Cracking WEP Keys Applying known techniques to WEP Keys Tim Newsham.

Slides:



Advertisements
Similar presentations
CLASSICAL ENCRYPTION TECHNIQUES
Advertisements

Security+ All-In-One Edition Chapter 10 – Wireless Security
Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Overview How to crack WEP and WPA
CWSP Guide to Wireless Security
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Block Cipher Modes of Operation and Stream Ciphers
ECE454/CS594 Computer and Network Security
Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.
Lecture 5: Cryptographic Hashes
1 Intercepting Mobile Communications: The Insecurity of …or “Why WEP Stinks” Dustin Christmann.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Network Security Chapter 3
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
The Dangers of Mitigating Security Design Flaws: A Wireless Case Study Nick Petroni Jr., William Arbaugh University of Maryland Presented by: Abe Murray.
How To Not Make a Secure Protocol WEP Dan Petro.
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.
Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
Computer Security CS 426 Lecture 3
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Mobile and Wireless Communication Security By Jason Gratto.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
CWNA Guide to Wireless LANs, Second Edition Chapter Eight Wireless LAN Security and Vulnerabilities.
Wireless Network Security Dr. John P. Abraham Professor UTPA.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Wireless Networking Concepts By: Forrest Finkler Computer Science 484 Networking Concepts.
Stream Cipher July 2011.
NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)
Cracking DES Cryptosystem A cryptosystem is made of these parts: Two parties who want to communicate over an insecure channel An encryption algorithm that.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
WEP Protocol Weaknesses and Vulnerabilities
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
CWNA Guide to Wireless LANs, Second Edition Chapter Eight Wireless LAN Security and Vulnerabilities.
WEP, WPA, and EAP Drew Kalina. Overview  Wired Equivalent Privacy (WEP)  Wi-Fi Protected Access (WPA)  Extensible Authentication Protocol (EAP)
Description of a New Variable-Length Key, 64-Bit Block Cipher (BLOWFISH) Bruce Schneier BY Sunitha Thodupunuri.
Wired Equivalent Privacy (WEP): The first ‘confidentiality’ algorithm for the wireless IEEE standard. PRESENTED BY: Samuel Grush and Barry Preston.
Abusing : Weaknesses in LEAP Challenge/Response – Defcon 2003 Slide 1 Weaknesses in LEAP Challenge/Response Joshua Wright
無線網路安全 WEP. Requirements of Network Security Information Security Confidentiality Integrity Availability Non-repudiation Attack defense Passive Attack.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
1 Wireless Threats 1 – Cracking WEP Cracking WEP in Chapter 5 of Wireless Maximum Security by Peikari, C. and Fogie, S.
Various Attacks on Cryptosystems slides (c) 2012 by Richard Newman.
How To Not Make a Secure Protocol WEP Dan Petro.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Doc.: IEEE /230 Submission May 2001 William Arbaugh, University of MarylandSlide 1 An Inductive Chosen Plaintext Attack against WEP/WEP2 William.
Lecture 3 Page 1 CS 236 Online Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Erik Nicholson COSC 352 March 2, WPA Wi-Fi Protected Access New security standard adopted by Wi-Fi Alliance consortium Ensures compliance with different.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Understanding Security Policies Lesson 3. Objectives.
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Wired Equivalent Privacy. INTRODUCTION Wired Equivalent Privacy (WEP) is a security algorithm for IEEE wireless networks. Introduced as part of.
Wireless Protocols WEP, WPA & WPA2.
WEP & WPA Mandy Kershishnik.
Wireless Security Ian Bodley.
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
Applying known techniques to WEP Keys Tim Newsham
Security Issues with Wireless Protocols
Hash Function Requirements
Presentation transcript:

Cracking WEP Keys Applying known techniques to WEP Keys Tim Newsham

© S T A K E, I N C. Introduction  Developed WEP key cracking software –Dictionary attack on the key generators –Dictionary attack on raw keys –Brute force of the 64-bit key generator  Analyzed Key Generators  Did not perform new cryptanalysis on the WEP protocol  Did not look at 802.1x and Radius

© S T A K E, I N C. Talk overview  Motivation  WEP protocol overview  WEP keying  WEP key generators  A WEP Cracker  Results  Related Work

© S T A K E, I N C. Why Perform Dictionary attacks on WEP?  Security is as good as the weakest link  Key cracking attacks the human problem  But Isn’t WEP already broken? –Key cracking is often simpler to implement and perform –Key cracking can be less time consuming

