Presentation is loading. Please wait.

Presentation is loading. Please wait.

How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "How To Not Make a Secure Protocol 802.11 WEP Dan Petro."— Presentation transcript:

1 How To Not Make a Secure Protocol 802.11 WEP Dan Petro

2 What is WEP? Wired Equivalent Privacy Wireless LAN security protocol  Uses IEEE 802.11 a,b,g, and n Provides certain security services Originally 64 bits, but has been extended to 128 bits and even 256 bits Easily broken Why? And How?  Fundamentally poor design choices

3 How does WEP work? It works like a One Time Pad Keystream is pseudorandom XOR'd with plaintext Perfectly secret ciphertext Right? What's the worst that could happen?

4 Design Goals of WEP Confidentiality  RC4 cipher and XOR operation Integrity  CRC of message inside plaintext Authentication?!* Availability?!

5 Keys Not one, but two keys.  Primary Master Key or just “key” (Secret)  Initialization Vector (Well known) Key = 40 bits IV = 24 bits  Total = 64 bits

6 Failure #1 ONE TIME Pad  You must never use the same key(stream) twice. In WEP, Key = PMK + IV  IV changes for each message  If an IV is ever used twice, the same keystream will be used twice IV is only 24 bits  Birthday Attack = collision every 5,000 frames.

7 Failure #1 What's the harm?  Cipher1 = Plaintext1 ⊕ Keystream  Cipher2 = Plaintext2 ⊕ Keystream You now know Plaintext1 ⊕ Plaintext2  If you happen to know one of the plaintexts, then you can decrypt any new ciphertext that uses the same Keystream  Full and partial knowledge No diffusion! Even worse: WEP does not specify how to select IV's.

8 Failure #1 Example Capture multiple Ciphertexts with the same IV Obtain a (partial) Known Plaintext Decrypt corresponding bits in the other messages.

9 Failure #2 Integrity Failure  Linear CRC is used for Integrity.  Not a Cryptographically Secure Hash Function Linear means distributive  CRC(a) xor CRC(b) Equals  CRC(a xor b)

10 Failure #2 Arbitrary packet forgery!  Even with partial knowledge. If you know the plaintext of any part of a message, you can change it. WEP sends DST IP in plaintext

11 Failure #2.5 IP Redirection Attack – Change every IP address to that of the attacker outside the network.

12 Failure #3 Authentication Fail 1) Client Hello 2) Server Plaintext Challenge (128 Bytes) 3) Client Sends Encrypted Challenge back

13 Failure #3 But we can change the contents of any message, remember? Observe one valid authentication.

14 Failure #3 Now just change the contents of this captured response to be the challenge you need!

15 Failure #4 Getting a “Known Plaintext Attack”  WEP does not mask the size of frames  You can see exactly how long each message is. Mix that with TCP/IP, and you get a known plaintext attack ARP messages are very short, and of known length. (28 ARP bytes + 14 Layer 1 Bytes= 42 Bytes Total)  Lots of routers automatically send tons of ARP messages constantly

16 Failure #4.5 ARP Replay Attack  ARP is stateless  One ARP request packet can be replayed over and over  Hosts will respond with fresh traffic as responses  Allows for an arbitrary amount of traffic to be generated in use with other attacks.  Upgrade the attack to “Chosen Plaintext”

17 Failure #5 No Server Authentication Rouge AP's Attacker makes another AP with the same SSID Victim connects to the wrong AP Now you have a Man- in-the-Middle

18 Failure #6 The Cafe Latte Attack  No authentication Clients keep a list of favorite AP's  One's they've used before When powering on, they try to connect to those AP's Stimulate traffic from client, crack key

19 Failure #7 If the PMK is known, all bets are off  WEP does not specify how PMKs are chosen or exchanged. It's a standard “Shared Secret” problem!  Social Engineering Use a Rouge AP  Dictionary attacks  Out of Band attacks Does your company have a piece of paper with the key laying around? It probably does.

20 Failure #8 Denial of Service Firstly, it is legal to jam 2.4GHz signals  Just not cell phones!  802.11 Wifi is naturally vulnerable to this But not Bluetooth! Associate / Disassociate Packets are unencrypted If there is a single malicious user on your network, he can bring the whole thing down  ARP Cache Poisoning  DOSS (Denial of Service... with Style)

21 Failure #9 No Session Keys! How the network's perimeters should look: How it does look:

22 Failure #9 Airpwn  First “displayed” at Defcon 12 Intercepts data just like with a Rouge AP Responds to HTTP traffic before the real web server can Result?  Anything you want!

23 The Breaks Key recovery attacks due to RC4 Fluhrer, Mantin and Shamir attack  Discovered that the first few bytes produced is highly non-random Andreas Klein  Even more correlations between key and keystream found Tews, Weinmann, and Pyshkin. (PTW)  Built upon Klein's analysis and built Aircrack- ptw  (Now Aircrack-ng)

24 References and links Intercepting Mobile Communications: The Insecurity of 802.11  http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf Wikipedia  http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy Weaknesses in the Key Scheduling Algorithm of RC4  http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf CC-BY-SA

Download ppt "How To Not Make a Secure Protocol 802.11 WEP Dan Petro."

Similar presentations

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

Similar presentations

Ads by Google