- 148 Views
- Uploaded on
- Presentation posted in: General

Wireless security

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Wireless security

Breaking WEP and WPA

DEMO!

Message falsification attack on WPA

Attack on TKIP

WEP

introduced

WPA

introduced

WPA2

introduced

FMS attack on WEP

ChopChop attack on WEP

Fragmentation attackonWEP

PTW attack on WEP

Beck and Tews attack on WEP and WPA

- Was developed by Ron Rivest in 1987
- “Rivest Cipher 4”
- Most widely used stream cipher
- Used in i.e. SSL, WEP, WPA and TLS
- Was secret until 1994 when it was leaked

forifrom 0 to255

S[i] := i

endfor

l := keylength

j := 0

forifrom 0 to255

j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j])

endfor

i := 0

j := 0

whileGeneratingOutput:

i:= (i + 1) mod 256

j := (j + S[i]) mod 256 swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 256]

endwhile

- Initializes the state
- Permutes array S based on key K
- Array S controls the secret state
- S is later used to generate stream

forifrom 0 to 255

S[i] := i

endfor

l := K.length

j := 0

forifrom 0 to 255

j := (j + S[i] + K[imod l]) mod 256

swap(&S[i], &S[j])

endfor

i

K =

5

3

S =

0

2

5

4

1

3

0

2

5

6

3

4

7

5

0

5

0

6

3

4

7

1

i

j

forifrom 0 to 7

j := (j + S[i] + K[i mod l]) mod 8

swap(&S[i],&S[j])

endfor

- Generates a stream of pseudo random numbers
- The state array is updated each iteration

i := 0

j := 0

whileGeneratingOutput:

i := (i + 1) mod 256

j := (j+S[i]) mod 256

swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 256]

endwhile

S =

2

7

4

3

1

6

7

4

5

0

3

1

i

j

whileGeneratingOutput:

i := (i + 1) mod 8

j := (j+S[i]) mod 8

swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 8]

endwhile

What problem might we encounter if the same key is used to encrypt multiple messages?

- Introduced in November 1997
- Comes in 64-bit and 128-bit strength
- Uses initialization vectors to deal with the problem of key reuse
- Not meant to be secure (!)
- Adds Integrity Control Value (ICV) to the message to verify its correctness

- Prepended to the key
- Sent in plaintext along with the message
- Only 3 bytes – reused every 224 message
- Reduces key size by 24 bits (!)
- 64 bit = 40 bit
- 128 bit = 104 bit

IV

+

Key

=

Dynamic key

- Found a group of weak IV’s
- IV’s with format X + 3 || 255 || Y
- If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y
- Same holds for respectively for 0X13

- The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form

IV = [ 3, 255, 7 ]

K = [ 3, 255, 7, ?, ?, ?, ?, ? ]

C[0] = 165 = 15 170

j = S[i] = S[1] = 0

S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0] 170 = 15

j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15 K[3] = 2

- Have to collect ~1 000 000-4 000 000 packets to get enough IV’s
- Could take 2-4 weeks to collect
- Weak IV’s no longer used
- Have since then been optimized and new attacks have been found
- Can now be broken in less than 60 seconds

- Truncates the message by one byte and xor with X
- If ICV control succeeds, the truncated byte is X
P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) )

- If ICV control succeeds, the truncated byte is X
- Decreases time of finding the key to ~30 minutes

- Built around WEP to fix its flaws and provide backward compatibility
- Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems

- Adds a new Message Integrity Check (MIC) generated using Michael algorithm
- Michael is insecure, but this was handled by countermeasures in TKIP
- Replay protection, slows down attacks but do not prevent them

- Attacks a TKIP
- A modified version of the ChopChop attack
- Truncates the message by one byte and xor last byte with X
- If ICV control fails nothing happens, increment X
- If ICV control succeeds, then MIC control will fail and an error message will be sent, the truncated byte is X

- Limited to networks with QoS enabled

Message falsification attack on WPA

Attack on TKIP

WEP

introduced

WPA

introduced

WPA2

introduced

FMS attack on WEP

ChopChop attack on WEP

Fragmentation attackonWEP

PTW attack on WEP

Beck and Tews attack on WEP and WPA

- Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4
- Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)
- Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin
- Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds
- Beck, M., Tews, E.: Practical attacks against WEP and WPA
- Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP
- Ohigashi, T., Morii, M.: A practical message falsification attack on WPA