Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007."— Presentation transcript:

1 1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007

2 2 Introduction WEP We read a lot about the problems with WEP … kind of an afterthought for security –How does it work? –What are its weaknesses? –Are there any strengths? –What does an attacker need to do to break WEP encryption?

3 3 WEP Overview WEP –Wired Equivalent Privacy Originally deployed with 802.11 networks Only security for first 5 years WEP was not ever meant to provide military levels of security WEP is efficient – one of its strengths!! –Can be implemented in hardware or software WEP is exportable – Other countries can use it !! –Approved by US Department of Commerce Is optional !!! Can use NO security with 802.11

4 4 Recall Original Purpose of WEP Designed to … –Keep outsiders from connecting to a network or monitoring traffic on that network –Nothing more –Was not designed to be end-to-end encryption –Does not distribute and manage encryption keys

5 5 WEP Overview WEP – More details –Typically is implemented as firmware Incorporated in all Wi-Fi AP’s and client adaptors –Standard Only defines 64 bit key 128 bit, and now 256 bit keys are extensions Mixing hardware risks some incompatibilities

6 6 Based on RC4 Cipher RC4 Cipher is a Stream Cipher –Stream cipher as opposed to block ciper Stream ciphers encode sequences of plain text into cipher text in a continuous process while Block ciphers process blocks of data –Uses a stream of bits called keystream –Combined with text to produce cipher text –Ciphertext can then be combined with same keystream to recover original data –Most stream ciphers take short secret key and expand it into a pseudorandom keystream Resulting keystream is same length as message

7 7 Basic WEP Function Each byte of data is encrypted using a different pseudorandom key Ensures that if this packet’s key is cracked, only information leaked is that which is contained in that packet Actual encryption logic in RC4 is very simple Plain text is XOR-ed with an infinitely long keystream Security of RC4 comes from secrecy of pseudorandom key that’s derived from keystream

8 8 Plain Text Cipher Text Psedorandom key

9 9 WEP Definitions Where … Pseudorandom key: is formed by combining a pre-shared passphrase or WEP key for each AP, a state array and an initialization vector (IV) Pre-shared passphrase: The same pre-shared password is used by all users State Array: It’s a series of numbers which are scrambled and then used by RC4 to construct the key stream. Initialization Vector (IV): The IV is a 3-byte random number generated by the computer It’s either prepended or appended to cipher text and sent to the receiver who strips the IV off before decrypting the cipher text Little bit more on IV’s and their purpose ….

10 10 IV’s Solve a Problem What’s the purpose of IV’s? Make variable keys for each packet!!! Problem using fixed key values All data values encrypted with same key So, get same encrypted result for same data Attacker can spot same encrypted bytes and possibly decipher plain text This is a bad idea …

11 11 IV’s Solve a Problem IV is Solution to fixed key problem –Instead of using fixed secret key to encrypt packets you combine key with 24-bit number Changes for every packet –IV not really part of key since its passed unencrypted with encrypted frame –IV always changes, so same data will result in different ciphertext

12 12 IV’s Solve a Problem IV sent in clear –Receiver needs to know what IV to use to decrypt data –In theory, knowledge of IV useless without knowledge of secret part of key –So, never want to reuse the IV with the same secret key … more about this later –Look more at the RC4 algorithm …

13 13 RC4 Algorithm Who is this person?

14 14 RC4 Algorithm RC4 stands for –4 th cipher designed by Ron Rivest 1987 by RSA Labs Regarded as a trade secret –Algorithm was reverse engineered and made public in 1994 by anonymous person –Still some controversy surrounding this event

15 15 RC4 Algorithm In September 1994 –Description of it was anonymously posted to the Cypherpunks mailing list –It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet –Leaked code was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4 –No longer a trade secret …

16 16 RC4 Algorithm Basic Idea 1)Generate pseudorandom sequence of bytes called a keystream 2)Combined with data using XOR XOR combines two bytes to get one by exclusive or’ing each bit 00110101 XOR 11100011 = 11010110 Characteristic of XOR – apply same value twice, get original value

