slide 1 scsc 555 hacking wireless networks (part ii – wep & wpa)
TRANSCRIPT
slide 1
SCSC 555
Hacking Wireless Networks(Part II – WEP & WPA)
slide 2
802.11b Overview
Standard for wireless networks• Approved by IEEE in 1999
Two modes: infrastructure and ad hoc
IBSS (ad hoc) mode BSS (infrastructure) mode
slide 3
Access Point SSID
Service Set Identifier (SSID) differentiates one access point from another• By default, access point broadcasts its SSID in
plaintext “beacon frames” every few seconds
Default SSIDs are easily guessable• Linksys defaults to “linksys”, Cisco to “tsunami”, etc.• This gives away the fact that access point is active
Access point settings can be changed to prevent it from announcing its presence in beacon frames and from using an easily guessable SSID• But then every user must know SSID in advance
slide 4
Wired Equivalent Privacy (WEP)
Special-purpose protocol for 802.11b• Intended to make wireless as secure as wired
network
Goals: confidentiality, integrity, authentication
Assumes that a secret key is shared between access point and clients
Uses RC4 stream cipher seeded with 24-bit initialization vector and 40-bit key• Terrible design choice for wireless environment• RC4 is used properly in SSL
slide 5
Shared-Key Authentication
beacon
Prior to communicating data, access point may require client to authenticate
Access Point Client
association requestassociation response
probe requestOR
challenge
challengeRC4(IV,K)
unauthenticated &unassociated
authenticated &unassociated
authenticated &associated
Passive eavesdropper recovers RC4(IV,K), can respond to any challenge from then on without knowing K
slide 6
How WEP Works
24 bits 40 bits
IV | shared key used as RC4 seed• Must never be repeated (why?)• There is no key update protocol in 802.11b, so security relies on never repeating IV
IV sent in the clearWorse: 802.11b says that changing IV with each packet is optional!
CRC-32 checksum is linear in : if attacker flips some bit in plaintext, there is a known, plaintext-independent set of CRC bits that, if flipped, will produce the same checksum
no integrity!
slide 7
Why RC4 is a Bad Choice for WEP
Stream ciphers require synchronization of key streams on both ends of connection• This is not suitable when packet losses are common
WEP solution: a separate seed for each packet• Can decrypt a packet even if a previous packet was
lost
But number of possible seeds is not large enough!• RC4 seed = 24-bit initialization vector + fixed key• Assuming 1500-byte packets at 11 Mbps, 224 possible IVs will be exhausted in about 5 hours
Seed reuse is deadly for stream ciphers
slide 8
Recovering Keystream
Get access point to encrypt a known plaintext• Send spam, access point will encrypt and forward it• Get victim to send an email with known content
If attacker knows plaintext, it is easy to recover keystream from ciphertext• C M = (MRC4(IV,key)) M = RC4(IV,key)• Not a problem if this keystream is not re-used
Even if attacker doesn’t know plaintext, he can exploit regularities (plaintexts are not random)• For example, IP packet structure is very regular
slide 9
Keystream Will Be Re-Used
In WEP, repeated IV means repeated keystream Busy network will repeat IVs often
• Many cards reset IV to 0 when re-booted, then increment by 1 expect re-use of low-value IVs
• If IVs are chosen randomly, expect repetition in O(212) due to birthday paradox (similar to hash collisions)
Recover keystream for each IV, store in a table• (KnownM RC4(IV,key)) KnownM = RC4(IV,key)
• Even if don’t know M, can exploit regularities
Wait for IV to repeat, decrypt and enjoy plaintext• (M’ RC4(IV,key)) RC4(IV,key) = M’
slide 10
It Gets Worse
Misuse of RC4 in WEP is a design flaw with no fix• Longer keys do not help!
– The problem is re-use of IVs, their size is fixed (24 bits)
• Attacks are passive and very difficult to detect
Perfect target for Fluhrer et al. attack on RC4• Attack requires known IVs of a special form• WEP sends IVs in plaintext• Generating IVs as counters or random numbers will
produce enough “special” IVs in a matter of hours
This results in key recovery (not just keystream)• Can decrypt even ciphertexts whose IV is unique
slide 11
Do Not Do This[Brian Lee]
Ingredients: Laptop (with 802.11b card, GPS, Netstumbler, Airsnort,
Ethereal) and the car of your choice Drive around, use Netstumbler to map out active
wireless networks and (using GPS) their access points If network is encrypted, park the car, start Airsnort,
leave it be for a few hours• Airsnort will passively listen to encrypted network traffic
and, after 5-10 million packets, extract the encryption key Once the encryption key is compromised, connect to the
network as if there is no encryption at all Alternative: use Ethereal (or packet sniffer of your
choice) to listen to decrypted traffic and analyze Many networks are even less secure
slide 12
Weak Countermeasures
Run VPN on top of wireless• Treat wireless as you would an insecure wired network• VPNs have their own security and performance issues
– Compromise of one client may compromise entire network
Hide SSID of your access point• Still, raw packets will reveal SSID (it is not encrypted!)
Have each access point maintain a list of network cards addresses that are allowed to connect to it• Infeasible for large networks• Attacker can sniff a packet from a legitimate card, then re-
code (spoof) his card to use a legitimate address
slide 13
Fixing the Problem
Extensible Authentication Protocol (EAP)• Developers can choose their own authentication method
– Cisco EAP-LEAP (passwords), Microsoft EAP-TLS (public-key certificates), PEAP (passwords OR certificates), etc.
