Systems Architecture Breaking WEP in less than 60 seconds A presentation by Roman Scherer and Rainer Rehak June 12 th.

Slides:



Advertisements
Similar presentations
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Advertisements

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.
Chalmers University of Technology Wireless security Breaking WEP and WPA.
COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
IEEE Wireless Local Area Networks (WLAN’s).
Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
AJ Mancini IV Paul Schiffgens Jack O’Hara. WIRELESS SECURITY  Brief history of Wi-Fi  Wireless encryption standards  WEP/WPA  The problem with WEP.
WLAN What is WLAN? Physical vs. Wireless LAN
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
CSC-682 Advanced Computer Security
A History of WEP The Ups and Downs of Wireless Security.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.
Wireless Security Presented by: Amit Kumar Singh Instructor : Dr. T. Andrew Yang.
Stream Cipher July 2011.
Analyzing Wireless Security in Columbia, Missouri Matthew Chittum Clayton Harper John Mixon Johnathan Walton.
WEP Protocol Weaknesses and Vulnerabilities
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
WEP Case Study Information Assurance Fall or Wi-Fi IEEE standard for wireless communication –Operates at the physical/data link layer –Operates.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
Encryption Protocols used in Wireless Networks Derrick Grooms.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
1 Wireless Threats 1 – Cracking WEP Cracking WEP in Chapter 5 of Wireless Maximum Security by Peikari, C. and Fogie, S.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Wireless Security John Himmelein Erick Andrew Christian Adam Varun Bapna.
How To Not Make a Secure Protocol WEP Dan Petro.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
IEEE Security Specifically WEP, WPA, and WPA2 Brett Boge, Presenter CS 450/650 University of Nevada, Reno.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Doc.: IEEE /230 Submission May 2001 William Arbaugh, University of MarylandSlide 1 An Inductive Chosen Plaintext Attack against WEP/WEP2 William.
WLAN Security1 Security of WLAN Máté Szalay
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Erik Nicholson COSC 352 March 2, WPA Wi-Fi Protected Access New security standard adopted by Wi-Fi Alliance consortium Ensures compliance with different.
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Tightening Wireless Networks By Andrew Cohen. Question Why more and more businesses aren’t converting their wired networks into wireless networks?
Module 48 (Wireless Hacking)
WEP & WPA Mandy Kershishnik.
Cryptography CS 555 Topic 15: Stream Ciphers.
Wireless Security Ian Bodley.
ANALYSIS OF WIRED EQUIVALENT PRIVACY
Cryptography Lecture 16.
Wireless Privacy: Analysis of Security
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
An Inductive Chosen Plaintext Attack against WEP/WEP2
WLAN Security Antti Miettinen.
ADVANCED ENCRYPTION STANDARDADVANCED ENCRYPTION STANDARD
RC4 RC
Antti Miettinen (modified by JJ)
Chapter -4 STREAM CIPHERS
Intercepting Mobile Communications: The Insecurity of
The RC4 Algorithm Network Security.
By: Anthony Gervasi & Adam Dickinson
Presentation transcript:

Systems Architecture Breaking WEP in less than 60 seconds A presentation by Roman Scherer and Rainer Rehak June 12 th 2007 Security Engineering, HU-Berlin

2 May Systems Architecture Overview  brief history of WEP  WEP variants  usage of WEP in common environments  WEP-packet structure  general WEP-encryption algorithm  detailed WEP-encryption algorithm (RC4)  Klein's attack on RC4  Klein's attack on RC4 for independent bytes  Application on WEP: ARP and packet-injection  Additional information and conclusion Raine r Roma n Raine r Roma n

3 May Systems Architecture Introduction (1)  wired networks are in general secure due to physical reasons - direct wire-bound communication between peers -> direct physical access required  wireless networks are insecure due to physical reasons - reception area is a sphere -> traffic is by default public ? ?

4 May Systems Architecture Introduction (2)  traffic needs to be encrypted to ensure privacy -> WEP (Wired Equivalent Privacy)  ratified in September 1999 by the IEEE as  two variants: 64-bit (40-bit) and 128-bit (104-bit) encryption - 64-bit for slow computers (3 Byte Initialization Vector) bit for high security (3 Byte Initialization Vector)  in 2001 Fluhrer, Mantin and Shamir presented an attack against RC4, but IVs needed to fulfill a special condition  in 2004 Stubblefield, Ioannidis, and Rubin applied this to WEP -> approximately 4 million packets needed

5 May Systems Architecture  therefore WEP+ (WEP-plus) was introduced not using those IVs  in 2007 Klein improved the RC4 attack, it works regardless of the IVs used  although WEP being known as insecure, (not representative) statistics in middle germany show the following:  WEP is still the most commonly used WLAN-protection Introduction (3)

6 May Systems Architecture IEEE Standard IEEE specifies the two lowest layers of the OSI (Open System Interconnection) model for local wireless networks. The specification of these two layers (Physical & Media Access Control) is kown as WLAN or WIFI. IEEE specifies the two lowest layers of the OSI (Open System Interconnection) model for local wireless networks. The specification of these two layers (Physical & Media Access Control) is kown as WLAN or WIFI.

