Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley"— Presentation transcript:

1 Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley nikitab@cs.berkeley.edu

2 Wireless Security Wireless networks becoming prevalent New security concerns –More attack opportunities No need for physical access –Attack from a distance 1km or more with good antennae –No physical evidence of attack Typical LAN protection insufficient –Need stronger technological measures

3 802.11 Security “Wired Equivalent Privacy” protocol (WEP) Protects wireless data transmissions Security goals: –Prevent eavesdropping [privacy] –Prevent message modification [integrity] –Control network access [access control] Essentially, equivalent to wired security Only protects the wireless link –… not an end-to-end solution

4 Summary of Attacks None of security goals are met “Insecurity of 802.11” [BGW’01] –Keystream reuse [privacy] –CRC attacks [integrity] –Authentication spoofing [access control] –IP redirection & TCP reaction attacks [privacy] “Inductive chosen plaintext attack” [Arb’01] –CRC attack [privacy] “Weaknesses in RC4 key scheduling” [FMS’01] –RC4 weakness [privacy]

5 Protocol Setup Mobile Station Mobile Station Mobile Station Access Point Shared Key LAN

6 Protocol Setup Mobile station shares key with access point –Various key distribution strategies –One shared key per installation is common Integrity check (CRC) computed over packet Packet + CRC are encrypted with shared key –… together with an IV Receiver decrypts and verifies CRC Packet accepted if verification succeeds

7 Packet Format IVCRC-32 … Payload Key ID byte RC4 encrypted

8 Encryption Algorithm Use RC4 – a well-studied algorithm RC4 is a stream cipher Expands a key into an infinite pseudorandom keystream To encrypt, XOR keystream with plaintext Random ^ Anything = Random Encryption same as decryption (keystream cancels out)

9 Example “WIRELESS” = 574952454C455353 566A1722C5EE9EBC “WIRELESS” = 574952454C455353 RC4(“foo”) = 0123456789ABCDEF XOR

10 Initialization Vectors Encrypting two messages with the same part of RC4 keystream is disastrous: –C1 = P1  RC4(key) –C2 = P2  RC4(key) –C1  C2 = P1  P2 –Keystream cancels out! Use initialization vector to augment the key –Key = base_key || IV –Different IVs produce different keystreams Include IV (unencrypted) in header

11 Problem 1: IV collision What if two messages use the same IV? Same IV  same keystream! C1  C2 = P1  P2 If P1 is known, P2 is immediately available Otherwise, use expected distribution of P1 and P2 to discover contents –Much of network traffic contents predictable –Easier when three or more packets collide

12 Finding IV collisions 802.11 doesn’t specify how to pick IVs –Doesn’t even require a new one per packet Many implementations reset IV to 0 at startup and then count up Further, only 2 24 IV choices –Collisions guaranteed after enough time –Several hours to several days Collisions more likely if: –Keys are long-lived –Same key is used for multiple machines

13 Decryption Dictionary Once a packet is successfully decrypted, we can recover the keystream: –RC4(k,IV) = P xor C Use it to decrypt packets with same IV If we have 2 24 known plaintexts, can decrypt every packet Store decryption dictionary on a cheap hard drive For counting IVs starting at 0, smaller dictionaries can be effective

14 Problem 2: Linear Checksum Encrypted CRC-32 used to check integrity –Fine for random errors, but not deliberate ones CRC is linear –I.e. CRC(X  Y) = CRC(X)  CRC(Y) RC4(k,X  Y) = RC4(k,X)  Y RC4(k,CRC(X  Y)) = RC4(k,CRC(X))  CRC(Y) –Hence we can change bits in the packet

15 Packet Modification 011010010100 …………………………………… Payload 10110 ………… CRC-32 RC4 101101110101 ………………………………………………………… XOR 110111100001 …………………………………… 11011 ………… 010000000000 …………………………………… 00110 ………… XOR 100111100001 …………………………………… 11101 ………… Modified Packet RC4(k,CRC(X  Y)) = RC4(k,CRC(X))  CRC(Y)

16 Can modify packets! “Integrity check” does not prevent packet modification Can maliciously flip bits in packets –Modify active streams –Bypass access control Partial knowledge of packet is sufficient –Only modify the known portion

17 Typical Operation Mobile Station Access Point Recipient Packet Interne t

18 Redirection Attack Mobile Station Access Point Recipient Evil 1 Packet’ Interne t Evil 2

19 Redirection Attack Suppose we can guess destination IP in encrypted packet Flip bits to change IP to Evil 2, send it to AP –Tricks to adjust IP checksum (in paper) AP decrypts it, then forwards it to Evil 2 Incorrect TCP checksum not checked until Evil 2 sees the packet!

20 Reaction Attacks Send encrypted packet to the AP AP decrypts it for further processing System reacts to the decrypted data Monitor reaction –Learn information about decrypted data –Usually only a few bits Reaction becomes a side channel Learn more data with multiple experiments

21 TCP reaction attack Carefully modify an intercepted packet TCP checksum will be correct or incorrect depending on the decrypted contents Reinject packet, watch reaction –ACK received  TCP checksum correct –Otherwise, checksum failed Learn one bit of information about packet Repeat many times to discover entire packet

22 Fluhrer et al Attack on RC4 Designer’s worst fear: new flaw in encryption algorithm Attack: –Monitor encrypted traffic –Look for special IV values that reveal information about key state –Recover key after several million packets (many technical details omitted)

23 Practical Considerations Park van outside of house or office –With good antenna and line of sight, can be many blocks away Use off-the-shelf wireless card Monitor and inject traffic –Injection potentially difficult, but possible Software to do Fluhrer et al attack readily available

24 Defences Various commercial 802.11 enhancements –Almost always, “enhanced security” means better key management –Does not protect against active attacks (reaction, redirection) or the Fluhrer et al attack Wait for next version of WEP –Still in progress Use a VPN over the wireless network –Assumes wireless LAN untrusted –Works around any security flaws

25 Lesson: Public Review Essential IEEE used “open design” –Anyone allowed to participate meetings –Standard documents freely available (used to cost $$) However: –Only employees sponsored by companies can afford the time and expense of meetings –No review by cryptography community Many flaws are not new –E.g. CRC attacks, reaction attacks –Arguably, even the Fluhrer et al attack could have been prevented

26 Lesson: Message Integrity Essential Message integrity was only a secondary goal However, poor integrity can compromise privacy as well: –IP redirection attack –TCP reaction attack –Inductive CRC attack [Arbaugh’01] Proper cryptographic authentication necessary “Encryption without integrity checking is all but useless” [Bellovin’96]

27 Privacy Protection in Infrastructure Insecure network tools prevalent –File sharing (FTP, NFS, SMB) –E-mail (SMTP, POP) –Etc. Wireless networks expose security problems –Attacks possible in wired networks, but accessible to many more people in wireless ones Fix wireless networks or fix infrastructure? –Privacy is best protected end-to-end

28 Conclusions Security is difficult to achieve –Even when good cryptography is used WEP is insufficient to protect privacy –All security goals can be compromised –Use other technologies to secure transmissions More information at: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Download ppt "Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley"

Similar presentations

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.

Wireless Security Why Swiss-Cheese Security Isn’t Enough David Wagner University of California at Berkeley.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
Wireless Security David Wagner University of California at Berkeley.

Wireless Security David Wagner University of California at Berkeley.
Wireless Security David Wagner University of California, Berkeley.

Wireless Security David Wagner University of California, Berkeley.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

Similar presentations

Ads by Google