Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented by Presented by Kunjan Naik Kunjan Naik

Agenda Introduction Introduction WEP protocol Brief description Security goals WEP protocol Brief description Security goals Keystream reuse attacks Keystream reuse attacks Attacks involving message authentication Attacks involving message authentication Countermeasures Countermeasures Conclusion Conclusion

Typical Scenario Ad-Hoc Network Infrastructure Network

WEP Protocol Wired Equivalent Privacy Wired Equivalent Privacy Link Layer Security Protocol Link Layer Security Protocol Goals : Confidentiality : Protection against eavesdropping Access Control : Restrict accessibility Data Integrity : Correctness of data Goals : Confidentiality : Protection against eavesdropping Access Control : Restrict accessibility Data Integrity : Correctness of data

RC4 and Stream Ciphers RC4 and Stream Ciphers RC4 encryption is Vernam Cipher RC4 encryption is Vernam Cipher RC4 is a stream cipher RC4 is a stream cipher Generates pseudo random keystream from the key( IV || Key) Generates pseudo random keystream from the key( IV || Key) Encryption key Pseudo-random number generator Plain text data byte Cipher text byte

WEP Protocol WEP Protocol Mobile station shares key with Access Point Mobile station shares key with Access Point Transmitting a message M Compute checksum of M and append it to M Generate keystream using RC4(IV,Key) Xor with keystream Transmit IV and cipher text Transmitting a message M Compute checksum of M and append it to M Generate keystream using RC4(IV,Key) Xor with keystream Transmit IV and cipher text Upon receiving Reverse steps Upon receiving Reverse steps

Packet Format and Encapsulation Encryption Algorithm = RC4 Encryption Algorithm = RC4 Key length = 40. IV length = 24 Key length = 40. IV length = 24 C = RC4(IV,K) xor C = RC4(IV,K) xor MessageCRC Keystream = RC(IV,k) Cipher TextIV XOR

WEP Authentication Authentication key distributed out-of-band Authentication key distributed out-of-band Access Point generates a “randomly generated” challenge Access Point generates a “randomly generated” challenge Station encrypts challenge using pre-shared secret Station encrypts challenge using pre-shared secret Denial of service attack Denial of service attack Shared secret distributed out of band Challenge (Nonce) Response (Nonce RC4 encrypted under shared key) Decrypted nonce OK?

So What are the Problems? Shared key mechanism Same shared key in the network Shared key mechanism Same shared key in the network Attacks based on Keystream Reuse IV collision Attacks based on Keystream Reuse IV collision Decryption Dictionaries Decryption Dictionaries Message modification Message modification Message injection. Message injection.

Shared key mechanism Single key or array of shared keys between all mobile stations in the network Single key or array of shared keys between all mobile stations in the network key length is just 40 bits. key length is just 40 bits. Key management is a misnomer Key management is a misnomer Shared keys changes rarely. Shared keys changes rarely. Chances of IV collision proportional to number of users. Chances of IV collision proportional to number of users.

IV Collision P1 and P2 packets with same IV P1 and P2 packets with same IV C1 = P1 xor RC4(IV,Shared Key) C1 = P1 xor RC4(IV,Shared Key) C2 = P2 xor RC4(IV,Shared Key) C2 = P2 xor RC4(IV,Shared Key) C1 xor C2 = P1 xor P2 C1 xor C2 = P1 xor P2 Attacker knows the Xor of two plaintexts Attacker knows the Xor of two plaintexts Given P1 or P2 easy to find other Given P1 or P2 easy to find other More packets with same IV : More easier More packets with same IV : More easier Dragging cribs, frequency analysis methods Dragging cribs, frequency analysis methods

Key Reuse Shared key same in both directions Shared key same in both directions Keystream depends on IV as Key is fixed Keystream depends on IV as Key is fixed IV included in unencrypted portion of message IV included in unencrypted portion of message IV reset to 0 when initialized IV reset to 0 when initialized Easy to find collisions Easy to find collisions After 16 million packets ( worst case ) IV repeats After 16 million packets ( worst case ) IV repeats

How to find keystream reuse? IV space - 2^24 possibilities IV space - 2^24 possibilities Collision after few minutes on a busy AP Collision after few minutes on a busy AP WEP standard recommends IV to be changed (but does not require) per packet WEP standard recommends IV to be changed (but does not require) per packet More so, IV set to 0 when re-initialized More so, IV set to 0 when re-initialized Finding keystream reuse is therefore easy Finding keystream reuse is therefore easy

How to get plaintext? IP traffic predictable - well defined structures and message content IP traffic predictable - well defined structures and message content Login sequences and Welcome messages Login sequences and Welcome messages Sniffing Authentication challenge - plain and cipher text both Sniffing Authentication challenge - plain and cipher text both Sending packets from outside - ping Sending packets from outside - ping Broadcast packets in both encrypted and unencrypted form - for some implementations Broadcast packets in both encrypted and unencrypted form - for some implementations

