Title: 802.11 Security
1802.11 Security Wired Equivalent Privacy
(WEP)
2Agenda for the presentation
- Introduction
- 802.11 Wireless LAN brief description
- Goals of WEP
- Confidentiality in WEP
- Data Integrity in WEP
- Access Control in WLANs
- Security loopholes and attacks on WEP
- Lessons to be learnt
3Introduction
- History of wireless technology
- Inception of wireless networking took place at
the University of Hawaii in 1971. It was called
ALOHAnet. - Star topology with 7 computers
- Spanned 4 Hawaiian islands with the central
system in Oahu - In 1997, worlds first WLAN standard 802.11 was
approved by IEEE - Wired Equivalent Privacy security standard
proposed by 802.11 - Has many loopholes and has been completely broken
4802.11 Wireless LAN brief description
Distribution system
Access Points
Wireless Medium
Mobile stations
Mobile stations
- Stations
- Wireless medium
- Access Points
- Distribution System
- Basic Service Set (BSS)
- Extended Service set (ESS)
5802.11 Wireless LAN brief description
(contd)Network services
- Distribution System services
- Association
- Disassociation
- Reassociation
- Station services
- Authentication
- Deauthentication
- Privacy
Inside the network
Outside the network
Successful Association/ Reassociation
Successful Authentication
Disassociation
Deathentication
Authenticated and Associated
Unauthenticated and Unassociated
Authenticated and Unassociated
6Goals of WEP
- Confidentiality
- Uses stream cipher RC4 for encryption
- Data Integrity
- Uses cyclic redundancy check
- Access control
- Shared key authentication
7Confidentiality in WEP
- One-time pad vs Stream ciphers
- Perfect randomness is compromised for
practicality - RC4 algorithm used for encryption of data frames
Plaintext
Ciphertext
KEY
Keystream
IV
8Confidentiality in WEP (contd)WEP keys and
Initialization vector (IV)
- Shared secret key
- Shared among all users
- Changed infrequently
- Original standard 40 bit key. Later
implementations used 104 bit key - WEP uses set of up to 4 keys
- Key distribution problems
- Initialization vector
- 24 bits
- Prepended with the secret key
- Need to be random to prevent key reuse or IV
collision - IV sent in clear
9Data Integrity in WEP
- Computes Integrity Check Value (ICV)
- ICV is appended with data frame and encrypted
- CRC-32 algorithm used
- Efficient in capturing data tampering
- Cryptographically insecure
10Confidentiality and data integrity in WEP
40 or 104 bit key
CRC-32
Plaintext
RC4
IV
Plaintext ICV
Keystream
Plaintext ICV
Plaintext ICV
IV
Frame Header
4 bytes
3 bytes
pad
Key index
11Access Control in WLANs
- Open System Authentication
- Shared key authentication
Request for access
Challenge text, R
Encrypt R using WEP
Mobile station
Access Point
12Security loopholes and attacks on WEPAttacks on
shared key authentication
Request for access
Challenge text, R1
Encrypt R1 using WEP (C1)
Good guy
Access Point
Request for access
Challenge text, R2
Encrypt R2 using WEP (C2 Keystream R2)
Bad guy
Access Point
13Security loopholes and attacks on WEP -
(contd)Attacks due to keystream reuse
Plaintext
Plaintext
Ciphertext
Keystream
Ciphertext
Plaintext
Plaintext
- Improper IV management
- IV-space is small
- Implementation dependent
- Sent in clear
- Recovery of plaintexts
- Decryption dictionary attacks
- Independent of keysize
14Security loopholes and attacks on WEP -
(contd)Attacks due to CRC
?
Plaintext
Plaintext
?c
ICV
ICV
Plaintext ICV
?
?c
Plaintext ICV
- CRC is good for message authentication, but bad
for security - Both CRC checksum and RC4 are linear and can be
easily manipulated - CRC is unkeyed
- Attacker can inject messages into the system
15Security loopholes and attacks on WEP -
(contd)Attacks exploiting the Access Points
Mobile station
Access Point
Attacker
Change destination address
16Security loopholes and attacks on WEP -
(contd)Attacks exploiting the Access Points
TCP ACK
Message with flipped bits
Mobile station
Access Point
Intercepted ciphertext with flipped bits
TCP ACK
- Access points can be used to monitor TCP/IP
traffic - Recipient send an ACK only if TCP checksum is
correct - TCP checksum remains unaltered if Pi ex-OR Pi16
is 1.
Attacker
Modify any Pi and Pi16
17Security loopholes and attacks on WEP -
(contd)Attacks on RC4 used by WEP
- Research by Scott Fluhrer, Itsik Mantin and Adi
Shamir - First byte of plaintext has to be known. For WEP
implementations, it is 0xAA - Set of weak keys that correspondingly reveal some
part of the secret key - Format of weak IVs
- First byte (B) can range from 0x03 to 0x07
- Second byte has to be 0xFF
- Third byte (N) can be any known value between 0
255. - Probability to find a byte of secret key for 60
different values of N is non-negligible - Several successful experiments based on this
attack - Popular key-recovery programs like Airsnort use
this analysis
18Lessons learnt from the failure of WEP
- Key shared by all users of the system
- Key is changed infrequently
- No Perfect forward secrecy
- Manual key management
- Key reuse due to non-random IVs
- Random IVs are not insisted upon
- Short IVs
- No protection for replay attacks
- Use of unkeyed CRC instead of SHA1-HMAC
- Encryption cipher used was weak
- WEP was not publicly reviewed before it became a
standard - WEP is insecure!!
19References
- The Institute of Electrical and Electronics
Engineers (IEEE) website - http//www.ieee.org
- 802.11Wireless Networks- The Definitive Guide
- By Matthew S. Gast, OREILLY Publications.
- History of wireless
- http//www.ac.aup.fr/a38972/final_projectIT338/hi
story.html - Intercepting Mobile Communications The
Insecurity of 802.11 - By Nikita Borisov, Ian Goldberg, and David
Wagner - http//www.isaac.cs.berkeley.edu/isaac/wep-faq.ht
ml - Weaknesses in the Key Scheduling Algorithm of RC4
- By Scott Fluhrer, Itsik Mantin and Adi Shamir
- http//www.crypto.com/papers/others/rc4_ksaproc.p
df