Chalmers University of Technology Wireless security Breaking WEP and WPA
Chalmers University of Technology Wireless security - Why?
Chalmers University of Technology DEMO!
Chalmers University of Technology Wireless security timeline WEP introduced WPA introduced FMS attack on WEP ChopChop attack on WEP Fragmentation attack onWEP PTW attack on WEP Beck and Tews attack on WEP and WPA Message falsification attack on WPA Attack on TKIP WPA2 introduced
Chalmers University of Technology RC4 Was developed by Ron Rivest in 1987 “Rivest Cipher 4” Most widely used stream cipher Used in i.e. SSL, WEP, WPA and TLS Was secret until 1994 when it was leaked for i from 0 to 255 S[i] := i endfor l := keylength j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j]) endfor i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 256] endwhile
Chalmers University of Technology Key Scheduling Algorithm (KSA) Initializes the state Permutes array S based on key K Array S controls the secret state S is later used to generate stream for i from 0 to 255 S[i] := i endfor l := K.length j := 0 for i from 0 to 255 j := (j + S[i] + K[i mod l]) mod 256 swap(&S[i], &S[j]) endfor
Chalmers University of Technology KSA example S = K = for i from 0 to 7 j := (j + S[i] + K[i mod l]) mod 8 swap(&S[i],&S[j]) endfor i i j
Chalmers University of Technology Pseudo Random Generation Algorithm (PRGA) Generates a stream of pseudo random numbers The state array is updated each iteration i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j+S[i]) mod 256 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 256] endwhile
Chalmers University of Technology PRGA example S = i j while GeneratingOutput: i := (i + 1) mod 8 j := (j+S[i]) mod 8 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 8] endwhile 4731
Chalmers University of Technology Question What problem might we encounter if the same key is used to encrypt multiple messages?
Chalmers University of Technology Wired Equivalent Privacy (WEP) Introduced in November 1997 Comes in 64-bit and 128-bit strength Uses initialization vectors to deal with the problem of key reuse Not meant to be secure (!) Adds Integrity Control Value (ICV) to the message to verify its correctness
Chalmers University of Technology WEP Initialization Vector (IV) Prepended to the key Sent in plaintext along with the message Only 3 bytes – reused every 2 24 message Reduces key size by 24 bits (!) –64 bit = 40 bit –128 bit = 104 bit + = IV Key Dynamic key
Chalmers University of Technology Fluhrer, Mantin and Shamir attack Found a group of weak IV’s –IV’s with format X + 3 || 255 || Y –If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y –Same holds for respectively for 0 X 13 The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form
Chalmers University of Technology Example KSA Loop ijS[0]S[1]S[2]S[3]S[12] ?30 ?2 IV = [ 3, 255, 7 ]K = [ 3, 255, 7, ?, ?, ?, ?, ? ] 1.C[0] = 165 = 15 j = S[i] = S[1] = 0 3.S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0] 170 = 15 4.j = j + S[i] + K[i] = 12 + S[3] + K[3] = K[3] = 15 K[3] = 2
Chalmers University of Technology Statistics
Chalmers University of Technology Aircrack
Chalmers University of Technology Limitations Have to collect ~ packets to get enough IV’s Could take 2-4 weeks to collect Weak IV’s no longer used Have since then been optimized and new attacks have been found Can now be broken in less than 60 seconds
Chalmers University of Technology ChopChop attack Truncates the message by one byte and xor with X –If ICV control succeeds, the truncated byte is X P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) ) Decreases time of finding the key to ~30 minutes
Chalmers University of Technology Wi-fi Protected Access (WPA) Built around WEP to fix its flaws and provide backward compatibility Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems
Chalmers University of Technology Temporal Key Integrity Protocol (TKIP) Adds a new Message Integrity Check (MIC) generated using Michael algorithm Michael is insecure, but this was handled by countermeasures in TKIP Replay protection, slows down attacks but do not prevent them
Chalmers University of Technology Becks and Tews attack Attacks a TKIP A modified version of the ChopChop attack Truncates the message by one byte and xor last byte with X –If ICV control fails nothing happens, increment X –If ICV control succeeds, then MIC control will fail and an error message will be sent, the truncated byte is X Limited to networks with QoS enabled
Chalmers University of Technology Wireless security timeline WEP introduced WPA introduced FMS attack on WEP ChopChop attack on WEP Fragmentation attack onWEP PTW attack on WEP Beck and Tews attack on WEP and WPA Message falsification attack on WPA Attack on TKIP WPA2 introduced
Chalmers University of Technology Additional reading Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4 Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the b wired equivalent privacy protocol (WEP) Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds Beck, M., Tews, E.: Practical attacks against WEP and WPA Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP Ohigashi, T., Morii, M.: A practical message falsification attack on WPA