WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

Slides:



Advertisements
Similar presentations
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Advertisements

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
IPsec Internet Headquarters Branch Office SA R1 R2
1 MD5 Cracking One way hash. Used in online passwords and file verification.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol WEP Dan Petro.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
& WEP Tzachy Reinman System and Network Security Course
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
IEEE Wireless Local Area Networks (WLAN’s).
The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
WLAN What is WLAN? Physical vs. Wireless LAN
Mobile and Wireless Communication Security By Jason Gratto.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized.
A History of WEP The Ups and Downs of Wireless Security.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
13-1 Last time Security in Networks Network Security Controls Firewalls Honeypots Intrusion Detection Systems.
Wireless Insecurity By: No’eau Kamakani Robert Whitmire.
Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.
Wireless Security Presented by: Amit Kumar Singh Instructor : Dr. T. Andrew Yang.
Stream Cipher July 2011.
NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
WEP, WPA, and EAP Drew Kalina. Overview  Wired Equivalent Privacy (WEP)  Wi-Fi Protected Access (WPA)  Extensible Authentication Protocol (EAP)
WEP Case Study Information Assurance Fall or Wi-Fi IEEE standard for wireless communication –Operates at the physical/data link layer –Operates.
Wired Equivalent Privacy (WEP): The first ‘confidentiality’ algorithm for the wireless IEEE standard. PRESENTED BY: Samuel Grush and Barry Preston.
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
Intercepting Mobiles Communications: The Insecurity of ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University.
Encryption Protocols used in Wireless Networks Derrick Grooms.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Slide 1 Vitaly Shmatikov CS 378 (In)Security of b.
Wireless Security John Himmelein Erick Andrew Christian Adam Varun Bapna.
How To Not Make a Secure Protocol WEP Dan Petro.
802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Doc.: IEEE /230 Submission May 2001 William Arbaugh, University of MarylandSlide 1 An Inductive Chosen Plaintext Attack against WEP/WEP2 William.
WLAN Security1 Security of WLAN Máté Szalay
Slide 1 Vitaly Shmatikov CS 378 Stream Ciphers. slide 2 Stream Ciphers uRemember one-time pad? Ciphertext(Key,Message)=Message  Key Key must be a random.
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
1. Introduction In this presentation, we will review ,802.1x and give their drawbacks, and then we will propose the use of a central manager to replace.
WEP & WPA Mandy Kershishnik.
Wireless Security Ian Bodley.
ANALYSIS OF WIRED EQUIVALENT PRIVACY
Cryptography Lecture 16.
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
An Inductive Chosen Plaintext Attack against WEP/WEP2
RC4 RC
Inaugural meeting (for Hasheem: that means ‘the first meeting’
Intercepting Mobile Communications: The Insecurity of
Presentation transcript:

WEP 1 WEP

WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum: o “The standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see.”

WEP 3 WEP Authentication Protocol  Bob is wireless access point  Key K shared by access point and all users o Key K seldom (if ever) changes  WEP: the swiss cheese of security protocols Alice, K Bob, K Authentication Request R E(R, K)

WEP 4 WEP  Wired Equivalent Privacy  WEP uses RC4 cipher for confidentiality o RC4 is considered a strong cipher o But WEP introduces a subtle flaw  WEP uses CRC for “integrity” o Should have used a MAC or HMAC instead o CRC is for error detection, not crypto integrity

WEP 5 WEP Integrity Problems  WEP “integrity” provides no integrity o CRC is linear, so is stream cipher (XOR) o Trudy can change ciphertext and CRC so that checksum remains correct o Then Trudy’s introduced errors go undetected o Requires no knowledge of the plaintext!  CRC does not provide a cryptographic integrity check! o CRC designed to detect random errors o Not designed to detect intelligent changes

WEP 6 WEP Integrity Problems  Suppose Trudy knows destination IP  Trudy also knows keystream used to encrypt IP address, since… o … C = destination IP address  keystream  Then Trudy can replace C with… o … C = Trudy’s IP address  keystream  And change the CRC so no error detected! o Then what happens??  Big problems when integrity fails…

WEP 7 WEP Key  Recall WEP uses a long-term secret key: K  RC4 is a stream cipher, so each packet must be encrypted using a different key o Initialization Vector ( IV ) sent with packet o Sent in the clear, that is, IV is not secret o Note: IV similar to “MI” in WWII ciphers  Actual RC4 key for packet is (IV,K) o That is, IV is pre-pended to long-term key K

WEP 8 WEP Encryption  K IV is the RC4 key, (IV,K) o That is, RC4 key is K with 3-byte IV pre-pended  Note that the IV is known to Trudy Alice, K Bob, K IV, E(packet,K IV )

WEP 9 WEP IV has Issues  WEP uses 24-bit (3 byte) IV o Each packet gets a new IV o Key: IV pre-pended to long-term key, K  Long term key K seldom changes  If long-term key and IV are same, then same keystream is used o This is bad bad, really really bad! o Why?

WEP 10 WEP IV has Issues  Assume 1500 byte packets, 11 Mbps link  Suppose IVs generated in sequence o Since 1500  8/(11  10 6 )  2 24 = 18,000 seconds… o …an IV must repeat in about 5 hours  Suppose IV s generated at random o By birthday problem, some IV repeats in seconds  Again, repeated IV (with same K ) is bad!

WEP 11 Another Active Attack  Suppose Trudy can insert traffic and observe corresponding ciphertext o Then she knows the keystream for some IV o She can decrypt any packet(s) that uses that IV  If Trudy does this many times, she can decrypt data for lots of IV s o Remember, IV is sent in the clear  Is such an attack feasible?

WEP 12 WEP Cryptanalytic Attack  WEP data encrypted using RC4 o Packet key is IV and long-term key K o 3-byte IV is pre-pended to K o Packet key is (IV,K)  Recall IV is sent in the clear (not secret) o New IV sent with every packet o Long-term key K seldom changes (maybe never)  So Trudy always knows IV s and ciphertext o Trudy wants to find the key K

WEP 13 RC4 in WEP  3-byte IV pre-pended to key  Denote the RC4 key bytes… o …as K 0,K 1,K 2,K 3,K 4,K 5, … o Where IV = ( K 0,K 1,K 2 ), which Trudy knows o Trudy wants to find K 3,K 4,K 5, …  Given enough IV s, Trudy can find key K o Regardless of the length of the key! o Provided Trudy knows first keystream byte o Known plaintext attack (1st byte of each packet) o Prevent by discarding first 256 keystream bytes

WEP 14 WEP Conclusions  Many attacks are practical!  Attacks can be used to recover keys and break real WEP traffic  How to prevent WEP attacks? o Don’t use WEP  How to make WEP a little better? o Restrict MAC addresses, don’t broadcast ID, …