Wireless Security
Ian Bodley
Overview Wireless vs. Wired WEP Overview Vulnerabilities Exploits Protection
Wireless vs. Wired
Accessibility
The main difference between wired and wireless is obviously the need for a physical connection to a network. This creates many attractive advantages for corporations and institutions, yet unless properly managed, it exposes these networks to anyone with a wireless card. For instance, any of us could sit outside of this building and have wireless access to it.
WEP Overview
Wireless Equivalent Privacy (WEP) is 802.11's optional encryption standard, implemented in the MAC layer, that most radio network interface card (NIC) and access point vendors support. If a user activates WEP, the NIC encrypts the payload (frame body and checksum) of each 802.11 frame before transmission using an RC4 stream cipher provided by RSA Security. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies.
WEP Overview
Diagram: Wireless node to Access Point
- Plaintext frame data M concatenated with checksum c(M): M . c(M)
- Per-packet initialization vector IV (24 bits) prepended to secret key k to create the packet key: IV . k
- RC4 cipher initialized using the packet key
- Output bytes of cipher are exclusive-ored with checksummed plaintext: C = (M . c(M)) ⊕ RC4(IV . k)
IV: a sequence of random bytes appended to the front of the packet key. Adding the IV to the beginning eliminates the possibility of having the initial ciphertext block the same for any two messages. A few things to note here: the packets will all be encrypted differently due to the presence of the IV, which creates a random aspect to the data stream for each packet.
Vulnerabilities
- Human Error
- Short IVs
- Static keys
- WEP Configuration
- Large networks reuse IVs every hour
- No support to change keys
When transmitting messages having a common beginning, such as the "FROM" address in an e-mail, the beginning of each encrypted payload will be equivalent when using the same key. After encrypting the data, the beginnings of these frames would be the same, offering a pattern that can aid hackers in cracking the encryption algorithm.
In stream ciphers, it is unsafe to use the same key twice. But WEP's small IV almost guarantees keystream reuse. Manually-configured LANs cannot change the key often enough to avoid reuse.
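The keystream reuse described above, as an added example that is not part of the original slides. It implements C = (M . c(M)) XOR RC4(IV . k) and flags captured frames that share an IV. The key, messages, IVs and function names are constructed for illustration, and CRC-32 stored little-endian is assumed for c(M).

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, k: bytes, m: bytes) -> bytes:
    """C = (M . c(M)) XOR RC4(IV . k); c(M) is CRC-32, stored little-endian."""
    body = m + zlib.crc32(m).to_bytes(4, "little")
    return xor(body, rc4(iv + k, len(body)))

def find_iv_reuse(frames):
    """frames: list of (iv, ciphertext). Return index pairs that share an IV."""
    first_seen, pairs = {}, []
    for idx, (iv, _) in enumerate(frames):
        if iv in first_seen:
            pairs.append((first_seen[iv], idx))
        first_seen.setdefault(iv, idx)
    return pairs

def reuse_leak(frames):
    """XOR two same-IV ciphertexts: the keystream cancels, leaving M1 XOR M2."""
    a, b = find_iv_reuse(frames)[0]
    return xor(frames[a][1], frames[b][1])

# Constructed sample data: static 5-byte key, three frames, two sharing an IV.
K = bytes.fromhex("0102030405")
M1 = b"FROM: alice@example.com"
M2 = b"FROM: bob@example.org  "
FRAMES = [(b"\x00\x00\x01", wep_encrypt(b"\x00\x00\x01", K, M1)),
          (b"\x00\x00\x02", wep_encrypt(b"\x00\x00\x02", K, M1)),
          (b"\x00\x00\x01", wep_encrypt(b"\x00\x00\x01", K, M2))]
```

With a fresh IV the same message encrypts differently (frames 0 and 1), while frames 0 and 2 share an IV, so their XOR starts with six zero bytes where both plaintexts begin with "FROM: ".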
Exploits
- Fluhrer, Mantin, and Shamir
  - Cryptanalytic attack (pattern recognition)
  - Capture enough WEP frames, compare streams to determine secret key
- Inductive
  - Discover message by modifying a captured frame
When transmitting messages having a common beginning, such as the "FROM" address in an e-mail, the beginning of each encrypted payload will be equivalent when using the same key. After encrypting the data, the beginnings of these frames would be the same, offering a pattern that can aid hackers in cracking the encryption algorithm.
802.11 frames carry IP packets containing a large amount of known plaintext. This lets an attacker recover a partial keystream for every packet. Building up hints, an attacker eventually discovers the entire keystream.
CRC lets the receiver verify that the frame was not modified in transit, but an attacker can sniff a valid 802.11b frame, set the destination IP address to his own, adjust the CRC to cover his tracks, and transmit the modified frame to the AP. If the AP operates as an Internet gateway, it will decrypt the packet and deliver the plaintext to the attacker's PC.
Protection
- Mapping table of MACs
- Firewalls
- Second level of encryption
Firewalls to restrict the flow of packets from wireless APs to appropriate destinations.
Thank You!