Transcript WEP Weaknesses

WEP
Weaknesses
Or
“What on Earth does this
Protect”
Roy Werber
Goals
 Authorization
– Prevent unauthorized access to network
 Privacy
– The P in WEP
– Make it feel like LAN
– Maintain data privacy from outsiders
2
Basic Flaws
 Bad design
– Each component is good, but not suited to
datagram environment
 No key management
– One key for all
 Bad implementation
3
Stream Ciphers
C = P S
 Key streams must never be reused
– C1  C2 = (P1  S)  (P2  S) = P1  P2
 Forgery is easy – Bit flip attack
– If
M2 = M1  X
– Then C2 = C1  X
4
Stream Ciphers And Datagram
 Key streams must never be reused
 Encryptor and decryptor must remain
synchronized
 Bad for datagram environment
 Without Random Access property
encryption process starts for each packet
  Different key for each packet
5
WEP Solution
 ICV – Prevents forgery
– Checksum on the data prevents bit flipping
 IV – Prevents key reuse
– Each packet a new key that starts a new stream
is used
6
ICV Prevents Forgery?
 Uses CRC-32 checksum
 CRC-32 is linear:
– CRC(A  B) = CRC(A)  CRC(B)
 RC4 is transparent to XOR
– C = RC4 ( [M,CRC(M)] )
– C’ = C  [X,CRC(X)]
= [M,CRC(M)]  S  [X,CRC(X)]
= RC4 ([M X, CRC( M X)])
7
IV Prevents Key Reuse ?
 IV space is very small : 224
 Birthday attack:
– 50% chance of collision after only 4823 packets
– 99% collision after 12,430 packets
= 3 seconds in 11 Mbps traffic
– Assuming random IV selection (Some
implemented IV as a counter from 0)
– Assuming IV changes. Its optional
8
After IV Match Is Found
 Pattern recognition on the XOR’d plaintext
 ICV tells if the guess is correct
 After only a few hours of observation, you
can recover all 224 key streams
 Get active:
– Send Spam to the network
– Get the victim to send e-mail to you
– Known plaintext  Key stream
9
Authentication
 SSID
 Shared Key
 MAC
10
Authentication Problems
 SSID – Easy to get by sniffing, it is
broadcasted (If WEP encryption deployed –
access by key)
 MAC – It is broadcasted
– Can be spoofed
11
How to Authenticate without the
Key
AP
STA
Challenge (Nonce)
Response ( RC4 [Nonce] under shared key)
Decrypted nonce OK?
Simple Attack:
• Record one challenge/response with a sniffer
• Use the challenge to decrypt the response and recover the key stream
• Use the recovered key stream to encrypt any subsequent challenge
12
Types Of Attacks
 IV re-use attack to decrypt traffic
– We already seen it
 Replay Attack
– Trivial
 Statistical attacks
 IP Modification
 Active attack to inject traffic
 Bit flip attack to recover key stream
13
Improvement Techniques
“Grow” a partial keystream, Use key table
14
FMS Attack
 Fluhrer, Martin and Shamir found a class of
RC4 keys called “weak keys”
 If the first 2 bytes of enough key stream are
known -> The RC4 key is discovered
 The first 8 bytes of WEP packet is a known
SNAP-SAP header
 AirSnort implements this attack
– Recovers key after 20,000 packets = 11 seconds
15
IP Modification
IP redirection:
– Change the destination of an encrypted packet
to a machine controlled by the attacker on the
wired network.
– Send modified frame to AP that will decrypt it
and send to attacker machine
– Derive keystream from this ciphertext, plaintext
pair
– Attacker can reuse keysteam to send/receive
WLAN traffic
16
Inject Traffic
 If there is a known cipher plaintext pair
 The cipher can be modified to any message
 Correct CRC is calculated and inserted
 Uses:
– Unauthorized traffic can be sent
– User commands can be altered. (telnet ,ftp, etc)
17
Bit Flipping Attack
18
Practicality
 Available cheap equipment
 Laptop and wireless card
 Tools: AirSnort, Netstumbler, Kismet
 Easy to sniff, harder to transmit
19
Main Points
 WEP was badly designed
 WEP was badly implemented
 I didn’t even speak about DoS attack,
MITMs, Impersonating to AP
 Treat wireless the way you treat remote
traffic
20
Thank You!