Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless Security David Wagner University of California, Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Wireless Security David Wagner University of California, Berkeley."— Presentation transcript:

1 Wireless Security David Wagner University of California, Berkeley

2 The Setting An example of a 802.11 wireless network (current installed base in the millions of users) Internet

3 The Problem: Security!  Wireless networking is just radio communications Hence anyone with a radio can eavesdrop, inject traffic

4 WEP  The industry’s solution: WEP (Wired Equivalent Privacy) Share a single cryptographic key among all devices Encrypt all packets sent over the air, using the shared key Use a checksum to prevent injection of spoofed packets (encrypted traffic)

5 Why You Should Care

6 More Motivation

7 Overview of the Talk  In this talk: Security evaluation of WEP The history, where we stand today, and future directions

8 Early History of WEP 802.11 WEP standard released 1997 Simon, Aboba, Moore: some weaknesses Mar 2000 Walker: Unsafe at any key size Oct 2000 Borisov, Goldberg, Wagner: 7 serious attacks on WEP Jan 30, 2001 NY Times, WSJ break the story Feb 5, 2001

9 How WEP Works IV RC4 key IV encrypted packet original unencrypted packet checksum

10 A Property of RC4  Keystream leaks, under known-plaintext attack Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P Let Z = RC4(key, IV) be the RC4 keystream Since C = P  Z, we can derive the RC4 keystream Z by P  C = P  (P  Z) = (P  P)  Z = 0  Z = Z  This is not a problem... unless keystream is reused!

11 A Risk With RC4  If any IV ever repeats, confidentiality is at risk Suppose P, P’ are two plaintexts encrypted with same IV Let Z = RC4(key, IV); then the two ciphertexts are C = P  Z and C’ = P’  Z Note that C  C’ = P  P’, hence the xor of both plaintexts is revealed If there is redundancy, this may reveal both plaintexts Or, if we can guess one plaintext, the other is leaked  So: If RC4 isn’t used carefully, it becomes insecure

12 Attack #1: Keystream Reuse  WEP didn’t use RC4 carefully  The problem: IV’s frequently repeat The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV’s, so after intercepting enough packets, there are sure to be repeats  Implications: can eavesdrop on 802.11 traffic An eavesdropper can decrypt intercepted ciphertexts even without knowing the key

13 Attack #2: Spoofed Packets  Attackers can inject forged traffic onto 802.11 nets Suppose I know the value Z = RC4(key, IV) for some IV e.g., by using the previous attack This is all I need to know to encrypt using this IV Since the checksum is unkeyed, I can create valid ciphertexts that will be accepted by the receiver  Implication: can bypass access control Can attack any computer attached to the wireless net

14 Summary So Far  None of WEP’s goals are achieved Confidentiality, integrity, access control all broken  And these are only 2 of the 7 attacks we showed in our paper…

15 Subsequent Events Jan 2001 Borisov, Goldberg, Wagner Arbaugh: Your 802.11 network has no clothes Mar 2001 Arbaugh, Mishra: still more attacks Feb 2002 Arbaugh: more attacks … May 2001 Newsham: dictionary attacks on WEP keys Jun 2001 Fluhrer, Mantin, Shamir: efficient attack on way WEP uses RC4 Aug 2001

16 Evaluation of WEP  WEP cannot be trusted for security Attackers can eavesdrop, spoof wireless traffic Can often break the key with a few minutes of traffic  Attacks are very serious in practice Attack tools are available for download on the Net Hackers sitting in a van in your parking lot may be able to watch all your wireless data, despite the encryption

17 War Driving  To find wireless nets: Load laptop, 802.11 card, and GPS in car Drive  While you drive: Attack software listens and builds map of all 802.11 networks found

18 War Driving: Chapel Hill

19 Driving from LA to San Diego

20 Zoom in on Los Angeles

21 Example: RF Leakage

22 One Network in Kansas City

23 Silicon Valley

24 San Francisco

25 Toys for Hackers

26 A Dual-Use Product

27 Conclusions  Wireless networks: insecure in theory & in practice 50-70% of networks never even turn on encryption, and the remaining are vulnerable to attacks shown here Hackers are exploiting these weaknesses in the field, from distances of a mile or more  Lesson: Open design is important These problems were all avoidable  In security-critical contexts, be wary of wireless!

Download ppt "Wireless Security David Wagner University of California, Berkeley."

Similar presentations

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.

Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
Wireless Security David Wagner University of California at Berkeley.

Wireless Security David Wagner University of California at Berkeley.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.

WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Similar presentations

Ads by Google