Transcript CS591

Wireless Network Security:
WEP And Beyond
Heidi Parsaye
Jason DeVries
Roxanne Ilse
Heidi Parsaye - Jason DeVries - Roxanne Ilse
Outline
• Wireless networking basics
– Attempts at making wireless networking secure
• Wired Equivalent Privacy
– Why it’s no longer private
– Brief overview of how to crack
• Beyond WEP – WiFi Protected Access (WPA)
Wireless Broadband
• How Does Wireless Broadband Work?
• Benefits of Wireless Broadband
• Disadvantage of Wireless Broadband
Wireless Network Security
• IEEE 802.11 WI-FI
• Wired Equivalent Privacy (WEP)
• TKIP (Temporal Key Integrity Protocol)
• MAC address filtering
• Wi-Fi Protected Access (WPA and WPA2)
Encryption Of WEP Data
Decryption Of WEP Data
Important Details About WEP Frames
Plaintext
• BSSID
• Initialization Vector
• Destination Address
Encrypted
• LLC Header
• SNAP Header
• Data
• 32-bit CRC
• All 802.11 WEP frames contain a plaintext header followed by encrypted data.
• The Initialization Vector is included in the plaintext.
• There is no CRC on the plaintext header. We can easily spoof the BSSID to get around MAC address filtering.
• No attempt is made to hide packet lengths.
Important Details About WEP Frames
• The RC4 Initialization Vector must be sent in plaintext. The recipient needs to combine it with the secret key to re-create the state array used for decryption.
The Problem With WEP
• It’s actually a problem with RSA RC4, which was designed in 1987 by Ron Rivest (the R in RSA).
• In 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir (the S in RSA) discovered that the first few bytes of the RC4 data are non-random and leak information about the key.
The Problem With RC4
• The “Secret Key” used by KSA is actually the Initialization Vector (3 bytes) plus the Secret Key (5 or 13 bytes).
• Since we know the first three values, we know the output for the first three iterations of KSA.
The Problem With RC4
• If we can get the state array, we can now start plugging data into PRGA. More specifically, we can start running it in reverse to give us a hint about the secret key.
Another Weakness
Plaintext
• BSSID
• Initialization Vector
• Destination Address
Encrypted
• LLC Header
• SNAP Header
• Data
• 32-bit CRC
• The 3-byte LLC Header is always the same on every frame, starting with 0xAA, indicating that SNAP is next.
• In fact, with a certain message we’ll cover later, we know the values for 16 of the encrypted bytes.
• Knowing some of the encrypted plaintext makes the job even easier.
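The two observations above (the first three KSA iterations depend only on the plaintext IV, and the first encrypted byte always hides 0xAA) can be checked with a small WEP-style RC4 model. This is an added example, not part of the original slides; the IV, keys and payload are constructed sample values, and the little-endian CRC-32 layout is an assumption of the model.

```python
import struct
import zlib

def ksa(seed, steps=256):
    """RC4 key scheduling over `seed`, stopped after `steps` iterations."""
    S, j = list(range(256)), 0
    for i in range(steps):
        j = (j + S[i] + seed[i % len(seed)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def prga(S, n):
    """RC4 output generation: n keystream bytes from state array S."""
    S, i, j, out = S[:], 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def wep_encrypt(iv, key, payload):
    """Encrypted part of a WEP frame: RC4(IV || key) over payload || CRC-32."""
    body = payload + struct.pack("<I", zlib.crc32(payload))
    keystream = prga(ksa(iv + key), len(body))
    return bytes(b ^ k for b, k in zip(body, keystream))

def wep_decrypt(iv, key, encrypted):
    """Recipient side: rebuild the state from the plaintext IV and shared key."""
    keystream = prga(ksa(iv + key), len(encrypted))
    body = bytes(c ^ k for c, k in zip(encrypted, keystream))
    payload, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("CRC mismatch")
    return payload

def first_keystream_byte(encrypted):
    """The first plaintext byte is always 0xAA, so XOR reveals keystream[0]."""
    return encrypted[0] ^ 0xAA

# Constructed sample values (not from the slides)
IV = bytes.fromhex("1a2b3c")        # 3-byte IV, visible in the frame header
KEY_A = bytes.fromhex("0123456789")  # 5-byte secret key
KEY_B = bytes.fromhex("fedcba9876")  # a different 5-byte secret key
PAYLOAD = bytes.fromhex("aaaa030000000806") + b"constructed payload"

if __name__ == "__main__":
    enc = wep_encrypt(IV, KEY_A, PAYLOAD)
    print("3-step KSA state independent of secret key:",
          ksa(IV + KEY_A, 3) == ksa(IV + KEY_B, 3))
    print("keystream[0] visible to an observer: 0x%02x" % first_keystream_byte(enc))
```

Because both properties follow from the frame format itself, no configuration of WEP removes them; the fix is the move to WPA2 described later.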
Getting The Secret Key
• What we really need to see is the exact same plaintext message encrypted thousands of times using different Initialization Vectors.
• If we get enough unique Initialization Vectors, we can crack the secret key.
• But how do we get a WEP network to encrypt and transmit the exact same message thousands of times?
– The answer: Ask the network the same question… get the same answer thousands of times!
We Have Ways Of Making You Talk
• Ok, so what question can we ask the network thousands of times and get the same answer?
– Hey network… what’s my IP address? This is known as an ARP request.
• Since we don’t have the secret key, we can’t encrypt our own ARP request.
• That means we need to steal a legitimate ARP request from the network. Once we get one, we’ll replay it thousands of times. We’ll force the network to talk to us as it replies to these requests… generating messages for us.
ARP Requests
• But if the data is encrypted, how could we find and read an ARP request?
– The answer: We don’t need to read it or decrypt its content. We just need to recognize it as what we need.
• Two facts about ARP requests help us:
– They’re always the same fixed length. We can look for that.
– It will be sent to a broadcast address. Remember, the destination MAC address is sent as plaintext in the 802.11 header so we can read that part.
Retransmitting ARP Requests
Plaintext
• BSSID
• Initialization Vector
• Destination Address
Encrypted
• LLC Header
• SNAP Header
• Data
• 32-bit CRC
• Look at the 802.11 frame again. Once we steal a legitimate ARP request, there’s absolutely nothing to keep us from spoofing our BSSID and retransmitting the exact same request as many times as we want.
• We don’t know the values of the encrypted bytes we’re transmitting, but that’s ok. We don’t care.
• We also won’t be able to read the ARP reply sent by the network. We don’t care about the contents. The important part is that they are the same every time.
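The same plaintext fields that make the replay possible also make it visible to a monitor: a retransmitted frame carries the same IV, length and broadcast destination every time. The sketch below is an added example, not part of the original slides; the record format, threshold, window and all sample frames are constructed assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def find_replays(frames, threshold=10, window=1.0):
    """Flag broadcast frames whose (transmitter, IV, length) repeats.

    frames: time-ordered tuples (timestamp, transmitter, destination, iv_hex, length).
    Returns {(transmitter, iv_hex, length): peak repeat count inside `window` seconds}
    for every tuple that reaches `threshold` repeats.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = {}
    for ts, src, dst, iv, length in frames:
        if dst != BROADCAST:
            continue              # ARP requests go to the broadcast address
        key = (src, iv, length)
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()       # forget sightings older than the window
        if len(times) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(times))
    return flagged

# Constructed sample capture (addresses, IVs and lengths are made up).
SAMPLE_FRAMES = (
    # Normal station: occasional broadcasts, fresh IV on every frame.
    [(10.0 + 0.5 * n, "00:aa:bb:cc:dd:01", BROADCAST, "%06x" % (0x100 + n), 68)
     for n in range(6)]
    # Replayed frame: identical IV and length, 40 copies in under half a second.
    + [(20.0 + 0.01 * n, "00:aa:bb:cc:dd:02", BROADCAST, "a1b2c3", 68)
       for n in range(40)]
    # Unicast data frame: ignored by the detector.
    + [(21.0, "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:ff", "000200", 1400)]
)

if __name__ == "__main__":
    for (src, iv, length), count in find_replays(SAMPLE_FRAMES).items():
        print(f"possible replay: {src} iv={iv} len={length} x{count}")
```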
Recent Work
• In 2005, Andreas Klein extended the 2001 work of Fluhrer, Mantin, and Shamir. He found additional correlations between the encrypted data and the secret key. However, his method still relied on educated guesses to compute all bytes of the secret key sequentially.
– If while computing the 10th byte it turns out you made an incorrect guess on the 4th byte, you have to throw out all computations done from the 4th byte onward and start again.
Recent Work
• In 2007, Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin optimized Klein’s 2005 attack for usage against WEP.
– Most notably, they modified the attack such that it is possible to compute the secret key bytes independently, instead of sequentially… much more efficient, less wasted computations.
– Working at 802.11g data rates, they showed they could crack 128-bit WEP with just 85,000 packets, a success rate of 95%... in less than 60 seconds.
Using AirCrack
Beyond WEP – WPA2
• Implements mandatory elements of 802.11i
• Available in personal (SOHO) and enterprise mode
• Uses AES (Advanced Encryption Standard)
WPA2 Components
• WPA2 Wi-Fi certified client devices; may require software/hardware upgrades
• Client supplicant, such as Microsoft or Funk Odyssey
• EAP Authentication Types
• WPA2-Enterprise Wi-Fi Certified APs; may require firmware or hardware upgrade
• Authentication Server (RADIUS)/Database (SQL, LDAP or AD)
How WPA2 Works
• Initiated when user associates with an AP
• User must authenticate first before AP will allow access to network
• Authentication process enabled by IEEE 802.1X/EAP framework
• Client & authentication server mutually authenticate with each other via the AP
• Once authenticated, the authentication server & client simultaneously generate a “Pairwise Master Key” (PMK)
• 4-way handshake between client and AP to complete authentication and establish AES encryption keys to encrypt data exchanged between client and AP
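How the PMK turns into per-session AES keys during the 4-way handshake can be shown in a few lines. This is an added example, not part of the original slides: the key-expansion function and the KCK/KEK/TK split follow the IEEE 802.11i pairwise key hierarchy rather than anything shown in the deck, and the PMK, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """Derive the Pairwise Transient Key that both sides compute in the handshake.

    Addresses and nonces are sorted, so the AP and the client obtain the same
    result regardless of which side's values are listed first.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {
        "KCK": ptk[0:16],    # authenticates the handshake messages
        "KEK": ptk[16:32],   # protects the group key delivered to the client
        "TK": ptk[32:48],    # AES key for data between client and AP
    }

# Constructed sample values (not from the slides)
PMK = bytes(range(32))                    # 256-bit Pairwise Master Key
AP_MAC = bytes.fromhex("00aabbccdd01")
CLIENT_MAC = bytes.fromhex("00aabbccdd02")
ANONCE = hashlib.sha256(b"constructed AP nonce").digest()
SNONCE = hashlib.sha256(b"constructed client nonce").digest()

if __name__ == "__main__":
    keys = derive_ptk(PMK, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    for name, value in keys.items():
        print(name, value.hex())
```

Unlike WEP, where every frame is keyed from the same long-lived secret plus a visible 3-byte IV, the fresh nonces here give each association its own data key.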