Intercepting Mobiles Communications: The Insecurity of ► Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001 ► Lecture by Danny Bickson
WEP Protocol ► WEP – Wired Equivalent Privacy ► Wireless standard ► Link layer ► Protocol goals: Confidentiality: prevent eavesdropping Access control: prevent unauthorized access Data integrity: prevent tampering of messages ► We show that none of the security goals are attained
Network Model Internet
WEP Algorithm Encryption MessageCRC(M) RC4(k,IV) CipherIV
WEP Algorithm Decryption MessageCRC(M) RC4(k,IV) CipherIV
Confidentiality
Stream cipher properties ► Given two ciphers C 1,C 2 – C 1 C 2 = P 1 P 2. ► Keystream reuse can lead to a number of attacks: If plaintext of one message is known, the other is immediately obtainable. In the general case, known techniques for breaking reused keystreams. As the number of reused keystream increases breaking them becomes easier. ► Two conditions required for this class of attcks to succeed: Availability of ciphertexts where keystream is used more than once. Partial knowledge of some of the plain texts.
Finding instances of keystream reuse ► Shared key k changes rarely. ► Reuse of IV causes reuse of keystream. ► IV are public.
IV Usage ► Standard recommends (but not requires) change of IV. ► Common PCMCIA cards sets IV to zero and increment it by 1 for each packet. ► IV size is only 24 bits. ► Busy access point of 5Mbps will exhaust available space in 11 hours. ► Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision
Exploiting keystream reuse ► Many fields of IP traffic are predictable. ► For example: login sequences. ► Active attack (known plaintext)
Decryption dictionaries ► Once plaintext of encrypted message is obtained, keystream value stored in dictionary. ► Full table requires 24GB ► Size of dictionary does not depend of size of key
Key management
Message Authentication ► Message modification ► Message injection
Message Modification ► Checksum used is CRC-32 which is a linear function of the message: ► In other words, checksum distributes over the XOR operation. C(x y) = C(x) C(y) ► RC4 stream cipher also linear.
The attack Given C we would like to create C’ s.t. C’ decrypts to M’ instead of M. MessageCRC(M) RC4(k,IV) Cipher CRC( ) = MessageCRC(M) RC4(k,IV) CRC( ) = RC4(k,IV) ’’CRC( ’) =
Relation to GSM Encryption: C = G(M) A5/2(IV,k) Decryption: 1. G(M) = C A5/2 (IV,k) 2. H(G(M)) = 0 ? 3. M = G -1 (G(M))
Attack on GSM H(C) = H(A5/2(Iv, k) G(M)) = H(A5/2(IV,k)) H(G(M)) = H(A5/2(IV,k)) 0 = H(A5/2(IV,k))
Message Injection ► WEP checksum is an unkeyed function of the message. ► After knowing one keystream we can use it forever. C’ = RC4(IV,k)
Other attacks ► IP redirection. Assumption: Destination address is known.
IP redirection (cont.) ► Need to calculate IP checksum ► Several options IP checksum for original packet is known Original IP checksum is not known Compensate by changing another IP field
Reaction Attack ► Works only for TCP protocol ► Pick i at random, let be all zeros, except for positions i and i+16. Calc C’ = C Two options: 1. Got an acknowledgment, P i P i+16 = 1 2. Else P i P i+16 = 0 ► Each test reveals 1 bit of information
Conclusion ► Design of security protocols is difficult (more than the design of network protocols) ► Combining several secure algorithms does not mean that the result is secure ► Engineering perspective dictated selection of cryptographic algorithms
THE END ► Thank You!