1. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 1 An Inductive Chosen Plaintext Attack against WEP/WEP2 William A. Arbaugh University of Maryland, College Park waa@cs.umd.edu

2. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 2 Talk Outline Introduction –WEP/WEP2 –IP –Walker/Berkeley Attacks Attack Overview Attack Details Conclusions

3. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 3 WEP/WEP2 802.11 HdrData Encryption Algorithm = RC4 Per-packet encryption key = IV concatenated to a pre-shared key WEP: 24 bit IV WEP2: 128 bit IV WEP allows IV to be reused with any frame Data integrity provided by CRC-32 of the plaintext data (the “ICV”) Data and ICV are encrypted under the per-packet encryption key 802.11 HdrDataIVICV EncapsulateDecapsulate

4. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 4 How to Read WEP Encrypted Traffic (1) 50% chance of a collision exists already after only 4823 packets!!! Pattern recognition can disentangle the XOR’d recovered plaintext. Recovered ICV can tell you when you’ve disentangled plaintext correctly. After only a few hours of observation, you can recover all 2 24 key streams. 802.11 HdrDataIVICV 24 luxurious bits Encrypted under Key +IV using a Vernam Cipher

5. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 5 How to Read WEP Encrypted Traffic (2) Ways to accelerate the process: –Send spam into the network: no pattern recognition required! –Get the victim to send e-mail to you The AP creates the plaintext for you! –Decrypt packets from one Station to another via an Access Point If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other –Etc., etc., etc.

6. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 6 Observations Walker/Berkeley attacks require either: –Depth and post analysis –Cooperating agent for known plain text Can we do better?

7. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 7 Inductive Chosen Plain Text Base Case: Recover an initial pseudo random stream of length n from known plain text. Inductive step: Extend size of known pseudo random to n+1 by leveraging the redundant information in the CRC.

8. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 8 Base Case Find initial pseudo random stream of size n. –Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address. Known source (0.0.0.0), destination (255.255.255.255), header info Allows the recovery of 24 bytes of pseudo random stream: Let n = 24

9. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 9 Inductive Step 1.Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc. 2.Compute ICV and append only the first three bytes. 3.XOR with n bytes of pseudo random stream. 4.Append last byte as the n+1 byte

10. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 10 Inductive Step Data n-3 ICV 3 Pseudo Random Steam  Encrypted Data byte Iterate over the 255 possibilities 802.11 Hdr DataIVICV-1 byte n+1

11. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 11 Inductive Step 5. Now send datagram and wait for a response. 6. If no response, try another of the 254 remaining possibilities. 7. If there is a response, then we know: The n+1 byte was the last byte of the ICV, thus we have matching plaintext and ciphertext which gives us the n+1 byte of the pseudorandom stream.

12. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 12 After Response Data n-3 ICV 3 Pseudo Random Steam  Encrypted Data 802.11 Hdr DataIVICV-1 byte n+1 byte n+1 plaintext byte byte n+1 pseudo byte byte  n+1 ciphertext byte

13. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 13 Attack Cost Assume moderately aggressive attacker: –~100 attacker transmissions per second –NOTE: ICV failures will not be passed to OS and thus the attack is difficult to observe (failed ICV counter not withstanding) 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case ~40 minutes in average case

14. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 14 WEP Costs 46 hours to build full dictionary of with one attacking host (~35GB) But, the attack is embarrassingly parallel. –Four attacking hosts: 11.5 hours –Eight attacking hosts: 5.75 hours

15. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 15 WEP2 Costs Prohibitive to build entire dictionary in terms of space and time, but we don’t need to do so. Because, we can still find enough pairs to find and attack a vulnerable host on the LAN and recover key actively, e.g. blind scans and blind attacks.

16. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 16 This Attack Works 1.Because of the redundant information provided by the CRC, and 2.Because of the lack of a keyed MIC

17. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 17 Stopping/Mitigating the Attack 1.Add a keyed MIC (stops attack) 2.Adding a replay window (mitigates attack) 3.Modifying the CRC such that it can’t be: a.Easily determined by an attacker b.Not linear (bit flipping attack) (mitigates attack)

18. doc.: IEEE 802.11-01/230 Submission May 2001 William Arbaugh, University of MarylandSlide 18 Conclusions Fundamental problem is that both WEP and WEP2 vulnerable to packet forgery. It’s easy to dismiss this attack (and the Walker/Berkeley attacks) as “academic”. However, it’s only a matter of time before the attacks are implemented/scripted and released …What then?