1 / 30

Intercepting Mobile Communications: The Insecurity of 802.11

Intercepting Mobile Communications: The Insecurity of 802.11. By Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero Knowledge Systems UC Berkeley In Proc. of ACM Mobicom, 2001. What’s on your wireless network?.

cecilwallace
Download Presentation

Intercepting Mobile Communications: The Insecurity of 802.11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intercepting Mobile Communications: The Insecurity of 802.11 By Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero Knowledge Systems UC Berkeley In Proc. of ACM Mobicom, 2001

  2. What’s on your wireless network? • 802.11 (Wi-Fi) networks are ubiquitous today • Types of encryption: • Open (No encryption) • WEP • WPA/WPA2

  3. So what is WEP? • WEP is Wired Equivalent Privacy • Link-layer encryption • Defined in the IEEE 802.11 standard • “Least common denominator” Wi-Fi encryption • Goals of WEP • Confidentiality • Access control • Data integrity

  4. First, let’s introduce the players • Message: What you’re encrypting • CRC: To verify the integrity of the message • Plaintext: The message + CRC • Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment Message CRC IV Key

  5. First, let’s introduce the players • Key: A 40 or 104-bit number which is used to build the keystream • Keystream: What is used to encrypt the plaintext • Ciphertext: What we end up post-encryption Keystream Ciphertext

  6. WEP encryption step-by-step Message CRC • Step 1: Compute CRC for the message • CRC-32 polynomial is used

  7. WEP encryption step-by-step Keystream = RC4(IV, k) • Step 2: Compute the keystream • IV is concatenated with the key • RC4 encryption algorithm is used on the 64 or 128 bit concatenation

  8. WEP encryption step-by-step plaintext Message CRC XOR Keystream = RC4(IV, k) IV Ciphertext • Step 3: Encrypt the plaintext • The plaintext is XORed with the keystream to form the ciphertext • The IV is prepended to the ciphertext

  9. WEP decryption step-by-step IV Ciphertext Keystream = RC4(IV, k) • Step 1: Build the keystream • Extract the IV from the incoming frame • Prepend the IV to the key • Use RC4 to build the keystream

  10. WEP decryption step-by-step Ciphertext XOR Keystream = RC4(IV, k) Message CRC • Step 2: Decrypt the plaintext and verify • XOR the keystream with the ciphertext • Verify the extracted message with the CRC

  11. Attack Practicality • Feasibility of mounting an attack • Equipment capable of monitoring 2.4GHz frequencies (e.g., off the shelf firmware) • Transmit at the same frequency for active attackers • Full access to the link layer for both active and passive attackers

  12. Risks of stream cipher • Possible plaintext recovery • The availability of ciphertexts, keystream reuse • Partial knowledge of some of the plaintexts • Per-packet IV in WEP cannot prevent keystream reuse attacks.

  13. Risks of stream cipher • How to find keystream reuse? • It’s carried in plaintext in the “encrypted” message! • Key k rarely change, IV reset to 0 after initialization • It’s only 24 bits! • There are no restrictions on IV reuse! • How to obtain plausible candidates for the plaintext?

  14. Can be either IP or ARP You know more about the plaintext than you think you know AA AA 03 00 00 00 08 ?? DSAP SSAP CTRL ORG Code Ether type • With 802.11, you know the first eight bytes of a packet • Many IP services have packets of fixed lengths • Most WLAN IP addresses follow common conventions. • Many IP behaviors have predictable responses

  15. Risks of stream cipher • How to obtain plausible candidates for the plaintext? • Well defined structured: IP header fields, contents, traffic patterns (previous slide) • Send IP traffic/emails/spam from an Internet host under the attacker’s control to a mobile host • Send broadcast packets to an access point and observe their encrypted form

  16. Risks of stream cipher • Its possible to build a decryption dictionaries • A table of the keystreams corresponding to each IV • One time effort • Not rely on key size • Key management • A single key is shared for an entire network • A higher chance of IV collision • Difficult to replace compromised keys

  17. Summary: Risks of stream cipher • Use of stream ciphers is dangerous (the reuse of keystream). • Any protocol that uses a stream cipher must take special care to ensure that keystream never gets reused. • In light of this, a protocol designer should give careful consideration to the complications that the use of stream ciphers adds to a protocol when choosing an encryption algorithm.

  18. Potential Attacks to break message authentication • CRC algorithm • The CRC is a linear function • First-order polynomial: y = mx + b • Key property when b is 0: f(x+y) = f(x) + f(y) • The CRC is an unkeyed function

  19. Message modification • An attacker can make arbitrary modifications to an encrypted message without fear of detection • Takes advantage of CRC’s linearity and unkeyed nature. • Need to know some of the plaintext, but not all! Bob Alice ciphertext plaintext encryption algorithm plaintext decryption algorithm Trudy C and C’ are the original and modified cyphertext c is the CRC-32 function Δ is the change in the message

  20. Message injection • An attack is able to inject arbitrary traffic into the network with a pair of plaintext and ciphertext • Takes advantage of CRC’s unkeyed nature and IV reuse. • Need to know all of the plaintext Trudy Bob ciphertext plaintext encryption algorithm plaintext decryption algorithm C is the original cyphertext P is the original plaintext RC4(v,k)is the keystream for IV v M’is the new message c is the CRC-32 function

  21. Authentication spoofing • An attack can defeat the shared-key authentication mechanism • Takes advantage of IV reuse, WEP challenge mechanism for new mobile stations Monitor the exchange and learn an IV-keystream pair Trudy Authenticate mobile stations authentication request nonce (128 bytes) nonce encrypted using the learned IV-keystream pair success if decrypted value equals nonce

  22. Message Decryption • With the ability to modify transmitted packets, an attacker can trick an access point into decrypting some ciphertext for him • IP redirection Trudy Alice • Eavesdrop encrypted frame • Build encrypted IP header with the desired destination IP address • Send frames • Receive unencrypted data at Internet-connected computer

  23. Message Decryption Trudy Alice

  24. Message Decryption • Reaction attacks • No need for connectivity to Internet • Only for TCP traffic • Viewed as a side channel attack • Suggest using a secure MAC Monitor the reaction of a TCP packet (whether there is a ACK) Trudy For a ciphertext C, flip a few bits and adjust CRC to get C’ Infer some bits in plaintext based on whether C’ passes TCP checksum 24

  25. Message Decryption 25

  26. Summary: Potential Attacks to break message authentication • It’s importance to use a cryptographically secure message authentication code. • Any unkeyed function falls short from defending against the attacks discussed here. 26

  27. How hard to crack WEP? • Attacks greatly aided by automated tools • Authors of “The Final Nail in WEP’s Coffin” broke 40-bit key in under 15 minutes and 104-bit key in under 80 minutes • FBI agents demonstrated it in 3 minutes in 2005 • http://www.informationweek.com/management/compliance/160502612 • “Usually it takes five to ten minutes”

  28. Countermeasures • DON’T USE WEP! • Use WPA or WPA2 with a strong key • Change the default settings on your wireless router • Use VPN

  29. Lessons • Reuse past design and • Offer new designs for public reviews.

  30. Conclusion • The paper demonstrated major security flaws in the WEP protocol and described several practical attacks. • WEP should not be counted on to provide strong link-level security, and that additional precautions be taken to protect network traffic.

More Related