How To Not Make a Secure Protocol WEP Dan Petro

What is WEP? Wired Equivalent Privacy Wireless LAN security protocol  Uses IEEE a,b,g, and n Provides certain security services Originally 64 bits, but has been extended to 128 bits and even 256 bits Easily broken Why? And How?  Fundamentally poor design choices

How does WEP work? It works like a One Time Pad Keystream is pseudorandom XOR'd with plaintext Perfectly secret ciphertext Right? What's the worst that could happen?

Design Goals of WEP Confidentiality  RC4 cipher and XOR operation Integrity  CRC of message inside plaintext Authentication?!* Availability?!

Keys Not one, but two keys.  Primary Master Key or just “key” (Secret)  Initialization Vector (Well known) Key = 40 bits IV = 24 bits  Total = 64 bits

Failure #1 ONE TIME Pad  You must never use the same key(stream) twice. In WEP, Key = PMK + IV  IV changes for each message  If an IV is ever used twice, the same keystream will be used twice IV is only 24 bits  Birthday Attack = collision every 5,000 frames.

Failure #1 What's the harm?  Cipher1 = Plaintext1 ⊕  Keystream  Cipher2 = Plaintext2 ⊕  Keystream You now know Plaintext1 ⊕  Plaintext2  If you happen to know one of the plaintexts, then you can decrypt any new ciphertext that uses the same Keystream  Full and partial knowledge No diffusion! Even worse: WEP does not specify how to select IV's.

Failure #2 Integrity Failure  Linear CRC is used for Integrity.  Not a Cryptographically Secure Hash Function Linear means distributive  CRC(a) xor CRC(b) Equals  CRC(a xor b)

Failure #2 Arbitrary packet forgery!  Even with partial knowledge. IP Redirection Attack  Change every IP address to that of the attacker outside the network.

Failure #3 Authentication  Challenge & Response 1) Client sends request to router. 2) Router sends random 128 byte string to client in plaintext 3) Client sends back the same string, encypted with the Key 4) Server decrypts message, and verifies that the contents match the string sent.

Failure #3 But we can change the contents of any message, remember? Obverse one valid authentication. Now just change the contents of this captured response to be the random string you need! Easy as that, now you're authenticated. This is actually worse than no authentication!

Failure #4 Getting a “Known Plaintext Attack”  WEP does not mask the size of frames  You can see exactly how long each message is. Mix that with TCP/IP, and you get a known plaintext attack ARP messages are very short, and of known length. (28 bytes + some plaintext headers)  The vast majority of routers send gratuitous ARP messages constantly

Failure #4 1/2 ARP Replay Attack  ARP is stateless  One ARP packet read can be replayed over and over  Hosts will respond with fresh traffic as responses  Allows for an arbitrary amount of traffic to be generated in use with other attacks.  Upgrade the attack to “Chosen Plaintext”

Failure #5 The Cafe Latte Attack  No authentication Clients keep a list of favorite AP's  One's they've used before When powering on, they try to connect to those AP's Stimulate traffic from client, crack key

Failure #5 1/2 Rouge AP's WEP network with SSID “Protected” Attacker makes another AP with the same SSID Victim connects to the wrong AP Now you have a Man- in-the-Middle

Failure #6 If the PMK is known, all bets are off  WEP does not specify how PMKs are chosen or exchanged. It's a standard “Shared Secret” problem!  Social Engineering Use a Rouge AP  Dictionary attacks  Out of Band attacks Does your company have a piece of paper with the key laying around? It probably does.

Failure #7 Denial of Service Firstly, it is legal to jam 2.4GHz signals  Just not cell phones!  Wifi is naturally vulnerable to this But not Bluetooth! Associate / Disassociate Packets are unencrypted If there is a single malicious user on your network, he can bring the whole thing down  ARP Cache Poisoning  DOSS (Denial of Service... with Style)

Failure #7 1/2 Airpwn  First “displayed” at Defcon 12 Intercepts data just like with a Rouge AP Responds to HTTP traffic before the real web server can Result?  Anything you want!

The Breaks What really breaks WEP is RC4 Fluhrer, Mantin and Shamir attack  Discovered that the first few bytes produced is highly non-random Andreas Klein  Even more correlations between key and keystream found Tews, Weinmann, and Pyshkin. (PTW)  Built upon Klein's analysis and built Aircrack- ptw  (Now Aircrack-ng)

References and links Intercepting Mobile Communications: The Insecurity of  om.pdf om.pdf Wikipedia  Privacy Privacy Weaknesses in the Key Scheduling Algorithm of RC4  roc.pdf roc.pdf Any copyrights applicable to these slides including images are copylefted under the GLP v3