Transcript CS 378 - Network Security and Privacy

Hacking Wireless Networks
(Part II – WEP & WPA)
SCSC 555
slide 1
802.11b Overview
Standard for wireless networks
• Approved by IEEE in 1999
Two modes: infrastructure and ad hoc
IBSS (ad hoc) mode
BSS (infrastructure) mode
slide 2
Access Point SSID
Service Set Identifier (SSID) differentiates one
access point from another
• By default, access point broadcasts its SSID in
plaintext “beacon frames” every few seconds
Default SSIDs are easily guessable
• Linksys defaults to “linksys”, Cisco to “tsunami”, etc.
• This gives away the fact that access point is active
Access point settings can be changed to prevent
it from announcing its presence in beacon frames
and from using an easily guessable SSID
• But then every user must know SSID in advance
slide 3
Wired Equivalent Privacy (WEP)
Special-purpose protocol for 802.11b
• Intended to make wireless as secure as wired network
Goals: confidentiality, integrity, authentication
Assumes that a secret key is shared between
access point and clients
Uses RC4 stream cipher seeded with 24-bit
initialization vector and 40-bit key
• Terrible design choice for wireless environment
• RC4 is used properly in SSL
slide 4
Shared-Key Authentication
Prior to communicating data, access point may require client to authenticate
Access Point
Client
beacon
probe request
unauthenticated &
unassociated
OR
authenticated &
unassociated
challenge
challengeRC4(IV,K)
association
request
association
response
authenticated &
associated
Passive eavesdropper recovers RC4(IV,K),
can respond to any challenge from then
on without knowing K
slide 5
How WEP Works
IV | shared key used as RC4 seed
• Must never be repeated (why?)
• There is no key update protocol in 802.11b,
so security relies on never repeating IV
24 bits
40 bits
IV sent in the clear
CRC-32 checksum is linear in : if attacker flips some bit
in plaintext, there is a known, plaintext-independent set of CRC
bits that, if flipped, will produce the same checksum
no integrity!
Worse: 802.11b says that changing
IV with each packet is optional!
slide 6
Why RC4 is a Bad Choice for WEP
Stream ciphers require synchronization of key
streams on both ends of connection
• This is not suitable when packet losses are common
WEP solution: a separate seed for each packet
• Can decrypt a packet even if a previous packet was lost
But number of possible seeds is not large enough!
• RC4 seed = 24-bit initialization vector + fixed key
• Assuming 1500-byte packets at 11 Mbps,
224 possible IVs will be exhausted in about 5 hours
Seed reuse is deadly for stream ciphers
slide 7
Recovering Keystream
Get access point to encrypt a known plaintext
• Send spam, access point will encrypt and forward it
• Get victim to send an email with known content
If attacker knows plaintext, it is easy to recover
keystream from ciphertext
• C  M = (MRC4(IV,key))  M = RC4(IV,key)
• Not a problem if this keystream is not re-used
Even if attacker doesn’t know plaintext, he can
exploit regularities (plaintexts are not random)
• For example, IP packet structure is very regular
slide 8
Keystream Will Be Re-Used
In WEP, repeated IV means repeated keystream
Busy network will repeat IVs often
• Many cards reset IV to 0 when re-booted, then
increment by 1  expect re-use of low-value IVs
• If IVs are chosen randomly, expect repetition in O(212)
due to birthday paradox (similar to hash collisions)
Recover keystream for each IV, store in a table
• (KnownM  RC4(IV,key))  KnownM = RC4(IV,key)
• Even if don’t know M, can exploit regularities
Wait for IV to repeat, decrypt and enjoy plaintext
• (M’  RC4(IV,key))  RC4(IV,key) = M’
slide 9
It Gets Worse
Misuse of RC4 in WEP is a design flaw with no fix
• Longer keys do not help!
– The problem is re-use of IVs, their size is fixed (24 bits)
• Attacks are passive and very difficult to detect
Perfect target for Fluhrer et al. attack on RC4
• Attack requires known IVs of a special form
• WEP sends IVs in plaintext
• Generating IVs as counters or random numbers will
produce enough “special” IVs in a matter of hours
This results in key recovery (not just keystream)
• Can decrypt even ciphertexts whose IV is unique
slide 10
Do Not Do This
[Brian Lee]
Ingredients: Laptop (with 802.11b card, GPS, Netstumbler, Airsnort,
Ethereal) and the car of your choice
 Drive around, use Netstumbler to map out active wireless
networks and (using GPS) their access points
 If network is encrypted, park the car, start Airsnort, leave it be
for a few hours
• Airsnort will passively listen to encrypted network traffic and, after
5-10 million packets, extract the encryption key
 Once the encryption key is compromised, connect to the network
as if there is no encryption at all
 Alternative: use Ethereal (or packet sniffer of your choice) to
listen to decrypted traffic and analyze
 Many networks are even less secure
slide 11
Weak Countermeasures
Run VPN on top of wireless
• Treat wireless as you would an insecure wired network
• VPNs have their own security and performance issues
– Compromise of one client may compromise entire network
Hide SSID of your access point
• Still, raw packets will reveal SSID (it is not encrypted!)
