Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.


1 Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006

2 Agenda
- Introduction
- Basics of the WEP-Protocol
- Weaknesses of WEP
- Breaking WEP
- Alternatives & Outlook
- Summary & Discussion

3 Wireless Networking
- ALOHAnet
- 1997: IEEE 802.11 (IR)
- 1999: IEEE 802.11b (11Mbps)
- 2003: IEEE 802.11g (54Mbps)
- 2007: IEEE 802.11n (540Mbps)

4 The need for security
- Why do we need the WEP-Protocol?
- Wi-Fi networks use radio transmissions -> prone to eavesdropping
- Mechanism to prevent outsiders from
  - accessing network data & traffic
  - using network resources

5 IEEE reactions
- 1999: Wired Equivalent Privacy (WEP)
- 2003: WiFi Protected Access (WPA)

6 Agenda
- Introduction
- Basics of the WEP-Protocol
- Weaknesses of WEP
- Breaking WEP
- Alternatives & Outlook
- Summary & Discussion

7 WEP – the basic idea
- WEP = Wired Equivalent Privacy
- As secure as a wired network
- Part of the IEEE 802.11 standard

8 WEP – how it works
- Encrypt all network packets using
  - a stream-cipher (RC4) for confidentiality
  - a checksum (CRC) for integrity

9 WEP – different flavors
- Originally (1999) 64 bit:
  - Legal limits
  - 24 bit Initialization Vector (IV)
  - 40 bit key
- 128 bit:
  - 104 bit (26 Hex-Characters) key
- 256 bit:
  - 232 bit key
  - Available, but not common

10 Small steps?
Evolution of WEP to WEP128 to WEP256:
- Initialization Vector remains at 24 bit
- Encryption key size increases

11 Agenda
- Introduction
- Basics of the WEP-Protocol
- Weaknesses of WEP
- Breaking WEP
- Alternatives & Outlook
- Summary & Discussion

12 The major flaw
- A Stream-Cipher should never use the same key twice

13 The Stream-Cipher-Breakdown
- E(A) = A xor C [C is the key]
- E(B) = B xor C
- Compute E(A) xor E(B)
- xor is commutative, hence:
  E(A) xor E(B) = A xor C xor B xor C
                = A xor B xor C xor C
                = A xor B

14 The major flaw
- A Stream-Cipher should never use the same key twice...
- ...or else we know A xor B, which is relatively easy to break
  - if both messages are in a natural language
  - if we know one of the messages
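
The cancellation from slides 13 and 14, carried through with real RC4 in a simplified WEP-style framing (RC4 seeded with IV || key, CRC-32 appended to the plaintext). This is an added example, not part of the original slides; the key, IV and messages are constructed sample values.

```python
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: (plaintext || CRC-32) xor RC4(IV || key)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(body, rc4_keystream(iv + key, len(body)))

# Constructed sample values (assumptions, not from the slides).
KEY = bytes.fromhex("0102030405")        # 40-bit shared key
IV = bytes.fromhex("a1b2c3")             # 24-bit IV, reused for two packets
MSG_A = b"status: all nodes are up"      # packet known to the observer
MSG_B = b"meeting moved to room 12"      # packet the observer does not know

def demo():
    ct_a = wep_encrypt(IV, KEY, MSG_A)
    ct_b = wep_encrypt(IV, KEY, MSG_B)
    # Same IV and key give the same keystream C, so C cancels: E(A) xor E(B) = A xor B.
    a_xor_b = xor(ct_a, ct_b)[:len(MSG_A)]
    # Knowing one message is enough to read the other, without ever learning the key.
    recovered_b = xor(a_xor_b, MSG_A)
    # With a different IV the keystream differs and the cancellation no longer works.
    ct_fresh = wep_encrypt(bytes.fromhex("a1b2c4"), KEY, MSG_B)
    still_leaks = xor(ct_a, ct_fresh)[:len(MSG_A)] == xor(MSG_A, MSG_B)
    return a_xor_b, recovered_b, still_leaks

if __name__ == "__main__":
    print(demo())
```
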

15 The WEP-repetition
- For a 24 bit Initialization Vector, there is a 50% chance of repetition after 5000 packets...
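
The repetition figure on slide 15 is a birthday bound and can be checked directly. This is an added example, not part of the original slides; it assumes IVs are drawn uniformly at random, and the function names are illustrative.

```python
import math

def collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Exact probability that at least two of `packets` random IVs are equal."""
    space = 2 ** iv_bits
    if packets > space:
        return 1.0
    # log P(no collision) = sum over i of log(1 - i / space); log1p keeps precision.
    log_no_collision = sum(math.log1p(-i / space) for i in range(packets))
    return -math.expm1(log_no_collision)

def packets_for_collision(target: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday-bound estimate of the packets needed to reach `target` probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - target))))

if __name__ == "__main__":
    print(f"P(repeat) after 5000 packets, 24 bit IV: {collision_probability(5000):.3f}")
    print(f"packets for 50% with a 24 bit IV: {packets_for_collision(0.5, 24)}")
    print(f"packets for 50% with a 48 bit IV: {packets_for_collision(0.5, 48)}")
```

Enlarging the key (WEP128, WEP256) does not change these numbers, because only the IV width enters the calculation.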

16 The Theory
- Fluhrer, Mantin, and Shamir wrote a paper on the WEP weakness in the RC4 implementation...
- Cornell University
- "Weaknesses in the Key Scheduling Algorithm of RC4"

17 Agenda
- Introduction
- Basics of the WEP-Protocol
- Weaknesses of WEP
- Breaking WEP
- Alternatives & Outlook
- Summary & Discussion

18 Feasibility of attack
- Practical
- Cheap
- Easy
- Fast

19 Feasibility of attack
- Practical
- Cheap
- Easy
- Fast
- WEP Users: time to panic!

20 How to do it...
- Stubblefield, Ioannidis, and Rubin wrote a paper about the implementation in 2001
- Rice University & AT&T
- "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP"
- Only six pages!

21 How to do it...
- Collect packets (about 6m for WEP128)
- Only observe the first byte
  - Depends on only 3 values (S[1], S[S[1]], S[S[1]+S[S[1]]])
  - May be known plaintext ("0xAA")
- Try guessing the key, byte by byte
  - chance of 1/20 per byte

22 How WE do it...
- Aircrack-ng
- Available freely for Linux, Windows and certain PDAs
- Only requires about 1m packets for WEP128

23 Agenda
- Introduction
- Basics of the WEP-Protocol
- Weaknesses of WEP
- Breaking WEP
- Alternatives & Outlook
- Summary & Discussion

24 Outlook for WEP
- WEP2
  - Enlarged IV
  - enforced 128-bit encryption
- WEP+
  - Only use strong IVs
  - has to be used on both ends
- ...a dead end...

25 Outlook for WEP
- WEP2
  - No change in concept, just more packets needed
- WEP+
  - How does one enforce the client side?
- ...a dead end...

26 Alternatives
- WPA, WPA2, 802.1X
  - 48 bit IV, mutate key after certain time
  - Depend on an authentication server
- IPsec, VPN
  - Tunneling and secure wrapping of packets

27 Agenda
- Introduction
- Basics of the WEP-Protocol
- Weaknesses of WEP
- Breaking WEP
- Alternatives & Outlook
- Summary & Discussion

28 Summary: WEP
- WEP is not secure!
  - Faulty implementation of RC4
  - Developing an attack was easy
- A successful attack only needs:
  - Off-the-shelf hardware (Laptop, Prism2)
  - Free software
  - A very short time (a few days at most)

