Wireless Security
By Robert Peterson, M.S.C.E.
Cryptographic Protocols
University of Florida, College of Information Sciences & Engineering

802.11b overview
• Not originally designed for the business world
• No load balancing
• SSID was intended to be used much like a strong password (long, non-meaningful strings, symbols)
• Access Points (APs) broadcast ‘Beacon Frames’ periodically. SSID scans were not an intended feature of the standard.

There are two types of security in 802.11b
(1) An authentication standard for connecting to an access point
(2) Wireless Encryption Protocol (WEP), which encrypts each wireless data frame

Access Point Authentication
There are two choices:
(1) Open Authentication (none)
(2) Shared Key Authentication:
  a) user sends request to AP
  b) user receives ChallengeText
  c) user sends back {ChallengeText}WEP_Key
The encryption method used is RC4, a symmetric stream cipher with an arbitrary key size. RC4 was created by Ron Rivest of RSA Security in 1987.

Shared Key Authentication is horrible
• A WEP key is just 40 bits, and a malicious party has access to RC4 (open standard), the ciphertext, and the plaintext!
• Over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random.
• Every source I read said that open authentication is far safer than Shared Key Authentication (SKA). Why is SKA dangerous to keep on?

Wireless Encryption Protocol (WEP)
• Every wireless frame is encrypted with a global 40-bit WEP key and a generated 24-bit number called an initialization vector (IV)
• It is completely insecure. You don’t need anything other than a regular wireless card to compromise everything.

Vulnerability 1
Plaintext P = Message M + Checksum c(M)
P ⊕ RC4(iv, k) = Cipher text C
• RC4 is a stream cipher
  – Produces a key stream that is XORed with the plain text
  – Susceptible to “key stream re-use” attacks

A Property of Stream Ciphers
• Observe: Suppose we are given:
    C1 = P1 ⊕ RC4(iv, k)
    C2 = P2 ⊕ RC4(iv, k)
  Then:
    C1 ⊕ C2 = P1 ⊕ RC4(iv, k) ⊕ P2 ⊕ RC4(iv, k) = P1 ⊕ P2
• XORing two cipher texts together gives the XOR of the two plain texts!!
  – C1 ⊕ C2 = P1 ⊕ P2

Consequences of Observation
Just observed that: C1 ⊕ C2 = P1 ⊕ P2
• Given P1, C1 and C2, you can calculate P2
• In the real world, it is possible to recover P1 and P2 given C1, C2, and P1 ⊕ P2 using
  – classical techniques (frequency analysis)
  – known formats (IP header)
  – secure and insecure broadcast packets

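The key stream reuse property from the two slides above, run on constructed data (an added example, not part of the original slides). It assumes RC4(iv, k) means RC4 keyed with iv || k; the key, IVs and plain texts are made up.

```python
def rc4(key: bytes, n: int) -> bytes:
    """Return the first n key stream bytes RC4 produces for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # key stream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(iv: bytes, k: bytes, p: bytes) -> bytes:
    """C = P xor RC4(iv, k); assumption: RC4 is keyed with iv || k."""
    return xor(p, rc4(iv + k, len(p)))


# Constructed sample values, not taken from any real network.
K = bytes.fromhex("0102030405")          # 40-bit shared key
IV_A = bytes.fromhex("00002a")           # 24-bit IV, used for two frames
IV_B = bytes.fromhex("00002b")           # a different IV
P1 = b"GET /index.html HTTP/1.0"         # frame whose contents are known
P2 = b"USER alice PASS hunter2\n"        # frame whose contents are secret


def reuse_demo():
    c1, c2 = encrypt(IV_A, K, P1), encrypt(IV_A, K, P2)
    keystream_cancels = xor(c1, c2) == xor(P1, P2)     # C1^C2 == P1^P2
    p2_from_known_p1 = xor(xor(c1, c2), P1)            # no key needed
    c3 = encrypt(IV_B, K, P2)                          # fresh IV for P2
    fresh_iv_fails = xor(xor(c1, c3), P1) != P2
    return keystream_cancels, p2_from_known_p1, fresh_iv_fails


if __name__ == "__main__":
    print(reuse_demo())
```

The third result shows that the cancellation only happens when both frames share an IV, which is why the IV handling on the following slides matters.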
How to fix this problem?
• The vulnerability exists because the same key stream is used for both P1 and P2
  – Simple fix: change the key stream!
• This is done by changing the initialization vector used for each packet
  – Augment the plain text portion of each packet with its initialization vector
  – WEP recommends that this be done
• In practice, this does NOT prevent key stream reuse attacks!!

IV was an idiotic fix to keep RC4
• Easy to find re-used initialization vectors
  – Sent as plain text
• Management problems
  – WEP does not specify how it is chosen
• Most simply start at 0 upon boot, and increment by 1!!!
• WEP specifies that the initialization vector is only 24 bits
  – Essentially guarantees re-use
• WEP does not require changing the initialization vector.
  – Can stay the same!

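How quickly a 24-bit IV repeats, and how reuse shows up in a capture (an added example, not part of the original slides). The random-IV case, the 1500-byte frame size, the 11 Mbit/s rate and the capture are assumptions made for illustration.

```python
from collections import defaultdict

IV_SPACE = 2 ** 24          # WEP's IV is 24 bits


def frames_until_likely_reuse(threshold: float = 0.5, space: int = IV_SPACE) -> int:
    """Smallest number of randomly chosen IVs whose chance of containing
    a repeat reaches `threshold` (birthday bound, computed exactly)."""
    p_all_unique, n = 1.0, 0
    while 1.0 - p_all_unique < threshold:
        p_all_unique *= 1.0 - n / space
        n += 1
    return n


def hours_to_exhaust(frame_bytes: int = 1500, mbps: float = 11.0) -> float:
    """Time for a counter IV to wrap on a saturated link.
    Assumption: 1500-byte frames at 11 Mbit/s, ignoring protocol overhead."""
    seconds_per_frame = frame_bytes * 8 / (mbps * 1_000_000)
    return IV_SPACE * seconds_per_frame / 3600


def find_iv_reuse(frames):
    """frames: iterable of (station, iv). With one shared key, any IV seen
    twice means two frames were encrypted under the same key stream."""
    seen = defaultdict(list)
    for station, iv in frames:
        seen[iv].append(station)
    return {iv: who for iv, who in seen.items() if len(who) > 1}


# Constructed capture: station A has sent five frames; station B reboots,
# starts its IV counter at 0 and sends three frames under the same key.
CAPTURE = [("A", iv) for iv in range(5)] + [("B", iv) for iv in range(3)]

if __name__ == "__main__":
    print(frames_until_likely_reuse())        # random IVs
    print(round(hours_to_exhaust(), 1))       # counter IVs
    print(find_iv_reuse(CAPTURE))
```

With counters that restart at 0, every frame from the rebooted station collides at once, so the 24-bit limit is only the upper bound on how long reuse can be avoided.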
Now decryption is easy
• Decryption dictionary:
  – Once the plain text is known from vulnerability 1, the key stream is also known
• RC4(iv, k) = C ⊕ P
  – An attacker can store this key stream in a table indexed by the initialization vector
• Assuming 1.5 KB for each of the 2^24 initialization vectors, this table would only be 24 GB
  – Once created, decryption is easy
• This attack is not affected by key size

Vulnerability 2
• Key Management
  – WEP does not specify how the secret key is distributed
  – In practice, the key is manually entered
• For convenience, most sites use a single shared key
  – Increases the probability of initialization vector reuse
• Due to inconvenience, keys are rarely changed in practice

Vulnerability 3
• WEP does not provide access control
  – Once a key stream is found, the attacker can inject any messages into the network
• Can calculate CRC-32 checksum
• Can encrypt message + checksum using the known key stream
  – This defeats the WEP authentication protocol
• Simple challenge-encrypt-reply-decrypt-compare protocol

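Why the unkeyed CRC-32 checksum gives no access control once one key stream is known, shown beside a keyed tag (an added example, not part of the original slides). The key stream, keys and messages are constructed, and HMAC-SHA256 is chosen here only for contrast; the slides do not propose it.

```python
import hashlib
import hmac
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_tag(msg: bytes) -> bytes:
    """Unkeyed CRC-32 checksum c(M): anyone can compute it."""
    return zlib.crc32(msg).to_bytes(4, "little")


def seal(msg: bytes, keystream: bytes, tag_fn) -> bytes:
    return xor(msg + tag_fn(msg), keystream)


def open_frame(frame: bytes, keystream: bytes, tag_fn, tag_len: int):
    plain = xor(frame, keystream)
    msg, tag = plain[:-tag_len], plain[-tag_len:]
    return msg if hmac.compare_digest(tag, tag_fn(msg)) else None


# Constructed values. KEYSTREAM stands in for RC4(iv, k) for one IV.
KEYSTREAM = hashlib.sha256(b"constructed key stream").digest() * 2   # 64 bytes
MAC_KEY = b"constructed MAC key held only by members"
KNOWN = b"hello from station A"     # plain text the outsider already knows
OTHER = b"not sent by any host"     # message no member ever sent


def keyed_tag(msg: bytes) -> bytes:
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()


def outsider_tag(msg: bytes) -> bytes:      # outsider must guess the MAC key
    return hmac.new(b"guess", msg, hashlib.sha256).digest()


def compare_integrity_checks():
    # Checksum design: C xor P hands over the key stream, and the checksum
    # needs no secret, so the receiver accepts a frame no member sent.
    observed = seal(KNOWN, KEYSTREAM, crc_tag)
    recovered = xor(observed, KNOWN + crc_tag(KNOWN))
    crc_result = open_frame(seal(OTHER, recovered, crc_tag), KEYSTREAM, crc_tag, 4)
    # Keyed-tag design: even with the whole key stream, the tag cannot be made.
    mac_result = open_frame(seal(OTHER, KEYSTREAM, outsider_tag), KEYSTREAM, keyed_tag, 32)
    return crc_result, mac_result
```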
Proposed Solutions
• Use 128-bit WEP Key – still suxors, who cares? IV is the source of attacks not WEP
• Rotational WEP Keys – Global Key and Rotating Session keys each encrypted with previous one. Helps but IV still weak link.
• MAC address filtering – management nightmare, MAC addresses can be sniffed out of frames

VPN
• Each client is configured with a VPN client and tunneled over the wireless network to a VPN concentrator on the wired network
• Malicious party just ignores the tunnel!
• Some clients have the option to battle with the Operating System and only allow traffic to go through the tunnel, but this is not commonplace

802.11X
• New authentication protocol (replaces Shared Key Authentication)
• Steps:
  (1) Client requests connection from AP
  (2) AP asks for “credentials”
  (3) AP sends credentials to a RADIUS Server
RADIUS = Remote Authentication Dial-In User Service
The secure protocol for supplying credentials must follow the 802.11X Extensible Authentication Protocol (EAP) standard

Some EAP implementations
• EAP-MD5
  - one of the first implementations
  - passes a hash of a username/password pair to the RADIUS Server
  - Doesn’t prevent current WEP Attacks
• EAP-Cisco Wireless, or LEAP
  - A one-time WEP key is used to validate credentials
  - RADIUS has session timeout feature

The Future?
IEEE is working on 802.11i, which will go beyond just ratifying authentication, which is what 802.11X did
- MAC addresses will be reworked
Temporal Key Integrity Protocol (TKIP). Generates new encryption keys for every 10 kilobytes of data transmitted. Still uses WEP and RC4.

References
• ars technica, Wireless Security Black Paper, 7/18/2002, http://arstechnica.com/articles/paedia/security.ars/
• Nikita Borisov, Ian Goldberg, David Wagner (University of California, Berkeley), Intercepting Mobile Communications: The Insecurity of 802.11, MobiCom 2001, http://classes.cec.wustl.edu/~cs673/WEP.ppt
• Leon Erlanger, Real Security for Wireless LANs, PC Magazine, 8/05/2003, Vol. 22 Issue 13, p. 72
• Yardena Arar, Beefing Up 802.11b Security, PCWorld.com, 2/04/2002, http://www.pcworld.com/news/article/0,aid,82563,00.asp