Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic."— Presentation transcript:

1 COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic

2 COMP4690, HKBU2 Outline Introduction of 802.11 Introduction of WEP Security of WEP References

3 COMP4690, HKBU3 Example of Single-Cell Wireless LAN

4 COMP4690, HKBU4 Example of Multi-Cell Wireless LAN

5 COMP4690, HKBU5 IEEE 802.11 – infrastructure mode Smallest building block is Basic Service Set (BSS) A number of stations executing the same MAC protocol Compete for access to same shared wireless medium A BSS may be isolated, or may connect to a Backbone Distribution System (DS) through an Access Point (AP) AP functions as bridge MAC protocol may be distributed or controlled by a central coordination function in AP BSS generally corresponds to a “cell” DS can be a switch, wired network, or wireless network

6 COMP4690, HKBU6 IEEE 802.11 – infrastructure mode BSS 1 BSS 2 Internet hub, switch or router AP

7 COMP4690, HKBU7 IEEE 802.11 Protocol Architecture

8 COMP4690, HKBU8 Some history Cordless phones Analog cell phones Anybody with a scanner that operated at the right frequency could easily listen to calls not intended for them. 802.11 tried to avoid, but the same cycle still played out… Wireless access points must announce themselves to the world: by broadcasting 802.11 beacon frames. Wandering users with an 802.11 receiver can find out about wireless networks in the area simply by putting up an antenna. War driving: driving around looking for access points http://www.securityfocus.com/news/192 One quick solution: MAC-address filtering But malicious attackers can alter addresses (with sufficient operating system privileges).

9 COMP4690, HKBU9 Security of 802.11 Existing security consists of two subsystems A data encapsulation technique called Wired Equivalent Privacy (WEP) An authentication algorithm called Shared Key Authentication Defined in Section 8 “Authentication and privacy” in the IEEE Std 802.11 (in 1997).

10 COMP4690, HKBU10 WEP Wired Equivalent Privacy To protect authorized users of a wireless LAN from casual eavesdropping To create the privacy achieved by a wired network (using a switch) Because of the U.S. export regulations, WEP secret keys were limited to 40 bits. The rules were relaxed later. WEP has been an option feature. But WEP itself was a flawed anchor point for security. Even with “128-bit” version, WEP is still not secure!

11 COMP4690, HKBU11 WEP WEP relied on a secret key (40-bit) shared between the two peers (usually a mobile station and an access point). Before transmission of a frame: Checksumming: compute an integrity checksum on the message using CRC-32 algorithm, then concatenate the two into plaintext P Encryption: encrypt the plaintext P using RC4. This requires an initialization vector (IV). IV has only 24 bits. It is inserted into the frame in plaintext (so that the peer can decrypt the ciphertext).

12 COMP4690, HKBU12 WEP Encapsulation 802.11 HdrData WEP Encapsulation Summary: Encryption Algorithm = RC4 Per-packet encryption key = 24-bit IV concatenated to a pre-shared key WEP allows IV to be reused with any frame Data integrity provided by CRC-32 of the plaintext data (the “ICV”) Data and ICV are encrypted under the per-packet encryption key 802.11 HdrDataIVICV EncapsulateDecapsulate

13 COMP4690, HKBU13 WEP Encryption IV: 24-bit, how often to change IV values? Secret Key: 40-bit, be distributed by an external key management service Seed: 64-bit PRNG: Pseudo-Random Number Generator, using RC4 algorithm from RSA Data Security, Inc. ICV: 32-bit, using CRC-32

14 COMP4690, HKBU14 WEP Encryption Message: M Initialization vector (IV): v Integrity checksum (ICV): c(M) After concatenation: P = M || c(M) Key sequence: RC4(v, k) Ciphertext: C = P  RC4(v, k)

15 COMP4690, HKBU15 WEP Decryption

16 COMP4690, HKBU16 WEP Decryption The receiver gets v from the received frame. The receiver calculates the key sequence using RC4(v, k). The receiver decrypts the ciphertext using P = C  RC4(v, k) P is divided into two parts: M' and c' where c' contains the last 32 bits of P. If c(M') = c', the receiver will think that M' is the message.

