Transcript slides
How To Not Make a Secure
Protocol
802.11 WEP
Dan Petro
What is WEP?
Wired Equivalent Privacy
Wireless LAN security protocol
Uses IEEE 802.11 a,b,g, and n
Provides certain security services
Originally 64 bits, but has been extended to 128
bits and even 256 bits
Easily broken
Why? And How?
Fundamentally poor design choices
How does WEP work?
It works like a One
Time Pad
Keystream is
pseudorandom
XOR'd with plaintext
Perfectly secret
ciphertext
Right? What's the
worst that could
happen?
Design Goals of WEP
Confidentiality
Integrity
RC4 cipher and XOR
operation
CRC of message
inside plaintext
Authentication?!*
Availability?!
Keys
Not one, but two
keys.
Primary Master Key or
just “key” (Secret)
Initialization Vector
(Well known)
Key = 40 bits
IV = 24 bits
Total = 64 bits
Failure #1
ONE TIME Pad
In WEP, Key = PMK + IV
You must never use the same key(stream) twice.
IV changes for each message
If an IV is ever used twice, the same keystream will
be used twice
IV is only 24 bits
Birthday Attack = collision every 5,000 frames.
Failure #1
What's the harm?
Cipher1 = Plaintext1 Keystream
Cipher2 = Plaintext2 Keystream
You now know Plaintext1 Plaintext2
If you happen to know one of the plaintexts, then
you can decrypt any new ciphertext that uses the
same Keystream
Full and partial knowledge
No diffusion!
Even worse: WEP does not specify how to
select IV's.
Failure #1 Example
•
•
•
Capture multiple
Ciphertexts with the
same IV
Obtain a (partial)
Known Plaintext
Decrypt
corresponding bits in
the other messages.
Failure #2
Integrity Failure
Linear CRC is used
for Integrity.
Not a
Cryptographically
Secure Hash Function
Linear means
distributive
CRC(a) xor CRC(b)
Equals
CRC(a xor b)
Failure #2
Arbitrary packet
forgery!
Even with
partial
knowledge.
If you know the
plaintext of any part
of a message, you
can change it.
WEP sends DST IP
in plaintext
Failure #2.5
IP Redirection
Attack
– Change every
IP address to
that of the
attacker outside
the network.
Failure #3
•
•
•
•
Authentication Fail
1) Client Hello
2) Server Plaintext Challenge (128 Bytes)
3) Client Sends Encrypted Challenge back
Failure #3
But we can change the contents of any
message, remember?
Observe one valid authentication.
Failure #3
•
Now just change the contents of this
captured response to be the challenge you
need!
Failure #4
Getting a “Known Plaintext Attack”
WEP does not mask the size of frames
You can see exactly how long each message
is.
Mix that with TCP/IP, and you get a known
plaintext attack
ARP messages are very short, and of known
length. (28 ARP bytes + 14 Layer 1 Bytes= 42
Bytes Total)
Lots of routers automatically send tons of
ARP messages constantly
Failure #4.5
ARP Replay Attack
ARP is stateless
One ARP request packet can be replayed
over and over
Hosts will respond with fresh traffic as
responses
Allows for an arbitrary amount of traffic to be
generated in use with other attacks.
Upgrade the attack to “Chosen Plaintext”
Failure #5
No Server
Authentication
Rouge AP's
Attacker makes
another AP with the
same SSID
Victim connects to the
wrong AP
Now you have a Manin-the-Middle
Failure #6
The Cafe Latte Attack
Clients keep a list of
favorite AP's
No authentication
One's they've
used before
When powering on,
they try to connect to
those AP's
Stimulate traffic from
client, crack key
Failure #7
If the PMK is known, all bets are off
WEP does not specify how PMKs are chosen
or exchanged.
It's a standard “Shared Secret” problem!
Social Engineering
Use a Rouge AP
Dictionary attacks
Out of Band attacks
Does your company have a piece of paper with
the key laying around? It probably does.
Failure #8
Denial of Service
Firstly, it is legal to jam 2.4GHz signals
Just not cell phones!
802.11 Wifi is naturally vulnerable to this
But not Bluetooth!
Associate / Disassociate Packets are unencrypted
If there is a single malicious user on your network, he can
bring the whole thing down
ARP Cache Poisoning
DOSS (Denial of Service... with Style)
Failure #9
•
•
•
No Session
Keys!
How the
network's
perimeters
should look:
How it does
look:
Failure #9
Airpwn
First “displayed”
at Defcon 12
Intercepts data just
like with a Rouge AP
Responds to HTTP
traffic before the real
web server can
Result?
Anything you
want!
The Breaks
Key recovery attacks due to RC4
Fluhrer, Mantin and Shamir attack
Andreas Klein
Discovered that the first few bytes produced is
highly non-random
Even more correlations between key and
keystream found
Tews, Weinmann, and Pyshkin. (PTW)
Built upon Klein's analysis and built Aircrackptw
(Now Aircrack-ng)
References and links
Intercepting Mobile Communications: The
Insecurity of 802.11
Wikipedia
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
Weaknesses in the Key Scheduling Algorithm of
RC4
http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf
CC-BY-SA
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf