An Inductive Chosen Plaintext Attack against WEP/WEP2

William A. Arbaugh

University of Maryland, College Park

waa@cs.umd.edu

William Arbaugh, University of Maryland

Talk Outline
  • Introduction
    • WEP/WEP2
    • IP
    • Walker/Berkeley Attacks
  • Attack Overview
  • Attack Details
  • Conclusions

WEP/WEP2

[Figure: WEP encapsulation and decapsulation of a frame; labels: 802.11 Hdr, IV, Data, ICV, Encapsulate, Decapsulate]

  • Encryption Algorithm = RC4
  • Per-packet encryption key = IV concatenated to a pre-shared key
    • WEP: 24 bit IV
    • WEP2: 128 bit IV
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
  • Data and ICV are encrypted under the per-packet encryption key

How to Read WEP Encrypted Traffic (1)

[Figure: WEP frame layout; labels: 802.11 Hdr, IV, Data, ICV; annotations: "24 luxurious bits", "Encrypted under Key + IV using a Vernam Cipher"]

  • 50% chance of a collision exists already after only 4823 packets!!!
  • Pattern recognition can disentangle the XOR’d recovered plaintext.
  • Recovered ICV can tell you when you’ve disentangled plaintext correctly.
  • After only a few hours of observation, you can recover all 2^24 key streams.

How to Read WEP Encrypted Traffic (2)
  • Ways to accelerate the process:
    • Send spam into the network: no pattern recognition required!
    • Get the victim to send e-mail to you
      • The AP creates the plaintext for you!
    • Decrypt packets from one Station to another via an Access Point
      • If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other
    • Etc., etc., etc.

Observations
  • Walker/Berkeley attacks require either:
    • Depth and post analysis
    • Cooperating agent for known plain text
  • Can we do better?

Inductive Chosen Plain Text
  • Base Case: Recover an initial pseudo random stream of length n from known plain text.
  • Inductive step: Extend size of known pseudo random to n+1 by leveraging the redundant information in the CRC.

Base Case
  • Find initial pseudo random stream of size n.
    • Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address.
      • Known source (0.0.0.0), destination (255.255.255.255), header info
      • Allows the recovery of 24 bytes of pseudo random stream: Let n = 24

Inductive Step
  • Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc.
  • Compute ICV and append only the first three bytes.
  • XOR with n bytes of pseudo random stream.
  • Append last byte as the n+1 byte

Inductive Step

[Figure: Inductive Step. Frame layout: 802.11 Hdr, IV, Data (n-3 bytes), ICV-1 (3 bytes), and an n+1 byte marked "Iterate over the 255 possibilities"; rows labelled Encrypted Data and Pseudo Random Stream.]

Inductive Step

5. Now send datagram and wait for a response.

6. If no response, try another of the 254 remaining possibilities.

7. If there is a response, then we know:

The n+1 byte was the last byte of the ICV, thus we have matching plaintext and ciphertext which gives us the n+1 byte of the pseudorandom stream.

After Response

[Figure: After Response. Frame layout: 802.11 Hdr, IV, Data (n-3 bytes), ICV-1 (3 bytes), ICV; rows labelled Encrypted Data and Pseudo Random Stream; byte n+1 is marked as n+1 ciphertext byte, n+1 pseudo byte, and n+1 plaintext byte.]

Attack Cost
  • Assume moderately aggressive attacker:
    • ~100 attacker transmissions per second
    • NOTE: ICV failures will not be passed to OS and thus the attack is difficult to observe (failed ICV counter notwithstanding)
  • 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case
  • ~40 minutes in average case

WEP Costs
  • 46 hours to build full dictionary of <IV, pseudorandom> with one attacking host (~35GB)
  • But, the attack is embarrassingly parallel.
    • Four attacking hosts: 11.5 hours
    • Eight attacking hosts: 5.75 hours

WEP2 Costs
  • Prohibitive to build entire dictionary in terms of space and time, but we don’t need to do so.
  • Because, we can still find enough <IV,pseudorandom> pairs to find and attack a vulnerable host on the LAN and recover key actively, e.g. blind scans and blind attacks.

This Attack Works
  • Because of the redundant information provided by the CRC, and
  • Because of the lack of a keyed MIC

Stopping/Mitigating the Attack
  • Add a keyed MIC (stops attack)
  • Adding a replay window (mitigates attack)
  • Modifying the CRC (mitigates attack) such that it:
    • Can’t be easily determined by an attacker
    • Is not linear (bit flipping attack)
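
Added example (not from the slides): a local Python model of the Inductive Step slides and of the "Add a keyed MIC" mitigation. It shows why an unkeyed CRC-32 ICV lets a receiver's response confirm keystream byte n+1, and why the same probing learns nothing once the check is keyed. The key, IV, datagram contents, function names, and the truncated HMAC-SHA-256 standing in for a MIC are all assumptions of this model.

```python
import hashlib
import hmac
import zlib

KEY, IV = bytes.fromhex("0102030405"), b"\x00\x00\x01"  # constructed pre-shared key and IV
MIC_KEY = b"constructed-mic-key"  # constructed; known only to the mitigated receiver

def rc4(key, n):
    """First n bytes of the RC4 keystream for key (the per-packet key is IV || KEY)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(data):    # WEP-style ICV: unkeyed CRC-32 (byte order is a modelling choice)
    return zlib.crc32(data).to_bytes(4, "little")

def keyed_mic(data):  # the mitigation: a 4-byte tag that needs MIC_KEY to compute
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:4]

def receiver_accepts(ct, check):
    """Model receiver: decrypt, respond only if the trailing 4-byte check validates."""
    pt = xor(ct, rc4(IV + KEY, len(ct)))
    return hmac.compare_digest(check(pt[:-4]), pt[-4:])

def extend(known, check):
    """Inductive step: n known keystream bytes -> n+1, or None if nothing is accepted."""
    data = bytes(len(known) - 3)           # constructed n-3 byte datagram
    icv = crc_icv(data)                    # the sender can only compute the public CRC
    head = xor(data + icv[:3], known)      # n bytes: data plus first three ICV bytes
    for guess in range(256):               # candidate value for ciphertext byte n+1
        if receiver_accepts(head + bytes([guess]), check):
            return known + bytes([guess ^ icv[3]])
    return None

def recover(check, steps=8):
    known = rc4(IV + KEY, 24)  # base case n = 24, modelled as already recovered
    while steps and (nxt := extend(known, check)):
        known, steps = nxt, steps - 1
    return known
```

`recover(crc_icv)` grows the known stream by one byte per step, while `recover(keyed_mic)` stays at the 24-byte base case because no candidate frame ever validates.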

Conclusions
  • Fundamental problem is that both WEP and WEP2 are vulnerable to packet forgery.
  • It’s easy to dismiss this attack (and the Walker/Berkeley attacks) as “academic”. However, it’s only a matter of time before the attacks are implemented/scripted and released … What then?