© S T A K E, I N C. Wired Equivalent Privacy  Purpose – bring the security of wired networks to  Provides Authentication and Encryption  Uses RC4 for encryption –64-bit RC4 keys –Non-standard extension uses 128-bit keys  Authentication built using encryption primitive – Challenge/Response

© S T A K E, I N C. HeaderPayloadICVPayload Frame WEP Encryption  ICV computed – 32-bit CRC of payload CRC 32

© S T A K E, I N C.  ICV computed – 32-bit CRC of payload  One of four keys selected – 40-bits Key Keynumber Key 1 Key 2 Key 3 Key 4 WEP Encryption 40 4 x 40

© S T A K E, I N C.  ICV computed – 32-bit CRC of payload  One of four keys selected – 40-bits  IV selected – 24-bits, prepended to keynumber IV WEP Encryption keynumber 24 8

© S T A K E, I N C.  ICV computed – 32-bit CRC of payload  One of four keys selected – 40-bits  IV selected – 24-bits, prepended to keynumber  IV+key used to encrypt payload+ICV IVKey ICVPayloadICVPayload RC4 WEP Encryption 64

© S T A K E, I N C.  ICV computed – 32-bit CRC of payload  One of four keys selected – 40-bits  IV selected – 24-bits, prepended to keynumber  IV+key used to encrypt payload+ICV  IV+keynumber prepended to encrypted payload+ICV ICVPayload IVkeynumberHeader WEP Encryption WEP Frame

© S T A K E, I N C.  Keynumber is used to select key WEP Decryption Key Keynumber Key 1 Key 2 Key 3 Key x 40

© S T A K E, I N C. WEP Decryption IVKey ICVPayloadICVPayload RC4 64  Keynumber is used to select key  ICV+key used to decrypt payload+ICV

© S T A K E, I N C. WEP Decryption CRC ICVPayload HeaderPayload ICV’  Keynumber is used to select key  ICV+key used to decrypt payload+ICV  ICV recomputed and compared against original 32

© S T A K E, I N C. WEP Authentication  Uses WEP encryption primitives –Nonce is generated and sent to client –Client encrypts nonce and sends it back –Server decrypts response and verifies that it is the same nonce.  Authentication is optional

© S T A K E, I N C. 128-bit Variant  Purpose – increase the encryption key size  Non-standard, but in wide use  IV and ICV set as before  104-bit key selected  IV+key concatenated to form 128-bit RC4 key IVKey ICVPayloadICVPayload RC bits

© S T A K E, I N C. WEP Keying  Keys are manually distributed  Keys are statically configured –Implications: often infrequently changed and easy to remember!  Four 40-bit keys (or one 104-bit key)  Key values can be directly set as hex data  Key generators provided for convenience –ASCII string is converted into keying material –Non-standard but in wide use –Different key generators for 64- and 128-bit

© S T A K E, I N C. Key Entry Example

© S T A K E, I N C. 64-bit key Generator MyP assp hras e seed PRNG 34f8a927 ee617bf7 aba e7a398 62c3f37f 6a8ea  Generates four 40-bit keys  ASCII string mapped to 32-bit value with XOR  Value used as seed to 32-bit linear congruential PRNG  40 values generated from PRNG, one byte taken from each 32-bit result 40 iterations 32 bits 40 x 32 bits

© S T A K E, I N C. 64-bit Generator Flawed!  Ideally should have at least 40-bits of entropy  Ke y entropy is reduced in several ways

© S T A K E, I N C. ASCII Mapping Reduces Entropy  ASCII string mapped to 32-bits  XOR operation guarantees four zero bits –Input is ASCII. High bit of each character is always zero –XOR of these high bits is also zero –Only seeds 00:00:00:00 through 7f:7f:7f:7f can occur MyP assp hras e 32 bits

© S T A K E, I N C. PRNG Use Reduces Entropy –For each 32-bit output, only bits 16 through 23 are used –Generator is a linear congruential generator modulo 2^32  Low bits are “less random” than higher bits  Bit 0 has a cycle length of 2^1, Bit 3 has a cycle length of 2^4, etc.. –The resultant bytes have a cycle length of 2^24 –Only seeds 00:00:00:00 through 00:ff:ff:ff result in unique keys! PRNG 34f8a927 ee617bf7 aba iterations 40 x 32 bits...