17 COMP4690, HKBU17 Properties of Vernam Ciphers The WEP encryption algorithm RC4 is a Vernam Cipher: Pseudo-random number generator Encryption Key K Plaintext data byte p Random byte b  Ciphertext data byte p Decryption works the same way: p = c  b

18 COMP4690, HKBU18 Properties of Vernam Ciphers Thought experiment 1: what happens when p 1 and p 2 are encrypted under the same “random” byte b? c 1 = p 1  bc 2 = p 2  b Then: Conclusion: it is a very bad idea to encrypt any two messages using the same key sequence. The ciphertexts can be sniffered easily. So once p 1 is know, you can know p 2, and vice versa. c 1  c 2 = (p 1  b)  (p 2  b) = p 1  p 2

19 COMP4690, HKBU19 Keystream Reuse Keystream (or key sequence): RC(v, k) Usually k is fixed. How about v? It’s better to have different values of v for different packets: per-packet IV. However, “IV collision” is difficult to avoid: For some implementations, IV is reset to 0 when initialized, and incremented by one for each packet. IV has only 24 bits, too short!!!

20 COMP4690, HKBU20 How to Read WEP Encrypted Traffic (1) If IV is randomly chosen, by Birthday Paradox, probability P n that two packets will share same IV after n packets is P 2 = 1/2 24 after two frames and P n = P n–1 + (n–1)(1–P n–1 )/ 2 24 for n > 2. 50% chance of a collision exists already after only 4823 packets!!! Once two encrypted packets that use the same IV are discovered, various methods of attack can be applied to recover the plaintext. If the plaintext of one of the messages is knows, it is easy to derive the contents of the other one; and also other messages that have been encrypted using the same IV can be directly decrypted. 802.11 HdrDataIVICV 24 bits Encrypted under Key +IV using RC4

21 COMP4690, HKBU21 How to Read WEP Encrypted Traffic (2) Ways to accelerate the process: Send spam into the network: no pattern recognition required! Get the victim to send e-mail to you The AP creates the plaintext for you! Decrypt packets from one Station to another via an Access Point If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other Etc., etc., etc.

22 COMP4690, HKBU22 Data Integrity CRC checksum is insufficient to ensure data integrity. It is designed to detect random errors, not to stop malicious attackers! It is easy for attackers to modify the message and to inject messages without detection! Mainly because CRC is a linear function of the message: c(x  y) = c(x)  c(y)

23 COMP4690, HKBU23 Message Modification Assume C is the ciphertext of message M C = RC4(v, k)  (M||c(M)) For an attacker, he can easily capture C and v. But he doesn’t know k. The main purpose of the attacker is to replay a different message C' to the receiver without being detected. In another word, the receiver will get a wrong message M'.

24 COMP4690, HKBU24 Message Modification Given any E, the attacker can calculate its checksum c(E). Then the attacker generates C' as: C' = C  (E||c(E)) Once C' is received by the receiver, it will decrypt as follows: Therefore the receiver gets a wrong message M' = M  E.

25 COMP4690, HKBU25 Final answer? WPA: Wi-Fi Protected Access Intended as an intermediate measure to take the place of WEP while 802.11i was prepared 802.11i Ratified in June 2004. Supported by Intel, IBM, etc. AES-CCMP (Counter-Mode/CBC-MAC Protocol) WRAP (Wireless Robust Authenticated Protocol) 802.1x WPA2 WPA2 is the certified form of 802.11i tested by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i.

26 COMP4690, HKBU26 References ISO/IEEE Std 802.11, Section 8, “MAC and PHY Specifications -- Authentication and Privacy”, 1999 Edition. Nikita Borisov, et al, “Intercepting Mobile Communications: the Insecurity of 802.11”, 2001. W. A. Arbaugh, et al, “Your 802.11 Wireless Network has No Clothes”, 2001. Matthew Gast, “Wireless LAN Security: a Short History”, 2002.

Download ppt "COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic."

Similar presentations

IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
Wireless Privacy: Analysis of 802.11 Security Nikita Borisov UC Berkeley

Wireless Privacy: Analysis of Security Nikita Borisov UC Berkeley
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.

WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.

The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.

Similar presentations

Ads by Google