Security of Wireless LAN

2001. 9. 20
Seongtaek Chee (NSRI)


Contents

• Introduction
• WEP
• 802.11 Security
• What’s Wrong
• Solutions
• Conclusions

Introduction

• IEEE 802.11 standard
  - Wired Equivalent Privacy (WEP)
  - Goal: data privacy to the level of wired network
  - Use of 40-bit RC4 for encryption mechanism
• Attack against WEP
  - Researchers at Univ. of California at Berkeley published a document “security flaws in the 802.11 security protocol”
  - Main weakness: use of static WEP keys shared among users

Wireless LAN

[Figure labels: Mobile Station, Mobile Station, Access Point, Ethernet, WEP, (wireless network infrastructure)]

Security Goal

• Confidentiality: the fundamental goal of WEP is to prevent casual eavesdropping
• Access control: to protect access to a wireless network infrastructure*
• Data integrity: to prevent tampering with transmitted messages**

* 802.11 standard includes an optional feature to discard all packets that are not properly encrypted using WEP, and manufacturers advertise the ability of WEP to provide access control

** the integrity checksum field is included for this purpose

WEP Encryption

[Figure: IV (24-bit) and K (40-bit) are the inputs to RC4; Plain-text in, Cipher-text out]

$$C = P \oplus \mathrm{RC4}(IV, K)$$

Encrypted WEP Frame

[Figure: Plain-text = Message and CRC; Keystream = RC4(IV, K); Transmitted Data = IV and Cipher-text]

WEP Encryption & Decryption

$A \to B$ : $IV$, $C = (P \oplus \mathrm{RC4}(IV, K))$, where $P = (M, c(M))$

B : 1) $P' = C \oplus \mathrm{RC4}(IV, K) = (P \oplus \mathrm{RC4}(IV, K)) \oplus \mathrm{RC4}(IV, K) = P$

    2) Verifies the checksum on $P'$

WEP Encapsulation Summary

• Encryption Algorithm = RC4
• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
• WEP allows IV to be reused with any frame
• Data integrity provided by CRC-32 of the plaintext data (the “ICV”, integrity check value)
• Data and ICV are encrypted under the per-packet encryption key

WEP Authentication

[Figure: STA and AP hold a shared secret distributed out of band. AP to STA: Challenge (Nonce). STA to AP: Response (Nonce RC4 encrypted under shared key). AP: Decrypted nonce OK?]

802.11 Authentication Summary:

• Authentication key distributed out-of-band

• Access Point generates a “randomly generated” challenge

• Station encrypts challenge using pre-shared secret

Properties of Stream Cipher

What happens when plaintexts $P_1$ and $P_2$ are encrypted using the same key K?

$$C_{1,i} = P_{1,i} \oplus kss_i, \qquad C_{2,i} = P_{2,i} \oplus kss_i$$

$$C_{1,i} \oplus C_{2,i} = (P_{1,i} \oplus kss_i) \oplus (P_{2,i} \oplus kss_i) = P_{1,i} \oplus P_{2,i}$$

It is a very bad idea to encrypt any two plaintexts using the same keystream output by a stream cipher

Keystream reuse

• Key is fixed shared secret, that changes rarely if ever
• In fact, in many setups, every user shares the same key
• So the keystream depends only on IV
• If two packets ever get transmitted with the same IV, you reuse the keystream value, which is bad
• Since IV gets transmitted in the clear for each packet, the adversary can even easily tell when a value of IV is reused (a “collision”)

Attack – Confidentiality(1)

1) Attacker obtains two cipher texts $C_1$ and $C_2$

2) $C_1 \oplus C_2 = P_1 \oplus P_2$

3) Using the redundancy of plaintexts, he can know (partial) $P_1$ and $P_2$

This is really easy if he knows the plaintext, because, for example, he sent it to you, say via pings, or spam email.

If he knows one plaintext, he can recover all the other plaintexts.

Attack – Confidentiality(2)

• Note that he does not learn the value of the shared secret K

Solutions

• Use of different IV per packet
  - Some PCMCIA cards reset the IV to 0 each time they were re-initialized, and then incremented the IV by one for each packet transmitted.
  - These cards re-initialized themselves each time they are inserted into the laptop, which can be expected to happen fairly frequently.
  - Consequently, keystreams corresponding to low-valued IVs were likely to be reused many times during the lifetime of the key.
• Increase the size of IV
  - 24 bits is too small (Note that if the speed is 11Mbps
  - The probability of collision is 99% after 12,430 frames, or in 2 to 3 seconds of normal traffic at 11Mbps.
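
The two IV-reuse observations above can be checked numerically. The following Python is an added example, not part of the original slides: it computes the birthday collision probability for a 24-bit IV, assuming IVs are drawn uniformly at random (an assumption; the slide does not say how its 12,430-frame figure was derived), and audits a constructed capture from a card that restarts its IV counter at 0 on every re-initialization. Function names and session sizes are illustrative.

```python
import math
from collections import Counter

IV_SPACE = 2 ** 24                      # WEP IV is 24 bits

def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """P(at least two of `frames` uniformly random IVs are equal)."""
    if frames > space:
        return 1.0
    log_all_distinct = sum(math.log1p(-i / space) for i in range(frames))
    return -math.expm1(log_all_distinct)

def frames_until(prob: float, space: int = IV_SPACE) -> int:
    """Smallest frame count whose collision probability reaches `prob`."""
    log_all_distinct, n = 0.0, 0
    while -math.expm1(log_all_distinct) < prob:
        log_all_distinct += math.log1p(-n / space)
        n += 1
    return n

def counter_card_ivs(frames_per_session):
    """IVs sent by a card that restarts at IV 0 on every re-initialization
    and adds one per frame (the PCMCIA behaviour described above)."""
    for count in frames_per_session:
        yield from (iv.to_bytes(3, "big") for iv in range(count))

def reused_ivs(ivs):
    """Audit a capture taken under one key: IV -> number of frames using it."""
    return {iv: n for iv, n in Counter(ivs).items() if n > 1}

# Constructed example: three insertions of the card, 500/200/50 frames each.
CAPTURE = list(counter_card_ivs([500, 200, 50]))
REPORT = reused_ivs(CAPTURE)            # every low-valued IV shows up again
```

Any IV listed in REPORT marks frames that were encrypted with the same keystream under the fixed key, which is the condition the preceding slides describe.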

Attack – Message modification(1)

1) Attacker intercepts a ciphertext C before it could reach its destination: $A \to (B) : (IV, C)$

2) Assume that C corresponds to some unknown message M, so that $C = \mathrm{RC4}(IV, K) \oplus (M, c(M))$

3) Claim: it is possible to find a new ciphertext $C'$ that decrypts to $M'$, where $M' = M \oplus \Delta$ and $\Delta$ may be chosen arbitrarily by the attacker.

4) Then we will be able to replace the original transmission with our new ciphertext by spoofing the source, $(A) \to B : (IV, C')$, and upon decryption, the recipient B will obtain the modified message $M'$ with the correct checksum.

Attack – Message modification(2)

5) How to obtain $C'$ from C so that $C'$ decrypts to $M'$ instead of M.

$$\begin{aligned}
C' &= C \oplus (\Delta, c(\Delta)) \\
   &= \mathrm{RC4}(IV, K) \oplus (M, c(M)) \oplus (\Delta, c(\Delta)) \\
   &= \mathrm{RC4}(IV, K) \oplus (M \oplus \Delta, c(M) \oplus c(\Delta)) \\
   &= \mathrm{RC4}(IV, K) \oplus (M', c(M \oplus \Delta)) \qquad \text{(CRC is linear)} \\
   &= \mathrm{RC4}(IV, K) \oplus (M', c(M'))
\end{aligned}$$

Note that this attack can be applied without full knowledge of M: the attacker only needs to know the original ciphertext C and the desired plaintext difference $\Delta$ in order to calculate $C' = C \oplus (\Delta, c(\Delta))$.

Attack – Message Injection(1)

We can inject a fake message F of the adversary’s choice into the wireless net so that it will be accepted by a receiver as genuine

1) The adversary just needs to know a single plaintext, and its corresponding encrypted packet (ping or spam can provide this easily)

2) The encrypted packet is (IV, C), and the plain text is (M, c(M)), so the adversary can compute the keystream $\mathrm{RC4}(IV, K) = C \oplus (M, c(M))$

3) Now he can take his fake message F, compute c(F), and compute $C' = (F, c(F)) \oplus \mathrm{RC4}(IV, K)$.

4) Then he transmits $(IV, C')$

Attack – Message Injection(2)

• The receiver
  - $C' = (F, c(F)) \oplus \mathrm{RC4}(IV, K)$
  - $C'$ is a correct encryption of the message F, so he has to accept it
  - The adversary has succeeded
• Solution
  - CRC does not depend on the key
  - MAC (keyed hash function) must be used
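
The modification argument on the two "Message modification" slides and the fix named above (a keyed MAC in place of the CRC) can be reproduced on constructed data. This Python is an added example, not code from the slides: it builds a WEP-style frame, applies C' = C xor (delta, c(delta)), and shows the CRC check still passing while an HMAC-SHA256 tag rejects the same change. HMAC-SHA256 is this example's choice of MAC, and the key, IV and messages are constructed; note that zlib's CRC-32 is affine rather than strictly linear, so the checksum mask carries one extra constant term.

```python
import hashlib, hmac, struct, zlib

def rc4(key: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream; WEP uses key = IV || K."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                            # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:                       # c(M), 4 bytes
    return struct.pack("<I", zlib.crc32(m))

def hmac_tag(key: bytes, iv: bytes, m: bytes) -> bytes:
    return hmac.new(key, iv + m, hashlib.sha256).digest()

def seal(iv, k, m, mac_key=None):
    """C = (M, check) xor RC4(IV, K); check is CRC-32, or HMAC if mac_key."""
    check = hmac_tag(mac_key, iv, m) if mac_key else crc(m)
    return xor(m + check, rc4(iv + k, len(m) + len(check)))

def open_frame(iv, k, c, mac_key=None):           # M if check verifies, else None
    n = 32 if mac_key else 4
    p = xor(c, rc4(iv + k, len(c)))
    m, check = p[:-n], p[-n:]
    good = hmac_tag(mac_key, iv, m) if mac_key else crc(m)
    return m if hmac.compare_digest(check, good) else None

def modify(c: bytes, delta: bytes) -> bytes:
    """C' = C xor (delta, c(delta)), computed without K. zlib's CRC-32 is
    affine, so the checksum mask is c(delta) xor c(all-zero message)."""
    mask = delta + xor(crc(delta), crc(bytes(len(delta))))
    return xor(c, mask.ljust(len(c), b"\0"))

# Constructed sample values (not from the slides).
IV, K, MAC_KEY = b"\x00\x00\x2a", b"\x0b\x16\x21\x2c\x37", b"constructed-mac-key"
M, M_NEW = b"temp=21C;fan=off", b"temp=99C;fan=off"
DELTA = xor(M, M_NEW)                             # chosen plaintext difference
CRC_RESULT = open_frame(IV, K, modify(seal(IV, K, M), DELTA))
MAC_RESULT = open_frame(IV, K, modify(seal(IV, K, M, MAC_KEY), DELTA), MAC_KEY)
```

CRC_RESULT is the altered message, accepted with a valid checksum; MAC_RESULT is None because the tag cannot be adjusted without the MAC key.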

Attack – Authentication(1)

• Authentication: client to AP
  - AP → M: send a challenge string R (128-bit) to the client
  - M → AP: WEP-encrypted ciphertext ($\mathrm{RC4}(IV, K) \oplus R$)
  - AP: checks if the challenge is correctly encrypted, and if so, accepts the client
  - Goal: verify that a client joining the network really knows the shared secret key K
• So the adversary has now just seen both the plaintext and the ciphertext of the challenge
• This is enough not only to inject packets (as in the previous attack), but to execute the authentication protocol himself.

Attack – Authentication(2)

• Once the adversary obtains a single challenge/response pair for a given key K, he can extract IV and RC4(IV, K)
• Now attacker tries to connect to the network

1) The AP sends a challenge string $M'$ to the adversary

2) The adversary replies with $IV$, $(M', c(M')) \oplus \mathrm{RC4}(IV, K)$

3) This is in fact the correct response, so the AP accepts the adversary

4) The adversary has succeeded even though he never did learn the value of K

Solution: Use challenge-response protocol using block cipher

How to make secure WEP

• RC4 → 128-bit block cipher
• Precise descriptions
  - Setup procedure of Key
  - Generation method of IV
  - Detail of “mode of operation”
• Never reuse IV (if K is fixed)
• Size of IV > 56 bit(??)
• CRC → MAC
• Challenge-response Authentication protocol based on block cipher

Conclusion

• WEP is totally insecure
  - Confidentiality X
  - Access control X
  - Data integrity X
• No matter if you’re using 40-bit keys or 104-bit keys (or IV)
• CRC is useless against malicious errors (CRC detects random bit error in transmission)
• It is quite difficult to adopt Stream cipher for the purpose of “message integrity” or “user authentication”
• What about Bluetooth?