Security Protocol Specification Languages

Graduate Course on Computer Security
Lecture 6: Case Study II - WEP

Iliano Cervesato
[email protected]
ITT Industries, Inc @ NRL – Washington DC
http://www.cs.stanford.edu/~iliano/

DIMI, Universita’ di Udine, Italy
December 5, 2001

Outline

• The 802.11 wireless communication standard
• WEP: Wired Equivalent Privacy
  - Architecture
  - Security goals
  - Attacks
    - Confidentiality
    - Authentication
    - Integrity
  - Lessons Learned

The IEEE 802.11 Standard

Specifies standard networking functions over radio waves

• Transparent layer for upper network protocols (IP, TCP, Novell NetWare, …)
  - Implements wireless networks (WLAN)
  - Integrates seamlessly into a LAN
  - Works on any platform, given drivers
• Fast: up to 11Mbit/s
  - Ethernet is 10Mbit/s, fast Ethernet 100Mbit/s
  - Range about 30m/100feet
• Widely deployed
  - PCMCIA cards, ISA bus cards, embedded solutions, …
  - Offered by major vendors

Infrastructure Mode

[Figure: an access point (AP) and mobile stations]

• Access points connect to wired network
• Multiple mobile stations per AP
  - Full internet connection for mobile users
    - University campus
    - Coffee shops
    - Airport lounges, …

Ad Hoc Mode

• Wireless stations communicate directly
  - Communication without a wired network
    - On the fly networking
      - Impromptu meeting
    - LAN set up is difficult
      - Monitoring volcanoes
      - Study of jungle canopy
    - LAN set up is dangerous
      - War zones

Data Transmission

For both LANs and WLANs

• Communication broken into frames
  - Variable length (up to ~ 1,500 byte)
• Header associated with frame
  - Source address
  - Destination address
  - Frame length, …
• Packet = header + frame

Subverting Communication

WLAN

• Eavesdropping
  - Hardware widely sold
  - Proximity of source
    - Parking lot attack
• Injecting traffic
  - Just send to network
  - May need to modify driver setup
• Removing traffic
  - Scramble radio signal

LAN

• Eavesdropping
  - Plug in laptop
  - Need access to wire
    - Hardly unnoticeable
• Injecting traffic
  - Just send to network
  - May need to modify driver setup
• Removing traffic
  - Feasible

WEP – Wired Equivalent Privacy

Security mechanism for WLANs

• 2 subsystems
  - Station authentication
    - Simulate wired access control
  - Data encapsulation
    - Create privacy of wired network
• Part of 802.11 standard

WEP Authentication

  S → AP:  “Hi, it’s me”
  AP → S:  n
  S → AP:  n ⊕ RC4(k)

  (k distributed out of band)

• S and AP share key k
  - 802.11 standard: 40 bit
  - Most vendors now offer 104 bits (advertised as 128 bit!)
• n is a randomly generated nonce
• S is accepted only if the last message decrypts to n

Data Encapsulation

A wants to send frame m to B

• Encapsulation (A)
  - Compute CRC-32 integrity checksum c_m of m
    - Public algorithm, does not depend on k
  - Compute keystream RC4(k,v)
    - RC4 is secure keystream function (proprietary RSA)
    - v is 24 bit initialization vector (IV)
  - Broadcast v, x = v, ((m c_m) ⊕ RC4(k,v))
• Decapsulation (B)
  - x ⊕ RC4(k,v) = m c_m

… Pictorially

[Figure: m goes through CRC to give m c_m; the key (standard: 40 bit, enhanced: 104 bit) and the 24-bit IV v give RC4(k,v); the output is v, (m c_m) ⊕ RC4(k,v)]

• Checksum guarantees data integrity
• IV
  - Prevents reuse of keystream
    - WEP does not prescribe modification of IVs
  - Sent with each packet

WEP Security Goals

• Confidentiality
  - Prevent eavesdropping
• Access control
  - Prevent unauthorized access
• Integrity
  - Prevent tampering with messages

WEP does not achieve any of them!

Keystream Reuse

WEP collision

  If   x_1 = (m_1 c_{m_1}) ⊕ RC4(k,v)
  and  x_2 = (m_2 c_{m_2}) ⊕ RC4(k,v)
  then x_1 ⊕ x_2 = (m_1 c_{m_1}) ⊕ (m_2 c_{m_2})

• Independent from key length!
• Recognizing collisions
    - k changes very seldom, if ever
    - Generally, all stations use same k
    - v sent in clear with every packet
  - Look for packets with the same IV

Likelihood of Keystream Reuse

  Given r_1, …, r_n ∈ [0, 1, …, B]
  If n ≥ 1.2√B, then Prob[∃ i ≠ j : r_i = r_j] > ½

• Ideal case
  - By birthday paradox
    - 50% chance of collision after ~5000 packets
    - < 4 minutes at 5Mbit/s (packets of 1500 bytes)
    - All 2^24 keystreams recovered in ½ day
• In practice, IVs are poorly generated
  - Many PCMCIA cards
    - IV=0 when inserted
    - Incremented by 1 at each packet
  - Few thousand IVs determine most traffic
• 802.11 does not require changing IV

Attacks

  If   x_1 = (m_1 c_{m_1}) ⊕ RC4(k,v)
  and  x_2 = (m_2 c_{m_2}) ⊕ RC4(k,v)
  then x_1 ⊕ x_2 = (m_1 c_{m_1}) ⊕ (m_2 c_{m_2})

• Passive attacks
  - Exploit message redundancy
    - Many fields of IP header are predictable
    - Login sequences (e.g. Password: )
    - Transfer of shared libraries, …
• Active attacks
  - Send spam to mobile host
  - Have mobile host send you email, …
• Dumb attacks
  - Some APs send frames unencrypted also

Decryption Dictionaries

• Once packet is revealed, keystream is known
• Build table of intercepted keystreams
  - Maps every v to RC4(k,v)
  - Requires ~24Gb for 2^24 IVs and 1,500 byte frames
  - Less than 1Gb with PCMCIA IV generation
• Then, can decrypt all traffic

Key Management

• 802.11 does not specify how to
  - Generate
  - Distribute
  - Update
  shared key (and how often)
• In practice
  - Key is loaded in device by hand when set up
    - Often keep manufacturer’s default
  - Never updated again
  - Attacker has years to compromise key
    - A few hours are enough for 40 bit version

Restoring Confidentiality

• IV is too short
  - Collision frequency reduced with longer IVs
  - Relatively small decryption dictionary
• IV update unspecified (and not required)
  - Force collision resistant IV generation
  - From keyed random number generator
• Key management nonexistent
  - Introduce mandatory key update protocol
  - Force different key for each host

Gaining Access

  S → AP:  “Hi, it’s me”
  AP → S:  n
  S → AP:  n ⊕ RC4(k)

Trivial!

• Record one authentication exchange
  - From (n, n ⊕ RC4(k)), recover RC4(k)
  - Use it to encrypt all future authentication challenges
• Remedy
  - Use different cipher for authentication
    - A block cipher would do

Perturbing Traffic

Integrity protected by CRC-32 checksum

• Checksums are linear w.r.t. ⊕
  - c_{m ⊕ m’} = c_m ⊕ c_{m’}
• Then for any ∆, xor’ing any ciphertext x with (∆ c_∆) will go undetected
• Remedy
  - … exercise

Targeted Traffic Alteration

• Linearity of CRC limited to flipping bits
• Use format of frames to force bit values
  - E.g. IP header
• Build decryption dictionary

Analysis of a Débacle

Why is WEP so bad??

  - International standard
  - Backed by big vendors (IBM, 3COM, Apple, …)
• Written by communication engineers
    - “Keep packet length small”
    - “Be conservative in what you send, liberal in what you accept”
  - No security people involved
  - Opaque design (no public review before standardization)
  - Could have profited from IPSec experience
• Should operate with limited resources
  - Cell phones, PDAs, …

The Future of WEP

Proposal for a new standard 802.1X

• Use stream cipher based on AES
• Sequence number to avoid replays
• Replace CRC with MAC
• Authentication based on Kerberos

Should You Go Wireless?

YES!

• 802.11 is a fine communication suite
• Handle security at higher levels
  - Virtual Private Network (VPN)
  - IPSec
  - … or just what you normally use!

Readings

• N. Borisov, I. Goldberg and D. Wagner, Intercepting Mobile Communications: the Insecurity of 802.11, 2001
• W. Arbaugh, N. Shankar, and Y. Wan, Your 802.11 Wireless Network has no Clothes, 2001
• IEEE 802.11 Working Group web page, http://grouper.ieee.org/groups/802/11
• Jesse Walker, “Overview of 802.11 Security”, 2001

Exercises for Lecture 6

• Prove that if x = ((m c_m) ⊕ RC4(k,v)), then x ⊕ (∆ c_∆) has a correct checksum for every ∆
• Suggest a remedy for traffic perturbation

Next …

• Specification Languages
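The Data Encapsulation and Keystream Reuse slides, as an added Python example that is not part of the lecture: WEP-style encapsulation with CRC-32 and RC4, and the recovery of a second frame from two ciphertexts sent under one IV, for a 40-bit and a 104-bit key. The keys, IV, frame contents and function names are constructed for the illustration, and the byte order of the checksum is an assumption.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream: key scheduling, then output generation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:      # truncates to the shorter input
    return bytes(p ^ q for p, q in zip(a, b))
def with_crc(m: bytes) -> bytes:           # (m c_m); byte order is an assumption
    return m + zlib.crc32(m).to_bytes(4, "little")

def encapsulate(k: bytes, v: bytes, m: bytes) -> tuple:
    """Return (v, x) with x = (m c_m) XOR RC4(k,v). WEP keys RC4 with v then k."""
    body = with_crc(m)
    return v, xor(body, rc4(v + k, len(body)))

def decapsulate(k: bytes, v: bytes, x: bytes) -> bytes:
    """Return m, or raise ValueError when the CRC-32 does not match."""
    body = xor(x, rc4(v + k, len(x)))
    if with_crc(body[:-4]) != body:
        raise ValueError("checksum mismatch")
    return body[:-4]

def recover_second_frame(x1: bytes, x2: bytes, known_m1: bytes) -> bytes:
    """Both frames used the same (k, v), so the keystream cancels in x1 XOR x2."""
    return xor(xor(x1, x2), known_m1)

M1 = b"GET /index.html HTTP/1.0\r\n"       # constructed frames of equal length
M2 = b"Password: correct-horse-9\n"
IV = b"\x00\x00\x01"                       # constructed IV, used for both frames

def demo(k: bytes) -> bytes:
    """Encapsulate M1 and M2 under one IV, then recover M2 without using k."""
    x1 = encapsulate(k, IV, M1)[1]
    x2 = encapsulate(k, IV, M2)[1]
    return recover_second_frame(x1, x2, M1)

if __name__ == "__main__":
    print(demo(bytes(5)), demo(bytes(range(13))))   # 40-bit and 104-bit keys
```

The result is the same for both key lengths, which is the slide's point that keystream reuse is independent of key length.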
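The Likelihood of Keystream Reuse slide, as an added Python example that is not part of the lecture: the exact birthday probability for 24-bit IVs, and the position of the first repeated IV for cards that start at 0 and count up. Function names and packet counts are constructed for the illustration.

```python
import math
from itertools import chain

IV_SPACE = 1 << 24                               # WEP IVs are 24 bits

def reuse_probability(n: int, space: int = IV_SPACE) -> float:
    """Chance that n uniformly random IVs contain at least one repeat."""
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n))
    return -math.expm1(log_no_repeat)

def packets_for_even_odds(space: int = IV_SPACE) -> int:
    """Smallest packet count whose reuse probability reaches 1/2."""
    log_no_repeat, n = 0.0, 0
    while log_no_repeat > math.log(0.5):
        log_no_repeat += math.log1p(-n / space)
        n += 1
    return n

def first_reuse(ivs):
    """1-based position of the first packet whose IV was seen before, or None."""
    seen = set()
    for position, iv in enumerate(ivs, 1):
        if iv in seen:
            return position
        seen.add(iv)
    return None

def counter_card(packets: int):
    """IVs of a card that starts at 0 on insertion and adds 1 per packet."""
    return (iv % IV_SPACE for iv in range(packets))

def two_cards_sharing_key(packets_each: int):
    """Interleaved traffic of two such cards using the same key k."""
    pairs = zip(counter_card(packets_each), counter_card(packets_each))
    return chain.from_iterable(pairs)

def reinserted_card(packets_before: int, packets_after: int):
    """One card that is removed and reinserted, restarting its counter."""
    return chain(counter_card(packets_before), counter_card(packets_after))

if __name__ == "__main__":
    print("random IVs, even odds after", packets_for_even_odds(), "packets")
    print("bound 1.2*sqrt(B):", math.ceil(1.2 * math.sqrt(IV_SPACE)))
    print("two counter cards:", first_reuse(two_cards_sharing_key(1000)))
    print("reinserted card:", first_reuse(reinserted_card(1000, 1000)))
```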
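The Perturbing Traffic slide and the "Replace CRC with MAC" item from The Future of WEP, as an added Python example that is not part of the lecture: the same ciphertext bit flips are accepted under a CRC-32 checksum and rejected under a keyed MAC. The keystream is a stand-in byte string rather than RC4, since the effect does not depend on the cipher; the frame contents, MAC key and function names are constructed. zlib's CRC-32 presets and inverts its register, so it is affine rather than strictly linear and c_∆ is computed as crc(∆) XOR crc(zeros).

```python
import hashlib
import hmac
import zlib

MAC_KEY = b"constructed-mac-key"                 # assumption: separate integrity key

def xor(a: bytes, b: bytes) -> bytes:            # truncates to the shorter input
    return bytes(p ^ q for p, q in zip(a, b))

def keystream(n: int) -> bytes:
    """Stand-in for RC4(k,v): any fixed secret byte string shows the same effect."""
    return hashlib.shake_256(b"constructed keystream").digest(n)

def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "little")

def mac(m: bytes) -> bytes:
    return hmac.new(MAC_KEY, m, hashlib.sha256).digest()

def crc_patch(delta: bytes) -> bytes:
    """(delta c_delta) for zlib's CRC-32: c_delta = crc(delta) XOR crc(0...0)."""
    return delta + xor(crc(delta), crc(bytes(len(delta))))

def crc_check(body: bytes) -> bool:
    return crc(body[:-4]) == body[-4:]

def mac_check(body: bytes) -> bool:
    return hmac.compare_digest(mac(body[:-32]), body[-32:])

def tamper_demo():
    """Flip chosen plaintext bits through the ciphertext, without the keystream."""
    m = b"amount=0100;to=alice"                  # constructed frame
    delta = xor(m, b"amount=0900;to=alice")      # bits the modification flips
    ks = keystream(len(m) + 32)
    # WEP-style integrity: ciphertext of (m c_m), patched with (delta c_delta).
    forged = xor(xor(m + crc(m), ks), crc_patch(delta))
    crc_body = xor(forged, ks)                   # what the receiver decrypts
    # Keyed MAC: the same bit flips, with no way to fix up the tag.
    forged = xor(xor(m + mac(m), ks), delta + bytes(32))
    mac_body = xor(forged, ks)
    return crc_body[:-4], crc_check(crc_body), mac_check(mac_body)

if __name__ == "__main__":
    print(tamper_demo())
```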
