802.11 Security – Wired Equivalent Privacy (WEP)Agenda for the presentationIntroduction802.11 Wireless LAN – brief description802.11 Wireless LAN – brief description (cont’d) Network servicesGoals of WEPConfidentiality in WEPConfidentiality in WEP – (cont’d) WEP keys and Initialization vector (IV)Data Integrity in WEPConfidentiality and data integrity in WEPAccess Control in WLANsSecurity loopholes and attacks on WEP Attacks on shared key authenticationSecurity loopholes and attacks on WEP - (cont’d) Attacks due to keystream reuseSecurity loopholes and attacks on WEP - (cont’d) Attacks due to CRCSecurity loopholes and attacks on WEP - (cont’d) Attacks exploiting the Access PointsSlide 16Security loopholes and attacks on WEP - (cont’d) Attacks on RC4 used by WEPLessons learnt from the failure of WEPReferences802.11 Security – Wired Equivalent Privacy (WEP)ByShruthi B KrishnanAgenda for the presentationIntroduction802.11 Wireless LAN – brief descriptionGoals of WEPConfidentiality in WEPData Integrity in WEPAccess Control in WLANsSecurity loopholes and attacks on WEPLessons to be learntIntroductionHistory of wireless technologyInception of wireless networking took place at the University of Hawaii in 1971. It was called ALOHAnet.Star topology with 7 computersSpanned 4 Hawaiian islands with the central system in OahuIn 1997, world’s first WLAN standard– 802.11– was approved by IEEEWired Equivalent Privacy – security standard proposed by 802.11Has many loopholes and has been completely broken802.11 Wireless LAN – brief descriptionStationsWireless mediumAccess PointsDistribution SystemBasic Service Set (BSS)Extended Service set (ESS)Distribution systemAccess PointsWireless MediumMobile stationsMobile stations802.11 Wireless LAN – brief description (cont’d)Network servicesDistribution System servicesAssociationDisassociationReassociationStation servicesAuthenticationDeauthenticationPrivacySuccessful AuthenticationUnauthenticated andUnassociatedAuthenticated andUnassociatedAuthenticated andAssociatedSuccessful Association/ ReassociationDisassociationDeathenticationOutside the networkInside the networkGoals of WEPConfidentialityUses stream cipher RC4 for encryptionData IntegrityUses cyclic redundancy checkAccess controlShared key authenticationConfidentiality in WEPOne-time pad vs Stream ciphersPerfect randomness is compromised for practicalityRC4 algorithm used for encryption of data framesKEYPlaintextKeystreamCiphertext+IVConfidentiality in WEP – (cont’d)WEP keys and Initialization vector (IV)Shared secret keyShared among all usersChanged infrequentlyOriginal standard – 40 bit key. Later implementations used 104 bit keyWEP uses set of up to 4 keysKey distribution problemsInitialization vector24 bitsPrepended with the secret keyNeed to be random to prevent key reuse or IV collisionIV sent in clearData Integrity in WEPComputes Integrity Check Value (ICV)ICV is appended with data frame and encryptedCRC-32 algorithm usedEfficient in capturing data tamperingCryptographically insecurePlaintext ICVPlaintextCRC-32 Plaintext ICVRC4IV Keystream+ Plaintext ICVConfidentiality and data integrity in WEPIVFrame Header4 bytes3 bytespad Keyindex40 or 104 bit keyAccess Control in WLANsRequest for accessChallenge text, REncrypt R using WEPMobile station Access PointOpen System AuthenticationShared key authenticationKeystream = R1 C1Security loopholes and attacks on WEPAttacks on shared key authenticationRequest for accessChallenge text, R1Encrypt R1 using WEP (C1)Good guy Access PointRequest for accessChallenge text, R2Encrypt R2 using WEP (C2 = Keystream R2)Bad guy Access Point++Security loopholes and attacks on WEP - (cont’d)Attacks due to keystream reuseImproper IV managementIV-space is smallImplementation dependentSent in clear Recovery of plaintextsDecryption dictionary attacksIndependent of keysizeCiphertextPlaintextKeystreamCiphertext++Plaintext+PlaintextPlaintext+Security loopholes and attacks on WEP - (cont’d)Attacks due to CRCCRC is good for message authentication, but bad for securityBoth CRC checksum and RC4 are linear and can be easily manipulated CRC is unkeyedAttacker can inject messages into the system Plaintext ICVΔ+Δc+ Plaintext ICVΔ= Plaintext Plaintext = ICV ICV Δc++Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access PointsMobile stationAccess PointChange destination addressAttackerSecurity loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access PointsMobile stationAccess PointModify any Pi and Pi+16AttackerTCP ACKTCP ACKMessage with flipped bitsIntercepted ciphertext with flipped bitsAccess points can be used to monitor TCP/IP trafficRecipient send an ACK only if TCP checksum is correctTCP checksum remains unaltered if Pi ex-OR Pi+16 is 1.Security loopholes and attacks on WEP - (cont’d)Attacks on RC4 used by WEPResearch by Scott Fluhrer, Itsik Mantin and Adi Shamir First byte of plaintext has to be known. For WEP implementations, it is 0xAASet of weak keys that correspondingly reveal some part of the secret keyFormat of weak IVsFirst byte (B) can range from 0x03 to 0x07 Second byte has to be 0xFFThird byte (N) can be any known value between 0 & 255.Probability to find a byte of secret key for 60 different values of N is non-negligibleSeveral successful experiments based on this attackPopular key-recovery programs like Airsnort use this analysisLessons learnt from the failure of WEPKey shared by all users of the systemKey is changed infrequentlyNo Perfect forward secrecyManual key management Key reuse due to non-random IVsRandom IVs are not insisted uponShort IVsNo protection for replay attacksUse of unkeyed CRC instead of SHA1-HMACEncryption cipher used was weakWEP was not publicly reviewed before it became a standardWEP is insecure!!ReferencesThe Institute of Electrical and Electronics Engineers (IEEE) websitehttp://www.ieee.org802.11Wireless Networks- The Definitive GuideBy Matthew S. Gast, O’REILLY Publications.History of
View Full Document