An Examination of Security Algorithm Flaws in Wireless Networks

1
An Examination of Security Algorithm Flaws in
Wireless Networks

• Mehmet Ucal
• Faculty Mentor Dr. Sennur Ulukus
• Other Mentors Shabnam Shafiee, Nick Petroni, Jr.

2
Introduction

• Wireless Local Area Networks (WLANs)
• Data sharing without the need to connect to a
  common wire line network
• IEEE 802.11 High Rate Standard (IEEE 802.11b)
• Dominated wireless data-networking
• Operates within the 2.4GHz radio spectrum
• Data rate capabilities from 1Mbps to 11Mbps
• Utilizes the Wired Equivalent Privacy (WEP)
  protocol
• Other notable wireless standards HomeRF,
  Bluetooth

3
WEP

• Protects wireless data transmissions
• Security goals
• Data Confidentiality Prevent eavesdropping
• Access Control Control network access
• Data Integrity Prevent message modification
• All of these security goals are compromised
• Uses an encryption algorithm called Rons Code 4
  (RC4)

4
WEP Encryption/Decryption Block Diagram
Receiver (decryptor)
Sender (encryptor)
Sender (encryptor)
5
RC4 Algorithm

• Developed by RSA labs
• Symmetric Same key is used in encryption and
  decryption
• Synchronous Key stream is generated separately
  from the plaintext
• Stream Cipher Data is encrypted one byte at a
  time
• Two algorithm elements
• Key Scheduling Algorithm (KSA)
• Pseudo Random Generation Algorithm (PRGA)

6
RC4 Algorithm

• KSA Generates a random 256-value state array S,
  based on the secret key, K (length l)
• PRGA Outputs a streaming key based on the KSA
  array S

KSA(K) Initialization For i0255
Sii j0 Scrambling For i0255
jjSiKi mod l
Swap(Si, Sj)
PRGA(K) Initialization i0
j0 Generation Loop For i0255 ii1
jjSi Swap(Si, Sj)
Output z SSiSj
7
WEP Implementation Problems

• No key management protocol in WEP
• IV incrementation unregulated
• Manually entered shared key
• Stream vs. Block cipher
• Harder to secure a stream cipher
• RC4 used in software but this is a wireless
  environment
• Data modification without the knowledge of the
  receiver
• Poor implementation of CRC-32 algorithm
• Possible for an attacker to flip selected bits of
  the message, and still have the message pass the
  ICV test
• Possible to change the destination addresses
• One way authentication verification
• Rogue APs

8
WEP Problems (Cont.)

• IV Reuse
• IVs are only 24 bits, or 3 bytes long, so there
  are only 224 unique IVs.
• Collisions occur when an IV is used more than
  once and so the same RC4 key stream is used to
  encrypt the data.
• c1 p1 ? k
• c2 p2 ? k
• c1 ? c2 (p1 ? k) ? (p2 ? k) p1 ? p2
• This seemingly large IV space can be depleted
  quickly. On average reuse occurs after

9
WEP Problems (Cont.)

• IV Reuse
• An example in binary
• 01011010101 Plaintext 1
• 10111110000 XOR Keystream
• 11100100101 ciphertext 1
•  
•  11100101010 Plaintext 2
• 10111110000 XOR Keystream
• 01011011010 ciphtertext 2
•  
• 11100100101 ciphertext 1
• 01011011010 XOR ciphtertext 2
• 10111111111 result of ciphertexts
•  
• 10111111111 result
• 01011010101 XOR Plaintext 1
• 11100101010 plaintext 2

10
WEP Problems (Cont.)

• Weak IVs
• Weak IVs have the form (B3, 255, X), where B is
  the index of the shared key byte and X can be any
  number.
• When a weak IV is used, it is possible to recover
  the input of the RC4 (IV Shared Key), knowing
  its first bytes output.
• Knowing plaintext before it is encrypted allows
  people to exploit the weak IVs and gain knowledge
  of the shared key. The SNAP encapsulation header
  0xAA is widely known and is almost always the
  first plaintext byte encrypted.
• There are 9000 known weak IVs and 2000-3000 are
  needed to crack a 104-bit shared key, which takes
  a minimum of 1 million packets.

11
Simulated Attack

• Available programs
• WEPCrack
• AirSnort
• Infrastructure mode
• Client A
• Sends data packets to AP using
• 40-bit WEP encryption
• Ping floods the AP
• Shared key-AABBCCDDEE
• SSID-mysterynet
• Client B
• Attacker using AirSnort

12
Simulation Result
13
Possible Improvements to WEP

• Weak IVs can be filtered out
• Hash IV and shared key combination before sending
  through RC4
• A hashing algorithm takes a variable length data
  message and creates a fixed size message digest
• A good hashing algorithm MD-5
• Discard first 256 outputs of RC4 algorithm to
  reduce correlation between input and output
• Use longer IV space
• Have additional protection
• Firewalls
• Virtual Private Networks (VPNs)
• These precautions only mitigate the problems,
  successful attacks against WEP are inevitable!

14
Patches/Upgrades for WEP

• 802.1X
• Uses Extensible Authentication Protocol (EAP) to
  handle authentication requests
• Mutual authentication accomplished through a
  server on
• network, behind the access point
• Provides dynamically varying encryption keys
• Re-authentication and new encryption key
  generation
• No full network connection until successful
  authentication
• Stronger encryption and data integrity
• Only cover the authentication deficiencies

15
Patches/Upgrades for WEP

• Temporary Key Integrity Protocol (TKIP)
• Backwards compatible with WEP
• Uses longer IV (48 bits) reduces IV repetition
• IV sent encrypted
• The temporal keys are dynamically changed
• Since each packet uses a different IV value, the
  key stream is different for each packet
• Adds sender MAC address, 48-bit IV, and 128-bit
  temporal key to create a unique key for each
  packet
• Message Integrity Check (MIC) replaces CRC-32
  algorithm
• Uses a HMAC function A hashing function with a
  symmetric key
• Input is a 64-bit key and produces a 64-bit output

16
Permanent Replacements for WEP

• Wi-Fi Protected Access (WPA)
• Based on a subset of the IEEE802.11i
• Combines TKIP encryption scheme with 802.1X/EAP
• authentication
• Compatible with WEP enabled systems
• Uses Michael Message Integrity Check (MMIC)
• Advanced Encryption Standard (AES)
• Uses a mathematical algorithm called Rijndael
  instead of RC4
• Various key size choices (128-, 192-, or
  256-bits)
• Not compatible with 802.11a, b, and g standards
• Long processing time

17
Permanent Replacements for WEP

• 802.11i (WPA2)
• Ratified on June 2004
• IEEE 802.11i is backwards compatible with WPA
• Requires AES support but backwards compatible
  with legacy devices
• Endorses TKIP encryption over WEP
• Uses 802.1X/EAP authentication
• Utilizes Counter mode with CBC-MAC Protocol
  (CCMP), which uses AES instead of RC4 algorithm
• Major hardware upgrade is needed
• WPA eases this transition

18
Conclusion

• WEP, as implemented in 802.11b standard, is
  susceptible to attacks
• Some other means of protection is needed to
  provide a more secure wireless computing
  environment
• Increasing IV space does not prevent attack
  only prolongs it
• Businesses must weigh the benefits of the
  enhanced security that IEEE802.11i offers against
  the cost of the new equipment