Intercepting Mobile Communications: The Insecurity of 802.11 Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.

Slides:



Advertisements
Similar presentations
1 Intercepting Mobile Communications: The Insecurity of …or “Why WEP Stinks” Dustin Christmann.
Advertisements

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.
Wireless Security David Wagner University of California, Berkeley.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
1 IEEE Network Security Rohit Tripathi Graduate Student. University of Southern California.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol WEP Dan Petro.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
IEEE Wireless Local Area Networks (WLAN’s).
Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
WLAN What is WLAN? Physical vs. Wireless LAN
Mobile and Wireless Communication Security By Jason Gratto.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
CSC-682 Advanced Computer Security
CWNA Guide to Wireless LANs, Second Edition Chapter Eight Wireless LAN Security and Vulnerabilities.
A History of WEP The Ups and Downs of Wireless Security.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Wireless Insecurity By: No’eau Kamakani Robert Whitmire.
1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.
Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Wireless Security Presented by: Amit Kumar Singh Instructor : Dr. T. Andrew Yang.
NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)
WEP Protocol Weaknesses and Vulnerabilities
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
Class 5 Channels and Preview CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Network Security David Lazăr.
Wired Equivalent Privacy (WEP): The first ‘confidentiality’ algorithm for the wireless IEEE standard. PRESENTED BY: Samuel Grush and Barry Preston.
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
Intercepting Mobiles Communications: The Insecurity of ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
WEP – Wireless Encryption Protocol A. Gabriel W. Daleson CS 610 – Advanced Security Portland State University.
Encryption Protocols used in Wireless Networks Derrick Grooms.
1 Wireless Threats 1 – Cracking WEP Cracking WEP in Chapter 5 of Wireless Maximum Security by Peikari, C. and Fogie, S.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
How To Not Make a Secure Protocol WEP Dan Petro.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Doc.: IEEE /230 Submission May 2001 William Arbaugh, University of MarylandSlide 1 An Inductive Chosen Plaintext Attack against WEP/WEP2 William.
WLAN Security1 Security of WLAN Máté Szalay
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Wireless Security Ian Bodley.
ANALYSIS OF WIRED EQUIVALENT PRIVACY
Wireless Networks - Energy, Security
Wireless Privacy: Analysis of Security
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
An Inductive Chosen Plaintext Attack against WEP/WEP2
Security Issues with Wireless Protocols
Intercepting Mobile Communications: The Insecurity of
Presentation transcript:

Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented by Presented by Kunjan Naik Kunjan Naik

Agenda Introduction Introduction WEP protocol Brief description Security goals WEP protocol Brief description Security goals Keystream reuse attacks Keystream reuse attacks Attacks involving message authentication Attacks involving message authentication Countermeasures Countermeasures Conclusion Conclusion

Typical Scenario Ad-Hoc Network Infrastructure Network

WEP Protocol Wired Equivalent Privacy Wired Equivalent Privacy Link Layer Security Protocol Link Layer Security Protocol Goals : Confidentiality : Protection against eavesdropping Access Control : Restrict accessibility Data Integrity : Correctness of data Goals : Confidentiality : Protection against eavesdropping Access Control : Restrict accessibility Data Integrity : Correctness of data

RC4 and Stream Ciphers RC4 and Stream Ciphers RC4 encryption is Vernam Cipher RC4 encryption is Vernam Cipher RC4 is a stream cipher RC4 is a stream cipher Generates pseudo random keystream from the key( IV || Key) Generates pseudo random keystream from the key( IV || Key) Encryption key Pseudo-random number generator Plain text data byte Cipher text byte

WEP Protocol WEP Protocol Mobile station shares key with Access Point Mobile station shares key with Access Point Transmitting a message M Compute checksum of M and append it to M Generate keystream using RC4(IV,Key) Xor with keystream Transmit IV and cipher text Transmitting a message M Compute checksum of M and append it to M Generate keystream using RC4(IV,Key) Xor with keystream Transmit IV and cipher text Upon receiving Reverse steps Upon receiving Reverse steps

Packet Format and Encapsulation Encryption Algorithm = RC4 Encryption Algorithm = RC4 Key length = 40. IV length = 24 Key length = 40. IV length = 24 C = RC4(IV,K) xor C = RC4(IV,K) xor MessageCRC Keystream = RC(IV,k) Cipher TextIV XOR

WEP Authentication Authentication key distributed out-of-band Authentication key distributed out-of-band Access Point generates a “randomly generated” challenge Access Point generates a “randomly generated” challenge Station encrypts challenge using pre-shared secret Station encrypts challenge using pre-shared secret Denial of service attack Denial of service attack Shared secret distributed out of band Challenge (Nonce) Response (Nonce RC4 encrypted under shared key) Decrypted nonce OK?

So What are the Problems? Shared key mechanism Same shared key in the network Shared key mechanism Same shared key in the network Attacks based on Keystream Reuse IV collision Attacks based on Keystream Reuse IV collision Decryption Dictionaries Decryption Dictionaries Message modification Message modification Message injection. Message injection.

Shared key mechanism Single key or array of shared keys between all mobile stations in the network Single key or array of shared keys between all mobile stations in the network key length is just 40 bits. key length is just 40 bits. Key management is a misnomer Key management is a misnomer Shared keys changes rarely. Shared keys changes rarely. Chances of IV collision proportional to number of users. Chances of IV collision proportional to number of users.

IV Collision P1 and P2 packets with same IV P1 and P2 packets with same IV C1 = P1 xor RC4(IV,Shared Key) C1 = P1 xor RC4(IV,Shared Key) C2 = P2 xor RC4(IV,Shared Key) C2 = P2 xor RC4(IV,Shared Key) C1 xor C2 = P1 xor P2 C1 xor C2 = P1 xor P2 Attacker knows the Xor of two plaintexts Attacker knows the Xor of two plaintexts Given P1 or P2 easy to find other Given P1 or P2 easy to find other More packets with same IV : More easier More packets with same IV : More easier Dragging cribs, frequency analysis methods Dragging cribs, frequency analysis methods

Key Reuse Shared key same in both directions Shared key same in both directions Keystream depends on IV as Key is fixed Keystream depends on IV as Key is fixed IV included in unencrypted portion of message IV included in unencrypted portion of message IV reset to 0 when initialized IV reset to 0 when initialized Easy to find collisions Easy to find collisions After 16 million packets ( worst case ) IV repeats After 16 million packets ( worst case ) IV repeats

How to find keystream reuse? IV space - 2^24 possibilities IV space - 2^24 possibilities Collision after few minutes on a busy AP Collision after few minutes on a busy AP WEP standard recommends IV to be changed (but does not require) per packet WEP standard recommends IV to be changed (but does not require) per packet More so, IV set to 0 when re-initialized More so, IV set to 0 when re-initialized Finding keystream reuse is therefore easy Finding keystream reuse is therefore easy

How to get plaintext? IP traffic predictable - well defined structures and message content IP traffic predictable - well defined structures and message content Login sequences and Welcome messages Login sequences and Welcome messages Sniffing Authentication challenge - plain and cipher text both Sniffing Authentication challenge - plain and cipher text both Sending packets from outside - ping Sending packets from outside - ping Broadcast packets in both encrypted and unencrypted form - for some implementations Broadcast packets in both encrypted and unencrypted form - for some implementations

Attack from both ends Internet Attacker AP Attacker MS Attacker sends data AP encrypts plaintext data

Attack from both sides cont’d Attacker will send packets from internet to mobile station and AP will encrypt them for attacker Attacker will send packets from internet to mobile station and AP will encrypt them for attacker Flip bits to change destination address to host we control - IP checksum needs to be modified Flip bits to change destination address to host we control - IP checksum needs to be modified Sufficient number of packets with different IV’s will enable the attacker to build a decryption dictionary Sufficient number of packets with different IV’s will enable the attacker to build a decryption dictionary

