Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.

Similar presentations


Presentation on theme: "Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003."— Presentation transcript:

1 Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003

2 Wireless LAN Security2 Threats against WLANS Same threats as against wired LANs (eavesdropping, message modification, unauthorized access, denial of service) Access to shared medium is easy Dangerous configuration of WLANS

3 Wireless LAN Security3

4 4 Threats against WLANS (2) Finding WLANs is easy Wardriving: search for access points and publishing unprotected WLANs

5 Wireless LAN Security5

6 6 IEEE 802.11 Actual version 802.11b Layer 2 standard Peer-to-peer / via access point Similar to 802.3 (Ethernet) Open System Authentication Shared Key Authentication Wired Equivalent Privacy

7 Wireless LAN Security7 Wired Equivalent Privacy (WEP) Should provide an equivalent level of access control and protection of data on the WLAN as in wired networks Main security goals: confidentiality, access control, data integrity

8 Wireless LAN Security8 How does a stream cipher work? Keystream Generator Keystream Generator EncryptDecrypt Plaintext Ciphertext Keystream IV+Key IV: Initialization vector

9 Wireless LAN Security9 Encryption with WEP MessageCRC Keystream = RC4(v, k) IVCiphertext XOR Plaintext Transmitted data

10 Wireless LAN Security10 Encryption with WEP RC4 used with 40-bit key „128-bit“ implementation Per-packet 24-bit IV WEP allows re-use of IV 32-bit CRC is a linear function of the message and does not depend on the key

11 Wireless LAN Security11 Shared Key Authentication Mobile stationAccess point Challenge (Nonce) Response (Nonce encrypted with shared key) Shared key distribution Decrypted Nonce OK?

12 Wireless LAN Security12 The risks of keystream reuse C: Ciphertext P: Plaintext v: Initialization Vector k: Secret key Notation: If C 1 = P 1  RC4(v, k) and C 2 = P 2  RC4(v, k) then C 1  C 2 = (P 1  RC4(v, k))  (P 2  RC4(v, k)) = P 1  P 2

13 Wireless LAN Security13 The risk of keystream reuse (2) WEP uses per-packet IV to prevent these attacks Change of IV after every packet recommended (not required!) 24-bit IV nearly guaranteeing the same IV to be reused for multiple messages Bad handling of IV selection in some implementations

14 Wireless LAN Security14 Exploiting keystream reuse Find two packets, encrypted with same IV (Birthday paradoxon: 50% chance of a collision after only 4823 packets) Plaintext of one of the messages has to be known Provoke known plaintext to be transmitted Decryption dictionaries

15 Wireless LAN Security15 Message modification WEP checksum is a linear function Scenario: we have intercepted a message Is it possible to find a new ciphertext C‘ that decrypts to M‘, where M‘ = M   ? (  arbitrarily chosen) CRC(x  y) = CRC(x)  CRC(y) C = RC4(v, k) 

16 Wireless LAN Security16 Message modification (2) How to get C‘ from C C = RC4(v, k)  M‘ = M   C‘ = C  = RC4(v, k)   = RC4(v, k) 

17 Wireless LAN Security17 Authentication spoofing Observe an legitimate authentication sequence Known plaintext/ciphertext pair enables us to derive the used keystream: RC4(v, k) = C  P Use keystream to encrypt any subsequent challenge Authentication is possible without knowledge of the key

18 Wireless LAN Security18 Decryption via IP redirection Idea: sniff a encrypted packet, modify the destination IP address, send it to the WEP access point → AP will send us the decrypted packet Figuring out what the original IP address was is easy New checksum has to be correct

19 Wireless LAN Security19 Weaknesses in the key scheduling algorithm of RC4 Certain IVs sets the RC4 pseudorandom- generator to a state, in which the first word of output reveals one byte of the key. Improperly use of RC4 (as in WEP) allows an attacker to recover the secret key by observation of traffic This attack is implemented in publicly available tools as AirSnort or WEPCrack

20 Wireless LAN Security20 IEEE 802.11 in the future 802.11X as an enhancement of the today‘s standard Features: authentication via an authentication server, use of digital certificates, dynamic distribution of keys New IEEE standard 802.11i will include 802.11X and strong encryption (AES)

21 Wireless LAN Security21 Solutions for today‘s WLANs Treat link layer as insecure Usage of higher level security protocols (IPsec, SSL, SSH) Access points outside the firewall

22 Wireless LAN Security22 References [1] Nikita Borisov, Ian Goldberg, David Wagner: Intercepting Mobile Communications: The Insecurity of 802.11, In Proceedings of 7th International Conference on Mobile Computing and Networking 2001 (Mobicom 2001).Intercepting Mobile Communications: The Insecurity of 802.11, [2] Bill Arbaugh's Web Page über viele bekannte Sicherheitsschwächen von 802.11.Web Page [3] Scott Fluhrer, Martin Itsik, Adi Shamir: Weaknesses in the Key Scheduling Algorithm of RC4.In Proceedings of 8th Annual Workshop on Selected Areas in Cryptography (August 2001).Weaknesses in the Key Scheduling Algorithm of RC4 [4] Adam Stubblefield, John Ioannidis, Aviel Rubin: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. AT&T Labs Technical Report TD-4ZCPZZ, Revision 2, August 21, 2001.Using the Fluhrer, Mantin, and Shamir Attack [5] William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan: Your 802.11 Wireless Network has No Clothes. Department of Computer Science, University of Maryland, College Park, Maryland 20742, March 30, 2001


Download ppt "Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003."

Similar presentations


Ads by Google