Intercepting Mobile Communications: The Insecurity of 802.11
Post on 14-Jan-2016

…or “Why WEP Stinks”
Dustin Christmann

Introduction
This presentation will discuss the inadequacies of WEP encryption
We’ll discuss the theoretical weaknesses of the WEP standard
We’ll discuss the types of attacks that can exploit those weaknesses
We’ll discuss the speed of “real world” attacks on WEP

Agenda
What’s on your network?
What is WEP?
Theoretical weaknesses of WEP
Types of attacks on WEP
How well do these attacks work in the “real world”?
Countermeasures

What’s on your wireless network?
802.11 (Wi-Fi) networks are ubiquitous today
Types of encryption:
– Open (No encryption)
– WEP
– WPA/WPA2

So what is WEP?
WEP is Wired Equivalent Privacy
Link-layer encryption
Defined in the IEEE 802.11 standard
“Least common denominator” Wi-Fi encryption
Goals of WEP
– Confidentiality
– Access control
– Data integrity

So how does WEP work?

First, let’s introduce the players
Message: What you’re encrypting
CRC: To verify the integrity of the message
Plaintext: The message + CRC
Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment
Key: A 40- or 104-bit number which is used to build the keystream
Keystream: What is used to encrypt the plaintext
Ciphertext: What we end up with post-encryption

WEP encryption step-by-step
Step 1: Compute CRC for the message
CRC-32 polynomial is used

WEP encryption step-by-step
Step 2: Compute the keystream
IV is concatenated with the key
RC4 encryption algorithm is used on the 64- or 128-bit concatenation

WEP encryption step-by-step
Step 3: Encrypt the plaintext
The plaintext is XORed with the keystream to form the ciphertext
The IV is prepended to the ciphertext

WEP decryption step-by-step
Step 1: Build the keystream
Extract the IV from the incoming frame
Prepend the IV to the key
Use RC4 to build the keystream

WEP decryption step-by-step
Step 2: Decrypt the plaintext and verify
XOR the keystream with the ciphertext
Verify the extracted message with the CRC

What are the main weaknesses of WEP?

Initialization vector (IV)
It’s carried in plaintext in the “encrypted” message!
It’s only 24 bits!
There are no restrictions on IV reuse!
The IV forms a significant portion of the “seed” for the RC4 algorithm!

CRC algorithm
The CRC is a linear function
– First-order polynomial: y = mx + b
– Key property when b is 0: f(x + y) = f(x) + f(y)
The CRC is an unkeyed function

RC4 cipher
Some seeds are “weaker” than others
By extension, some IV values are weaker than others
Weak seeds = more easily calculated keystreams

Defragmentation
Not necessarily a weakness
Part of 802.11 standard
– Affects WPA and WPA2 encryption as well

What are some potential attacks on a WEP network?

First, you know more about the plaintext than you think you know
With 802.11, you know the first eight bytes of a packet
Many IP services have packets of fixed lengths
Most WLAN IP addresses follow common conventions
Many IP behaviors have predictable responses
First eight bytes: AA AA 03 00 00 00 08 ?? (DSAP, SSAP, CTRL, ORG Code, Ether type)
– The Ether type can be either IP or ARP

Message modification
Takes advantage of CRC’s linearity and unkeyed nature
C is the original ciphertext
c is the CRC-32 function
Δ is the change in the message
Need to know some of the plaintext, but not all!
C' = C ⊕ (Δ, c(Δ))
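A toy implementation of the encryption and decryption steps from the earlier slides, together with the CRC property this slide relies on, added here as an example (it is not the presenter's code): RC4 seeded with IV || key, CRC-32 as the integrity value, and the C' = C ⊕ (Δ, c(Δ)) correction. The key, IV and message are constructed values; note that the real CRC-32 is affine rather than strictly linear, so the correction term also needs the CRC of an all-zero block (the "b" from the y = mx + b slide).

```python
import zlib
def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling then output generation; WEP seeds it with IV || key."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    """CRC-32 (the 802.11 ICV polynomial), little-endian as carried in the frame."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Encryption steps 1-3: append CRC, XOR with RC4(IV || key), prepend the IV in clear."""
    plaintext = message + crc(message)
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def wep_decrypt(key: bytes, frame: bytes):
    """Decryption steps 1-2: rebuild the keystream from the cleartext IV, XOR, check CRC."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    return plaintext[:-4] if crc(plaintext[:-4]) == plaintext[-4:] else None

def crc_of_delta(delta: bytes) -> bytes:
    """CRC-32 is affine rather than strictly linear (the 'b' of y = mx + b is the CRC
    of an all-zero input), so crc(M xor D) = crc(M) xor crc(D) xor crc(0...0)."""
    return xor(crc(delta), crc(bytes(len(delta))))

def modify_without_key(frame: bytes, delta: bytes) -> bytes:
    """C' = C xor (D, c(D)): needs neither the key nor the message, yet the
    receiver's CRC check still passes, which is why an unkeyed CRC is not a MAC."""
    iv, ciphertext = frame[:3], frame[3:]
    return iv + xor(ciphertext, delta + crc_of_delta(delta))

def demo() -> bytes:
    # Constructed 40-bit key, 24-bit IV and message; returns what the receiver accepts
    key, iv, message = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3"), b"status=OK"
    delta = bytes(7) + xor(b"OK", b"NO")           # change only the last two bytes
    return wep_decrypt(key, modify_without_key(wep_encrypt(key, iv, message), delta))
```

The receiver accepts the tampered frame as b"status=NO" because the CRC still matches; a keyed integrity check (as in WPA/WPA2) would reject it.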

Message injection
Takes advantage of CRC’s unkeyed nature and IV reuse
C is the original ciphertext
P is the original plaintext
RC4(v, k) is the keystream for IV v
M' is the new message
c is the CRC-32 function
Need to know all of the plaintext
P = C ⊕ RC4(v, k)
C' = (M', c(M')) ⊕ RC4(v, k)

Authentication spoofing
Takes advantage of IV reuse
Takes advantage of WEP challenge mechanism for new mobile stations
Access point sends unencrypted 128-bit value
Mobile station returns the same value encrypted
Monitor the exchange and…
– Learn an IV-keystream pair
– Authenticate on the mobile network
P = C ⊕ RC4(v, k)

Fragmentation attack
Takes advantage of defragmentation and IV reuse
Takes advantage of knowledge of plaintext of at least first eight bytes of 802.11 data
Each data segment includes 4 bytes of checksum
An 802.11 frame can be divided into 16 segments
The access point will defragment the frame before forwarding, allowing the transmission of 16 * (known bytes of keystream – 4 bytes) of data

Full keystream recovery using fragmentation
Send a 64-byte frame to a broadcast address in 16 segments
Eavesdrop the defragmented 68-byte frame
Send a 1024-byte frame to a broadcast address in 16 segments
Eavesdrop the defragmented 1028-byte frame
Send a 1496-byte frame to a broadcast address in 2 segments
Eavesdrop the defragmented 1500-byte frame

IP redirection
Takes advantage of defragmentation
Eavesdrop encrypted frame
Build encrypted IP header with the desired destination IP address
Configure the 802.11 headers for segmented transmission
Send frames
Receive unencrypted data at Internet-connected computer

So how easy do these techniques make a WEP network to compromise?

Answer: Darn easy
Attacks greatly aided by automated tools
Authors of “The Final Nail in WEP’s Coffin” broke 40-bit key in under 15 minutes and 104-bit key in under 80 minutes
FBI agents demonstrated it in 3 minutes in 2005
– http://www.informationweek.com/management/compliance/160502612
– “Usually it takes five to ten minutes”

Countermeasures
DON’T USE WEP!
Use WPA or WPA2 with a strong key
Change the default settings on your wireless router
Use VPN