210 likes | 523 Views
802.11 Security – Wired Equivalent Privacy (WEP). By Shruthi B Krishnan. Agenda for the presentation. Introduction 802.11 Wireless LAN – brief description Goals of WEP Confidentiality in WEP Data Integrity in WEP Access Control in WLANs Security loopholes and attacks on WEP
E N D
802.11 Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan
Agenda for the presentation • Introduction • 802.11 Wireless LAN – brief description • Goals of WEP • Confidentiality in WEP • Data Integrity in WEP • Access Control in WLANs • Security loopholes and attacks on WEP • Lessons to be learnt
Introduction • History of wireless technology • Inception of wireless networking took place at the University of Hawaii in 1971. It was called ALOHAnet. • Star topology with 7 computers • Spanned 4 Hawaiian islands with the central system in Oahu • In 1997, world’s first WLAN standard– 802.11– was approved by IEEE • Wired Equivalent Privacy – security standard proposed by 802.11 • Has many loopholes and has been completely broken
802.11 Wireless LAN – brief description Distribution system • Stations • Wireless medium • Access Points • Distribution System • Basic Service Set (BSS) • Extended Service set (ESS) Access Points Wireless Medium Mobile stations Mobile stations
802.11 Wireless LAN – brief description (cont’d)Network services • Distribution System services • Association • Disassociation • Reassociation • Station services • Authentication • Deauthentication • Privacy Inside the network Outside the network Successful Association/ Reassociation Successful Authentication Disassociation Deathentication Authenticated and Associated Unauthenticated and Unassociated Authenticated and Unassociated
Goals of WEP • Confidentiality • Uses stream cipher RC4 for encryption • Data Integrity • Uses cyclic redundancy check • Access control • Shared key authentication
Confidentiality in WEP • One-time pad vs Stream ciphers • Perfect randomness is compromised for practicality • RC4 algorithm used for encryption of data frames Plaintext Ciphertext + KEY Keystream IV
Confidentiality in WEP – (cont’d)WEP keys and Initialization vector (IV) • Shared secret key • Shared among all users • Changed infrequently • Original standard – 40 bit key. Later implementations used 104 bit key • WEP uses set of up to 4 keys • Key distribution problems • Initialization vector • 24 bits • Prepended with the secret key • Need to be random to prevent key reuse or IV collision • IV sent in clear
Data Integrity in WEP • Computes Integrity Check Value (ICV) • ICV is appended with data frame and encrypted • CRC-32 algorithm used • Efficient in capturing data tampering • Cryptographically insecure
Confidentiality and data integrity in WEP 40 or 104 bit key CRC-32 Plaintext RC4 IV Plaintext ICV Keystream + Plaintext ICV Frame Header IV Plaintext ICV 3 bytes pad Key index 4 bytes
Access Control in WLANs • Open System Authentication • Shared key authentication Request for access Challenge text, R Encrypt R using WEP Mobile station Access Point
Security loopholes and attacks on WEPAttacks on shared key authentication Request for access Challenge text, R1 Encrypt R1 using WEP (C1) Good guy Access Point Keystream = R1 C1 + Request for access Challenge text, R2 Encrypt R2 using WEP (C2 = Keystream R2) + Bad guy Access Point
Security loopholes and attacks on WEP - (cont’d)Attacks due to keystream reuse Plaintext Plaintext Ciphertext + • Improper IV management • IV-space is small • Implementation dependent • Sent in clear • Recovery of plaintexts • Decryption dictionary attacks • Independent of keysize + + Keystream + Ciphertext Plaintext Plaintext
Security loopholes and attacks on WEP - (cont’d)Attacks due to CRC Δ = Plaintext + Plaintext • CRC is good for message authentication, but bad for security • Both CRC checksum and RC4 are linear and can be easily manipulated • CRC is unkeyed • Attacker can inject messages into the system Δc = ICV + ICV Plaintext ICV Δ Δc + + Plaintext ICV
Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access Points Mobile station Access Point Attacker Change destination address
Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access Points TCP ACK Message with flipped bits Mobile station Access Point Intercepted ciphertext with flipped bits TCP ACK • Access points can be used to monitor TCP/IP traffic • Recipient send an ACK only if TCP checksum is correct • TCP checksum remains unaltered if Pi ex-OR Pi+16 is 1. Attacker Modify any Pi and Pi+16
Security loopholes and attacks on WEP - (cont’d)Attacks on RC4 used by WEP • Research by Scott Fluhrer, Itsik Mantin and Adi Shamir • First byte of plaintext has to be known. For WEP implementations, it is 0xAA • Set of weak keys that correspondingly reveal some part of the secret key • Format of weak IVs • First byte (B) can range from 0x03 to 0x07 • Second byte has to be 0xFF • Third byte (N) can be any known value between 0 & 255. • Probability to find a byte of secret key for 60 different values of N is non-negligible • Several successful experiments based on this attack • Popular key-recovery programs like Airsnort use this analysis
Lessons learnt from the failure of WEP • Key shared by all users of the system • Key is changed infrequently • No Perfect forward secrecy • Manual key management • Key reuse due to non-random IVs • Random IVs are not insisted upon • Short IVs • No protection for replay attacks • Use of unkeyed CRC instead of SHA1-HMAC • Encryption cipher used was weak • WEP was not publicly reviewed before it became a standard WEP is insecure!!
References • The Institute of Electrical and Electronics Engineers (IEEE) website http://www.ieee.org • 802.11Wireless Networks- The Definitive Guide By Matthew S. Gast, O’REILLY Publications. • History of wireless http://www.ac.aup.fr/a38972/final_projectIT338/history.html • Intercepting Mobile Communications: The Insecurity of 802.11 By Nikita Borisov, Ian Goldberg, and David Wagner http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html • Weaknesses in the Key Scheduling Algorithm of RC4 By Scott Fluhrer, Itsik Mantin and Adi Shamir http://www.crypto.com/papers/others/rc4_ksaproc.pdf • Unsafe at any key size: an analysis of the WEP encapsulation By J. Walker http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zi%p • Your 802.11 Wireless Network has No Clothes By William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of Computer Science, University of Maryland http://www.cs.umd.edu/~waa/wireless.pdf • Popular WEP cracking software http://airsnort.sourceforge.net/ http://sourceforge.net/projects/wepcrack/