The Final Nail in WEP s Coffin

Similar documents
Analyzing Wireless Security in Columbia, Missouri

05 - WLAN Encryption and Data Integrity Protocols

Wireless Security Security problems in Wireless Networks

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Overview of Security

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Stream Ciphers. Stream Ciphers 1

Plaintext Recovery Attacks Against WPA/TKIP

Gaining Access to encrypted networks

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Security in IEEE Networks

Configuring Cipher Suites and WEP

CS263: Wireless Communications and Sensor Networks

Wireless IDS Challenges and Vulnerabilities. Joshua Wright Senior Security Researcher Aruba Networks

Wireless Network Security Spring 2015

Security of WiFi networks MARCIN TUNIA

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

WPA Migration Mode: WEP is back to haunt you

Tutorial: Simple WEP Crack

Wireless Network Security Spring 2016

Securing a Wireless LAN

Security and Authentication for Wireless Networks

Wireless LAN Security. Gabriel Clothier

The security of existing wireless networks

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005


LESSON 12: WI FI NETWORKS SECURITY

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Configuring WEP and WEP Features

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

How Insecure is Wireless LAN?

Wireless Attacks and Countermeasures

Section 4 Cracking Encryption and Authentication

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU. Mc Graw mim

Physical and Link Layer Attacks

CITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule

Is Your Wireless Network Being Hacked?

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Wireless Network Security

COSC4377. Chapter 8 roadmap

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Computer and Network Security

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

BackTrack 5 Wireless Penetration Testing

What is Eavedropping?

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Wireless LAN Security (RM12/2002)

WIRELESS LOCAL AREA NETWORK SECURITY USING WPA2-PSK

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Securing Your Wireless LAN

EAPeak - Wireless 802.1X EAP Identification and Foot Printing Tool. Matt Neely and Spencer McIntyre

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Wireless Network Security

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Wireless# Guide to Wireless Communications. Objectives

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA

Summary on Crypto Primitives and Protocols

Lab Configure Enterprise Security on AP

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Wireless technology Principles of Security

HACKING & INFORMATION SECURITY Presents: - With TechNext

Networking Basics. Crystal Printer Network Installation Guidelines

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Scribe Notes -- October 31st, 2017

Security in Data Link Protocols

Wireless LANs. ITS 413 Internet Technologies and Applications

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

Advanced WiFi Attacks Using Commodity Hardware

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Configuring the Radio Network

Symmetric Encryption. Thierry Sans

WIRELESS LAN/PAN/BAN. Objectives: Readings: 1) Understanding the basic operations of WLANs. 2) WLAN security

Wi-Fi Scanner. Glossary. LizardSystems

Wireless Network Security

Security Setup CHAPTER

Securing Wireless LANs with Certificate Services

Realtime C&C Zeus Packet Detection Based on RC4 Decryption of Packet Length Field

Chapter 8 Network Security

Wireless Networked Systems

Wireless LANs: outline. wireless and WiFi security: WEP, i, WPA, WPA2. networking security wireless ad-hoc and mesh networks

Wireless Network Security

Chapter 24 Wireless Network Security

Symmetric Cryptography

WPA SECURITY (Wi-Fi Protected Access) Presentation. Douglas Cheathem (csc Spring 2007)

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Wireless Router at Home

Overview of IEEE b Security

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

Different attacks on the RC4 stream cipher

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

EEC-682/782 Computer Networks I

Transcription:

1/19 The Final Nail in WEP s Coffin Andrea Bittau 1 Mark Handley 1 Joshua Lackey 2 May 24, 2006 1 University College London. 2 Microsoft.

Wired Equivalent Privacy 2/19 WEP is the 802.11 standard for encryption. Pre-shared key for whole network. Protects data privacy since data is encrypted. Access control: need key to transmit. In practice, only half of the networks are encrypted. In the subset of encrypted networks, WEP is most adopted. Popularity (%) of WEP and its alternatives based on our survey Region WEP WPA 802.11i London 76 20 4 Seattle region 85 14 1

Goals when attacking WEP 3/19 Decrypt data in packets. Obtain access to the network by being able to transmit data. Recover the WEP key.

Contribution 4/19 Today, millions of packets are required to break a WEP key. Our fragmentation attack allows: 1 Transmitting arbitrary data after eavesdropping a single data packet on an 802.11 WEP protected network. 2 Real-time decryption given that network is connected to Internet.

Outline 5/19 1 WEP Description WEP Attacks 2 Transmission Decryption 3 Performance Evaluation 4

ICV { WEP operation 6/19 Data frame format 802.11 Header Frame Body CRC IV User Data { Initialization Vector CRC32 of user data Encryption IV + key { seed Plain text RC4 keystream { 0 1 1 1 1 0 0 0 1 0 0 1 Cipher text

History of WEP attacks... and how the real problem was ignored 7/19 Year 2000. Keystream attacks (independent of WEP key): Design flaw: WEP allows keystream reuse. Attacks were thought impractical: Need plain-text to recover keystream. Need 2 24 keystreams to decrypt all possible packets. Year 2001. Weak IV attacks (recover WEP key): Need millions of packets. Could take hours, and usually, days. Use EAP-based solutions to re-key, say, every ten minutes. Year 2006. Our contribution: fragmentation attack. Keystream attack which may be performed within minutes.

