Intercepting Mobile Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner – Berkeley – MobiCom 2001 ► Lecture by Danny Bickson.


1 Intercepting Mobile Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner – Berkeley – MobiCom 2001 ► Lecture by Danny Bickson 21.3.04

2 WEP Protocol
► WEP – Wired Equivalent Privacy
► Wireless standard 802.11
► Link layer
► Protocol goals:
   - Confidentiality: prevent eavesdropping
   - Access control: prevent unauthorized access
   - Data integrity: prevent tampering of messages
► We show that none of the security goals are attained

3 Network Model Internet

4 WEP Algorithm: Encryption
[Diagram: Message | CRC(M), RC4(k,IV), IV | Cipher]

5 WEP Algorithm: Decryption
[Diagram: Message | CRC(M), RC4(k,IV), IV | Cipher]

6 Confidentiality

7 Stream cipher properties
► Given two ciphertexts C1, C2 produced with the same keystream: C1 ⊕ C2 = P1 ⊕ P2.
► Keystream reuse can lead to a number of attacks:
   - If the plaintext of one message is known, the other is immediately obtainable.
   - In the general case, there are known techniques for breaking reused keystreams.
   - As the number of reused keystreams increases, breaking them becomes easier.
► Two conditions are required for this class of attacks to succeed:
   - Availability of ciphertexts where the keystream is used more than once.
   - Partial knowledge of some of the plaintexts.

8 Finding instances of keystream reuse ► Shared key k changes rarely. ► Reuse of an IV causes reuse of the keystream. ► IVs are public.

9 IV Usage ► The standard recommends (but does not require) changing the IV. ► Common PCMCIA cards set the IV to zero and increment it by 1 for each packet. ► IV size is only 24 bits. ► A busy access point at 5Mbps will exhaust the available IV space in 11 hours. ► Birthday paradox: with random IV selection, 5000 packets are needed with high probability to find a collision.

10 Exploiting keystream reuse ► Many fields of IP traffic are predictable. ► For example: login sequences. ► Active attack (known plaintext)

11 Decryption dictionaries ► Once the plaintext of an encrypted message is obtained, the keystream value is stored in a dictionary. ► Full table requires 24GB ► Size of the dictionary does not depend on the size of the key

12 Key management

13 Message Authentication ► Message modification ► Message injection

14 Message Modification
► The checksum used is CRC-32, which is a linear function of the message.
► In other words, the checksum distributes over the XOR operation: C(x ⊕ y) = C(x) ⊕ C(y)
► The RC4 stream cipher is also linear.

15 The attack
Given C, we would like to create C’ such that C’ decrypts to M’ instead of M.
[Diagram: Message | CRC(M), RC4(k,IV), Cipher]
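
Added example (not part of the original lecture or paper): a minimal WEP-style encapsulation in Python showing the two properties from slides 7 and 14-15, that a reused IV gives C1 ⊕ C2 = P1 ⊕ P2 and that a ciphertext change with a matching CRC patch passes the integrity check without the key. The key, IV, messages and function names are constructed for this example; it uses the real CRC-32, which is affine rather than strictly linear, hence the extra all-zero term in the patch.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for `key`."""
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(msg: bytes) -> bytes:
    return zlib.crc32(msg).to_bytes(4, "little")   # WEP integrity check value

def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    plain = msg + crc(msg)
    return xor(plain, rc4(iv + key, len(plain)))   # RC4 seed is IV || key

def wep_decrypt(key: bytes, iv: bytes, cipher: bytes):
    plain = xor(cipher, rc4(iv + key, len(cipher)))
    msg, check = plain[:-4], plain[-4:]
    return msg if crc(msg) == check else None      # None: checksum rejected

def modify(cipher: bytes, diff: bytes) -> bytes:
    """XOR `diff` into the message part and patch the checksum, without the key.
    Real CRC-32 is affine, so the patch also needs the CRC of an all-zero
    string of the same length: crc(x^y) = crc(x) ^ crc(y) ^ crc(0...0)."""
    patch = xor(crc(diff), crc(bytes(len(diff))))
    return xor(cipher, diff + patch)

# Constructed sample values, not taken from the lecture.
KEY, IV = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"
M1, M2 = b"PAY 0100 TO BOB", b"HELLO FROM WLAN"

def demo():
    c1, c2 = wep_encrypt(KEY, IV, M1), wep_encrypt(KEY, IV, M2)  # same IV
    reuse = xor(c1, c2)[:len(M1)] == xor(M1, M2)     # C1^C2 == P1^P2
    diff = xor(M1, b"PAY 9100 TO BOB")
    changed = wep_decrypt(KEY, IV, modify(c1, diff))  # passes the CRC check
    naive = wep_decrypt(KEY, IV, xor(c1, diff + bytes(4)))  # unpatched: rejected
    return reuse, changed, naive

if __name__ == "__main__":
    print(demo())
```

The receiver accepts the changed frame because the checksum is unkeyed and linear under XOR; a keyed MAC over the plaintext would reject it.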

16 Relation to GSM
Encryption: C = G(M) ⊕ A5/2(IV,k)
Decryption:
1. G(M) = C ⊕ A5/2(IV,k)
2. H(G(M)) = 0 ?
3. M = G^-1(G(M))

17 Attack on GSM
H(C) = H(A5/2(IV,k) ⊕ G(M))
     = H(A5/2(IV,k)) ⊕ H(G(M))
     = H(A5/2(IV,k)) ⊕ 0
     = H(A5/2(IV,k))

18 Message Injection ► WEP checksum is an unkeyed function of the message. ► After knowing one keystream we can use it forever. C’ =  RC4(IV,k)

19 Other attacks ► IP redirection. Assumption: Destination address is known.

20 IP redirection (cont.)
► Need to calculate IP checksum
► Several options:
   - IP checksum for original packet is known
   - Original IP checksum is not known
   - Compensate by changing another IP field

21 Reaction Attack
► Works only for TCP protocol
► Pick i at random, let  be all zeros, except for positions i and i+16. Calc C’ = C  
► Two options:
   1. Got an acknowledgment: P_i ⊕ P_{i+16} = 1
   2. Else: P_i ⊕ P_{i+16} = 0
► Each test reveals 1 bit of information

22 Conclusion ► Design of security protocols is difficult (more than the design of network protocols) ► Combining several secure algorithms does not mean that the result is secure ► Engineering perspective dictated selection of cryptographic algorithms

23 THE END ► Thank You!

