An Inductive Chosen Plaintext Attack against WEP/WEP2 May 2001 An Inductive Chosen Plaintext Attack against WEP/WEP2 William A. Arbaugh University of Maryland, College Park waa@cs.umd.edu William Arbaugh, University of Maryland

Talk Outline Introduction Attack Overview Attack Details Conclusions Month 2000 doc.: IEEE 802.11-00/xxx May 2001 Talk Outline Introduction WEP/WEP2 IP Walker/Berkeley Attacks Attack Overview Attack Details Conclusions William Arbaugh, University of Maryland John Doe, His Company

WEP/WEP2 Encryption Algorithm = RC4 May 2001 WEP/WEP2 802.11 Hdr Data Encapsulate Decapsulate 802.11 Hdr Data IV ICV Encryption Algorithm = RC4 Per-packet encryption key = IV concatenated to a pre-shared key WEP: 24 bit IV WEP2: 128 bit IV WEP allows IV to be reused with any frame Data integrity provided by CRC-32 of the plaintext data (the “ICV”) Data and ICV are encrypted under the per-packet encryption key William Arbaugh, University of Maryland

How to Read WEP Encrypted Traffic (1) May 2001 How to Read WEP Encrypted Traffic (1) 802.11 Hdr Data IV ICV Encrypted under Key +IV using a Vernam Cipher 24 luxurious bits 50% chance of a collision exists already after only 4823 packets!!! Pattern recognition can disentangle the XOR’d recovered plaintext. Recovered ICV can tell you when you’ve disentangled plaintext correctly. After only a few hours of observation, you can recover all 224 key streams. William Arbaugh, University of Maryland

How to Read WEP Encrypted Traffic (2) May 2001 How to Read WEP Encrypted Traffic (2) Ways to accelerate the process: Send spam into the network: no pattern recognition required! Get the victim to send e-mail to you The AP creates the plaintext for you! Decrypt packets from one Station to another via an Access Point If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other Etc., etc., etc. William Arbaugh, University of Maryland

Observations Walker/Berkeley attacks require either: Can we do better? Month 2000 doc.: IEEE 802.11-00/xxx May 2001 Observations Walker/Berkeley attacks require either: Depth and post analysis Cooperating agent for known plain text Can we do better? William Arbaugh, University of Maryland John Doe, His Company

Inductive Chosen Plain Text May 2001 Inductive Chosen Plain Text Base Case: Recover an initial pseudo random stream of length n from known plain text. Inductive step: Extend size of known pseudo random to n+1 by leveraging the redundant information in the CRC. William Arbaugh, University of Maryland

Base Case Find initial pseudo random stream of size n. May 2001 Base Case Find initial pseudo random stream of size n. Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address. Known source (0.0.0.0), destination (255.255.255.255), header info Allows the recovery of 24 bytes of pseudo random stream: Let n = 24 William Arbaugh, University of Maryland

May 2001 Inductive Step Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc. Compute ICV and append only the first three bytes. XOR with n bytes of pseudo random stream. Append last byte as the n+1 byte William Arbaugh, University of Maryland

Inductive Step  n-3 3 n+1 May 2001 Data ICV Pseudo Random Steam byte Iterate over the 255 possibilities 802.11 Hdr Data IV ICV-1 n+1 Encrypted Data William Arbaugh, University of Maryland

Inductive Step 5. Now send datagram and wait for a response. May 2001 Inductive Step 5. Now send datagram and wait for a response. 6. If no response, try another of the 254 remaining possibilities. 7. If there is a response, then we know: The n+1 byte was the last byte of the ICV, thus we have matching plaintext and ciphertext which gives us the n+1 byte of the pseudorandom stream. William Arbaugh, University of Maryland

After Response   n-3 3 n+1 May 2001 Data ICV Pseudo Random Steam n+1 plaintext byte Data ICV byte Pseudo Random Steam  byte  n+1 ciphertext byte Encrypted Data byte n+1 pseudo byte 802.11 Hdr IV Data ICV-1 byte n+1 William Arbaugh, University of Maryland

Attack Cost Assume moderately aggressive attacker: May 2001 Attack Cost Assume moderately aggressive attacker: ~100 attacker transmissions per second NOTE: ICV failures will not be passed to OS and thus the attack is difficult to observe (failed ICV counter not withstanding) 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case ~40 minutes in average case William Arbaugh, University of Maryland

May 2001 WEP Costs 46 hours to build full dictionary of <IV, pseudorandom> with one attacking host (~35GB) But, the attack is embarrassingly parallel. Four attacking hosts: 11.5 hours Eight attacking hosts: 5.75 hours William Arbaugh, University of Maryland

May 2001 WEP2 Costs Prohibitive to build entire dictionary in terms of space and time, but we don’t need to do so. Because, we can still find enough <IV,pseudorandom> pairs to find and attack a vulnerable host on the LAN and recover key actively, e.g. blind scans and blind attacks. William Arbaugh, University of Maryland

May 2001 This Attack Works Because of the redundant information provided by the CRC, and Because of the lack of a keyed MIC William Arbaugh, University of Maryland

Stopping/Mitigating the Attack May 2001 Stopping/Mitigating the Attack Add a keyed MIC (stops attack) Adding a replay window (mitigates attack) Modifying the CRC such that it can’t be: Easily determined by an attacker Not linear (bit flipping attack) (mitigates attack) William Arbaugh, University of Maryland

May 2001 Conclusions Fundamental problem is that both WEP and WEP2 vulnerable to packet forgery. It’s easy to dismiss this attack (and the Walker/Berkeley attacks) as “academic”. However, it’s only a matter of time before the attacks are implemented/scripted and released …What then? William Arbaugh, University of Maryland