17 17 RC4 Algorithm XOR 00110101 XOR 11100011 = 11010110 11010110 XOR 11100011 = 00110101 A XOR B = C, C XOR B = A A XOR B = C, C XOR B = A Encryption use of RC4 Plaintext XOR Keysequence = Ciphertext Ciphertxt XOR Keysequence = Plaintext Same

18 18 RC4 Algorithm Keysequence –Must be generated by both ends of the link –Idea is, can calculate next byte in sequence only if you know key used to generate stream –If don’t know key, looks random –XOR easy to compute, challenge is generate good pseudorandom number stream One for each byte of message

19 19 RC4 Algorithm Two phases to Algorithm –Key Scheduling Algorithm and pseudorandom generation 1.Key Scheduling algorithm establishes a 256 byte array with encoded with the numbers 0 – 255 S-Box -Create array of 0 – 255 in order K-Box – 2nd 256 byte array, filled with secret key Key is repeated to fill array

20 20 RC4 Algorithm Key Scheduling Algorithm continued … S-Box locations swapped with each other j is computed index into S-boxSwap Computed: j = (value in S-box[0]) + (value in K-box[0]) j = single byte, value no greater than 255 j used as index into S-box and value at that location is swapped with value in first location Procedure done 255 times until all bytes in S-box have been swapped

21 21 RC4 Algorithm Key Sch. Algorithm …continued … i = j = 0 For i = 0 to 255 j = (j + S[i] + K[i]) mod 256); swap(S[i], S[j]); End; After S-box initialized, next phase is pseudorandom number generation. Involves more swapping of bytes in S-box and creates one pseudorandom byte (R) per iteration

22 22 RC4 Algorithm 2. Pseudorandom number generation, creates R i = (i + 1) mod 256 j = (j + S[i]) mod 256 Swap S[i] and S[j] k = (S[i] + S[j]) mod 256 R = S[k] Later, ciphertext is created for each byte of plaintext by XORing byte with an R value

23 23 Example: Simple 4 byte password i=0 j=0 password = 6258 length=4 index=4 Step-1 State array: State[0]=0 State[1]=1 State[2]=2 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [0 + S[0] + K[0]] mod 4 = 6 mod 4 = 2 Swap(State[0], State[2]) = Swap(0,2) State[0]=2 State[1]=1 State[2]=0 State[3]=3

24 24 Example: Simple 4 byte password Step-2 i=1 j=2 State array: State[0]=2 State[1]=1 State[2]=0 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [2 + S[1] + K[1]] mod 4 = 5 mod 4 = 1 Swap(State[1], State[2]) = Swap(1,0) State[0]=2 State[1]=0 State[2]=1 State[3]=3

25 25 Example: Simple 4 byte password Step 3 i=2 j=1 State array: State[0]=2 State[1]=0 State[2]=1 State[3]=3 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [1 + State[2] + K[2]]mod 4 = 7 mod 4 = 3 Swap(State[2], State[3]) = Swap(1,3) State[0]=2 State[1]=0 State[2]=3 State[3]=1 ------------------------------------------------------------------------------------------- Step 4 i=3 j=3 State array: State[0]=2 State[1]=0 State[2]=3 State[3]=1 Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8 j = [3 + State[3] +K[3]]mod 4 = 12 mod 4 = 0 Swap(State[3], State[0]) = Swap(1,2) State[0]=1 State[1]=0 State[2]=3 State[3]=2 Final State Array: State[0]=1 State[1]=0 State[2]=3 State[3]=2

26 26 Example: Simple 4 byte password 1. Pseudorandom number generation, z1-z4 Initially i=0 j=0 K[0]=6 K[1]=2 K[2]=5 K[3]=8 First Loop: State[0]=1 State[1]=0 State[2]=3 State[3]=2 i=1 j=0+State[1]=0+0=0 Swap(State[1], State[0]) = Swap(0,1) State[0]=0 State[1]=1 State[2]=3 State[3]=2 z = State[State[1] + State[0] mod 4] = State[1] = 1 z1 = 00000001

