Published by Malcolm Franklin. Modified over 6 years ago.
Wireless Security Why Swiss-Cheese Security Isn’t Enough
David Wagner University of California at Berkeley
Wireless Networking is Here
Internet wireless networking is on the rise
Installed base: ~15 million users
Currently a $1 billion/year industry
The Problem: Security
Wireless networking is just radio communications
Hence anyone with a radio can eavesdrop or inject traffic
The Security Risk: RF Leakage
The Risk of Attack From Afar
Why You Should Care
More Motivation
Overview of the Talk
In this talk:
The history: WEP, and its (in)security
Where we stand today
Future directions
WEP
(Figure: encrypted traffic between a wireless client and an access point)
The industry’s solution: WEP (Wired Equivalent Privacy)
Share a single cryptographic key among all devices
Encrypt all packets sent over the air, using the shared key
Use a checksum to prevent injection of spoofed packets
Early History of WEP
1997: 802.11 WEP standard released
Mar 2000: Simon, Aboba, Moore: some weaknesses
Oct 2000: Walker: Unsafe at any key size
Jan 30, 2001: Borisov, Goldberg, Wagner: 7 serious attacks on WEP
Feb 5, 2001: NY Times, WSJ break the story
WEP - A Little More Detail
(Figure: the transmitted packet is IV, P ⊕ RC4(K, IV))
WEP uses the RC4 stream cipher to encrypt a TCP/IP packet (P) by xor-ing it with keystream (RC4(K, IV))
A Property of RC4
Keystream leaks, under known-plaintext attack
Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P
Let Z = RC4(K, IV) be the RC4 keystream
Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z
This is not a problem ... unless keystream is reused!
A Risk of Keystream Reuse
(Figure: two packets sent under the same IV: IV, P ⊕ RC4(K, IV) and IV, P’ ⊕ RC4(K, IV))
If IV’s repeat, confidentiality is at risk
If we send two ciphertexts (C, C’) using the same IV, then the xor of plaintexts leaks (P ⊕ P’ = C ⊕ C’), which might reveal both plaintexts
Lesson: If RC4 isn’t used carefully, it becomes insecure
Attack #1: Keystream Reuse
WEP didn’t use RC4 carefully
The problem: IV’s frequently repeat
The IV is often a counter that starts at zero; hence, rebooting causes IV reuse
Also, there are only 16 million possible IV’s, so after intercepting enough packets, there are sure to be repeats
Attackers can eavesdrop on traffic
An eavesdropper can decrypt intercepted ciphertexts even without knowing the key
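As an added example that is not part of the slides, the following Python plays out the known-plaintext keystream recovery from "A Property of RC4" and the IV-reuse leak from "A Risk of Keystream Reuse" against a WEP-style construction (per-packet RC4 key IV || K). The key, IV and packet contents are constructed values.

```python
# Added example, not from the slides: WEP-style RC4 keystream reuse.
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(k: bytes, iv: bytes, p: bytes) -> bytes:
    """WEP: the per-packet RC4 key is IV || K, and C = P xor RC4(K, IV)."""
    return xor(p, rc4_keystream(iv + k, len(p)))

def recover_keystream(c: bytes, known_p: bytes) -> bytes:
    """Known plaintext: P xor C = P xor (P xor Z) = Z."""
    return xor(known_p, c)

def plaintext_xor_leak(c1: bytes, c2: bytes) -> bytes:
    """Same IV and same K: C xor C' = P xor P', independent of the key."""
    return xor(c1, c2)

def demo() -> bytes:
    """Recover Z from one guessable packet, then read a second packet sent under the same IV."""
    k = bytes.fromhex("0f1e2d3c4b")            # constructed 40-bit WEP key (never used by the eavesdropper)
    iv = b"\x00\x00\x01"                       # constructed counter-style 24-bit IV
    p1 = b"GET /index.html HTTP/1.0"           # constructed, guessable plaintext
    p2 = b"POST /login.cgi HTTP/1.0"           # constructed, unknown plaintext
    c1 = wep_encrypt(k, iv, p1)
    c2 = wep_encrypt(k, iv, p2)                # IV reused, e.g. counter reset by a reboot
    z = recover_keystream(c1, p1)
    assert plaintext_xor_leak(c1, c2) == xor(p1, p2)
    return xor(z, c2)                          # p2 recovered without knowing k

if __name__ == "__main__":
    print(demo())
```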
WEP -- Even More Detail
(Figure: a checksum is appended to the original unencrypted packet; the IV and the RC4 key drive RC4 to produce the encrypted packet, which is sent together with the IV)
Attack #2: Spoofed Packets
Attackers can inject forged traffic
Learn RC4(K, IV) using the previous attack
Since the checksum is unkeyed, you can then create valid ciphertexts that will be accepted by the receiver
Attackers can bypass access control
All computers attached to the wireless net are exposed
Attack #3: Reaction Attacks
(Figure: the attacker sees P ⊕ RC4(K), re-sends the modified ciphertext P ⊕ RC4(K) ⊕ 0x0101, and watches for a TCP ACK)
A TCP ACKnowledgement appears iff the TCP checksum on the received (modified) packet is valid, iff P & 0x0101 has exactly 1 bit set
Attacker can recover plaintext (P) without breaking RC4
Summary So Far None of WEP’s goals are achieved
Confidentiality, integrity, access control: all insecure
Subsequent Events
Jan 2001: Borisov, Goldberg, Wagner
Mar 2001: Arbaugh: Your network has no clothes
May 2001: Arbaugh: more attacks …
Jun 2001: Newsham: dictionary attacks on WEP keys
Aug 2001: Fluhrer, Mantin, Shamir: efficient attack on the way WEP uses RC4
Feb 2002: Arbaugh, Mishra: still more attacks
War Driving
To find wireless nets:
Load laptop, card, and GPS in car
Drive
While you drive: attack software listens and builds a map of all networks found
War Driving: Chapel Hill
Driving from LA to San Diego
Wireless Networks in LA
Silicon Valley
San Francisco
Toys for Hackers
A Dual-Use Product
Problems With 802.11 WEP
WEP cannot be trusted for security
Attackers can eavesdrop on and spoof wireless traffic
They can also break the key with a few minutes of traffic
Attacks are serious in practice
Attack tools are available for download on the Net
And: WEP is often not used anyway
High administrative costs (WEP punts on key mgmt)
WEP is turned off by default
History Repeats Itself…
(Timeline figure, 1980 to the 2000s, three rows; the point: wireless security is not just 802.11 and WEP)
Cellphones: analog (AMPS): analog cloning, scanners; fraud pervasive & costly. Digital (TDMA, GSM): TDMA eavesdropping [Bar]; more TDMA flaws [WSK]; GSM cloneable [BGW]; GSM eavesdropping [BSW, BGW]. Future: 3rd gen. (3GPP, …)
Wireless networks (802.11, 1999–2003): WEP broken [BGW] and WEP badly broken [FMS] (2001); WPA (2002); attacks pervasive (2003). Future: 802.11i
Sensor networks: Berkeley motes; TinyOS 1.0, TinySec (2002). Future: ???
Conclusions
The bad news:
802.11 is insecure, both in theory & in practice
Encryption is readily breakable, and 50-70% of networks never even turn on encryption
Hackers are exploiting these weaknesses in the field
The good news:
Fixes (WPA, 802.11i) are on the way!