Intercepting mobiles communications the insecurity of 802 11
This presentation is the property of its rightful owner.
Sponsored Links
1 / 41

Intercepting Mobiles Communications: The Insecurity of 802.11 PowerPoint PPT Presentation


  • 92 Views
  • Uploaded on
  • Presentation posted in: General

Intercepting Mobiles Communications: The Insecurity of 802.11. Danny Bickson ACNS Course, IDC Spring 2007. Resources. Borisov, Goldberg, Wagner. Intercepting mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking.

Download Presentation

Intercepting Mobiles Communications: The Insecurity of 802.11

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Intercepting mobiles communications the insecurity of 802 11

Intercepting Mobiles Communications: The Insecurity of 802.11

Danny Bickson

ACNS Course, IDC

Spring 2007


Resources

Resources

  • Borisov, Goldberg, Wagner. Intercepting mobile communications:the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking.

    http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf

  • Guillaume Lehembre

    Wifi Security: WEP, WPA and WPA2

    http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf


Wep protocol

WEP Protocol

  • WEP – Wired Equivalent Privacy

  • Wireless standard 802.11

  • Link layer

  • Protocol goals:

    • Confidentiality: prevent eavesdropping

    • Access control: prevent unauthorized access

    • Data integrity: prevent tampering of messages

  • We show that none of the security goals are attained


Network model

Network Model

Internet


Wep algorithm encryption

WEP Algorithm Encryption

Message

CRC(M)

RC4(k,IV)

IV

Cipher


Wep algorithm decryption

WEP AlgorithmDecryption

IV

Cipher

RC4(k,IV)

Message

CRC(M)


Confidentiality

Confidentiality


Stream cipher properties

Stream cipher properties

  • Given two ciphers C1,C2–

    C1V C2 = P1V P2.

  • Keystream reuse can lead to a number of attacks:

    • If plaintext of one message is known, the other is immediately obtainable.

    • In the general case, known techniques for breaking reused keystreams.

    • As the number of reused keystream increases breaking them becomes easier.

  • Two conditions required for this class of attcks to succeed:

    • Availability of ciphertexts where keystream is used more than once.

    • Partial knowledge of some of the plain texts.


Finding instances of keystream reuse

Finding instances of keystream reuse

  • Shared key k changes rarely.

  • Reuse of IV causes reuse of keystream.

  • IV are public.


Iv usage

IV Usage

  • Standard recommends (but not requires) change of IV.

  • Common PCMCIA cards sets IV to zero and increment it by 1 for each packet.

  • IV size is only 24 bits.

  • Busy access point of 5Mbps will exhaust available space in 11 hours.

  • Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision


Exploiting keystream reuse

Exploiting keystream reuse

  • Many fields of IP traffic are predictable.

  • For example: login sequences.

  • Active attack (known plaintext)


Decryption dictionaries

Decryption dictionaries

  • Once plaintext of encrypted message is obtained, keystream value stored in dictionary.

  • Full table requires 24GB

  • Size of dictionary does not depend of size of key


Key management

Key management


Message authentication

Message Authentication

  • Message modification

  • Message injection


Message modification

Message Modification

  • Checksum used is CRC-32 which is a linear function of the message:

  • In other words, checksum distributes over the XOR operation.

    C(x V y) = C(x) V C(y)

  • RC4 stream cipher also linear.


The attack

The attack

Given C we would like to create C’ s.t. C’ decrypts to M’ instead of M.

Cipher

D

CRC(D)

=

RC4(k,IV)

D

CRC(D)

Message

CRC(M)

=

D

CRC(D)

RC4(k,IV)

Message

CRC(M)

=

RC4(k,IV)

M’

CRC(M’)


Message injection

Message Injection

  • WEP checksum is an unkeyed function of the message.

  • After knowing one keystream we can use it forever.

    C’ = <M’, CRC(M’)> V RC4(IV,k)


Other attacks

Other attacks

  • IP redirection.

    Assumption: Destination address is known.


Ip redirection cont

IP redirection (cont.)

  • Need to calculate IP checksum

  • Several options

    • IP checksum for original packet is known

    • Original IP checksum is not known

    • Compensate by changing another IP field


Reaction attack

Reaction Attack

  • Works only for TCP protocol

  • Pick i at random, let D be all zeros, except for positions i and i+16.

