Intercepting mobiles communications the insecurity of 802 11
1 / 41

Intercepting Mobiles Communications: The Insecurity of 802.11 - PowerPoint PPT Presentation

  • Uploaded on

Intercepting Mobiles Communications: The Insecurity of 802.11. Danny Bickson ACNS Course, IDC Spring 2007. Resources. Borisov, Goldberg, Wagner. Intercepting mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Intercepting Mobiles Communications: The Insecurity of 802.11' - august-lester

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Intercepting mobiles communications the insecurity of 802 11
Intercepting Mobiles Communications: The Insecurity of 802.11

Danny Bickson

ACNS Course, IDC

Spring 2007


  • Borisov, Goldberg, Wagner. Intercepting mobile communications:the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking.

  • Guillaume Lehembre

    Wifi Security: WEP, WPA and WPA2

Wep protocol
WEP Protocol

  • WEP – Wired Equivalent Privacy

  • Wireless standard 802.11

  • Link layer

  • Protocol goals:

    • Confidentiality: prevent eavesdropping

    • Access control: prevent unauthorized access

    • Data integrity: prevent tampering of messages

  • We show that none of the security goals are attained

Network model
Network Model


Wep algorithm encryption
WEP Algorithm Encryption






Wep algorithm decryption
WEP AlgorithmDecryption






Stream cipher properties
Stream cipher properties

  • Given two ciphers C1,C2–

    C1V C2 = P1V P2.

  • Keystream reuse can lead to a number of attacks:

    • If plaintext of one message is known, the other is immediately obtainable.

    • In the general case, known techniques for breaking reused keystreams.

    • As the number of reused keystream increases breaking them becomes easier.

  • Two conditions required for this class of attcks to succeed:

    • Availability of ciphertexts where keystream is used more than once.

    • Partial knowledge of some of the plain texts.

Finding instances of keystream reuse
Finding instances of keystream reuse

  • Shared key k changes rarely.

  • Reuse of IV causes reuse of keystream.

  • IV are public.

Iv usage
IV Usage

  • Standard recommends (but not requires) change of IV.

  • Common PCMCIA cards sets IV to zero and increment it by 1 for each packet.

  • IV size is only 24 bits.

  • Busy access point of 5Mbps will exhaust available space in 11 hours.

  • Birthday paradox: on random IV selection 5000 packets are needed w.h.p. to find a collision

Exploiting keystream reuse
Exploiting keystream reuse

  • Many fields of IP traffic are predictable.

  • For example: login sequences.

  • Active attack (known plaintext)

Decryption dictionaries
Decryption dictionaries

  • Once plaintext of encrypted message is obtained, keystream value stored in dictionary.

  • Full table requires 24GB

  • Size of dictionary does not depend of size of key

Message authentication
Message Authentication

  • Message modification

  • Message injection

Message modification
Message Modification

  • Checksum used is CRC-32 which is a linear function of the message:

  • In other words, checksum distributes over the XOR operation.

    C(x V y) = C(x) V C(y)

  • RC4 stream cipher also linear.

The attack
The attack

Given C we would like to create C’ s.t. C’ decrypts to M’ instead of M.




















Message injection
Message Injection

  • WEP checksum is an unkeyed function of the message.

  • After knowing one keystream we can use it forever.

    C’ = <M’, CRC(M’)> V RC4(IV,k)

Other attacks
Other attacks

  • IP redirection.

    Assumption: Destination address is known.

Ip redirection cont
IP redirection (cont.)

  • Need to calculate IP checksum

  • Several options

    • IP checksum for original packet is known

    • Original IP checksum is not known

    • Compensate by changing another IP field

Reaction attack
Reaction Attack

  • Works only for TCP protocol

  • Pick i at random, let D be all zeros, except for positions i and i+16.

    Calc C’ = C VD.

    Two options:

    1. Got an acknowledgment, PiV Pi+16 = 1

    2. Else PiV Pi+16 = 0

  • Each test reveals 1 bit of information


  • Design of security protocols is difficult (more than the design of network protocols)

  • Combining several secure algorithms does not mean that the result is secure

  • Engineering perspective dictated selection of cryptographic algorithms

Fixing wep wpa wi fi protected access and 802 11i

Fixing WEPWPA – Wi-Fi Protected Accessand 802.11i


  • WPA – Wi-Fi Protected Access

    • Draft security enhancements for 802.11

    • A subset of the 802.11i proposed standard

    • Proposed by IEEE 802.11 TGi (Task Group i)

  • Design goals

    • Preserve packet format

    • Work with deployed 802.11 hardware in AP and NICs

  • Composed of two components

    • Authentication and master key generation– 802.1X

    • TKIP (Temporal Key Integrity Protocol) - Temporal key generation, Confidentiality and Integrity

802 11i

  • A proposed standard

  • Defines authentication, key management, confidentiality, integrity and encapsulations for 802.11

  • Includes

    • WEP (current implemented)

      • Encryption: RC4; Integrity: CRC-32

    • TKIP (temporary solution)

      • Encryption: RC4; Integrity: Michael

    • WRAP (Wireless Robust Authenticated Protocol)

      • Encryption: AES; Integrity: HMAC-MD5

Tkip temporal key integrity protocol

TKIP – Temporal Key Integrity Protocol

Tkip components
TKIP Components

  • TKIP is a wrapper around WEP

  • A cryptographic MIC (Message Integrity Code)

  • A per-packet sequence number

  • A per-packet key mixing function

  • A rekeying mechanism (802.1X)

Tkip mic

  • MICHAEL the MIC function is designed for very low bandwidth CPU (the ones that are used by the Access Point)

  • Key length – 64 bits

  • The MIC is computed over the source address, the destination address and the data

    • Protects against packet modification (e.g. bit flipping)

    • Protects against header forgery

Tkip sequence counter
TKIP Sequence Counter

  • The station and the Access Point maintain a TKIP sequence counter

  • The transmitter increments the TKIP sequence counter each time it sends a packet

  • The counters are reset when new temporal keys are established

  • The sequence counter is mixed with the temporal key and the transmitter MAC address to create a RC4 seed key

  • On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage

  • Protects against replay attack

Tkip keys

  • TKIP is using temporal keys

  • The station and the Access Point periodically exchange temporal keys

  • Four keys

    • One Integrity (MIC) and one Encryption key per direction

Tkip encapsulation1
TKIP Encapsulation

  • Calculate the 64 bits MIC with the MIC temporal key, over the source and destination addresses. The MIC is inserted into the message data

  • The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key

  • The first three bytes of the key are stored in the IV field

  • The remaining 13 bytes are stored in a free WEP key buffer

  • The packet is sent to WEP processing

Tkip decapsulation1
TKIP Decapsulation

  • The IV and the temporal key are concatenated, to create the RC4 seed key

  • The key is de-mixed – to create the TKIP sequence counter. The counter is checked to be in sequence

  • The key, the IV and the data are sent for WEP decapsulation

  • After RC4 decryption, the MIC, with the temporal MIC key, is computed over the source and destination addressed and the decrypted packet , and is compared to the MIC field in the packet

Tkip notes
TKIP Notes

  • The TKIP temporal key must be exchanged every less then 216 packets, since the key mixing can produce 216 different IVs

  • The MIC and key mixing algorithms are cryptographically weak

    • But, all the WEP known problems are solved

    • TKIP is a temporary solution – until NICs and APs with new hardware arrives to the market

  • The 802.11i uses AES encryption