Transcript wep

Intercepting Mobile Communications: The Insecurity of 802.11
► Paper by Borisov, Goldberg, Wagner – Berkeley – MobiCom 2001
► Lecture by Danny Bickson, 21.3.04
WEP Protocol
► WEP – Wired Equivalent Privacy
► Wireless standard 802.11
► Link layer
► Protocol goals:
  • Confidentiality: prevent eavesdropping
  • Access control: prevent unauthorized access
  • Data integrity: prevent tampering of messages
► We show that none of the security goals are attained
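Network Model
[Figure: network model diagram; surviving label: Internet]
WEP Algorithm: Encryption
[Figure: encryption diagram; labels: Message, CRC(M), RC4(k,IV), IV, Cipher]
WEP Algorithm: Decryption
[Figure: decryption diagram; labels: IV, Cipher, RC4(k,IV), Message, CRC(M)]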
Confidentiality
Stream cipher properties
► Given two ciphertexts C1, C2 produced with the same keystream: C1 ⊕ C2 = P1 ⊕ P2.
► Keystream reuse can lead to a number of attacks:
  • If the plaintext of one message is known, the other is immediately obtainable.
  • In the general case, there are known techniques for breaking reused keystreams.
  • As the number of reused keystreams increases, breaking them becomes easier.
► Two conditions are required for this class of attacks to succeed:
  • Availability of ciphertexts where the keystream is used more than once.
  • Partial knowledge of some of the plaintexts.
Finding instances of keystream reuse
► Shared key k changes rarely.
► Reuse of the IV causes reuse of the keystream.
► IVs are public.
IV Usage
► The standard recommends (but does not require) changing the IV.
► Common PCMCIA cards set the IV to zero and increment it by 1 for each packet.
► IV size is only 24 bits.
► A busy access point at 5Mbps will exhaust the available space in 11 hours.
► Birthday paradox: with random IV selection, 5000 packets are needed w.h.p. to find a collision.
Exploiting keystream reuse
► Many fields of IP traffic are predictable.
► For example: login sequences.
► Active attack (known plaintext)
Decryption dictionaries
► Once the plaintext of an encrypted message is obtained, the keystream value is stored in a dictionary.
► Full table requires 24GB
► The size of the dictionary does not depend on the size of the key
Key management
Message Authentication
► Message modification
► Message injection
Message Modification
► The checksum used is CRC-32, which is a linear function of the message.
► In other words, the checksum distributes over the XOR operation:
C(x ⊕ y) = C(x) ⊕ C(y)
► The RC4 stream cipher is also linear.
The attack
Given C we would like to create C’ s.t. C’ decrypts to M’ instead of M.
[Figure: XOR diagram; labels: Cipher; D, CRC(D); Message, CRC(M); M’, CRC(M’); RC4(k,IV)]
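The modification described on this slide, as an added example (not from the lecture or the paper): a simplified Python model of WEP framing showing that a ciphertext altered by <D, c(D)> still passes the CRC check, while the same alteration is rejected once the checksum is a keyed HMAC. The key, IV, messages, helper names and the HMAC variant are constructed assumptions; zlib's CRC-32 is affine rather than strictly linear, so the all-zero CRC is folded into the correction.

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, n: int) -> bytes:  # standard KSA, then PRGA
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "little")  # unkeyed checksum

def mac(m: bytes) -> bytes:
    return hmac.new(MAC_KEY, m, hashlib.sha256).digest()  # keyed (assumption)

def seal(m: bytes, tag=crc) -> bytes:
    """Simplified WEP framing: <M, tag(M)> XOR RC4(IV || k)."""
    body = m + tag(m)
    return xor(body, rc4(IV + KEY, len(body)))

def unseal(c: bytes, tag=crc, taglen=4):
    """Decrypt and return (message, integrity_check_passed)."""
    body = xor(c, rc4(IV + KEY, len(c)))
    m, t = body[:-taglen], body[-taglen:]
    return m, hmac.compare_digest(t, tag(m))

def crc_delta(d: bytes) -> bytes:
    """Checksum change from XORing d into an equal-length message."""
    return xor(crc(d), crc(bytes(len(d))))  # cancels the affine constant

# Constructed sample values, not taken from the slides.
KEY, IV, MAC_KEY = bytes(range(1, 6)), b"\x00\x00\x2a", b"separate-mac-key"
M, M2 = b"seq=0001;flag=0", b"seq=0001;flag=1"
D = xor(M, M2)                                  # chosen difference
FORGED_CRC = xor(seal(M), D + crc_delta(D))     # C' = C xor <D, c(D)>
FORGED_MAC = xor(seal(M, mac), D + bytes(32))   # no keyless correction exists
CRC_RESULT = unseal(FORGED_CRC)                 # (M2, True): change accepted
MAC_RESULT = unseal(FORGED_MAC, mac, 32)        # (M2, False): change rejected
```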
Relation to GSM
Encryption:
C = G(M) ⊕ A5/2(IV,k)
Decryption:
1. G(M) = C ⊕ A5/2(IV,k)
2. H(G(M)) = 0 ?
3. M = G⁻¹(G(M))
Attack on GSM
H(C) =
H(A5/2(IV,k) ⊕ G(M)) =
H(A5/2(IV,k)) ⊕ H(G(M)) =
H(A5/2(IV,k)) ⊕ 0 =
H(A5/2(IV,k))
Message Injection
► WEP checksum is an unkeyed function of the message.
► After knowing one keystream we can use it forever.
C’ = <M’, CRC(M’)> ⊕ RC4(IV,k)
Other attacks
► IP redirection.
Assumption: Destination address is known.
IP redirection (cont.)
► Need to calculate IP checksum
► Several options
  • IP checksum for original packet is known
  • Original IP checksum is not known
  • Compensate by changing another IP field
Reaction Attack
► Works only for TCP protocol
► Pick i at random, let D be all zeros, except for positions i and i+16.
Calc C’ = C ⊕ D.
Two options:
1. Got an acknowledgment, P_i ⊕ P_{i+16} = 1
2. Else P_i ⊕ P_{i+16} = 0
► Each test reveals 1 bit of information
Conclusion
► Design of security protocols is difficult (more than the design of network protocols)
► Combining several secure algorithms does not mean that the result is secure
► Engineering perspective dictated selection of cryptographic algorithms
THE END
► Thank You!