Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007

Resources  Borisov, Goldberg, Wagner. Intercepting mobile communications: the insecurity of the 7th annual international conference on Mobile computing and networking. p-draft.pdf Guillaume Lehembre Wifi Security: WEP, WPA and WPA2 9_wifi/hakin9_wifi_EN.pdf

WEP Protocol  WEP – Wired Equivalent Privacy  Wireless standard  Link layer  Protocol goals: Confidentiality: prevent eavesdropping Access control: prevent unauthorized access Data integrity: prevent tampering of messages  We show that none of the security goals are attained

Network Model Internet

WEP Algorithm Encryption MessageCRC(M) RC4(k,IV) CipherIV

WEP Algorithm Decryption MessageCRC(M) RC4(k,IV) CipherIV

Confidentiality

Stream cipher properties  Given two ciphers C 1,C 2 – C 1  C 2 = P 1  P 2.  Keystream reuse can lead to a number of attacks: If plaintext of one message is known, the other is immediately obtainable. In the general case, known techniques for breaking reused keystreams. As the number of reused keystream increases breaking them becomes easier.  Two conditions required for this class of attcks to succeed: Availability of ciphertexts where keystream is used more than once. Partial knowledge of some of the plain texts.

Finding instances of keystream reuse  Shared key k changes rarely.  Reuse of IV causes reuse of keystream.  IV are public.

IV Usage  Standard recommends (but not requires) change of IV.  Common PCMCIA cards sets IV to zero and increment it by 1 for each packet.  IV size is only 24 bits.  Busy access point of 5Mbps will exhaust available space in 11 hours.  Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision

Exploiting keystream reuse  Many fields of IP traffic are predictable.  For example: login sequences.  Active attack (known plaintext)

Decryption dictionaries  Once plaintext of encrypted message is obtained, keystream value stored in dictionary.  Full table requires 24GB  Size of dictionary does not depend of size of key

Key management

Message Authentication  Message modification  Message injection

Message Modification  Checksum used is CRC-32 which is a linear function of the message:  In other words, checksum distributes over the XOR operation. C(x  y) = C(x)  C(y)  RC4 stream cipher also linear.

The attack Given C we would like to create C ’ s.t. C ’ decrypts to M ’ instead of M. MessageCRC(M) RC4(k,IV) Cipher  CRC(  )  = MessageCRC(M) RC4(k,IV)  CRC(  ) = RC4(k,IV) ’’CRC(  ’) =

Message Injection  WEP checksum is an unkeyed function of the message.  After knowing one keystream we can use it forever. C ’ =  RC4(IV,k)

Other attacks  IP redirection. Assumption: Destination address is known.

IP redirection (cont.)  Need to calculate IP checksum  Several options IP checksum for original packet is known Original IP checksum is not known Compensate by changing another IP field

Reaction Attack  Works only for TCP protocol  Pick i at random, let be all zeros, except for positions i and i+16. Calc C ’ = C   Two options: 1. Got an acknowledgment, P i  P i+16 = 1 2. Else P i  P i+16 = 0  Each test reveals 1 bit of information

Example attacks

ARP Request

Conclusion  Design of security protocols is difficult (more than the design of network protocols)  Combining several secure algorithms does not mean that the result is secure  Engineering perspective dictated selection of cryptographic algorithms

Fixing WEP WPA – Wi-Fi Protected Access and i

WPA  WPA – Wi-Fi Protected Access Draft security enhancements for A subset of the i proposed standard Proposed by IEEE TGi (Task Group i)  Design goals Preserve packet format Work with deployed hardware in AP and NICs  Composed of two components Authentication and master key generation – 802.1X TKIP (Temporal Key Integrity Protocol) - Temporal key generation, Confidentiality and Integrity

802.11i  A proposed standard  Defines authentication, key management, confidentiality, integrity and encapsulations for  Includes WEP (current implemented)  Encryption: RC4; Integrity: CRC-32 TKIP (temporary solution)  Encryption: RC4; Integrity: Michael WRAP (Wireless Robust Authenticated Protocol)  Encryption: AES; Integrity: HMAC-MD5

TKIP – Temporal Key Integrity Protocol

TKIP Components  TKIP is a wrapper around WEP  A cryptographic MIC (Message Integrity Code)  A per-packet sequence number  A per-packet key mixing function  A rekeying mechanism (802.1X)

TKIP MIC  MICHAEL the MIC function is designed for very low bandwidth CPU (the ones that are used by the Access Point)  Key length – 64 bits  The MIC is computed over the source address, the destination address and the data Protects against packet modification (e.g. bit flipping) Protects against header forgery

WEP with Enabled MIC =CRC =MAC

TKIP Sequence Counter  The station and the Access Point maintain a TKIP sequence counter  The transmitter increments the TKIP sequence counter each time it sends a packet  The counters are reset when new temporal keys are established  The sequence counter is mixed with the temporal key and the transmitter MAC address to create a RC4 seed key  On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage  Protects against replay attack

TKIP Keys  TKIP is using temporal keys  The station and the Access Point periodically exchange temporal keys  Four keys One Integrity (MIC) and one Encryption key per direction

TKIP ENCAPSULATION

TKIP Encapsulation  Calculate the 64 bits MIC with the MIC temporal key, over the source and destination addresses. The MIC is inserted into the message data  The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key  The first three bytes of the key are stored in the IV field  The remaining 13 bytes are stored in a free WEP key buffer  The packet is sent to WEP processing

TKIP DECAPSULATION

TKIP Decapsulation  The IV and the temporal key are concatenated, to create the RC4 seed key  The key is de-mixed – to create the TKIP sequence counter. The counter is checked to be in sequence  The key, the IV and the data are sent for WEP decapsulation  After RC4 decryption, the MIC, with the temporal MIC key, is computed over the source and destination addressed and the decrypted packet, and is compared to the MIC field in the packet

TKIP Notes  The TKIP temporal key must be exchanged every less then 2 16 packets, since the key mixing can produce 2 16 different IVs  The MIC and key mixing algorithms are cryptographically weak But, all the WEP known problems are solved TKIP is a temporary solution – until NICs and APs with new hardware arrives to the market  The i uses AES encryption