Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chalmers University of Technology Wireless security Breaking WEP and WPA.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Chalmers University of Technology Wireless security Breaking WEP and WPA."— Presentation transcript:

1 Chalmers University of Technology Wireless security Breaking WEP and WPA

2 Chalmers University of Technology Wireless security - Why?

3 Chalmers University of Technology DEMO!

4 Chalmers University of Technology Wireless security timeline 1997199819992000200120022003200420052006200720082009 WEP introduced WPA introduced FMS attack on WEP ChopChop attack on WEP Fragmentation attack onWEP PTW attack on WEP Beck and Tews attack on WEP and WPA Message falsification attack on WPA Attack on TKIP WPA2 introduced

5 Chalmers University of Technology RC4 Was developed by Ron Rivest in 1987 “Rivest Cipher 4” Most widely used stream cipher Used in i.e. SSL, WEP, WPA and TLS Was secret until 1994 when it was leaked for i from 0 to 255 S[i] := i endfor l := keylength j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j]) endfor i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 256] endwhile

6 Chalmers University of Technology Key Scheduling Algorithm (KSA) Initializes the state Permutes array S based on key K Array S controls the secret state S is later used to generate stream for i from 0 to 255 S[i] := i endfor l := K.length j := 0 for i from 0 to 255 j := (j + S[i] + K[i mod l]) mod 256 swap(&S[i], &S[j]) endfor

7 Chalmers University of Technology KSA example S = 01234567 53 K = for i from 0 to 7 j := (j + S[i] + K[i mod l]) mod 8 swap(&S[i],&S[j]) endfor i i j 05526374500314

8 Chalmers University of Technology Pseudo Random Generation Algorithm (PRGA) Generates a stream of pseudo random numbers The state array is updated each iteration i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j+S[i]) mod 256 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 256] endwhile

9 Chalmers University of Technology PRGA example S = i j 26750314 while GeneratingOutput: i := (i + 1) mod 8 j := (j+S[i]) mod 8 swap(&S[i],&S[j]) output S[(S[i]+S[j]) mod 8] endwhile 4731

10 Chalmers University of Technology Question What problem might we encounter if the same key is used to encrypt multiple messages?

11 Chalmers University of Technology Wired Equivalent Privacy (WEP) Introduced in November 1997 Comes in 64-bit and 128-bit strength Uses initialization vectors to deal with the problem of key reuse Not meant to be secure (!) Adds Integrity Control Value (ICV) to the message to verify its correctness

12 Chalmers University of Technology WEP Initialization Vector (IV) Prepended to the key Sent in plaintext along with the message Only 3 bytes – reused every 2 24 message Reduces key size by 24 bits (!) –64 bit = 40 bit –128 bit = 104 bit + = IV Key Dynamic key

13 Chalmers University of Technology Fluhrer, Mantin and Shamir attack Found a group of weak IV’s –IV’s with format X + 3 || 255 || Y –If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y –Same holds for respectively for 0  X  13 The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form

14 Chalmers University of Technology Example KSA Loop ijS[0]S[1]S[2]S[3]S[12] 100012312 2133120 32 259  3 302112 43 30 12 54?30 ?2 IV = [ 3, 255, 7 ]K = [ 3, 255, 7, ?, ?, ?, ?, ? ] 1.C[0] = 165 = 15  170 2.j = S[i] = S[1] = 0 3.S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0]  170 = 15 4.j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15  K[3] = 2

15 Chalmers University of Technology Statistics

16 Chalmers University of Technology Aircrack

17 Chalmers University of Technology Limitations Have to collect ~1 000 000-4 000 000 packets to get enough IV’s Could take 2-4 weeks to collect Weak IV’s no longer used Have since then been optimized and new attacks have been found Can now be broken in less than 60 seconds

18 Chalmers University of Technology ChopChop attack Truncates the message by one byte and xor with X –If ICV control succeeds, the truncated byte is X P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) ) Decreases time of finding the key to ~30 minutes

19 Chalmers University of Technology Wi-fi Protected Access (WPA) Built around WEP to fix its flaws and provide backward compatibility Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems

20 Chalmers University of Technology Temporal Key Integrity Protocol (TKIP) Adds a new Message Integrity Check (MIC) generated using Michael algorithm Michael is insecure, but this was handled by countermeasures in TKIP Replay protection, slows down attacks but do not prevent them

21 Chalmers University of Technology Becks and Tews attack Attacks a TKIP A modified version of the ChopChop attack Truncates the message by one byte and xor last byte with X –If ICV control fails nothing happens, increment X –If ICV control succeeds, then MIC control will fail and an error message will be sent, the truncated byte is X Limited to networks with QoS enabled

22 Chalmers University of Technology Wireless security timeline 1997199819992000200120022003200420052006200720082009 WEP introduced WPA introduced FMS attack on WEP ChopChop attack on WEP Fragmentation attack onWEP PTW attack on WEP Beck and Tews attack on WEP and WPA Message falsification attack on WPA Attack on TKIP WPA2 introduced

23 Chalmers University of Technology Additional reading Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4 Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP) Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds Beck, M., Tews, E.: Practical attacks against WEP and WPA Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP Ohigashi, T., Morii, M.: A practical message falsification attack on WPA

Download ppt "Chalmers University of Technology Wireless security Breaking WEP and WPA."

Similar presentations

Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Encryption/Decyprtion using RC4 Vivek Ramachandran.

Encryption/Decyprtion using RC4 Vivek Ramachandran.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007.

1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007.
The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.

The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.
15 November 2004 1 Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
802.11 Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.

Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.

Similar presentations

Ads by Google