Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Similar presentations


Presentation on theme: "Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007."— Presentation transcript:

1 Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007

2 Resources  Borisov, Goldberg, Wagner. Intercepting mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking. http://www.isaac.cs.berkeley.edu/isaac/we p-draft.pdf Guillaume Lehembre Wifi Security: WEP, WPA and WPA2 http://www.hsc.fr/ressources/articles/hakin 9_wifi/hakin9_wifi_EN.pdf

3

4 WEP Protocol  WEP – Wired Equivalent Privacy  Wireless standard 802.11  Link layer  Protocol goals: Confidentiality: prevent eavesdropping Access control: prevent unauthorized access Data integrity: prevent tampering of messages  We show that none of the security goals are attained

5 Network Model Internet

6 WEP Algorithm Encryption MessageCRC(M) RC4(k,IV) CipherIV

7 WEP Algorithm Decryption MessageCRC(M) RC4(k,IV) CipherIV

8 Confidentiality

9 Stream cipher properties  Given two ciphers C 1,C 2 – C 1  C 2 = P 1  P 2.  Keystream reuse can lead to a number of attacks: If plaintext of one message is known, the other is immediately obtainable. In the general case, known techniques for breaking reused keystreams. As the number of reused keystream increases breaking them becomes easier.  Two conditions required for this class of attcks to succeed: Availability of ciphertexts where keystream is used more than once. Partial knowledge of some of the plain texts.

10 Finding instances of keystream reuse  Shared key k changes rarely.  Reuse of IV causes reuse of keystream.  IV are public.

11 IV Usage  Standard recommends (but not requires) change of IV.  Common PCMCIA cards sets IV to zero and increment it by 1 for each packet.  IV size is only 24 bits.  Busy access point of 5Mbps will exhaust available space in 11 hours.  Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision

12 Exploiting keystream reuse  Many fields of IP traffic are predictable.  For example: login sequences.  Active attack (known plaintext)

13 Decryption dictionaries  Once plaintext of encrypted message is obtained, keystream value stored in dictionary.  Full table requires 24GB  Size of dictionary does not depend of size of key

14 Key management

15 Message Authentication  Message modification  Message injection

16 Message Modification  Checksum used is CRC-32 which is a linear function of the message:  In other words, checksum distributes over the XOR operation. C(x  y) = C(x)  C(y)  RC4 stream cipher also linear.

17 The attack Given C we would like to create C ’ s.t. C ’ decrypts to M ’ instead of M. MessageCRC(M) RC4(k,IV) Cipher  CRC(  )  = MessageCRC(M) RC4(k,IV)  CRC(  ) = RC4(k,IV) ’’CRC(  ’) =

18 Message Injection  WEP checksum is an unkeyed function of the message.  After knowing one keystream we can use it forever. C ’ =  RC4(IV,k)

19 Other attacks  IP redirection. Assumption: Destination address is known.

20 IP redirection (cont.)  Need to calculate IP checksum  Several options IP checksum for original packet is known Original IP checksum is not known Compensate by changing another IP field

21 Reaction Attack  Works only for TCP protocol  Pick i at random, let be all zeros, except for positions i and i+16. Calc C ’ = C   Two options: 1. Got an acknowledgment, P i  P i+16 = 1 2. Else P i  P i+16 = 0  Each test reveals 1 bit of information

22 Example attacks

23 ARP Request

24

25

26

27 Conclusion  Design of security protocols is difficult (more than the design of network protocols)  Combining several secure algorithms does not mean that the result is secure  Engineering perspective dictated selection of cryptographic algorithms

28 Fixing WEP WPA – Wi-Fi Protected Access and 802.11i

29 WPA  WPA – Wi-Fi Protected Access Draft security enhancements for 802.11 A subset of the 802.11i proposed standard Proposed by IEEE 802.11 TGi (Task Group i)  Design goals Preserve packet format Work with deployed 802.11 hardware in AP and NICs  Composed of two components Authentication and master key generation – 802.1X TKIP (Temporal Key Integrity Protocol) - Temporal key generation, Confidentiality and Integrity

30 802.11i  A proposed standard  Defines authentication, key management, confidentiality, integrity and encapsulations for 802.11  Includes WEP (current implemented)  Encryption: RC4; Integrity: CRC-32 TKIP (temporary solution)  Encryption: RC4; Integrity: Michael WRAP (Wireless Robust Authenticated Protocol)  Encryption: AES; Integrity: HMAC-MD5

31 TKIP – Temporal Key Integrity Protocol

32 TKIP Components  TKIP is a wrapper around WEP  A cryptographic MIC (Message Integrity Code)  A per-packet sequence number  A per-packet key mixing function  A rekeying mechanism (802.1X)

33 TKIP MIC  MICHAEL the MIC function is designed for very low bandwidth CPU (the ones that are used by the Access Point)  Key length – 64 bits  The MIC is computed over the source address, the destination address and the data Protects against packet modification (e.g. bit flipping) Protects against header forgery

34 WEP with Enabled MIC =CRC =MAC

35 TKIP Sequence Counter  The station and the Access Point maintain a TKIP sequence counter  The transmitter increments the TKIP sequence counter each time it sends a packet  The counters are reset when new temporal keys are established  The sequence counter is mixed with the temporal key and the transmitter MAC address to create a RC4 seed key  On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage  Protects against replay attack

36 TKIP Keys  TKIP is using temporal keys  The station and the Access Point periodically exchange temporal keys  Four keys One Integrity (MIC) and one Encryption key per direction

37 TKIP ENCAPSULATION

38 TKIP Encapsulation  Calculate the 64 bits MIC with the MIC temporal key, over the source and destination addresses. The MIC is inserted into the message data  The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key  The first three bytes of the key are stored in the IV field  The remaining 13 bytes are stored in a free WEP key buffer  The packet is sent to WEP processing

39 TKIP DECAPSULATION

40 TKIP Decapsulation  The IV and the temporal key are concatenated, to create the RC4 seed key  The key is de-mixed – to create the TKIP sequence counter. The counter is checked to be in sequence  The key, the IV and the data are sent for WEP decapsulation  After RC4 decryption, the MIC, with the temporal MIC key, is computed over the source and destination addressed and the decrypted packet, and is compared to the MIC field in the packet

41 TKIP Notes  The TKIP temporal key must be exchanged every less then 2 16 packets, since the key mixing can produce 2 16 different IVs  The MIC and key mixing algorithms are cryptographically weak But, all the WEP known problems are solved TKIP is a temporary solution – until NICs and APs with new hardware arrives to the market  The 802.11i uses AES encryption


Download ppt "Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007."

Similar presentations


Ads by Google