History of WEP attacks... and how the real problem was ignored 7/19 Year 2000. Keystream attacks (independent of WEP key): Design flaw: WEP allows keystream reuse. Attacks were thought impractical: Need plain-text to recover keystream. Need 2 24 keystreams to decrypt all possible packets. Year 2001. Weak IV attacks (recover WEP key): Need millions of packets. Could take hours, and usually, days. Use EAP-based solutions to re-key, say, every ten minutes. Year 2006. Our contribution: fragmentation attack. Keystream attack which may be performed within minutes.

History of WEP attacks... and how the real problem was ignored 7/19 Year 2000. Keystream attacks (independent of WEP key): Design flaw: WEP allows keystream reuse. Attacks were thought impractical: Need plain-text to recover keystream. Need 2 24 keystreams to decrypt all possible packets. Year 2001. Weak IV attacks (recover WEP key): Need millions of packets. Could take hours, and usually, days. Use EAP-based solutions to re-key, say, every ten minutes. Year 2006. Our contribution: fragmentation attack. Keystream attack which may be performed within minutes.

Fragmentation attack Outline 8/19 Transmission 1 Recover a keystream. 2 Reuse the keystream to send arbitrary data. Keystream-based decryption Resend data through the AP to a buddy on the Internet. Recover the keystream used for encrypting the packet. WEP key recovery Use transmission ability for speeding up weak IV attacks.

Transmission Recovering a short keystream 9/19 If cipher-text & plain-text pair is known, their XOR is a keystream. Known plain-text (LLC/SNAP headers) in IP packets: 802.11 header 0xAA 0xAA 0x03 0x00 0x00 0x00 0x08 0x00

Transmission Recovering a short keystream 9/19 If cipher-text & plain-text pair is known, their XOR is a keystream. Known plain-text (LLC/SNAP headers) in IP packets: 802.11 header 0xAA 0xAA 0x03 0x00 0x00 0x00 0x08 0x00 802.11 header Cipher-text 8 bytes of keystream Can recover 8 bytes of keystream by eavesdropping a packet. Can encrypt (and transmit) 8 bytes of arbitrary data.

Transmission Sending arbitrarily long data 10/19 802.11 supports MAC layer fragmentation. Transmit arbitrary data in 8 byte chunks. Fragmentation }Data }CRC32 Original plain-text & CRC. abcd efgh 1234 Fragments & CRC. Keystream (IV x). Encrypted frags. x abcd 1983 1234 5678 2911 8305 }IV x efgh 1914 1234 5678 1337 6667

Transmission Sending arbitrarily long data 10/19 802.11 supports MAC layer fragmentation. Transmit arbitrary data in 8 byte chunks. Fragmentation }Data }CRC32 Original plain-text & CRC. abcd efgh 1234 Fragments & CRC. Keystream (IV x). Encrypted frags. x abcd 1983 1234 5678 2911 8305 }IV x efgh 1914 1234 5678 1337 6667

Transmission Sending arbitrarily long data 10/19 802.11 supports MAC layer fragmentation. Transmit arbitrary data in 8 byte chunks. Fragmentation }Data }CRC32 Original plain-text & CRC. abcd efgh 1234 Fragments & CRC. Keystream (IV x). Encrypted frags. x abcd 1983 1234 5678 2911 8305 }IV x efgh 1914 1234 5678 1337 6667

Transmission Sending arbitrarily long data 10/19 802.11 supports MAC layer fragmentation. Transmit arbitrary data in 8 byte chunks. Fragmentation }Data }CRC32 Original plain-text & CRC. abcd efgh 1234 Fragments & CRC. Keystream (IV x). Encrypted frags. x abcd 1983 1234 5678 2911 8305 }IV x efgh 1914 1234 5678 1337 6667

Transmission Sending arbitrarily long data 10/19 802.11 supports MAC layer fragmentation. Transmit arbitrary data in 8 byte chunks. Fragmentation }Data }CRC32 Original plain-text & CRC. abcd efgh 1234 Fragments & CRC. Keystream (IV x). Encrypted frags. x abcd 1983 1234 5678 2911 8305 }IV x efgh 1914 1234 5678 1337 6667

Transmission Recovering a longer keystream 11/19 Discover a longer keystream to avoid sending many tiny packets: Send a long broadcast frame via multiple smaller fragments. AP relays it as a single packet. (New cipher & plain-text pair.) Keystream discovery Encrypted frags. }IV x }Data 2911 }CRC 8305 x 1337 6667 De-crypt & reassemble. Calculate entire CRC. abcd efgh 1234 Keystream for IV y. 3141 5926 5358 Relayed payload. y 2718 2818 2845

