Intercepting Mobile Communications: The Insecurity of 802.11


Presentation Transcript


  1. Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks”
     Dustin Christmann

  2. Introduction
     • This presentation will discuss the inadequacies of WEP encryption
     • We’ll discuss the theoretical weaknesses of the WEP standard
     • We’ll discuss the types of attacks that can exploit those weaknesses
     • We’ll discuss the speed of “real world” attacks on WEP

  3. Agenda
     • What’s on your network?
     • What is WEP?
     • Theoretical weaknesses of WEP
     • Types of attacks on WEP
     • How well do these attacks work in the “real world”?
     • Countermeasures

  4. What’s on your wireless network?
     • 802.11 (Wi-Fi) networks are ubiquitous today
     • Types of encryption:
       • Open (no encryption)
       • WEP
       • WPA/WPA2

  5. So what is WEP?
     • WEP is Wired Equivalent Privacy
     • Link-layer encryption
     • Defined in the IEEE 802.11 standard
     • “Least common denominator” Wi-Fi encryption
     • Goals of WEP:
       • Confidentiality
       • Access control
       • Data integrity

  6. So how does WEP work?

  7. First, let’s introduce the players
     • Message: What you’re encrypting
     • CRC: To verify the integrity of the message
     • Plaintext: The message + CRC
     • Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment
     • Key: A 40- or 104-bit number which is used to build the keystream
     • Keystream: What is used to encrypt the plaintext
     • Ciphertext: What we end up with post-encryption
     (Diagram: Message, CRC, IV, Key, Keystream, Ciphertext)

  8. WEP encryption step-by-step
     Step 1: Compute the CRC for the message
     • The CRC-32 polynomial is used
     (Diagram: Message → CRC)

  9. WEP encryption step-by-step
     Step 2: Compute the keystream
     • The IV is concatenated with the key
     • The RC4 encryption algorithm is run on the 64- or 128-bit concatenation
     (Diagram: IV + Key → Keystream)

  10. WEP encryption step-by-step
     Step 3: Encrypt the plaintext
     • The plaintext (message + CRC) is XORed with the keystream to form the ciphertext
     • The IV is prepended to the ciphertext
     (Diagram: Message + CRC, XOR Keystream → IV + Ciphertext)

  11. WEP decryption step-by-step
     Step 1: Build the keystream
     • Extract the IV from the incoming frame
     • Prepend the IV to the key
     • Use RC4 to build the keystream
     (Diagram: IV + Ciphertext, Key → Keystream)

  12. WEP decryption step-by-step
     Step 2: Decrypt the plaintext and verify
     • XOR the keystream with the ciphertext
     • Verify the extracted message with the CRC
     (Diagram: Ciphertext, XOR Keystream → Message + CRC)

  13. What are the main weaknesses of WEP?

  14. Initialization vector (IV)
     • It’s carried in plaintext in the “encrypted” message!
     • It’s only 24 bits!
     • There are no restrictions on IV reuse!
     • The IV forms a significant portion of the “seed” for the RC4 algorithm!

  15. CRC algorithm
     • The CRC is a linear function
     • First-order polynomial: y = mx + b
     • Key property when b is 0: f(x + y) = f(x) + f(y)
     • The CRC is an unkeyed function

  16. RC4 cipher
     • Some seeds are “weaker” than others
     • By extension, some IV values are weaker than others
     • Weak seeds = more easily calculated keystreams

  17. Defragmentation
     • Not necessarily a weakness
     • Part of the 802.11 standard
     • Affects WPA and WPA2 encryption as well

  18. What are some potential attacks on a WEP network?

  19. First, you know more about the plaintext than you think you know
     • With 802.11, you know the first eight bytes of a packet
     • Many IP services have packets of fixed lengths
     • Most WLAN IP addresses follow common conventions
     • Many IP behaviors have predictable responses
     (Diagram: the first eight bytes of an 802.11 data payload, the LLC/SNAP header)
       DSAP  SSAP  CTRL  ORG Code   Ether type
       AA    AA    03    00 00 00   08 ??       (Ether type can be either IP or ARP)

  20. Message modification
     • Takes advantage of the CRC’s linearity and unkeyed nature
     • C is the original ciphertext
     • c is the CRC-32 function
     • Δ is the change in the message
     • Need to know some of the plaintext, but not all!
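A toy WEP encapsulation that checks the claims of slides 8 to 12 (RC4 keystream XOR message + CRC), slide 15 (the CRC is linear and unkeyed) and slide 20 (message modification). This is added example code, not from the presentation; the 40-bit key, IV and message are constructed sample values. It shows why a linear, unkeyed checksum is not integrity protection: a known XOR difference Δ in the message gives a known difference in the CRC, so the encrypted frame can be altered and the receiver's check still passes, with no knowledge of the key.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Plain RC4 (KSA then PRGA), returning n keystream bytes for the seed IV||key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")  # the slides' c(): 4-byte CRC-32 ICV

def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Slides 8-10: frame = IV || (message || CRC) XOR RC4(IV || key)."""
    plaintext = message + crc(message)
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def wep_decrypt(key: bytes, frame: bytes):
    """Slides 11-12: strip the 3-byte IV, rebuild the keystream, check the CRC."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4_keystream(iv + key, len(body)))
    message, icv = plaintext[:-4], plaintext[-4:]
    return message, icv == crc(message)

def crc_is_affine(x: bytes, y: bytes) -> bool:
    """Slide 15: for equal-length inputs crc(x^y) == crc(x)^crc(y)^crc(0...0);
    the constant crc(0...0) is the 'b' of y = mx + b and cancels in differences."""
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(bytes(len(x)))

def modify_without_key(C: bytes, delta: bytes) -> bytes:
    """Slide 20: XOR delta into the encrypted message and crc(delta)^crc(0...0) into the ICV."""
    iv, body = C[:3], C[3:]
    return iv + xor(body, delta + xor(crc(delta), crc(bytes(len(delta)))))

def demo():
    key, iv = bytes.fromhex("0badc0de42"), b"\x01\x02\x03"   # constructed 40-bit key and IV
    frame = wep_encrypt(key, iv, b"PAY 0100 TO ALICE")       # constructed message
    delta = xor(b"PAY 0100 TO ALICE", b"PAY 9999 TO ALICE")  # attacker knows only this part
    return wep_decrypt(key, modify_without_key(frame, delta))  # -> (b"PAY 9999 TO ALICE", True)
```

The receiver accepts the altered frame because nothing in the check depends on the key; this is why the countermeasure on the last slide, WPA/WPA2, replaces the CRC with a keyed integrity check.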

  21. Message injection
     • Takes advantage of the CRC’s unkeyed nature and IV reuse
     • C is the original ciphertext
     • P is the original plaintext
     • RC4(v, k) is the keystream for IV v and key k
     • M’ is the new message
     • c is the CRC-32 function
     • Need to know all of the plaintext

  22. Authentication spoofing
     • Takes advantage of IV reuse
     • Takes advantage of the WEP challenge mechanism for new mobile stations:
       • The access point sends an unencrypted 128-bit value
       • The mobile station returns the same value encrypted
     • Monitor the exchange and…
       • Learn an IV-keystream pair
       • Authenticate on the mobile network

  23. Fragmentation attack
     • Takes advantage of defragmentation and IV reuse
     • Takes advantage of knowing the plaintext of at least the first eight bytes of 802.11 data
     • Each fragment includes 4 bytes of checksum
     • An 802.11 frame can be divided into 16 segments
     • The access point will defragment the frame before forwarding, allowing the transmission of 16 × (known bytes of keystream – 4 bytes) of data

  24. Full keystream recovery using fragmentation
     • Send a 64-byte frame to a broadcast address in 16 segments
     • Eavesdrop on the defragmented 68-byte frame
     • Send a 1024-byte frame to a broadcast address in 16 segments
     • Eavesdrop on the defragmented 1028-byte frame
     • Send a 1496-byte frame to a broadcast address in 2 segments
     • Eavesdrop on the defragmented 1500-byte frame

  25. IP redirection
     • Takes advantage of defragmentation
     • Eavesdrop on an encrypted frame
     • Build an encrypted IP header with the desired destination IP address
     • Configure the 802.11 headers for segmented transmission
     • Send the frames
     • Receive the unencrypted data at an Internet-connected computer
     (Diagram: the eavesdropped ciphertext, consisting of IP header and message, alongside the rebuilt IP header)

  26. So how easy do these techniques make a WEP network to compromise?

  27. Answer: Darn easy
     • Attacks are greatly aided by automated tools
     • The authors of “The Final Nail in WEP’s Coffin” broke a 40-bit key in under 15 minutes and a 104-bit key in under 80 minutes
     • FBI agents demonstrated it in 3 minutes in 2005
       • http://www.informationweek.com/management/compliance/160502612
       • “Usually it takes five to ten minutes”

  28. Countermeasures
     • DON’T USE WEP!
     • Use WPA or WPA2 with a strong key
     • Change the default settings on your wireless router
     • Use a VPN
