- 196 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Wireless security' - zariel

**An Image/Link below is provided (as is) to download presentation**
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

Presentation Transcript

### Wireless security

Breaking WEP and WPA

Wireless security timeline

Message falsification attack on WPA

Attack on TKIP

WEP

introduced

WPA

introduced

WPA2

introduced

FMS attack on WEP

ChopChop attack on WEP

Fragmentation attackonWEP

PTW attack on WEP

Beck and Tews attack on WEP and WPA

RC4

- Was developed by Ron Rivest in 1987
- “Rivest Cipher 4”
- Most widely used stream cipher
- Used in i.e. SSL, WEP, WPA and TLS
- Was secret until 1994 when it was leaked

forifrom 0 to255

S[i] := i

endfor

l := keylength

j := 0

forifrom 0 to255

j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j])

endfor

i := 0

j := 0

whileGeneratingOutput:

i:= (i + 1) mod 256

j := (j + S[i]) mod 256 swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 256]

endwhile

Key Scheduling Algorithm (KSA)

- Initializes the state
- Permutes array S based on key K
- Array S controls the secret state
- S is later used to generate stream

forifrom 0 to 255

S[i] := i

endfor

l := K.length

j := 0

forifrom 0 to 255

j := (j + S[i] + K[imod l]) mod 256

swap(&S[i], &S[j])

endfor

KSA example

i

K =

5

3

S =

0

2

5

4

1

3

0

2

5

6

3

4

7

5

0

5

0

6

3

4

7

1

i

j

forifrom 0 to 7

j := (j + S[i] + K[i mod l]) mod 8

swap(&S[i],&S[j])

endfor

Pseudo Random Generation Algorithm (PRGA)

- Generates a stream of pseudo random numbers
- The state array is updated each iteration

i := 0

j := 0

whileGeneratingOutput:

i := (i + 1) mod 256

j := (j+S[i]) mod 256

swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 256]

endwhile

PRGA example

S =

2

7

4

3

1

6

7

4

5

0

3

1

i

j

whileGeneratingOutput:

i := (i + 1) mod 8

j := (j+S[i]) mod 8

swap(&S[i],&S[j])

output S[(S[i]+S[j]) mod 8]

endwhile

Question

What problem might we encounter if the same key is used to encrypt multiple messages?

Wired Equivalent Privacy (WEP)

- Introduced in November 1997
- Comes in 64-bit and 128-bit strength
- Uses initialization vectors to deal with the problem of key reuse
- Not meant to be secure (!)
- Adds Integrity Control Value (ICV) to the message to verify its correctness

WEP Initialization Vector (IV)

- Prepended to the key
- Sent in plaintext along with the message
- Only 3 bytes – reused every 224 message
- Reduces key size by 24 bits (!)
- 64 bit = 40 bit
- 128 bit = 104 bit

IV

+

Key

=

Dynamic key

Fluhrer, Mantin and Shamir attack

- Found a group of weak IV’s
- IV’s with format X + 3 || 255 || Y
- If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y
- Same holds for respectively for 0X13

- The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form

Example

IV = [ 3, 255, 7 ]

K = [ 3, 255, 7, ?, ?, ?, ?, ? ]

C[0] = 165 = 15 170

j = S[i] = S[1] = 0

S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0] 170 = 15

j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15 K[3] = 2

Limitations

- Have to collect ~1 000 000-4 000 000 packets to get enough IV’s
- Could take 2-4 weeks to collect
- Weak IV’s no longer used
- Have since then been optimized and new attacks have been found
- Can now be broken in less than 60 seconds

ChopChop attack

- Truncates the message by one byte and xor with X
- If ICV control succeeds, the truncated byte is X
P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) )

- If ICV control succeeds, the truncated byte is X
- Decreases time of finding the key to ~30 minutes

Wi-fi Protected Access (WPA)

- Built around WEP to fix its flaws and provide backward compatibility
- Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems

Temporal Key Integrity Protocol (TKIP)

- Adds a new Message Integrity Check (MIC) generated using Michael algorithm
- Michael is insecure, but this was handled by countermeasures in TKIP
- Replay protection, slows down attacks but do not prevent them

Becks and Tews attack

- Attacks a TKIP
- A modified version of the ChopChop attack
- Truncates the message by one byte and xor last byte with X
- If ICV control fails nothing happens, increment X
- If ICV control succeeds, then MIC control will fail and an error message will be sent, the truncated byte is X

- Limited to networks with QoS enabled

Wireless security timeline

Message falsification attack on WPA

Attack on TKIP

WEP

introduced

WPA

introduced

WPA2

introduced

FMS attack on WEP

ChopChop attack on WEP

Fragmentation attackonWEP

PTW attack on WEP

Beck and Tews attack on WEP and WPA

Additional reading

- Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4
- Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)
- Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin
- Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds
- Beck, M., Tews, E.: Practical attacks against WEP and WPA
- Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP
- Ohigashi, T., Morii, M.: A practical message falsification attack on WPA

Download Presentation

Connecting to Server..