Intercepting Mobile Communications: The Insecurity of 802.11
Nikita Borisov (UC Berkeley), Ian Goldberg (Zero-Knowledge Sys), David Wagner (UC Berkeley)
Presented by Kunjan Naik

Agenda
• Introduction
• WEP protocol
  - Brief description
  - Security goals
• Keystream reuse attacks
• Attacks involving message authentication
• Countermeasures
• Conclusion

Typical Scenario
[Figure: Ad-Hoc Network; Infrastructure Network]

WEP Protocol
• Wired Equivalent Privacy
• Link Layer Security Protocol
• Goals:
  - Confidentiality: protection against eavesdropping
  - Access Control: restrict accessibility
  - Data Integrity: correctness of data

RC4 and Stream Ciphers
• RC4 encryption is a Vernam cipher
• RC4 is a stream cipher
• Generates a pseudo-random keystream from the key (IV || Key)
[Figure labels: pseudo-random number generator, encryption key, plain text data byte, cipher text byte]

WEP Protocol
• Mobile station shares key with Access Point
• Transmitting a message M:
  - Compute checksum of M and append it to M
  - Generate keystream using RC4(IV,Key)
  - XOR <M,C(M)> with keystream
  - Transmit IV and cipher text
• Upon receiving:
  - Reverse steps

Packet Format and Encapsulation
• Encryption Algorithm = RC4
• Key length = 40 bits, IV length = 24 bits
• C = RC4(IV,K) xor <M, C(M)>
[Figure: Message and CRC, XOR, Keystream = RC4(IV,K); transmitted packet: IV, Cipher Text]

WEP Authentication
• Authentication key distributed out-of-band
• Access Point generates a “randomly generated” challenge
• Station encrypts challenge using pre-shared secret
• Denial of service attack
[Figure: shared secret distributed out of band; Challenge (Nonce); Response (Nonce RC4 encrypted under shared key); Decrypted nonce OK?]

So What are the Problems?
• Shared key mechanism
  - Same shared key in the network
• Attacks based on Keystream Reuse
  - IV collision
• Decryption Dictionaries
• Message modification
• Message injection

Shared key mechanism
• Single key or array of shared keys between all mobile stations in the network
• Key length is just 40 bits
• Key management is a misnomer
• Shared keys change rarely
• Chances of IV collision are proportional to the number of users

IV Collision
• P1 and P2 are packets with the same IV
• C1 = P1 xor RC4(IV,Shared Key)
• C2 = P2 xor RC4(IV,Shared Key)
• C1 xor C2 = P1 xor P2
• Attacker knows the XOR of the two plaintexts
• Given P1 or P2, it is easy to find the other
• The more packets with the same IV, the easier it gets
• Dragging cribs, frequency analysis methods

Key Reuse
• Shared key is the same in both directions
• Keystream depends on the IV, as the key is fixed
• IV is included in the unencrypted portion of the message
• IV is reset to 0 when initialized
• Easy to find collisions
• After 16 million packets (worst case) the IV repeats

How to find keystream reuse?
• IV space: 2^24 possibilities
• Collision after a few minutes on a busy AP
• WEP standard recommends (but does not require) that the IV be changed per packet
• Moreover, the IV is set to 0 when re-initialized
• Finding keystream reuse is therefore easy

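The encapsulation and IV-collision slides above, worked through as an added example (not code from the slides or the paper). The key, IVs, payloads and function names are constructed for illustration; the RC4 and CRC-32 routines follow the C = RC4(IV,K) xor <M, C(M)> layout given earlier.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                         # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                           # keystream output
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """C = RC4(IV || K) xor <M, CRC(M)>; the IV itself is sent in the clear."""
    body = msg + zlib.crc32(msg).to_bytes(4, "little")
    return xor(body, rc4(iv + key, len(body)))

def wep_decrypt(iv: bytes, key: bytes, ct: bytes) -> bytes:
    """Reverse the steps and check the CRC."""
    body = xor(ct, rc4(iv + key, len(ct)))
    msg, icv = body[:-4], body[-4:]
    if zlib.crc32(msg).to_bytes(4, "little") != icv:
        raise ValueError("checksum mismatch")
    return msg

# Constructed sample data: 40-bit key, 24-bit IVs, two equal-length payloads.
KEY = bytes.fromhex("0102030405")
P1 = b"GET /index.html HTTP/1.0"
P2 = b"220 mail.example.test OK"

def keystream_cancels(iv1: bytes, iv2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, which happens when the IVs match."""
    c1, c2 = wep_encrypt(iv1, KEY, P1), wep_encrypt(iv2, KEY, P2)
    return xor(c1, c2)[:len(P1)] == xor(P1, P2)

def other_plaintext(iv: bytes) -> bytes:
    """Same IV, P1 known: P2 = C1 xor C2 xor P1, with no use of the key."""
    c1, c2 = wep_encrypt(iv, KEY, P1), wep_encrypt(iv, KEY, P2)
    return xor(xor(c1, c2), P1)
```

With distinct IVs the two keystreams differ and the XOR of the ciphertexts reveals nothing useful, which is why per-packet IV uniqueness matters and a 24-bit IV space cannot provide it for long.
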
How to get plaintext?
• IP traffic is predictable: well defined structures and message content
• Login sequences and Welcome messages
• Sniffing the Authentication challenge: plain and cipher text both
• Sending packets from outside: ping
• Broadcast packets in both encrypted and unencrypted form, for some implementations

Attack from both ends
[Figure labels: Internet, Attacker, AP, MS; "Attacker sends data"; "AP encrypts plaintext data"]

Attack from both sides cont’d
• Attacker sends packets from the Internet to the mobile station, and the AP encrypts them for the attacker
• Flip bits to change the destination address to a host we control; the IP checksum needs to be modified
• A sufficient number of packets with different IVs will enable the attacker to build a decryption dictionary

Decryption Dictionaries
• XORing cipher text and plain text gives the keystream
• Store a one-to-one mapping of IV to RC4(IV,Key)
• XOR any packet with the keystream for its IV and read the data
• Number of entries in table: 2^24
• 1500 bytes per packet: 24 GB
• Independent of key size; depends on the IV only
• Building the table ensures immediate decryption

Message Authentication
• CRC checksum for data integrity
• CRC is resilient against random errors, not against malicious attacks
• CRC is independent of IV and key
• CRC and RC4 are linear
• CRC(X xor Y) = CRC(X) xor CRC(Y)
• So, changing bits in a packet is easy

Message modification
• C = RC4(IV,K) * {M,C(M)}
• Let M’ = M * D
• D is arbitrarily chosen and * => xor
• C’ = C * {D, C(D)}
     = RC4(IV,K) * {M,C(M)} * {D,C(D)}
     = RC4(IV,K) * {M * D, C(M) * C(D)}
     = RC4(IV,K) * {M * D, C(M * D)}
     = RC4(IV,K) * {M’, C(M’)}
• Effectively, the attacker computes C’ = C * {D, C(D)}

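The derivation above checked against a real CRC-32, next to the keyed checksum that the countermeasures slide calls for. This is an added example, not code from the slides or the paper; the messages, keys, the stand-in keystream and all function names are constructed for illustration.

```python
import hashlib, hmac, zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    """Unkeyed WEP-style checksum: CRC-32 of the message."""
    return zlib.crc32(m).to_bytes(4, "little")

# Constructed data. KS stands in for RC4(IV,K): the result depends only on
# XOR encryption, not on which stream cipher produced the keystream.
KS = hashlib.shake_256(b"stand-in keystream").digest(64)
MAC_KEY = b"hypothetical integrity key"
M, M2 = b"PAY 0100 TO bob", b"PAY 9100 TO bob"   # M' = M xor D

def hmac_tag(m: bytes) -> bytes:
    """Keyed checksum, as the countermeasures slide recommends."""
    return hmac.new(MAC_KEY, m, hashlib.sha256).digest()

def seal(msg: bytes, tagger) -> bytes:
    """Sender: encrypt <M, tag(M)> under the keystream."""
    return xor(msg + tagger(msg), KS)

def unseal(ct: bytes, tagger, taglen: int):
    """Receiver: decrypt, verify the tag, return M or None."""
    body = xor(ct, KS)
    msg, tag = body[:-taglen], body[-taglen:]
    return msg if hmac.compare_digest(tagger(msg), tag) else None

def icv_delta(d: bytes) -> bytes:
    """The slide's C(D) for real CRC-32: CRC(D) xor CRC(00..0). The init and
    final XOR make zlib's CRC affine, so the zero-string term is needed."""
    return xor(crc(d), crc(bytes(len(d))))

def crc_frame_after_flip():
    """C' = C xor {D, C(D)} built from ciphertext only; receiver's verdict."""
    d = xor(M, M2)
    return unseal(xor(seal(M, crc), d + icv_delta(d)), crc, 4)

def hmac_frame_after_flip():
    """Same flip against the keyed tag; no tag delta is computable without
    MAC_KEY, so the tag bytes are left as they were."""
    d = xor(M, M2)
    return unseal(xor(seal(M, hmac_tag), d + bytes(32)), hmac_tag, 32)
```

The receiver accepts the altered frame when the tag is a CRC and rejects it when the tag is an HMAC, because only the keyed tag requires a secret to recompute.
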
Message Injection
• Attacker needs plain text and cipher text
• Attacker has fake message F and computes C(F)
• Computes C’ = {F,C(F)} xor RC4(IV,key)
• Transmits (IV, C’)
• Reuse old IVs and circumvent access control
• Attacker can authenticate himself using message injection

Message Decryption
• IP redirection: send the encrypted packet to a host on the Internet; IP checksum and firewall issues
• Reaction attacks: TCP packets with an incorrect checksum are dropped, and correct packets get a TCP ACK. Modify the packet and check the recipient's reaction

Attack Practicality
• Use off-the-shelf wireless card and software radio
• Sit outside competitor’s office and sniff packets
• Reverse engineer firmware to inject packets
• Dictionaries: has to be done once

Countermeasures
• Data encryption is not enough; access control through data authentication is a must
• Use block ciphers
• Increase key length
• Make the checksum a keyed function of the message
• Put the wireless network outside the firewall and treat it as a public network

Conclusion
• Public review is essential
• All three goals:
  - Confidentiality: attacker can read traffic
  - Access Control: attacker can inject traffic
  - Data Integrity: attacker can modify traffic
• Use VPN, IPSec, SSH along with WEP
• ESN is supposed to solve all problems