Wireless Encryption - PowerPoint PPT Presentation

Slides: 30
Provided by: Nath160
Transcript and Presenter's Notes

1
Wireless Encryption
2
Disclaimer
  • Sources include:
  • a NIST publication: Wireless Network Security:
    802.11, Bluetooth and Handheld Devices, published
    November 2002, written by Tom Karygiannis and Les
    Owens.
  • Grad students Nathan Blackham, Charles Higby

3
Wireless LANs
  • 802.11 sets the standards in the US.
  • Specifications

4
802.11 Classifications
  • 802.11
  • 1-2 Mbps
  • 2.4 GHz spectrum
  • Uses FHSS (Frequency Hopping Spread Spectrum)
  • 75 frequencies per transmission
  • Max dwell time per frequency 400 ms.
  • Or DSSS (Direct Sequence Spread Spectrum)

5
802.11a
  • 54 Mbps
  • 5 GHz band (short range)
  • OFDM (Orthogonal Frequency Division Multiplexing)
  • Splits signal into smaller sub-signals and
    transmits multiple sub-signals on different
    frequencies.
  • Less interference from other signals
  • 8 simultaneous channels
  • Not approved in Europe (military uses a portion
    of the 5 GHz band)

6
802.11b
  • Also known as High Rate or Wi-Fi
  • 11 Mbps (with TI's DSP chip, 22 Mbps)
  • 2.4 GHz crowded band.
  • Still slower than wired Ethernet
  • Note: Any Wi-Fi (Wireless Fidelity) component
    that is certified by WECA is interoperable with
    any other brand of client hardware (not always
    true)
  • 3 simultaneous channels
  • Uses CCK (Complementary Code Keying)

7
802.11g
  • New technology is coming that will enable 20 - 54
    Mbps over existing 802.11b networks.
  • Still operating in 2.4 GHz band range
  • Backward compatible with 802.11b components at 11
    Mbps
  • 3 Simultaneous channels
  • Uses both encoding techniques from a and b

8
WLAN Security
  • Brief History of WLAN security
  • In 1999 the IEEE 802.11 Working Group
    proposed WEP.
  • WEP Seeks to provide a level of WLAN security
    similar to that of wired LANs.
  • By encrypting data transmissions and
    preventing unauthorized users from connecting.

9
WEP Protection for 802.11b
  • Wired Equivalent Privacy
  • No worse than what you get with wire-based
    systems
  • Criteria
  • Reasonably strong
  • Self-synchronizing: stations often go in and out
    of coverage
  • Computationally efficient in HW or SW, since low
    MIPS CPUs might be used
  • Exportable
  • Optional: not required to use it

10
WEP How It Works
  • Secret key (40 bits or 104 bits)
  • Initialization vector (24 bits, by IEEE std.)
  • Total of 64 or 128 bits of protection.
  • RC4-based pseudo random number generator (PRNG)
  • Integrity Check Value (ICV) CRC 32

11
IS WEP Secure?
  • WEP is not a mandatory component of IEEE
    802.11
  • Most 802.11b products don't have the computing
    power to run WEP encryption without significant
    performance degradation.
  • (This has enticed many users to turn off WEP.)
  • WEP has proven vulnerabilities.

12
Notable Papers that identify and describe WEP
deficiencies.
  • A paper from UC Berkeley revealing WEP weaknesses
    due to key reuse and inadequate message
    authentication.
  • A paper from the University of Maryland
    highlighting weaknesses in 802.11 access control
    mechanisms.
  • A paper by Scott Fluhrer, Itsik Mantin, and Adi
    Shamir identifying weaknesses in the WEP protocol
    due to improper usage of the underlying RC4
    Algorithm.

13
RC4 Algorithm
  • RC4 is a stream cipher symmetric key algorithm.
  • Developed in 1987 by Ronald Rivest
  • On September 9, 1994, the RC4 algorithm was
    anonymously posted on the Internet to the Cypherpunks
    anonymous remailers list.

14
WEP Data Frame
  (Frame layout) IV (4 bytes) | Data (PDU) (≥ 1 byte) | ICV (4 bytes)
  IV field: Init Vector (3 bytes) + 1 byte = Pad (6 bits) | Key ID (2 bits)
  Note: can use up to 4 different keys.
15
WEP Encryption
  (Diagram) Initialization Vector (IV) + Secret Key → Seed → WEP PRNG → Key Sequence
  Plaintext → Integrity Algorithm → Integrity Check Value (ICV)
  Message = Plaintext || ICV; Message XOR Key Sequence → Ciphertext (IV sent along with it)
16
WEP Encryption Process
  • Compute ICV using CRC-32 over the plaintext msg.
  • Concatenate ICV to plaintext message.
  • Choose random IV, concat it to the secret key and
    input it to RC4 to produce the pseudo-random key
    sequence.
  • Encrypt plaintext || ICV by doing bitwise XOR with
    the key sequence to produce ciphertext.
  • Put IV in front of ciphertext.

17
WEP Decryption
  (Diagram) IV (from received frame) + Secret Key → Seed → WEP PRNG → Key Sequence
  Ciphertext XOR Key Sequence → Message = Plaintext || ICV
  Plaintext → Integrity Algorithm → ICV′; compare ICV′ = ICV?
18
WEP Decryption Process
  • IV of message used to generate key sequence, k.
  • Ciphertext XOR k → original plaintext || ICV.
  • Verify by computing integrity check on plaintext
    (ICV′) and comparing to recovered ICV.
  • If ICV′ ≠ ICV then message is in error: send
    error to MAC management and back to sending
    station.
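As an added example (not part of the slides), the encryption process of slide 16 and the decryption process of slide 18 in Python: RC4 is implemented from scratch, the ICV is CRC-32, and the 4-byte IV field carries the key ID in its top two bits as on slide 14. Key, IV and plaintext values are constructed.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 KSA + PRGA: expand the seed (IV || secret key) into a key sequence."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the plaintext, packed little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, plaintext: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """Slide 16: plaintext || ICV, XOR with RC4(IV || key), IV field put in front."""
    assert len(secret_key) in (5, 13), "40- or 104-bit secret key"
    assert len(iv) == 3 and 0 <= key_id <= 3
    message = plaintext + icv(plaintext)
    key_seq = rc4_keystream(iv + secret_key, len(message))
    iv_field = iv + bytes([key_id << 6])          # 3-byte IV, then pad (6 bits) | key ID (2 bits)
    return iv_field + xor_bytes(message, key_seq)


def wep_decrypt(keys: list, frame: bytes):
    """Slide 18: regenerate k from the received IV, XOR, recompute ICV and compare.
    keys: the up-to-4 configured keys, indexed by the key ID in the frame."""
    iv, key_id, body = frame[:3], frame[3] >> 6, frame[4:]
    message = xor_bytes(body, rc4_keystream(iv + keys[key_id], len(body)))
    plaintext, icv_received = message[:-4], message[-4:]
    return plaintext, icv_received == icv(plaintext)   # False means "message in error"
```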

19
WEP Station Authentication
  • Wireless Station (WS) sends Authentication
    Request to Access Point (AP).
  • AP sends (random) challenge text T.
  • WS sends challenge response (encrypted T).
  • AP sends ACK/NACK.

  WS → AP: Auth. Req.
  AP → WS: Challenge Text
  WS → AP: Challenge Response
  AP → WS: Ack
20
WEP Weaknesses
  • Forgery Attack
  • Packet headers are unprotected, can fake src and
    dest addresses.
  • AP will then decrypt data to send to other
    destinations.
  • Can fake CRC-32 by flipping bits.
  • Replay
  • Can eavesdrop and record a session and play it
    back later.
  • Collision (24-bit IV: how/when does it change?)
  • Sequential: roll-over in < ½ day on a busy net
  • Random: after 5000 packets, > 50% chance of reuse.
  • Weak Key
  • If ciphertext and plaintext are known, attacker
    can determine key.
  • Certain RC4 weak keys reveal too many bits. Can
    then determine RC4 base key.
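Added example (not from the slides) that puts numbers on the Collision bullets above: the exact birthday probability of IV reuse for random 24-bit IVs, a seeded simulation of when the first repeat occurs, and the wrap time of a sequential IV; the 48-bit figures are there for comparison with the 802.11i IV discussed later. The packet rate is an assumption.

```python
import random

IV_SPACE_24 = 2 ** 24     # WEP: 24-bit IV
IV_SPACE_48 = 2 ** 48     # TKIP/CCMP: 48-bit IV
HALF_DAY_SECONDS = 12 * 3600


def reuse_probability(packets: int, iv_space: int = IV_SPACE_24) -> float:
    """Exact birthday-bound probability that at least two of `packets`
    uniformly random IVs are equal (1 - product of 'no collision yet' terms)."""
    p_no_collision = 1.0
    for k in range(packets):
        p_no_collision *= (iv_space - k) / iv_space
    return 1.0 - p_no_collision


def simulate_first_reuse(iv_space: int = IV_SPACE_24, trials: int = 200, seed: int = 1) -> float:
    """Average number of packets sent before the first IV repeat when a station
    picks IVs at random (seeded so the result is reproducible)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        count = 0
        while True:
            count += 1
            iv = rng.randrange(iv_space)
            if iv in seen:
                break
            seen.add(iv)
        total += count
    return total / trials


def sequential_rollover_seconds(packets_per_second: float, iv_bits: int = 24) -> float:
    """Time until a strictly incrementing IV wraps: 2^bits packets at the given rate
    (packets_per_second is an assumed load, e.g. 500 pps for a busy AP)."""
    return 2 ** iv_bits / packets_per_second
```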

21
Weakness
  • The RC4 algorithm is vulnerable to analytic
    attacks on the state table.
  • One in every 256 keys can be a weak key. These
    keys are identified by cryptanalysis that is
    able to find circumstances under which one or
    more generated bytes are strongly correlated with
    a few bytes of the key.
  • WEAK KEYS: These are keys identified by
    cryptanalysis that is able to find
    circumstances under which one or more generated
    bytes are strongly correlated with a small subset
    of the key bytes. These keys can occur in one
    of every 256 keys generated.

22
WEP Weakness
  • Key Management
  • 4 possible keys, externally populated
  • 802.11 standard does not specify distribution
    mechanism (backbone network)
  • Can be unique key for each WS or single key for
    entire network (commonly used)
  • Single key increases chances of IV reuse

23
IEEE 802.11i
  • Was formed to establish a comprehensive solution
    for WLAN security.
  • Group has nearly completed a standard called
    Robust Security Network (RSN).

24
Includes two parts
  • Advanced Encryption Standard (AES) for encrypting
    WLAN traffic
  • IEEE 802.1x a port-based network authentication
    standard for WLAN user authentication and key
    management.
  • Also finished a series of fixes for WEP.
  • Fixes include Temporal Key Integrity Protocol
    (TKIP)

25
802.11i
  • Improved encryption Algorithms
  • Temporal Key Integrity Protocol (TKIP) for
    legacy hardware
  • Generates per-packet keys
  • 48 bit IV prevents replay attacks
  • Counter mode CBC-MAC Protocol (CCMP) for new
    hardware
  • Not for legacy hardware: insufficient CPU power to
    run AES encryption
  • 802.1x port based network access control
  • Authentication
  • Encryption key distribution

26
802.1X
From Meetinghouse Data Communications,
http://www.mtghouse.com/8021X.pdf
27
802.11i >> WEP
  • Forgery
  • Stronger Message Integrity Code
  • Cryptographically secure hash
  • Apply hash to packet payload plus src and dest
    addresses
  • Replay
  • 48 bit IV, strictly increasing sequence, cannot
    roll-over (must rekey), receiver discards
    out-of-sequence packets
  • Weak Keys of WEP
  • Per-packet key computed using transmitter
    address, IV, base key
  • Collision
  • 48 bit IV, force a rekey after 2^15 packets
  • Use 802.1X EAPOL (Extensible Authentication
    Protocol Over LAN) to configure a new key for
    every association

28
Tools
  • Linux
  • Airsnort: used for cracking WEP and scanning
    APs
  • Kismet: used to pick up APs whether they broadcast
    SSID or not, and to view some settings and
    clients
  • WEPcrack: Perl scripts to crack WEP from a
    TCPdump
  • FakeAP: generates fake APs, used to hide a real
    one
  • BSD
  • Airtools suite of multiple tools

29
Tools
  • Windows
  • Netstumbler: auditing tool, finds APs
  • AeroPeek: packet analyzer
  • Sniffer Wireless: monitoring, capturing,
    decoding, filtering, etc.
  • Many others
  • Which do you know?