PowerPoint Slideshow about 'Wireless security' - zariel



Wireless security

Breaking WEP and WPA

Wireless security timeline

Events shown on the timeline figure:
  • WEP introduced
  • WPA introduced
  • WPA2 introduced
  • FMS attack on WEP
  • ChopChop attack on WEP
  • Fragmentation attack on WEP
  • PTW attack on WEP
  • Beck and Tews attack on WEP and WPA
  • Attack on TKIP
  • Message falsification attack on WPA

RC4
  • Was developed by Ron Rivest in 1987
  • “Rivest Cipher 4”
  • Most widely used stream cipher
  • Used in e.g. SSL, WEP, WPA and TLS
  • Was secret until 1994 when it was leaked

for i from 0 to 255
    S[i] := i
endfor
l := keylength
j := 0
for i from 0 to 255
    j := (j + S[i] + key[i mod l]) mod 256
    swap(&S[i], &S[j])
endfor
i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap(&S[i], &S[j])
    output S[(S[i] + S[j]) mod 256]
endwhile

Key Scheduling Algorithm (KSA)
  • Initializes the state
  • Permutes array S based on key K
  • Array S controls the secret state
  • S is later used to generate stream

for i from 0 to 255
    S[i] := i
endfor
l := K.length
j := 0
for i from 0 to 255
    j := (j + S[i] + K[i mod l]) mod 256
    swap(&S[i], &S[j])
endfor

KSA example

[Figure: key array K and state array S with index markers i and j, stepped through the loop below]

for i from 0 to 7
    j := (j + S[i] + K[i mod l]) mod 8
    swap(&S[i], &S[j])
endfor

Pseudo Random Generation Algorithm (PRGA)
  • Generates a stream of pseudo random numbers
  • The state array is updated each iteration

i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap(&S[i], &S[j])
    output S[(S[i] + S[j]) mod 256]
endwhile

PRGA example

[Figure: state array S with index markers i and j, stepped through the loop below]

while GeneratingOutput:
    i := (i + 1) mod 8
    j := (j + S[i]) mod 8
    swap(&S[i], &S[j])
    output S[(S[i] + S[j]) mod 8]
endwhile

Question

What problem might we encounter if the same key is used to encrypt multiple messages?

Wired Equivalent Privacy (WEP)
  • Introduced in November 1997
  • Comes in 64-bit and 128-bit strength
  • Uses initialization vectors to deal with the problem of key reuse
  • Not meant to be secure (!)
  • Adds Integrity Control Value (ICV) to the message to verify its correctness
WEP Initialization Vector (IV)
  • Prepended to the key
  • Sent in plaintext along with the message
  • Only 3 bytes – reused every 2^24 messages
  • Reduces key size by 24 bits (!)
    • 64 bit = 40 bit
    • 128 bit = 104 bit

IV + Key = Dynamic key
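
The RC4 pseudocode, the key-reuse question and the IV construction above, put together as an added Python example (not part of the original slides): it keys RC4 with IV || key as WEP does and shows that two frames sent under the same IV cancel the keystream when XORed. The key, IVs and frame contents are constructed sample values, and the helper names are assumptions.

```python
import zlib

def ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: permute S under the key."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def prga(S: list, n: int) -> bytes:
    """Pseudo Random Generation Algorithm: first n keystream bytes."""
    S, i, j, out = S[:], 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """RC4 keyed with IV || key over plaintext || CRC-32 ICV (little-endian)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(body, prga(ksa(iv + key), len(body)))

# Constructed sample values (assumptions, not from the slides)
KEY = bytes.fromhex("0102030405")        # 40-bit secret, i.e. "64-bit" WEP
IV_A = bytes([0x11, 0x22, 0x33])         # 24-bit IV, sent in the clear
IV_B = bytes([0x11, 0x22, 0x34])
P1 = b"\xaa\xaa\x03 first frame"         # both start with the SNAP byte 0xAA
P2 = b"\xaa\xaa\x03 other frame"

def reuse_leak(iv1: bytes, iv2: bytes) -> bool:
    """True if XORing the two ciphertexts cancels the keystream (c1^c2 == p1^p2)."""
    c1, c2 = wep_encrypt(iv1, KEY, P1), wep_encrypt(iv2, KEY, P2)
    return xor(c1, c2)[:len(P1)] == xor(P1, P2)

if __name__ == "__main__":
    print("same IV leaks p1^p2:", reuse_leak(IV_A, IV_A))
    print("fresh IV leaks p1^p2:", reuse_leak(IV_A, IV_B))
    print("distinct IVs before a repeat is forced:", 2 ** 24)
```
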

Fluhrer, Mantin and Shamir attack
  • Found a group of weak IVs
    • IVs of the form X + 3 || 255 || Y
    • If X=0, there is a 5 % chance that the first number generated will be K[0] for any Y
    • The same holds, respectively, for 0 ≤ X ≤ 13
  • The first encrypted byte of all packets is the SNAP header, which is known to be 170, or AA in hexadecimal form
Example

IV = [ 3, 255, 7 ]

K = [ 3, 255, 7, ?, ?, ?, ?, ? ]

C[0] = 165 = 15 ⊕ 170

j = S[i] = S[1] = 0

S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0] ⊕ 170 = 15

j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15 ⇒ K[3] = 2

Limitations
  • Have to collect ~1 000 000-4 000 000 packets to get enough IVs
  • Could take 2-4 weeks to collect
  • Weak IVs no longer used
  • The attack has since been optimized and new attacks have been found
  • Can now be broken in less than 60 seconds
ChopChop attack
  • Truncates the message by one byte and XORs it with X
    • If ICV control succeeds, the truncated byte is X

P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) )

  • Decreases time of finding the key to ~30 minutes
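
Why the equation above holds, as an added Python example (not part of the original slides): CRC-32 is affine over XOR, so an unkeyed ICV under a stream cipher still verifies after the ciphertext is changed, while a keyed MAC does not. The SHA-256 stand-in keystream, the sample message, the HMAC comparison and all helper names are assumptions for illustration.

```python
import hashlib, hmac, zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, computed without any key."""
    return zlib.crc32(data).to_bytes(4, "little")

def mod_crc(mod: bytes) -> bytes:
    """ModCRC(Mod). CRC-32 is affine over XOR:
    icv(P ^ Mod) == icv(P) ^ icv(Mod) ^ icv(zeros of the same length)."""
    return xor(icv(mod), icv(bytes(len(mod))))

def icv_accepts(body: bytes) -> bool:
    """Receiver-side check on a decrypted body P || ICV."""
    return icv(body[:-4]) == body[-4:]

def mac_accepts(key: bytes, body: bytes) -> bool:
    """Same check with a keyed MAC (HMAC-SHA256 truncated to 8 bytes)."""
    tag = hmac.new(key, body[:-8], hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, body[-8:])

# Constructed sample values (assumptions, not from the slides)
KS = hashlib.sha256(b"stand-in keystream").digest()  # stands in for RC4 output
MAC_KEY = b"constructed-mac-key"
P = b"temp=0010;unit=C"
MOD = xor(P, b"temp=9910;unit=C")                    # XOR difference applied in transit

def tamper_crc() -> tuple:
    """P' + ICV(P') = (P + ICV(P)) xor (Mod + ModCRC(Mod)), applied to ciphertext."""
    c = xor(P + icv(P), KS)                          # sender encrypts
    c2 = xor(c, MOD + mod_crc(MOD))                  # modified without any key
    body = xor(c2, KS)                               # receiver decrypts
    return body[:-4], icv_accepts(body)

def tamper_mac() -> bool:
    """Same modification against a keyed tag: the tag cannot be corrected."""
    tag = hmac.new(MAC_KEY, P, hashlib.sha256).digest()[:8]
    c2 = xor(xor(P + tag, KS), MOD + bytes(8))
    return mac_accepts(MAC_KEY, xor(c2, KS))

if __name__ == "__main__":
    print("CRC-32 ICV:", tamper_crc())
    print("keyed MAC accepted:", tamper_mac())
```
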
Wi-Fi Protected Access (WPA)
  • Built around WEP to fix its flaws and provide backward compatibility
  • Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems
Temporal Key Integrity Protocol (TKIP)
  • Adds a new Message Integrity Check (MIC) generated using the Michael algorithm
  • Michael is insecure, but this was handled by countermeasures in TKIP
  • Replay protection slows down attacks but does not prevent them
Beck and Tews attack
  • Attacks TKIP
  • A modified version of the ChopChop attack
  • Truncates the message by one byte and XORs the last byte with X
    • If ICV control fails, nothing happens; increment X
    • If ICV control succeeds, MIC control will fail and an error message will be sent; the truncated byte is X
  • Limited to networks with QoS enabled
Wireless security timeline

[Timeline figure, repeated: WEP, WPA and WPA2 introduced; FMS, ChopChop, Fragmentation and PTW attacks on WEP; Beck and Tews attack on WEP and WPA; attack on TKIP; message falsification attack on WPA]
Additional reading
  • Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4
  • Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)
  • Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin
  • Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds
  • Beck, M., Tews, E.: Practical attacks against WEP and WPA
  • Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack on TKIP
  • Ohigashi, T., Morii, M.: A practical message falsification attack on WPA