Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intercepting Mobile Communications: The Insecurity of

Published byHanna-Mari Halttunen Modified over 5 years ago

Similar presentations

Presentation on theme: "Intercepting Mobile Communications: The Insecurity of"— Presentation transcript:

1 Intercepting Mobile Communications: The Insecurity of 802.11
By Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero Knowledge Systems UC Berkeley In Proc. of ACM Mobicom, 2001

2 What’s on your wireless network?
(Wi-Fi) networks are ubiquitous today Types of encryption: Open (No encryption) WEP WPA/WPA2

3 So what is WEP? WEP is Wired Equivalent Privacy Link-layer encryption
Defined in the IEEE standard “Least common denominator” Wi-Fi encryption Goals of WEP Confidentiality Access control Data integrity

4 First, let’s introduce the players
Message: What you’re encrypting CRC: To verify the integrity of the message Plaintext: The message + CRC Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment Message CRC IV Key

5 First, let’s introduce the players
Key: A 40 or 104-bit number which is used to build the keystream Keystream: What is used to encrypt the plaintext Ciphertext: What we end up post- encryption Keystream Ciphertext

6 WEP encryption step-by-step
Message CRC Step 1: Compute CRC for the message CRC-32 polynomial is used

7 WEP encryption step-by-step
Keystream = RC4(IV, k) Step 2: Compute the keystream IV is concatenated with the key RC4 encryption algorithm is used on the 64 or 128 bit concatenation

8 WEP encryption step-by-step
plaintext Message CRC XOR Keystream = RC4(IV, k) IV Ciphertext Step 3: Encrypt the plaintext The plaintext is XORed with the keystream to form the ciphertext The IV is prepended to the ciphertext

9 WEP decryption step-by-step
IV Ciphertext Keystream = RC4(IV, k) Step 1: Build the keystream Extract the IV from the incoming frame Prepend the IV to the key Use RC4 to build the keystream

10 WEP decryption step-by-step
Ciphertext XOR Keystream = RC4(IV, k) Message CRC Step 2: Decrypt the plaintext and verify XOR the keystream with the ciphertext Verify the extracted message with the CRC

11 Attack Practicality Feasibility of mounting an attack
Equipment capable of monitoring 2.4GHz frequencies (e.g., off the shelf firmware) Transmit at the same frequency for active attackers Full access to the link layer for both active and passive attackers

12 Risks of stream cipher Possible plaintext recovery
The availability of ciphertexts, keystream reuse Partial knowledge of some of the plaintexts Per-packet IV in WEP cannot prevent keystream reuse attacks.

13 Risks of stream cipher How to find keystream reuse?
It’s carried in plaintext in the “encrypted” message! Key k rarely change, IV reset to 0 after initialization It’s only 24 bits! There are no restrictions on IV reuse! How to obtain plausible candidates for the plaintext?

14 You know more about the plaintext than you think you know
Can be either IP or ARP AA AA 03 00 00 00 08 ?? DSAP SSAP CTRL ORG Code Ether type With , you know the first eight bytes of a packet Many IP services have packets of fixed lengths Most WLAN IP addresses follow common conventions. Many IP behaviors have predictable responses

15 Risks of stream cipher How to obtain plausible candidates for the plaintext? Well defined structured: IP header fields, contents, traffic patterns (previous slide) Send IP traffic/ s/spam from an Internet host under the attacker’s control to a mobile host Send broadcast packets to an access point and observe their encrypted form

16 Risks of stream cipher Its possible to build a decryption dictionaries
A table of the keystreams corresponding to each IV One time effort Not rely on key size Key management A single key is shared for an entire network A higher chance of IV collision Difficult to replace compromised keys

17 Summary: Risks of stream cipher
Use of stream ciphers is dangerous (the reuse of keystream). Any protocol that uses a stream cipher must take special care to ensure that keystream never gets reused. In light of this, a protocol designer should give careful consideration to the complications that the use of stream ciphers adds to a protocol when choosing an encryption algorithm.

18 Potential Attacks to break message authentication
CRC algorithm The CRC is a linear function First-order polynomial: y = mx + b Key property when b is 0: f(x+y) = f(x) + f(y) The CRC is an unkeyed function

19 Message modification An attacker can make arbitrary modifications to an encrypted message without fear of detection Takes advantage of CRC’s linearity and unkeyed nature. Need to know some of the plaintext, but not all! Alice plaintext ciphertext encryption algorithm decryption Bob C and C’ are the original and modified cyphertext c is the CRC-32 function Δ is the change in the message Trudy

20 Message injection An attack is able to inject arbitrary traffic into the network with a pair of plaintext and ciphertext Takes advantage of CRC’s unkeyed nature and IV reuse. Need to know all of the plaintext Trudy plaintext ciphertext encryption algorithm decryption Bob C is the original cyphertext P is the original plaintext RC4(v,k) is the keystream for IV v M’ is the new message c is the CRC-32 function

21 Authentication spoofing
An attack can defeat the shared-key authentication mechanism Takes advantage of IV reuse, WEP challenge mechanism for new mobile stations Monitor the exchange and learn an IV-keystream pair Trudy Authenticate mobile stations authentication request nonce (128 bytes) nonce encrypted using the learned IV-keystream pair success if decrypted value equals nonce

22 Message Decryption With the ability to modify transmitted packets, an attacker can trick an access point into decrypting some ciphertext for him IP redirection Alice Trudy Eavesdrop encrypted frame Build encrypted IP header with the desired destination IP address Send frames Receive unencrypted data at Internet-connected computer

23 Message Decryption Alice Trudy

24 Message Decryption Reaction attacks Trudy
No need for connectivity to Internet Only for TCP traffic Viewed as a side channel attack Suggest using a secure MAC Monitor the reaction of a TCP packet (whether there is a ACK) Trudy For a ciphertext C, flip a few bits and adjust CRC to get C’ Infer some bits in plaintext based on whether C’ passes TCP checksum 24

25 Message Decryption 25

26 Summary: Potential Attacks to break message authentication
It’s importance to use a cryptographically secure message authentication code. Any unkeyed function falls short from defending against the attacks discussed here. 26

27 How hard to crack WEP? Attacks greatly aided by automated tools
Authors of “The Final Nail in WEP’s Coffin” broke 40-bit key in under 15 minutes and 104-bit key in under 80 minutes FBI agents demonstrated it in 3 minutes in 2005 e/ “Usually it takes five to ten minutes”

28 Countermeasures DON’T USE WEP! Use WPA or WPA2 with a strong key
Change the default settings on your wireless router Use VPN

29 Lessons Reuse past design and Offer new designs for public reviews.

30 Conclusion The paper demonstrated major security flaws in the WEP protocol and described several practical attacks. WEP should not be counted on to provide strong link-level security, and that additional precautions be taken to protect network traffic.

Download ppt "Intercepting Mobile Communications: The Insecurity of"

Similar presentations

1 Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks” Dustin Christmann.

1 Intercepting Mobile Communications: The Insecurity of …or “Why WEP Stinks” Dustin Christmann.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Wireless Security David Wagner University of California, Berkeley.

Wireless Security David Wagner University of California, Berkeley.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google