    Calc C’ = C VD.

    Two options:

    1. Got an acknowledgment, PiV Pi+16 = 1

    2. Else PiV Pi+16 = 0

  • Each test reveals 1 bit of information


Example attacks

Example attacks


Arp request

ARP Request


Conclusion

Conclusion

  • Design of security protocols is difficult (more than the design of network protocols)

  • Combining several secure algorithms does not mean that the result is secure

  • Engineering perspective dictated selection of cryptographic algorithms


Fixing wep wpa wi fi protected access and 802 11i

Fixing WEPWPA – Wi-Fi Protected Accessand 802.11i


Intercepting mobiles communications the insecurity of 802 11

WPA

  • WPA – Wi-Fi Protected Access

    • Draft security enhancements for 802.11

    • A subset of the 802.11i proposed standard

    • Proposed by IEEE 802.11 TGi (Task Group i)

  • Design goals

    • Preserve packet format

    • Work with deployed 802.11 hardware in AP and NICs

  • Composed of two components

    • Authentication and master key generation– 802.1X

    • TKIP (Temporal Key Integrity Protocol) - Temporal key generation, Confidentiality and Integrity


802 11i

802.11i

  • A proposed standard

  • Defines authentication, key management, confidentiality, integrity and encapsulations for 802.11

  • Includes

    • WEP (current implemented)

      • Encryption: RC4; Integrity: CRC-32

    • TKIP (temporary solution)

      • Encryption: RC4; Integrity: Michael

    • WRAP (Wireless Robust Authenticated Protocol)

      • Encryption: AES; Integrity: HMAC-MD5


Tkip temporal key integrity protocol

TKIP – Temporal Key Integrity Protocol


Tkip components

TKIP Components

  • TKIP is a wrapper around WEP

  • A cryptographic MIC (Message Integrity Code)

  • A per-packet sequence number

  • A per-packet key mixing function

  • A rekeying mechanism (802.1X)


Tkip mic

TKIP MIC

  • MICHAEL the MIC function is designed for very low bandwidth CPU (the ones that are used by the Access Point)

  • Key length – 64 bits

  • The MIC is computed over the source address, the destination address and the data

    • Protects against packet modification (e.g. bit flipping)

    • Protects against header forgery


Wep with enabled mic

WEP with Enabled MIC

=MAC

=CRC


Tkip sequence counter

TKIP Sequence Counter

  • The station and the Access Point maintain a TKIP sequence counter

  • The transmitter increments the TKIP sequence counter each time it sends a packet

  • The counters are reset when new temporal keys are established

  • The sequence counter is mixed with the temporal key and the transmitter MAC address to create a RC4 seed key

  • On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage

  • Protects against replay attack


Tkip keys

TKIP Keys

  • TKIP is using temporal keys

  • The station and the Access Point periodically exchange temporal keys

  • Four keys

    • One Integrity (MIC) and one Encryption key per direction


Tkip encapsulation

TKIP ENCAPSULATION


Tkip encapsulation1

TKIP Encapsulation

  • Calculate the 64 bits MIC with the MIC temporal key, over the source and destination addresses. The MIC is inserted into the message data

  • The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key

  • The first three bytes of the key are stored in the IV field

  • The remaining 13 bytes are stored in a free WEP key buffer

  • The packet is sent to WEP processing


Tkip decapsulation

TKIP DECAPSULATION


Tkip decapsulation1

TKIP Decapsulation

  • The IV and the temporal key are concatenated, to create the RC4 seed key

  • The key is de-mixed – to create the TKIP sequence counter. The counter is checked to be in sequence

  • The key, the IV and the data are sent for WEP decapsulation

  • After RC4 decryption, the MIC, with the temporal MIC key, is computed over the source and destination addressed and the decrypted packet , and is compared to the MIC field in the packet


Tkip notes

TKIP Notes

  • The TKIP temporal key must be exchanged every less then 216 packets, since the key mixing can produce 216 different IVs

  • The MIC and key mixing algorithms are cryptographically weak

    • But, all the WEP known problems are solved

    • TKIP is a temporary solution – until NICs and APs with new hardware arrives to the market

  • The 802.11i uses AES encryption


  • Login