sign in sign up
<<
Home , Wired Equivalent Privacy

Graduate Course on Computer Security

Lecture 6: Case Study II - WEP

Iliano Cervesato [email protected]

ITT Industries, Inc @ NRL – Washington DC

http://www.cs.stanford.edu/~iliano/

DIMI, Universita’ di Udine, Italy December 5, 2001 Outline

• The 802.11 wireless communication standard • WEP: Wired Equivalent Privacy  Architecture  Security goals  Attacks 802.11 . Confidentiality WEP . Authentication Secrecy Access . Integrity Integrity  Lessons Learned Lessons

Computer Security: 6 – Case Study II, WEP 2 The IEEE 802.11 Standard

Specifies standard networking functions over radio waves  Transparent layer for upper network protocols (IP, TCP, Novell NetWare, …) . Implements wireless networks (WLAN) . Integrates seamlessly into a LAN . Works on any platform, given drivers 802.11 WEP  Fast: up to 11Mbit/s Secrecy . Ethernet is 10Mbit/s, fast Ethernet 100Mbit/s Access . Range about 30m/100feet Integrity  Widely deployed Lessons . PCMCIA cards, ISA bus cards, embedded solutions, …

. Offered by major vendors

Computer Security: 6 – Case Study II, WEP 3 Infrastructure Mode

Access Point (AP)

Mobile station

802.11 • Access points connect to wired network WEP • Multiple mobile stations per AP Secrecy Access  Full internet connection for mobile users Integrity . University campus Lessons . Coffee shops . lounges, …

Computer Security: 6 – Case Study II, WEP 4 Ad Hoc Mode

• Wireless stations communicate directly  Communication without a wired network . On the fly networking 802.11 WEP – Impromptu meeting Secrecy . LAN set up is difficult Access – Monitoring volcanoes Integrity – Study of jungle canopy Lessons . LAN set up is dangerous

– War zones

Computer Security: 6 – Case Study II, WEP 5 Data Transmission

For both LANs and WLANs

• Communication broken into frames  Variable length (up to ~ 1,500 byte)

• Header associated with frame 802.11 WEP  Source address Secrecy  Destination address Access  Frame length, … Integrity Lessons • Packet = header + frame

Computer Security: 6 – Case Study II, WEP 6 Subverting Communication

WLAN LAN

• Eavesdropping • Eavesdropping  Hardware widely sold  Plug in laptop  Proximity of source  Need access to wire . Parking lot attack . Hardly unnoticeable

802.11 • Injecting traffic • Injecting traffic WEP  Just send to network  Just send to network Secrecy  May need to modify  May need to modify Access driver setup driver setup Integrity • Removing traffic • Removing traffic Lessons  Scramble radio signal  Feasible

Computer Security: 6 – Case Study II, WEP 7 WEP – Wired Equivalent Privacy

Security mechanism for WLANs

• 2 subsystems  Station authentication . 802.11 Simulate wired access control WEP  Data encapsulation Secrecy Access . Create privacy of wired network Integrity Lessons • Part of 802.11 standard

Computer Security: 6 – Case Study II, WEP 8 WEP Authentication

AP “Hi, it’s me”

S n

n ⊕ RC4(k)

k distributed out of band 802.11 WEP Secrecy • S and AP share key k Access  802.11 standard: 40 bit Integrity  Most vendors now offer 104 bits (advertised as 128 bit!) Lessons • n is randomly generated nonce

• S is accepted only if last message decrypts to n

Computer Security: 6 – Case Study II, WEP 9 Data Encapsulation

A wants to send frame m to B

• Encapsulation (A)

 Compute CRC-32 integrity checksum cm of m . Public algorithm, does not depend on k  Compute keystream RC4(k,v) 802.11 . RC4 is secure keystream function (proprietary RSA) WEP . v is 24 bit (IV) Secrecy  Broadcast v,x = v, ((m cm) ⊕ RC4(k,v)) Access Integrity Lessons • Decapsulation (B)

 x ⊕ RC4(k,v)) = m cm

Computer Security: 6 – Case Study II, WEP 10 … Pictorially

m CRC Standard: 40bit Enhanced: 104 bit m cm

RC4(k,v)

24 bits v (m cm) ⊕ RC4(k,v) 802.11 WEP • Checksum guarantees data integrity Secrecy • IV Access  Integrity Prevents reuse of keystream . Lessons WEP does not prescribe modification of IVs  Sent with each packet

Computer Security: 6 – Case Study II, WEP 11 WEP Security Goals

• Confidentiality  Prevent eavesdropping • Access control  Prevent unauthorized access • Integrity 802.11 WEP  Prevent tempering with messages Secrecy Access Integrity Lessons WEP does not achieve any of them!

