Intercepting Mobiles Intercepting Mobiles Communications: Communications:

The Insecurity of 802.11The Insecurity of 802.11

►Paper by Borisov, Goldberg, Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001Wagner – Berkley – MobiCom 2001

►Lecture by Danny BicksonLecture by Danny Bickson

21.3.0421.3.04

WEP ProtocolWEP Protocol

► WEP – Wired Equivalent PrivacyWEP – Wired Equivalent Privacy► Wireless standard 802.11Wireless standard 802.11► Link layerLink layer► Protocol goals:Protocol goals:

Confidentiality: prevent eavesdroppingConfidentiality: prevent eavesdropping Access control: prevent unauthorized accessAccess control: prevent unauthorized access Data integrity: prevent tampering of messagesData integrity: prevent tampering of messages

► We show that none of the security goals are We show that none of the security goals are attainedattained

Network ModelNetwork Model

Internet

WEP Algorithm WEP Algorithm EncryptionEncryption

Message CRC(M)

RC4(k,IV)

CipherIV

WEP AlgorithmWEP AlgorithmDecryptionDecryption

Message CRC(M)

RC4(k,IV)

CipherIV

ConfidentialityConfidentiality

Stream cipher propertiesStream cipher properties► Given two ciphers CGiven two ciphers C11,C,C22 – –

CC11 C C22 = P = P11 P P22..► Keystream reuse can lead to a number of Keystream reuse can lead to a number of

attacks:attacks: If plaintext of one message is known, the other is If plaintext of one message is known, the other is

immediately obtainable.immediately obtainable. In the general case, known techniques for breaking In the general case, known techniques for breaking

reused keystreams.reused keystreams. As the number of reused keystream increases As the number of reused keystream increases

breaking them becomes easier.breaking them becomes easier.► Two conditions required for this class of attcks Two conditions required for this class of attcks

to succeed:to succeed: Availability of ciphertexts where keystream is used Availability of ciphertexts where keystream is used

more than once.more than once. Partial knowledge of some of the plain texts.Partial knowledge of some of the plain texts.

Finding instances of Finding instances of keystream reusekeystream reuse

►Shared key k changes rarely.Shared key k changes rarely.►Reuse of IV causes reuse of Reuse of IV causes reuse of

keystream.keystream.► IV are public.IV are public.

IV UsageIV Usage► Standard recommends (but not requires) Standard recommends (but not requires)

change of IV.change of IV.► Common PCMCIA cards sets IV to zero and Common PCMCIA cards sets IV to zero and

increment it by 1 for each packet.increment it by 1 for each packet.► IV size is only 24 bits.IV size is only 24 bits.► Busy access point of 5Mbps will exhaust Busy access point of 5Mbps will exhaust

available space in 11 hours.available space in 11 hours.► Birthday paradox: on random IV selection Birthday paradox: on random IV selection

5000 packets are needed w.h.p. to find a 5000 packets are needed w.h.p. to find a collisioncollision

Exploiting keystream reuseExploiting keystream reuse

► Many fields of IP traffic are predictable.Many fields of IP traffic are predictable.► For example: login sequences.For example: login sequences.► Active attack (known plaintext)Active attack (known plaintext)

Decryption dictionariesDecryption dictionaries

►Once plaintext of encrypted message Once plaintext of encrypted message is obtained, keystream value stored in is obtained, keystream value stored in dictionary.dictionary.

►Full table requires 24GBFull table requires 24GB►Size of dictionary does not depend of Size of dictionary does not depend of

size of keysize of key

Key managementKey management

Message AuthenticationMessage Authentication

►Message modificationMessage modification►Message injectionMessage injection

Message ModificationMessage Modification

►Checksum used is CRC-32 which is a Checksum used is CRC-32 which is a linear function of the message:linear function of the message:

► In other words, checksum distributes In other words, checksum distributes over the XOR operation.over the XOR operation.

C(x C(x y) = C(x) y) = C(x) C(y) C(y)►RC4 stream cipher also linear.RC4 stream cipher also linear.

The attackThe attackGiven C we would like to create C’ Given C we would like to create C’

s.t. C’ decrypts to M’ instead of M.s.t. C’ decrypts to M’ instead of M.

Message CRC(M)

RC4(k,IV)

Cipher CRC()

CRC()

=

Message CRC(M)RC4(k,IV)

CRC()=

RC4(k,IV) ’ CRC(’)

=

Relation to GSMRelation to GSM

Encryption:

C = G(M) A5/2(IV,k)

Decryption:

1. G(M) = C A5/2 (IV,k)

2. H(G(M)) = 0 ?

3. M = G-1(G(M))

Attack on GSMAttack on GSM

H(C) = H(C) =

H(A5/2(Iv, k) H(A5/2(Iv, k) G(M)) = G(M)) =

H(A5/2(IV,k)) H(A5/2(IV,k)) H(G(M)) = H(G(M)) =

H(A5/2(IV,k)) H(A5/2(IV,k)) 0 = 0 =

H(A5/2(IV,k)) H(A5/2(IV,k))

Message InjectionMessage Injection

►WEP checksum is an unkeyed function WEP checksum is an unkeyed function of the message.of the message.

►After knowing one keystream we can After knowing one keystream we can use it forever.use it forever.

C’ = <M’, CRC(M’)> C’ = <M’, CRC(M’)> RC4(IV,k) RC4(IV,k)

Other attacksOther attacks

► IP redirection.IP redirection.

Assumption: Destination address is Assumption: Destination address is known.known.

IP redirection (cont.)IP redirection (cont.)

►Need to calculate IP checksumNeed to calculate IP checksum►Several optionsSeveral options

IP checksum for original packet is knownIP checksum for original packet is known Original IP checksum is not knownOriginal IP checksum is not known Compensate by changing another IP fieldCompensate by changing another IP field

Reaction AttackReaction Attack

►Works only for TCP protocolWorks only for TCP protocol►Pick i at random, let Pick i at random, let be all zeros, be all zeros,

except for positions i and i+16.except for positions i and i+16.Calc C’ = C Calc C’ = C Two options:Two options:

1. Got an acknowledgment, P1. Got an acknowledgment, Pii P Pi+16i+16 = 1 = 1

2. Else P2. Else Pii P Pi+16i+16 = 0 = 0►Each test reveals 1 bit of informationEach test reveals 1 bit of information

ConclusionConclusion

►Design of security protocols is difficult Design of security protocols is difficult (more than the design of network (more than the design of network protocols)protocols)

►Combining several secure algorithms Combining several secure algorithms does not mean that the result is does not mean that the result is securesecure

►Engineering perspective dictated Engineering perspective dictated selection of cryptographic algorithmsselection of cryptographic algorithms

THE ENDTHE END

►Thank You!Thank You!