WEP, WPA, and EAP. Drew Kalina.


1 WEP, WPA, and EAP Drew Kalina

2 Overview
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Extensible Authentication Protocol (EAP)

3 WEP
- Encryption method: RC4
- Key size: 40 bits
- Hash method: ICV
- 802.11x authentication: optional
- Key distribution: manual

4 WEP Vulnerabilities
- ICV insecure – based on CRC32 (bad)
  - ICV can be modified to match message contents
- IV key reuse attack
  - Small IV allows this
  - IV sent as plaintext
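The ICV weakness on slide 4, worked through as an added example that is not part of the original presentation: because CRC32 is unkeyed and linear and RC4 encryption is a plain XOR, a frame can be altered without the key and still pass the ICV check, while a keyed tag rejects the same change. The IV, keys and messages are constructed sample values, and HMAC-SHA256 is a stand-in keyed MAC chosen for the contrast, not WPA's Michael.

```python
import hashlib, hmac, struct, zlib

def rc4(key, n):
    """RC4 keystream of n bytes (the cipher WEP uses)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(msg):                        # WEP's ICV: unkeyed CRC32
    return struct.pack("<I", zlib.crc32(msg))

def seal(iv, key, msg, tag):
    body = msg + tag(msg)
    return xor(body, rc4(iv + key, len(body)))   # per-frame RC4 key is IV || key

def unseal(iv, key, ct, tag, tag_len):
    body = xor(ct, rc4(iv + key, len(ct)))
    msg, got = body[:-tag_len], body[-tag_len:]
    return msg if hmac.compare_digest(tag(msg), got) else None

def flip_without_key(ct, delta):
    """Apply delta to the hidden message and adjust a CRC32 ICV to match.
    Uses crc32(m ^ d) == crc32(m) ^ crc32(d) ^ crc32(zeros) for equal lengths."""
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    mask = (delta + struct.pack("<I", fix)).ljust(len(ct), b"\0")
    return xor(ct, mask)

# Constructed sample values, not taken from the slides.
IV, KEY, MAC_KEY = b"\x01\x02\x03", b"\xaa\xbb\xcc\xdd\xee", b"separate-mac-key"
MSG = b"status=green"
DELTA = xor(MSG, b"status=amber")        # bit difference between the two messages

def keyed_tag(msg):                      # stand-in keyed MAC (HMAC-SHA256), not Michael
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def demo():
    crc = unseal(IV, KEY, flip_without_key(seal(IV, KEY, MSG, crc_icv), DELTA), crc_icv, 4)
    mac = unseal(IV, KEY, flip_without_key(seal(IV, KEY, MSG, keyed_tag), DELTA), keyed_tag, 32)
    return crc, mac                      # altered frame accepted under CRC32; None = rejected
```
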

5 WEP Vulnerabilities (cont)
- Known plaintext attack
  - Lots of unencrypted TCP/IP traffic
  - Send pings from internet to access point
  - String length N can be recovered for a given IV
  - Packets of size N can be forged using IV

6 WEP Vulnerabilities (cont)
- Partial Known Plaintext
  - Only a portion of message is known (e.g. IP header)
  - Can recover M octets of key stream where M<N
  - Extend the known key stream from M to N through probing
  - Divert packets to attacker by flipping CRC32 bits

7 WEP Vulnerabilities (cont)
- Authentication forging
  - Use recovered key stream and IV because client specifies IV
- Dictionary attacks
  - Key derived from vulnerable password
- Realtime decryption
  - Dictionary of IVs and keystreams
  - Only 2^24 possibilities
  - Can be stored in 24GB disk space

8 WEP summary
- Weak encryption with other problems
- If possible, use some other protocol
- Still better than plaintext

9 WPA
- Encryption method: RC4, TKIP
- Key size: 128 bits (varies)
- Hash method: ICV, Michael
- 802.11x authentication: can be required
- Key distribution: TKIP

10 WPA (cont)
- Michael generates MIC (Message Integrity Code)
  - 8 bits
  - Placed between data and ICV
- TKIP (Temporal Key Integral Protocol)
  - Resolves keys to be used, looks at client’s configuration
  - Changes encryption key every frame
  - Sets unique default key for each client

11 WPA Vulnerabilities
- Birthday attack
  - Get a pair D,M where D_1 = MIC(M_1)
  - When D_i = D_1 where D_i != 1, attack is successful
  - Probability for success: 2^32
  - If keys change during attack, forgery is garbage

12 WPA Vulnerabilities (cont)
- Differential cryptanalytic attack
  - Michael results have special characteristics
  - M = M_i XOR M_j and D = D_i XOR D_j called characteristic differentials
  - After characteristic differentials obtained, try to find MIC (learn parts of the key)
  - Probability of success 2^30
  - Optimal attack exists with O(2^29)

13 WPA Vulnerabilities (cont)
- Temporal Key
  - Lost RC4 Keys
  - Can discover TK and MIC
  - Can forge messages
  - Not a practical attack, O(2^105)
  - Does show susceptibility in parts of WPA

14 WPA Vulnerabilities (cont)
- DOS
  - Access point shuts down for 60 seconds if forged unauthorized data detected
  - Possible to shut access points with little network activity
- PSK
  - Used in absence of 802.1x, 1 per ESS (usually).
  - Internal person can use this, and a captured MAC address/nonce to imitate another client
  - Vulnerable to external dictionary attacks, if short

15 WPA summary
- Much better than WEP (if 802.1x)
- WEP2 even better using AES-CCMP
- There are still vulnerabilities
- Many WEP devices are upgradeable to WPA (not WPA2)

16 Suggestions for WPA
- Rekey security associations after failures
- Lower/eliminate timeouts after detecting forged packets
  - Currently would take 1000+ years to break with 60 second timeouts

17 EAP
- Transmission method and framework for authentication protocols
- Works with many authentication protocols such as RADIUS, Kerberos.
- Uses a variety of transport methods

18 EAP Transport methods
- EAP-TLS
- EAP-TTLS
- PEAP (Protected EAP)
- LEAP (Light EAP)

19 Vulnerabilities in LEAP
- Dictionary attack
- Early versions of MS-CHAP weak

20 That’s all!

