Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intercepting Mobiles Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson.

Published byWinfred McDaniel Modified over 8 years ago

Similar presentations

Presentation on theme: "Intercepting Mobiles Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson."— Presentation transcript:

1 Intercepting Mobiles Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson 21.3.04 21.3.04

2 WEP Protocol ► WEP – Wired Equivalent Privacy ► Wireless standard 802.11 ► Link layer ► Protocol goals:  Confidentiality: prevent eavesdropping  Access control: prevent unauthorized access  Data integrity: prevent tampering of messages ► We show that none of the security goals are attained

3 Network Model Internet

4 WEP Algorithm Encryption MessageCRC(M) RC4(k,IV) CipherIV

5 WEP Algorithm Decryption MessageCRC(M) RC4(k,IV) CipherIV

6 Confidentiality

7 Stream cipher properties ► Given two ciphers C 1,C 2 – C 1  C 2 = P 1  P 2. ► Keystream reuse can lead to a number of attacks:  If plaintext of one message is known, the other is immediately obtainable.  In the general case, known techniques for breaking reused keystreams.  As the number of reused keystream increases breaking them becomes easier. ► Two conditions required for this class of attcks to succeed:  Availability of ciphertexts where keystream is used more than once.  Partial knowledge of some of the plain texts.

8 Finding instances of keystream reuse ► Shared key k changes rarely. ► Reuse of IV causes reuse of keystream. ► IV are public.

9 IV Usage ► Standard recommends (but not requires) change of IV. ► Common PCMCIA cards sets IV to zero and increment it by 1 for each packet. ► IV size is only 24 bits. ► Busy access point of 5Mbps will exhaust available space in 11 hours. ► Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision

10 Exploiting keystream reuse ► Many fields of IP traffic are predictable. ► For example: login sequences. ► Active attack (known plaintext)

11 Decryption dictionaries ► Once plaintext of encrypted message is obtained, keystream value stored in dictionary. ► Full table requires 24GB ► Size of dictionary does not depend of size of key

12 Key management

13 Message Authentication ► Message modification ► Message injection

14 Message Modification ► Checksum used is CRC-32 which is a linear function of the message: ► In other words, checksum distributes over the XOR operation. C(x  y) = C(x)  C(y) ► RC4 stream cipher also linear.

15 The attack Given C we would like to create C’ s.t. C’ decrypts to M’ instead of M. MessageCRC(M) RC4(k,IV) Cipher  CRC(  )  = MessageCRC(M) RC4(k,IV)  CRC(  ) = RC4(k,IV) ’’CRC(  ’) =

16 Relation to GSM Encryption: C = G(M)  A5/2(IV,k) Decryption: 1. G(M) = C  A5/2 (IV,k) 2. H(G(M)) = 0 ? 3. M = G -1 (G(M))

17 Attack on GSM H(C) = H(A5/2(Iv, k)  G(M)) = H(A5/2(IV,k))  H(G(M)) = H(A5/2(IV,k))  0 = H(A5/2(IV,k))

18 Message Injection ► WEP checksum is an unkeyed function of the message. ► After knowing one keystream we can use it forever. C’ =  RC4(IV,k)

19 Other attacks ► IP redirection. Assumption: Destination address is known.

20 IP redirection (cont.) ► Need to calculate IP checksum ► Several options  IP checksum for original packet is known  Original IP checksum is not known  Compensate by changing another IP field

21 Reaction Attack ► Works only for TCP protocol ► Pick i at random, let  be all zeros, except for positions i and i+16. Calc C’ = C   Two options: 1. Got an acknowledgment, P i  P i+16 = 1 2. Else P i  P i+16 = 0 ► Each test reveals 1 bit of information

22 Conclusion ► Design of security protocols is difficult (more than the design of network protocols) ► Combining several secure algorithms does not mean that the result is secure ► Engineering perspective dictated selection of cryptographic algorithms

23 THE END ► Thank You!

Download ppt "Intercepting Mobiles Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson."

Similar presentations

1 Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks” Dustin Christmann.

1 Intercepting Mobile Communications: The Insecurity of …or “Why WEP Stinks” Dustin Christmann.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.

Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.
Wireless Security David Wagner University of California, Berkeley.

Wireless Security David Wagner University of California, Berkeley.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
1 IEEE 802.11 Network Security Rohit Tripathi Graduate Student. University of Southern California.

1 IEEE Network Security Rohit Tripathi Graduate Student. University of Southern California.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Similar presentations

Ads by Google