Security of Wireless LAN ’01. 9. 20 Seongtaek Chee (NSRI)


1 Security of Wireless LAN ’01. 9. 20 Seongtaek Chee (NSRI)

2 Contents
- Introduction
- WEP 802.11 Security
- What’s Wrong
- Solutions
- Conclusions

3 Introduction
- IEEE 802.11 standard
  - Wired Equivalent Privacy (WEP)
  - Goal: data privacy to the level of a wired network
  - Use of 40-bit RC4 as the encryption mechanism
- Attack against WEP
  - Researchers at the Univ. of California at Berkeley published a document, “security flaws in the 802.11 security protocol”
  - Main weakness: use of static WEP keys shared among users

4 Wireless LAN
[Figure: WEP (wireless network infrastructure)]

5 Security Goal
- Confidentiality: the fundamental goal of WEP is to prevent casual eavesdropping
- Access control: to protect access to a wireless network infrastructure*
- Data integrity: to prevent tampering with transmitted messages**
* The 802.11 standard includes an optional feature to discard all packets that are not properly encrypted using WEP, and manufacturers advertise the ability of WEP to provide access control.
** The integrity checksum field is included for this purpose.

6 WEP Encryption
[Figure labels: RC4; IV (24-bit); K (40-bit); Plain-text; Cipher-text]

7 Encrypted WEP Frame
[Figure labels: Message, CRC; Keystream = RC4(IV, K); Cipher-text, IV; Plain-text; Transmitted Data]

8 WEP Encryption & Decryption
- A → B: IV, C = (P ⊕ RC4(IV, K)), where P = (M, c(M))
- B:
  1)
  2) Verifies the checksum on P’

9 WEP Encapsulation Summary
- Encryption algorithm = RC4
- Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
- WEP allows an IV to be reused with any frame
- Data integrity is provided by a CRC-32 of the plaintext data (the “ICV”)
- Data and ICV are encrypted under the per-packet encryption key

10 WEP Authentication
[Figure labels: STA; AP; Shared secret distributed out of band; Challenge (Nonce); Response (Nonce RC4 encrypted under shared key); Decrypted nonce OK?]
802.11 Authentication Summary:
- Authentication key distributed out-of-band
- Access Point generates a “randomly generated” challenge
- Station encrypts challenge using pre-shared secret

11 Properties of Stream Cipher
- What happens when plaintexts P1 and P2 are encrypted using the same key K
  - It is a very bad idea to encrypt any two plaintexts using the same keystream output by a stream cipher

12 Keystream reuse
- The key is a fixed shared secret that changes rarely, if ever
  - In fact, in many setups, every user shares the same key
- So the keystream depends only on the IV
  - If two packets ever get transmitted with the same IV, you reuse the keystream value, which is bad
  - Since the IV gets transmitted in the clear for each packet, the adversary can even easily tell when a value of IV is reused (a “collision”)

13 Attack – Confidentiality (1)
- Attacker obtains two ciphertexts C1 and C2
- C1 ⊕ C2 = P1 ⊕ P2
- Using the redundancy of plaintexts, he can know (partial) P1 and P2
This is really easy if he knows the plaintext, because, for example, he sent it to you, say via pings, or spam email. If he knows one plaintext, he can recover all the other plaintexts.

14 Attack – Confidentiality (2)
- Note that he does not learn the value of the shared secret K
- Solutions
  - Use of different IV per packets
    - Some PCMCIA cards reset the IV to 0 each time they were re-initialized, and then incremented the IV by one for each packet transmitted.
    - These cards re-initialized themselves each time they are inserted into the laptop, which can be expected to happen fairly frequently.
    - Consequently, keystreams corresponding to low-valued IVs were likely to be reused many times during the lifetime of the key.
  - Increase the size of IV
    - 24 bits is too small (Note that if the speed is 11Mbps
    - The probability of collision is 99% after 12,430 frames, or in 2 to 3 seconds of normal traffic at 11Mbps.
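The two IV problems on this slide can be checked numerically. The following is an added example, not part of the original slides: it computes the birthday-collision probability for randomly chosen IVs (reproducing the 99% after 12,430 frames figure for a 24-bit IV and comparing it with the 56-bit size raised later in the deck) and finds the first IV reuse for a card that restarts its counter at 0. The function names and the traffic pattern are assumptions made for illustration.

```python
import math

def collision_probability(frames: int, iv_bits: int = 24) -> float:
    """P(some IV repeats) when each of `frames` IVs is drawn uniformly at random."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0
    # log P(all distinct) = sum of log(1 - i/space); log1p keeps the small terms accurate
    log_distinct = sum(math.log1p(-i / space) for i in range(frames))
    return -math.expm1(log_distinct)

def frames_for(target: float, iv_bits: int = 24) -> int:
    """Birthday approximation of the frame count at which P(repeat) reaches target."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - target))))

def counter_card(frames_per_session):
    """IVs sent by a card that restarts its counter at 0 on every initialisation."""
    return [iv for frames in frames_per_session for iv in range(frames)]

def first_reuse(ivs):
    """Index of the first frame whose IV was already seen under the same key."""
    seen = set()
    for index, iv in enumerate(ivs):
        if iv in seen:
            return index
        seen.add(iv)
    return None

def report():
    return {
        "p_12430_frames_24bit": collision_probability(12430),
        "frames_99pct_24bit": frames_for(0.99, 24),
        "frames_99pct_56bit": frames_for(0.99, 56),
        # Constructed traffic: 500 frames, card re-inserted, 300 more frames.
        "counter_card_first_reuse": first_reuse(counter_card([500, 300])),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

With the counter-reset card the first frame after re-insertion already repeats an IV, so the birthday bound is the best case rather than the typical one.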

15 Attack – Message modification (1)
- The attacker intercepts a ciphertext C before it can reach its destination:
  - Assume that C corresponds to some unknown message M, so that
  - Claim: it is possible to find a new ciphertext C’ that decrypts to M’, where and △ may be chosen arbitrarily by the attacker.
  - Then we will be able to replace the original transmission with our new ciphertext by spoofing the source, and upon decryption, the recipient B will obtain the modified message M’ with the correct checksum.

16 Attack – Message modification (2)
- How to obtain C’ from C so that C’ decrypts to M’ instead of M.
- CRC is linear
- Note that this attack can be applied without full knowledge of M: the attacker only needs to know the original ciphertext C and the desired plaintext difference △ in order to calculate C’ = C ⊕ (△, c(△)).

17 Attack – Message Injection (1)
- We can inject a fake message F of the adversary’s choice into the wireless net so that it will be accepted by a receiver as genuine
  - The adversary just needs to know a single plaintext and its corresponding encrypted packet (ping or spam can provide this easily)
  - The encrypted packet is (IV, C), and the plaintext is (M, c(M)), so the adversary can compute the keystream RC4(IV, K) = C ⊕ (M, c(M))
  - Now he can take his fake message F, compute c(F), and compute C’ = (F, c(F)) ⊕ RC4(IV, K).
  - Then he transmits (IV, C’)

18 Attack – Message Injection (2)
- The receiver
  - C’ = (F, c(F)) ⊕ RC4(IV, K)
  - C’ is a correct encryption of the message F, so he has to accept it
  - The adversary has succeeded
- Solution
  - CRC does not depend on the key
  - MAC (a keyed hash function) must be used
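The integrity argument of slides 15 to 18, as an added example that is not part of the original slides: the same RC4 framing is run once with the unkeyed CRC-32 and once with a keyed hash, and the C’ = C ⊕ (△, c(△)) modification is applied to both. The HMAC construction, the 4-byte tag length, the keys and the messages are constructed assumptions for illustration, not the 802.11 fix.

```python
import hashlib, hmac, struct, zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def crc(m: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(m))     # c(M) in the slides

def crc_tag(mac_key, iv, m):                    # WEP: checksum ignores every key
    return crc(m)
def mac_tag(mac_key, iv, m):                    # slide 18: keyed hash instead
    # Truncated to 4 bytes only to keep the frame layout; real designs use longer tags.
    return hmac.new(mac_key, iv + m, hashlib.sha256).digest()[:4]

def seal(tag, iv, k, mac_key, m):
    p = m + tag(mac_key, iv, m)                 # P = (M, c(M))
    return xor(p, rc4(iv + k, len(p)))          # C = P xor RC4(IV, K)

def unseal(tag, iv, k, mac_key, c):
    p = xor(c, rc4(iv + k, len(c)))
    m, t = p[:-4], p[-4:]
    return m if hmac.compare_digest(t, tag(mac_key, iv, m)) else None

def modify(c: bytes, delta: bytes) -> bytes:
    """C' = C xor (delta, c(delta)), computed without K.
    zlib's CRC-32 is affine rather than strictly linear, so the constant
    c(00...0) for the same length must be XORed out of c(delta)."""
    return xor(c, delta + xor(crc(delta), crc(bytes(len(delta)))))

def compare():
    # Constructed sample values; none come from the slides.
    iv, k, mac_key = b"\x00\x00\x01", b"\x0a\x0b\x0c\x0d\x0e", b"sample-mac-key"
    m, wanted = b"temp=21C fan=off", b"temp=99C fan=off"
    return {name: unseal(tag, iv, k, mac_key,
                         modify(seal(tag, iv, k, mac_key, m), xor(m, wanted)))
            for name, tag in (("crc", crc_tag), ("mac", mac_tag))}
```

`compare()` returns the altered message for the CRC variant and `None` for the keyed variant; swapping the checksum does nothing about keystream reuse, which still needs the IV changes listed on slide 14.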

19 Attack – Authentication (1)
- Authentication: client to AP
  - AP → M: send a challenge string R (128-bit) to the client
  - M → AP: WEP-encrypted ciphertext (RC4(IV, K) ⊕ R)
  - AP: checks if the challenge is correctly encrypted, and if so, accepts the client
  - Goal: verify that a client joining the network really knows the shared secret key K
- So the adversary has now just seen both the plaintext and the ciphertext of the challenge
  - This is enough not only to inject packets (as in the previous attack), but to execute the authentication protocol himself.

20 Attack – Authentication (2)
- Once the adversary obtains a single challenge/response pair for a given key K, he can extract IV and RC4(IV, K)
- Now the attacker tries to connect to the network
  - The AP sends a challenge string M’ to the adversary
  - The adversary replies with IV, (M’, c(M’)) ⊕ RC4(IV, K)
  - This is in fact the correct response, so the AP accepts the adversary
  - The adversary has succeeded even though he never did learn the value of K
- Solution: use a challenge-response protocol based on a block cipher

21 How to make secure WEP
- RC4 → 128-bit block cipher
- Precise decryptions
  - Setup procedure of Key
  - Generation method of IV
  - Detail of “mode of operation”
- Never reuse an IV (if K is fixed)
- Size of IV > 56 bit(??)
- CRC → MAC
- Challenge-response authentication protocol based on block cipher

22 Conclusion
- WEP is totally insecure
  - Confidentiality: X
  - Access control: X
  - Data integrity: X
- No matter if you’re using 40-bit keys or 104-bit keys (or IV)
- CRC is useless against malicious errors (CRC detects random bit errors in transmission)
- It is quite difficult to adopt a stream cipher for the purpose of “message integrity” or “user authentication”
- What about Bluetooth?

