1 / 21

WEP Weaknesses

WEP Weaknesses. Or “What on Earth does this Protect”. Roy Werber. Goals. Authorization Prevent unauthorized access to network Privacy The P in WEP Make it feel like LAN Maintain data privacy from outsiders. Basic Flaws. Bad design

cher
Download Presentation

WEP Weaknesses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WEP Weaknesses Or “What on Earth does this Protect” • Roy Werber

  2. Goals • Authorization • Prevent unauthorized access to network • Privacy • The P in WEP • Make it feel like LAN • Maintain data privacy from outsiders

  3. Basic Flaws • Bad design • Each component is good, but not suited to datagram environment • No key management • One key for all • Bad implementation

  4. Stream Ciphers • C = P  S • Key streams must never be reused • C1  C2 = (P1  S)  (P2  S) = P1  P2 • Forgery is easy – Bit flip attack • If M2 = M1  X • Then C2 = C1  X

  5. Stream Ciphers And Datagram • Key streams must never be reused • Encryptor and decryptor must remain synchronized • Bad for datagram environment • Without Random Access property encryption process starts for each packet •  Different key for each packet

  6. WEP Solution • ICV – Prevents forgery • Checksum on the data prevents bit flipping • IV – Prevents key reuse • Each packet a new key that starts a new stream is used

  7. ICV Prevents Forgery? • Uses CRC-32 checksum • CRC-32 is linear: • CRC(A  B) = CRC(A)  CRC(B) • RC4 is transparent to XOR • C = RC4 ( [M,CRC(M)] ) • C’ = C  [X,CRC(X)] = [M,CRC(M)]  S  [X,CRC(X)] = RC4 ([M X, CRC( M X)])

  8. IV Prevents Key Reuse ? • IV space is very small : 224 • Birthday attack: • 50% chance of collision after only 4823 packets • 99% collision after 12,430 packets = 3 seconds in 11 Mbps traffic • Assuming random IV selection (Some implemented IV as a counter from 0) • Assuming IV changes. Its optional

  9. After IV Match Is Found • Pattern recognition on the XOR’d plaintext • ICV tells if the guess is correct • After only a few hours of observation, you can recover all 224 key streams • Get active: • Send Spam to the network • Get the victim to send e-mail to you • Known plaintext  Key stream

  10. Authentication • SSID • Shared Key • MAC

  11. Authentication Problems • SSID – Easy to get by sniffing, it is broadcasted (If WEP encryption deployed – access by key) • MAC – It is broadcasted • Can be spoofed

  12. Challenge (Nonce) Response ( RC4 [Nonce] under shared key) How to Authenticate without the Key AP STA Decrypted nonce OK? • Simple Attack: • Record one challenge/response with a sniffer • Use the challenge to decrypt the response and recover the key stream • Use the recovered key stream to encrypt any subsequent challenge

  13. Types Of Attacks • IV re-use attack to decrypt traffic • We already seen it • Replay Attack • Trivial • Statistical attacks • IP Modification • Active attack to inject traffic • Bit flip attack to recover key stream

  14. Improvement Techniques “Grow” a partial keystream, Use key table

  15. FMS Attack • Fluhrer, Martin and Shamir found a class of RC4 keys called “weak keys” • If the first 2 bytes of enough key stream are known -> The RC4 key is discovered • The first 8 bytes of WEP packet is a known SNAP-SAP header • AirSnort implements this attack • Recovers key after 20,000 packets = 11 seconds

  16. IP Modification IP redirection: • Change the destination of an encrypted packet to a machine controlled by the attacker on the wired network. • Send modified frame to AP that will decrypt it and send to attacker machine • Derive keystream from this ciphertext, plaintext pair • Attacker can reuse keysteam to send/receive WLAN traffic

  17. Inject Traffic • If there is a known cipher plaintext pair • The cipher can be modified to any message • Correct CRC is calculated and inserted • Uses: • Unauthorized traffic can be sent • User commands can be altered. (telnet ,ftp, etc)

  18. Bit Flipping Attack

  19. Practicality • Available cheap equipment • Laptop and wireless card • Tools: AirSnort, Netstumbler, Kismet • Easy to sniff, harder to transmit

  20. Main Points • WEP was badly designed • WEP was badly implemented • I didn’t even speak about DoS attack, MITMs, Impersonating to AP • Treat wireless the way you treat remote traffic

  21. Thank You!

More Related