The Insecurity of 802.11

The Insecurity of 802.11

Intercepting Mobile Communications: The Insecurity of 802.11 Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Systems UC Berkeley [email protected] [email protected] [email protected] ABSTRACT cipher, WEP contains several major security flaws. The flaws give The 802.11 standard for wireless networks includes a Wired Equiv- rise to a number of attacks, both passive and active, that allow alent Privacy (WEP) protocol, used to protect link-layer communi- eavesdropping on, and tampering with, wireless transmissions. In cations from eavesdropping and other attacks. We have discovered this paper, we discuss the flaws that we identified and describe the several serious security flaws in the protocol, stemming from mis- attacks that ensue. application of cryptographic primitives. The flaws lead to a num- ber of practical attacks that demonstrate that WEP fails to achieve The following section is devoted to an overview of WEP and the its security goals. In this paper, we discuss in detail each of the threat models that it is trying to address. Sections 3 and 4 identify flaws, the underlying security principle violations, and the ensuing particular flaws and the corresponding attacks, and also discuss the attacks. security principles that were violated. Section 5 describes potential countermeasures. Section 6 suggest some general lessons that can 1. INTRODUCTION be derived from the WEP insecurities. Finally, Section 7 offers In recent years, the proliferation of laptop computers and PDA’s some conclusions. has caused an increase in the range of places people perform com- puting. At the same time, network connectivity is becoming an 2. THE WEP PROTOCOL increasingly integral part of computing environments. As a re- The Wired Equivalent Privacy protocol is used in 802.11 networks sult, wireless networks of various kinds have gained much popu- to protect link-level data during wireless transmission. It is de- larity. But with the added convenience of wireless access come scribed in detail in the 802.11 standard [15]; we reproduce a brief new problems, not the least of which are heightened security con- description to enable the following discussion of its properties. cerns. When transmissions are broadcast over radio waves, inter- ception and masquerading becomes trivial to anyone with a radio, WEP relies on a secret key £ shared between the communicating and so there is a need to employ additional mechanisms to protect parties to protect the body of a transmitted frame of data. Encryp- the communications. tion of a frame proceeds as follows: The 802.11 standard [15] for wireless LAN communications intro- Checksumming: First, we compute an integrity checksum ¤¦¥¨§ © duced the Wired Equivalent Privacy (WEP) protocol in an attempt on the message § . We concatenate the two to obtain a plain- to address these new problems and bring the security level of wire- text ¨§¤¥¨§© , which will be used as input to the sec- less systems closer to that of wired ones. The primary goal of WEP ond stage. Note that ¤¥¨§© , and thus , does not depend on is to protect the confidentiality of user data from eavesdropping. the key £ . WEP is part of an international standard; it has been integrated by manufacturers into their 802.11 hardware and is currently in Encryption: In the second stage, we encrypt the plaintext de- widespread use. rived above using RC4. We choose an initialization vector (IV) . The RC4 algorithm generates a keystream—i.e., a Unfortunately, WEP falls short of accomplishing its security goals. long sequence of pseudorandom bytes—as a function of the £ ¥£© Despite employing the well-known and believed-secure RC4 [16]1 IV and the key . This keystream is denoted by . Then, we exclusive-or (XOR, denoted by ) the plaintext The work was done while Ian Goldberg was a student at UC with the keystream to obtain the ciphertext: Berkeley ¡ A public description of the alleged RC4 algorithm can be found !"¥£©$# Transmission: Finally, we transmit the IV and the ciphertext over Published in the proceedings of the Seventh Annual International Confer- the radio link. ence on Mobile Computing And Networking, July 16–21, 2001. Permission to make digital or hard copies of part or all of this work for per- sonal or classroom use is granted without fee provided that copies are not Symbolically, this may be represented as follows: made or distributed for profit or commercial advantage and that copies bear % &('*) ¨§ ¤¦¥¨§ ©$# this notice and the full citation on the first page. Copyrights for components +¥, !"¥-£.