Download presentation
Presentation is loading. Please wait.
1
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007
2
Resources Borisov, Goldberg, Wagner. Intercepting mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking. http://www.isaac.cs.berkeley.edu/isaac/we p-draft.pdf Guillaume Lehembre Wifi Security: WEP, WPA and WPA2 http://www.hsc.fr/ressources/articles/hakin 9_wifi/hakin9_wifi_EN.pdf
4
WEP Protocol WEP – Wired Equivalent Privacy Wireless standard 802.11 Link layer Protocol goals: Confidentiality: prevent eavesdropping Access control: prevent unauthorized access Data integrity: prevent tampering of messages We show that none of the security goals are attained
5
Network Model Internet
6
WEP Algorithm Encryption MessageCRC(M) RC4(k,IV) CipherIV
7
WEP Algorithm Decryption MessageCRC(M) RC4(k,IV) CipherIV
8
Confidentiality
9
Stream cipher properties Given two ciphers C 1,C 2 – C 1 C 2 = P 1 P 2. Keystream reuse can lead to a number of attacks: If plaintext of one message is known, the other is immediately obtainable. In the general case, known techniques for breaking reused keystreams. As the number of reused keystream increases breaking them becomes easier. Two conditions required for this class of attcks to succeed: Availability of ciphertexts where keystream is used more than once. Partial knowledge of some of the plain texts.
10
Finding instances of keystream reuse Shared key k changes rarely. Reuse of IV causes reuse of keystream. IV are public.
11
IV Usage Standard recommends (but not requires) change of IV. Common PCMCIA cards sets IV to zero and increment it by 1 for each packet. IV size is only 24 bits. Busy access point of 5Mbps will exhaust available space in 11 hours. Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision
12
Exploiting keystream reuse Many fields of IP traffic are predictable. For example: login sequences. Active attack (known plaintext)
13
Decryption dictionaries Once plaintext of encrypted message is obtained, keystream value stored in dictionary. Full table requires 24GB Size of dictionary does not depend of size of key
14
Key management
15
Message Authentication Message modification Message injection
16
Message Modification Checksum used is CRC-32 which is a linear function of the message: In other words, checksum distributes over the XOR operation. C(x y) = C(x) C(y) RC4 stream cipher also linear.
17
The attack Given C we would like to create C ’ s.t. C ’ decrypts to M ’ instead of M. MessageCRC(M) RC4(k,IV) Cipher CRC( ) = MessageCRC(M) RC4(k,IV) CRC( ) = RC4(k,IV) ’’CRC( ’) =
18
Message Injection WEP checksum is an unkeyed function of the message. After knowing one keystream we can use it forever. C ’ = RC4(IV,k)
19
Other attacks IP redirection. Assumption: Destination address is known.
20
IP redirection (cont.) Need to calculate IP checksum Several options IP checksum for original packet is known Original IP checksum is not known Compensate by changing another IP field
21
Reaction Attack Works only for TCP protocol Pick i at random, let be all zeros, except for positions i and i+16. Calc C ’ = C Two options: 1. Got an acknowledgment, P i P i+16 = 1 2. Else P i P i+16 = 0 Each test reveals 1 bit of information
22
Example attacks
23
ARP Request
27
Conclusion Design of security protocols is difficult (more than the design of network protocols) Combining several secure algorithms does not mean that the result is secure Engineering perspective dictated selection of cryptographic algorithms
28
Fixing WEP WPA – Wi-Fi Protected Access and 802.11i
29
WPA WPA – Wi-Fi Protected Access Draft security enhancements for 802.11 A subset of the 802.11i proposed standard Proposed by IEEE 802.11 TGi (Task Group i) Design goals Preserve packet format Work with deployed 802.11 hardware in AP and NICs Composed of two components Authentication and master key generation – 802.1X TKIP (Temporal Key Integrity Protocol) - Temporal key generation, Confidentiality and Integrity
30
802.11i A proposed standard Defines authentication, key management, confidentiality, integrity and encapsulations for 802.11 Includes WEP (current implemented) Encryption: RC4; Integrity: CRC-32 TKIP (temporary solution) Encryption: RC4; Integrity: Michael WRAP (Wireless Robust Authenticated Protocol) Encryption: AES; Integrity: HMAC-MD5
31
TKIP – Temporal Key Integrity Protocol
32
TKIP Components TKIP is a wrapper around WEP A cryptographic MIC (Message Integrity Code) A per-packet sequence number A per-packet key mixing function A rekeying mechanism (802.1X)
33
TKIP MIC MICHAEL the MIC function is designed for very low bandwidth CPU (the ones that are used by the Access Point) Key length – 64 bits The MIC is computed over the source address, the destination address and the data Protects against packet modification (e.g. bit flipping) Protects against header forgery
34
WEP with Enabled MIC =CRC =MAC
35
TKIP Sequence Counter The station and the Access Point maintain a TKIP sequence counter The transmitter increments the TKIP sequence counter each time it sends a packet The counters are reset when new temporal keys are established The sequence counter is mixed with the temporal key and the transmitter MAC address to create a RC4 seed key On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage Protects against replay attack
36
TKIP Keys TKIP is using temporal keys The station and the Access Point periodically exchange temporal keys Four keys One Integrity (MIC) and one Encryption key per direction
37
TKIP ENCAPSULATION
38
TKIP Encapsulation Calculate the 64 bits MIC with the MIC temporal key, over the source and destination addresses. The MIC is inserted into the message data The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key The first three bytes of the key are stored in the IV field The remaining 13 bytes are stored in a free WEP key buffer The packet is sent to WEP processing
39
TKIP DECAPSULATION
40
TKIP Decapsulation The IV and the temporal key are concatenated, to create the RC4 seed key The key is de-mixed – to create the TKIP sequence counter. The counter is checked to be in sequence The key, the IV and the data are sent for WEP decapsulation After RC4 decryption, the MIC, with the temporal MIC key, is computed over the source and destination addressed and the decrypted packet, and is compared to the MIC field in the packet
41
TKIP Notes The TKIP temporal key must be exchanged every less then 2 16 packets, since the key mixing can produce 2 16 different IVs The MIC and key mixing algorithms are cryptographically weak But, all the WEP known problems are solved TKIP is a temporary solution – until NICs and APs with new hardware arrives to the market The 802.11i uses AES encryption
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.