Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College."— Presentation transcript:

1 The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College

2 Paper Outline Introduction Who Uses WEP? Why? How Does WEP Work? History of WEP Attacks Fragmentation Attack Conclusions

3 Introduction What is WEP (Wired Equivalent Privacy)? WEP uses a RC4 cipher (stream cipher) which attempts to keep the wireless data private and exact. WEP is broken (well-known fact) However, few people are capable of carrying out an attack Why?  Lack of knowledge. Attack requires long waiting time. Therefore – many still use WEP… (alternative is WPA – more difficult to setup and manage?)

4 Who Uses WEP? Vendors recommend 802.11i – however only a small percentage use it. Why? New cards needed Some believe “dynamic re-keying” is enough Encryption methods used in encrypted networks (%)

5 How Does WEP Work? Goals of WEP: Privacy of frames Integrity of frames Uses a symmetric stream cipher…(RC4)

6 How Does WEP Work? symmetric stream cipher Plaintext

7 How Does WEP Work? Input: Data Frame Key IV (initialization vector) Output: Encrypted payload IV Keynumber

8 How Does WEP Work? Keystream Each IV (initialization vector) produces a different seed  different keystream IV = 24 bits therefore 2 24 different keystreams Possible to know one keystream (IV/Key produced) and transmit everything with it (thus an attacker need only know one keystream to transmit) KEYSTREAM xor TEXT  CIPHERTEXT

9 How Does WEP Work? What gets encrypted? “802.11 header is always in CLEARTEXT and both MANAGEMENT and CONTROL frames are transmitted unscrambled”

10 History of WEP Attacks Brute-force Try all possible combinations (40-bit key) Less than a month on a single computer Passphrase generated keys lessen the effort Keys connected to actual meaningful words Solution: 104-bit WEP defends against attack

11 History of WEP Attacks Keystream Re-use Known cleartext then keystream recovered ciphertext xor cleartext  keystream “shared key authentication” AP sends cleartext challenge “encrypt this…” Peer sends encrypted version back to AP Snooping attacker now has keystream for IV  802.11 standard says “don’t reuse keystream for IV” However, attacker can now transmit indefinitely Solution: SSID cloaking & MAC address filters

12 History of WEP Attacks Weak IV Attacks Key could be calculated (based on RC4 properties) Takes approx. 1,000,000 packets Major threat – automated tool (anyone can hack) Solution: NIC hardware filter to filter weak IVs - could now take days - Problem: fewer keystreams (< 2 24 keystreams) A single legacy host (without filter) can compromise network

13 Two Main Attacker Problems Weak IV attack is slow Hacker Solution: Replay WEP packets – generate traffic Need to get keystream reliably Hacker Solution: Get a byte of keystream after sending only 256 packets WEP IS FINALLY DEAD? Good Guy Solution: Change key often…( frequent re- keying ) NEW ATTACK: fragmentation – instant results

14 Fragmentation Attack Works against frequent re-keying WEP design flaw: layer 2 fragmentation… Step 1. Need known plaintext in frames LLC/SNAP header contained in 802.11 data frames 8 bytes of known plaintext

15 Fragmentation Attack Step 2. Recover keystream associated with IV. cipher xor known plaintext  keystream Step 3. send 4 bytes payload/4 bytes ICV ( integrity check value ) Note: never considered a problem - LLC/SNAP alone needs 4 bytes.

16 Fragmentation Attack Only 4 bytes of payload? Answer: fragmentation Send up to 16 fragments of 4 byte payload 4x16  64 bytes of data

17 Pure Fragmentation Attack Transmission Steps 1. eavesdrop one packet – get 8 bytes 2. send data up to 64 bytes use IP fragmentation to send larger payloads Datagram IP fragment – 64 bytes 802.11 frag 4 bytes 802.11 frag 4 bytes 802.11 frag 4 bytes 802.11 frag 4 bytes

18 Pure Fragmentation Attack Decryption (Forwarding to the Internet) Steps 1. capture packet to decrypt 2. prepend additional IP header & forward to AP 3. AP assembles into single packet & decrypts 4. AP sends cleartext packet to destination host 5. Attacker recovers packet from controlled host Wait, it’s not quite that easy…

