How To Not Make a Secure Protocol

1
How To Not Make a Secure Protocol

• 802.11 WEP
• Dan Petro

2
What is WEP?

• Wired Equivalent Privacy
• Wireless LAN security protocol
• Uses IEEE 802.11 a,b,g, and n
• Provides certain security services
• Originally 64 bits, but has been extended to 128
  bits and even 256 bits
• Easily broken
• Why? And How?
• Fundamentally poor design choices

3
How does WEP work?

• It works like a One Time Pad
• Keystream is pseudorandom
• XOR'd with plaintext
• Perfectly secret ciphertext
• Right? What's the worst that could happen?

4
Design Goals of WEP

• Confidentiality
• RC4 cipher and XOR operation
• Integrity
• CRC of message inside plaintext
• Authentication?!
• Availability?!

5
Keys

• Not one, but two keys.
• Primary Master Key or just key (Secret)
• Initialization Vector (Well known)
• Key 40 bits
• IV 24 bits
• Total 64 bits

6
Failure 1

• ONE TIME Pad
• You must never use the same key(stream) twice.
• In WEP, Key PMK IV
• IV changes for each message
• If an IV is ever used twice, the same keystream
  will be used twice
• IV is only 24 bits
• Birthday Attack collision every 5,000 frames.

7
Failure 1

• What's the harm?
• Cipher1 Plaintext1 ? Keystream
• Cipher2 Plaintext2 ? Keystream
• You now know Plaintext1 ? Plaintext2
• If you happen to know one of the plaintexts, then
  you can decrypt any new ciphertext that uses the
  same Keystream
• Full and partial knowledge
• No diffusion!
• Even worse WEP does not specify how to select
  IV's.

8
Failure 1 Example

• Capture multiple Ciphertexts with the same IV
• Obtain a (partial) Known Plaintext
• Decrypt corresponding bits in the other messages.

9
Failure 2

• Integrity Failure
• Linear CRC is used for Integrity.
• Not a Cryptographically Secure Hash Function
• Linear means distributive
• CRC(a) xor CRC(b)
• Equals
• CRC(a xor b)

10
Failure 2

• Arbitrary packet forgery!
• Even with partial knowledge.
• If you know the plaintext of any part of a
  message, you can change it.
• WEP sends DST IP in plaintext

11
Failure 2.5

• IP Redirection Attack
• Change every IP address to that of the attacker
  outside the network.

12
Failure 3

• Authentication Fail
• 1) Client Hello
• 2) Server Plaintext Challenge (128 Bytes)
• 3) Client Sends Encrypted Challenge back

13
Failure 3

• But we can change the contents of any message,
  remember?
• Observe one valid authentication.

14
Failure 3

• Now just change the contents of this captured
  response to be the challenge you need!

15
Failure 4

• Getting a Known Plaintext Attack
• WEP does not mask the size of frames
• You can see exactly how long each message is.
• Mix that with TCP/IP, and you get a known
  plaintext attack
• ARP messages are very short, and of known length.
  (28 ARP bytes 14 Layer 1 Bytes 42 Bytes Total)
• Lots of routers automatically send tons of ARP
  messages constantly

16
Failure 4.5

• ARP Replay Attack
• ARP is stateless
• One ARP request packet can be replayed over and
  over
• Hosts will respond with fresh traffic as
  responses
• Allows for an arbitrary amount of traffic to be
  generated in use with other attacks.
• Upgrade the attack to Chosen Plaintext

17
Failure 5

• No Server Authentication
• Rouge AP's
• Attacker makes another AP with the same SSID
• Victim connects to the wrong AP
• Now you have a Man-in-the-Middle

18
Failure 6

• The Cafe Latte Attack
• No authentication
• Clients keep a list of favorite AP's
• One's they've used before
• When powering on, they try to connect to those
  AP's
• Stimulate traffic from client, crack key

19
Failure 7

• If the PMK is known, all bets are off
• WEP does not specify how PMKs are chosen or
  exchanged.
• It's a standard Shared Secret problem!
• Social Engineering
• Use a Rouge AP
• Dictionary attacks
• Out of Band attacks
• Does your company have a piece of paper with the
  key laying around? It probably does.

20
Failure 8

• Denial of Service
• Firstly, it is legal to jam 2.4GHz signals
• Just not cell phones!
• 802.11 Wifi is naturally vulnerable to this
• But not Bluetooth!
• Associate / Disassociate Packets are unencrypted
• If there is a single malicious user on your
  network, he can bring the whole thing down
• ARP Cache Poisoning
• DOSS (Denial of Service... with Style)

21
Failure 9

• No Session Keys!
• How the network's perimeters should look
• How it does look

22
Failure 9

• Airpwn
• First displayed at Defcon 12
• Intercepts data just like with a Rouge AP
• Responds to HTTP traffic before the real web
  server can
• Result?
• Anything you want!

23
The Breaks

• Key recovery attacks due to RC4
• Fluhrer, Mantin and Shamir attack
• Discovered that the first few bytes produced is
  highly non-random
• Andreas Klein
• Even more correlations between key and keystream
  found
• Tews, Weinmann, and Pyshkin. (PTW)
• Built upon Klein's analysis and built
  Aircrack-ptw
• (Now Aircrack-ng)

24
References and links

• Intercepting Mobile Communications The
  Insecurity of 802.11
• http//www.isaac.cs.berkeley.edu/isaac/mobicom.pdf
  
• Wikipedia
• http//en.wikipedia.org/wiki/Wired_Equivalent_Priv
  acy
• Weaknesses in the Key Scheduling Algorithm of RC4
• http//www.drizzle.com/aboba/IEEE/rc4_ksaproc.pdf
  
• CC-BY-SA