How To Not Make a Secure Protocol
802.11 WEP
Dan Petro
What is WEP?

Wired Equivalent Privacy

Wireless LAN security protocol
Uses IEEE 802.11 a,b,g, and n
Provides certain security services
Originally 64 bits, but has been extended to 128 bits and even 256 bits

Easily broken

Why? And How?

Fundamentally poor design choices
How does WEP work?





It works like a One Time Pad
Keystream is pseudorandom
XOR'd with plaintext
Perfectly secret ciphertext
Right? What's the worst that could happen?
Design Goals of WEP

Confidentiality

RC4 cipher and XOR operation

Integrity

CRC of message inside plaintext

Authentication?!*

Availability?!
Keys

Not one, but two keys.

Primary Master Key or just “key” (Secret)

Initialization Vector (Well known)

Key = 40 bits

IV = 24 bits

Total = 64 bits
Failure #1

ONE TIME Pad



You must never use the same key(stream) twice.
In WEP, Key = PMK + IV

IV changes for each message

If an IV is ever used twice, the same keystream will be used twice
IV is only 24 bits

Birthday Attack = collision every 5,000 frames.
Failure #1


What's the harm?

Cipher1 = Plaintext1 xor Keystream

Cipher2 = Plaintext2 xor Keystream
You now know Plaintext1 xor Plaintext2

If you happen to know one of the plaintexts, then you can decrypt any new ciphertext that uses the same Keystream

Full and partial knowledge


No diffusion!
Even worse: WEP does not specify how to select IVs.
Failure #2


Integrity Failure

Linear CRC is used for Integrity.

Not a Cryptographically Secure Hash Function
Linear means distributive

CRC(a) xor CRC(b) equals CRC(a xor b)

Failure #2

Arbitrary packet forgery!

Even with partial knowledge.
IP Redirection Attack

Change every IP address to that of the attacker outside the network.
Failure #3

Authentication

Challenge & Response
1) Client sends request to router.
2) Router sends random 128 byte string to client in plaintext
3) Client sends back the same string, encrypted with the Key
4) Server decrypts message, and verifies that the contents match the string sent.
Failure #3



But we can change the contents of any message, remember?
Observe one valid authentication.
Now just change the contents of this captured response to be the random string you need!

Easy as that, now you're authenticated.

This is actually worse than no authentication!
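
Added example, not part of the original slides, covering Failure #2 and Failure #3 together: a captured challenge response is rewritten to answer a different challenge, and the encrypted CRC is patched, without the key. zlib's CRC-32 is affine rather than strictly linear, so the identity from Failure #2 needs one extra term, the CRC of an all-zero string of the same length. SHAKE-256 is a stand-in for the RC4 keystream (the flaw does not depend on the cipher), and the key, IV, and challenges are constructed.

```python
import hashlib
import struct
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    # Stand-in for RC4(IV || key); any XOR stream cipher behaves the same here.
    return hashlib.shake_256(iv + key).digest(n)

def icv(msg: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(msg))    # CRC-32 appended to the message

def wep_seal(iv: bytes, key: bytes, msg: bytes) -> bytes:
    body = msg + icv(msg)
    return iv + xor(body, keystream(iv, key, len(body)))

def wep_open(key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, keystream(iv, key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if icv(msg) == tag else None      # None means the CRC check failed

def flip(frame: bytes, delta: bytes) -> bytes:
    """XOR delta into the hidden message and fix the encrypted CRC, key not needed."""
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return frame[:3] + xor(frame[3:], delta + struct.pack("<I", fix))

def ap_accepts(key: bytes, challenge: bytes, response: bytes) -> bool:
    return wep_open(key, response) == challenge  # step 4 of the handshake

def demo():
    key = bytes.fromhex("0102030405")                  # constructed secret
    old = bytes(range(128))                            # challenge seen on the air
    captured = wep_seal(b"\x00\x00\x01", key, old)     # honest client's response
    new = hashlib.sha256(b"constructed").digest() * 4  # fresh 128-byte challenge
    forged = flip(captured, xor(old, new))             # built without the key
    return (ap_accepts(key, old, captured),
            ap_accepts(key, new, forged),
            ap_accepts(key, new, captured))

if __name__ == "__main__":
    print(demo())
```

A keyed MAC in place of the CRC would make flip() fail, because the fix-up value could not be computed without the key.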
Failure #4



Getting a “Known Plaintext Attack”

WEP does not mask the size of frames

You can see exactly how long each message is.
Mix that with TCP/IP, and you get a known plaintext attack
ARP messages are very short, and of known length. (28 bytes + some plaintext headers)

The vast majority of routers send gratuitous ARP messages constantly
Failure #4 1/2

ARP Replay Attack

ARP is stateless

One ARP packet read can be replayed over and over

Hosts will respond with fresh traffic as responses

Allows for an arbitrary amount of traffic to be generated in use with other attacks.

Upgrade the attack to “Chosen Plaintext”
Failure #5

The Cafe Latte Attack


Clients keep a list of favorite APs

No authentication
Ones they've used before
When powering on, they try to connect to those APs
Stimulate traffic from client, crack key
Failure #5 1/2





Rogue APs
WEP network with SSID “Protected”
Attacker makes another AP with the same SSID
Victim connects to the wrong AP
Now you have a Man-in-the-Middle
Failure #6

If the PMK is known, all bets are off


WEP does not specify how PMKs are chosen or exchanged.
It's a standard “Shared Secret” problem!

Social Engineering

Use a Rogue AP

Dictionary attacks

Out of Band attacks

Does your company have a piece of paper with the key lying around? It probably does.
Failure #7

Denial of Service

Firstly, it is legal to jam 2.4GHz signals

Just not cell phones!

802.11 Wifi is naturally vulnerable to this
But not Bluetooth!
Associate / Disassociate Packets are unencrypted



If there is a single malicious user on your network, he can bring the whole thing down

ARP Cache Poisoning

DOSS (Denial of Service... with Style)
Failure #7 1/2

Airpwn




First “displayed” at Defcon 12
Intercepts data just like with a Rogue AP
Responds to HTTP traffic before the real web server can
Result?

Anything you want!
The Breaks

What really breaks WEP is RC4

Fluhrer, Mantin and Shamir attack


Andreas Klein


Discovered that the first few bytes produced are highly non-random
Even more correlations between key and keystream found
Tews, Weinmann, and Pyshkin. (PTW)

Built upon Klein's analysis and built Aircrack-ptw

(Now Aircrack-ng)
References and links

Intercepting Mobile Communications: The Insecurity of 802.11
http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

Weaknesses in the Key Scheduling Algorithm of RC4
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

Wikipedia
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy

Any copyrights applicable to these slides, including images, are copylefted under the GPL v3