Wireless security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 23

Wireless security PowerPoint PPT Presentation


  • 126 Views
  • Uploaded on
  • Presentation posted in: General

Wireless security. Breaking WEP and WPA. Wireless security - Why?. DEMO!. Wireless security timeline. Message falsification attack on WPA. Attack on TKIP. WEP introduced. WPA introduced. WPA2 introduced. FMS attack on WEP. ChopChop attack on WEP. Fragmentation attack onWEP.

Download Presentation

Wireless security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Wireless security

Wireless security

Breaking WEP and WPA


Wireless security why

Wireless security - Why?


Wireless security

DEMO!


Wireless security timeline

Wireless security timeline

Message falsification attack on WPA

Attack on TKIP

WEP

introduced

WPA

introduced

WPA2

introduced

FMS attack on WEP

ChopChop attack on WEP

Fragmentation attackonWEP

PTW attack on WEP

Beck and Tews attack on WEP and WPA


Wireless security

RC4

  • Was developed by Ron Rivest in 1987

  • “Rivest Cipher 4”

  • Most widely used stream cipher

  • Used in i.e. SSL, WEP, WPA and TLS

  • Was secret until 1994 when it was leaked

forifrom 0 to255

S[i] := i

endfor

l := keylength

j := 0

forifrom 0 to255

j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j])

endfor

i := 0

j := 0

whileGeneratingOutput:

i:= (i + 1) mod 256

j := (j + S[i]) mod 256 swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 256]

endwhile


Key scheduling algorithm ksa

Key Scheduling Algorithm (KSA)

  • Initializes the state

  • Permutes array S based on key K

  • Array S controls the secret state

  • S is later used to generate stream

forifrom 0 to 255

S[i] := i

endfor

l := K.length

j := 0

forifrom 0 to 255

j := (j + S[i] + K[imod l]) mod 256

swap(&S[i], &S[j])

endfor


Ksa example

KSA example

i

K =

5

3

S =

0

2

5

4

1

3

0

2

5

6

3

4

7

5

0

5

0

6

3

4

7

1

i

j

forifrom 0 to 7

j := (j + S[i] + K[i mod l]) mod 8

swap(&S[i],&S[j])

endfor


Pseudo random generation algorithm prga

Pseudo Random Generation Algorithm (PRGA)

  • Generates a stream of pseudo random numbers

  • The state array is updated each iteration

i := 0

j := 0

whileGeneratingOutput:

i := (i + 1) mod 256

j := (j+S[i]) mod 256

swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 256]

endwhile


Prga example

PRGA example

S =

2

7

4

3

1

6

7

4

5

0

3

1

i

j

whileGeneratingOutput:

i := (i + 1) mod 8

j := (j+S[i]) mod 8

swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 8]

endwhile


Question

Question

What problem might we encounter if the same key is used to encrypt multiple messages?


Wired equivalent privacy wep

Wired Equivalent Privacy (WEP)

  • Introduced in November 1997

  • Comes in 64-bit and 128-bit strength

  • Uses initialization vectors to deal with the problem of key reuse

  • Not meant to be secure (!)

  • Adds Integrity Control Value (ICV) to the message to verify its correctness


Wep initialization vector iv

WEP Initialization Vector (IV)

  • Prepended to the key

  • Sent in plaintext along with the message

  • Only 3 bytes – reused every 224 message

  • Reduces key size by 24 bits (!)

    • 64 bit = 40 bit

    • 128 bit = 104 bit

IV

+

Key

=

Dynamic key


Fluhrer mantin and shamir attack

Fluhrer, Mantin and Shamir attack

  • Found a group of weak IV’s

    • IV’s with format X + 3 || 255 || Y

    • If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y

    • Same holds for respectively for 0X13

  • The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form


Example

Example

IV = [ 3, 255, 7 ]

K = [ 3, 255, 7, ?, ?, ?, ?, ? ]

C[0] = 165 = 15  170

j = S[i] = S[1] = 0

S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0]  170 = 15

j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15  K[3] = 2


Statistics

Statistics


Aircrack

Aircrack


Limitations

Limitations

  • Have to collect ~1 000 000-4 000 000 packets to get enough IV’s

  • Could take 2-4 weeks to collect

  • Weak IV’s no longer used

  • Have since then been optimized and new attacks have been found

  • Can now be broken in less than 60 seconds


Chopchop attack

ChopChop attack

  • Truncates the message by one byte and xor with X

    • If ICV control succeeds, the truncated byte is X

      P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) )

  • Decreases time of finding the key to ~30 minutes


Wi fi protected access wpa

Wi-fi Protected Access (WPA)

  • Built around WEP to fix its flaws and provide backward compatibility

  • Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems


Temporal key integrity protocol tkip

Temporal Key Integrity Protocol (TKIP)

  • Adds a new Message Integrity Check (MIC) generated using Michael algorithm

  • Michael is insecure, but this was handled by countermeasures in TKIP

  • Replay protection, slows down attacks but do not prevent them


Becks and tews attack

Becks and Tews attack

  • Attacks a TKIP

  • A modified version of the ChopChop attack

  • Truncates the message by one byte and xor last byte with X

    • If ICV control fails nothing happens, increment X

    • If ICV control succeeds, then MIC control will fail and an error message will be sent, the truncated byte is X

  • Limited to networks with QoS enabled


Wireless security timeline1

Wireless security timeline

Message falsification attack on WPA

Attack on TKIP

WEP

introduced

WPA

introduced

WPA2

introduced

FMS attack on WEP

ChopChop attack on WEP

Fragmentation attackonWEP

PTW attack on WEP

Beck and Tews attack on WEP and WPA


Additional reading

Additional reading

  • Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4

  • Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)

  • Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin

  • Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds

  • Beck, M., Tews, E.: Practical attacks against WEP and WPA

  • Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP

  • Ohigashi, T., Morii, M.: A practical message falsification attack on WPA


  • Login