Decryption Dictionaries Xoring cipher text and plain text gives keystream Xoring cipher text and plain text gives keystream Store one to one mapping of IV to RC4(IV,Key) Store one to one mapping of IV to RC4(IV,Key) Xor any packet with corresponding IV and read data Xor any packet with corresponding IV and read data Number of entries in table 2^24 Number of entries in table 2^ bytes per packet - 24 GB 1500 bytes per packet - 24 GB Independent of key size - depends on IV only. Independent of key size - depends on IV only. Building table ensures immediate decryption Building table ensures immediate decryption

Message Authentication CRC checksum for data integrity CRC checksum for data integrity CRC resilient against random errors and not malicious attacks CRC resilient against random errors and not malicious attacks CRC is independent of IV and key CRC is independent of IV and key CRC and RC4 are linear CRC and RC4 are linear CRC(X xor Y) = CRC(X) xor CRC(Y) CRC(X xor Y) = CRC(X) xor CRC(Y) So, changing bits in packet is easy So, changing bits in packet is easy

Message modification C = RC4(IV,K) * {M,C(M)} C = RC4(IV,K) * {M,C(M)} Let M’ = M * D Let M’ = M * D D is arbitrarily chosen and * => xor D is arbitrarily chosen and * => xor C’ = C * { D, C(D) } RC4(IV,K) * {M,C(M)} * {D,C(D)} RC4(IV,K) * {M * D,C(M) * C(D)} RC4(IV,K) * {M * D,C(M * D)} RC4(IV,K) * {M’, C(M’)} C’ = C * { D, C(D) } RC4(IV,K) * {M,C(M)} * {D,C(D)} RC4(IV,K) * {M * D,C(M) * C(D)} RC4(IV,K) * {M * D,C(M * D)} RC4(IV,K) * {M’, C(M’)} Effectively Attacker does C’ = C * {D, C(D)} Effectively Attacker does C’ = C * {D, C(D)}

Message Injection Attacker needs plain text and cipher text Attacker needs plain text and cipher text Attacker has fake message F and computes C(F) Attacker has fake message F and computes C(F) Computes C’ = {F,C(F)} xor RC4(VI,key) Computes C’ = {F,C(F)} xor RC4(VI,key) Transmits (VI, C’) Transmits (VI, C’) Reuse old IV’s and circumvent access control Reuse old IV’s and circumvent access control Attacker can authenticate himself using message injection Attacker can authenticate himself using message injection

Message Decryption IP redirection - Send encrypted packet to host on the internet ; IP checksum and firewall issues IP redirection - Send encrypted packet to host on the internet ; IP checksum and firewall issues Reaction attacks - TCP packets will be dropped for incorrect checksum and TCP ack for the correct packets. Modify packet and check recipients reaction Reaction attacks - TCP packets will be dropped for incorrect checksum and TCP ack for the correct packets. Modify packet and check recipients reaction

Attack Practicality Use off the shelf wireless card and software radio Use off the shelf wireless card and software radio Sit outside competitor’s office and sniff packets Sit outside competitor’s office and sniff packets Reverse engineer firmware to inject packets Reverse engineer firmware to inject packets Dictionaries - Has to be done once Dictionaries - Has to be done once

Countermeasures Data encryption is not enough - access control through data authentication is must Data encryption is not enough - access control through data authentication is must Use block ciphers Use block ciphers Increase key length Increase key length Make checksum keyed function of message Make checksum keyed function of message Put wireless network outside firewall -treat it as public network Put wireless network outside firewall -treat it as public network

Conclusion Public review is essential Public review is essential All three goals Confidentiality - Attacker can read traffic Access Control - Attacker can inject traffic Data Integrity - Attacker can modify traffic All three goals Confidentiality - Attacker can read traffic Access Control - Attacker can inject traffic Data Integrity - Attacker can modify traffic Use VPN, IPSec, SSH along with WEP Use VPN, IPSec, SSH along with WEP ESN is supposed to solve all problems ESN is supposed to solve all problems