27 27 Example: Simple 4 byte password Second Loop: State[0]=0 State[1]=1 State[2]=3 State[3]=2 i=2 j=0+State[2]=3 Swap(State[2], State[3]) = Swap(3,2) State[0]=0 State[1]=1 State[2]=2 State[3]=3 z = State[State[2] + State[3] mod 4] = State[1] = 1 z2 = 00000001

28 28 Example: Simple 4 byte password Third Loop: State[0]=0 State[1]=1 State[2]=2 State[3]=3 i=3 j=3+State[3]=6 mod 4 = 2 Swap(State[3],State[2]) = Swap(3,2) State[0]=0 State[1]=1 State[2]=3 State[3]=2 z = State[State[3] + State[2]] mod 4 = State[1] = 1 z3=00000001 Fourth Loop: State[0]=0 State[1]=1 State[2]=3 State[3]=2 i=4 j=2+State[4]=2+State[4 mod 4] = 2+State[0] = 2 Swap(State[4],State[2]) = Swap(State[0],State[2]) = Swap(0,3) State[0]=3 State[1]=1 State[2]=0 State[3]=2 z4 = State[State[4] + State[2]] = State[State[0] + State[2]] = State[3] = 2 z4=00000010

29 29 Example: Simple 4 byte password After calculating Z’s, use them to encrypt z1 = 00000001 z2= 00000001 z3= 00000001 z4= 00000010 T xor z1 = 01010100 xor 00000001 = 01010101 = U E xor z2 = 01000101 xor 00000001 = 01000100 = D S xor z3 = 01010011 xor 00000001 = 01010010 = R T xor z4 = 01010100 xor 00000010 = 01010110 = U The word TEST when encrypted with WEP is UDRU Example came from: http://palisade.plynt.com/issues/2006Dec/wep-encryption/

30 30 RC4 Cipher is Fairly Strong RC4 is secure –Implementation that makes crypto insecure –Difficult to implement strong crypto –Implementation weakens crypto Insecure key storage Poor random number generation Flaws in key generation –Specifically for WEP, Initialization Vector has problems

31 31 WEP IV Problems Two problems with way IV’s created 1. IV’s are reused over time Never want that to happen, attacker can figure out plaintext using identical keys 2. IV’s have a certain percentage that are weak Easier to break encryption than typical IV

32 32 Initialization Vector Reuse (IV) However, 24 bits is not that long … –Maximum value = 16,777,216 ≈ 17 million –Busy AP at 11 Mpbs is capable of transmitting/receiving about 700 average packets/sec –If different IV used for each packet, use all IV’s in about 7 hours! –IV’s are then reset … and the sequence is started over

33 33 IV Weakness Explanation –Limited number of rearrangements between the initial setup of the key table and the first pseudorandom byte – Found by Fluhrer et al 2001 (See ref at end …) –Showed that for certain key values, weak keys, disproportionate number of bits in first few bytes of key stream were determined by a few bits in the key itself –If you change one bit in key then output should be different. Yet, some bits of key had a bigger effect on output which reduced the number of effective bits –So, certain key combinations don’t produce sufficiently random data for first few bytes

34 34 IV Weakness Fluher et al showed problems –Allowed attacker to wait for potentially weak key and directly attack the key Works like this: Assume know first few plaintext bytes Watch transmission looking for a weak key Know there is a correlation between ciphertext, plaintext and secret key bytes

35 35 IV Weakness Continued … Since, only limited number of possible values for first secret key byte After capturing about 60 messages, attacker can guess first key byte with reasonable certainty. Can attack each secret key byte in turn, so extracts entire message. Increasing key size from 40 to 104 bytes only increases time to do this by 2.5 times Time increases linearly instead of exponentially In their favor, manufacturers try to disallow weak IV values

36 36 WEP Keys Reason for four keys –Supposed to help you change your keys –Can use multiple keys simultaneously until you, the manager wants to switch permanently to the new key –Only one key at a time is the active key for encrypting –But can decrypt using non-active keys –Active key is identified by key number 0, 1, 2, 3 –Still need to figure out how to distribute keys...