© S T A K E, I N C. Entropy of 64-bit Generator is 21-bits –The ASCII folding operation only generates seeds 00:00:00:00 through 7f:7f:7f:7f  High bit of each constituent byte is always zero –Only seeds 00:00:00:00 through ff:ff:ff:ff result in unique keys –Result: Only 2^21 unique keys generated!  Only need to consider seeds 00:00:00:00 through 00:7f:7f:7f with zero high bits

© S T A K E, I N C. 128-bit Generator  One 104-bit key is generated  ASCII string is extended to 64-bytes through repetition  MD5 of resulting 64-bytes is taken  104-bits of output selected  Key strength relies on the strength of MD5 and of the ASCII string My PassphraseMy Pass… MD5 032f6d8e8392……8df926a 64 bits 104 bits

© S T A K E, I N C. Designed and Implemented a WEP Cracker  Proof of concept: bells and whistles left out  Perform dictionary attack against WEP keys –Find keys generated from a dictionary word –Find keys that are ASCII words  Consider each of the four 64-bit WEP keys or the single 128-bit WEP key  Perform brute force of the weak 64-bit WEP generator  No support for other brute force attacks

© S T A K E, I N C. Structure of WEP Cracker  Packet collector  Guess Generator  Mapping guesses to WEP keys  Key verifier Guess Generator Packets Map To Keys Key Verifier Success?

© S T A K E, I N C. Packet Collector  Collect the appropriate packets needed for guess verification –Collects DATA packets –Two packets collected  Reads from pcap-format file –Simplifies design and allows for off-line cracking –Capture utilities such as PrismDump already output to this format

© S T A K E, I N C. Making Guesses  Dictionary attack –Read wordlist from file –Lots of room for improvement. For example, rule-based word generation.  Brute force of generator –Generate sequential PRNG seeds between 00:00:00:00 and 00:7f:7f:7f

© S T A K E, I N C. Mapping Guesses to Keys  Direct translation of ASCII to key bytes –Five ASCII bytes mapped to a single 64-bit WEP key –Thirteen ASCII bytes mapped to the 128-bit WEP key –Truncation of long words, zero-fill for short words  Use of the key generator functions –Map ASCII to keys with 64-bit generator –Map ASCII to keys with 128-bit generator –Map PRNG seeds to keys with 64-bit generator

© S T A K E, I N C. Key Verification  Authentication (Challenge/Response) packets –Easiest to verify  Challenge/Responds provides known plaintext –Not ideal - Infrequent and optional  Data packets –Verify that decrypted packets are well-formed –Verify that ICV is correct –Inexact: can result in false-positives  Verifying against several packets increases assurance

© S T A K E, I N C. ICV Verification  Get IV and keynumber from packet  Form RC4 key from IV+key[keynumber]  Decrypt payload+ICV  Recompute ICV and compare  Probability of false match is 2^-32 –Matching two packets gives high assurance

© S T A K E, I N C. Results  Proof of concept constructed –Dictionary attack on ASCII keys and 64- and 128-bit key generators –Brute force of 64-bit generator  Performance on PIII/500MHz laptop –Brute force of 64-bit generator in 35 seconds, 60,000 guesses/second –60,000 guesses/second against 64-bit ASCII keys –45,000 guesses/second against 128-bit generated keys –55,000 guesses/second against 128-bit ASCII keys

© S T A K E, I N C. Brute Force of Keys  Brute force of 40-bit keys is not practical –About 210 days on my laptop –~100 machines could perform attack in reasonable time –Better attacks exist  Brute force 104-bit keys is not feasible –10^19 years

© S T A K E, I N C. Implications  64-bit generator should not be used  If ASCII keys or generated keys are used, string should be well chosen –Use similar guidelines as when choosing a login password  Random 40-bit keys have reasonable strength  Well chosen 104-bit keys, generated or not, are strong

© S T A K E, I N C. Related work – Bad News  Ian Goldberg et al and Jesse Walker –WEP encryption is fundamentally flawed –Attack times on the order of a few days  Bill Arbaugh et al –WEP authentication can be performed without knowing the key –Extended Goldberg’s attacks against WEP encryption – easier to perform  Places upper limit on cracking efforts – 1-2 days

© S T A K E, I N C. That’s All Folks…   Source code provided on CD or at  Source code is Public Domain  Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.