The PRGA is responsible for creating the streaming values used to encrypt the plaintext, which is based on the state array, the output of the KSA .
– The methodology that the PRGA follows is outlined below. i := 0
j := 0 while GeneratingOutput:
i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(S[i],S[j]) output S[(S[i] + S[j]) mod 256]
endwhile
4/14/2008 10
How RC4 Works - Example Let’s illustrate the above concepts in the form of an example.
– The plain text that is to be encrypted is TEST.– The password which will be used here is 6258.– The initial values of our variable are as follows:
• i=0 j=0 password=6258 pass length=4 index=4
Following the algorithm we get: – Step-1
State array: State[0]=0 State[1]=1 State[2]=2 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [0 + S[0] + K[0]] mod 4 = 6 mod 4 = 2 Swap(State[0] , State[2]) = Swap(0,2) State[0]=2 State[1]=1 State[2]=0 State[3]=3 Step-2
If the loop continues after the fourth iteration we will get,
Final State Array: State[0]=1 State[1]=0 State[2]=3 State[3]=2
4/14/2008 11
How RC4 Works Contd., Once the KSA state array is ready, the PRGA procedure is initialized. The
procedure is as follows: Initially i=0 j=0 K[0]=6 K[1]=2 K[2]=5 K[3]=8
First Loop: State[0]=1 State[1]=0 State[2]=3 State[3]=2i=1;j=0+State[1]=0+0=0Swap(State[1], State[0]) = Swap(0,1) State[0]=0 State[1]=1 State[2]=3 State[3]=2z = State[State[1] + State[0] mod 4] = State[1] = 1 z1 = 00000001
Once all the iterations are over, we will get the key and the encrypted text will be
T xor z1 = 01010100 xor 00000001 = 01010101 = U E xor z2 = 01000101 xor 00000001 = 01000100 = D S xor z3 = 01010011 xor 00000001 = 01010010 = R T xor z4 = 01010100 xor 00000010 = 01010110 = U
4/14/2008 12
How to crack WEP Each client Wi-Fi network card and access point in a WEP-protected
network shares the same WEP key. Encryption uses the RC4 algorithm, a stream cipher. It is essential
that the same key never be used twice with a stream cipher. To prevent this from happening, WEP includes a 24-bit initialization vector (IV) in each message packet.
The RC4 key for that packet is the IV concatenated with the WEP key.
The simplest to understand uses the fact that the 24-bit IV only allows a little under 17 million possibilities. Because of the birthday paradox, it is likely that for every 4096 packets, two will share the same IV and hence the same RC4 key, allowing the packets to be attacked.
In probability theory, the birthday problem, or birthday paradox, pertains to the probability that in a set of randomly chosen people some pair of them will have the same birthday. In a group of 23 (or more) randomly chosen people, there is more than 50% probability that some pair of them will have the same birthday. For 57 or more people, the probability is more than 99%, tending toward 100% as the pool of people grows.
4/14/2008 13
How to crack WEP Contd., If adversary catches 10,000 packets then they can get many
packets with same IV. Lets assume they are sending a test packet to the network
and capture the encrypted packet. Now they have the pieces of information:
– Plain text 1 using IV.– Cipher text 1 generated with IV.
With this they can find the keystream with the following equation
Key stream = Cipher text 1 XOR Plaintext 1 Once they find the keystream then they can decrypt all the
messages, with some simple mathematical calculations. Now with high end machines and tools, this cracking can be
done within minutes.
4/14/2008 14
Wi-Fi Protected Access WPA WPA was created by the Wi-Fi Alliance, an industry trade group,
which owns the trademark to the Wi-Fi name and certifies devices that carry that name.
WPA was designed to enhance the security of wireless networks. There are two flavors of WPA: enterprise and personal.
– Enterprise is meant for use with an IEEE 802.1X authentication server, which distributes different keys to each user.
– Personal WPA utilizes less scalable "pre-shared key" (PSK) mode, where every allowed computer is given the same passphrase. In PSK mode, security depends on the strength and secrecy of the passphrase.
Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger initialization vector, this provides greatly improved protection against, and effectively defeats, the well-known key recovery attacks on WEP.
4/14/2008 15
Temporal Key Integrity Protocol
Temporal Key Integrity Protocol or TKIP is a security protocol used in the IEEE 802.11 wireless networks .
TKIP is a "wrapper" that goes around the existing WEP encryption. TKIP comprises the same encryption engine and RC4 algorithm defined for WEP. However, the key used for encryption in TKIP is 128 bits long. This solves the first problem of WEP: a too-short key length.
An important part of TKIP is that it changes the key used for each packet. The key is created by mixing together a combination of things, including a base key, the MAC address of the transmitting station, and the serial number for the packet.
4/14/2008 16
Temporal Key Integrity Protocol Each packet transmitted using TKIP has a unique 48-bit serial number that
is incremented every time a new packet is transmitted and used both as the Initialization Vector and part of the key. Putting a sequence number into the key ensures that the key is different for every packet. This solves another problem of WEP, called "collision attacks," which can occur when the same key is used for two different packets. With different keys, there are no collisions.
Having the serial number of the packet also be the initialization vector helps to reduce yet another WEP problem, called "replay attacks." Because a 48-bit sequence number will take thousands of years to repeat itself, no one can replay old packets from a wireless connection---they will be detected as out of order because the sequence numbers won't be right.
Example for Replay Attack:Suppose Alice wants to prove her identity to Bob. Bob requests her
password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping the conversation and keeps the password. After the interchange is over, Eve connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password read from the last session, which Bob must accept.
4/14/2008 17
WPA Cont.,
In addition to authentication and encryption, WPA also provides vastly improved payload integrity.
The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key.
A more secure message authentication code is used in WPA, using an algorithm named "Michael".
4/14/2008 18
Message authentication code
A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's integrity to detect any changes to the message content.
4/14/2008 19
Message authentication code
4/14/2008 20
WPA Contd.,
Changes in WPA over WEP– The size of the keys and IV is increased.– Reduced the number of packets sent with
related keys.– Added a secure message verification
system.
With all the above features WPA makes breaking into a wireless LAN far more difficult.
4/14/2008 21
WPA2
WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, that is considered fully secure.
From March 13, 2006, WPA2 certification is mandatory for all new devices wishing to be Wi-Fi certified.
4/14/2008 22
References
http://www.intelligraphics.com/articles/80211_article.html
http://palisade.plynt.com/issues/2006Dec/wep-encryption/
http://palisade.plynt.com/issues/2007Feb/cracking-wep/
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
4/14/2008 23
References Contd.,
http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol
http://en.wikipedia.org/wiki/Message_integrity_code
http://en.wikipedia.org/wiki/Replay_attack
http://en.wikipedia.org/wiki/Birthday_paradox
4/14/2008 24
Questions