Download presentation
Presentation is loading. Please wait.
Published byHanna-Mari Halttunen Modified over 5 years ago
1
Intercepting Mobile Communications: The Insecurity of 802.11
By Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero Knowledge Systems UC Berkeley In Proc. of ACM Mobicom, 2001
2
What’s on your wireless network?
(Wi-Fi) networks are ubiquitous today Types of encryption: Open (No encryption) WEP WPA/WPA2
3
So what is WEP? WEP is Wired Equivalent Privacy Link-layer encryption
Defined in the IEEE standard “Least common denominator” Wi-Fi encryption Goals of WEP Confidentiality Access control Data integrity
4
First, let’s introduce the players
Message: What you’re encrypting CRC: To verify the integrity of the message Plaintext: The message + CRC Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment Message CRC IV Key
5
First, let’s introduce the players
Key: A 40 or 104-bit number which is used to build the keystream Keystream: What is used to encrypt the plaintext Ciphertext: What we end up post- encryption Keystream Ciphertext
6
WEP encryption step-by-step
Message CRC Step 1: Compute CRC for the message CRC-32 polynomial is used
7
WEP encryption step-by-step
Keystream = RC4(IV, k) Step 2: Compute the keystream IV is concatenated with the key RC4 encryption algorithm is used on the 64 or 128 bit concatenation
8
WEP encryption step-by-step
plaintext Message CRC XOR Keystream = RC4(IV, k) IV Ciphertext Step 3: Encrypt the plaintext The plaintext is XORed with the keystream to form the ciphertext The IV is prepended to the ciphertext
9
WEP decryption step-by-step
IV Ciphertext Keystream = RC4(IV, k) Step 1: Build the keystream Extract the IV from the incoming frame Prepend the IV to the key Use RC4 to build the keystream
10
WEP decryption step-by-step
Ciphertext XOR Keystream = RC4(IV, k) Message CRC Step 2: Decrypt the plaintext and verify XOR the keystream with the ciphertext Verify the extracted message with the CRC
11
Attack Practicality Feasibility of mounting an attack
Equipment capable of monitoring 2.4GHz frequencies (e.g., off the shelf firmware) Transmit at the same frequency for active attackers Full access to the link layer for both active and passive attackers
12
Risks of stream cipher Possible plaintext recovery
The availability of ciphertexts, keystream reuse Partial knowledge of some of the plaintexts Per-packet IV in WEP cannot prevent keystream reuse attacks.
13
Risks of stream cipher How to find keystream reuse?
It’s carried in plaintext in the “encrypted” message! Key k rarely change, IV reset to 0 after initialization It’s only 24 bits! There are no restrictions on IV reuse! How to obtain plausible candidates for the plaintext?
14
You know more about the plaintext than you think you know
Can be either IP or ARP AA AA 03 00 00 00 08 ?? DSAP SSAP CTRL ORG Code Ether type With , you know the first eight bytes of a packet Many IP services have packets of fixed lengths Most WLAN IP addresses follow common conventions. Many IP behaviors have predictable responses
15
Risks of stream cipher How to obtain plausible candidates for the plaintext? Well defined structured: IP header fields, contents, traffic patterns (previous slide) Send IP traffic/ s/spam from an Internet host under the attacker’s control to a mobile host Send broadcast packets to an access point and observe their encrypted form
16
Risks of stream cipher Its possible to build a decryption dictionaries
A table of the keystreams corresponding to each IV One time effort Not rely on key size Key management A single key is shared for an entire network A higher chance of IV collision Difficult to replace compromised keys
17
Summary: Risks of stream cipher
Use of stream ciphers is dangerous (the reuse of keystream). Any protocol that uses a stream cipher must take special care to ensure that keystream never gets reused. In light of this, a protocol designer should give careful consideration to the complications that the use of stream ciphers adds to a protocol when choosing an encryption algorithm.
18
Potential Attacks to break message authentication
CRC algorithm The CRC is a linear function First-order polynomial: y = mx + b Key property when b is 0: f(x+y) = f(x) + f(y) The CRC is an unkeyed function
19
Message modification An attacker can make arbitrary modifications to an encrypted message without fear of detection Takes advantage of CRC’s linearity and unkeyed nature. Need to know some of the plaintext, but not all! Alice plaintext ciphertext encryption algorithm decryption Bob C and C’ are the original and modified cyphertext c is the CRC-32 function Δ is the change in the message Trudy
20
Message injection An attack is able to inject arbitrary traffic into the network with a pair of plaintext and ciphertext Takes advantage of CRC’s unkeyed nature and IV reuse. Need to know all of the plaintext Trudy plaintext ciphertext encryption algorithm decryption Bob C is the original cyphertext P is the original plaintext RC4(v,k) is the keystream for IV v M’ is the new message c is the CRC-32 function
21
Authentication spoofing
An attack can defeat the shared-key authentication mechanism Takes advantage of IV reuse, WEP challenge mechanism for new mobile stations Monitor the exchange and learn an IV-keystream pair Trudy Authenticate mobile stations authentication request nonce (128 bytes) nonce encrypted using the learned IV-keystream pair success if decrypted value equals nonce
22
Message Decryption With the ability to modify transmitted packets, an attacker can trick an access point into decrypting some ciphertext for him IP redirection Alice Trudy Eavesdrop encrypted frame Build encrypted IP header with the desired destination IP address Send frames Receive unencrypted data at Internet-connected computer
23
Message Decryption Alice Trudy
24
Message Decryption Reaction attacks Trudy
No need for connectivity to Internet Only for TCP traffic Viewed as a side channel attack Suggest using a secure MAC Monitor the reaction of a TCP packet (whether there is a ACK) Trudy For a ciphertext C, flip a few bits and adjust CRC to get C’ Infer some bits in plaintext based on whether C’ passes TCP checksum 24
25
Message Decryption 25
26
Summary: Potential Attacks to break message authentication
It’s importance to use a cryptographically secure message authentication code. Any unkeyed function falls short from defending against the attacks discussed here. 26
27
How hard to crack WEP? Attacks greatly aided by automated tools
Authors of “The Final Nail in WEP’s Coffin” broke 40-bit key in under 15 minutes and 104-bit key in under 80 minutes FBI agents demonstrated it in 3 minutes in 2005 e/ “Usually it takes five to ten minutes”
28
Countermeasures DON’T USE WEP! Use WPA or WPA2 with a strong key
Change the default settings on your wireless router Use VPN
29
Lessons Reuse past design and Offer new designs for public reviews.
30
Conclusion The paper demonstrated major security flaws in the WEP protocol and described several practical attacks. WEP should not be counted on to provide strong link-level security, and that additional precautions be taken to protect network traffic.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.