Computer Security: 6 – Case Study II, WEP 12 Keystream Reuse

WEP collision  ⊕ If x1 = ((m1 cm1) RC4(k,v)) ⊕ and x2 = ((m2 cm2) RC4(k,v))  ⊕ ⊕ Then x1 x2 = (m1 cm1) (m2 cm2)

• Independent from key length! 802.11 WEP Secrecy • Recognizing collisions Access . k changes very seldom, if ever Integrity . Generally, all stations use same k Lessons . v sent in clear with every packet  Look for packets with the same IV

Computer Security: 6 – Case Study II, WEP 13 Likelihood of Keystream Reuse

Given r1, … rn ∈ [0, 1, …, B] If n ≥ 1.2√B, then Prob[∃ i ≠ j : ri = rj] > ½ • Ideal case  By birthday paradox . 50% chances of collision after ~5000 packets . < 4 minutes at 5Mbit/s (packets of 1500 bytes) . All 224 keystreams recovered in ½ day 802.11 WEP • In practice, IVs are poorly generated Secrecy  Many PCMCIA cards Access . IV=0 when inserted Integrity . incremented by 1 at each packet Lessons  Few thousand IVs determine most traffic

• 802.11 does not require changing IV

Computer Security: 6 – Case Study II, WEP 14 ⊕ If x1 = ((m1 cm1) RC4(k,v)) ⊕ and x2 = ((m2 cm2) RC4(k,v)) Attacks ⊕ ⊕ then x1 x2 = (m1 cm1) (m2 cm2)

• Passive attacks  Exploit message redundancy . Many fields of IP header are predictable . Login sequences (e.g. Password: ) . Transfer of shared libraries, …

802.11 • Active attacks WEP  Send spam to mobile host Secrecy Access  Have mobile host send you email, … Integrity • Dumb attacks Lessons  Some APs send frames unencrypted also

Computer Security: 6 – Case Study II, WEP 15 Decryption Dictionaries

• Once packet is revealed, keystream is known

• Build table of intercepted keystreams  Maps every v to RC4(k,v)) 802.11  Requires ~24Gb for 224 for 1,500 byte frames WEP  Secrecy Less than 1Gb with PCMCIA IV generation Access Integrity • Then, can decrypt all traffic Lessons

Computer Security: 6 – Case Study II, WEP 16 Key Management

• 802.11 does not specify how to  Generate  Distribute  Update shared key (and how often)

• In practice 802.11 WEP  Key is loaded in device by hand when set up Secrecy . Often keep manufacturer’s default Access  Never updated again Integrity  Attacker has years to compromise key Lessons . A few hours are enough for 40 bit version

Computer Security: 6 – Case Study II, WEP 17 Restoring Confidentiality

• IV is too short  Collisions frequency reduced with longer IVs  Relatively small decryption dictionary

• IV update unspecified (and non required)  Force collision resistant IV generation 802.11 WEP  From keyed random number generator Secrecy Access • Key management inexistent Integrity  Lessons Introduce mandatory key update protocol  Force different key for each host

Computer Security: 6 – Case Study II, WEP 18 “Hi, it’s me”

Gaining Access n

n ⊕ RC4(k) Trivial !

• Record one authentication exchange  from (n, n ⊕ RC4(k)), recover RC4(k)  Use it to encrypt all future 802.11 authentication challenges WEP

Secrecy Access • Remedy Integrity Lessons  Use different cipher for authentication . A block cipher would do

Computer Security: 6 – Case Study II, WEP 19 Perturbing Traffic

Integrity protected by CRC-32 checksum

• Checksums are linear w.r.t. ⊕

cm⊕m’ = cm ⊕ cm’

• Then for any ∆, xor’ing any ciphertext x with 802.11 (∆ c∆) will go undetected WEP Secrecy Access • Remedy Integrity  … exercise Lessons

Computer Security: 6 – Case Study II, WEP 20 Targeted Traffic Alteration

• Linearity of CRC limited to flipping bits

• Use format of frames to force bit values  E.g. IP header

802.11 • Build decryption dictionary WEP Secrecy Access Integrity Lessons

Computer Security: 6 – Case Study II, WEP 21 Analysis of a Débacle

Why is WEP so bad??  International standard  Backed by big vendors (IBM, 3COM, Apple, …)

• Written by communication engineers . “Keep packet length small” . “Be conservative in what you send, liberal in what you accept” 802.11  Not security people involved WEP  Secrecy Opaque design (no public review before standardization) Access  Could have profited from IPSec experience Integrity • Should operate with limited resource Lessons  Cell phones, PDAs, …

Computer Security: 6 – Case Study II, WEP 22 The Future of WEP

Proposal for a new standard 802.1X

• Use based on AES • Sequence number to avoid replays • 802.11 Replace CRC with MAC WEP • Authentication based on Kerberos Secrecy Access Integrity Lessons

Computer Security: 6 – Case Study II, WEP 23 Should You Go Wireless?

YES!

• 802.11 is a fine communication suite

• Handle security at higher levels 802.11  Virtual Private Network (VPN) WEP Secrecy  IPSec Access  … or just what you Integrity normally use! Lessons

Computer Security: 6 – Case Study II, WEP 24 Readings

• N. Borisov, I. Goldberg and D. Wagner, Intercepting Mobile Communications: the

Insecurity of 802.11, 2001

• W. Arbaugh, N. Shankar, and Y. Wan, Your 802.11 Wireless Network has no Clothes, 2001 802.11 WEP • IEEE 802.11 Working Group web page, Secrecy Access http://grouper.ieee.org/groups/802/11

Integrity Lessons • Jesse Walker, “Overview of 802.11 Security”, 2001

Computer Security: 6 – Case Study II, WEP 25 Exercises for Lecture 6

• Prove that

 if x = ((m cm) ⊕ RC4(k,v)),

 Then x ⊕ (∆ c∆) has a correct checksum for every ∆

802.11 WEP • Suggest a remedy for traffic Secrecy Access perturbation Integrity Lessons

Computer Security: 6 – Case Study II, WEP 26 Next …

• Specification Languages

802.11 WEP Secrecy Access Integrity Lessons

Computer Security: 6 – Case Study II, WEP 27