Have each access point maintain a list of network
cards addresses that are allowed to connect to it
• Infeasible for large networks
• Attacker can sniff a packet from a legitimate card, then
re-code (spoof) his card to use a legitimate address
slide 12
Fixing the Problem
Extensible Authentication Protocol (EAP)
• Developers can choose their own authentication method
– Cisco EAP-LEAP (passwords), Microsoft EAP-TLS (public-key
certificates), PEAP (passwords OR certificates), etc.
802.11i standard fixes 802.11b problems
• Patch: TKIP. Still RC4, but encrypts IVs and establishes
new shared keys for every 10 KBytes transmitted
– No keystream re-use, prevents exploitation of RC4 weaknesses
– Use same network card, only upgrade firmware
• Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs
– Block cipher (in special mode) instead of stream cipher
– Requires new network card hardware
slide 13
Hacking Wireless Networks
(Part III – WPA)
slide 14
What is WPA?
WPA (Wireless Protected Access) or WEP2
■ An interim solution to replace WEP.
■ Aimed to work well with hardware designed for WEP.
■ Still use RC4 for encryption.
■ Several new elements were introduced:
- TKIP (Temporal Key Integrity Protocol).
- MIC (message integrity code) for preventing forgery.
- IV=48 bits for preventing replay attack.
- A mixing function for generating per-frame key.
slide15
15
WPA Structure
802.11 Hdr
data
TKIP
||
WEP Key
K
MIC
MIC
Function
Per-Frame Key
Mixing
Function
802.11 Hdr
K’
IV
RC4
Encryption
Data
Integrity
Key
MIC
slide16
16
WPA Structure (in details)
slide 17
WPA - Modes of Operation
 Enterprise Mode:
- Requires an authentication server – RADIUS
(Remote Authentication Dial In Service) for authentication and
key distribution
- RADIUS has centralized management of user credentials
 Pre-shared key (PSK) Mode:
- Does not require authentication server
- A “shared secret” is used for authentication to access point
vulnerable to dictionary attacks
slide18
18
Enterprise Mode Diagram
slide19
19
PSK Mode Diagram
slide20
20
Issues of PSK Mode
 Needed if no authentication server is in use
 “shared secret” – revealed, network security is compromised
 No standardized way of changing shared secret
 It increases the attacker’s effort to do decryption of messages
 The more complex the shared secret is, the better it is
as there are less chances of dictionary attacks
slide21
21
Summary: Security Mechanisms in WPA
slide22
22
802.1X Authentication prevents end users from
accessing Enterprise networks
slide23
23
TKIP – Temporal Key Integrity Protocol
 TKIP is responsible for generating the encryption key, encrypting the
message and verifying its integrity
 TKIP ensures:
- Encryption key changes with every packet
- Encryption key is unique for every client
- TKIP encryptions keys are 256 bit long
 WEP Encryption key = shared secret + IV
 TKIP packet comprises of:
- 128 bit temporal key (shared by both clients and AP)
- Client Device MAC address
- 48 bit IV (Packet sequence number) to prevent known plain text
attacks (WEP = 24 bit IV)
slide24
24
TKIP for Data Privacy
 TKIP key mixing function + temporal key = per packet key
 Temporal keys - 128 bit, change frequently, definite life
 MAC Address + Temporal key + four most significant octets of the
packet sequence number are fed into the S-Box to generate
intermediate key
 Results in a unique encryption key
 Then, mix the intermediate key with two least significant octets of
packet sequence number = 128 bit per packet key
 Each key encrypts only one packet of data and prevents weak key
attacks
slide25
25
Message Integrity Check (MIC)

Used to enforce data integrity
 “Message Integrity Code” (MIC) = 64 bit message calc.
using Michael’s algorithm
 MIC is inserted in the TKIP packet
 The sender and the receiver each compute MIC and then
compare. MIC does not match = data is manipulated
 Detects potential packet content altercation due to
transmission error or purposeful manipulation
 Uses 64 bit key and partitions the data into 32 bit blocks
 Various operations: shifts, XOR’s, additions
slide26
26
WPA2
 A long term solution specified by IEEE 802.11i
Use AES (in a new mode called CCM) for encryption.
Counter Mode with CBC-MAC Protocol (CCMP)
encryption
CCMP = CTR + CBC + MAC
■ Several new elements were introduced:
- The base key K=128 bits.
- MIC is 64 bits for preventing forgery.
- IV=48 bits for preventing replay attack.
- Packet sequence number is used to generate IV.
Will require or replacement hardware (AP’s and NIC’s)
slide27
27
WPA2
IV
Key ID
Encrypted by AES
802.11 Hdr 802.11i Hdr
Data
MIC
FCS
Authenticated by MIC
slide28
28
Encryption Method Comparison Table
WEP
WPA
WPA2
Cipher
RC4
RC4
AES
Key Size
40 bits
128 bits encryption 64
bits authentication
128 bits
Key Life
24 bit IV
48 bit IV
48 bit IV
Packet Key
Concatenated
Mixing Function
Not needed
Data Integrity
CRC-32
Michael Algorithm
CCM
Header Integrity
None
Michael Algorithm
CCM
Replay Attack
None
IV Sequence
IV Sequence
Key Management
None
EAP Based
EAP Based
slide29
29
Conclusions
 WEP is not secure anymore !
 WPA solves almost all WEP weaknesses
 WPA still considered secure and provides secure
authentication, encryption and access control
 WPA is not yet broken…!
 WPA2 is a stronger cipher than WPA and will provide robust
security for WLANs
slide30
30