Attack from both ends Internet Attacker AP Attacker MS Attacker sends data AP encrypts plaintext data

Attack from both sides cont’d Attacker will send packets from internet to mobile station and AP will encrypt them for attacker Attacker will send packets from internet to mobile station and AP will encrypt them for attacker Flip bits to change destination address to host we control - IP checksum needs to be modified Flip bits to change destination address to host we control - IP checksum needs to be modified Sufficient number of packets with different IV’s will enable the attacker to build a decryption dictionary Sufficient number of packets with different IV’s will enable the attacker to build a decryption dictionary

Decryption Dictionaries Xoring cipher text and plain text gives keystream Xoring cipher text and plain text gives keystream Store one to one mapping of IV to RC4(IV,Key) Store one to one mapping of IV to RC4(IV,Key) Xor any packet with corresponding IV and read data Xor any packet with corresponding IV and read data Number of entries in table 2^24 Number of entries in table 2^ bytes per packet - 24 GB 1500 bytes per packet - 24 GB Independent of key size - depends on IV only. Independent of key size - depends on IV only. Building table ensures immediate decryption Building table ensures immediate decryption

Message Authentication CRC checksum for data integrity CRC checksum for data integrity CRC resilient against random errors and not malicious attacks CRC resilient against random errors and not malicious attacks CRC is independent of IV and key CRC is independent of IV and key CRC and RC4 are linear CRC and RC4 are linear CRC(X xor Y) = CRC(X) xor CRC(Y) CRC(X xor Y) = CRC(X) xor CRC(Y) So, changing bits in packet is easy So, changing bits in packet is easy

Message modification C = RC4(IV,K) * {M,C(M)} C = RC4(IV,K) * {M,C(M)} Let M’ = M * D Let M’ = M * D D is arbitrarily chosen and * => xor D is arbitrarily chosen and * => xor C’ = C * { D, C(D) } RC4(IV,K) * {M,C(M)} * {D,C(D)} RC4(IV,K) * {M * D,C(M) * C(D)} RC4(IV,K) * {M * D,C(M * D)} RC4(IV,K) * {M’, C(M’)} C’ = C * { D, C(D) } RC4(IV,K) * {M,C(M)} * {D,C(D)} RC4(IV,K) * {M * D,C(M) * C(D)} RC4(IV,K) * {M * D,C(M * D)} RC4(IV,K) * {M’, C(M’)} Effectively Attacker does C’ = C * {D, C(D)} Effectively Attacker does C’ = C * {D, C(D)}

Message Injection Attacker needs plain text and cipher text Attacker needs plain text and cipher text Attacker has fake message F and computes C(F) Attacker has fake message F and computes C(F) Computes C’ = {F,C(F)} xor RC4(VI,key) Computes C’ = {F,C(F)} xor RC4(VI,key) Transmits (VI, C’) Transmits (VI, C’) Reuse old IV’s and circumvent access control Reuse old IV’s and circumvent access control Attacker can authenticate himself using message injection Attacker can authenticate himself using message injection

Message Decryption IP redirection - Send encrypted packet to host on the internet ; IP checksum and firewall issues IP redirection - Send encrypted packet to host on the internet ; IP checksum and firewall issues Reaction attacks - TCP packets will be dropped for incorrect checksum and TCP ack for the correct packets. Modify packet and check recipients reaction Reaction attacks - TCP packets will be dropped for incorrect checksum and TCP ack for the correct packets. Modify packet and check recipients reaction

Attack Practicality Use off the shelf wireless card and software radio Use off the shelf wireless card and software radio Sit outside competitor’s office and sniff packets Sit outside competitor’s office and sniff packets Reverse engineer firmware to inject packets Reverse engineer firmware to inject packets Dictionaries - Has to be done once Dictionaries - Has to be done once

Countermeasures Data encryption is not enough - access control through data authentication is must Data encryption is not enough - access control through data authentication is must Use block ciphers Use block ciphers Increase key length Increase key length Make checksum keyed function of message Make checksum keyed function of message Put wireless network outside firewall -treat it as public network Put wireless network outside firewall -treat it as public network

Conclusion Public review is essential Public review is essential All three goals Confidentiality - Attacker can read traffic Access Control - Attacker can inject traffic Data Integrity - Attacker can modify traffic All three goals Confidentiality - Attacker can read traffic Access Control - Attacker can inject traffic Data Integrity - Attacker can modify traffic Use VPN, IPSec, SSH along with WEP Use VPN, IPSec, SSH along with WEP ESN is supposed to solve all problems ESN is supposed to solve all problems