Intercepting Mobile Communications: The Insecurity of 802.11 ...or "Why WEP Stinks"
Dustin Christmann

Introduction
- This presentation will discuss the inadequacies of WEP encryption
- We'll discuss the theoretical weaknesses of the WEP standard
- We'll discuss the types of attacks that can exploit those weaknesses
- We'll discuss the speed of "real world" attacks on WEP

Agenda
- What's on your network?
- What is WEP?
- Theoretical weaknesses of WEP
- Types of attacks on WEP
- How well do these attacks work in the "real world"?
- Countermeasures

What's on your wireless network?
- 802.11 (Wi-Fi) networks are ubiquitous today
- Types of encryption:
  – Open (no encryption)
  – WEP
  – WPA/WPA2

So what is WEP?
- WEP is Wired Equivalent Privacy
- Link-layer encryption
- Defined in the IEEE 802.11 standard
- "Least common denominator" Wi-Fi encryption
- Goals of WEP:
  – Confidentiality
  – Access control
  – Data integrity

So how does WEP work?

First, let's introduce the players
- Message: what you're encrypting
- CRC: to verify the integrity of the message
- Plaintext: the message + CRC
- Initialization vector (IV): a 24-bit number which plays two roles that we'll meet in a moment
- Key: a 40- or 104-bit number which is used to build the keystream
- Keystream: what is used to encrypt the plaintext
- Ciphertext: what we end up with post-encryption
[Diagram: Message, IV, CRC, Key, Keystream, Ciphertext]

WEP encryption step-by-step
- Step 1: Compute the CRC for the message
  – The CRC-32 polynomial is used
[Diagram: Message → CRC]

WEP encryption step-by-step
- Step 2: Compute the keystream
  – The IV is concatenated with the key
  – The RC4 encryption algorithm is run on the 64- or 128-bit concatenation
[Diagram: IV, Key → Keystream]

WEP encryption step-by-step
- Step 3: Encrypt the plaintext
  – The plaintext is XORed with the keystream to form the ciphertext
  – The IV is prepended to the ciphertext
[Diagram: Message + CRC, Keystream → IV + Ciphertext]

WEP decryption step-by-step
- Step 1: Build the keystream
  – Extract the IV from the incoming frame
  – Prepend the IV to the key
  – Use RC4 to build the keystream
[Diagram: IV, Key → Keystream]

WEP decryption step-by-step
- Step 2: Decrypt the plaintext and verify
  – XOR the keystream with the ciphertext
  – Verify the extracted message with the CRC
[Diagram: Ciphertext, Keystream → Message + CRC]

What are the main weaknesses of WEP?

Initialization vector (IV)
- It's carried in plaintext in the "encrypted" message!
- It's only 24 bits!
- There are no restrictions on IV reuse!
- The IV forms a significant portion of the "seed" for the RC4 algorithm!

CRC algorithm
- The CRC is a linear function
  – First-order polynomial: y = mx + b
  – Key property when b is 0: f(x + y) = f(x) + f(y)
- The CRC is an unkeyed function

RC4 cipher
- Some seeds are "weaker" than others
- By extension, some IV values are weaker than others
- Weak seeds = more easily calculated keystreams

Defragmentation
- Not necessarily a weakness
- Part of the 802.11 standard
  – Affects WPA and WPA2 encryption as well

What are some potential attacks on a WEP network?

First, you know more about the plaintext than you think you know
- With 802.11, you know the first eight bytes of a packet (the LLC/SNAP header):
  Bytes:  AA    AA    03    00 00 00   08 ??
  Field:  DSAP  SSAP  CTRL  Org Code   EtherType
  – The EtherType can be either IP or ARP
- Many IP services have packets of fixed lengths
- Most WLAN IP addresses follow common conventions
- Many IP behaviors have predictable responses

Message modification
- Takes advantage of the CRC's linearity and unkeyed nature
- C is the original ciphertext
- c is the CRC-32 function
- Δ is the change in the message
- Need to know some of the plaintext, but not all!
  C' = C ⊕ (Δ, c(Δ))

Message injection
- Takes advantage of the CRC's unkeyed nature and IV reuse
- C is the original ciphertext
- P is the original plaintext
- RC4(v, k) is the keystream for IV v and key k
- M' is the new message
- c is the CRC-32 function
- Need to know all of the plaintext
  P ⊕ C = RC4(v, k)
  C' = (M', c(M')) ⊕ RC4(v, k)

Authentication spoofing
- Takes advantage of IV reuse
- Takes advantage of the WEP challenge mechanism for new mobile stations
- The access point sends an unencrypted 128-bit value
- The mobile station returns the same value encrypted
- Monitor the exchange and...
  – Learn an IV-keystream pair
  – Authenticate on the mobile network
  P ⊕ C = RC4(v, k)

Fragmentation attack
- Takes advantage of defragmentation and IV reuse
- Takes advantage of knowing the plaintext of at least the first eight bytes of 802.11 data
- Each segment includes a 4-byte checksum
- An 802.11 frame can be divided into 16 segments
- The access point will defragment the frame before forwarding, allowing the transmission of 16 × (known bytes of keystream − 4 bytes) of data

Full keystream recovery using fragmentation
- Send a 64-byte frame to a broadcast address in 16 segments
- Eavesdrop the defragmented 68-byte frame
- Send a 1024-byte frame to a broadcast address in 16 segments
- Eavesdrop the defragmented 1028-byte frame
- Send a 1496-byte frame to a broadcast address in 2 segments
- Eavesdrop the defragmented 1500-byte frame

IP redirection
- Takes advantage of defragmentation
- Eavesdrop an encrypted frame
- Build an encrypted IP header with the desired destination IP address
- Configure the 802.11 headers for segmented transmission
- Send the frames
- Receive the unencrypted data at an Internet-connected computer
[Diagram: original IP header x and ciphertext message; new IP header y in front]

So how easy do these techniques make a WEP network to compromise?

Answer: Darn easy
- Attacks are greatly aided by automated tools
- The authors of "The Final Nail in WEP's Coffin" broke a 40-bit key in under 15 minutes and a 104-bit key in under 80 minutes
- FBI agents demonstrated it in 3 minutes in 2005
  – http://www.informationweek.com/management/compliance/160502612
  – "Usually it takes five to ten minutes"

Countermeasures
- DON'T USE WEP!
- Use WPA or WPA2 with a strong key
- Change the default settings on your wireless router
- Use a VPN
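As an added example (not from the slides, and not the author's code), here is a minimal Python model of the WEP steps the deck walks through (CRC-32 appended, RC4 keyed with IV || key, XOR with the keystream, IV sent in the clear) together with a check of the CRC linearity property the "CRC algorithm" slide names as the root of message modification. Function names are my own, and the key, IV and message values used with it are constructed for illustration.

```python
# Added example, not from the slides: a minimal WEP-style encrypt/decrypt that
# follows the steps the deck describes, plus a check that CRC-32 is affine
# (f(x ^ y) == f(x) ^ f(y) ^ f(0)), i.e. unkeyed and linear. Keys, IVs and
# messages fed to these functions are constructed values for illustration.
import struct
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns n keystream bytes for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(message: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the message, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(message))

def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Encryption steps 1-3: plaintext = message || CRC; XOR with RC4(IV || key); prepend IV."""
    assert len(iv) == 3 and len(key) in (5, 13), "24-bit IV, 40- or 104-bit key"
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def wep_decrypt(key: bytes, frame: bytes):
    """Decryption steps 1-2: read the cleartext IV, rebuild the keystream, XOR, verify the CRC."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, keystream))
    message, tag = plaintext[:-4], plaintext[-4:]
    return message if tag == icv(message) else None   # None: integrity check failed

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_is_affine(a: bytes, b: bytes) -> bool:
    """True when f(a ^ b) == f(a) ^ f(b) ^ f(0) for equal-length a, b: the CRC offers
    no keyed integrity, which is why WPA/WPA2 replace it with a keyed MIC."""
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
```

Because the same IV under the same key rebuilds the same RC4 keystream, two frames encrypted with one IV have bodies that differ exactly by the XOR of their plaintexts; that is the IV-reuse weakness from the slides in concrete form.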