1 / 21

WEP – Wireless Encryption Protocol

WEP – Wireless Encryption Protocol. A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University. WEP – Wired Equivalent Privacy. A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University. WEP: Weak Encryption Protocol. A. Gabriel W. Daleson

Download Presentation

WEP – Wireless Encryption Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University

  2. WEP – Wired Equivalent Privacy A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University

  3. WEP: Weak Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University

  4. “It seemed like a good idea at the time” • Let’s make it at least as difficult to eavesdrop on wireless traffic as wired traffic… • …which, by the way, is not that hard to eavesdrop on to begin with. • So, instead, let’s just add some neat encryption to 802.11 a/b/g.

  5. Ideas, Good and Bad • WEP is based on RC4 • RC4 is a stream cipher • We use an initialization vector (IV)

  6. In the Beginning, there was the Plan (for WEP-PSK) Alice and Bob share a private shared key (PSK) K, and Alice wants to send Bob the message m. • Alice calculates m1, the message m followed by its CRC. • Alice takes an IV v and uses the stream RC4(v,K) to generate a session key k of the same length as m1.

  7. In the Beginning, there was the Plan (for WEP-PSK) cont. • Alice sends Bob the ciphertext (v,k XOR m1). • Alice picks a new IV for each packet.

  8. RC4 • RC4 is old. (1987) • There are known attacks, including a weak key being generated with probability 1 in 256 • RC4 is a stream cipher; we’re probably much better off with a block cipher for this sort of application

  9. Initialization Vectors • The only requirement of the IV is that it be 24 bits long. • Some Wi-Fi cards start with an IV of 0x000000 when they’re plugged in and just increment the IV with each packet sent. • It’s perfectly legal WEP to never change the IV at all!

  10. More Initialization Vectors • Even if the IVs are chosen randomly, the Birthday Paradox tells us that the chance of finding two packets with the same IV is 1 in 212.

  11. THE 11TH COMMANDMENT Thou shalt not encrypt two plaintexts with the same key, lest Eve and her Evil Empire crack your code and make a fool of ye. (Shamir 17:29)

  12. Why? • Suppose – f’rinstance – Alice used WEP with the same IV on two messages, m and n, and sent Bob (and thus Eve) the ciphertexts M and N.

  13. Why? cont. 1 • Eve – thanks to the fact that the IVs are included as plaintext along with the ciphertexts – will detect this awful mistake, and note that M = m XOR k and N = n XOR k. • Eve will then calculate M XOR N, and the two ks will cancel out; this is just m XOR n.

  14. Why? cont. 2 • If Eve was able to mount a known plaintext attack, she now has the other plaintext. • Even if she wasn’t, the plaintexts will be patterned enough that simple frequency analysis can get both.

  15. The IV Dictionary Attack • Eve thus sits and sniffs traffic, building a dictionary of ciphertexts, IVs, and keys (once she gets them). • Every collision of IVs makes her job easier. • She gets matches in virtually every other set of 4096 packets.

  16. Other issues • If the AP requires WEP use, Eve can use the keys she finds to encrypt her own messages and thus inject traffic. • The PSK is no defense; even if it’s perfectly random and 4096 bits long, there will still only be 224 streams in use.

  17. Defenses • The problem is that there aren’t enough streams, right? • So make some more! • Only problem is, now it’s no longer WEP as far as the standard is concerned.

  18. Easy Defense 1 • Instead of using a static PSK and only 224 IVs, make more of the key vary from packet to packet. • This is basically how SSL does it. (There, the whole 128-bit key can be random.)

  19. Easy Defense 2 • Get rid of RC4. (Use AES instead.) • At least, no stream ciphers. • Big benefit! No longer stuck using ECB mode – feedback modes like CBCs are possible.

  20. One Last Note • Where is encryption (or security, for that matter) in the OSI stack? • To use feedback modes, we need the guarantee of linearity – which TCP promises. • So why are we doing this down in the link layer?

  21. The OSI Stack • 802.11 a/b/g + WEP, TCP, and IPSec • Which layer(s) of the stack should we include confidentiality? integrity? linearity? Should these be restricted to certain layers?

More Related