1 Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks” Dustin Christmann
2 Introduction This presentation will discuss the inadequacies of WEP encryption We’ll discuss the theoretical weaknesses of the WEP standard We’ll discuss the types of attacks that can exploit those weaknesses We’ll discuss the speed of “real world” attacks on WEP
3 Agenda What’s on your network? What is WEP? Theoretical weaknesses of WEP Types of attacks on WEP How well do these attacks work in the “real world”? Countermeasures
4 What’s on your wireless network? 802.11 (Wi-Fi) networks are ubiquitous today Types of encryption: –Open (No encryption) –WEP –WPA/WPA2
5 So what is WEP? WEP is Wired Equivalent Privacy Link-layer encryption Defined in the IEEE 802.11 standard “Least common denominator” Wi-Fi encryption Goals of WEP –Confidentiality –Access control –Data integrity
7 First, let’s introduce the players Message: What you’re encrypting CRC: A CRC-32 checksum (the ICV) appended to verify the integrity of the message Plaintext: The message + CRC Initialization vector (IV): A 24-bit number which plays two roles that we’ll meet in a moment Key: A 40- or 104-bit number which is used to build the keystream Keystream: What is used to encrypt the plaintext Ciphertext: What we end up with post-encryption
8 WEP encryption step-by-step Step 1: Compute the CRC for the message The CRC-32 polynomial is used and the 4-byte result is appended to the message
9 WEP encryption step-by-step Step 2: Compute the keystream The IV is prepended to the key The RC4 algorithm is seeded with the resulting 64- or 128-bit value and produces the keystream
10 WEP encryption step-by-step Step 3: Encrypt the plaintext The plaintext (message + CRC) is XORed with the keystream to form the ciphertext The IV is prepended, unencrypted, to the ciphertext
11 WEP decryption step-by-step Step 1: Build the keystream Extract the IV from the incoming frame Prepend the IV to the key Use RC4 to build the keystream
12 WEP decryption step-by-step Step 2: Decrypt the plaintext and verify XOR the keystream with the ciphertext Recompute the CRC of the extracted message and compare it with the received CRC; a mismatch means the frame is discarded
14 Initialization vector (IV) It’s carried in plaintext in the “encrypted” message! It’s only 24 bits, so there are at most 2^24 (about 16.8 million) keystreams per key! There are no restrictions on IV reuse! The IV forms a significant portion of the “seed” for the RC4 algorithm!
15 CRC algorithm The CRC is a linear function –Think of a first-order polynomial: y = mx + b –Key property when b is 0: f(x+y) = f(x) + f(y) –For CRC-32 the “+” is XOR, and the b is a length-dependent constant: crc(x XOR y) = crc(x) XOR crc(y) XOR crc(0…0) for x and y of the same length The CRC is an unkeyed function: anyone can compute it for any message, so it cannot tell a forged message from a genuine one
16 RC4 cipher Some seeds are “weaker” than others By extension, some IV values are weaker than others, since the IV is the first part of the seed Weak seeds = more easily calculated keystreams (the first keystream byte leaks information about the key)
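The encryption and decryption steps on the preceding slides, together with the consequence of IV reuse, as an added worked example (this is constructed illustration code, not code from the presentation). It uses a textbook RC4 and zlib.crc32 for the ICV; the key, IV and message values are constructed samples.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message: bytes) -> bytes:
    """Step 1: the 4-byte CRC-32 integrity check value (sent little-endian)."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Steps 1-3: plaintext = message || CRC, keystream = RC4(IV || key),
    ciphertext = plaintext XOR keystream. The frame body carries the IV
    in the clear, a key-id byte (0 here) and then the ciphertext."""
    if len(iv) != 3 or len(key) not in (5, 13):   # 24-bit IV, 40- or 104-bit key
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + b"\x00" + xor(plaintext, keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Decryption steps 1-2: rebuild the keystream from the cleartext IV,
    XOR it off, then recompute the CRC. Returns (message, crc_ok)."""
    iv, body = frame[:3], frame[4:]
    plaintext = xor(body, rc4_keystream(iv + key, len(body)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message, received_icv == icv(message)


def iv_reuse_leak(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two frames sent under one IV share a keystream, so XORing their
    ciphertexts cancels it and hands the eavesdropper m1 XOR m2;
    knowing either message then reveals the other, with no key needed."""
    c1 = wep_encrypt(key, iv, m1)[4:]
    c2 = wep_encrypt(key, iv, m2)[4:]
    return xor(c1, c2)[: min(len(m1), len(m2))]


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"      # constructed 40-bit key
    iv = b"\x00\x00\x01"               # constructed IV
    frame = wep_encrypt(key, iv, b"hello wifi")
    print(frame.hex(), wep_decrypt(key, frame))
    print(iv_reuse_leak(key, iv, b"ARP request", b"ARP reply  ").hex())
```

Note that nothing in the receiver's check depends on a secret: the CRC is recomputed from the decrypted bytes, which is what the message-modification attack later exploits.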
17 Defragmentation Not necessarily a weakness Part of 802.11 standard –Affects WPA and WPA2 encryption as well
18 What are some potential attacks on a WEP network?
19 First, you know more about the plaintext than you think you know With 802.11, you know the first eight bytes of a packet: the LLC/SNAP header –DSAP = AA, SSAP = AA, CTRL = 03, Org code = 00 00 00, Ether type = 08 00 (IP) or 08 06 (ARP) Many IP services have packets of fixed lengths Most WLAN IP addresses follow common conventions Many IP behaviors have predictable responses
20 Message modification Takes advantage of CRC’s linearity and unkeyed nature. C is the original ciphertext c is the CRC-32 function Δ is the change in the message Need to know some of the plaintext (where the bytes you want to change sit), but not all!
21 Message injection Takes advantage of CRC’s unkeyed nature and IV reuse. C is the original ciphertext P is the original plaintext RC4(v,k) is the keystream for IV v M’ is the new message c is the CRC-32 function Need to know all of the plaintext, so that C XOR P gives you the keystream!
22 Authentication spoofing Takes advantage of IV reuse Takes advantage of WEP’s shared-key challenge mechanism for new mobile stations Access point sends an unencrypted 128-byte challenge Mobile station returns the same value encrypted Monitor the exchange and… –Learn an IV-keystream pair (challenge XOR response) –Use it to answer the next challenge and authenticate to the access point
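The three attacks above (message modification via CRC linearity, message injection, and shared-key authentication spoofing) as one added worked example; this is constructed illustration code, not code from the presentation. None of the attacks needs the RC4 key, so the per-IV keystream is modelled as random bytes fixed per IV (a stand-in for RC4(IV || key)); the key-id byte is omitted and all frames and challenges are constructed samples.

```python
import os
import struct
import zlib


def crc(data: bytes) -> bytes:
    """CRC-32 ICV as WEP appends it (4 bytes, little-endian)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Encrypts with a per-IV keystream the attacker never sees and checks
    the ICV on receipt. Keystream stand-in: random bytes, fixed per IV."""

    def __init__(self):
        self._streams = {}

    def _keystream(self, iv: bytes, n: int) -> bytes:
        return self._streams.setdefault(iv, os.urandom(2048))[:n]

    def encrypt(self, iv: bytes, message: bytes) -> bytes:
        pt = message + crc(message)
        return iv + xor(pt, self._keystream(iv, len(pt)))

    def decrypt(self, frame: bytes):
        iv, body = frame[:3], frame[3:]
        pt = xor(body, self._keystream(iv, len(body)))
        msg, received = pt[:-4], pt[-4:]
        return msg, received == crc(msg)


def crc_is_affine(x: bytes, y: bytes) -> bool:
    """crc(x ^ y) ^ crc(x) ^ crc(y) == crc(0...0) for equal-length x, y:
    CRC-32 is linear up to a length-dependent constant (the 'b')."""
    return xor(crc(xor(x, y)), xor(crc(x), crc(y))) == crc(bytes(len(x)))


def modify(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Message modification: XOR `delta` into the plaintext at `offset`
    without the key, and fix up the encrypted ICV using linearity.
    Only the position of the bytes being changed has to be known."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    d = bytearray(n)
    d[offset:offset + len(delta)] = delta
    d = bytes(d)
    icv_fix = xor(crc(d), crc(bytes(n)))      # crc(m ^ d) = crc(m) ^ icv_fix
    return iv + xor(body, d + icv_fix)


def recover_keystream(frame: bytes, known_message: bytes) -> bytes:
    """Known plaintext XOR ciphertext = the keystream for that IV."""
    return xor(frame[3:], known_message + crc(known_message))


def inject(iv: bytes, keystream: bytes, new_message: bytes) -> bytes:
    """Message injection: reuse a recovered keystream under the same IV to
    forge any frame up to the keystream length; the ICV is unkeyed."""
    pt = new_message + crc(new_message)
    if len(pt) > len(keystream):
        raise ValueError("not enough keystream for this message")
    return iv + xor(pt, keystream)


def spoof_auth(challenge: bytes, response: bytes, new_challenge: bytes) -> bytes:
    """Shared-key authentication spoofing: the cleartext challenge and the
    station's encrypted response give one IV-keystream pair, which answers
    any later challenge of the same length under that IV."""
    return inject(response[:3], recover_keystream(response, challenge), new_challenge)
```

The receiving Station accepts every forged frame because its only check is an unkeyed CRC over bytes the attacker controls; a keyed MAC such as the MIC in WPA/WPA2 would reject all three.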
23 Fragmentation attack Takes advantage of defragmentation and IV reuse Takes advantage of knowledge of the plaintext of at least the first eight bytes of 802.11 data (the LLC/SNAP header) Each fragment carries its own 4-byte checksum An 802.11 frame can be divided into at most 16 fragments (the fragment number field is 4 bits) The access point will defragment the frame before forwarding, allowing the transmission of 16 * (known bytes of keystream – 4 bytes) of data
24 Full keystream recovery using fragmentation Send a 64-byte frame to a broadcast address in 16 segments (4 data bytes + 4 CRC bytes each, encrypted with the 8 known keystream bytes) Eavesdrop the defragmented 68-byte frame; you chose its plaintext, so you now know 68 bytes of keystream for the IV the access point used Send a 1024-byte frame to a broadcast address in 16 segments Eavesdrop the defragmented 1028-byte frame Send a 1496-byte frame to a broadcast address in 2 segments Eavesdrop the defragmented 1500-byte frame: a full MTU of keystream
25 IP redirection Takes advantage of defragmentation Eavesdrop an encrypted frame Build an encrypted IP header with the desired destination IP address (your Internet-connected computer) using known keystream Configure the 802.11 headers for segmented transmission, so the new header and the eavesdropped ciphertext are sent as fragments of one frame Send the frames; the access point defragments and routes the result Receive the unencrypted data at the Internet-connected computer
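The fragmentation attack on the two preceding slides, as an added worked example (constructed illustration code, not code from the presentation). It models an access point that decrypts each fragment, drops any with a bad ICV, reassembles the frame and re-encrypts it under a fresh IV for the broadcast address; the per-IV keystream is a SHA-256-derived stand-in for RC4(IV || key), and the key, IVs and payloads are constructed. It also generalizes the slide's 8 → 68 → 1028 → 1500 schedule to any starting number of known keystream bytes.

```python
import hashlib
import struct
import zlib

MAX_FRAGMENTS = 16   # the 802.11 fragment-number field is 4 bits
MTU = 1500           # largest reassembled body (data + ICV) the AP relays here
ICV_LEN = 4
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # first 8 plaintext bytes of any IP frame


def crc(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """Keystream stand-in: SHA-256(IV || key || counter) blocks, so one IV
    always yields the same bytes, just as RC4(IV || key) would."""

    def __init__(self, key: bytes):
        self._key = key
        self._next_iv = 0x100

    def keystream(self, iv: bytes, n: int) -> bytes:
        blocks = (n + 31) // 32
        return b"".join(hashlib.sha256(iv + self._key + struct.pack(">I", i)).digest()
                        for i in range(blocks))[:n]

    def encrypt(self, iv: bytes, payload: bytes) -> bytes:
        pt = payload + crc(payload)
        return iv + xor(pt, self.keystream(iv, len(pt)))

    def decrypt(self, frame: bytes) -> bytes:
        iv, body = frame[:3], frame[3:]
        pt = xor(body, self.keystream(iv, len(body)))
        if pt[-ICV_LEN:] != crc(pt[:-ICV_LEN]):
            raise ValueError("bad ICV, fragment dropped")
        return pt[:-ICV_LEN]

    def forward(self, fragments) -> bytes:
        """Defragment, then re-encrypt the whole frame under a fresh IV."""
        if not 1 <= len(fragments) <= MAX_FRAGMENTS:
            raise ValueError("illegal fragment count")
        payload = b"".join(self.decrypt(f) for f in fragments)
        if len(payload) + ICV_LEN > MTU:
            raise ValueError("reassembled frame too large")
        iv = struct.pack(">I", self._next_iv)[1:]
        self._next_iv += 1
        return self.encrypt(iv, payload)


def learn_initial_keystream(captured: bytes):
    """Any sniffed IP frame gives 8 keystream bytes: the LLC/SNAP header is
    known plaintext, so XOR it with the first 8 ciphertext bytes."""
    return captured[:3], xor(captured[3:11], LLC_SNAP_IP)


def fragment_and_encrypt(iv: bytes, keystream: bytes, payload: bytes):
    """Each fragment carries (known keystream - 4) data bytes plus its own
    ICV, so a few known keystream bytes suffice to encrypt every fragment."""
    chunk = len(keystream) - ICV_LEN
    frags = []
    for i in range(0, len(payload), chunk):
        m = payload[i:i + chunk]
        pt = m + crc(m)
        frags.append(iv + xor(pt, keystream[:len(pt)]))
    if len(frags) > MAX_FRAGMENTS:
        raise ValueError("payload needs more than 16 fragments")
    return frags


def expand_keystream(ap: AccessPoint, iv: bytes, known: bytes):
    """One round: send the largest payload the known keystream allows,
    eavesdrop the reassembled broadcast (whose plaintext we chose) and
    recover the full keystream for the IV the access point used."""
    payload = bytes(min(MAX_FRAGMENTS * (len(known) - ICV_LEN), MTU - ICV_LEN))
    relayed = ap.forward(fragment_and_encrypt(iv, known, payload))
    return relayed[:3], xor(relayed[3:], payload + crc(payload))


def full_keystream_recovery(ap: AccessPoint, iv: bytes, known: bytes):
    """Repeat rounds until a whole MTU of keystream is known; returns the
    final (iv, keystream) and the lengths learned after each round."""
    lengths = [len(known)]
    while len(known) < MTU:
        iv, known = expand_keystream(ap, iv, known)
        lengths.append(len(known))
    return iv, known, lengths


def growth_schedule(known_bytes: int) -> list:
    """Keystream length after each round, without running the attack."""
    lengths = [known_bytes]
    while known_bytes < MTU:
        known_bytes = min(MAX_FRAGMENTS * (known_bytes - ICV_LEN), MTU - ICV_LEN) + ICV_LEN
        lengths.append(known_bytes)
    return lengths
```

The access point never sees anything wrong: every fragment has a valid ICV and the reassembled frame is an ordinary broadcast, which is why the attack works without a single weak IV or any key-recovery step.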
26 So how easy do these techniques make a WEP network to compromise?
27 Answer: Darn easy Attacks greatly aided by automated tools Authors of “The Final Nail in WEP’s Coffin” broke a 40-bit key in under 15 minutes and a 104-bit key in under 80 minutes FBI agents demonstrated it in 3 minutes in 2005 –http://www.informationweek.com/management/compliance/160502612 –“Usually it takes five to ten minutes”
28 Countermeasures DON’T USE WEP! Use WPA or WPA2 with a strong key Change the default settings on your wireless router Use a VPN on top of the wireless link