Transmission Recovering a longer keystream 11/19 Discover a longer keystream to avoid sending many tiny packets: Send a long broadcast frame via multiple smaller fragments. AP relays it as a single packet. (New cipher & plain-text pair.) Keystream discovery Encrypted frags. }IV x }Data 2911 }CRC 8305 x 1337 6667 De-crypt & reassemble. Calculate entire CRC. abcd efgh 1234 Keystream for IV y. 3141 5926 5358 Relayed payload. y 2718 2818 2845

Transmission Recovering a longer keystream 11/19 Discover a longer keystream to avoid sending many tiny packets: Send a long broadcast frame via multiple smaller fragments. AP relays it as a single packet. (New cipher & plain-text pair.) Keystream discovery Encrypted frags. }IV x }Data 2911 }CRC 8305 x 1337 6667 De-crypt & reassemble. Calculate entire CRC. abcd efgh 1234 Keystream for IV y. 3141 5926 5358 Relayed payload. y 2718 2818 2845

Transmission Recovering a longer keystream 11/19 Discover a longer keystream to avoid sending many tiny packets: Send a long broadcast frame via multiple smaller fragments. AP relays it as a single packet. (New cipher & plain-text pair.) Keystream discovery Encrypted frags. }IV x }Data 2911 }CRC 8305 x 1337 6667 De-crypt & reassemble. Calculate entire CRC. abcd efgh 1234 Keystream for IV y. 3141 5926 5358 Relayed payload. y 2718 2818 2845

Transmission Recovering a longer keystream 11/19 Discover a longer keystream to avoid sending many tiny packets: Send a long broadcast frame via multiple smaller fragments. AP relays it as a single packet. (New cipher & plain-text pair.) Keystream discovery Encrypted frags. }IV x }Data 2911 }CRC 8305 x 1337 6667 De-crypt & reassemble. Calculate entire CRC. abcd efgh 1234 Keystream for IV y. 3141 5926 5358 Relayed payload. y 2718 2818 2845

Decryption Keystream expansion 12/19 Decrypt data locally in linear time with respect to its length: If n bytes of keystream were known, n bytes of data could be decrypted. Base case: 8 bytes of keystream are known. Guess keystream byte n + 1 and verify it. Send a broadcast using extended keystream. If AP relayed it, guess is correct. Continue keystream expansion for whole length of packet. Decryption example Known keystream 00 AP Known keystream 01 Known keystream 01 00

Decryption Resending data to our Internet buddy 13/19 To decrypt data in real-time, resend it to the Internet. 1 Eavesdrop a payload to decrypt. 2 Send two 802.11 fragments: an IP header with our buddy as destination, and the original encrypted payload as a fragment. 3 AP will decrypt and send it in clear-text to our Internet buddy. Decrypting with an Internet buddy Source IP, data AP Destination Attacker IP IP, data IP {IP, Data} Buddy

Fragmentation attack Summary 14/19 To encrypt data: 1 Eavesdrop a data packet. 2 Cipher-text known plain-text 8 bytes of keystream. 3 Transmit data in multiple 8 byte fragments. To decrypt data: 1 Eavesdrop packet to decrypt. 2 Send two 802.11 fragments: 1 An IP header destined to a buddy on the Internet. 2 A fragment containing the original eavesdropped payload. 3 Internet buddy will receive the payload in clear-text.

15/19 Hardware: Atheros chipset. Software radio. Ideal for packet injection. Supports 802.11{a,b,g}. Software: FreeBSD. Added packet injection support to ath driver. wesside. Proof-of-concept fragmentation attack tool.

wesside 16/19 1 Eavesdrops data packet and uses fragmentation to transmit. 2 Determines the network IP via keystream expansion. 3 Contacts buddy on Internet instructing him to flood the WiFi. 4 Recovers WEP key via weak IV attack (using aircrack). Operation of wesside Data packet WEP key Fragmentation Attacker Weak IV Flood request AP Flood Buddy on Internet

Performance 17/19 Fragmentation attack, after eavesdropping one packet: Recover 1500 bytes of keystream: < 2 seconds. Decrypt network s IP: < 30 seconds. CDF of cracked keys via weak IV Percentage of cracked keys 100 75 50 Attack Time (min) 28 65 93 121 148 176 204 232 25 40-bit keys 104-bit keys 0 0 2 4 6 8 10 12 14 16 Number of packets (millions)

Lessons 18/19 Fragmentation attack: May be performed instantly. Frequent re-keying (EAP) does not mitigate the problem. Migrate to 802.11i. Non-solution: ship hardware with no fragmentation support. Solution: ship hardware with no WEP support. WEP history: Attacks evolve over time. In 2000, theoretical issues were identified. Today, we provide a practical exploit for them. Theoretical guidelines must be followed. Perfect example of damage incurred by keystream reuse and no authentication.

19/19 Do not use WEP teach about its failures. Future Work: The First Nail in WPA s Coffin...

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback