Download presentation
Presentation is loading. Please wait.
1
1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007
2
2 Introduction WEP We read a lot about the problems with WEP … kind of an afterthought for security –How does it work? –What are its weaknesses? –Are there any strengths? –What does an attacker need to do to break WEP encryption?
3
3 WEP Overview WEP –Wired Equivalent Privacy Originally deployed with 802.11 networks Only security for first 5 years WEP was not ever meant to provide military levels of security WEP is efficient – one of its strengths!! –Can be implemented in hardware or software WEP is exportable – Other countries can use it !! –Approved by US Department of Commerce Is optional !!! Can use NO security with 802.11
4
4 Recall Original Purpose of WEP Designed to … –Keep outsiders from connecting to a network or monitoring traffic on that network –Nothing more –Was not designed to be end-to-end encryption –Does not distribute and manage encryption keys
5
5 WEP Overview WEP – More details –Typically is implemented as firmware Incorporated in all Wi-Fi AP’s and client adaptors –Standard Only defines 64 bit key 128 bit, and now 256 bit keys are extensions Mixing hardware risks some incompatibilities
6
6 Based on RC4 Cipher RC4 Cipher is a Stream Cipher –Stream cipher as opposed to block ciper Stream ciphers encode sequences of plain text into cipher text in a continuous process while Block ciphers process blocks of data –Uses a stream of bits called keystream –Combined with text to produce cipher text –Ciphertext can then be combined with same keystream to recover original data –Most stream ciphers take short secret key and expand it into a pseudorandom keystream Resulting keystream is same length as message
7
7 Basic WEP Function Each byte of data is encrypted using a different pseudorandom key Ensures that if this packet’s key is cracked, only information leaked is that which is contained in that packet Actual encryption logic in RC4 is very simple Plain text is XOR-ed with an infinitely long keystream Security of RC4 comes from secrecy of pseudorandom key that’s derived from keystream
8
8 Plain Text Cipher Text Psedorandom key
9
9 WEP Definitions Where … Pseudorandom key: is formed by combining a pre-shared passphrase or WEP key for each AP, a state array and an initialization vector (IV) Pre-shared passphrase: The same pre-shared password is used by all users State Array: It’s a series of numbers which are scrambled and then used by RC4 to construct the key stream. Initialization Vector (IV): The IV is a 3-byte random number generated by the computer It’s either prepended or appended to cipher text and sent to the receiver who strips the IV off before decrypting the cipher text Little bit more on IV’s and their purpose ….
10
10 IV’s Solve a Problem What’s the purpose of IV’s? Make variable keys for each packet!!! Problem using fixed key values All data values encrypted with same key So, get same encrypted result for same data Attacker can spot same encrypted bytes and possibly decipher plain text This is a bad idea …
11
11 IV’s Solve a Problem IV is Solution to fixed key problem –Instead of using fixed secret key to encrypt packets you combine key with 24-bit number Changes for every packet –IV not really part of key since its passed unencrypted with encrypted frame –IV always changes, so same data will result in different ciphertext
12
12 IV’s Solve a Problem IV sent in clear –Receiver needs to know what IV to use to decrypt data –In theory, knowledge of IV useless without knowledge of secret part of key –So, never want to reuse the IV with the same secret key … more about this later –Look more at the RC4 algorithm …
13
13 RC4 Algorithm Who is this person?
14
14 RC4 Algorithm RC4 stands for –4 th cipher designed by Ron Rivest 1987 by RSA Labs Regarded as a trade secret –Algorithm was reverse engineered and made public in 1994 by anonymous person –Still some controversy surrounding this event
15
15 RC4 Algorithm In September 1994 –Description of it was anonymously posted to the Cypherpunks mailing list –It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet –Leaked code was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4 –No longer a trade secret …
16
16 RC4 Algorithm Basic Idea 1)Generate pseudorandom sequence of bytes called a keystream 2)Combined with data using XOR XOR combines two bytes to get one by exclusive or’ing each bit 00110101 XOR 11100011 = 11010110 Characteristic of XOR – apply same value twice, get original value
17
17 RC4 Algorithm XOR 00110101 XOR 11100011 = 11010110 11010110 XOR 11100011 = 00110101 A XOR B = C, C XOR B = A A XOR B = C, C XOR B = A Encryption use of RC4 Plaintext XOR Keysequence = Ciphertext Ciphertxt XOR Keysequence = Plaintext Same
18
18 RC4 Algorithm Keysequence –Must be generated by both ends of the link –Idea is, can calculate next byte in sequence only if you know key used to generate stream –If don’t know key, looks random –XOR easy to compute, challenge is generate good pseudorandom number stream One for each byte of message
19
