WEP Security - ODU Computer Science


Intercepting Mobile Communications: The Insecurity of 802.11
…or “Why WEP Stinks”
Dustin Christmann
1
Introduction
– This presentation will discuss the inadequacies of WEP encryption
– We’ll discuss the theoretical weaknesses of the WEP standard
– We’ll discuss the types of attacks that can exploit those weaknesses
– We’ll discuss the speed of “real world” attacks on WEP
2
Agenda
– What’s on your network?
– What is WEP?
– Theoretical weaknesses of WEP
– Types of attacks on WEP
– How well do these attacks work in the “real world”?
– Countermeasures
3
What’s on your wireless network?
– 802.11 (Wi-Fi) networks are ubiquitous today
– Types of encryption:
  – Open (no encryption)
  – WEP
  – WPA/WPA2
4
So what is WEP?
– WEP is Wired Equivalent Privacy
– Link-layer encryption
– Defined in the IEEE 802.11 standard
– “Least common denominator” Wi-Fi encryption
– Goals of WEP:
  – Confidentiality
  – Access control
  – Data integrity
5
So how does WEP work?
6
First, let’s introduce the players
– Message: what you’re encrypting
– CRC: to verify the integrity of the message
– Plaintext: the message + CRC
– Initialization vector (IV): a 24-bit number which plays two roles that we’ll meet in a moment
– Key: a 40- or 104-bit number which is used to build the keystream
– Keystream: what is used to encrypt the plaintext
– Ciphertext: what we end up with post-encryption
[Figure labels: Message, IV, CRC, Key, Keystream, Ciphertext]
7
WEP encryption step-by-step
[Figure labels: Message, CRC]
Step 1: Compute the CRC for the message
– The CRC-32 polynomial is used
8
WEP encryption step-by-step
[Figure labels: IV, Keystream, Key]
Step 2: Compute the keystream
– The IV is concatenated with the key
– The RC4 algorithm is seeded with the 64- or 128-bit concatenation to produce the keystream
9
WEP encryption step-by-step
[Figure labels: Message, IV, CRC, Ciphertext, Keystream]
Step 3: Encrypt the plaintext
– The plaintext is XORed with the keystream to form the ciphertext
– The IV is prepended to the ciphertext
10
WEP decryption step-by-step
[Figure labels: IV, Ciphertext, Keystream, Key]
Step 1: Build the keystream
– Extract the IV from the incoming frame
– Prepend the IV to the key
– Use RC4 to build the keystream
11
WEP decryption step-by-step
[Figure labels: Ciphertext, Message, CRC, Keystream]
Step 2: Decrypt the plaintext and verify
– XOR the keystream with the ciphertext
– Verify the extracted message against the CRC
12
What are the main weaknesses of WEP?
13
Initialization vector (IV)
– It’s carried in plaintext in the “encrypted” message!
– It’s only 24 bits!
– There are no restrictions on IV reuse!
– The IV forms a significant portion of the “seed” for the RC4 algorithm!
14
CRC algorithm
– The CRC is a linear function
  – First-order polynomial: y = mx + b
  – Key property when b is 0: f(x + y) = f(x) + f(y) (for a CRC, “+” is bitwise XOR)
– The CRC is an unkeyed function
15
RC4 cipher
– Some seeds are “weaker” than others
– By extension, some IV values are weaker than others
– Weak seeds = more easily calculated keystreams
16
Defragmentation
– Not necessarily a weakness
– Part of the 802.11 standard
  – Affects WPA and WPA2 encryption as well
17
What are some potential attacks on a WEP network?
18
First, you know more about the plaintext than you think you know
AA AA 03 00 00 00 08 ??
(DSAP = AA, SSAP = AA, CTRL = 03, ORG Code = 00 00 00, Ether type = 08 ??; the Ether type can be either IP or ARP)
– With 802.11, you know the first eight bytes of a packet
– Many IP services have packets of fixed lengths
– Most WLAN IP addresses follow common conventions
– Many IP behaviors have predictable responses
19
Message modification
– Takes advantage of the CRC’s linearity and unkeyed nature
– C is the original ciphertext
– c is the CRC-32 function
– Δ is the change in the message
– Need to know some of the plaintext, but not all!
$C' = C \oplus \langle \Delta, c(\Delta) \rangle$
20
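The encryption and decryption steps (slides 7 to 12) and the message-modification formula above, as an added Python example that is not part of the original slides: a toy WEP encapsulation (RC4 keystream over IV || key, CRC-32 ICV) followed by a check that a ciphertext edited as C' = C ⊕ ⟨Δ, c(Δ)⟩ still passes the receiver's ICV check without any knowledge of the key. The key, IV and message are constructed sample values, and the correction term c(0…0) that the slide's "when b is 0" simplification leaves out is included because the deployed CRC-32 is affine, not purely linear.

```python
import zlib

# Added educational example, not from the slides. All key/IV/message values
# used with these functions are constructed sample data.

def rc4_keystream(seed: bytes, length: int) -> bytes:
    s = list(range(256))                      # key-scheduling algorithm over seed = IV || key
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0             # pseudo-random generation algorithm
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(message: bytes) -> bytes:
    return zlib.crc32(message).to_bytes(4, "little")   # WEP ICV: CRC-32, little-endian

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    plaintext = message + icv(message)                   # step 1: append CRC
    keystream = rc4_keystream(iv + key, len(plaintext))  # step 2: RC4 seeded with IV || key
    return iv + xor(plaintext, keystream)                # step 3: XOR, prepend IV in the clear

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]                      # IV is the first 3 bytes, unencrypted
    plaintext = xor(body, rc4_keystream(iv + key, len(body)))
    message, tag = plaintext[:-4], plaintext[-4:]
    if icv(message) != tag:
        raise ValueError("ICV check failed")
    return message

def icv_delta(delta: bytes) -> bytes:
    # CRC-32 as deployed (initial value and final XOR) is affine, not linear:
    # c(x ^ y) = c(x) ^ c(y) ^ c(0...0). The slide's "when b is 0" drops the last term.
    return xor(icv(delta), icv(bytes(len(delta))))

def modify_ciphertext(frame: bytes, delta: bytes) -> bytes:
    # C' = C xor <delta, c(delta)> applied to the encrypted body with no key or keystream:
    # the ICV still verifies because the CRC is unkeyed and linear, so it is no integrity check.
    iv, body = frame[:3], frame[3:]
    return iv + xor(body, delta + icv_delta(delta))
```

A keyed MIC, as used by WPA/WPA2, is what closes this gap: the receiver's check then depends on a secret, so flipping plaintext bits through the ciphertext can no longer be compensated for.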
Message injection
– Takes advantage of the CRC’s unkeyed nature and IV reuse
– C is the original ciphertext
– P is the original plaintext
– RC4(v, k) is the keystream for IV v
– M’ is the new message
– c is the CRC-32 function
– Need to know all of the plaintext
$P = C \oplus RC4(v, k)$
$C' = \langle M', c(M') \rangle \oplus RC4(v, k)$
21
Authentication spoofing
– Takes advantage of IV reuse
– Takes advantage of the WEP challenge mechanism for new mobile stations
– The access point sends an unencrypted 128-bit value
– The mobile station returns the same value encrypted
– Monitor the exchange and…
  – Learn an IV-keystream pair
  – Authenticate on the mobile network
$P = C \oplus RC4(v, k)$
22
Fragmentation attack
– Takes advantage of defragmentation and IV reuse
– Takes advantage of knowledge of the plaintext of at least the first eight bytes of 802.11 data
– Each data fragment includes 4 bytes of checksum
– An 802.11 frame can be divided into 16 segments
– The access point will defragment the frame before forwarding, allowing the transmission of 16 * (known bytes of keystream – 4 bytes) of data
23
Full keystream recovery using fragmentation
– Send a 64-byte frame to a broadcast address in 16 segments
– Eavesdrop the defragmented 68-byte frame
– Send a 1024-byte frame to a broadcast address in 16 segments
– Eavesdrop the defragmented 1028-byte frame
– Send a 1496-byte frame to a broadcast address in 2 segments
– Eavesdrop the defragmented 1500-byte frame
24
IP redirection
[Figure labels: IP Header, Ciphertext, Message]
– Takes advantage of defragmentation
– Eavesdrop an encrypted frame
– Build an encrypted IP header with the desired destination IP address
– Configure the 802.11 headers for segmented transmission
– Send the frames
– Receive the unencrypted data at an Internet-connected computer
25
So how easy do these techniques make it to compromise a WEP network?
26
Answer: Darn easy
– Attacks greatly aided by automated tools
– Authors of “The Final Nail in WEP’s Coffin” broke a 40-bit key in under 15 minutes and a 104-bit key in under 80 minutes
– FBI agents demonstrated it in 3 minutes in 2005
  – http://www.informationweek.com/management/compliance/160502612
  – “Usually it takes five to ten minutes”
27
Countermeasures
– DON’T USE WEP!
– Use WPA or WPA2 with a strong key
– Change the default settings on your wireless router
– Use a VPN
28