csc-682 advanced computer security attacks on wireless networks using wep encryption presented by :...
TRANSCRIPT
CSC-682 Advanced Computer SecurityCSC-682 Advanced Computer Security
Attackson wireless networks using WEP encryption
presented by : Pompi Rotaru
Wireless technology
• IEEE 802.11 a/b/g/n is the set of standards for W-LAN
• Wireless technology has been on the rise in recent years
• An individual can sit outside the building and connect to an
unprotected wireless network
• Preserving privacy and integrity of wireless communications
becomes an important objective of the network security team
• Basic service set :• infrastructure mode independent (ad-hoc) mode
WEP
• Wired Equivalent Privacy (WEP) is most common
mechanism for protection
• Encryption with 40-bit key (aka “64-bit encryption”)
• Encryption with 104-bit key (aka "128-bit encryption“)
• Uses as the most common encryption algorithm the RC4
algorithm.
History of WEP
• 1997 Release of the first final version of IEEE 802.11
• 2001 WEP broken by Fluhrer, Mantin, and Shamir
• 2004 WEP broken again by KoreK
• 2005 WEP broken again by KoreK again (chopchop attack)
• 2005 WEP broken again by Bittau, fragmentation attack
• 2007 WEP broken again by Pyshkin, Tews, Weinmann, with
the help of Klein
RC4 algorithm description
• Stream cipher designed by Ron Rivest in 1987
• It works as a variable key-size stream cipher with byte-
oriented operations
• Key Scheduling Algorithm (KSA) - which turns a random key
into a permutation by scrambling the bits
• Pseudo-Random Generator Algorithm (PRGA) – using swap
operations for the previously permutation it generates pseudo-
random numbers
• X = RC4(K)
How WEP encryption works
• A 3 bytes initialization vector (IV) is chosen
• A key stream X = RC4(K) is generated from secret key K
• A 32 bit long checksum called Integrity Check Value (ICV)
is appended to the message to protect the integrity
• The resulting plain text is encrypted making an XOR
operation with the generated key stream
• The unencrypted IV and the cipher-text are sent over the air
Types of WEP attacks
• Depending on key
• without recovering the WEP key
• recovering the key
• Depending on communication
• static (no communication with AP)
• dynamic (involves communication with AP)
General steps for attack
• Setup equipment (laptop, directional antenna)
• Find the target (airdump-ng, Kismet, NetStumbler)
• Capture data from air (airmon-ng, airodump-ng)
• Wait or make the target network busy (aireplay-ng)
• Start cracking from captured data (aircrack-ng)
The brute force / dictionary attack
• “Power” of the WEP relies in the difficulty of discovery of the
secret key through a brute-force attack
• “Dictionary attack” uses dictionary of keys, not all possible
keys
• Such attack requires less then a month for all keys
• Steps :• capture 2 WEP encrypted packets
• try to decrypt it using the captured IV and a potential key
• verify decrypted ICV (the CRC)
• (optional) verify the key on the 2nd packet
The FMS attack
• 2001 - Scott Fluhrer, Itsik Mantin and Adi Shamir
• Static - with key recovery
• RC4 weaknesses :• The “Invariance Weakness” - existence of large classes of weak keys
• The “IV Weakness” – using IV attacker can rederive the secret part by
analyzing the initial word
• Finding the key → use key-output correlation = propagation
of a weak key pattern into the outputs combined with biased
distribution of bits in English text
• Decision tree
• Requires 9 millions packets (listen to traffic for 1…2 hours)
The KoreK attack
• 2004 – internet hacker KoreK
• Static - with key recovery• Does not need weak IV
• Uses 16 additional correlations between the first 1 byte of an
RC4 key, the first 2 bytes of the generated key stream, and the
next keybyte
• Same decision-tree based approach same as FMS attack
• Requires 700000 packets
The KoreK chop-chop attack
• 2005 – same KoreK
• Does not recover the key, it just reveals the message
• Exploits an ICV vulnerability
• Process of truncation of packets while keeping them still valid
• Steps :• capture one packet
• truncate the last byte and try to guess one “value” for plaintext
• correct the checksum and send packet to AP
• if guess is correct the AP will reply
• repeat until all bytes are decrypted
The Bittau attack
• 2005 - Andrea Bittau, Mark Handley and Joshua Lackey
• Fragmentation :• Possible to send multiple fragments (16) using the same key stream
• Each packet is encrypted independently at MAC layer
• Steps:• listen to traffic, eavesdrop one packet then recover 8 bytes of key
stream
• prepend an IP header to the eavesdropped packet and send to AP
• AP will sent the clear text to a controlled internet host
• Fragmentation is used to break 802.11’s cryptography
The PTW attack
• 2007 - Andrei Pyshkin, Erik Tews & Ralf-Philipp Weinmann
• They found a “multibyte correlation” between the first l bytes
of an RC4 key, the generated keystream, and the next i bytes of
the key.
• Steps :• captures packets and recovers their keystreams (FMS,
KoreK)
• evaluate the multibyte correlation function (Klein)
• create decision tree for key and start voting (Rk[0], Rk[1], Rk[2]…)
• Requires 35000 …. 40000 packets
• Less then 60 seconds to crack a 104 bit WEP key
Protecting WEP
• Increase the number of bytes used for encryption (“protects”
against FMS attack)
• Remove the weak IV - keystream re-use vulnerabilities
• Prevent key re-use
• Extensible Authentication Protocol (EAP) – change often the
WEP-key (not enough against Bittau attack)
• Deploy Intrusion Detection Systems (IDS) to protect against
injected traffic (really protects against PTW attack)
• Companies sell hardware using modified versions of the WEP
protocol claiming to be secure
Conclusions
• WEP has a long history of vulnerabilities and “fixes” • WEP is a good example of how attacks evolve and mature
over time • Attacks that a few years ago took days, now take minutes if
the right tools are used• 2005 WEP is officially declared deprecated by IEEE 802.11
committee • 2008 WEP used by 30% of users in a US university• Today – too many old networks, some using WEP• WEP must be abandoned once and for all, rather than
patch it yet again !!!
Bibliography• http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
• http://dl.aircrack-ng.org/breakingwepandwpa.pdf
• http://eprint.iacr.org/2007/120.pdf
• http://tapir.cs.ucl.ac.uk/bittau-wep.pdf
• http://www.netstumbler.org/showthread.php?t=12489
• http://www.netstumbler.org/showpost.php?p=93942&postcount=35
•
• http://www.pisa.org.hk/event/live-wifi-attack-defense/WEP_cracking_demo.pdf
• http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack
• http://www.cc.gatech.edu/~traynor/cs8803-f08/slides/lecture13-wep2.pdf
• http://www.rossbuffington.com/WEP_Insecurity.pdf
• http://www.franken.de/uploads/media/WEP-Cracking.pdf
• http://www.quequero.org/How_To_Attack_a_WEP/WPA_Protected_Wireless_Network_(eng)
• http://yawcu.sourceforge.net/documentation.pdf
• http://eprint.iacr.org/2007/471.pdf