©© where of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers or to The format of the encrypted frame is also shown pictorially in Fig- redistribute to lists, requires prior specific permission and/or a fee. ure 1. ¢ c 2001 ACM in [17]. specifies the use of 40-bit keys, so chosen because of US Govern- 1 Plaintext ment restrictions on the export of technology containing cryptogra- 0 / Message CRC phy, which were in effect at the time the protocol was drafted. This key length is short enough to make brute-force attacks practical XOR to individuals and organizations with fairly modest computing re- 2 Keystream = RC4(v,k) sources [3, 8]. However, it is straightforward to extend the protocol to use larger keys, and several equipment manufacturers offer a so- called “128-bit” version (which actually uses 104-bit keys, despite 0 3 v Ciphertext its misleading name). This extension renders brute-force attacks impossible for even the most resourceful of adversaries given to- Transmitted Data day’s technology. Nonetheless, we will demonstrate that there are shortcut attacks on the system that do not require a brute-force at- tack on the key, and thus even the 128-bit versions of WEP are not secure. Figure 1: Encrypted WEP Frame. In the remainder of this paper, we will argue that none of the three security goals are attained. First, we show practical attacks that al- We will consistently use the term message (symbolically, § ) to refer to the initial frame of data to be protected, the term plaintext low eavesdropping. Then, we show that it is possible to subvert the integrity checksum field and to modify the contents of a transmit- ( ) to refer to the concatenation of message and checksum as it is presented to the RC4 encryption algorithm, and the term ciphertext ted message, violating data integrity. Finally, we demonstrate that ( ) to refer to the encryption of the plaintext as it is transmitted our attacks can be extended to inject completely new traffic into the over the radio link. network. To decrypt a frame protected by WEP, the recipient simply re- A number of these results (particularly the IV reuse weaknesses verses the encryption process. First, he regenerates the keystream described in Section 3) have been anticipated in earlier indepen- dent work by Simon et. al [19] and by Walker [24]. The serious ¥-£© and XORs it against the ciphertext to recover the initial plaintext: flaws in the WEP checksum (see Section 4), however, to the best of our knowledge have not been reported before. After our work was 7¥-£.© 546 completed, Arbaugh et. al have found several extensions that may ¥, !"¥-£.©©89.¥-£© make these weaknesses even more dangerous in practice [2, 1]. :# 2.2 Attack Practicality Next, the recipient verifies the checksum on the decrypted plaintext Before describing the attacks, we would like to discuss the fea- ¨§ ¤ 4 4 4 by splitting it into the form , re-computing the check- sibility of mounting them in practice. In addition to the crypto- ¤¥¨§ © sum 4 , and checking that it matches the received checksum graphic considerations discussed in the sections to follow, a com- ¤ 4 . This ensures that only frames with a valid checksum will be mon barrier to attacks on communication subsystems is access to accepted by the receiver. the transmitted data. Despite being transmitted over open radio waves, 802.11 traffic requires significant infrastructure to intercept. 2.1 Security Goals An attacker needs equipment capable of monitoring 2.4GHz fre- The WEP protocol is intended to enforce three main security goals quencies and understanding the physical layer of the 802.11 proto- [15]: col; for active attacks, it is also necessary to transmit at the same frequencies. A significant development cost for equipment manu- facturers lies in creating technologies that can reliably perform this Confidentiality: The fundamental goal of WEP is to prevent ca- task. sual eavesdropping. Access control: A second goal of the protocol is to protect access As such, there might be temptation to dismiss attacks requiring to a wireless network infrastructure. The 802.11 standard link-layer access as impractical; for instance, this was once es- includes an optional feature to discard all packets that are not tablished practice among the cellular industry. However, such a properly encrypted using WEP, and manufacturers advertise position is dangerous. First, it does not safeguard against highly the ability of WEP to provide access control. resourceful attackers who have the ability to incur significant time and equipment costs to gain access to data. This limitation is es- Data integrity: A related goal is to prevent tampering with trans- pecially dangerous when securing a company’s internal wireless mitted messages; the integrity checksum field is included for network, since corporate espionage can be a highly profitable busi- this purpose. ness. Second, the necessary hardware to monitor and inject 802.11 traf- In all three cases, the claimed security of the protocol “relies on fic is readily available to consumers in the form of wireless Eth- the difficulty of discovering the secret key through a brute-force ernet interfaces. All that is needed is to subvert it to monitor and attack” [15].

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us