Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applying known techniques to WEP Keys Tim Newsham

Published byTomas Langenberg Modified over 6 years ago

Similar presentations

Presentation on theme: "Applying known techniques to WEP Keys Tim Newsham"— Presentation transcript:

1 Applying known techniques to WEP Keys Tim Newsham
Cracking WEP Keys Applying known techniques to WEP Keys Tim Newsham

2 Introduction Developed WEP key cracking software
Dictionary attack on the key generators Dictionary attack on raw keys Brute force of the 64-bit key generator Analyzed Key Generators Did not perform new cryptanalysis on the WEP protocol Did not look at 802.1x and Radius

3 Talk overview Motivation WEP protocol overview WEP keying
WEP key generators A WEP Cracker Results Related Work

4 Why Perform Dictionary attacks on WEP?
Security is as good as the weakest link Key cracking attacks the human problem But Isn’t WEP already broken? Key cracking is often simpler to implement and perform Key cracking can be less time consuming

5 Wired Equivalent Privacy
Purpose – bring the security of wired networks to Provides Authentication and Encryption Uses RC4 for encryption 64-bit RC4 keys Non-standard extension uses 128-bit keys Authentication built using encryption primitive – Challenge/Response

6 WEP Encryption ICV computed – 32-bit CRC of payload CRC 802.11 Frame
Header Payload Payload ICV 32 ICV computed – 32-bit CRC of payload

7 WEP Encryption ICV computed – 32-bit CRC of payload
4 x 40 Key 1 Key 2 Keynumber Key Key 3 40 Key 4 ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits

8 WEP Encryption ICV computed – 32-bit CRC of payload
IV keynumber 24 8 ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to keynumber

9 WEP Encryption ICV computed – 32-bit CRC of payload
64 IV Key RC4 Payload ICV Payload ICV ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to keynumber IV+key used to encrypt payload+ICV

10 WEP Encryption ICV computed – 32-bit CRC of payload
WEP Frame Header IV keynumber Payload ICV ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to keynumber IV+key used to encrypt payload+ICV IV+keynumber prepended to encrypted payload+ICV

11 WEP Decryption Keynumber is used to select key Key 1 Key 2 Keynumber
4 x 40 Key 1 Key 2 Keynumber Key Key 3 40 Key 4 Keynumber is used to select key

12 WEP Decryption Keynumber is used to select key
64 IV Key RC4 Payload ICV Payload ICV Keynumber is used to select key ICV+key used to decrypt payload+ICV

13 WEP Decryption Keynumber is used to select key
Payload ICV CRC ICV’ 32 Header Payload Keynumber is used to select key ICV+key used to decrypt payload+ICV ICV recomputed and compared against original

14 WEP Authentication Uses WEP encryption primitives
Nonce is generated and sent to client Client encrypts nonce and sends it back Server decrypts response and verifies that it is the same nonce. Authentication is optional

15 128-bit Variant Purpose – increase the encryption key size
24 104 128-bits IV Key RC4 Payload ICV Payload ICV Purpose – increase the encryption key size Non-standard, but in wide use IV and ICV set as before 104-bit key selected IV+key concatenated to form 128-bit RC4 key

16 WEP Keying Keys are manually distributed
Keys are statically configured Implications: often infrequently changed and easy to remember! Four 40-bit keys (or one 104-bit key) Key values can be directly set as hex data Key generators provided for convenience ASCII string is converted into keying material Non-standard but in wide use Different key generators for 64- and 128-bit

17 Key Entry Example

18 64-bit key Generator . . . Generates four 40-bit keys
40 x 32 bits 34 f8 a9 27 ee 61 7b f7 M y P a s s p ab a3 35 59 40 iterations h r a s PRNG 12 e7 a3 98 seed e 62 c3 f3 7f 6a 8e a3 59 32 bits . . . Generates four 40-bit keys ASCII string mapped to 32-bit value with XOR Value used as seed to 32-bit linear congruential PRNG 40 values generated from PRNG, one byte taken from each 32-bit result

19 64-bit Generator Flawed! Ideally should have at least 40-bits of entropy Key entropy is reduced in several ways

20 ASCII Mapping Reduces Entropy
h r a s e 32 bits ASCII string mapped to 32-bits XOR operation guarantees four zero bits Input is ASCII. High bit of each character is always zero XOR of these high bits is also zero Only seeds 00:00:00:00 through 7f:7f:7f:7f can occur

21 PRNG Use Reduces Entropy
40 x 32 bits 34 f8 a9 27 40 iterations PRNG ee 61 7b f7 ab a3 35 59 . . . For each 32-bit output, only bits 16 through 23 are used Generator is a linear congruential generator modulo 2^32 Low bits are “less random” than higher bits Bit 0 has a cycle length of 2^1, Bit 3 has a cycle length of 2^4, etc.. The resultant bytes have a cycle length of 2^24 Only seeds 00:00:00:00 through 00:ff:ff:ff result in unique keys!

