Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking Wireless Networks (Part II – WEP & WPA)

Similar presentations

Presentation on theme: "Hacking Wireless Networks (Part II – WEP & WPA)"— Presentation transcript:

1 Hacking Wireless Networks (Part II – WEP & WPA)
SCSC 555

2 802.11b Overview Standard for wireless networks
Approved by IEEE in 1999 Two modes: infrastructure and ad hoc BSS (infrastructure) mode IBSS (ad hoc) mode

3 Access Point SSID Service Set Identifier (SSID) differentiates one access point from another By default, access point broadcasts its SSID in plaintext “beacon frames” every few seconds Default SSIDs are easily guessable Linksys defaults to “linksys”, Cisco to “tsunami”, etc. This gives away the fact that access point is active Access point settings can be changed to prevent it from announcing its presence in beacon frames and from using an easily guessable SSID But then every user must know SSID in advance

4 Wired Equivalent Privacy (WEP)
Special-purpose protocol for b Intended to make wireless as secure as wired network Goals: confidentiality, integrity, authentication Assumes that a secret key is shared between access point and clients Uses RC4 stream cipher seeded with 24-bit initialization vector and 40-bit key Terrible design choice for wireless environment RC4 is used properly in SSL

5 Shared-Key Authentication
Prior to communicating data, access point may require client to authenticate Access Point Client beacon unauthenticated & unassociated OR probe request Passive eavesdropper recovers RC4(IV,K), can respond to any challenge from then on without knowing K authenticated & unassociated challenge challengeRC4(IV,K) association request authenticated & associated association response

6 How WEP Works no integrity! IV | shared key used as RC4 seed
Must never be repeated (why?) There is no key update protocol in b, so security relies on never repeating IV 24 bits 40 bits IV sent in the clear Worse: b says that changing IV with each packet is optional! CRC-32 checksum is linear in : if attacker flips some bit in plaintext, there is a known, plaintext-independent set of CRC bits that, if flipped, will produce the same checksum no integrity!

7 Why RC4 is a Bad Choice for WEP
Stream ciphers require synchronization of key streams on both ends of connection This is not suitable when packet losses are common WEP solution: a separate seed for each packet Can decrypt a packet even if a previous packet was lost But number of possible seeds is not large enough! RC4 seed = 24-bit initialization vector + fixed key Assuming 1500-byte packets at 11 Mbps, 224 possible IVs will be exhausted in about 5 hours Seed reuse is deadly for stream ciphers

8 Recovering Keystream Get access point to encrypt a known plaintext
Send spam, access point will encrypt and forward it Get victim to send an with known content If attacker knows plaintext, it is easy to recover keystream from ciphertext C  M = (MRC4(IV,key))  M = RC4(IV,key) Not a problem if this keystream is not re-used Even if attacker doesn’t know plaintext, he can exploit regularities (plaintexts are not random) For example, IP packet structure is very regular

9 Keystream Will Be Re-Used
In WEP, repeated IV means repeated keystream Busy network will repeat IVs often Many cards reset IV to 0 when re-booted, then increment by 1  expect re-use of low-value IVs If IVs are chosen randomly, expect repetition in O(212) due to birthday paradox (similar to hash collisions) Recover keystream for each IV, store in a table (KnownM  RC4(IV,key))  KnownM = RC4(IV,key) Even if don’t know M, can exploit regularities Wait for IV to repeat, decrypt and enjoy plaintext (M’  RC4(IV,key))  RC4(IV,key) = M’

10 It Gets Worse Misuse of RC4 in WEP is a design flaw with no fix
Longer keys do not help! The problem is re-use of IVs, their size is fixed (24 bits) Attacks are passive and very difficult to detect Perfect target for Fluhrer et al. attack on RC4 Attack requires known IVs of a special form WEP sends IVs in plaintext Generating IVs as counters or random numbers will produce enough “special” IVs in a matter of hours This results in key recovery (not just keystream) Can decrypt even ciphertexts whose IV is unique

11 Do Not Do This [Brian Lee] Ingredients: Laptop (with b card, GPS, Netstumbler, Airsnort, Ethereal) and the car of your choice Drive around, use Netstumbler to map out active wireless networks and (using GPS) their access points If network is encrypted, park the car, start Airsnort, leave it be for a few hours Airsnort will passively listen to encrypted network traffic and, after 5-10 million packets, extract the encryption key Once the encryption key is compromised, connect to the network as if there is no encryption at all Alternative: use Ethereal (or packet sniffer of your choice) to listen to decrypted traffic and analyze Many networks are even less secure

