An Inductive Chosen Plaintext Attack against WEP/WEP2 - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

An Inductive Chosen Plaintext Attack against WEP/WEP2

Description:

How to Read WEP Encrypted Traffic (1) ... Inductive Chosen Plain Text ... Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address. ... – PowerPoint PPT presentation

Number of Views:197
Avg rating:3.0/5.0
Slides: 19
Provided by: billa164
Category:

less

Transcript and Presenter's Notes

Title: An Inductive Chosen Plaintext Attack against WEP/WEP2


1
An Inductive Chosen Plaintext Attack against
WEP/WEP2
  • William A. Arbaugh
  • University of Maryland, College Park
  • waa_at_cs.umd.edu

2
Talk Outline
  • Introduction
  • WEP/WEP2
  • IP
  • Walker/Berkeley Attacks
  • Attack Overview
  • Attack Details
  • Conclusions

3
WEP/WEP2
  • Encryption Algorithm RC4
  • Per-packet encryption key IV concatenated to a
    pre-shared key
  • WEP 24 bit IV
  • WEP2 128 bit IV
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the
    plaintext data (the ICV)
  • Data and ICV are encrypted under the per-packet
    encryption key

4
How to Read WEP Encrypted Traffic (1)
  • 50 chance of a collision exists already after
    only 4823 packets!!!
  • Pattern recognition can disentangle the XORd
    recovered plaintext.
  • Recovered ICV can tell you when youve
    disentangled plaintext correctly.
  • After only a few hours of observation, you can
    recover all 224 key streams.

5
How to Read WEP Encrypted Traffic (2)
  • Ways to accelerate the process
  • Send spam into the network no pattern
    recognition required!
  • Get the victim to send e-mail to you
  • The AP creates the plaintext for you!
  • Decrypt packets from one Station to another via
    an Access Point
  • If you know the plaintext on one leg of the
    journey, you can recover the key stream
    immediately on the other
  • Etc., etc., etc.

6
Observations
  • Walker/Berkeley attacks require either
  • Depth and post analysis
  • Cooperating agent for known plain text
  • Can we do better?

7
Inductive Chosen Plain Text
  • Base Case Recover an initial pseudo random
    stream of length n from known plain text.
  • Inductive step Extend size of known pseudo
    random to n1 by leveraging the redundant
    information in the CRC.

8
Base Case
  • Find initial pseudo random stream of size n.
  • Identify DHCP Discover messages from externals,
    e.g. size, and broadcast MAC address.
  • Known source (0.0.0.0), destination
    (255.255.255.255), header info
  • Allows the recovery of 24 bytes of pseudo random
    stream Let n 24

9
Inductive Step
  1. Create a datagram of size n-3 representing an ARP
    request, UDP open, ICMP etc.
  2. Compute ICV and append only the first three
    bytes.
  3. XOR with n bytes of pseudo random stream.
  4. Append last byte as the n1 byte

10
Inductive Step
11
Inductive Step
  • 5. Now send datagram and wait for a response.
  • 6. If no response, try another of the 254
    remaining possibilities.
  • 7. If there is a response, then we know
  • The n1 byte was the last byte of the ICV, thus
    we have matching plaintext and ciphertext which
    gives us the n1 byte of the pseudorandom stream.

12
After Response
n-3
3
n1 plaintext byte
byte
?
byte
n1
13
Attack Cost
  • Assume moderately aggressive attacker
  • 100 attacker transmissions per second
  • NOTE ICV failures will not be passed to OS and
    thus the attack is difficult to observe (failed
    ICV counter not withstanding)
  • 1.6 hours to recover 2300 byte MTU regardless of
    IV and key size in worst case
  • 40 minutes in average case

14
WEP Costs
  • 46 hours to build full dictionary of ltIV,
    pseudorandomgt with one attacking host (35GB)
  • But, the attack is embarrassingly parallel.
  • Four attacking hosts 11.5 hours
  • Eight attacking hosts 5.75 hours

15
WEP2 Costs
  • Prohibitive to build entire dictionary in terms
    of space and time, but we dont need to do so.
  • Because, we can still find enough
    ltIV,pseudorandomgt pairs to find and attack a
    vulnerable host on the LAN and recover key
    actively, e.g. blind scans and blind attacks.

16
This Attack Works
  1. Because of the redundant information provided by
    the CRC, and
  2. Because of the lack of a keyed MIC

17
Stopping/Mitigating the Attack
  • Add a keyed MIC (stops attack)
  • Adding a replay window (mitigates attack)
  • Modifying the CRC such that it cant be
  • Easily determined by an attacker
  • Not linear (bit flipping attack)
  • (mitigates attack)

18
Conclusions
  • Fundamental problem is that both WEP and WEP2
    vulnerable to packet forgery.
  • Its easy to dismiss this attack (and the
    Walker/Berkeley attacks) as academic. However,
    its only a matter of time before the attacks are
    implemented/scripted and released What then?
Write a Comment
User Comments (0)
About PowerShow.com