Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
Wireless Networking • ALOHAnet • 1997: IEEE 802.11 (IR) • 1999: IEEE 802.11b (11Mbps) • 2003: IEEE 802.11g (54Mbps) • 2007: IEEE 802.11n (540Mbps)
The need for security • Why do we need the WEP-Protocol? • Wi-Fi networks use radio transmissions • prone to eavesdropping • Mechanism to prevent outsiders from • accessing network data & traffic • using network resources
IEEE reactions • 1999: Wired Equivalent Privacy (WEP) • 2003: WiFi Protected Access (WPA)
WEP – the basic idea • WEP = Wired Equivalent Privacy • As secure as a wired network • Part of the IEEE 802.11 standard
WEP – how it works • Encrypt all network packets using • a stream-cipher (RC4) for confidentiality • a checksum (CRC) for integrity
WEP – different flavors • Originally (1999) 64 bit: • Legal limits • 24 bit Initialization Vector (IV) • 40 bit key • 128 bit: • 104 bit (26 Hex-Characters) key • 256 bit: • 232 bit key • Available, but not common
Small steps? Evolution of WEP to WEP128 to WEP256: • Initialization Vector remains at 24 bit • Encryption key size increases
The major flaw • A Stream-Cipher should never use the same key twice
The Stream-Cipher-Breakdown • E(A) = A xor C [C is the keystream produced by the key] • E(B) = B xor C • Compute E(A) xor E(B) • xor is commutative, hence: E(A) xor E(B) = A xor C xor B xor C = A xor B xor C xor C = A xor B
The major flaw • A Stream-Cipher should never use the same key twice... • ...or else we know A xor B, which is relatively easy to break • if both messages are in a natural language, or • if we know one of the messages.
The WEP-repetition • For a 24 bit Initialization Vector, there is a 50% chance of repetition after 5000 packets...
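The two slides above, worked through as an added example (not part of the original slides): a WEP-style packet body is RC4(IV || key) xor (plaintext || CRC-32), so two packets sent under the same IV leak A xor B, and a known A reveals B without the key. The key, IV and packet contents are constructed sample values, and the collision estimate assumes IVs are chosen at random.

```python
import math
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body: RC4(IV || key) xor (plaintext || CRC-32 of plaintext)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(data, rc4(iv + key, len(data)))

def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `packets` random IVs match."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * 2 ** iv_bits))

# Constructed sample values (not from the slides)
KEY = bytes.fromhex("0102030405")             # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")                  # the same 24-bit IV used twice
A = b"\xaa\xaa\x03\x00\x00\x00\x08\x00 first packet"
B = b"\xaa\xaa\x03\x00\x00\x00\x08\x00 other packet"

def demo():
    ea, eb = wep_encrypt(IV, KEY, A), wep_encrypt(IV, KEY, B)
    a_xor_b = xor(ea, eb)[:len(A)]            # keystream C cancels out
    recovered_b = xor(a_xor_b, A)             # knowing A reveals B, no key needed
    return a_xor_b == xor(A, B), recovered_b

if __name__ == "__main__":
    print(demo())
    print(round(iv_collision_probability(5000), 2))
```

Lengthening the key (WEP128, WEP256) leaves `iv_collision_probability` unchanged, because only `iv_bits` enters the bound.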
The Theory • Fluhrer, Mantin, and Shamir wrote a paper on the WEP weakness in the RC4 implementation... • Cornell University • “Weaknesses in the Key Scheduling Algorithm of RC4”
Feasibility of attack • Practical • Cheap • Easy • Fast • WEP Users: time to panic!
How to do it... • Stubblefield, Ioannidis, and Rubin wrote a paper about the implementation in 2001 • Rice University & AT&T • “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP” • Only six pages!
How to do it... • Collect packets (about 6m for WEP128) • Only observe the first byte • Depends on only 3 values (S[1], S[S[1]], S[S[1]+S[S[1]]]) • May be known plaintext (“0xAA”) • Try guessing the key, byte by byte • chance of 1/20 per byte
How WE do it... • Aircrack-ng • Available freely for Linux, Windows and certain PDAs • Only requires about 1m packets for WEP128
Outlook for WEP • WEP2 • Enlarged IV • enforced 128-bit encryption • WEP+ • Only use strong IVs • has to be used on both ends ...a dead end...
Outlook for WEP • WEP2 • No change in concept, just more packets needed • WEP+ • How does one enforce the client side? ...a dead end...
Alternatives • WPA, WPA2, 802.1X • 48 bit IV, mutate key after certain time • Depend on an authentication server • IPsec, VPN • Tunneling and secure wrapping of packets
Summary: WEP • WEP is not secure! • Faulty implementation of RC4 • Developing an attack was easy • A successful attack only needs: • Off-the-shelf hardware (Laptop, Prism2) • Free software • A very short time (a few days at most)