Systems Architecture: Breaking WEP in less than 60 seconds. A presentation by Roman Scherer and Rainer Rehak, June 12th.


1 Breaking WEP in less than 60 seconds
A presentation by Roman Scherer and Rainer Rehak, June 12th 2007
Security Engineering, HU-Berlin
Systems Architecture, http://sar.informatik.hu-berlin.de

2 Overview
May 2006 - 2, Systems Architecture, http://sar.informatik.hu-berlin.de
• brief history of WEP
• WEP variants
• usage of WEP in common environments
• WEP-packet structure
• general WEP-encryption algorithm
• detailed WEP-encryption algorithm (RC4)
• Klein's attack on RC4
• Klein's attack on RC4 for independent bytes
• Application on WEP: ARP and packet-injection
• Additional information and conclusion
Speakers: Rainer, Roman, Rainer, Roman

3 Introduction (1)
• wired networks are in general secure due to physical reasons
  - direct wire-bound communication between peers -> direct physical access required
• wireless networks are insecure due to physical reasons
  - reception area is a sphere -> traffic is by default public

4 Introduction (2)
• traffic needs to be encrypted to ensure privacy -> WEP (Wired Equivalent Privacy)
• ratified in September 1999 by the IEEE as 802.11
• two variants: 64-bit (40-bit) and 128-bit (104-bit) encryption
  - 64-bit for slow computers (3 Byte Initialization Vector)
  - 128-bit for high security (3 Byte Initialization Vector)
• in 2001 Fluhrer, Mantin and Shamir presented an attack against RC4, but IVs needed to fulfill a special condition
• in 2004 Stubblefield, Ioannidis, and Rubin applied this to WEP -> approximately 4 million packets needed

5 Introduction (3)
• therefore WEP+ (WEP-plus) was introduced, which does not use those IVs
• in 2007 Klein improved the RC4 attack; it works regardless of the IVs used
• although WEP is known to be insecure, (not representative) statistics in middle Germany show the following:
• WEP is still the most commonly used WLAN protection

6 IEEE 802.11 Standard
IEEE 802.11 specifies the two lowest layers of the OSI (Open System Interconnection) model for local wireless networks. The specification of these two layers (Physical & Media Access Control) is known as WLAN or WIFI.

7 BSS // Basic Service Set
A WLAN consists of a minimum of two communication partners, also called stations. Stations can communicate with each other using electromagnetic waves that have a range of 20 m – 300 m. This communication area is known as BSS (Basic Service Set).
[Diagram: Station #1, Station #2, Access Point, BSS]

8 WEP packet structure
[Figure: WEP packet layout. Labels: Logical Link Control, BSS ID, Initialization Vector (IV), Destination Address, Sub Network Access Protocol Header, Data, Integrity Check Value (CRC32), 802.11 Header]
The first part of a WEP packet is not encrypted and contains, amongst others, the initialization vector IV as well as the hardware address of the destination (or the broadcast address). The second part of the packet contains the encrypted data of the protocols above. Each packet is encrypted with a different key.

9 Stream Ciphers

10 WEP Encoding
Seed: IV (24 bit) || K_BSS (104 bit) = RK (128 bit)

11 WEP Decoding
WEP uses the RC4 algorithm as its pseudo-random number generator.

12 RC4 (1)
• RC4 is a widely used stream cipher by Ron Rivest of RSA Security from 1987
• takes a key of arbitrary length up to 256 bytes
• produces a pseudo-random keystream of unlimited length
• RC4 can be described as a machine whose internal state is defined by a 256-byte array and two single bytes acting as pointers to elements of the array

13 RC4 (2)
• for every packet RC4 is newly initialized as the key (IV + K_BSS) differs from packet to packet
• creates a permutation of S[ ] based on the packet key

14 RC4 (3)
• the packet's content is then XOR'ed with the generated key stream
• each generation of one byte for the key stream changes the internal state of the RC4
• here, n is 256

15 Klein's attack (1)
• Klein's attack on RC4 is based on the fact that only the public IV changes, while the secret root key K_BSS is fixed
• K is the packet key, X is the packet key stream, we have m bytes
• if we have the first i bytes of the packet key and the i-th byte of the key stream, we have a (not just random) chance to calculate the (i+1)-th byte of the packet key

16 Multiple Key Bytes
Using Klein's attack it is possible to compute all secret key bytes if enough samples are available.
Disadvantage
- The IVs and recovered keystreams must be processed for each key byte.
- All key bytes following a falsely guessed key byte have to be recalculated.
Tews, Weinmann & Pyshkin Approach
- Extension to Klein's attack to be able to calculate the key bytes independently of each other.
- They developed an approximation so the recovery algorithm only depends on the first 3 key bytes, which is the unencrypted IV.
- Using the approximation together with a key ranking method & an error correction function for strong keys they are able to recover the correct key.

17 ARP // Address Resolution Protocol

18 LLC & ARP Header Problem
ARP Request: Who has IP address 192.168.0.1 ?
AA AA 03 00 00 00 08 06 00 01 08 00 06 04 ... XX 00 01 XX ... (LLC Header, ARP Request Header, ...)
ARP Response: 00:01:02:03:04:05 has the IP address 192.168.0.1
AA AA 03 00 00 00 08 06 00 01 08 00 06 04 ... XX 00 01 XX ... (LLC Header, ARP Request Header, ...)
ARP request/response packets are always of the same length, and can therefore be easily distinguished from other packets by looking at the packet length and the destination address in the unencrypted 802.11 header.

19 LLC & ARP Header Problem
Encrypted packet that was identified as an ARP request:
4B 3A 02 9A BC DF 00 30 01 08 23 06 04 ... XX 31 34 XX ... (LLC Header, ARP Request Header, ...)
XOR
LLC Header & ARP Request header:
AA AA 03 00 00 00 08 06 00 01 08 00 06 04 ... XX 00 01 XX ...
=
RC4 Keystream: ... XXXX ...
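The WEP encoding, RC4 and LLC & ARP header slides above, worked through in Python as an added example (not code from the presentation): RC4 is keyed with IV || K_BSS, and XORing an encrypted ARP request with its fixed header bytes gives back the first 16 keystream bytes. The IV, K_BSS and addresses are constructed sample values, the little-endian ICV byte order is an assumption, and the trailing 00 01 opcode is taken from the standard ARP layout.

```python
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 with n = 256: key scheduling (KSA), then keystream generation (PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):                 # KSA: permute S[] based on the packet key
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):              # PRGA: every output byte changes the state
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, k_bss: bytes, data: bytes) -> bytes:
    """Encrypted part of a WEP packet: (data || CRC32) XOR RC4(IV || K_BSS)."""
    body = data + zlib.crc32(data).to_bytes(4, "little")   # ICV, assumed little-endian
    return xor(body, rc4_keystream(iv + k_bss, len(body)))

def wep_decrypt(iv: bytes, k_bss: bytes, encrypted: bytes) -> bytes:
    body = xor(encrypted, rc4_keystream(iv + k_bss, len(encrypted)))
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data

# Fixed plaintext at the start of every ARP request: LLC header, then ARP header.
# The final 00 01 is the ARP request opcode (standard ARP layout).
KNOWN_HEADER = bytes.fromhex("aaaa030000000806" "0001080006040001")

def keystream_prefix(encrypted: bytes, known: bytes = KNOWN_HEADER) -> bytes:
    """Ciphertext XOR known plaintext = first len(known) keystream bytes."""
    return xor(encrypted[:len(known)], known)

# Constructed sample values (not from the presentation).
IV = bytes.fromhex("0a0b0c")                       # 24-bit IV, sent in the clear
K_BSS = bytes(range(1, 14))                        # 104-bit root key
ARP_REQUEST = KNOWN_HEADER + bytes.fromhex(
    "000102030405" "c0a80002" "000000000000" "c0a80001")  # who has 192.168.0.1?

if __name__ == "__main__":
    enc = wep_encrypt(IV, K_BSS, ARP_REQUEST)
    print("recovered:", keystream_prefix(enc).hex())
    print("actual   :", rc4_keystream(IV + K_BSS, 16).hex())
```

The two printed lines are identical: the fixed headers expose keystream bytes to anyone who can receive the packet, without knowledge of K_BSS.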

20 ARP Packet Injection
To successfully recover a 104 bit WEP key we need:
- 40,000 packets for a success probability of 50%
- 85,000 packets for a success probability of 95%.
It is not practical to wait for all these packets (passive attack)! The usual approach is to wait for an ARP request from a valid client and re-inject this packet back to the network. Since ARP is a low level protocol it is typically not restricted by any kind of packet filters. ARP replies expire quickly, so it usually takes only some seconds/minutes until an attacker can capture a packet and start reinjecting it to the network. Sending a faked deauthenticate message to a client can sometimes force clients to flush their ARP cache and generate a new request.

21 References
• E. Tews, R.-P. Weinmann, A. Pyshkin. Paper: Breaking 104 bit WEP in less than 60 seconds. Technische Universität Darmstadt, Fachbereich Informatik
• Klein, A. Attacks on the RC4 stream cipher. Submitted to Designs, Codes and Cryptography, 2007.
• Website of the Chaos Computer Club, www.ccc.de
• Chaosradio / Chaospodcast, www.ccc.de/chaosradio

