Presentation is loading. Please wait.

Presentation is loading. Please wait.

How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

Similar presentations


Presentation on theme: "How To Not Make a Secure Protocol 802.11 WEP Dan Petro."— Presentation transcript:

1 How To Not Make a Secure Protocol 802.11 WEP Dan Petro

2 What is WEP? Wired Equivalent Privacy Wireless LAN security protocol  Uses IEEE 802.11 a,b,g, and n Provides certain security services Originally 64 bits, but has been extended to 128 bits and even 256 bits Easily broken Why? And How?  Fundamentally poor design choices

3 How does WEP work? It works like a One Time Pad Keystream is pseudorandom XOR'd with plaintext Perfectly secret ciphertext Right? What's the worst that could happen?

4 Design Goals of WEP Confidentiality  RC4 cipher and XOR operation Integrity  CRC of message inside plaintext Authentication?!* Availability?!

5 Keys Not one, but two keys.  Primary Master Key or just “key” (Secret)  Initialization Vector (Well known) Key = 40 bits IV = 24 bits  Total = 64 bits

6 Failure #1 ONE TIME Pad  You must never use the same key(stream) twice. In WEP, Key = PMK + IV  IV changes for each message  If an IV is ever used twice, the same keystream will be used twice IV is only 24 bits  Birthday Attack = collision every 5,000 frames.

7 Failure #1 What's the harm?  Cipher1 = Plaintext1 ⊕ Keystream  Cipher2 = Plaintext2 ⊕ Keystream You now know Plaintext1 ⊕ Plaintext2  If you happen to know one of the plaintexts, then you can decrypt any new ciphertext that uses the same Keystream  Full and partial knowledge No diffusion! Even worse: WEP does not specify how to select IV's.

8 Failure #1 Example Capture multiple Ciphertexts with the same IV Obtain a (partial) Known Plaintext Decrypt corresponding bits in the other messages.

9 Failure #2 Integrity Failure  Linear CRC is used for Integrity.  Not a Cryptographically Secure Hash Function Linear means distributive  CRC(a) xor CRC(b) Equals  CRC(a xor b)

10 Failure #2 Arbitrary packet forgery!  Even with partial knowledge. If you know the plaintext of any part of a message, you can change it. WEP sends DST IP in plaintext

11 Failure #2.5 IP Redirection Attack – Change every IP address to that of the attacker outside the network.

12 Failure #3 Authentication Fail 1) Client Hello 2) Server Plaintext Challenge (128 Bytes) 3) Client Sends Encrypted Challenge back

13 Failure #3 But we can change the contents of any message, remember? Observe one valid authentication.

14 Failure #3 Now just change the contents of this captured response to be the challenge you need!

15 Failure #4 Getting a “Known Plaintext Attack”  WEP does not mask the size of frames  You can see exactly how long each message is. Mix that with TCP/IP, and you get a known plaintext attack ARP messages are very short, and of known length. (28 ARP bytes + 14 Layer 1 Bytes= 42 Bytes Total)  Lots of routers automatically send tons of ARP messages constantly

16 Failure #4.5 ARP Replay Attack  ARP is stateless  One ARP request packet can be replayed over and over  Hosts will respond with fresh traffic as responses  Allows for an arbitrary amount of traffic to be generated in use with other attacks.  Upgrade the attack to “Chosen Plaintext”

17 Failure #5 No Server Authentication Rouge AP's Attacker makes another AP with the same SSID Victim connects to the wrong AP Now you have a Man- in-the-Middle

18 Failure #6 The Cafe Latte Attack  No authentication Clients keep a list of favorite AP's  One's they've used before When powering on, they try to connect to those AP's Stimulate traffic from client, crack key

19 Failure #7 If the PMK is known, all bets are off  WEP does not specify how PMKs are chosen or exchanged. It's a standard “Shared Secret” problem!  Social Engineering Use a Rouge AP  Dictionary attacks  Out of Band attacks Does your company have a piece of paper with the key laying around? It probably does.

20 Failure #8 Denial of Service Firstly, it is legal to jam 2.4GHz signals  Just not cell phones!  802.11 Wifi is naturally vulnerable to this But not Bluetooth! Associate / Disassociate Packets are unencrypted If there is a single malicious user on your network, he can bring the whole thing down  ARP Cache Poisoning  DOSS (Denial of Service... with Style)

21 Failure #9 No Session Keys! How the network's perimeters should look: How it does look:

22 Failure #9 Airpwn  First “displayed” at Defcon 12 Intercepts data just like with a Rouge AP Responds to HTTP traffic before the real web server can Result?  Anything you want!

23 The Breaks Key recovery attacks due to RC4 Fluhrer, Mantin and Shamir attack  Discovered that the first few bytes produced is highly non-random Andreas Klein  Even more correlations between key and keystream found Tews, Weinmann, and Pyshkin. (PTW)  Built upon Klein's analysis and built Aircrack- ptw  (Now Aircrack-ng)

24 References and links Intercepting Mobile Communications: The Insecurity of 802.11  http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf Wikipedia  http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy Weaknesses in the Key Scheduling Algorithm of RC4  http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf CC-BY-SA


Download ppt "How To Not Make a Secure Protocol 802.11 WEP Dan Petro."

Similar presentations


Ads by Google