WEP Weaknesses Or What on Earth does this

  • Slides: 21
Download presentation
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber

Goals ¨ Authorization – Prevent unauthorized access to network ¨ Privacy – The P

Goals ¨ Authorization – Prevent unauthorized access to network ¨ Privacy – The P in WEP – Make it feel like LAN – Maintain data privacy from outsiders 2

Basic Flaws ¨ Bad design – Each component is good, but not suited to

Basic Flaws ¨ Bad design – Each component is good, but not suited to datagram environment ¨ No key management – One key for all ¨ Bad implementation 3

Stream Ciphers ¨C = P S ¨ Key streams must never be reused –

Stream Ciphers ¨C = P S ¨ Key streams must never be reused – C 1 C 2 = (P 1 S) (P 2 S) = P 1 P 2 ¨ Forgery is easy – Bit flip attack – If M 2 = M 1 X – Then C 2 = C 1 X 4

Stream Ciphers And Datagram ¨ Key streams must never be reused ¨ Encryptor and

Stream Ciphers And Datagram ¨ Key streams must never be reused ¨ Encryptor and decryptor must remain synchronized ¨ Bad for datagram environment ¨ Without Random Access property encryption process starts for each packet ¨ Different key for each packet 5

WEP Solution ¨ ICV – Prevents forgery – Checksum on the data prevents bit

WEP Solution ¨ ICV – Prevents forgery – Checksum on the data prevents bit flipping ¨ IV – Prevents key reuse – Each packet a new key that starts a new stream is used 6

? ICV Prevents Forgery ¨ Uses CRC-32 checksum ¨ CRC-32 is linear: – CRC(A

? ICV Prevents Forgery ¨ Uses CRC-32 checksum ¨ CRC-32 is linear: – CRC(A B) = CRC(A) CRC(B) ¨ RC 4 is transparent to XOR – C = RC 4 ( [M, CRC(M)] ) – C’ = C [X, CRC(X)] = [M, CRC(M)] S [X, CRC(X)] = RC 4 ([M X, CRC( M X)]) 7

IV Prevents Key Reuse ? ¨ IV space is very small : 224 ¨

IV Prevents Key Reuse ? ¨ IV space is very small : 224 ¨ Birthday attack: – 50% chance of collision after only 4823 packets – 99% collision after 12, 430 packets = 3 seconds in 11 Mbps traffic – Assuming random IV selection (Some implemented IV as a counter from 0) – Assuming IV changes. Its optional 8

After IV Match Is Found ¨ Pattern recognition on the XOR’d plaintext ¨ ICV

After IV Match Is Found ¨ Pattern recognition on the XOR’d plaintext ¨ ICV tells if the guess is correct ¨ After only a few hours of observation, you can recover all 224 key streams ¨ Get active: – Send Spam to the network – Get the victim to send e-mail to you – Known plaintext Key stream 9

Authentication ¨ SSID ¨ Shared Key ¨ MAC 10

Authentication ¨ SSID ¨ Shared Key ¨ MAC 10

Authentication Problems ¨ SSID – Easy to get by sniffing, it is broadcasted (If

Authentication Problems ¨ SSID – Easy to get by sniffing, it is broadcasted (If WEP encryption deployed – access by key) ¨ MAC – It is broadcasted – Can be spoofed 11

How to Authenticate without the Key AP STA Challenge (Nonce) Response ( RC 4

How to Authenticate without the Key AP STA Challenge (Nonce) Response ( RC 4 [Nonce] under shared key) Decrypted nonce OK? Simple Attack: • Record one challenge/response with a sniffer • Use the challenge to decrypt the response and recover the key stream • Use the recovered key stream to encrypt any subsequent challenge 12

Types Of Attacks ¨ IV re-use attack to decrypt traffic – We already seen

Types Of Attacks ¨ IV re-use attack to decrypt traffic – We already seen it ¨ Replay Attack – Trivial ¨ Statistical attacks ¨ IP Modification ¨ Active attack to inject traffic ¨ Bit flip attack to recover key stream 13

Improvement Techniques “Grow” a partial keystream, Use key table 14

Improvement Techniques “Grow” a partial keystream, Use key table 14

FMS Attack ¨ Fluhrer, Martin and Shamir found a class of RC 4 keys

FMS Attack ¨ Fluhrer, Martin and Shamir found a class of RC 4 keys called “weak keys” ¨ If the first 2 bytes of enough key stream are known -> The RC 4 key is discovered ¨ The first 8 bytes of WEP packet is a known SNAP-SAP header ¨ Air. Snort implements this attack – Recovers key after 20, 000 packets = 11 seconds 15

IP Modification IP redirection: – Change the destination of an encrypted packet to a

IP Modification IP redirection: – Change the destination of an encrypted packet to a machine controlled by the attacker on the wired network. – Send modified frame to AP that will decrypt it and send to attacker machine – Derive keystream from this ciphertext, plaintext pair – Attacker can reuse keysteam to send/receive WLAN traffic 16

Inject Traffic ¨ If there is a known cipher plaintext pair ¨ The cipher

Inject Traffic ¨ If there is a known cipher plaintext pair ¨ The cipher can be modified to any message ¨ Correct CRC is calculated and inserted ¨ Uses: – Unauthorized traffic can be sent – User commands can be altered. (telnet , ftp, etc) 17

Bit Flipping Attack 18

Bit Flipping Attack 18

Practicality ¨ Available cheap equipment ¨ Laptop and wireless card ¨ Tools: Air. Snort,

Practicality ¨ Available cheap equipment ¨ Laptop and wireless card ¨ Tools: Air. Snort, Netstumbler, Kismet ¨ Easy to sniff, harder to transmit 19

Main Points ¨ WEP was badly designed ¨ WEP was badly implemented ¨ I

Main Points ¨ WEP was badly designed ¨ WEP was badly implemented ¨ I didn’t even speak about Do. S attack, MITMs, Impersonating to AP ¨ Treat wireless the way you treat remote traffic 20

Thank You!

Thank You!