Systems Architecture
Breaking WEP in less than 60 seconds
A presentation by Roman Scherer and Rainer Rehak
June 12th 2007
Security Engineering, HU-Berlin

Overview
- brief history of WEP
- WEP variants
- usage of WEP in common environments
- WEP packet structure
- general WEP encryption algorithm
- detailed WEP encryption algorithm (RC4)
- Klein's attack on RC4
- Klein's attack on RC4 for independent bytes
- Application to WEP: ARP and packet injection
- Additional information and conclusion

Introduction (1)
wired networks are in general secure due to physical reasons
- direct wire-bound communication between peers -> direct physical access required
wireless networks are insecure due to physical reasons
- reception area is a sphere -> traffic is by default public

Introduction (2)
traffic needs to be encrypted to ensure privacy -> WEP (Wired Equivalent Privacy)
ratified in September 1999 by the IEEE as two variants: 64-bit (40-bit) and 128-bit (104-bit) encryption
- 64-bit for slow computers (3 Byte Initialization Vector)
- 128-bit for high security (3 Byte Initialization Vector)
in 2001 Fluhrer, Mantin and Shamir presented an attack against RC4, but the IVs needed to fulfill a special condition
in 2004 Stubblefield, Ioannidis, and Rubin applied this to WEP -> approximately 4 million packets needed

Introduction (3)
therefore WEP+ (WEP-plus) was introduced, which does not use those IVs
in 2007 Klein improved the RC4 attack; it works regardless of the IVs used
although WEP is known to be insecure, (non-representative) statistics from central Germany show the following: WEP is still the most commonly used WLAN protection

IEEE Standard
IEEE specifies the two lowest layers of the OSI (Open System Interconnection) model for local wireless networks. The specification of these two layers (Physical & Media Access Control) is known as WLAN or Wi-Fi.

BSS // Basic Service Set
A WLAN consists of a minimum of two communication partners, also called stations. Stations can communicate with each other using electromagnetic waves that have a range of 20 m – 300 m. This communication area is known as a BSS (Basic Service Set).
[Figure labels: Station #1, Station #2, Access Point, BSS]

WEP Packet Structure
[Figure labels: Header, BSS ID, Initialization Vector (IV), Destination Address, Logical Link Control, Sub Network Access Protocol Header, Data, Integrity Check Value (CRC32)]
The first part of a WEP packet is not encrypted and contains, amongst others, the initialization vector IV as well as the hardware address of the destination (or the broadcast address). The second part of the packet contains the encrypted data of the protocols above. Each packet is encrypted with a different key.

Stream Ciphers

WEP Encoding
Seed: IV (24 bit) || K_BSS (104 bit) = RK (128 bit)

WEP Decoding
WEP uses the RC4 algorithm as its pseudo-random number generator.

RC4 (1)
- RC4 is a widely used stream cipher designed in 1987 by Ron Rivest of RSA Security
- takes a key of arbitrary length up to 256 bytes
- produces a pseudo-random keystream of unlimited length
- RC4 can be described as a machine whose internal state is defined by a 256-byte array and two single bytes acting as pointers to elements of the array

RC4 (2)
- for every packet RC4 is newly initialized, as the key (IV + K_BSS) differs from packet to packet
- creates a permutation of S[ ] based on the packet key

RC4 (3)
- the packet's content is then XOR'ed with the generated key stream
- each generation of one byte for the key stream changes the internal state of RC4
- here, n is 256

Klein's attack (1)
- Klein's attack on RC4 is based on the fact that only the public IV changes, while the secret root key K_BSS is fixed
- K is the packet key, X is the packet key stream, we have m bytes
- if we have the first i bytes of the packet key and the i-th byte of the key stream, we have a (not just random) chance to calculate the (i+1)th byte of the packet key

Multiple Key Bytes
Using Klein's attack it is possible to compute all secret key bytes if enough samples are available.
Disadvantage
- The IVs and recovered keystreams must be processed for each key byte.
- All key bytes following a falsely guessed key byte have to be recalculated.
Tews, Weinmann & Pyshkin Approach
- Extension to Klein's attack to be able to calculate the key bytes independently of each other.
- They developed an approximation so the recovery algorithm only depends on the first 3 key bytes, which is the unencrypted IV.
- Using the approximation together with a key ranking method & an error correction function for strong keys they are able to recover the correct key.

ARP // Address Resolution Protocol

LLC & ARP Header Problem
ARP Request: Who has IP address ?
  AA AA XX | 00 01 XX ... | XX XX ...   (LLC Header | ARP Request Header | ...)
ARP Response: 00:01:02:03:04:05 has the IP address
  AA AA XX | 00 01 XX ... | XX XX ...   (LLC Header | ARP Request Header | ...)
ARP request/response packets are always of the same length, and can therefore be easily distinguished from other packets by looking at the packet length and the destination address in the unencrypted header.

LLC & ARP Header Problem
Encrypted packet that was identified as an ARP request:
  4B 3A 02 9A BC DF XX 31 34 XX ...
XOR
LLC Header & ARP Request header:
  AA AA XX 00 01 XX ...
=
RC4 Keystream:

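The WEP Encoding and RC4 slides and the LLC & ARP Header Problem slides above, as one added example that is not part of the original presentation: a frame is encrypted under the packet key IV || K_BSS, and the known LLC/SNAP and ARP header bytes are XORed with the ciphertext to obtain the keystream prefix. The key, IV and ARP field values are constructed sample data, and the function names are chosen for this example.

```python
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 with n = 256: key scheduling, then `length` bytes of keystream."""
    n = 256
    S = list(range(n))
    j = 0
    for i in range(n):                      # KSA: permute S[] based on the packet key
        j = (j + S[i] + key[i % len(key)]) % n
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                 # PRGA: every output byte changes the state
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % n])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, k_bss: bytes, payload: bytes) -> bytes:
    """Encrypt payload || ICV (CRC32, little-endian) under RK = IV || K_BSS."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    body = payload + icv
    return xor(body, rc4_keystream(iv + k_bss, len(body)))

def wep_decrypt(iv: bytes, k_bss: bytes, ciphertext: bytes) -> bytes:
    """Decrypt and verify the ICV; raises ValueError if the frame was altered."""
    body = xor(ciphertext, rc4_keystream(iv + k_bss, len(ciphertext)))
    payload, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return payload

# Constructed sample values (not from the slides).
K_BSS = bytes.fromhex("0102030405060708090a0b0c0d")   # 104-bit root key
IV = bytes.fromhex("a1b2c3")                           # 24-bit IV, sent unencrypted
# LLC/SNAP header followed by the fixed start of an ARP request: known plaintext.
KNOWN_PREFIX = bytes.fromhex("aaaa0300000008060001080006040001")
ARP_REST = bytes.fromhex("000102030405c0a80001000000000000c0a80002")

def recovered_keystream() -> bytes:
    """XOR the ciphertext with the known prefix; K_BSS is not needed for this."""
    ciphertext = wep_encrypt(IV, K_BSS, KNOWN_PREFIX + ARP_REST)
    return xor(ciphertext[:len(KNOWN_PREFIX)], KNOWN_PREFIX)
```

The recovered bytes equal the first 16 bytes of the RC4 output for this IV, which is why fixed, predictable headers under a stream cipher with a public per-packet IV leak keystream for every captured frame.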
ARP Packet Injection
To successfully recover a 104 bit WEP key we need: packets having a success probability of 50% packets having a success probability of 95%.
It is not practical to wait for all these packets (passive attack)!
The usual approach is to wait for an ARP request from a valid client and re-inject this packet back into the network. Since ARP is a low-level protocol, it is typically not restricted by any kind of packet filter. ARP replies expire quickly, so it usually takes only some seconds/minutes until an attacker can capture a packet and start reinjecting it into the network. Sending a faked deauthenticate message to a client can sometimes force clients to flush their ARP cache and generate a new request.

References
- E. Tews, R.-P. Weinmann, A. Pyshkin. Paper: Breaking 104 bit WEP in less than 60 seconds. Technische Universität Darmstadt, Fachbereich Informatik.
- Klein, A. Attacks on the RC4 stream cipher. Submitted to Designs, Codes and Cryptography.
- Website of the Chaos Computer Club
- Chaosradio / Chaospodcast