Transcript WEP Attacks

CSC-682
Advanced Computer Security
Attacks
on wireless networks
using WEP encryption
presented by : Pompi Rotaru
Wireless technology
•
IEEE 802.11 a/b/g/n is the set of standards for W-LAN
•
Wireless technology has been on the rise in recent years
•
An individual can sit outside the building and connect to an
unprotected wireless network
•
Preserving privacy and integrity of wireless communications
becomes an important objective of the network security team
•
Basic service set :
•
infrastructure mode
independent (ad-hoc) mode
WEP
•
Wired Equivalent Privacy (WEP) is most common mechanism
for protection
•
Encryption with 40-bit key (aka “64-bit encryption”)
•
Encryption with 104-bit key (aka "128-bit encryption“)
•
Uses as the most common encryption algorithm the RC4
algorithm.
History of WEP
•
1997 Release of the first final version of IEEE 802.11
•
2001 WEP broken by Fluhrer, Mantin, and Shamir
•
2004 WEP broken again by KoreK
•
2005 WEP broken again by KoreK again (chopchop attack)
•
2005 WEP broken again by Bittau, fragmentation attack
•
2007 WEP broken again by Pyshkin, Tews, Weinmann, with
the help of Klein
RC4 algorithm description
•
Stream cipher designed by Ron Rivest in 1987
•
It works as a variable key-size stream cipher with byteoriented operations
•
Key Scheduling Algorithm (KSA) - which turns a random key
into a permutation by scrambling the bits
•
Pseudo-Random Generator Algorithm (PRGA) – using swap
operations for the previously permutation it generates pseudorandom numbers
•
X = RC4(K)
How WEP encryption works
•
A 3 bytes initialization vector (IV) is chosen
•
A key stream X = RC4(K) is generated from secret key K
•
A 32 bit long checksum called Integrity Check Value (ICV) is
appended to the message to protect the integrity
•
The resulting plain text is encrypted making an XOR
operation with the generated key stream
•
The unencrypted IV and the cipher-text are sent over the air
Types of WEP attacks
•
•
Depending on key
•
without recovering the WEP key
•
recovering the key
Depending on communication
•
static (no communication with AP)
•
dynamic (involves communication with AP)
General steps for attack
•
Setup equipment (laptop, directional antenna)
•
Find the target (airdump-ng, Kismet, NetStumbler)
•
Capture data from air (airmon-ng, airodump-ng)
•
Wait or make the target network busy (aireplay-ng)
•
Start cracking from captured data (aircrack-ng)
The brute force / dictionary attack
•
“Power” of the WEP relies in the difficulty of discovery of the
secret key through a brute-force attack
•
“Dictionary attack” uses dictionary of keys, not all possible
keys
•
Such attack requires less then a month for all keys
•
Steps :
•
capture 2 WEP encrypted packets
•
try to decrypt it using the captured IV and a potential key
•
verify decrypted ICV (the CRC)
•
(optional) verify the key on the 2nd packet
The FMS attack
•
2001 - Scott Fluhrer, Itsik Mantin and Adi Shamir
•
Static - with key recovery
•
RC4 weaknesses :
•
The “Invariance Weakness” - existence of large classes of weak keys
•
The “IV Weakness” – using IV attacker can rederive the secret part by
analyzing the initial word
•
Finding the key → use key-output correlation = propagation
of a weak key pattern into the outputs combined with biased
distribution of bits in English text
•
Decision tree
•
Requires 9 millions packets (listen to traffic for 1…2 hours)
The KoreK attack
•
2004 – internet hacker KoreK
•
Static - with key recovery
•
Does not need weak IV
•
Uses 16 additional correlations between the first 1 byte of an
RC4 key, the first 2 bytes of the generated key stream, and the
next keybyte
•
Same decision-tree based approach same as FMS attack
•
Requires 700000 packets
The KoreK chop-chop attack
•
2005 – same KoreK
•
Does not recover the key, it just reveals the message
•
Exploits an ICV vulnerability
•
Process of truncation of packets while keeping them still valid
•
Steps :
•
capture one packet
•
truncate the last byte and try to guess one “value” for plaintext
•
correct the checksum and send packet to AP
•
if guess is correct the AP will reply
•
repeat until all bytes are decrypted
The Bittau attack
•
2005 - Andrea Bittau, Mark Handley and Joshua Lackey
•
Fragmentation :
•
•
•
Possible to send multiple fragments (16) using the same key stream
•
Each packet is encrypted independently at MAC layer
Steps:
•
listen to traffic, eavesdrop one packet then recover 8 bytes of key
stream
•
prepend an IP header to the eavesdropped packet and send to AP
•
AP will sent the clear text to a controlled internet host
Fragmentation is used to break 802.11’s cryptography
The PTW attack
•
2007 - Andrei Pyshkin, Erik Tews & Ralf-Philipp Weinmann
•
They found a “multibyte correlation” between the first l bytes
of an RC4 key, the generated keystream, and the next i bytes
of the key.
•
Steps :
•
captures packets and recovers their keystreams (FMS, KoreK)
•
evaluate the multibyte correlation function (Klein)
•
create decision tree for key and start voting (Rk[0], Rk[1],
Rk[2]…)
•
Requires 35000 …. 40000 packets
•
Less then 60 seconds to crack a 104 bit WEP key
Protecting WEP
•
Increase the number of bytes used for encryption (“protects”
against FMS attack)
•
Remove the weak IV - keystream re-use vulnerabilities
•
Prevent key re-use
•
Extensible Authentication Protocol (EAP) – change often the
WEP-key (not enough against Bittau attack)
•
Deploy Intrusion Detection Systems (IDS) to protect against
injected traffic (really protects against PTW attack)
•
Companies sell hardware using modified versions of the WEP
protocol claiming to be secure
Conclusions
•
WEP has a long history of vulnerabilities and “fixes”
•
WEP is a good example of how attacks evolve and mature
over time
•
Attacks that a few years ago took days, now take minutes if
the right tools are used
•
2005 WEP is officially declared deprecated by IEEE 802.11
committee
•
2008 WEP used by 30% of users in a US university
•
Today – too many old networks, some using WEP
•
WEP must be abandoned once and for all, rather than
patch it yet again !!!
Bibliography
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
http://eprint.iacr.org/2007/120.pdf
http://tapir.cs.ucl.ac.uk/bittau-wep.pdf
http://www.netstumbler.org/showthread.php?t=12489
http://www.netstumbler.org/showpost.php?p=93942&postcount=35
http://www.pisa.org.hk/event/live-wifi-attack-defense/WEP_cracking_demo.pdf
http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack
http://www.cc.gatech.edu/~traynor/cs8803-f08/slides/lecture13-wep2.pdf
http://www.rossbuffington.com/WEP_Insecurity.pdf
http://www.franken.de/uploads/media/WEP-Cracking.pdf
http://www.quequero.org/How_To_Attack_a_WEP/WPA_Protected_Wireless_Network_(eng)
http://yawcu.sourceforge.net/documentation.pdf
http://eprint.iacr.org/2007/471.pdf