22 Entropy of 64-bit Generator is 21-bits
The ASCII folding operation only generates seeds 00:00:00:00 through 7f:7f:7f:7f High bit of each constituent byte is always zero Only seeds 00:00:00:00 through ff:ff:ff:ff result in unique keys Result: Only 2^21 unique keys generated! Only need to consider seeds 00:00:00:00 through 00:7f:7f:7f with zero high bits

23 128-bit Generator One 104-bit key is generated
104 bits MD5 My PassphraseMy Pass… 032f6d8e8392… …8df926a 64 bits 64 bits One 104-bit key is generated ASCII string is extended to 64-bytes through repetition MD5 of resulting 64-bytes is taken 104-bits of output selected Key strength relies on the strength of MD5 and of the ASCII string

24 Designed and Implemented a WEP Cracker
Proof of concept: bells and whistles left out Perform dictionary attack against WEP keys Find keys generated from a dictionary word Find keys that are ASCII words Consider each of the four 64-bit WEP keys or the single 128-bit WEP key Perform brute force of the weak 64-bit WEP generator No support for other brute force attacks

25 Structure of WEP Cracker
Map To Keys Guess Generator Key Verifier Success? Packets Packet collector Guess Generator Mapping guesses to WEP keys Key verifier

26 Packet Collector Collect the appropriate packets needed for guess verification Collects DATA packets Two packets collected Reads from pcap-format file Simplifies design and allows for off-line cracking Capture utilities such as PrismDump already output to this format

27 Making Guesses Dictionary attack Brute force of generator
Read wordlist from file Lots of room for improvement. For example, rule-based word generation. Brute force of generator Generate sequential PRNG seeds between 00:00:00:00 and 00:7f:7f:7f

28 Mapping Guesses to Keys
Direct translation of ASCII to key bytes Five ASCII bytes mapped to a single 64-bit WEP key Thirteen ASCII bytes mapped to the 128-bit WEP key Truncation of long words, zero-fill for short words Use of the key generator functions Map ASCII to keys with 64-bit generator Map ASCII to keys with 128-bit generator Map PRNG seeds to keys with 64-bit generator

29 Key Verification Authentication (Challenge/Response) packets
Easiest to verify Challenge/Responds provides known plaintext Not ideal - Infrequent and optional Data packets Verify that decrypted packets are well-formed Verify that ICV is correct Inexact: can result in false-positives Verifying against several packets increases assurance

30 ICV Verification Get IV and keynumber from packet
Form RC4 key from IV+key[keynumber] Decrypt payload+ICV Recompute ICV and compare Probability of false match is 2^-32 Matching two packets gives high assurance

31 Results Proof of concept constructed Performance on PIII/500MHz laptop
Dictionary attack on ASCII keys and 64- and 128-bit key generators Brute force of 64-bit generator Performance on PIII/500MHz laptop Brute force of 64-bit generator in 35 seconds, 60,000 guesses/second 60,000 guesses/second against 64-bit ASCII keys 45,000 guesses/second against 128-bit generated keys 55,000 guesses/second against 128-bit ASCII keys

32 Brute Force of Keys Brute force of 40-bit keys is not practical
About 210 days on my laptop ~100 machines could perform attack in reasonable time Better attacks exist Brute force 104-bit keys is not feasible 10^19 years

33 Implications 64-bit generator should not be used
If ASCII keys or generated keys are used, string should be well chosen Use similar guidelines as when choosing a login password Random 40-bit keys have reasonable strength Well chosen 104-bit keys, generated or not, are strong

34 Related work – Bad News Ian Goldberg et al and Jesse Walker
WEP encryption is fundamentally flawed Attack times on the order of a few days Bill Arbaugh et al WEP authentication can be performed without knowing the key Extended Goldberg’s attacks against WEP encryption – easier to perform Places upper limit on cracking efforts – 1-2 days

35 That’s All Folks… tnewsham@stake.com
Source code provided on CD or at Source code is Public Domain Questions?

Download ppt "Applying known techniques to WEP Keys Tim Newsham"

Similar presentations

Cracking WEP Keys Applying known techniques to WEP Keys Tim Newsham.

Cracking WEP Keys Applying known techniques to WEP Keys Tim Newsham.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
The Dangers of Mitigating Security Design Flaws: A Wireless Case Study Nick Petroni Jr., William Arbaugh University of Maryland Presented by: Abe Murray.

The Dangers of Mitigating Security Design Flaws: A Wireless Case Study Nick Petroni Jr., William Arbaugh University of Maryland Presented by: Abe Murray.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.

The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.
802.11 Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.

Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

Similar presentations

Ads by Google