WLAN Security1 Security of WLAN Máté Szalay
WLAN Security2 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security3 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security4 Introduction Wireless LAN IEEE a (5 GHz, 54Mbps) b (2.4 GHz, 11 Mbps) g (2.4 GHz, 6-54 Mbps) PDA, Notebook
WLAN Security5 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security6 WEP 1 Wired Equivalent Privacy Radio Interface Goals: Privacy/Confidentiality User authentication Message authentication
WLAN Security7 WEP 2 RC4 Checksum Message IV (24) k (40) Keystream
WLAN Security8 WEP 3 – RC4 RC4 Stream cipher 10 times faster than DES Ron Rivest, 1987 (Ron’s Code) Details available since 1994 Variable key size
WLAN Security9 WEP 4 M: message c(M): integrity checksum Key independent! v: IV (Initialization Vector) k: Secret Key P: plaintext P= C: ciphertext C=PRC4(v,k)
WLAN Security10 WEP 5 AB: v,C C=PRC4(v,k) = RC4(v,k)
WLAN Security11 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security12 Intercepting Traffic Open Radio Waves 2.4 GHz Significant time and equipment costs Modifying WLAN hardware Firmware upgrade
WLAN Security13 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security14 Keystream reuse 1 Same keystream portion is used to encrypt C 1 and C 2 C 1 C 2 =P 1 P 2 Partial knowledge of some plaintexts Known headers Languages
WLAN Security15 Keystream reuse 2 k is rarely changed WLAN uses per packet IV IV reuse means keystream reuse IV reuse is easy to detect PCMCIA cards set IV to 0 on reset and increment after each packet
WLAN Security16 Keystream reuse 3 24-bit IV Random IV Birthday paradox Per packet IV is recommended by standard 5Mbps, 24-bit IV space is exhausted in less than half a day
WLAN Security17 Exploiting keystream reuse Known headers Plaintext can be “chosen” Building up TCP connection from a known IP address Sending , and waiting for the user to check it over WLAN
WLAN Security18 Decryption Dictionaries IV reuse Plaintexts are learned Keystream segment is also learned Full table: 1500 bytes for 2^24 IVs 24 GB Starting from low IVs Fast and easy decryption
WLAN Security19 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security20 Key Management Not specified by standard Globally shared array of 4 keys Message contains key ID Practice: one key is used in the entire network Same IV from different users
WLAN Security21 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security22 Message Authentication - 1 Checksum is linear! C= RC4(v,k) M’=MD C’=C = RC4(v,k) = RC4(v,k)
WLAN Security23 Message Authentication - 2 Injection Checksum is unkeyed! Attacker learns M, C Recovers keystream Can inject any M using the same IV Receiver must accept IV reuse to be compliant
WLAN Security24 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security25 User Authentication Shared key authentication 128 bit random challenge Must be returned WEP encrypted Intercepting valid authentication Plaintext ciphertext pair is learned Attacker can authenticate without key!
WLAN Security26 Contents Introduction WEP Intercepting Traffic Keystream Reuse Key Management Message Authentication User Authentication Message Confidentiality
WLAN Security27 Message confidentiality AP can decrypt for us Clone packets in WLAN network with different destination IP address IP checksum: problem
WLAN Security28 Conclusions Consider WLAN network “untrusted” Outside the firewall VPN (dialup) Improved key management MCL WLAN solution
WLAN Security29 Thank you for your attention!