37 37 WEP Keys How to distribute keys? Standard does not specify how keys are distributed At home, easy to configure several computers to use same key Corporate setting, hundreds of computers –Distribution more difficult –Change key, and how to update everyone to new key –For now, up to individual sites to manage keys

38 38 Diagram of Encryption Process

39 39 WEP Mechanics User has plaintext message First, Create an Integrity Check Value –Integrity Check Value (ICV) –Computed on unencrypted message –Added to message and encrypted so attacker can’t change message and recompute a CRC on altered message

40 40 WEP Mechanics DATAICV Compute Check Encrypt DATAICV

41 41 WEP Mechanics Preparing Frame for Transmission –System selects an Initial Vector (IV) value and appends it to the secret WEP key Encrypts message –Passes each byte from data and ICV block to encryption engine –For each byte plaintext going in, encrypted byte comes out Until all bytes processes

42 42 WEP Mechanics Preparing Frame for Transmission –For decryption, key number (0 – 3) and IV value stuck on front of message Takes 4 bytes for these values Unencrypted DATAICVIVKey ID Encrypted

43 43 WEP Mechanics Frame for Transmission MAC header is added and CRC for transmission errors One bit in MAC header for WEP on/off Receive Process WEP on, reads and stores IV values Reads Key ID so it knows to use correct key Appends IV value to Secret Key and initializes RC4 crypto engine with that value

44 44 WEP Mechanics Receive Process RC4 requires same process for both encryption and decryption After encryption engine initialized, data run through one byte at a time to get back original message Final step, recompute ICV and verify value matches that sent in message

45 45 History of WEP WEP began in –1999 –Most systems supported key extensions of up to 104 bits –Industry still wasn’t sure WEP was secure –By 2000, wireless was everywhere and researchers began to investigate security –Major attack was discovered and published in 2001 showing keys could be extracted in hours – no matter the key length

46 46 WEP Insecurity Other problems in WEP –Want security to provide number of mechanisms Authentication Access Control Replay prevention Message modification Message privacy Key protection –WEP doesn’t provide any of these

47 47 Authentication Proof between two entities –You are you –Should not be a one-time process Every time you communicate should authenticate –Wireless, want mutual authentication Both mobile device and AP Use different keys for authentication and encryption

48 48 Authentication Open authentication –No real authentication mechanism –Systems have used MAC address lists –OK, unless MAC address is spoofed

49 49 Message Replay Watch a stream between AP and device –If WEP encrypted, can guess user has sent login and password Save all data User shuts down Bring up own client and using her MAC address, connect to the network Can replay login message and hopefully login to server Still need WEP key for unencrypting data

50 50 References S. Fluhrer, I. Mantin, A, Shamir. Weakness in the Key Scheduling Algorithm of RC4, http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf Nikita Borisov,Ian Goldberg,David Wagner, Intercepting Mobile Communications: The Insecurity of 802.11 http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf W. A. Arbaugh, N. Shankar, and Y. J. Wan. Your 802.11 wireless network has no clothes, http://www.cs.umd.edu/~waa/wireless.pdf

51 51 Finish Next time: WPA/IEEE 802.11i Reading: Read Articles on CourseNotes page See Assignments page … new assignment

Download ppt "1 CSCD 439/539 Wireless Networks and Security Lecture 9 WEP Fall 2007."

Similar presentations

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Encryption/Decyprtion using RC4 Vivek Ramachandran.

Encryption/Decyprtion using RC4 Vivek Ramachandran.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
The Trouble with WEP Or, cracking WiFi networks for fun & profit (not really) Jim Owens.

The Trouble with WEP Or, cracking WiFi networks for fun & profit (not really) Jim Owens.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Similar presentations

Ads by Google