An Inductive Chosen Plaintext Attack against WEP/WEP2


1 An Inductive Chosen Plaintext Attack against WEP/WEP2
William A. Arbaugh, University of Maryland, College Park
May 2001

2 Talk Outline
- Introduction
  - WEP/WEP2
  - IP
  - Walker/Berkeley Attacks
- Attack Overview
- Attack Details
- Conclusions

3 WEP/WEP2
[Figure: Encapsulate/Decapsulate between a plain frame (Hdr, Data) and a WEP frame (Hdr, IV, Data, ICV)]
- Encryption Algorithm = RC4
- Per-packet encryption key = IV concatenated to a pre-shared key
- WEP: 24 bit IV
- WEP2: 128 bit IV
- WEP allows IV to be reused with any frame
- Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
- Data and ICV are encrypted under the per-packet encryption key

4 How to Read WEP Encrypted Traffic (1)
[Figure: WEP frame (Hdr, IV, Data, ICV); the IV is labelled "24 luxurious bits"; Data and ICV are labelled "Encrypted under Key + IV using a Vernam Cipher"]
- 50% chance of a collision exists already after only 4823 packets!!!
- Pattern recognition can disentangle the XOR’d recovered plaintext.
- Recovered ICV can tell you when you’ve disentangled plaintext correctly.
- After only a few hours of observation, you can recover all 2^24 key streams.

5 How to Read WEP Encrypted Traffic (2)
Ways to accelerate the process:
- Send spam into the network: no pattern recognition required!
- Get the victim to send to you
  - The AP creates the plaintext for you!
- Decrypt packets from one Station to another via an Access Point
  - If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other
- Etc., etc., etc.

6 Observations
Walker/Berkeley attacks require either:
- Depth and post analysis
- Cooperating agent for known plain text
Can we do better?

7 Inductive Chosen Plain Text
- Base Case: Recover an initial pseudo random stream of length n from known plain text.
- Inductive step: Extend size of known pseudo random to n+1 by leveraging the redundant information in the CRC.

8 Base Case
Find initial pseudo random stream of size n.
- Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address.
- Known source ( ), destination ( ), header info
- Allows the recovery of 24 bytes of pseudo random stream: Let n = 24

9 Inductive Step
1. Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc.
2. Compute ICV and append only the first three bytes.
3. XOR with n bytes of pseudo random stream.
4. Append last byte as the n+1 byte

10 Inductive Step
[Figure: Data (n-3 bytes) and the first 3 bytes of the ICV are XORed with n bytes of Pseudo Random Stream to give the Encrypted Data; byte n+1 is appended by iterating over the 255 possibilities. Frame: Hdr, IV, Data, ICV-1, byte n+1.]

11 Inductive Step
5. Now send datagram and wait for a response.
6. If no response, try another of the 254 remaining possibilities.
7. If there is a response, then we know: the n+1 byte was the last byte of the ICV, thus we have matching plaintext and ciphertext, which gives us the n+1 byte of the pseudorandom stream.

12 After Response
[Figure: Data (n-3 bytes) and ICV (3 bytes) against the Pseudo Random Stream, as on the previous slide; the n+1 plaintext byte (last ICV byte) and the n+1 ciphertext byte of the Encrypted Data give the n+1 pseudo random byte. Frame: Hdr, IV, Data, ICV-1, byte n+1.]

13 Attack Cost
Assume moderately aggressive attacker:
- ~100 attacker transmissions per second
- NOTE: ICV failures will not be passed to OS and thus the attack is difficult to observe (failed ICV counter notwithstanding)
- 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case
- ~40 minutes in average case

14 WEP Costs
- 46 hours to build full dictionary of <IV, pseudorandom> with one attacking host (~35GB)
- But, the attack is embarrassingly parallel.
  - Four attacking hosts: 11.5 hours
  - Eight attacking hosts: 5.75 hours

15 WEP2 Costs
- Prohibitive to build entire dictionary in terms of space and time, but we don’t need to do so.
- Because, we can still find enough <IV,pseudorandom> pairs to find and attack a vulnerable host on the LAN and recover key actively, e.g. blind scans and blind attacks.

16 This Attack Works
- Because of the redundant information provided by the CRC, and
- Because of the lack of a keyed MIC

17 Stopping/Mitigating the Attack
- Add a keyed MIC (stops attack)
- Adding a replay window (mitigates attack)
- Modifying the CRC such that it can’t be:
  - Easily determined by an attacker
  - Not linear (bit flipping attack)
  (mitigates attack)
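
An added example, not part of the original presentation: it contrasts the linear CRC-32 ICV with a keyed MIC on a toy WEP-style frame, showing that a frame modified without the key still verifies under CRC-32 but is rejected once the tag is keyed. The function names, the sample IV, key and payload, and the use of truncated HMAC-SHA256 as the keyed MIC are assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

def rc4(key, n):  # n bytes of RC4 keystream (standard KSA + PRGA)
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag(data, mic_key=None):
    """CRC-32 ICV, or with mic_key a truncated HMAC-SHA256 (assumed keyed MIC)."""
    if mic_key is None:
        return zlib.crc32(data).to_bytes(4, "little")
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:8]

def seal(iv, key, data, mic_key=None):
    """Encrypt data || tag under the per-packet key IV || key (slide 3)."""
    body = data + tag(data, mic_key)
    return xor(body, rc4(iv + key, len(body)))

def unseal(iv, key, frame, mic_key=None):
    """Decrypt and verify; returns the data, or None if the tag check fails."""
    body = xor(frame, rc4(iv + key, len(frame)))
    cut = len(body) - (4 if mic_key is None else 8)
    return body[:cut] if hmac.compare_digest(body[cut:], tag(body[:cut], mic_key)) else None

def keyless_patch(frame, delta):
    """XOR delta into the data and crc(delta) ^ crc(zeros) into the first 4 tag bytes."""
    fix = xor(tag(delta), tag(bytes(len(delta))))
    return xor(frame, (delta + fix).ljust(len(frame), b"\0"))

def demo():
    # Constructed sample values, not taken from any real network.
    iv, key, mic_key = b"\x01\x02\x03", b"constructed-key", b"constructed-mic-key"
    data, delta = b"setpoint=020;unit=C", b"\0" * 9 + b"\x09" + b"\0" * 9
    crc_frame = keyless_patch(seal(iv, key, data), delta)
    mic_frame = keyless_patch(seal(iv, key, data, mic_key), delta)
    return unseal(iv, key, crc_frame), unseal(iv, key, mic_frame, mic_key)
```

demo() returns the altered payload for the CRC-32 frame and None for the keyed-MIC frame, which is the difference between "mitigates" and "stops" on the slide above.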

18 Conclusions
- Fundamental problem is that both WEP and WEP2 are vulnerable to packet forgery.
- It’s easy to dismiss this attack (and the Walker/Berkeley attacks) as “academic”.
- However, it’s only a matter of time before the attacks are implemented/scripted and released … What then?

