Intercepting Mobiles Communications: The Insecurity of 802.11

Danny BicksonACNS Course, IDCSpring 2007

Resources Borisov, Goldberg, Wagner. Intercepting

mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking. http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf

• Guillaume LehembreWifi Security: WEP, WPA and WPA2http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf

WEP Protocol WEP – Wired Equivalent Privacy Wireless standard 802.11 Link layer Protocol goals:

Confidentiality: prevent eavesdropping Access control: prevent unauthorized access Data integrity: prevent tampering of messages

We show that none of the security goals are attained

Network Model

Internet

WEP Algorithm Encryption

Message CRC(M)

RC4(k,IV)

CipherIV

WEP AlgorithmDecryption

Message CRC(M)

RC4(k,IV)

CipherIV

Confidentiality

Stream cipher properties Given two ciphers C1,C2 –

C1 C2 = P1 P2. Keystream reuse can lead to a number of attacks:

If plaintext of one message is known, the other is immediately obtainable.

In the general case, known techniques for breaking reused keystreams.

As the number of reused keystream increases breaking them becomes easier.

Two conditions required for this class of attcks to succeed: Availability of ciphertexts where keystream is used

more than once. Partial knowledge of some of the plain texts.

Finding instances of keystream reuse

Shared key k changes rarely. Reuse of IV causes reuse of

keystream. IV are public.

IV Usage Standard recommends (but not requires)

change of IV. Common PCMCIA cards sets IV to zero and

increment it by 1 for each packet. IV size is only 24 bits. Busy access point of 5Mbps will exhaust

available space in 11 hours. Birthday paradox: on random IV selection

5000 packets are needed w.h.p. to find a collision

Exploiting keystream reuse

Many fields of IP traffic are predictable.For example: login sequences.Active attack (known plaintext)

Decryption dictionaries

Once plaintext of encrypted message is obtained, keystream value stored in

dictionary.Full table requires 24GBSize of dictionary does not depend of

size of key

Key management

Message Authentication

Message modification Message injection

Message Modification

Checksum used is CRC-32 which is a linear function of the message:

In other words, checksum distributes over the XOR operation.C(x y) = C(x) C(y)

RC4 stream cipher also linear.

The attackGiven C we would like to create C’ s.t.

C’ decrypts to M’ instead of M.

Message CRC(M)

RC4(k,IV)

Cipher CRC()

CRC()

=

Message CRC(M)RC4(k,IV)

CRC()=

RC4(k,IV) ’ CRC(’)

=

Message Injection

WEP checksum is an unkeyed function of the message.

After knowing one keystream we can use it forever.C’ = <M’, CRC(M’)> RC4(IV,k)

Other attacks

IP redirection.Assumption: Destination address is known.

IP redirection (cont.)

Need to calculate IP checksum Several options

IP checksum for original packet is known Original IP checksum is not known Compensate by changing another IP field

Reaction Attack Works only for TCP protocol Pick i at random, let be all zeros,

except for positions i and i+16.Calc C’ = C Two options:1. Got an acknowledgment, Pi Pi+16 = 1

2. Else Pi Pi+16 = 0 Each test reveals 1 bit of information

Example attacks

ARP Request

Conclusion

Design of security protocols is difficult (more than the design of network protocols)

Combining several secure algorithms does not mean that the result is secure

Engineering perspective dictated selection of cryptographic algorithms

Fixing WEP

WPA – Wi-Fi Protected Accessand 802.11i

WPA WPA – Wi-Fi Protected Access

Draft security enhancements for 802.11 A subset of the 802.11i proposed standard Proposed by IEEE 802.11 TGi (Task Group i)

Design goals Preserve packet format Work with deployed 802.11 hardware in AP and NICs

Composed of two components Authentication and master key generation– 802.1X TKIP (Temporal Key Integrity Protocol) - Temporal key

generation, Confidentiality and Integrity

802.11i A proposed standard Defines authentication, key management,

confidentiality, integrity and encapsulations for 802.11

Includes WEP (current implemented)

Encryption: RC4; Integrity: CRC-32 TKIP (temporary solution)

Encryption: RC4; Integrity: Michael WRAP (Wireless Robust Authenticated Protocol)

Encryption: AES; Integrity: HMAC-MD5

TKIP – Temporal Key Integrity Protocol

TKIP Components

TKIP is a wrapper around WEP A cryptographic MIC (Message

Integrity Code) A per-packet sequence number A per-packet key mixing function A rekeying mechanism (802.1X)

TKIP MIC MICHAEL the MIC function is designed for

very low bandwidth CPU (the ones that are used by the Access Point)

Key length – 64 bits The MIC is computed over the source

address, the destination address and the data Protects against packet modification (e.g. bit

flipping) Protects against header forgery

WEP with Enabled MIC

IV

802.11 Header

00

08

16

24

KeyID

ICV

Data

RC4

Encrypted

IV fields

802 Header (SNAP+LLC)

MIC

=CRC

=MAC

TKIP Sequence Counter The station and the Access Point maintain a TKIP

sequence counter The transmitter increments the TKIP sequence

counter each time it sends a packet The counters are reset when new temporal keys are

established The sequence counter is mixed with the temporal

key and the transmitter MAC address to create a RC4 seed key

On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage

Protects against replay attack

TKIP Keys

TKIP is using temporal keys The station and the Access Point

periodically exchange temporal keys Four keys

One Integrity (MIC) and one Encryption key per direction

TKIP ENCAPSULATION

TKIP Encapsulation Calculate the 64 bits MIC with the MIC temporal

key, over the source and destination addresses. The MIC is inserted into the message data

The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key

The first three bytes of the key are stored in the IV field

The remaining 13 bytes are stored in a free WEP key buffer

The packet is sent to WEP processing

TKIP DECAPSULATION

TKIP Decapsulation The IV and the temporal key are concatenated, to

create the RC4 seed key The key is de-mixed – to create the TKIP sequence

counter. The counter is checked to be in sequence The key, the IV and the data are sent for WEP

decapsulation After RC4 decryption, the MIC, with the temporal

MIC key, is computed over the source and destination addressed and the decrypted packet , and is compared to the MIC field in the packet

TKIP Notes The TKIP temporal key must be exchanged

every less then 216 packets, since the key mixing can produce 216 different IVs

The MIC and key mixing algorithms are cryptographically weak But, all the WEP known problems are solved TKIP is a temporary solution – until NICs and APs

with new hardware arrives to the market The 802.11i uses AES encryption