WEP and 802.11i
J.W. Pope
5/6/2004
CS 589 – Advanced Topics in Information Security

Papers on WEP
  Borisov, N., I. Goldberg, D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 16-21, 2001, ACM 2001
  Arbaugh, W.A., N. Shankar, Y.C.J. Wan, “Your 802.11 Wireless Network Has No Clothes”, http://www.cs.umd.edu/~waa/wireless.pdf, 2001

What is WEP?
  WEP is “Wired Equivalent Privacy” or “Wireless Encryption Protocol”
  It is the original wireless security protocol for the 802.11 standard.
  It uses the RC4 stream cipher, using a 64-bit key consisting of:
    A 24-bit master key
    A 40-bit initialization vector (IV)
  It also employs a CRC integrity checksum.

Main Points
  Borisov, et al.:
    Keystream reuse
    Key management
    Message authentication
    Shared key authentication
  Arbaugh, et al.:
    Proprietary access control mechanisms
    Shared key authentication

Keystreams
  RC4 is a stream cipher
    The key is used by a pseudo-random number generator (PRNG) to generate a keystream
  The keystream is XOR’ed with the plaintext and checksum to produce the ciphertext.
  Whenever the same IV is used with the same master key, the keystream will be the same as well.

Keystream Reuse
  IVs are transmitted in the clear!
  Master keys are unlikely to be changed due to key management issues (more on this later…)
  24 bits of IV are not sufficient to avoid collisions
    If IVs are assigned randomly, collisions can be expected after 5000 packets.
    If IVs are assigned sequentially, collisions are inevitable if cards are re-initialized.

Recovering Plaintext
  Plaintexts can often be disentangled from each other.
  If not, it is easy to get a known plaintext
    Send an e-mail to a user on a wireless device, then sniff for it!
  Decryption dictionaries can be built

Key Management
  WEP does not include any key management protocols!
  Master keys could be one of four globally shared keys
  They could also be stored in an array specifying a separate key for each device (not widely used)
  Key must be updated manually
    Often, one key is relied on

Message Authentication
  Message modification:
    The checksum can be modified to reflect any changes in the ciphertext
  Message injection:
    Any attacker who derives the plaintext also derives the keystream!
  Message rerouting:
    The server authenticates the client, but not vice versa.
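
The message-modification point above, as an added example that is not part of the original slides: CRC-32 is linear under XOR, so an edit to the ciphertext can be matched by a predictable edit to the encrypted checksum, while a keyed integrity check of the kind WPA adds rejects the same edit. The keystream, messages and MAC key are constructed, and truncated HMAC-SHA-256 stands in for a keyed MIC (TKIP's own MIC algorithm is Michael).

```python
import hashlib
import hmac
import zlib

def icv(data: bytes) -> bytes:
    """WEP-style integrity check value: CRC-32 of the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for the RC4 keystream of one (IV, key) pair; the
# result holds for any cipher that XORs a keystream onto the data.
KEYSTREAM = hashlib.shake_256(b"constructed keystream").digest(64)
MAC_KEY = b"constructed-integrity-key"

def seal_crc(msg: bytes) -> bytes:
    return xor(msg + icv(msg), KEYSTREAM)

def open_crc(ct: bytes):
    body = xor(ct, KEYSTREAM)
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def seal_mac(msg: bytes) -> bytes:
    tag = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:8]
    return xor(msg + tag, KEYSTREAM)

def open_mac(ct: bytes):
    body = xor(ct, KEYSTREAM)
    good = hmac.new(MAC_KEY, body[:-8], hashlib.sha256).digest()[:8]
    return body[:-8] if hmac.compare_digest(good, body[-8:]) else None

def flip(ct: bytes, delta: bytes, tag_len: int) -> bytes:
    """Edit a ciphertext without any key: XOR delta onto the data and
    crc(delta) ^ crc(zeros) onto the first four bytes of the trailing tag."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + fix.ljust(tag_len, b"\0"))

def demo():
    msg, target = b"setpoint=0100", b"setpoint=9100"   # constructed
    delta = xor(msg, target)
    crc_result = open_crc(flip(seal_crc(msg), delta, 4))   # accepted as target
    mac_result = open_mac(flip(seal_mac(msg), delta, 8))   # rejected: None
    return crc_result, mac_result

if __name__ == "__main__":
    print(demo())
```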

User Authentication
  WEP uses a “Shared Key Authentication” protocol to authenticate stations
    Initiator requests shared key authentication
    Responder sends initiator random challenge text
    Initiator sends responder encrypted challenge text
    Responder signals successful completion of protocol
  This is supposed to prove that the initiator knows the correct key
  However, if a keystream is known, no key is necessary, so anybody can authenticate!
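
A small model of the Keystreams, Keystream Reuse, Recovering Plaintext and User Authentication slides, added here and not part of the original deck: it shows why a repeated IV exposes plaintext and why a correct challenge response does not prove knowledge of the key. It assumes the WEP layout of a 24-bit IV prepended to the shared secret; KEY, IV, the messages and the challenge texts are constructed.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(data: bytes) -> bytes:
    return data + zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, data: bytes) -> bytes:
    """Frame body: RC4(IV || key) XOR (data || CRC-32)."""
    body = with_icv(data)
    return xor(body, rc4(iv + key, len(body)))

def wep_open(iv: bytes, key: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    return body[:-4] if with_icv(body[:-4]) == body else None  # None: bad checksum

KEY = bytes.fromhex("0102030405")   # constructed 40-bit shared secret
IV = bytes.fromhex("a1b2c3")        # constructed 24-bit IV, visible on the air

def reuse_demo():
    """Two frames under one IV: an observer who knows p1 reads p2."""
    p1 = b"mail the observer sent to a user"
    p2 = b"a reply meant to be confidential"
    c1, c2 = wep_seal(IV, KEY, p1), wep_seal(IV, KEY, p2)
    keystream = xor(c1, with_icv(p1))          # no key involved
    return xor(c1, c2)[:len(p1)] == xor(p1, p2), xor(c2, keystream)[:len(p2)]

def auth_demo():
    """One observed challenge/response answers every later challenge."""
    seen = bytes(range(128))                   # constructed challenge text
    keystream = xor(wep_seal(IV, KEY, seen), with_icv(seen))
    fresh = bytes(reversed(range(128)))        # the next challenge
    forged = xor(with_icv(fresh), keystream)   # built without KEY
    return wep_open(IV, KEY, forged) == fresh
```

Both results depend only on the IV repeating under an unchanged key, which is why the per-frame keys and frame counter listed on the WPA slide matter more than key length.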

Proprietary Access Control Mechanisms
  Lucent closed networks: use SSID as shared secret
  Other vendors use MAC addresses
  Both appear in various management frames in the clear, which is not good if they’re supposed to be secret!
  Vendor key management solutions are unknown, but do not appear to be very good.

Problems with RC4
  It has been known for a while that RC4 has weak keys
    1 out of every 256
    These keys can be avoided
  It was discovered recently that it is easy to decrypt RC4 ciphertext if part of the key is known.
    Since WEP IVs are transmitted in the clear, that means…

Who Weeps for WEP?
  R.I.P. WEP

Now What?
  IEEE is working on 802.11i to address these issues, and it should be completed shortly.
  In the meantime, the Wi-Fi Alliance has released WPA (Wi-Fi Protected Access)
    Intended as a stopgap measure
  Eventually, RSN (Robust Secure Networks) will be released as part of 802.11i

WPA
  Uses TKIP (Temporal Key Integrity Protocol) for cryptography and authentication
    Still uses RC4
    Several WEP flaws have been corrected, but not permanently
    Key management is improved
  Uses 802.1x (EAP) for authentication
  Adds MIC (Message integrity check) and frame counter
  Two modes: PSK and Enterprise
    PSK (Pre-Shared Key) suffers from similar key-management difficulties to WEP
    Enterprise Mode requires a RADIUS server

RSN
  Uses CCMP for cryptography
    Based on CCM mode of AES
    TKIP also supported if necessary
  Uses 802.1x for authentication and key management

Boeing: A Case Study
  Two Boeing employees evaluated WPA
    Good points
    Bad points
  What they’d like to see from RSN
  How they intend to proceed

Boeing: Before
  Wireless network was untrusted
    Outside firewall, VPN used to tunnel in
    Extra layers of encryption and authentication required
    Application security required
  No ad-hoc networks allowed
  WEP used
    What else is there?
  VPNs unsatisfactory
    Limited availability of software, frequent restarts

Boeing: Trying out WPA
  Bouquets:
    Supports 802.1x and PEAP
    Only software update required for APs and RADIUS server
  Brickbats:
    No VLAN support (this was later fixed)
    Only works with Windows 2000 SP3+ and XP
    Boeing’s own certificates often incompatible
    Configuring APs and RADIUS server difficult

Boeing: State of the System
  Wireless devices range from laptops to palm devices to barcode scanners to sensors
  Network architecture very fluid
  Assumption of one user per computer not valid
  Many devices are difficult to configure

Boeing: What They Want
  Usable, secure, and affordable systems (in that order)
  Software upgrades as opposed to hardware upgrades
  Lots of authentication for users as well as devices
  Secure ad-hoc, and networks that can switch easily between ad-hoc and infrastructure

Boeing: Getting There from Here
  Likely that three virtual LANs will be running simultaneously:
    The original WEP/VPN
    The just-implemented WPA
    An eventual RSN
  Devices will be upgraded to RSN as needed, other two VLANs will shrink through attrition

Sources
  Main Papers:
    Arbaugh, W.A., N. Shankar, Y.C.J. Wan, “Your 802.11 Wireless Network Has No Clothes”, http://www.cs.umd.edu/~waa/wireless.pdf, 2001
    Borisov, N., I. Goldberg, D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 16-21, 2001, ACM 2001
  PowerPoint Presentations:
    Whitlock, S., P. Dodd, “802.11i: The User Perspective”, NIST WLAN Security Meeting, December 4-5, 2002
    Dubrawsky, I., E. Vance, “Securing Wireless LANs”, Cisco Systems, 2002
  Other sources:
    Walker, J.R., “Unsafe at Any Key Size: An Analysis of the WEP Encapsulation”, IEEE Document 802.11-00/362, Oct. 2000
    http://www.geek-faq.com