802.11i standard fixes 802.11b problems• Patch: TKIP. Still RC4, but encrypts IVs and establishes
new shared keys for every 10 KBytes transmitted– No keystream re-use, prevents exploitation of RC4 weaknesses– Use same network card, only upgrade firmware
• Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs– Block cipher (in special mode) instead of stream cipher– Requires new network card hardware
slide 14
Hacking Wireless Networks(Part III – WPA)
slide 15
What is WPA?
WPA (Wireless Protected Access) or WEP2 ■ An interim solution to replace WEP.
■ Aimed to work well with hardware designed for WEP.
■ Still use RC4 for encryption.
■ Several new elements were introduced: - TKIP (Temporal Key Integrity Protocol). - MIC (message integrity code) for preventing forgery. - IV=48 bits for preventing replay attack. - A mixing function for generating per-frame key.
15
slide 16
WPA Structure
16
802.11 Hdr data
802.11 Hdr IV Data MIC
RC4 Encryption
MIC Function
MIC||
K
WEP Key Per-Frame Key
Integrity Key
TKIP
Mixing Function K’
slide 17
WPA Structure (in details)
slide 18
WPA - Modes of OperationWPA - Modes of Operation
Enterprise Mode:
- Requires an authentication server – RADIUS(Remote Authentication Dial In Service) for authentication and key distribution- RADIUS has centralized management of user credentials
Pre-shared key (PSK) Mode:
- Does not require authentication server- A “shared secret” is used for authentication to access point vulnerable to dictionary attacks
18
slide 19
Enterprise Mode DiagramEnterprise Mode Diagram
19
slide 20
PSK Mode Diagram PSK Mode Diagram
20
slide 21
Issues of PSK ModeIssues of PSK Mode
Needed if no authentication server is in use
“shared secret” – revealed, network security is compromised
No standardized way of changing shared secret
It increases the attacker’s effort to do decryption of messages
The more complex the shared secret is, the better it is
as there are less chances of dictionary attacks
21
slide 22
Summary: Security Mechanisms in WPASummary: Security Mechanisms in WPA
22
slide 23
802.1X Authentication prevents end users from 802.1X Authentication prevents end users from accessing Enterprise networksaccessing Enterprise networks
23
slide 24
TKIP – Temporal Key Integrity ProtocolTKIP – Temporal Key Integrity Protocol TKIP is responsible for generating the encryption key, encrypting the message and verifying its integrity
TKIP ensures: - Encryption key changes with every packet - Encryption key is unique for every client - TKIP encryptions keys are 256 bit long
WEP Encryption key = shared secret + IV
TKIP packet comprises of: - 128 bit temporal key (shared by both clients and AP) - Client Device MAC address - 48 bit IV (Packet sequence number) to prevent known plain text attacks (WEP = 24 bit IV)
24
slide 25
TKIP for Data PrivacyTKIP for Data Privacy
TKIP key mixing function + temporal key = per packet key
Temporal keys - 128 bit, change frequently, definite life
MAC Address + Temporal key + four most significant octets of the packet sequence number are fed into the S-Box to generate intermediate key
Results in a unique encryption key
Then, mix the intermediate key with two least significant octets of packet sequence number = 128 bit per packet key
Each key encrypts only one packet of data and prevents weak key attacks
25
slide 26
Message Integrity Check (MIC)Message Integrity Check (MIC)
Used to enforce data integrity
“Message Integrity Code” (MIC) = 64 bit message calc. using Michael’s algorithm
MIC is inserted in the TKIP packet
The sender and the receiver each compute MIC and then compare. MIC does not match = data is manipulated
Detects potential packet content altercation due to transmission error or purposeful manipulation
Uses 64 bit key and partitions the data into 32 bit blocks
Various operations: shifts, XOR’s, additions
26
slide 27
WPA2 WPA2
A long term solution specified by IEEE 802.11iUse AES (in a new mode called CCM) for encryption.
Counter Mode with CBC-MAC Protocol (CCMP) encryption
CCMP = CTR + CBC + MAC
■ Several new elements were introduced: - The base key K=128 bits. - MIC is 64 bits for preventing forgery. - IV=48 bits for preventing replay attack. - Packet sequence number is used to generate IV. Will require or replacement hardware (AP’s and NIC’s)
27
slide 28
WPA2WPA2
28
802.11 Hdr 802.11i Hdr Data MIC FCS
Encrypted by AES
Authenticated by MIC
IV Key ID
slide 29
Encryption Method Comparison TableEncryption Method Comparison Table
WEP WPA WPA2
Cipher RC4 RC4 AES
Key Size 40 bits128 bits encryption 64
bits authentication128 bits
Key Life 24 bit IV 48 bit IV 48 bit IV
Packet Key Concatenated Mixing Function Not needed
Data Integrity CRC-32 Michael Algorithm CCM
Header Integrity None Michael Algorithm CCM
Replay Attack None IV Sequence IV Sequence
Key Management None EAP Based EAP Based
29
slide 30
ConclusionsConclusions
WEP is not secure anymore !
WPA solves almost all WEP weaknesses
WPA still considered secure and provides secure authentication, encryption and access control
WPA is not yet broken…!
WPA2 is a stronger cipher than WPA and will provide robust security for WLANs
30