CSC-682 Advanced Computer SecurityCSC-682 Advanced Computer Security

Attackson wireless networks using WEP encryption

presented by : Pompi Rotaru

Wireless technology

• IEEE 802.11 a/b/g/n is the set of standards for W-LAN

• Wireless technology has been on the rise in recent years

• An individual can sit outside the building and connect to an

unprotected wireless network

• Preserving privacy and integrity of wireless communications

becomes an important objective of the network security team

• Basic service set :• infrastructure mode independent (ad-hoc) mode

WEP

• Wired Equivalent Privacy (WEP) is most common

mechanism for protection

• Encryption with 40-bit key (aka “64-bit encryption”)

• Encryption with 104-bit key (aka "128-bit encryption“)

• Uses as the most common encryption algorithm the RC4

algorithm.

History of WEP

• 1997 Release of the first final version of IEEE 802.11

• 2001 WEP broken by Fluhrer, Mantin, and Shamir

• 2004 WEP broken again by KoreK

• 2005 WEP broken again by KoreK again (chopchop attack)

• 2005 WEP broken again by Bittau, fragmentation attack

• 2007 WEP broken again by Pyshkin, Tews, Weinmann, with

the help of Klein

RC4 algorithm description

• Stream cipher designed by Ron Rivest in 1987

• It works as a variable key-size stream cipher with byte-

oriented operations

• Key Scheduling Algorithm (KSA) - which turns a random key

into a permutation by scrambling the bits

• Pseudo-Random Generator Algorithm (PRGA) – using swap

operations for the previously permutation it generates pseudo-

random numbers

• X = RC4(K)

How WEP encryption works

• A 3 bytes initialization vector (IV) is chosen

• A key stream X = RC4(K) is generated from secret key K

• A 32 bit long checksum called Integrity Check Value (ICV)

is appended to the message to protect the integrity

• The resulting plain text is encrypted making an XOR

operation with the generated key stream

• The unencrypted IV and the cipher-text are sent over the air

Types of WEP attacks

• Depending on key

• without recovering the WEP key

• recovering the key

• Depending on communication

• static (no communication with AP)

• dynamic (involves communication with AP)

General steps for attack

• Setup equipment (laptop, directional antenna)

• Find the target (airdump-ng, Kismet, NetStumbler)

• Capture data from air (airmon-ng, airodump-ng)

• Wait or make the target network busy (aireplay-ng)

• Start cracking from captured data (aircrack-ng)

The brute force / dictionary attack

• “Power” of the WEP relies in the difficulty of discovery of the

secret key through a brute-force attack

• “Dictionary attack” uses dictionary of keys, not all possible

keys

• Such attack requires less then a month for all keys

• Steps :• capture 2 WEP encrypted packets

• try to decrypt it using the captured IV and a potential key

• verify decrypted ICV (the CRC)

• (optional) verify the key on the 2nd packet

The FMS attack

• 2001 - Scott Fluhrer, Itsik Mantin and Adi Shamir

• Static - with key recovery

• RC4 weaknesses :• The “Invariance Weakness” - existence of large classes of weak keys

• The “IV Weakness” – using IV attacker can rederive the secret part by

analyzing the initial word

• Finding the key → use key-output correlation = propagation

of a weak key pattern into the outputs combined with biased

distribution of bits in English text

• Decision tree

• Requires 9 millions packets (listen to traffic for 1…2 hours)

The KoreK attack

• 2004 – internet hacker KoreK

• Static - with key recovery• Does not need weak IV

• Uses 16 additional correlations between the first 1 byte of an

RC4 key, the first 2 bytes of the generated key stream, and the

next keybyte

• Same decision-tree based approach same as FMS attack

• Requires 700000 packets

The KoreK chop-chop attack

• 2005 – same KoreK

• Does not recover the key, it just reveals the message

• Exploits an ICV vulnerability

• Process of truncation of packets while keeping them still valid

• Steps :• capture one packet

• truncate the last byte and try to guess one “value” for plaintext

• correct the checksum and send packet to AP

• if guess is correct the AP will reply

• repeat until all bytes are decrypted

The Bittau attack

• 2005 - Andrea Bittau, Mark Handley and Joshua Lackey

• Fragmentation :• Possible to send multiple fragments (16) using the same key stream

• Each packet is encrypted independently at MAC layer

• Steps:• listen to traffic, eavesdrop one packet then recover 8 bytes of key

stream

• prepend an IP header to the eavesdropped packet and send to AP

• AP will sent the clear text to a controlled internet host

• Fragmentation is used to break 802.11’s cryptography

The PTW attack

• 2007 - Andrei Pyshkin, Erik Tews & Ralf-Philipp Weinmann

• They found a “multibyte correlation” between the first l bytes

of an RC4 key, the generated keystream, and the next i bytes of

the key.

• Steps :• captures packets and recovers their keystreams (FMS,

KoreK)

• evaluate the multibyte correlation function (Klein)

• create decision tree for key and start voting (Rk[0], Rk[1], Rk[2]…)

• Requires 35000 …. 40000 packets

• Less then 60 seconds to crack a 104 bit WEP key

Protecting WEP

• Increase the number of bytes used for encryption (“protects”

against FMS attack)

• Remove the weak IV - keystream re-use vulnerabilities

• Prevent key re-use

• Extensible Authentication Protocol (EAP) – change often the

WEP-key (not enough against Bittau attack)

• Deploy Intrusion Detection Systems (IDS) to protect against

injected traffic (really protects against PTW attack)

• Companies sell hardware using modified versions of the WEP

protocol claiming to be secure

Conclusions

• WEP has a long history of vulnerabilities and “fixes” • WEP is a good example of how attacks evolve and mature

over time • Attacks that a few years ago took days, now take minutes if

the right tools are used• 2005 WEP is officially declared deprecated by IEEE 802.11

committee • 2008 WEP used by 30% of users in a US university• Today – too many old networks, some using WEP• WEP must be abandoned once and for all, rather than

patch it yet again !!!

Bibliography• http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

• http://dl.aircrack-ng.org/breakingwepandwpa.pdf

• http://eprint.iacr.org/2007/120.pdf

• http://tapir.cs.ucl.ac.uk/bittau-wep.pdf

• http://www.netstumbler.org/showthread.php?t=12489

• http://www.netstumbler.org/showpost.php?p=93942&postcount=35

•  

• http://www.pisa.org.hk/event/live-wifi-attack-defense/WEP_cracking_demo.pdf

• http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack

• http://www.cc.gatech.edu/~traynor/cs8803-f08/slides/lecture13-wep2.pdf

• http://www.rossbuffington.com/WEP_Insecurity.pdf

• http://www.franken.de/uploads/media/WEP-Cracking.pdf

• http://www.quequero.org/How_To_Attack_a_WEP/WPA_Protected_Wireless_Network_(eng)

• http://yawcu.sourceforge.net/documentation.pdf

• http://eprint.iacr.org/2007/471.pdf