1 / 23

Wireless security

Wireless security. Breaking WEP and WPA. Wireless security - Why?. DEMO!. Wireless security timeline. Message falsification attack on WPA. Attack on TKIP. WEP introduced. WPA introduced. WPA2 introduced. FMS attack on WEP. ChopChop attack on WEP. Fragmentation attack onWEP.

zariel
Download Presentation

Wireless security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless security Breaking WEP and WPA

  2. Wireless security - Why?

  3. DEMO!

  4. Wireless security timeline Message falsification attack on WPA Attack on TKIP WEP introduced WPA introduced WPA2 introduced FMS attack on WEP ChopChop attack on WEP Fragmentation attackonWEP PTW attack on WEP Beck and Tews attack on WEP and WPA

  5. RC4 • Was developed by Ron Rivest in 1987 • “Rivest Cipher 4” • Most widely used stream cipher • Used in i.e. SSL, WEP, WPA and TLS • Was secret until 1994 when it was leaked forifrom 0 to255 S[i] := i endfor l := keylength j := 0 forifrom 0 to255 j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j]) endfor i := 0 j := 0 whileGeneratingOutput: i:= (i + 1) mod 256 j := (j + S[i]) mod 256 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 256] endwhile

  6. Key Scheduling Algorithm (KSA) • Initializes the state • Permutes array S based on key K • Array S controls the secret state • S is later used to generate stream forifrom 0 to 255 S[i] := i endfor l := K.length j := 0 forifrom 0 to 255 j := (j + S[i] + K[imod l]) mod 256 swap(&S[i], &S[j]) endfor

  7. KSA example i K = 5 3 S = 0 2 5 4 1 3 0 2 5 6 3 4 7 5 0 5 0 6 3 4 7 1 i j forifrom 0 to 7 j := (j + S[i] + K[i mod l]) mod 8 swap(&S[i],&S[j]) endfor

  8. Pseudo Random Generation Algorithm (PRGA) • Generates a stream of pseudo random numbers • The state array is updated each iteration i := 0 j := 0 whileGeneratingOutput: i := (i + 1) mod 256 j := (j+S[i]) mod 256 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 256] endwhile

  9. PRGA example S = 2 7 4 3 1 6 7 4 5 0 3 1 i j whileGeneratingOutput: i := (i + 1) mod 8 j := (j+S[i]) mod 8 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 8] endwhile

  10. Question What problem might we encounter if the same key is used to encrypt multiple messages?

  11. Wired Equivalent Privacy (WEP) • Introduced in November 1997 • Comes in 64-bit and 128-bit strength • Uses initialization vectors to deal with the problem of key reuse • Not meant to be secure (!) • Adds Integrity Control Value (ICV) to the message to verify its correctness

  12. WEP Initialization Vector (IV) • Prepended to the key • Sent in plaintext along with the message • Only 3 bytes – reused every 224 message • Reduces key size by 24 bits (!) • 64 bit = 40 bit • 128 bit = 104 bit IV + Key = Dynamic key

  13. Fluhrer, Mantin and Shamir attack • Found a group of weak IV’s • IV’s with format X + 3 || 255 || Y • If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y • Same holds for respectively for 0X13 • The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form

  14. Example IV = [ 3, 255, 7 ] K = [ 3, 255, 7, ?, ?, ?, ?, ? ] C[0] = 165 = 15  170 j = S[i] = S[1] = 0 S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0]  170 = 15 j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15  K[3] = 2

  15. Statistics

  16. Aircrack

  17. Limitations • Have to collect ~1 000 000-4 000 000 packets to get enough IV’s • Could take 2-4 weeks to collect • Weak IV’s no longer used • Have since then been optimized and new attacks have been found • Can now be broken in less than 60 seconds

  18. ChopChop attack • Truncates the message by one byte and xor with X • If ICV control succeeds, the truncated byte is X P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) ) • Decreases time of finding the key to ~30 minutes

  19. Wi-fi Protected Access (WPA) • Built around WEP to fix its flaws and provide backward compatibility • Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems

  20. Temporal Key Integrity Protocol (TKIP) • Adds a new Message Integrity Check (MIC) generated using Michael algorithm • Michael is insecure, but this was handled by countermeasures in TKIP • Replay protection, slows down attacks but do not prevent them

  21. Becks and Tews attack • Attacks a TKIP • A modified version of the ChopChop attack • Truncates the message by one byte and xor last byte with X • If ICV control fails nothing happens, increment X • If ICV control succeeds, then MIC control will fail and an error message will be sent, the truncated byte is X • Limited to networks with QoS enabled

  22. Wireless security timeline Message falsification attack on WPA Attack on TKIP WEP introduced WPA introduced WPA2 introduced FMS attack on WEP ChopChop attack on WEP Fragmentation attackonWEP PTW attack on WEP Beck and Tews attack on WEP and WPA

  23. Additional reading • Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4 • Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP) • Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin • Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds • Beck, M., Tews, E.: Practical attacks against WEP and WPA • Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP • Ohigashi, T., Morii, M.: A practical message falsification attack on WPA

More Related