Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.

Published byBonnie Eaton Modified over 8 years ago

Similar presentations

Presentation on theme: "Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003."— Presentation transcript:

1 Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003

2 Wireless LAN Security2 Threats against WLANS Same threats as against wired LANs (eavesdropping, message modification, unauthorized access, denial of service) Access to shared medium is easy Dangerous configuration of WLANS

3 Wireless LAN Security3

4 4 Threats against WLANS (2) Finding WLANs is easy Wardriving: search for access points and publishing unprotected WLANs

5 Wireless LAN Security5

6 6 IEEE 802.11 Actual version 802.11b Layer 2 standard Peer-to-peer / via access point Similar to 802.3 (Ethernet) Open System Authentication Shared Key Authentication Wired Equivalent Privacy

7 Wireless LAN Security7 Wired Equivalent Privacy (WEP) Should provide an equivalent level of access control and protection of data on the WLAN as in wired networks Main security goals: confidentiality, access control, data integrity

8 Wireless LAN Security8 How does a stream cipher work? Keystream Generator Keystream Generator EncryptDecrypt Plaintext Ciphertext Keystream IV+Key IV: Initialization vector

9 Wireless LAN Security9 Encryption with WEP MessageCRC Keystream = RC4(v, k) IVCiphertext XOR Plaintext Transmitted data

10 Wireless LAN Security10 Encryption with WEP RC4 used with 40-bit key „128-bit“ implementation Per-packet 24-bit IV WEP allows re-use of IV 32-bit CRC is a linear function of the message and does not depend on the key

11 Wireless LAN Security11 Shared Key Authentication Mobile stationAccess point Challenge (Nonce) Response (Nonce encrypted with shared key) Shared key distribution Decrypted Nonce OK?

12 Wireless LAN Security12 The risks of keystream reuse C: Ciphertext P: Plaintext v: Initialization Vector k: Secret key Notation: If C 1 = P 1  RC4(v, k) and C 2 = P 2  RC4(v, k) then C 1  C 2 = (P 1  RC4(v, k))  (P 2  RC4(v, k)) = P 1  P 2

13 Wireless LAN Security13 The risk of keystream reuse (2) WEP uses per-packet IV to prevent these attacks Change of IV after every packet recommended (not required!) 24-bit IV nearly guaranteeing the same IV to be reused for multiple messages Bad handling of IV selection in some implementations

14 Wireless LAN Security14 Exploiting keystream reuse Find two packets, encrypted with same IV (Birthday paradoxon: 50% chance of a collision after only 4823 packets) Plaintext of one of the messages has to be known Provoke known plaintext to be transmitted Decryption dictionaries

15 Wireless LAN Security15 Message modification WEP checksum is a linear function Scenario: we have intercepted a message Is it possible to find a new ciphertext C‘ that decrypts to M‘, where M‘ = M   ? (  arbitrarily chosen) CRC(x  y) = CRC(x)  CRC(y) C = RC4(v, k) 

16 Wireless LAN Security16 Message modification (2) How to get C‘ from C C = RC4(v, k)  M‘ = M   C‘ = C  = RC4(v, k)   = RC4(v, k) 

17 Wireless LAN Security17 Authentication spoofing Observe an legitimate authentication sequence Known plaintext/ciphertext pair enables us to derive the used keystream: RC4(v, k) = C  P Use keystream to encrypt any subsequent challenge Authentication is possible without knowledge of the key

18 Wireless LAN Security18 Decryption via IP redirection Idea: sniff a encrypted packet, modify the destination IP address, send it to the WEP access point → AP will send us the decrypted packet Figuring out what the original IP address was is easy New checksum has to be correct

19 Wireless LAN Security19 Weaknesses in the key scheduling algorithm of RC4 Certain IVs sets the RC4 pseudorandom- generator to a state, in which the first word of output reveals one byte of the key. Improperly use of RC4 (as in WEP) allows an attacker to recover the secret key by observation of traffic This attack is implemented in publicly available tools as AirSnort or WEPCrack

20 Wireless LAN Security20 IEEE 802.11 in the future 802.11X as an enhancement of the today‘s standard Features: authentication via an authentication server, use of digital certificates, dynamic distribution of keys New IEEE standard 802.11i will include 802.11X and strong encryption (AES)

21 Wireless LAN Security21 Solutions for today‘s WLANs Treat link layer as insecure Usage of higher level security protocols (IPsec, SSL, SSH) Access points outside the firewall

22 Wireless LAN Security22 References [1] Nikita Borisov, Ian Goldberg, David Wagner: Intercepting Mobile Communications: The Insecurity of 802.11, In Proceedings of 7th International Conference on Mobile Computing and Networking 2001 (Mobicom 2001).Intercepting Mobile Communications: The Insecurity of 802.11, [2] Bill Arbaugh's Web Page über viele bekannte Sicherheitsschwächen von 802.11.Web Page [3] Scott Fluhrer, Martin Itsik, Adi Shamir: Weaknesses in the Key Scheduling Algorithm of RC4.In Proceedings of 8th Annual Workshop on Selected Areas in Cryptography (August 2001).Weaknesses in the Key Scheduling Algorithm of RC4 [4] Adam Stubblefield, John Ioannidis, Aviel Rubin: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. AT&T Labs Technical Report TD-4ZCPZZ, Revision 2, August 21, 2001.Using the Fluhrer, Mantin, and Shamir Attack [5] William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan: Your 802.11 Wireless Network has No Clothes. Department of Computer Science, University of Maryland, College Park, Maryland 20742, March 30, 2001

Download ppt "Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003."

Similar presentations

1 Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks” Dustin Christmann.

1 Intercepting Mobile Communications: The Insecurity of …or “Why WEP Stinks” Dustin Christmann.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
Wireless Security David Wagner University of California, Berkeley.

Wireless Security David Wagner University of California, Berkeley.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
1 IEEE 802.11 Network Security Rohit Tripathi Graduate Student. University of Southern California.

1 IEEE Network Security Rohit Tripathi Graduate Student. University of Southern California.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.

WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google