1 / 41

Intercepting Mobiles Communications: The Insecurity of 802.11

Intercepting Mobiles Communications: The Insecurity of 802.11. Danny Bickson ACNS Course, IDC Spring 2007. Resources. Borisov, Goldberg, Wagner. Intercepting mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking.

august-lester
Download Presentation

Intercepting Mobiles Communications: The Insecurity of 802.11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007

  2. Resources • Borisov, Goldberg, Wagner. Intercepting mobile communications:the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking. http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf • Guillaume Lehembre Wifi Security: WEP, WPA and WPA2 http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf

  3. WEP Protocol • WEP – Wired Equivalent Privacy • Wireless standard 802.11 • Link layer • Protocol goals: • Confidentiality: prevent eavesdropping • Access control: prevent unauthorized access • Data integrity: prevent tampering of messages • We show that none of the security goals are attained

  4. Network Model Internet

  5. WEP Algorithm Encryption Message CRC(M) RC4(k,IV) IV Cipher

  6. WEP AlgorithmDecryption IV Cipher RC4(k,IV) Message CRC(M)

  7. Confidentiality

  8. Stream cipher properties • Given two ciphers C1,C2– C1V C2 = P1V P2. • Keystream reuse can lead to a number of attacks: • If plaintext of one message is known, the other is immediately obtainable. • In the general case, known techniques for breaking reused keystreams. • As the number of reused keystream increases breaking them becomes easier. • Two conditions required for this class of attcks to succeed: • Availability of ciphertexts where keystream is used more than once. • Partial knowledge of some of the plain texts.

  9. Finding instances of keystream reuse • Shared key k changes rarely. • Reuse of IV causes reuse of keystream. • IV are public.

  10. IV Usage • Standard recommends (but not requires) change of IV. • Common PCMCIA cards sets IV to zero and increment it by 1 for each packet. • IV size is only 24 bits. • Busy access point of 5Mbps will exhaust available space in 11 hours. • Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision

  11. Exploiting keystream reuse • Many fields of IP traffic are predictable. • For example: login sequences. • Active attack (known plaintext)

  12. Decryption dictionaries • Once plaintext of encrypted message is obtained, keystream value stored in dictionary. • Full table requires 24GB • Size of dictionary does not depend of size of key

  13. Key management

  14. Message Authentication • Message modification • Message injection

  15. Message Modification • Checksum used is CRC-32 which is a linear function of the message: • In other words, checksum distributes over the XOR operation. C(x V y) = C(x) V C(y) • RC4 stream cipher also linear.

  16. The attack Given C we would like to create C’ s.t. C’ decrypts to M’ instead of M. Cipher D CRC(D) = RC4(k,IV) D CRC(D) Message CRC(M) = D CRC(D) RC4(k,IV) Message CRC(M) = RC4(k,IV) M’ CRC(M’)

  17. Message Injection • WEP checksum is an unkeyed function of the message. • After knowing one keystream we can use it forever. C’ = <M’, CRC(M’)> V RC4(IV,k)

  18. Other attacks • IP redirection. Assumption: Destination address is known.

  19. IP redirection (cont.) • Need to calculate IP checksum • Several options • IP checksum for original packet is known • Original IP checksum is not known • Compensate by changing another IP field

  20. Reaction Attack • Works only for TCP protocol • Pick i at random, let D be all zeros, except for positions i and i+16. Calc C’ = C VD. Two options: 1. Got an acknowledgment, PiV Pi+16 = 1 2. Else PiV Pi+16 = 0 • Each test reveals 1 bit of information

  21. Example attacks

  22. ARP Request

  23. Conclusion • Design of security protocols is difficult (more than the design of network protocols) • Combining several secure algorithms does not mean that the result is secure • Engineering perspective dictated selection of cryptographic algorithms

  24. Fixing WEPWPA – Wi-Fi Protected Accessand 802.11i

  25. WPA • WPA – Wi-Fi Protected Access • Draft security enhancements for 802.11 • A subset of the 802.11i proposed standard • Proposed by IEEE 802.11 TGi (Task Group i) • Design goals • Preserve packet format • Work with deployed 802.11 hardware in AP and NICs • Composed of two components • Authentication and master key generation– 802.1X • TKIP (Temporal Key Integrity Protocol) - Temporal key generation, Confidentiality and Integrity

  26. 802.11i • A proposed standard • Defines authentication, key management, confidentiality, integrity and encapsulations for 802.11 • Includes • WEP (current implemented) • Encryption: RC4; Integrity: CRC-32 • TKIP (temporary solution) • Encryption: RC4; Integrity: Michael • WRAP (Wireless Robust Authenticated Protocol) • Encryption: AES; Integrity: HMAC-MD5

  27. TKIP – Temporal Key Integrity Protocol

  28. TKIP Components • TKIP is a wrapper around WEP • A cryptographic MIC (Message Integrity Code) • A per-packet sequence number • A per-packet key mixing function • A rekeying mechanism (802.1X)

  29. TKIP MIC • MICHAEL the MIC function is designed for very low bandwidth CPU (the ones that are used by the Access Point) • Key length – 64 bits • The MIC is computed over the source address, the destination address and the data • Protects against packet modification (e.g. bit flipping) • Protects against header forgery

  30. WEP with Enabled MIC =MAC =CRC

  31. TKIP Sequence Counter • The station and the Access Point maintain a TKIP sequence counter • The transmitter increments the TKIP sequence counter each time it sends a packet • The counters are reset when new temporal keys are established • The sequence counter is mixed with the temporal key and the transmitter MAC address to create a RC4 seed key • On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage • Protects against replay attack

  32. TKIP Keys • TKIP is using temporal keys • The station and the Access Point periodically exchange temporal keys • Four keys • One Integrity (MIC) and one Encryption key per direction

  33. TKIP ENCAPSULATION

  34. TKIP Encapsulation • Calculate the 64 bits MIC with the MIC temporal key, over the source and destination addresses. The MIC is inserted into the message data • The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key • The first three bytes of the key are stored in the IV field • The remaining 13 bytes are stored in a free WEP key buffer • The packet is sent to WEP processing

  35. TKIP DECAPSULATION

  36. TKIP Decapsulation • The IV and the temporal key are concatenated, to create the RC4 seed key • The key is de-mixed – to create the TKIP sequence counter. The counter is checked to be in sequence • The key, the IV and the data are sent for WEP decapsulation • After RC4 decryption, the MIC, with the temporal MIC key, is computed over the source and destination addressed and the decrypted packet , and is compared to the MIC field in the packet

  37. TKIP Notes • The TKIP temporal key must be exchanged every less then 216 packets, since the key mixing can produce 216 different IVs • The MIC and key mixing algorithms are cryptographically weak • But, all the WEP known problems are solved • TKIP is a temporary solution – until NICs and APs with new hardware arrives to the market • The 802.11i uses AES encryption

More Related