12 Weak Countermeasures Run VPN on top of wireless
Treat wireless as you would an insecure wired network VPNs have their own security and performance issues Compromise of one client may compromise entire network Hide SSID of your access point Still, raw packets will reveal SSID (it is not encrypted!) Have each access point maintain a list of network cards addresses that are allowed to connect to it Infeasible for large networks Attacker can sniff a packet from a legitimate card, then re-code (spoof) his card to use a legitimate address

13 Fixing the Problem Extensible Authentication Protocol (EAP)
Developers can choose their own authentication method Cisco EAP-LEAP (passwords), Microsoft EAP-TLS (public-key certificates), PEAP (passwords OR certificates), etc. 802.11i standard fixes b problems Patch: TKIP. Still RC4, but encrypts IVs and establishes new shared keys for every 10 KBytes transmitted No keystream re-use, prevents exploitation of RC4 weaknesses Use same network card, only upgrade firmware Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs Block cipher (in special mode) instead of stream cipher Requires new network card hardware

14 Hacking Wireless Networks (Part III – WPA)

15 What is WPA? WPA (Wireless Protected Access) or WEP2
■ An interim solution to replace WEP. ■ Aimed to work well with hardware designed for WEP. ■ Still use RC4 for encryption. ■ Several new elements were introduced: - TKIP (Temporal Key Integrity Protocol). - MIC (message integrity code) for preventing forgery. - IV=48 bits for preventing replay attack. - A mixing function for generating per-frame key. 15

16 WPA Structure 802.11 Hdr data TKIP || MIC MIC Function RC4 Encryption
WEP Key Per-Frame Key RC4 Encryption Mixing Function K K’ Integrity Key Hdr IV Data MIC 16 16

17 WPA Structure (in details)

18 WPA - Modes of Operation
Enterprise Mode: Requires an authentication server – RADIUS (Remote Authentication Dial In Service) for authentication and key distribution RADIUS has centralized management of user credentials Pre-shared key (PSK) Mode: Does not require authentication server A “shared secret” is used for authentication to access point vulnerable to dictionary attacks WPA runs in enterprise mode or pre-shared key (PSK) mode. Enterprise mode: Used for corporate users Requires an authentication server Uses RADIUS (Remote Authentication Dial-In User Service) protocols for authentication and key distribution RADIUS has centralized management of user credentials The RADIUS server stores user credentials like usernames and passwords and authenticates wireless users before they gain access to the network. Pre-Shared Key Mode: Used for home and small office/home office (SOHO) users Does not require authentication server A “shared secret” is used for authentication to access point. vulnerable to dictionary attacks 18 18

19 Enterprise Mode Diagram

20 PSK Mode Diagram 20

21 Issues of PSK Mode Needed if no authentication server is in use
“shared secret” – revealed, network security is compromised No standardized way of changing shared secret It increases the attacker’s effort to do decryption of messages The more complex the shared secret is, the better it is as there are less chances of dictionary attacks 21 21

22 Summary: Security Mechanisms in WPA
The table shows WPA’s security mechanisms and its chain of trust. WPA can be expressed as a combination of all these 4 technologies. Strong user – based authentication by using 802.1x standard and Extensible Authentication Protocol (EAP) Robust encryption through 128 – bit encryption keys and use of Temporal Key Integrity Protocol (TKIP) – dynamic generation of encryption keys Message Integrity Check (MIC) prevents an attacker from capturing and altering data packets RADIUS allows access control by allowing only authorized clients onto the network This combination of technologies protects the confidentiality and integrity of WLAN while helping with access control. Also, it increases security and manageability with automatic key distribution, unique master keys for each user and each session, and unique per-packet encryption keys. 22 22

23 802.1X Authentication prevents end users from accessing Enterprise networks
WPA adopts 802.1X standard to authenticate user. This standard provides access control and mutual authentication between the wireless clients and access points via authentication server (RADIUS) Here: Using EAP an end-user contacts a wireless access point and requests to be authenticated The Access point passes the request to the RADIUS server The RADIUS server challenges the end user for a password and the end user responds with a password to the RADIUS Server The RADIUS server authenticates the end user and the access point open a port to accept data from the end user 23 23

