Presentation is loading. Please wait.

Presentation is loading. Please wait.

How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

Published byBeverly Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "How To Not Make a Secure Protocol 802.11 WEP Dan Petro."— Presentation transcript:

1 How To Not Make a Secure Protocol 802.11 WEP Dan Petro

2 What is WEP? Wired Equivalent Privacy Wireless LAN security protocol  Uses IEEE 802.11 a,b,g, and n Provides certain security services Originally 64 bits, but has been extended to 128 bits and even 256 bits Easily broken Why? And How?  Fundamentally poor design choices

3 How does WEP work? It works like a One Time Pad Keystream is pseudorandom XOR'd with plaintext Perfectly secret ciphertext Right? What's the worst that could happen?

4 Design Goals of WEP Confidentiality  RC4 cipher and XOR operation Integrity  CRC of message inside plaintext Authentication?!* Availability?!

5 Keys Not one, but two keys.  Primary Master Key or just “key” (Secret)  Initialization Vector (Well known) Key = 40 bits IV = 24 bits  Total = 64 bits

6 Failure #1 ONE TIME Pad  You must never use the same key(stream) twice. In WEP, Key = PMK + IV  IV changes for each message  If an IV is ever used twice, the same keystream will be used twice IV is only 24 bits  Birthday Attack = collision every 5,000 frames.

7 Failure #1 What's the harm?  Cipher1 = Plaintext1 ⊕  Keystream  Cipher2 = Plaintext2 ⊕  Keystream You now know Plaintext1 ⊕  Plaintext2  If you happen to know one of the plaintexts, then you can decrypt any new ciphertext that uses the same Keystream  Full and partial knowledge No diffusion! Even worse: WEP does not specify how to select IV's.

8 Failure #2 Integrity Failure  Linear CRC is used for Integrity.  Not a Cryptographically Secure Hash Function Linear means distributive  CRC(a) xor CRC(b) Equals  CRC(a xor b)

9 Failure #2 Arbitrary packet forgery!  Even with partial knowledge. IP Redirection Attack  Change every IP address to that of the attacker outside the network.

10 Failure #3 Authentication  Challenge & Response 1) Client sends request to router. 2) Router sends random 128 byte string to client in plaintext 3) Client sends back the same string, encypted with the Key 4) Server decrypts message, and verifies that the contents match the string sent.

11 Failure #3 But we can change the contents of any message, remember? Obverse one valid authentication. Now just change the contents of this captured response to be the random string you need! Easy as that, now you're authenticated. This is actually worse than no authentication!

12 Failure #4 Getting a “Known Plaintext Attack”  WEP does not mask the size of frames  You can see exactly how long each message is. Mix that with TCP/IP, and you get a known plaintext attack ARP messages are very short, and of known length. (28 bytes + some plaintext headers)  The vast majority of routers send gratuitous ARP messages constantly

13 Failure #4 1/2 ARP Replay Attack  ARP is stateless  One ARP packet read can be replayed over and over  Hosts will respond with fresh traffic as responses  Allows for an arbitrary amount of traffic to be generated in use with other attacks.  Upgrade the attack to “Chosen Plaintext”

14 Failure #5 The Cafe Latte Attack  No authentication Clients keep a list of favorite AP's  One's they've used before When powering on, they try to connect to those AP's Stimulate traffic from client, crack key

15 Failure #5 1/2 Rouge AP's WEP network with SSID “Protected” Attacker makes another AP with the same SSID Victim connects to the wrong AP Now you have a Man- in-the-Middle

16 Failure #6 If the PMK is known, all bets are off  WEP does not specify how PMKs are chosen or exchanged. It's a standard “Shared Secret” problem!  Social Engineering Use a Rouge AP  Dictionary attacks  Out of Band attacks Does your company have a piece of paper with the key laying around? It probably does.

17 Failure #7 Denial of Service Firstly, it is legal to jam 2.4GHz signals  Just not cell phones!  802.11 Wifi is naturally vulnerable to this But not Bluetooth! Associate / Disassociate Packets are unencrypted If there is a single malicious user on your network, he can bring the whole thing down  ARP Cache Poisoning  DOSS (Denial of Service... with Style)

18 Failure #7 1/2 Airpwn  First “displayed” at Defcon 12 Intercepts data just like with a Rouge AP Responds to HTTP traffic before the real web server can Result?  Anything you want!

19 The Breaks What really breaks WEP is RC4 Fluhrer, Mantin and Shamir attack  Discovered that the first few bytes produced is highly non-random Andreas Klein  Even more correlations between key and keystream found Tews, Weinmann, and Pyshkin. (PTW)  Built upon Klein's analysis and built Aircrack- ptw  (Now Aircrack-ng)

20 References and links Intercepting Mobile Communications: The Insecurity of 802.11  http://www.isaac.cs.berkeley.edu/isaac/mobic om.pdf http://www.isaac.cs.berkeley.edu/isaac/mobic om.pdf Wikipedia  http://en.wikipedia.org/wiki/Wired_Equivalent_ Privacy http://en.wikipedia.org/wiki/Wired_Equivalent_ Privacy Weaknesses in the Key Scheduling Algorithm of RC4  http://www.drizzle.com/~aboba/IEEE/rc4_ksap roc.pdf http://www.drizzle.com/~aboba/IEEE/rc4_ksap roc.pdf Any copyrights applicable to these slides including images are copylefted under the GLP v3

Download ppt "How To Not Make a Secure Protocol 802.11 WEP Dan Petro."

Similar presentations

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Similar presentations

Ads by Google