19 RC4 Algorithm Two phases to Algorithm –Key Scheduling Algorithm and pseudorandom generation 1.Key Scheduling algorithm establishes a 256 byte array with encoded with the numbers 0 – 255 S-Box -Create array of 0 – 255 in order K-Box – 2nd 256 byte array, filled with secret key Key is repeated to fill array
20
20 RC4 Algorithm Key Scheduling Algorithm continued … S-Box locations swapped with each other j is computed index into S-boxSwap Computed: j = (value in S-box[0]) + (value in K-box[0]) j = single byte, value no greater than 255 j used as index into S-box and value at that location is swapped with value in first location Procedure done 255 times until all bytes in S-box have been swapped
21
21 RC4 Algorithm Key Sch. Algorithm …continued … i = j = 0 For i = 0 to 255 j = (j + S[i] + K[i]) mod 256); swap(S[i], S[j]); End; After S-box initialized, next phase is pseudorandom number generation. Involves more swapping of bytes in S-box and creates one pseudorandom byte (R) per iteration
22
22 RC4 Algorithm 2. Pseudorandom number generation, creates R i = (i + 1) mod 256 j = (j + S[i]) mod 256 Swap S[i] and S[j] k = (S[i] + S[j]) mod 256 R = S[k] Later, ciphertext is created for each byte of plaintext by XORing byte with an R value
23
23 Example: Simple 4 byte password i=0 j=0 password = 6258 length=4 index=4 Step-1 State array: State[0]=0 State[1]=1 State[2]=2 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [0 + S[0] + K[0]] mod 4 = 6 mod 4 = 2 Swap(State[0], State[2]) = Swap(0,2) State[0]=2 State[1]=1 State[2]=0 State[3]=3
24
24 Example: Simple 4 byte password Step-2 i=1 j=2 State array: State[0]=2 State[1]=1 State[2]=0 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [2 + S[1] + K[1]] mod 4 = 5 mod 4 = 1 Swap(State[1], State[2]) = Swap(1,0) State[0]=2 State[1]=0 State[2]=1 State[3]=3
25
25 Example: Simple 4 byte password Step 3 i=2 j=1 State array: State[0]=2 State[1]=0 State[2]=1 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [1 + State[2] + K[2]]mod 4 = 7 mod 4 = 3 Swap(State[2], State[3]) = Swap(1,3) State[0]=2 State[1]=0 State[2]=3 State[3]=1 ------------------------------------------------------------------------------------------- Step 4 i=3 j=3 State array: State[0]=2 State[1]=0 State[2]=3 State[3]=1 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [3 + State[3] +K[3]]mod 4 = 12 mod 4 = 0 Swap(State[3], State[0]) = Swap(1,2) State[0]=1 State[1]=0 State[2]=3 State[3]=2 Final State Array: State[0]=1 State[1]=0 State[2]=3 State[3]=2
26
26 Example: Simple 4 byte password 1. Pseudorandom number generation, z1-z4 Initially i=0 j=0 K[0]=6 K[1]=2 K[2]=5 K[3]=8 First Loop: State[0]=1 State[1]=0 State[2]=3 State[3]=2 i=1 j=0+State[1]=0+0=0 Swap(State[1], State[0]) = Swap(0,1) State[0]=0 State[1]=1 State[2]=3 State[3]=2 z = State[State[1] + State[0] mod 4] = State[1] = 1 z1 = 00000001
27
27 Example: Simple 4 byte password Second Loop: State[0]=0 State[1]=1 State[2]=3 State[3]=2 i=2 j=0+State[2]=3 Swap(State[2], State[3]) = Swap(3,2) State[0]=0 State[1]=1 State[2]=2 State[3]=3 z = State[State[2] + State[3] mod 4] = State[1] = 1 z2 = 00000001
28
28 Example: Simple 4 byte password Third Loop: State[0]=0 State[1]=1 State[2]=2 State[3]=3 i=3 j=3+State[3]=6 mod 4 = 2 Swap(State[3],State[2]) = Swap(3,2) State[0]=0 State[1]=1 State[2]=3 State[3]=2 z = State[State[3] + State[2]] mod 4 = State[1] = 1 z3=00000001 Fourth Loop: State[0]=0 State[1]=1 State[2]=3 State[3]=2 i=4 j=2+State[4]=2+State[4 mod 4] = 2+State[0] = 2 Swap(State[4],State[2]) = Swap(State[0],State[2]) = Swap(0,3) State[0]=3 State[1]=1 State[2]=0 State[3]=2 z4 = State[State[4] + State[2]] = State[State[0] + State[2]] = State[3] = 2 z4=00000010
29
29 Example: Simple 4 byte password After calculating Z’s, use them to encrypt z1 = 00000001 z2= 00000001 z3= 00000001 z4= 00000010 T xor z1 = 01010100 xor 00000001 = 01010101 = U E xor z2 = 01000101 xor 00000001 = 01000100 = D S xor z3 = 01010011 xor 00000001 = 01010010 = R T xor z4 = 01010100 xor 00000010 = 01010110 = U The word TEST when encrypted with WEP is UDRU Example came from: http://palisade.plynt.com/issues/2006Dec/wep-encryption/
30
30 RC4 Cipher is Fairly Strong RC4 is secure –Implementation that makes crypto insecure –Difficult to implement strong crypto –Implementation weakens crypto Insecure key storage Poor random number generation Flaws in key generation –Specifically for WEP, Initialization Vector has problems
31
31 WEP IV Problems Two problems with way IV’s created 1. IV’s are reused over time Never want that to happen, attacker can figure out plaintext using identical keys 2. IV’s have a certain percentage that are weak Easier to break encryption than typical IV
32
32 Initialization Vector Reuse (IV) However, 24 bits is not that long … –Maximum value = 16,777,216 ≈ 17 million –Busy AP at 11 Mpbs is capable of transmitting/receiving about 700 average packets/sec –If different IV used for each packet, use all IV’s in about 7 hours! –IV’s are then reset … and the sequence is started over
33
33 IV Weakness Explanation –Limited number of rearrangements between the initial setup of the key table and the first pseudorandom byte – Found by Fluhrer et al 2001 (See ref at end …) –Showed that for certain key values, weak keys, disproportionate number of bits in first few bytes of key stream were determined by a few bits in the key itself –If you change one bit in key then output should be different. Yet, some bits of key had a bigger effect on output which reduced the number of effective bits –So, certain key combinations don’t produce sufficiently random data for first few bytes
34
34 IV Weakness Fluher et al showed problems –Allowed attacker to wait for potentially weak key and directly attack the key Works like this: Assume know first few plaintext bytes Watch transmission looking for a weak key Know there is a correlation between ciphertext, plaintext and secret key bytes
35
35 IV Weakness Continued … Since, only limited number of possible values for first secret key byte After capturing about 60 messages, attacker can guess first key byte with reasonable certainty. Can attack each secret key byte in turn, so extracts entire message. Increasing key size from 40 to 104 bytes only increases time to do this by 2.5 times Time increases linearly instead of exponentially In their favor, manufacturers try to disallow weak IV values
36
36 WEP Keys Reason for four keys –Supposed to help you change your keys –Can use multiple keys simultaneously until you, the manager wants to switch permanently to the new key –Only one key at a time is the active key for encrypting –But can decrypt using non-active keys –Active key is identified by key number 0, 1, 2, 3 –Still need to figure out how to distribute keys...
37
37 WEP Keys How to distribute keys? Standard does not specify how keys are distributed At home, easy to configure several computers to use same key Corporate setting, hundreds of computers –Distribution more difficult –Change key, and how to update everyone to new key –For now, up to individual sites to manage keys
38
38 Diagram of Encryption Process
39
39 WEP Mechanics User has plaintext message First, Create an Integrity Check Value –Integrity Check Value (ICV) –Computed on unencrypted message –Added to message and encrypted so attacker can’t change message and recompute a CRC on altered message
40
40 WEP Mechanics DATAICV Compute Check Encrypt DATAICV
41
41 WEP Mechanics Preparing Frame for Transmission –System selects an Initial Vector (IV) value and appends it to the secret WEP key Encrypts message –Passes each byte from data and ICV block to encryption engine –For each byte plaintext going in, encrypted byte comes out Until all bytes processes
42
42 WEP Mechanics Preparing Frame for Transmission –For decryption, key number (0 – 3) and IV value stuck on front of message Takes 4 bytes for these values Unencrypted DATAICVIVKey ID Encrypted
43
43 WEP Mechanics Frame for Transmission MAC header is added and CRC for transmission errors One bit in MAC header for WEP on/off Receive Process WEP on, reads and stores IV values Reads Key ID so it knows to use correct key Appends IV value to Secret Key and initializes RC4 crypto engine with that value
44
44 WEP Mechanics Receive Process RC4 requires same process for both encryption and decryption After encryption engine initialized, data run through one byte at a time to get back original message Final step, recompute ICV and verify value matches that sent in message
45
45 History of WEP WEP began in –1999 –Most systems supported key extensions of up to 104 bits –Industry still wasn’t sure WEP was secure –By 2000, wireless was everywhere and researchers began to investigate security –Major attack was discovered and published in 2001 showing keys could be extracted in hours – no matter the key length
46
46 WEP Insecurity Other problems in WEP –Want security to provide number of mechanisms Authentication Access Control Replay prevention Message modification Message privacy Key protection –WEP doesn’t provide any of these
47
47 Authentication Proof between two entities –You are you –Should not be a one-time process Every time you communicate should authenticate –Wireless, want mutual authentication Both mobile device and AP Use different keys for authentication and encryption
48
48 Authentication Open authentication –No real authentication mechanism –Systems have used MAC address lists –OK, unless MAC address is spoofed
49
49 Message Replay Watch a stream between AP and device –If WEP encrypted, can guess user has sent login and password Save all data User shuts down Bring up own client and using her MAC address, connect to the network Can replay login message and hopefully login to server Still need WEP key for unencrypting data
50
50 References S. Fluhrer, I. Mantin, A, Shamir. Weakness in the Key Scheduling Algorithm of RC4, http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf Nikita Borisov,Ian Goldberg,David Wagner, Intercepting Mobile Communications: The Insecurity of 802.11 http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf W. A. Arbaugh, N. Shankar, and Y. J. Wan. Your 802.11 wireless network has no clothes, http://www.cs.umd.edu/~waa/wireless.pdf
51
51 Finish Next time: WPA/IEEE 802.11i Reading: Read Articles on CourseNotes page See Assignments page … new assignment
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.