Wireless Network Security: WEP And Beyond

1
Wireless Network SecurityWEP And Beyond

• Heidi Parsaye
• Jason DeVries
• Roxanne Ilse

2
Outline

• Wireless networking basics
• Attempts at making wireless networking secure
• Wired Equivalent Privacy
• Why its no longer private
• Brief overview of how to crack
• Beyond WEP WiFi Protected Access (WPA)

3
Wireless Broadband

• How Does Wireless Broadband Work?
• Benefits of Wireless Broadband
• Disadvantage of Wireless Broadband

4
Wireless Network Security

• IEEE 802.11 WI-FI
• Wired Equivalent Privacy (WEP)
• TKIP (Temporal Key Integrity Protocol)
• MAC address filtering
• Wi-Fi Protected Access (WPA and WPA2)

5
Encryption Of WEP Data
6
Decryption Of WEP Data
7
Important Details About WEP Frames

• All 802.11 WEP frames contain a plaintext header
  followed by encrypted data.
• The Initialization Vector is included in the
  plaintext.
• There is no CRC on the plaintext header. We can
  easily spoof the BSSID to get around MAC address
  filtering.
• No attempt is made to hide packet lengths.

8
Important Details About WEP Frames

• The RC4 Initialization Vector must be sent in
  plaintext. The recipient needs to be combine it
  with the secret key to re-create the state array
  used for decryption.

9
The Problem With WEP

• Its actually a problem with RSA RC4 which was
  designed in 1987 by Ron Rivest (the R in RSA).
• In 2001, Scott Fluhrer, Itsik Mantin, and Adi
  Shamir (the S in RSA) discovered that the first
  few bytes of the RC4 data are non-random and leak
  information about the key.

10
The Problem With RC4

• The Secret Key used by KSA is actually the
  Initialization Vector (3 bytes) plus the Secret
  Key (5 or 13 bytes).
• Since we know the first three values, we know the
  output for the first three iterations of KSA.

11
The Problem With RC4

• If we can get the state array, we can now start
  plugging data into PRGA. More specifically, we
  can start running it in reverse to give us a hint
  about the secret key.

12
Another Weakness

• The 3-byte LLC Header is always the same on every
  frame, starting with 0xAA, indicating that SNAP
  is next.
• In fact, with a certain message well cover
  later, we know the values for 16 of the encrypted
  bytes.
• Knowing some of the encrypted plaintext makes the
  job even easier.

13
Getting The Secret Key

• What we really need to see is the exact same
  plaintext message encrypted thousands of times
  using different Initialization Vectors.
• If we get enough unique Initialization Vectors,
  we can crack the secret key.
• But how do we get a WEP network to encrypt and
  transmit the exact same message thousands of
  times?
• The answer Ask the network the same question
  get the same answer thousands of times!

14
We Have Ways Of Making You Talk

• Ok, so what question can we ask the network
  thousands of times and get the same answer?
• Hey network whats my IP address? This is known
  as an ARP request.
• Since we dont have the secret key, we cant
  encrypt our own ARP request.
• That means we need to steal a legitimate ARP
  request from the network. Once we get one, well
  replay it thousands of times. Well force the
  network to talk to us as it replies to these
  requests generating messages for us.

15
ARP Requests

• But if the data is encrypted, how could we find
  and read an ARP request?
• The answer We dont need to read it or decrypt
  its content. We just need to recognize it as
  what we need.
• Two facts about ARP requests help us
• Theyre always the same fixed length. We can
  look for that.
• It will be sent to a broadcast address.
  Remember, the destination MAC address is sent as
  plaintext in the 802.11 header so we can read
  that part.

16
Retransmitting ARP Requests

• Look at the 802.11 frame again. Once we steal a
  legitimate ARP request, theres absolutely
  nothing to keep us from spoofing our BSSID and
  retransmitting the exact same request as many
  times as we want.
• We dont know the values of the encrypted bytes
  were transmitting, but thats ok. We dont
  care.
• We also wont be able to read the ARP reply sent
  by the network. We dont care about the
  contents. The important part is that they are
  the same every time.

17
Recent Work

• In 2005, Andreas Klein extended the 2001 work of
  Fluhrer, Mantin, and Shamir. He found additional
  correlations between the encrypted data and the
  secret key. However, his method still relied on
  educated guesses to compute all bytes of the
  secret key sequentially.
• If while computing the 10th byte it turns out you
  made an incorrect guess on the 4th byte, you have
  to throw out all computations done from the 4th
  byte onward and start again.

18
Recent Work

• In 2007, Erik Tews, Ralf-Philipp Weinmann, and
  Andrei Pyshkin optimized Kleins 2005 attack for
  usage against WEP.
• Most notably, they modified the attack such that
  it is possible to compute the secret key bytes
  independently, instead of sequentially much more
  efficient, less wasted computations.
• Working at 802.11g data rates, they showed they
  could crack 128-bit WEP with just 85,000 packets,
  a success rate of 95... in less than 60 seconds.

19
Using AirCrack
20
Beyond WEP WPA2

• Implements mandatory elements of 802.11i
• Available in personal (SOHO) and enterprise mode
• Uses AES (Advanced Encryption Standards)

21
WPA2 Components

• WPA2 Wi-Fi certified client devices may require
  software/hardware upgrades
• Client supplicant, such as Microsoft or Funk
  Odyssey
• EAP Authentication Types
• WPA2-Enterprise Wi-Fi Certified APs may require
  firmware or hardware upgrade
• Authentication Server (RADIUS)/Database (SQL,
  LDAP or AD)

22
How WPA2 Works

• Initiated when user associates with an AP
• User must authenticate first before AP will allow
  access to network
• Authentication process enabled by IEEE 802.1X/EAP
  framework
• Client authentication server mutually
  authenticate with each other via the AP
• Once authenticated, the authentication server
  client simultaneously generate a Pairwise Master
  Key (PMK)
• 4-way handshake between client and AP to complete
  authentication and establish AES encryption keys
  to encrypt data exchanged between client and AP