24 TKIP – Temporal Key Integrity Protocol
TKIP is responsible for generating the encryption key, encrypting the message and verifying its integrity TKIP ensures: - Encryption key changes with every packet - Encryption key is unique for every client - TKIP encryptions keys are 256 bit long WEP Encryption key = shared secret + IV TKIP packet comprises of: bit temporal key (shared by both clients and AP) - Client Device MAC address - 48 bit IV (Packet sequence number) to prevent known plain text attacks (WEP = 24 bit IV) TKIP is responsible for generating the encryption key, encrypting the message and verifying its integrity. The actual encryption is performed using the same RC4 algorithm which was used in WEP, it adds more enhancements to ensure : Encryption key changes with every packet Encryption key is unique for every client TKIP encryption keys : - 256 bit long - they are generated using below mentioned process WEP generates the encryption key using the shared secret and the IV as an input. whereas TKIP packet is comprised of 3 parts: A 128 bit temporal key that is shared by both the clients and the access points Client Device MAC Address 48-bit IV describes a packet sequence number TKIP increased the size of IV from 24 to 48 bits to prevent known plain text attacks based on duplicate IV’s. All 3 combined together guarantees that different wireless clients use different keys 24 24

25 TKIP for Data Privacy TKIP key mixing function + temporal key = per packet key Temporal keys bit, change frequently, definite life MAC Address + Temporal key + four most significant octets of the packet sequence number are fed into the S-Box to generate intermediate key Results in a unique encryption key Then, mix the intermediate key with two least significant octets of packet sequence number = 128 bit per packet key Each key encrypts only one packet of data and prevents weak key attacks Here, in TKIP it generates a per packet key by TKIP key mixing function, and uses the temporal key. The temporal keys have a definite life and are changed frequently. It is 128 bit shared secret – temporal key. The client device’s MAC address is mixed with the temporal key and the four most significant octets of the packet sequence number. And that is used as an index into an S-box to generate a intermediate key. When you mix up the client device’s MAC address with the temporal key, it results in a unique encryption key. Thus, different wireless client have different keys. In the second phase, a cipher is used to mix the intermediate key with the two least significant octets of the packet sequence number and generates a 128 bit per-packet key. Thus, each key encrypts only one packet of data and prevents weak key attacks. 25 25

26 Message Integrity Check (MIC)
Used to enforce data integrity “Message Integrity Code” (MIC) = 64 bit message calc. using Michael’s algorithm MIC is inserted in the TKIP packet The sender and the receiver each compute MIC and then compare. MIC does not match = data is manipulated Detects potential packet content altercation due to transmission error or purposeful manipulation Uses 64 bit key and partitions the data into 32 bit blocks Various operations: shifts, XOR’s, additions Message Integrity Check is used to enforce data integrity. It is designed to prevent an attacker from capturing data packets, altering them and resending them over the transmission channel. MIC provides strong mathematical function (Michael’s algorithm) - The sender and the receiver each compute MIC and then compare. If MIC do not match then it means that the data is manipulated or forged. MIC preserves both source and destination addresses so the data packets cannot be manipulated and resend to unauthorized destinations. Also, it has a frame counter and this prevents from replay attacks. Michael uses the 64-bit key and partitions the data into 32-bit blocks. Various operations of shifts, XOR’s, and additions and stores the result in two 32-bit registers which is the MIC. 26 26

27 WPA2 A long term solution specified by IEEE 802.11i
Use AES (in a new mode called CCM) for encryption. Counter Mode with CBC-MAC Protocol (CCMP) encryption CCMP = CTR + CBC + MAC ■ Several new elements were introduced: - The base key K=128 bits. - MIC is 64 bits for preventing forgery. - IV=48 bits for preventing replay attack. - Packet sequence number is used to generate IV. Will require or replacement hardware (AP’s and NIC’s) Wi – Fi Protected Access version 2: Uses the Advanced Encryption Standard (AES) Symmetric Key Block 128 bit key Full i support including Counter Mode with CBC-MAC Protocol (CCMP) encryption CCMP = CTR + CBC + MAC CTR = Counter Mode Encryption CBC = Cipher Block Chaining MAC = Message Authentication Code Will require new Hardware (AP’s and NIC’s) Certified Equipments are expected to be due in late 2004 The notes and slides for WPA2 are almost identical to the slide available on this web-site: 27 27

28 WPA2 Encrypted by AES 802.11 Hdr 802.11i Hdr Data MIC FCS
IV Key ID Encrypted by AES Hdr i Hdr Data MIC FCS Authenticated by MIC 28 28

29 Encryption Method Comparison Table

30 Conclusions WEP is not secure anymore !
WPA solves almost all WEP weaknesses WPA still considered secure and provides secure authentication, encryption and access control WPA is not yet broken…! WPA2 is a stronger cipher than WPA and will provide robust security for WLANs 30 30

Download ppt "Hacking Wireless Networks (Part II – WEP & WPA)"

Similar presentations

Ads by Google