7 May Systems Architecture BSS // Basic Service Set A WLAN consists of a minimum of two communication partners, also called stations. Stations can communicate with each other using electro-magnetic waves, that have a scope of 20m – 300m. This communication area is known as BSS (Basic Service Set). A WLAN consists of a minimum of two communication partners, also called stations. Stations can communicate with each other using electro-magnetic waves, that have a scope of 20m – 300m. This communication area is known as BSS (Basic Service Set). Station# 1 Station# 2 Station# 1 Station# 2 Access Point BS S

8 May Systems Architecture WEP Paketaufbau Logical Link Control BSS ID Initialization Vector (IV)Destination Address Sub Network Access Protocol Header Data Integrety Check Value (CRC32) Header The first part of a WEP packet is not encrypted and contains, amongst others, the initalization vector IV as well as the hardware address of the destinaton (or the broadcast address). The second part of the packet contains the encrypted data of the protocols above. Each packet will be encrypted with an ''other'' key. The first part of a WEP packet is not encrypted and contains, amongst others, the initalization vector IV as well as the hardware address of the destinaton (or the broadcast address). The second part of the packet contains the encrypted data of the protocols above. Each packet will be encrypted with an ''other'' key.

9 May Systems Architecture Stream Ciphers

10 May Systems Architecture WEP Encoding Seed: IV (24bit) || K-BSS (104bit) = RK (128bit)

11 May Systems Architecture WEP Decoding WEP uses the RC4 algorithm as it's pseudo random number generator.

12 May Systems Architecture RC4 (1)  RC4 is a widely used stream cipher by Ron Rivest of RSA Security from 1987  takes key of arbitrary length up to 256 byte  produces pseudo-random keystream of unlimited length  RC4 can be described as a machine with internal states being defined by an 256-byte-array and two single bytes acting as pointers to elements of the array

13 May Systems Architecture RC4 (2)  for every packet RC4 is newly initialized as the key (IV+K BSS ) differs from packet to packet  creates a permutation of S[ ] based on the packet key

14 May Systems Architecture RC4 (3)  the packet's content is then XOR'ed with the generated key stream  each generation of one byte for the key stream changes the internal state of the RC4  here, n is 256

15 May Systems Architecture Klein's attack (1)  Klein's attack on RC4 is based on the fact, that only the public IV changes, but the secret root key K BSS is fixed  K is the packet key, X is the packet key stream, we have m bytes  if we have the first i bytes of the packet key and the i-th byte of the key stream, we have a (not just random) chance to calculate the (i+1)th byte of the packet key

16 May Systems Architecture Multiple Key Bytes Using Klein's attack it is possible to compute all secret key bytes if enough samples are available. Disadvantage - The IV's and recovered keystreams must be processed for each key byte. - All key bytes following a falsely guessed key byte have to be recalculated. Tews, Weinmann & Pyshkin Approach - Extension to Klein's attack to be able to calculate the key bytes independently of each other. - They developed an approximation so the recovery algorithm only depends on the first 3 key bytes, which is the unencrypted IV. - Using the approximation together with a key ranking method & an error correction function for strong keys they are able to recover the correct key.

17 May Systems Architecture ARP // Address Resolution Protocol

18 May Systems Architecture LLC & ARP Header Problem AA AA XX00 01XX... ARP Request: Who has IP address ? LLC HeaderARP Request Header... XXXX... AA AA XX00 01XX... ARP Response: 00:01:02:03:04:05 has the IP address LLC HeaderARP Request Header... XXXX... ARP request/response packets are always of the same length, and can therefore be easily distinguished from other packets by looking at the packet length and the destination address in the unencrypted header.

19 May Systems Architecture LLC & ARP Header Problem 4B 3A 02 9A BC DF XX31 34XX... Encrypted packet, that was identified as an ARP request: LLC HeaderARP Request Header... XXXX... AA AA XX00 01XX... LLC Header & ARP Request header: Keystream... XXXX... XO R = RC4 Keystream:

20 May Systems Architecture ARP Packet Injection To successfully recover a 104 bit WEP key we need: packets having a success probability of 50% packets having a success probability of 95%. It is not practical to wait for all these packets (passive attack)! The usual approach is to wait for an ARP request from a valid client and re-inject this packet back to the network. Since ARP is a low level protocol it is typically not restricted by any kind of packet filters. ARP replies expire quickly, so it usually takes only some seconds/minutes until an attacker can capture a packet and start reinjecting it to the newtork. Sending a faked deauthenticate message to a client can sometimes force clients to flush their ARP cache an generate a new request.

21 May Systems Architecture References  E. Tews, R.-P. Weinmann, A. PyshkinPaper: Breaking 104 bit WEP in less than 60 seconds Technische Universität Darmstadt, Fachbereich Informatik  Klein, A. Attacks on the RC4 stream cipher. submitted to Designs, Codes and Cryptography,  Website des Chaos Computer Club  Chaosradio / Chaospodcast,