1 / 19

802.11 Security – Wired Equivalent Privacy (WEP)

802.11 Security – Wired Equivalent Privacy (WEP). By Shruthi B Krishnan. Agenda for the presentation. Introduction 802.11 Wireless LAN – brief description Goals of WEP Confidentiality in WEP Data Integrity in WEP Access Control in WLANs Security loopholes and attacks on WEP

sidonia
Download Presentation

802.11 Security – Wired Equivalent Privacy (WEP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 802.11 Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan

  2. Agenda for the presentation • Introduction • 802.11 Wireless LAN – brief description • Goals of WEP • Confidentiality in WEP • Data Integrity in WEP • Access Control in WLANs • Security loopholes and attacks on WEP • Lessons to be learnt

  3. Introduction • History of wireless technology • Inception of wireless networking took place at the University of Hawaii in 1971. It was called ALOHAnet. • Star topology with 7 computers • Spanned 4 Hawaiian islands with the central system in Oahu • In 1997, world’s first WLAN standard– 802.11– was approved by IEEE • Wired Equivalent Privacy – security standard proposed by 802.11 • Has many loopholes and has been completely broken

  4. 802.11 Wireless LAN – brief description Distribution system • Stations • Wireless medium • Access Points • Distribution System • Basic Service Set (BSS) • Extended Service set (ESS) Access Points Wireless Medium Mobile stations Mobile stations

  5. 802.11 Wireless LAN – brief description (cont’d)Network services • Distribution System services • Association • Disassociation • Reassociation • Station services • Authentication • Deauthentication • Privacy Inside the network Outside the network Successful Association/ Reassociation Successful Authentication Disassociation Deathentication Authenticated and Associated Unauthenticated and Unassociated Authenticated and Unassociated

  6. Goals of WEP • Confidentiality • Uses stream cipher RC4 for encryption • Data Integrity • Uses cyclic redundancy check • Access control • Shared key authentication

  7. Confidentiality in WEP • One-time pad vs Stream ciphers • Perfect randomness is compromised for practicality • RC4 algorithm used for encryption of data frames Plaintext Ciphertext + KEY Keystream IV

  8. Confidentiality in WEP – (cont’d)WEP keys and Initialization vector (IV) • Shared secret key • Shared among all users • Changed infrequently • Original standard – 40 bit key. Later implementations used 104 bit key • WEP uses set of up to 4 keys • Key distribution problems • Initialization vector • 24 bits • Prepended with the secret key • Need to be random to prevent key reuse or IV collision • IV sent in clear

  9. Data Integrity in WEP • Computes Integrity Check Value (ICV) • ICV is appended with data frame and encrypted • CRC-32 algorithm used • Efficient in capturing data tampering • Cryptographically insecure

  10. Confidentiality and data integrity in WEP 40 or 104 bit key CRC-32 Plaintext RC4 IV Plaintext ICV Keystream + Plaintext ICV Frame Header IV Plaintext ICV 3 bytes pad Key index 4 bytes

  11. Access Control in WLANs • Open System Authentication • Shared key authentication Request for access Challenge text, R Encrypt R using WEP Mobile station Access Point

  12. Security loopholes and attacks on WEPAttacks on shared key authentication Request for access Challenge text, R1 Encrypt R1 using WEP (C1) Good guy Access Point Keystream = R1 C1 + Request for access Challenge text, R2 Encrypt R2 using WEP (C2 = Keystream R2) + Bad guy Access Point

  13. Security loopholes and attacks on WEP - (cont’d)Attacks due to keystream reuse Plaintext Plaintext Ciphertext + • Improper IV management • IV-space is small • Implementation dependent • Sent in clear • Recovery of plaintexts • Decryption dictionary attacks • Independent of keysize + + Keystream + Ciphertext Plaintext Plaintext

  14. Security loopholes and attacks on WEP - (cont’d)Attacks due to CRC Δ = Plaintext + Plaintext • CRC is good for message authentication, but bad for security • Both CRC checksum and RC4 are linear and can be easily manipulated • CRC is unkeyed • Attacker can inject messages into the system Δc = ICV + ICV Plaintext ICV Δ Δc + + Plaintext ICV

  15. Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access Points Mobile station Access Point Attacker Change destination address

  16. Security loopholes and attacks on WEP - (cont’d)Attacks exploiting the Access Points TCP ACK Message with flipped bits Mobile station Access Point Intercepted ciphertext with flipped bits TCP ACK • Access points can be used to monitor TCP/IP traffic • Recipient send an ACK only if TCP checksum is correct • TCP checksum remains unaltered if Pi ex-OR Pi+16 is 1. Attacker Modify any Pi and Pi+16

  17. Security loopholes and attacks on WEP - (cont’d)Attacks on RC4 used by WEP • Research by Scott Fluhrer, Itsik Mantin and Adi Shamir • First byte of plaintext has to be known. For WEP implementations, it is 0xAA • Set of weak keys that correspondingly reveal some part of the secret key • Format of weak IVs • First byte (B) can range from 0x03 to 0x07 • Second byte has to be 0xFF • Third byte (N) can be any known value between 0 & 255. • Probability to find a byte of secret key for 60 different values of N is non-negligible • Several successful experiments based on this attack • Popular key-recovery programs like Airsnort use this analysis

  18. Lessons learnt from the failure of WEP • Key shared by all users of the system • Key is changed infrequently • No Perfect forward secrecy • Manual key management • Key reuse due to non-random IVs • Random IVs are not insisted upon • Short IVs • No protection for replay attacks • Use of unkeyed CRC instead of SHA1-HMAC • Encryption cipher used was weak • WEP was not publicly reviewed before it became a standard WEP is insecure!!

  19. References • The Institute of Electrical and Electronics Engineers (IEEE) website http://www.ieee.org • 802.11Wireless Networks- The Definitive Guide By Matthew S. Gast, O’REILLY Publications. • History of wireless http://www.ac.aup.fr/a38972/final_projectIT338/history.html • Intercepting Mobile Communications: The Insecurity of 802.11 By Nikita Borisov, Ian Goldberg, and David Wagner http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html • Weaknesses in the Key Scheduling Algorithm of RC4 By Scott Fluhrer, Itsik Mantin and Adi Shamir http://www.crypto.com/papers/others/rc4_ksaproc.pdf • Unsafe at any key size: an analysis of the WEP encapsulation By J. Walker http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zi%p • Your 802.11 Wireless Network has No Clothes By William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of Computer Science, University of Maryland http://www.cs.umd.edu/~waa/wireless.pdf • Popular WEP cracking software http://airsnort.sourceforge.net/ http://sourceforge.net/projects/wepcrack/

More Related