210 likes | 353 Views
WEP, WPA, and EAP. Drew Kalina. Overview. Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA) Extensible Authentication Protocol (EAP). WEP. Encryption method: RC4 Key size: 40 bits Hash method: ICV 802.11x authentication: optional Key distribution: manual.
E N D
WEP, WPA, and EAP Drew Kalina
Overview • Wired Equivalent Privacy (WEP) • Wi-Fi Protected Access (WPA) • Extensible Authentication Protocol (EAP)
WEP • Encryption method: RC4 • Key size: 40 bits • Hash method: ICV • 802.11x authentication: optional • Key distribution: manual
WEP Vulnerabilities • ICV insecure – • based on CRC32 (bad) • ICV can be modified to match message contents • IV key reuse attack • Small IV allows this • IV sent as plaintext
WEP Vulnerabilities (cont) • Known plaintext attack • Lots of unencrypted TCP/IP traffic • Send pings from internet to access point • String length N can be recovered for a given IV • Packets of size N can be forged using IV
WEP Vulnerabilities (cont) • Partial Known Plaintext • Only a portion of message is known (e.g. IP header) • Can recover M octets of key stream where M<N • Extend then known key stream from M to N through probing • Divert packets to attacker by flipping CRC32 bits
WEP Vulnerabilities (cont) • Authentication forging • Use recovered key stream and IV because client specifies IV • Dictionary attacks • Key derived from vulnerable password • Realtime decryption • Dictionary of IVs and keystreams • Only 2^24 possibilities • Can be stored in 24GB disk space
WEP summary • Weak encryption with other problems • If possible, use some other protocol • Still better than plaintext
WPA • Encryption method: RC4, TKIP • Key size: 128 bits (varies) • Hash method: ICV, Michael • 802.11x authentication: can be required • Key distribution: TKIP
WPA (cont) • Michael generates MIC (Message Integrity Code) • 8 bits • Placed between data and ICV • TKIP (Temporal Key Integral Protocol) • Resolves keys to be used, looks at client’s configuration • Changes encryption key every frame • Sets unique default key for each client
WPA Vulnerabilities • Birthday attack • Get a pair D,M where D1 = MIC(M1) • When Di = D1 where Di != 1, attack is successful • Probability for success: 2^32 • If keys change during attack, forgery is garbage
WPA Vulnerabilities (cont) • Differential cryptanalytic attack • Michael results have special characteristics • M = Mi XOR Mj and D = Di XOR Dj called characteristic differentials • After characteristic differentials obtained, try to find MIC (learn parts of the key) • Probability of success 2^30 • Optimal attack exists with O(2^29)
WPA Vulnerabilities (cont) • Temporal Key • Lost RC4 Keys • Can discover TK and MIC • Can forge messages • Not a practical attack, O(2^105) • Does show susceptibility in parts of WPA
WPA Vulnerabilities (cont) • DOS • Access point shuts down for 60 seconds if forged unauthorized data detected • Possible to shut access points with little network activity • PSK • Used in absence of 802.1x, 1 per ESS (usually). • Internal person can use this, and a captured MAC address/nonce to imitate another client • Vulnerable to external dictionary attacks, if short
WPA summary • Much better than WEP (if 802.1x) • WEP2 even better using AES-CCMP • There are still vulnerabilities • Many WEP devices are upgradeable to WPA (not WPA2)
Suggestions for WPA • Rekey security associations after failures • Lower/eliminate timeouts after detecting forged packets • Currently would take 1000+ years to break with 60 second timeouts
EAP • Transmission method and framework for authentication protocols • Works with many authen. protocols such as RADIUS, Kerberos. • Uses a variety of transport methods
EAP Transport methods • EAP-TLS • EAP-TTLS • PEAP (Protected EAP) • LEAP (Light EAP)
Vulnerabilities in LEAP • Dictionary attack • Early versions of MS-CHAP weak