19 Pure Fragmentation Attack Why is it not quite that easy? Problem 1: Need Router’s MAC address and proper source address for network…to send. Problem 2: How about packets which meet the MTU limit? Using the AP to decrypt & send along

20 Pure Fragmentation Attack Problem 1: Need Router’s MAC address and proper source address for network…to send. Need MAC address of router Often AP is router (look for beacon frames) Most popular MAC used Need correct source IP In some networks this is not needed

21 Pure Fragmentation Attack Problem 2: How about packets which meet the MTU limit? MTU packets ( if packet > MTU-28 bytes then trouble ) Techniques Bit-flip destination address Chop-chop Spoof ICMP “packet too big” message Pure Fragmentation requires access to internet controlled host – not possible with private network Solution: Keystream Based Attacks

22 Keystream Attacks 1. Discover all possible keystreams (Dictionary attacks) - however the result is one long list of keystreams 2. Discover one specific keystream Remember: if keystream known & packet snooped with corresponding IV then plaintext is now known. ATTACKER’s GOAL

23 Keystream Attacks Discovering Keystreams Steps Acquire ability to send data (discussed earlier) Send large broadcast frame in small fragments AP will reassemble it and relay as large frame Attacker listens & obtains keystream for the new IV chosen by the AP Attacker does plaintext XOR to get new keystream for IV

24 Keystream Attacks Discovering Keystreams 34 fragments  1500 bytes of keystream 16 frags (4 bytes/frag)  64 bytes of keystream 16 frags (64 bytes/frag)  1024 bytes 2 frags (1024 bytes/frag & 476 bytes/frag)  1500 bytes

25 Keystream Attacks Discovering Keystreams To recover other keystreams – attacker sends 1500 bytes (without fragmentation) and snoops the relayed version by AP (most likely using a different IV) By sending approx. 16M (2 24 ) packets a complete IV dictionary is built.

26 Keystream Attacks Discovering a Specific Keystream What happens if you need a specific keystream in order to decrypt a specific packet? steps 1. recover keystream (8 bytes) via known plaintext 2. generate datagram of size 5 (8 – 3 bytes) 3. compute 4 byte CRC for payload (use only 3 bytes) 4. XOR with 8 byte pseudo-random stream 5. Append last byte (9 th byte – guess)

27 Keystream Attacks Discovering a Specific Keystream CRCData 5 bytes xorkeystream encrypted data Iterate through all 256 possibilities IV 802.11 Hdr

28 Keystream Attacks Discovering a Specific Keystream steps (cont.) 6. send frame & wait for AP to broadcast 7. if no response from AP – try again with new last byte else we know that our last byte guess matches the last byte of the correct CRC (which we know) therefore we can calculate one more byte of the keystream. next byte of keystream = byte guessed xor last known byte of CRC

29 Keystream Attacks Instead of Timing the AP: Use multicast to do this – All 256 guesses sent in parallel to 256 different multicast addresses When AP relays one then simply read off the correct guess from the multicast address. Therefore after sending 380,928 packets (most often less) – an arbitrary packet may be decrypted Well-known multicast addresses

30 Conclusion Using Fragmentation: Takes less than a minute for an attacker to be able to send MTU-sized packets (and find out the IP address range of the network) About 15 minutes to recover 40-bit WEP keys About 60-120 minutes to recover 104-bit WEP keys WEP is officially DEAD – fragmentation used in conjunction with these other attacks counters the final countermeasure: frequent re-keying Checkmate!

Download ppt "The Final Nail in WEP’s Coffin Andrea Bittau, Mark Handley – University College London Joshua Lackey - Microsoft CPS372 Gordon College."

Similar presentations

1 Intercepting Mobile Communications: The Insecurity of 802.11 …or “Why WEP Stinks” Dustin Christmann.

1 Intercepting Mobile Communications: The Insecurity of …or “Why WEP Stinks” Dustin Christmann.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.

COMP4690, HKBU1 Security of COMP4690: Advanced Topic.
The Dangers of Mitigating Security Design Flaws: A Wireless Case Study Nick Petroni Jr., William Arbaugh University of Maryland Presented by: Abe Murray.

The Dangers of Mitigating Security Design Flaws: A Wireless Case Study Nick Petroni Jr., William Arbaugh University of Maryland Presented by: Abe Murray.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Similar presentations

Ads by Google