1 / 18

An Inductive Chosen Plaintext Attack against WEP/WEP2

An Inductive Chosen Plaintext Attack against WEP/WEP2. William A. Arbaugh University of Maryland, College Park waa@cs.umd.edu. Talk Outline. Introduction WEP/WEP2 IP Walker/Berkeley Attacks Attack Overview Attack Details Conclusions. 802.11 Hdr. ICV. Data. Encapsulate. Decapsulate.

monicaellis
Download Presentation

An Inductive Chosen Plaintext Attack against WEP/WEP2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Inductive Chosen Plaintext Attack against WEP/WEP2 William A. Arbaugh University of Maryland, College Park waa@cs.umd.edu William Arbaugh, University of Maryland

  2. Talk Outline • Introduction • WEP/WEP2 • IP • Walker/Berkeley Attacks • Attack Overview • Attack Details • Conclusions William Arbaugh, University of Maryland

  3. 802.11 Hdr ICV Data Encapsulate Decapsulate 802.11 Hdr IV Data WEP/WEP2 • Encryption Algorithm = RC4 • Per-packet encryption key = IV concatenated to a pre-shared key • WEP: 24 bit IV • WEP2: 128 bit IV • WEP allows IV to be reused with any frame • Data integrity provided by CRC-32 of the plaintext data (the “ICV”) • Data and ICV are encrypted under the per-packet encryption key William Arbaugh, University of Maryland

  4. ICV 24 luxurious bits Encrypted under Key +IV using a Vernam Cipher 802.11 Hdr IV Data How to Read WEP Encrypted Traffic (1) • 50% chance of a collision exists already after only 4823 packets!!! • Pattern recognition can disentangle the XOR’d recovered plaintext. • Recovered ICV can tell you when you’ve disentangled plaintext correctly. • After only a few hours of observation, you can recover all 224 key streams. William Arbaugh, University of Maryland

  5. How to Read WEP Encrypted Traffic (2) • Ways to accelerate the process: • Send spam into the network: no pattern recognition required! • Get the victim to send e-mail to you • The AP creates the plaintext for you! • Decrypt packets from one Station to another via an Access Point • If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other • Etc., etc., etc. William Arbaugh, University of Maryland

  6. Observations • Walker/Berkeley attacks require either: • Depth and post analysis • Cooperating agent for known plain text • Can we do better? William Arbaugh, University of Maryland

  7. Inductive Chosen Plain Text • Base Case: Recover an initial pseudo random stream of length n from known plain text. • Inductive step: Extend size of known pseudo random to n+1 by leveraging the redundant information in the CRC. William Arbaugh, University of Maryland

  8. Base Case • Find initial pseudo random stream of size n. • Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address. • Known source (0.0.0.0), destination (255.255.255.255), header info • Allows the recovery of 24 bytes of pseudo random stream: Let n = 24 William Arbaugh, University of Maryland

  9. Inductive Step • Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc. • Compute ICV and append only the first three bytes. • XOR with n bytes of pseudo random stream. • Append last byte as the n+1 byte William Arbaugh, University of Maryland

  10. n-3 3 ICV-1 ICV 802.11 Hdr IV  Data Data byte Iterate over the 255 possibilities Encrypted Data Pseudo Random Steam byte n+1 Inductive Step William Arbaugh, University of Maryland

  11. Inductive Step 5. Now send datagram and wait for a response. 6. If no response, try another of the 254 remaining possibilities. 7. If there is a response, then we know: The n+1 byte was the last byte of the ICV, thus we have matching plaintext and ciphertext which gives us the n+1 byte of the pseudorandom stream. William Arbaugh, University of Maryland

  12. ICV-1 ICV 802.11 Hdr IV Data Data n+1 ciphertext byte byte  byte n+1 pseudo byte Encrypted Data Pseudo Random Steam After Response n-3 3 n+1 plaintext byte byte  byte n+1 William Arbaugh, University of Maryland

  13. Attack Cost • Assume moderately aggressive attacker: • ~100 attacker transmissions per second • NOTE: ICV failures will not be passed to OS and thus the attack is difficult to observe (failed ICV counter not withstanding) • 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case • ~40 minutes in average case William Arbaugh, University of Maryland

  14. WEP Costs • 46 hours to build full dictionary of <IV, pseudorandom> with one attacking host (~35GB) • But, the attack is embarrassingly parallel. • Four attacking hosts: 11.5 hours • Eight attacking hosts: 5.75 hours William Arbaugh, University of Maryland

  15. WEP2 Costs • Prohibitive to build entire dictionary in terms of space and time, but we don’t need to do so. • Because, we can still find enough <IV,pseudorandom> pairs to find and attack a vulnerable host on the LAN and recover key actively, e.g. blind scans and blind attacks. William Arbaugh, University of Maryland

  16. This Attack Works • Because of the redundant information provided by the CRC, and • Because of the lack of a keyed MIC William Arbaugh, University of Maryland

  17. Stopping/Mitigating the Attack • Add a keyed MIC (stops attack) • Adding a replay window (mitigates attack) • Modifying the CRC such that it can’t be: • Easily determined by an attacker • Not linear (bit flipping attack) (mitigates attack) William Arbaugh, University of Maryland

  18. Conclusions • Fundamental problem is that both WEP and WEP2 vulnerable to packet forgery. • It’s easy to dismiss this attack (and the Walker/Berkeley attacks) as “academic”. However, it’s only a matter of time before the attacks are implemented/scripted and released …What then? William Arbaugh, University of Maryland

More Related