NSRI1 Security of Wireless LAN
Seongtaek Chee (NSRI)
NSRI2 Contents Introduction WEP Security What’s Wrong Solutions Conclusions
NSRI3 Introduction
- IEEE standard
  - Wired Equivalent Privacy (WEP)
  - Goal: data privacy to the level of a wired network
  - Use of 40-bit RC4 as the encryption mechanism
- Attack against WEP
  - Researchers at Univ. of California at Berkeley published a document “security flaws in the security protocol”
  - Main weakness: use of static WEP keys shared among users
NSRI4 Wireless LAN WEP (wireless network infrastructure)
NSRI5 Security Goal
- Confidentiality: the fundamental goal of WEP is to prevent casual eavesdropping
- Access control: to protect access to a wireless network infrastructure*
- Data integrity: to prevent tampering with transmitted messages**
* The standard includes an optional feature to discard all packets that are not properly encrypted using WEP, and manufacturers advertise the ability of WEP to provide access control
** The integrity checksum field is included for this purpose
NSRI6 WEP Encryption
[Diagram: RC4, keyed with IV (24-bit) and K (40-bit), turns plain-text into cipher-text]
NSRI7 Encrypted WEP Frame
[Diagram: plain-text = Message + CRC; Keystream = RC4(IV, K); transmitted data = IV + Cipher-text]
NSRI8 WEP Encryption & Decryption
- A → B: IV, C = (P ⊕ RC4(IV, K)), where P = (M, c(M))
- B: 1) 2) Verifies the checksum on P’
NSRI9 WEP Encapsulation Summary
- Encryption algorithm = RC4
- Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
- WEP allows IV to be reused with any frame
- Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
- Data and ICV are encrypted under the per-packet encryption key
NSRI10 WEP Authentication
[Diagram: AP sends STA a Challenge (Nonce); STA returns a Response (Nonce RC4 encrypted under shared key); AP checks “Decrypted nonce OK?”; shared secret distributed out of band]
Authentication Summary:
- Authentication key distributed out-of-band
- Access Point generates a “randomly generated” challenge
- Station encrypts challenge using pre-shared secret
NSRI11 Properties of Stream Cipher
- What happens when plaintexts P1 and P2 are encrypted using the same key K
- It is a very bad idea to encrypt any two plaintexts using the same keystream output by a stream cipher
NSRI12 Keystream reuse
- Key is a fixed shared secret that changes rarely, if ever
- In fact, in many setups, every user shares the same key
- So the keystream depends only on IV
- If two packets ever get transmitted with the same IV, you reuse the keystream value, which is bad
- Since IV gets transmitted in the clear for each packet, the adversary can even easily tell when a value of IV is reused (a “collision”)
NSRI13 Attack – Confidentiality(1)
- Attacker obtains two ciphertexts C1 and C2
- C1 ⊕ C2 = P1 ⊕ P2
- Using the redundancy of plaintexts, he can know (partial) P1 and P2
- This is really easy if he knows the plaintext, because, for example, he sent it to you, say via pings or spam.
- If he knows one plaintext, he can recover all the other plaintexts.
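Added example (not part of the original slides): WEP-style encapsulation in Python, showing how a monitor spots a reused IV and why two frames under the same IV leak each other's plaintext. The key, IVs, messages and the CRC byte order are constructed assumptions for this example.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA, then PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def plaintext(m: bytes) -> bytes:
    """P = (M, c(M)); the CRC-32 byte order is an assumption of this example."""
    return m + zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(iv: bytes, k: bytes, m: bytes) -> bytes:
    """C = P XOR RC4(IV, K), per-packet key = IV || K as on the slides."""
    p = plaintext(m)
    return xor(p, rc4(iv + k, len(p)))

def recover(c_known: bytes, m_known: bytes, c_other: bytes) -> bytes:
    """Same IV => C1 XOR C2 = P1 XOR P2, so P2 = C1 XOR C2 XOR P1."""
    return xor(xor(c_known, c_other), plaintext(m_known))[:-4]

def colliding_ivs(frames) -> set:
    """Return the IVs that occur more than once in (iv, ciphertext) frames."""
    seen, dup = set(), set()
    for iv, _ in frames:
        (dup if iv in seen else seen).add(iv)
    return dup

# Constructed sample values (not from the page).
K = bytes.fromhex("0102030405")                # 40-bit shared key
M1 = b"ping payload known to the observer"
M2 = b"confidential data sent by station!"
FRAMES = [(iv, wep_encrypt(iv, K, m)) for iv, m in
          [(b"\x00\x00\x01", M1), (b"\x00\x00\x02", M1), (b"\x00\x00\x01", M2)]]

if __name__ == "__main__":
    print(colliding_ivs(FRAMES))               # the IV that was reused
    print(recover(FRAMES[0][1], M1, FRAMES[2][1]))
```

The shared key K never appears in `recover`, which matches the slide's note that the attacker does not learn K.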
NSRI14 Attack – Confidentiality(2)
- Note that he does not learn the value of the shared secret K
- Solutions
  - Use of a different IV per packet
    - Some PCMCIA cards reset the IV to 0 each time they were re-initialized, and then incremented the IV by one for each packet transmitted. These cards re-initialized themselves each time they were inserted into the laptop, which can be expected to happen fairly frequently. Consequently, keystreams corresponding to low-valued IVs were likely to be reused many times during the lifetime of the key.
  - Increase the size of IV
    - 24 bits is too small. Note that if the speed is 11Mbps, the probability of collision is 99% after 12,430 frames, or in 2 to 3 seconds of normal traffic at 11Mbps.
NSRI15 Attack – Message modification(1)
- Attacker intercepts a ciphertext C before it could reach its destination:
- Assume that C corresponds to some unknown message M, so that
- Claim: it is possible to find a new ciphertext C’ that decrypts to M’, where and △ may be chosen arbitrarily by the attacker.
- Then we will be able to replace the original transmission with our new ciphertext by spoofing the source, and upon decryption, the recipient B will obtain the modified message M’ with the correct checksum.
NSRI16 Attack – Message modification(2)
- How to obtain C’ from C so that C’ decrypts to M’ instead of M.
- CRC is linear
- Note that this attack can be applied without full knowledge of M: the attacker only needs to know the original ciphertext C and the desired plaintext difference △ in order to calculate C’ = C ⊕ (△, c(△)).
NSRI17 Attack – Message Injection(1)
- We can inject a fake message F of the adversary’s choice into the wireless net so that it will be accepted by a receiver as genuine
- The adversary just needs to know a single plaintext and its corresponding encrypted packet (ping or spam can provide this easily)
- The encrypted packet is (IV, C), and the plaintext is (M, c(M)), so the adversary can compute the keystream RC4(IV, K) = C ⊕ (M, c(M))
- Now he can take his fake message F, compute c(F), and compute C’ = (F, c(F)) ⊕ RC4(IV, K). Then he transmits (IV, C’)
NSRI18 Attack – Message Injection(2)
- The receiver
  - C’ = (F, c(F)) ⊕ RC4(IV, K)
  - C’ is a correct encryption of the message F, so he has to accept it
  - The adversary has succeeded
- Solution
  - CRC does not depend on the key
  - MAC (keyed hash function) must be used
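Added example (not part of the original slides) for the message-modification slides and the MAC solution above: the same bit flips pass a CRC check but fail a keyed MAC. It assumes a constructed keystream in place of RC4(IV, K), HMAC-SHA256 truncated to 8 bytes as the MAC, and constructed messages; it also shows the one correction real CRC-32 needs, because it is affine rather than strictly linear.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "little")

def crc_delta(delta: bytes) -> bytes:
    """Change in c(M) when delta is XORed into M. CRC-32 as implemented is
    affine (initial/final XOR), so the all-zero message's CRC is cancelled:
    c(M ^ D) = c(M) ^ c(D) ^ c(00..0)."""
    return xor(crc(delta), crc(bytes(len(delta))))

def modify(c: bytes, delta: bytes) -> bytes:
    """C' = C XOR (delta, c(delta)); uses neither K nor M."""
    return xor(c, delta + crc_delta(delta))

def crc_accepts(p: bytes) -> bool:
    return crc(p[:-4]) == p[-4:]

def tag(mac_key: bytes, m: bytes) -> bytes:
    return hmac.new(mac_key, m, hashlib.sha256).digest()[:8]

def mac_accepts(mac_key: bytes, p: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, p[:-8]), p[-8:])

# Constructed values. KS stands in for RC4(IV, K): the result does not
# depend on how the keystream was generated, only on XOR encryption.
KS = hashlib.sha256(b"constructed keystream").digest()
MAC_KEY = b"constructed mac key"
M, WANTED = b"level=low ;seq=0042", b"level=high;seq=0042"
DELTA = xor(M, WANTED)                         # difference applied in transit

def crc_frame_after_tamper() -> bytes:
    """Receiver's plaintext after C was modified in transit (CRC ICV)."""
    return xor(modify(xor(M + crc(M), KS), DELTA), KS)

def mac_frame_after_tamper() -> bytes:
    """Same bit flips against a frame that carries a keyed MAC instead."""
    c = xor(M + tag(MAC_KEY, M), KS)
    return xor(xor(c, DELTA + bytes(8)), KS)   # tag cannot be fixed up keyless

if __name__ == "__main__":
    p = crc_frame_after_tamper()
    print(p[:-4], "CRC accepted:", crc_accepts(p))
    print("MAC accepted:", mac_accepts(MAC_KEY, mac_frame_after_tamper()))
```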
NSRI19 Attack – Authentication(1)
- Authentication: client to AP
  - AP → M: send a challenge string R (128-bit) to the client
  - M → AP: WEP-encrypted ciphertext (RC4(IV, K) ⊕ R)
  - AP: checks if the challenge is correctly encrypted, and if so, accepts the client
- Goal: verify that a client joining the network really knows the shared secret key K
- So the adversary has now just seen both the plaintext and the ciphertext of the challenge
- This is enough not only to inject packets (as in the previous attack), but to execute the authentication protocol himself.
NSRI20 Attack – Authentication(2)
- Once the adversary obtains a single challenge/response pair for a given key K, he can extract IV and RC4(IV, K)
- Now the attacker tries to connect to the network
- The AP sends a challenge string M’ to the adversary
- The adversary replies with IV, (M’, c(M’)) ⊕ RC4(IV, K)
- This is in fact the correct response, so the AP accepts the adversary
- The adversary has succeeded even though he never did learn the value of K
- Solution: Use challenge-response protocol using block cipher
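Added example (not part of the original slides) covering the keystream recovery used in both the injection and authentication slides: one observed challenge/response pair is enough to pass a fresh challenge, while a keyed-MAC response does not have that flaw. Assumptions: SHAKE-256 stands in for RC4(IV, K), HMAC-SHA256 is swapped in for the block-cipher protocol the slide proposes, and all keys, IVs and function names are constructed for this example.

```python
import hashlib
import hmac
import os
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(m: bytes) -> bytes:
    return m + zlib.crc32(m).to_bytes(4, "little")      # (M, c(M))

def keystream(iv: bytes, k: bytes, n: int) -> bytes:
    """Stand-in for RC4(IV, K) (assumption): any function of IV and K fits."""
    return hashlib.shake_256(iv + k).digest(n)

def wep_response(k: bytes, iv: bytes, r: bytes):
    """Station: IV, (R, c(R)) XOR keystream."""
    p = with_icv(r)
    return iv, xor(p, keystream(iv, k, len(p)))

def wep_verify(k: bytes, r: bytes, iv: bytes, c: bytes) -> bool:
    """AP: decrypt the response and compare it with its own challenge."""
    return xor(c, keystream(iv, k, len(c))) == with_icv(r)

def keystream_from_exchange(r: bytes, c: bytes) -> bytes:
    """Observer of one exchange: keystream = C XOR (R, c(R)); K not needed."""
    return xor(c, with_icv(r))

def mac_response(k: bytes, r: bytes) -> bytes:
    """Keyed-MAC response (HMAC-SHA256, swapped in for the block cipher)."""
    return hmac.new(k, r, hashlib.sha256).digest()

K = bytes.fromhex("0102030405")                 # constructed shared key
IV = b"\x00\x00\x07"                            # constructed IV
R1, R2 = os.urandom(16), os.urandom(16)         # two 128-bit challenges

def wep_accepts_keyless_answer() -> bool:
    """Answer challenge R2 using only what was visible in the R1 exchange."""
    iv, c1 = wep_response(K, IV, R1)            # legitimate station, observed
    ks = keystream_from_exchange(R1, c1)
    return wep_verify(K, R2, iv, xor(with_icv(R2), ks))

def mac_accepts_old_answer() -> bool:
    """An observed MAC response says nothing about the answer to R2."""
    observed = mac_response(K, R1)
    return hmac.compare_digest(mac_response(K, R2), observed)

if __name__ == "__main__":
    print("WEP shared-key auth accepts:", wep_accepts_keyless_answer())
    print("MAC challenge-response accepts:", mac_accepts_old_answer())
```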
NSRI21 How to make secure WEP
- RC4 → 128-bit block cipher
- Precise descriptions
  - Setup procedure of key
  - Generation method of IV
  - Detail of “mode of operation”
- Never reuse IV (if K is fixed)
- Size of IV > 56 bit(??)
- CRC → MAC
- Challenge-response authentication protocol based on block cipher
NSRI22 Conclusion
- WEP is totally insecure
  - Confidentiality X
  - Access control X
  - Data integrity X
- No matter if you’re using 40-bit keys or 104-bit keys (or IV)
- CRC is useless against malicious errors (CRC detects random bit errors in transmission)
- It is quite difficult to adopt a stream cipher for the purpose of “message integrity” or “user authentication”
- What about Bluetooth?