CSCD 439/539 Wireless Networks and Security, Lecture 9: WEP, Fall 2007

Introduction

• WEP
  – We read a lot about the problems with WEP … kind of an afterthought for security
  – How does it work?
  – What are its weaknesses?
  – Are there any strengths?
  – What does an attacker need to do to break WEP encryption?

WEP Overview

• WEP – Wired Equivalent Privacy
  • Originally deployed with 802.11 networks
  • Only security for first 5 years
  • WEP was not ever meant to provide military levels of security
• WEP is efficient – one of its strengths!!
  – Can be implemented in hardware or software
• WEP is exportable
  – Other countries can use it !!
  – Approved by US Department of Commerce
• Is optional !!! Can use NO security with 802.11

Recall Original Purpose of WEP

• Designed to …
  – Keep outsiders from connecting to a network or monitoring traffic on that network
  – Nothing more
  – Was not designed to be end-to-end encryption
  – Does not distribute and manage encryption keys

WEP Overview

• WEP – More details
  – Typically is implemented as firmware
    • Incorporated in all Wi-Fi APs and client adaptors
  – Standard
    • Only defines 64 bit key
    • 128 bit, and now 256 bit keys are extensions
    • Mixing hardware risks some incompatibilities

Based on RC4 Cipher

• RC4 Cipher is a Stream Cipher
  – Stream cipher as opposed to block cipher
    • Stream ciphers encode sequences of plain text into cipher text in a continuous process, while
    • Block ciphers process blocks of data
  – Uses a stream of bits called keystream
  – Combined with text to produce cipher text
  – Ciphertext can then be combined with same keystream to recover original data
  – Most stream ciphers take short secret key and expand it into a pseudorandom keystream
    • Resulting keystream is same length as message

Basic WEP Function

• Each byte of data is encrypted using a different pseudorandom key

• Ensures that if this packet’s key is cracked, only information leaked is that which is contained in that packet

• Actual encryption logic in RC4 is very simple

• Plain text is XOR-ed with an infinitely long keystream

• Security of RC4 comes from secrecy of pseudorandom key that’s derived from keystream

[Figure: diagram labelled Plain Text, Pseudorandom key, Cipher Text]

WEP Definitions

• Where …

• Pseudorandom key: is formed by combining a pre-shared passphrase or WEP key for each AP, a state array and an initialization vector (IV)

• Pre-shared passphrase: The same pre-shared password is used by all users

• State Array: It’s a series of numbers which are scrambled and then used by RC4 to construct the key stream.

• Initialization Vector (IV): The IV is a 3-byte random number generated by the computer

• It’s either prepended or appended to cipher text and sent to the receiver who strips the IV off before decrypting the cipher text

• Little bit more on IV’s and their purpose ….

IV’s Solve a Problem

• What’s the purpose of IV’s?
• Make variable keys for each packet!!!
• Problem using fixed key values
• All data values encrypted with same key
• So, get same encrypted result for same data
• Attacker can spot same encrypted bytes and possibly decipher plain text
• This is a bad idea …

IV’s Solve a Problem

• IV is solution to fixed key problem
  – Instead of using fixed secret key to encrypt packets you combine key with 24-bit number
    • Changes for every packet
  – IV not really part of key since it’s passed unencrypted with encrypted frame
  – IV always changes, so same data will result in different ciphertext

IV’s Solve a Problem

• IV sent in clear
  – Receiver needs to know what IV to use to decrypt data
  – In theory, knowledge of IV useless without knowledge of secret part of key
  – So, never want to reuse the IV with the same secret key … more about this later
  – Look more at the RC4 algorithm …

RC4 Algorithm

Who is this person?

RC4 Algorithm

• RC4 stands for
  – 4th cipher designed by Ron Rivest
    • 1987 by RSA Labs
    • Regarded as a trade secret
  – Algorithm was reverse engineered and made public in 1994 by anonymous person
  – Still some controversy surrounding this event

RC4 Algorithm

• In September 1994
  – Description of it was anonymously posted to the Cypherpunks mailing list
  – It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet
  – Leaked code was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4
  – No longer a trade secret …

RC4 Algorithm

Basic Idea

1) Generate pseudorandom sequence of bytes called a keystream

2) Combined with data using XOR
   XOR combines two bytes to get one by exclusive or’ing each bit

   00110101 XOR 11100011 = 11010110

Characteristic of XOR – apply same value twice, get original value

RC4 Algorithm

• XOR

00110101 XOR 11100011 = 11010110

11010110 XOR 11100011 = 00110101

A XOR B = C, C XOR B = A

Encryption use of RC4

Plaintext XOR Keysequence = Ciphertext

Ciphertext XOR Keysequence = Plaintext

RC4 Algorithm

• Keysequence
  – Must be generated by both ends of the link
  – Idea is, can calculate next byte in sequence only if you know key used to generate stream
  – If don’t know key, looks random
  – XOR easy to compute, challenge is generate good pseudorandom number stream
    • One for each byte of message

RC4 Algorithm

• Two phases to Algorithm
  – Key Scheduling Algorithm and pseudorandom generation

1. Key Scheduling algorithm establishes a 256 byte array encoded with the numbers 0 – 255

S-Box – Create array of 0 – 255 in order

K-Box – 2nd 256 byte array, filled with secret key
Key is repeated to fill array

RC4 Algorithm

• Key Scheduling Algorithm continued …

S-Box locations swapped with each other

j is computed index into S-box

Computed:

j = (value in S-box[0]) + (value in K-box[0])

j = single byte, value no greater than 255

j used as index into S-box and value at that location is swapped with value in first location

Procedure done 255 times until all bytes in S-box have been swapped

RC4 Algorithm

Key Sch. Algorithm …continued …

i = j = 0
For i = 0 to 255
    j = (j + S[i] + K[i]) mod 256;
    swap(S[i], S[j]);
End;

After S-box initialized, next phase is pseudorandom number generation. Involves more swapping of bytes in S-box and creates one pseudorandom byte (R) per iteration

RC4 Algorithm

2. Pseudorandom number generation, creates R

i = (i + 1) mod 256

j = (j + S[i]) mod 256

Swap S[i] and S[j]

k = (S[i] + S[j]) mod 256

R = S[k]

Later, ciphertext is created for each byte of plaintext by XORing byte with an R value

Example: Simple 4 byte password

i=0 j=0
password = 6258
length=4 index=4

Step-1
State array: State[0]=0 State[1]=1 State[2]=2 State[3]=3
Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8

j = [0 + S[0] + K[0]] mod 4 = 6 mod 4 = 2
Swap(State[0], State[2]) = Swap(0,2)
State[0]=2 State[1]=1 State[2]=0 State[3]=3

Example: Simple 4 byte password

Step-2

i=1 j=2

State array: State[0]=2 State[1]=1 State[2]=0 State[3]=3

Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8

j = [2 + S[1] + K[1]] mod 4 = 5 mod 4 = 1

Swap(State[1], State[2]) = Swap(1,0)

State[0]=2 State[1]=0 State[2]=1 State[3]=3

Example: Simple 4 byte password

Step 3
i=2 j=1
State array: State[0]=2 State[1]=0 State[2]=1 State[3]=3
Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8
j = [1 + State[2] + K[2]] mod 4 = 7 mod 4 = 3
Swap(State[2], State[3]) = Swap(1,3)
State[0]=2 State[1]=0 State[2]=3 State[3]=1

Step 4
i=3 j=3
State array: State[0]=2 State[1]=0 State[2]=3 State[3]=1
Password: K[0]=6 K[1]=2 K[2]=5 K[3]=8
j = [3 + State[3] + K[3]] mod 4 = 12 mod 4 = 0
Swap(State[3], State[0]) = Swap(1,2)
State[0]=1 State[1]=0 State[2]=3 State[3]=2

Final State Array:
State[0]=1 State[1]=0 State[2]=3 State[3]=2

Example: Simple 4 byte password

1. Pseudorandom number generation, z1-z4

Initially i=0 j=0

K[0]=6 K[1]=2 K[2]=5 K[3]=8

First Loop:

State[0]=1 State[1]=0 State[2]=3 State[3]=2

i=1 j=0+State[1]=0+0=0

Swap(State[1], State[0]) = Swap(0,1)

State[0]=0 State[1]=1 State[2]=3 State[3]=2

z = State[State[1] + State[0] mod 4] = State[1] = 1

z1 = 00000001

Example: Simple 4 byte password

• Second Loop:

State[0]=0 State[1]=1 State[2]=3 State[3]=2

i=2 j=0+State[2]=3

Swap(State[2], State[3]) = Swap(3,2)

State[0]=0 State[1]=1 State[2]=2 State[3]=3

z = State[State[2] + State[3] mod 4] = State[1] = 1

z2 = 00000001

Example: Simple 4 byte password

• Third Loop:
State[0]=0 State[1]=1 State[2]=2 State[3]=3
i=3 j=3+State[3]=6 mod 4 = 2
Swap(State[3],State[2]) = Swap(3,2)
State[0]=0 State[1]=1 State[2]=3 State[3]=2
z = State[State[3] + State[2]] mod 4 = State[1] = 1
z3=00000001

• Fourth Loop:
State[0]=0 State[1]=1 State[2]=3 State[3]=2
i=4 j=2+State[4]=2+State[4 mod 4] = 2+State[0] = 2
Swap(State[4],State[2]) = Swap(State[0],State[2]) = Swap(0,3)
State[0]=3 State[1]=1 State[2]=0 State[3]=2
z4 = State[State[4] + State[2]] = State[State[0] + State[2]] = State[3] = 2
z4=00000010

Example: Simple 4 byte password

• After calculating Z’s, use them to encrypt

z1 = 00000001
z2 = 00000001
z3 = 00000001
z4 = 00000010

T xor z1 = 01010100 xor 00000001 = 01010101 = U

E xor z2 = 01000101 xor 00000001 = 01000100 = D

S xor z3 = 01010011 xor 00000001 = 01010010 = R

T xor z4 = 01010100 xor 00000010 = 01010110 = U

The word TEST when encrypted with WEP is UDRU

Example came from:

http://palisade.plynt.com/issues/2006Dec/wep-encryption/

RC4 Cipher is Fairly Strong

• RC4 is secure
  – Implementation that makes crypto insecure
  – Difficult to implement strong crypto
  – Implementation weakens crypto
    • Insecure key storage
    • Poor random number generation
    • Flaws in key generation
  – Specifically for WEP, Initialization Vector has problems

WEP IV Problems

• Two problems with way IV’s created
  1. IV’s are reused over time
     • Never want that to happen, attacker can figure out plaintext using identical keys
  2. IV’s have a certain percentage that are weak
     • Easier to break encryption than typical IV

Initialization Vector Reuse (IV)

• However, 24 bits is not that long …
  – Maximum value = 16,777,216 ≈ 17 million
  – Busy AP at 11 Mbps is capable of transmitting/receiving about 700 average packets/sec
  – If different IV used for each packet, use all IV’s in about 7 hours!
  – IV’s are then reset … and the sequence is started over

IV Weakness

• Explanation

– Limited number of rearrangements between the initial setup of the key table and the first pseudorandom byte

– Found by Fluhrer et al 2001 (See ref at end …)

– Showed that for certain key values, weak keys, disproportionate number of bits in first few bytes of key stream were determined by a few bits in the key itself

– If you change one bit in key then output should be different. Yet, some bits of key had a bigger effect on output which reduced the number of effective bits

– So, certain key combinations don’t produce sufficiently random data for first few bytes

IV Weakness

• Fluhrer et al showed problems
  – Allowed attacker to wait for potentially weak key and directly attack the key

Works like this:
• Assume know first few plaintext bytes
• Watch transmission looking for a weak key
• Know there is a correlation between ciphertext, plaintext and secret key bytes

IV Weakness

• Continued …
• Since, only limited number of possible values for first secret key byte
• After capturing about 60 messages, attacker can guess first key byte with reasonable certainty.
• Can attack each secret key byte in turn, so extracts entire message.
• Increasing key size from 40 to 104 bytes only increases time to do this by 2.5 times
• Time increases linearly instead of exponentially
• In their favor, manufacturers try to disallow weak IV values

WEP Keys

• Reason for four keys
  – Supposed to help you change your keys
  – Can use multiple keys simultaneously until you, the manager, want to switch permanently to the new key
  – Only one key at a time is the active key for encrypting
  – But can decrypt using non-active keys
  – Active key is identified by key number
    • 0, 1, 2, 3
  – Still need to figure out how to distribute keys ...

WEP Keys

• How to distribute keys?
• Standard does not specify how keys are distributed
• At home, easy to configure several computers to use same key
• Corporate setting, hundreds of computers
  – Distribution more difficult
  – Change key, and how to update everyone to new key
  – For now, up to individual sites to manage keys

Diagram of Encryption Process

WEP Mechanics

• User has plaintext message

First, Create an Integrity Check Value
  – Integrity Check Value (ICV)
  – Computed on unencrypted message
  – Added to message and encrypted so attacker can’t change message and recompute a CRC on altered message

WEP Mechanics

[Figure: Compute Check adds the ICV to DATA; DATA and ICV are then passed to Encrypt]

WEP Mechanics

• Preparing Frame for Transmission
  – System selects an Initial Vector (IV) value and appends it to the secret WEP key
• Encrypts message
  – Passes each byte from data and ICV block to encryption engine
  – For each byte plaintext going in, encrypted byte comes out
    • Until all bytes processed

WEP Mechanics

• Preparing Frame for Transmission
  – For decryption, key number (0 – 3) and IV value stuck on front of message
    • Takes 4 bytes for these values

[Figure: frame layout with IV and Key ID (Unencrypted), followed by DATA and ICV (Encrypted)]

WEP Mechanics

• Frame for Transmission
  • MAC header is added and CRC for transmission errors
  • One bit in MAC header for WEP on/off
• Receive Process
  • WEP on, reads and stores IV values
  • Reads Key ID so it knows to use correct key
  • Appends IV value to Secret Key and initializes RC4 crypto engine with that value

WEP Mechanics

• Receive Process
  • RC4 requires same process for both encryption and decryption
  • After encryption engine initialized, data run through one byte at a time to get back original message
  • Final step, recompute ICV and verify value matches that sent in message
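
Added example (not part of the original lecture): the RC4 key scheduling and pseudorandom generation phases and the WEP send and receive steps from the slides above, in Python, together with the reason the IV slides say an IV must never be reused with the same secret key. The keys, IV and messages are constructed sample values; the seed order (IV first, then the shared key), the CRC-32 ICV stored little-endian and the key ID in the top two bits of the fourth byte follow 802.11.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """KSA then PRGA, as in the slides; returns n keystream bytes (R values)."""
    S = list(range(256))                        # S-box: 0..255 in order
    j = 0
    for i in range(256):                        # KSA: seed repeated to fill the K-box
        j = (j + S[i] + seed[i % len(seed)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # PRGA: one byte R per iteration
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encapsulate(key: bytes, key_id: int, iv: bytes, data: bytes) -> bytes:
    """Clear IV (3 bytes) + key ID byte, then RC4(IV || key) over DATA + ICV."""
    body = data + icv(data)
    return iv + bytes([key_id << 6]) + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decapsulate(keys: dict, frame: bytes) -> bytes:
    """Read IV and key ID, rebuild the keystream, decrypt, verify the ICV."""
    iv, key_id, body = frame[:3], frame[3] >> 6, frame[4:]
    plain = xor(body, rc4_keystream(iv + keys[key_id], len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch")
    return data

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV and key ID means same keystream, so it cancels:
    C_a XOR C_b == P_a XOR P_b, computed without the key."""
    if frame_a[:4] != frame_b[:4]:
        raise ValueError("frames do not share IV and key ID")
    return xor(frame_a[4:], frame_b[4:])

# Constructed sample values (assumptions, not from the lecture).
KEYS = {0: bytes.fromhex("0102030405"), 1: bytes.fromhex("a1b2c3d4e5")}  # 40-bit keys
IV = bytes.fromhex("00002a")
MSG_A, MSG_B = b"GET /index.html", b"user=alice&pw=x"

if __name__ == "__main__":
    frame_a = wep_encapsulate(KEYS[1], 1, IV, MSG_A)
    frame_b = wep_encapsulate(KEYS[1], 1, IV, MSG_B)       # IV reused
    print("decrypted:", wep_decapsulate(KEYS, frame_a))
    leak = xor_of_plaintexts(frame_a, frame_b)[:len(MSG_A)]
    print("C_a^C_b == P_a^P_b:", leak == xor(MSG_A, MSG_B))
```

The receiver picks the decryption key from the key ID in the frame, which is how the four key slots allow a key change while frames under the old key are still in flight.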

History of WEP

• WEP began in – 1999
  – Most systems supported key extensions of up to 104 bits
  – Industry still wasn’t sure WEP was secure
  – By 2000, wireless was everywhere and researchers began to investigate security
  – Major attack was discovered and published in 2001 showing keys could be extracted in hours – no matter the key length

WEP Insecurity

• Other problems in WEP
  – Want security to provide number of mechanisms
    • Authentication
    • Access Control
    • Replay prevention
    • Message modification
    • Message privacy
    • Key protection
  – WEP doesn’t provide any of these

Authentication

• Proof between two entities
  – You are you
  – Should not be a one-time process
    • Every time you communicate should authenticate
  – Wireless, want mutual authentication
    • Both mobile device and AP
    • Use different keys for authentication and encryption

Authentication

• Open authentication
  – No real authentication mechanism
  – Systems have used MAC address lists
  – OK, unless MAC address is spoofed

Message Replay

• Watch a stream between AP and device
  – If WEP encrypted, can guess user has sent login and password
    • Save all data
    • User shuts down
    • Bring up own client and using her MAC address, connect to the network
    • Can replay login message and hopefully login to server
    • Still need WEP key for unencrypting data

References

• S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the Key Scheduling Algorithm of RC4, http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

• Nikita Borisov, Ian Goldberg, David Wagner. Intercepting Mobile Communications: The Insecurity of 802.11, http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

• W. A. Arbaugh, N. Shankar, Y. J. Wan. Your 802.11 wireless network has no clothes, http://www.cs.umd.edu/~waa/wireless.pdf

Finish

Next time: WPA/IEEE 802.11i
Reading: Read Articles on CourseNotes page
See Assignments page … new assignment