The Ultimate Break of WEP

1
The Ultimate Break of WEP
  • Recovering the Secret Key through a Passive
    Attack
  • David Düblin, Ramun Berger
  • May 2003

2
Talk Overview
  • Introduction
  • WEP
  • Fluhrer, Mantin, Shamir Attack
  • RC4 Review
  • Implementation of Attack
  • Demonstration

3
Corporate Network
?
4
WEP
  • Overview
  • Encryption
  • Decryption
  • Insecurities

5
WEP Overview
  • Wired Equivalent Privacy protocol (WEP)
  • WEP is the link-layer security protocol commonly
    used for 802.11 (wireless data transmissions),
    BUT it is disabled by default!
  • Security goals
    - Prevent eavesdropping: privacy
    - Prevent message modification: integrity
    - Control network access: access control
  • Only protects the wireless link
    - not an end-to-end solution

6
WEP Overview
  • WEP uses RC4 cipher and relies on a (40-bit or
    104-bit) secret key and (24-bit) initialisation
    vector IV
  • Current WEP standard fails to specify how to
    choose IV
  • 3 Modes of IV Selection
    - incremental (counter)
    - random selection
    - value flipping

7
Key Entry Example
8
WEP Encryption
  • ICV: Integrity Check Value (CRC-32)
  • IV: Initialisation Vector (plaintext), 24 bit
  • key: Pre-shared Key, 40 or 104 bit
  • ⊕: XOR
  • C = P ⊕ RC4(IV,key)
  • WEP packet: IV prepended to C
9
WEP Decryption
  • P = C ⊕ RC4(v,k) = (P ⊕ RC4(v,k)) ⊕ RC4(v,k)
    = P
  • ICV recomputed and compared against original
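
The encryption and decryption steps of the two slides above, written out as an added Python example (it is not part of the presentation). It assumes the per-packet RC4 key is the IV followed by the pre-shared key and that the ICV is appended little-endian; the key-ID octet of a real 802.11 frame is left out, and all sample values are constructed.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n keystream bytes (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # PRGA
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """CRC-32 of the plaintext, little-endian (assumed byte order)."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """C = (P || ICV) xor RC4(IV || key); the frame is IV || C."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bit, key 40 or 104 bit")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strip the cleartext IV, decrypt, recompute and compare the ICV."""
    iv, cipher = frame[:3], frame[3:]
    body = xor(cipher, rc4(iv + key, len(cipher)))
    plaintext, received = body[:-4], body[-4:]
    if icv(plaintext) != received:
        raise ValueError("ICV mismatch")
    return plaintext

# Constructed sample: 802.2 SNAP header (first byte 0xAA) plus a dummy payload.
SAMPLE = bytes.fromhex("aaaa030000000800") + b"constructed payload"
KEY = b"\x01\x02\x03\x04\x05"                     # constructed 40-bit key
FRAME = wep_encrypt(b"\x00\x00\x01", KEY, SAMPLE)
```

The IV travels in the clear at the front of `FRAME`, so every receiver and every observer sees which RC4 key prefix was used for the packet.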

10
WEP Insecurities
  • WEP is vulnerable to a number of attacks (refer
    to last week's talk on Wireless LAN Security and
    see Appendix)
  • The Fluhrer, Mantin, Shamir Attack compromises
    WEP entirely by recovering the private key by
    passive means

11
Fluhrer, Mantin, Shamir Attack
  • WEP protects packets with RC4, which occasionally
    produces ciphers that are cryptographically weak.
  • These weak (resolved) packets can be identified
    by their unencrypted initialisation vectors.
  • Resolved packets can leak information about the
    subsequent byte of the current key.

12
RC4
  • Key Scheduling Algorithm (KSA)
  • Pseudo-Random Generation Algorithm (PRGA)
  • Resolved Case
  • Weakness

13
RC4 Overview KSA(K)
14
RC4 Overview PRGA(S)
15
RC4 Resolved Case
The output word depends only on 3 specific
permutation elements.
If the KSA reaches a stage i where X = S_i[1] and
X + Y = S_i[1] + S_i[S_i[1]], then with Pr > 0.05, the
value Z = S[S[1] + S[S[1]]] will be output as the
first word of the PRGA → resolved case.
16
RC4 Resolved Case
Output of PRGA in round 1
→ S[S[1] + S[S[1]]] = S[0 + 3] = S[3] = 5
So the packet P = byte1 XOR 5 is sent.
BUT we know byte1 → we know S[3]; as we know
every byte up to K[2], we can determine K[3] by
recurrence!
17
RC4 Weakness
  • We must correctly guess each key byte before any
    packet gives us information about a later key
    byte.
  • First word of plaintext is often an easily
    guessed word (in WEP: known).
  • We have a 5% chance of correctly guessing the
    next key byte.
  • This makes the attack statistical in nature.

18
Fluhrer, Mantin, Shamir Attack
  • To bias the probabilistic guessing toward the
    right key, many encrypted packets are needed (5
    million).
  • Specifically, unique initialisation vectors are
    needed (2 thousand)
  • Theoretical description of attack only (no
    implementation)

19
Implementation
  • Goals
  • Preparation
  • Mounting
  • Improvements
  • Discussion
  • Demonstration

20
Implementation of Attack
  • by A. Stubblefield, J. Ioannidis, A.D. Rubin
    (August 2001)
  • Goals
  • Show that attack works in real-world
  • Verify how cheap and easy it is
  • Find improvements

21
Preparation of attack
  • Simulation of RC4 attack
  • Capturing WEP encrypted packets
    - Using normal wireless card
    - Linux driver and patch
    - Modified version of ethereal
    - Not that easy

22
Mounting the attack
  • Determine the true value of the first plaintext
    byte of each packet
    - Well known (0xAA) thanks to 802.2 encapsulation
      header (identical for ARP and IP traffic)
  • Collect a large number of packets
    - Found that IV is simply incremented (counter mode)
    - 5 mio packets: few hours on a partially loaded
      network

23
Key Recovery Algorithm
RecoverWEPKey()
  Key[0...KeySize] = 0
  for KeyByte = 0...KeySize
    Counts[0...255] = 0
    foreach packet → P
      if P.IV ∈ {(KeyByte+3, 0xFF, N) | N ∈ 0x00...0xFF}
        Counts[SimulateResolved(P, Key)] += 1
    Key[KeyByte] = IndexOfMaximumElement(Counts)
  return Key
24
Improvements
  • WEP keys have to be entered manually → human
    memorable pass phrase → ASCII (7 bits only)
    reduces key space
  • Improvements resulted in a drop of number of
    required packets from around 5 Mio to around 1
    Mio

25
Discussion - IV selection
  • Value flipping mode: not vulnerable to this
    attack, but same key is used every other packet!
  • Other modes vulnerable
  • Only solution: testing IV before sending to see
    if resolved case → extra processing → decreases
    IV space (24 bit already small)
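
A sender-side sketch of the "test the IV before sending" idea, added here as a Python example that is not from the presentation. It filters only the IV class named in the key recovery algorithm, (KeyByte+3, 0xFF, N); the function names, the big-endian counter layout and the sample capture are assumptions made for the illustration.

```python
from itertools import islice

IV_SPACE = 1 << 24                      # 24-bit IV

def is_weak_iv(iv: bytes, key_len: int) -> bool:
    """True for IVs of the form (KeyByte+3, 0xFF, N), KeyByte in 0..key_len-1."""
    return len(iv) == 3 and iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len

def iv_counter(start: int, key_len: int):
    """Incremental IV selection that tests each IV and skips the weak form."""
    n = start % IV_SPACE
    while True:
        iv = n.to_bytes(3, "big")       # byte order is an assumption
        n = (n + 1) % IV_SPACE
        if not is_weak_iv(iv, key_len):
            yield iv

def excluded_ivs(key_len: int) -> int:
    """Number of IVs the filter removes from the 2**24 space."""
    return 256 * key_len

def audit_capture(ivs, key_len: int) -> dict:
    """Summarise IVs seen from one sender: reuse and weak-form counts."""
    distinct = set(ivs)
    return {
        "packets": len(ivs),
        "distinct": len(distinct),
        "reused": len(ivs) - len(distinct),
        "weak": sum(is_weak_iv(iv, key_len) for iv in ivs),
    }

# Constructed capture: an unfiltered counter crossing the (3, 0xFF, N) block,
# and the same number of IVs from the filtering counter (104-bit key).
UNFILTERED = [n.to_bytes(3, "big") for n in range(0x03FEFE, 0x040002)]
FILTERED = list(islice(iv_counter(0x03FEFE, 13), len(UNFILTERED)))
```

For a 104-bit key the filter gives up 3328 of the 16,777,216 IVs, and `audit_capture` run over IVs observed from an access point shows whether it still emits the weak form or repeats IVs.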

26
Discussion - Key selection
  • No key management results → human memorable pass
    phrase → very low frequency of change
  • Currently pass phrase mapped directly to key
    (ASCII only)
  • Hashing would make attack slightly more
    complicated

27
Discussion - Key selection
  • Cisco's LEAP protocol allows per user and per
    session key
  • Prevents attack only if session is short
  • → Suggestion: rekeying after approx. 10000
    packets

28
Discussion - RC4
  • RC4
    - Efficient stream cipher
    - When used correctly → good security
  • In case of WEP
    - Protocol designers: insufficient knowledge in
      security → incorrect implementation → insecure

29
Conclusions
  • Attack implemented with off the shelf hardware
    and software in a few days
  • WEP is insecure and does not add security to the
    wireless link layer
  • Place Access Points outside firewall
  • Use higher-level security mechanisms → VPN (EPFL)
  • Tools available for script kiddies (e.g.
    Airsnort, WEPcrack)

30
Appendix WEP Insecurities I
  • Violating Confidentiality via Keystream Reuse
  • Build Decryption Dictionary of keystreams
  • Step 1: Gather plaintext using IP fields,
    well-defined message structures (e.g. login), fake
    emails, etc.
    P ⊕ C = P ⊕ (P ⊕ RC4(v,k)) = RC4(v,k)
  • Step 2: Use this particular keystream to decrypt
    any message with the same IV.
    C ⊕ RC4(v,k) = (P ⊕ RC4(v,k)) ⊕ RC4(v,k) = P

31
Appendix WEP Insecurities II
  • Violating Access Control via Message Injection
  • With a retrieved keystream, valid ciphertext can
    be constructed: C = P ⊕ RC4(v,k)
  • The messages in the constructed ciphertext can be
    injected into the network without triggering any
    alarms because IVs are reusable.

32
Appendix WEP Insecurities III
  • Violating Data Integrity via Message Modification
  • Construct C' that decrypts to M', M' = M ⊕ Δ
  • C' = C ⊕ <Δ, c(Δ)>
       = RC4(v,k) ⊕ <M, c(M)> ⊕ <Δ, c(Δ)>
       = RC4(v,k) ⊕ <M ⊕ Δ, c(M) ⊕ c(Δ)>
       = RC4(v,k) ⊕ <M', c(M ⊕ Δ)>
       = RC4(v,k) ⊕ <M', c(M')>
  • This attack allows IP Redirection which can lead
    to further attacks.
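
Why the CRC-32 ICV gives no integrity, as an added Python check on constructed data (not part of the presentation). It verifies the checksum relation used in the derivation above and runs the same test against a keyed tag, HMAC-SHA-256, chosen here only for comparison. With the CRC-32 in zlib the relation is affine, so a c(0) term for an all-zero message of the same length appears next to c(M) ⊕ c(Δ).

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP-style checksum: unkeyed CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed alternative used for comparison (HMAC-SHA-256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def predicted(check, old: bytes, delta: bytes) -> bytes:
    """Checksum of M xor delta predicted from check(M) alone, assuming
    check(M ^ D) = check(M) ^ check(D) ^ check(0...0)."""
    zero = bytes(len(delta))
    return xor(xor(old, check(delta)), check(zero))

def survives_modification(check, message: bytes, delta: bytes) -> bool:
    """True if the predicted checksum equals the real one for M xor delta."""
    real = check(xor(message, delta))
    return hmac.compare_digest(real, predicted(check, check(message), delta))

# Constructed data: delta changes one byte of a 32-byte message.
MESSAGE = b"constructed 802.11 payload bytes"
DELTA = bytes(12) + b"\x20" + bytes(len(MESSAGE) - 13)
MAC_KEY = b"constructed mac key"

# The CRC prediction holds without any secret; the keyed tag's does not,
# even though this test hands the prediction the MAC key.
CRC_RESULT = survives_modification(icv, MESSAGE, DELTA)
MAC_RESULT = survives_modification(
    lambda d: keyed_tag(MAC_KEY, d), MESSAGE, DELTA)
```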