Number of slides: 28
Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks”
Dustin Christmann
Introduction
- This presentation will discuss the inadequacies of WEP encryption
- We’ll discuss theoretical weaknesses of the WEP standard
- We’ll discuss the types of attacks that can exploit those weaknesses
- We’ll discuss the speed of “real world” attacks on WEP
Agenda
- What’s on your network?
- What is WEP?
- Theoretical weaknesses of WEP
- Types of attacks on WEP
- How well do these attacks work in the “real world”?
- Countermeasures
What’s on your wireless network?
- 802.11 (Wi-Fi) networks are ubiquitous today
- Types of encryption:
  – Open (no encryption)
  – WEP
  – WPA/WPA2
So what is WEP?
- WEP is Wired Equivalent Privacy
- Link-layer encryption
- Defined in the IEEE 802.11 standard
- “Least common denominator” Wi-Fi encryption
- Goals of WEP
  – Confidentiality
  – Access control
  – Data integrity
So how does WEP work?
First, let’s introduce the players
- Message: What you’re encrypting
- CRC: To verify the integrity of the message
- Plaintext: The message + CRC
- Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment
- Key: A 40- or 104-bit number which is used to build the keystream
- Keystream: What is used to encrypt the plaintext
- Ciphertext: What we end up with post-encryption
WEP encryption step-by-step
Step 1: Compute the CRC for the message
- The CRC-32 polynomial is used
WEP encryption step-by-step
Step 2: Compute the keystream
- The IV is concatenated with the key
- The RC4 encryption algorithm is run on the 64- or 128-bit concatenation
WEP encryption step-by-step
Step 3: Encrypt the plaintext
- The plaintext is XORed with the keystream to form the ciphertext
- The IV is prepended to the ciphertext
WEP decryption step-by-step
Step 1: Build the keystream
- Extract the IV from the incoming frame
- Prepend the IV to the key
- Use RC4 to build the keystream
WEP decryption step-by-step
Step 2: Decrypt the plaintext and verify
- XOR the keystream with the ciphertext
- Verify the extracted message against the CRC
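The encryption and decryption steps above, carried through in Python as an added example (not code from the slides): RC4 is implemented inline, the frame body is IV || (message || CRC-32) XOR RC4(IV || key) exactly as the slides describe, and the little-endian byte order of the CRC field is an assumption made here.

```python
import os
import zlib
from typing import Optional


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; WEP seeds it with IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(message: bytes) -> bytes:
    # Encryption step 1: CRC-32 of the message (little-endian order is assumed here).
    return zlib.crc32(message).to_bytes(4, "little")


def wep_encrypt(key: bytes, message: bytes, iv: Optional[bytes] = None) -> bytes:
    """Encryption steps 1-3: IV || (message || CRC) XOR RC4(IV || key)."""
    assert len(key) in (5, 13), "WEP keys are 40 or 104 bits"
    iv = os.urandom(3) if iv is None else iv      # 24-bit IV, transmitted in the clear
    assert len(iv) == 3
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + key, len(plaintext))            # step 2
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))  # step 3


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Decryption steps 1-2: rebuild the keystream from the IV, XOR, check the CRC.
    Returns the message, or None when the CRC does not verify."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    message, crc = plaintext[:-4], plaintext[-4:]
    return message if icv(message) == crc else None
```

Because nothing in the standard prevents reusing an IV, two frames encrypted under the same key and IV share a keystream; the test below checks that their ciphertexts XOR to the XOR of their plaintexts, which is the IV-reuse weakness discussed later.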
What are the main weaknesses of WEP?
Initialization vector (IV)
- It’s carried in plaintext in the “encrypted” message!
- It’s only 24 bits!
- There are no restrictions on IV reuse!
- The IV forms a significant portion of the “seed” for the RC4 algorithm!
CRC algorithm
- The CRC is a linear function
  – First-order polynomial: y = mx + b
  – Key property when b is 0: f(x + y) = f(x) + f(y)
- The CRC is an unkeyed function
RC4 cipher
- Some seeds are “weaker” than others
- By extension, some IV values are weaker than others
- Weak seeds = more easily calculated keystreams
Defragmentation
- Not necessarily a weakness
- Part of the 802.11 standard
  – Affects WPA and WPA2 encryption as well
What are some potential attacks on a WEP network?
First, you know more about the plaintext than you think you know

  DSAP  SSAP  CTRL  ORG Code   Ether type
  AA    AA    03    00 00 00   08 ??        (Ether type can be either IP or ARP)

- With 802.11, you know the first eight bytes of a packet
- Many IP services have packets of fixed lengths
- Most WLAN IP addresses follow common conventions
- Many IP behaviors have predictable responses
Message modification
- Takes advantage of CRC’s linearity and unkeyed nature
- C is the original ciphertext
- c is the CRC-32 function
- Δ is the change in the message
- Need to know some of the plaintext, but not all!
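The linearity property from the CRC algorithm slide (f(x + y) = f(x) + f(y)) is what the message modification above relies on. This added Python example, not from the slides, shows the property by computing the CRC-32 of a modified message from the original CRC alone, and contrasts it with a keyed integrity tag that has no such property; HMAC-SHA256 is used here as an assumed stand-in for the keyed MIC of WPA2.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_of_modified(crc_original: int, delta: bytes) -> int:
    """CRC-32 of (P XOR delta), computed from crc(P) alone, never seeing P.

    CRC-32 as used by WEP has an initial value and a final XOR, so the pure
    f(x + y) = f(x) + f(y) form holds up to a length-dependent constant:
        crc(P ^ delta) = crc(P) ^ crc(delta) ^ crc(zeros of len(P))
    Because RC4 is a stream cipher, XORing (delta || this adjustment) onto the
    ciphertext changes message and ICV consistently, so the receiver's CRC
    check passes without the key ever being known.
    """
    return crc_original ^ crc32(delta) ^ crc32(bytes(len(delta)))


def delta_for(known_old: bytes, new: bytes, offset: int, total_len: int) -> bytes:
    """Delta rewriting the known bytes at `offset` to `new`; only those plaintext
    bytes need to be known (the rest of the delta is zero)."""
    d = bytearray(total_len)
    d[offset:offset + len(new)] = xor(known_old, new)
    return bytes(d)


def crc_check_survives_modification(message: bytes, delta: bytes) -> bool:
    """True if the receiver's CRC-32 check still passes after the modification."""
    predicted = crc_of_modified(crc32(message), delta)
    return predicted == crc32(xor(message, delta))


def keyed_mic(key: bytes, message: bytes) -> bytes:
    """A keyed integrity tag (HMAC-SHA256 here, standing in for a real MIC)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mic_check_survives_modification(key: bytes, message: bytes, delta: bytes) -> bool:
    """Without the key the tag cannot be recomputed, so the best an outsider can
    do is leave the original tag in place; it no longer verifies for any
    non-zero delta, so the modification is detected."""
    original_tag = keyed_mic(key, message)
    return hmac.compare_digest(original_tag, keyed_mic(key, xor(message, delta)))
```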
Message injection
- Takes advantage of CRC’s unkeyed nature and IV reuse
- C is the original ciphertext
- P is the original plaintext
- RC4(v, k) is the keystream for IV v
- M’ is the new message
- c is the CRC-32 function
- Need to know all of the plaintext
Authentication spoofing
- Takes advantage of IV reuse
- Takes advantage of the WEP challenge mechanism for new mobile stations
- The access point sends an unencrypted 128-bit value
- The mobile station returns the same value encrypted
- Monitor the exchange and…
  – Learn an IV-keystream pair
  – Authenticate on the mobile network
Fragmentation attack
- Takes advantage of defragmentation and IV reuse
- Takes advantage of knowledge of the plaintext of at least the first eight bytes of 802.11 data
- Each data fragment includes 4 bytes of checksum
- An 802.11 frame can be divided into 16 segments
- The access point will defragment the frame before forwarding, allowing the transmission of 16 × (known bytes of keystream – 4 bytes) of data
Full keystream recovery using fragmentation
- Send a 64-byte frame to a broadcast address in 16 segments
- Eavesdrop the defragmented 68-byte frame
- Send a 1024-byte frame to a broadcast address in 16 segments
- Eavesdrop the defragmented 1028-byte frame
- Send a 1496-byte frame to a broadcast address in 2 segments
- Eavesdrop the defragmented 1500-byte frame
IP redirection
- Takes advantage of defragmentation
- Eavesdrop an encrypted frame
- Build an encrypted IP header with the desired destination IP address
- Configure the 802.11 headers for segmented transmission
- Send the frames
- Receive the unencrypted data at an Internet-connected computer
So how easy do these techniques make a WEP network to compromise?
Answer: Darn easy
- Attacks greatly aided by automated tools
- The authors of “The Final Nail in WEP’s Coffin” broke a 40-bit key in under 15 minutes and a 104-bit key in under 80 minutes
- FBI agents demonstrated it in 3 minutes in 2005
  – http://www.informationweek.com/management/compliance/160502612
  – “Usually it takes five to ten minutes”
Countermeasures
- DON’T USE WEP!
- Use WPA or WPA2 with a strong key
- Change the default settings on your wireless router
- Use a VPN