an inductive chosen plaintext attack against wep wep2 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
An Inductive Chosen Plaintext Attack against WEP/WEP2 PowerPoint Presentation
Download Presentation
An Inductive Chosen Plaintext Attack against WEP/WEP2

Loading in 2 Seconds...

play fullscreen
1 / 18

An Inductive Chosen Plaintext Attack against WEP/WEP2 - PowerPoint PPT Presentation


  • 472 Views
  • Uploaded on

An Inductive Chosen Plaintext Attack against WEP/WEP2. William A. Arbaugh University of Maryland, College Park waa@cs.umd.edu. Talk Outline. Introduction WEP/WEP2 IP Walker/Berkeley Attacks Attack Overview Attack Details Conclusions. 802.11 Hdr. ICV. Data. Encapsulate. Decapsulate.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'An Inductive Chosen Plaintext Attack against WEP/WEP2' - foy


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
an inductive chosen plaintext attack against wep wep2

An Inductive Chosen Plaintext Attack against WEP/WEP2

William A. Arbaugh

University of Maryland, College Park

waa@cs.umd.edu

William Arbaugh, University of Maryland

talk outline
Talk Outline
  • Introduction
    • WEP/WEP2
    • IP
    • Walker/Berkeley Attacks
  • Attack Overview
  • Attack Details
  • Conclusions

William Arbaugh, University of Maryland

wep wep2

802.11 Hdr

ICV

Data

Encapsulate

Decapsulate

802.11 Hdr

IV

Data

WEP/WEP2
  • Encryption Algorithm = RC4
  • Per-packet encryption key = IV concatenated to a pre-shared key
    • WEP: 24 bit IV
    • WEP2: 128 bit IV
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
  • Data and ICV are encrypted under the per-packet encryption key

William Arbaugh, University of Maryland

how to read wep encrypted traffic 1

ICV

24 luxurious bits

Encrypted under Key +IV using a Vernam Cipher

802.11 Hdr

IV

Data

How to Read WEP Encrypted Traffic (1)
  • 50% chance of a collision exists already after only 4823 packets!!!
  • Pattern recognition can disentangle the XOR’d recovered plaintext.
  • Recovered ICV can tell you when you’ve disentangled plaintext correctly.
  • After only a few hours of observation, you can recover all 224 key streams.

William Arbaugh, University of Maryland

how to read wep encrypted traffic 2
How to Read WEP Encrypted Traffic (2)
  • Ways to accelerate the process:
    • Send spam into the network: no pattern recognition required!
    • Get the victim to send e-mail to you
      • The AP creates the plaintext for you!
    • Decrypt packets from one Station to another via an Access Point
      • If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other
    • Etc., etc., etc.

William Arbaugh, University of Maryland

observations
Observations
  • Walker/Berkeley attacks require either:
    • Depth and post analysis
    • Cooperating agent for known plain text
  • Can we do better?

William Arbaugh, University of Maryland

inductive chosen plain text
Inductive Chosen Plain Text
  • Base Case: Recover an initial pseudo random stream of length n from known plain text.
  • Inductive step: Extend size of known pseudo random to n+1 by leveraging the redundant information in the CRC.

William Arbaugh, University of Maryland

base case
Base Case
  • Find initial pseudo random stream of size n.
    • Identify DHCP Discover messages from externals, e.g. size, and broadcast MAC address.
      • Known source (0.0.0.0), destination (255.255.255.255), header info
      • Allows the recovery of 24 bytes of pseudo random stream: Let n = 24

William Arbaugh, University of Maryland

inductive step
Inductive Step
  • Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc.
  • Compute ICV and append only the first three bytes.
  • XOR with n bytes of pseudo random stream.
  • Append last byte as the n+1 byte

William Arbaugh, University of Maryland

inductive step1

n-3

3

ICV-1

ICV

802.11 Hdr

IV

Data

Data

byte

Iterate over

the 255 possibilities

Encrypted Data

Pseudo Random Steam

byte

n+1

Inductive Step

William Arbaugh, University of Maryland

inductive step2
Inductive Step

5. Now send datagram and wait for a response.

6. If no response, try another of the 254 remaining possibilities.

7. If there is a response, then we know:

The n+1 byte was the last byte of the ICV, thus we have matching plaintext and ciphertext which gives us the n+1 byte of the pseudorandom stream.

William Arbaugh, University of Maryland

after response

ICV-1

ICV

802.11 Hdr

IV

Data

Data

n+1 ciphertext byte

byte

byte

n+1 pseudo byte

Encrypted Data

Pseudo Random Steam

After Response

n-3

3

n+1 plaintext byte

byte

byte

n+1

William Arbaugh, University of Maryland

attack cost
Attack Cost
  • Assume moderately aggressive attacker:
    • ~100 attacker transmissions per second
    • NOTE: ICV failures will not be passed to OS and thus the attack is difficult to observe (failed ICV counter not withstanding)
  • 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case
  • ~40 minutes in average case

William Arbaugh, University of Maryland

wep costs
WEP Costs
  • 46 hours to build full dictionary of <IV, pseudorandom> with one attacking host (~35GB)
  • But, the attack is embarrassingly parallel.
    • Four attacking hosts: 11.5 hours
    • Eight attacking hosts: 5.75 hours

William Arbaugh, University of Maryland

wep2 costs
WEP2 Costs
  • Prohibitive to build entire dictionary in terms of space and time, but we don’t need to do so.
  • Because, we can still find enough <IV,pseudorandom> pairs to find and attack a vulnerable host on the LAN and recover key actively, e.g. blind scans and blind attacks.

William Arbaugh, University of Maryland

this attack works
This Attack Works
  • Because of the redundant information provided by the CRC, and
  • Because of the lack of a keyed MIC

William Arbaugh, University of Maryland

stopping mitigating the attack
Stopping/Mitigating the Attack
  • Add a keyed MIC (stops attack)
  • Adding a replay window (mitigates attack)
  • Modifying the CRC such that it can’t be:
    • Easily determined by an attacker
    • Not linear (bit flipping attack)

(mitigates attack)

William Arbaugh, University of Maryland

conclusions
Conclusions
  • Fundamental problem is that both WEP and WEP2 vulnerable to packet forgery.
  • It’s easy to dismiss this attack (and the Walker/Berkeley attacks) as “academic”. However, it’s only a matter of time before the attacks are implemented/scripted and released …What then?

William Arbaugh, University of Maryland