CSC-682 Advanced Computer Security

1
CSC-682 Advanced
Computer Security

• Attacks
• on wireless networks
• using WEP encryption

presented by Pompi Rotaru
2
Wireless technology

• IEEE 802.11 a/b/g/n is the set of standards for
  W-LAN
• Wireless technology has been on the rise in
  recent years
• An individual can sit outside the building and
  connect to an unprotected wireless network
• Preserving privacy and integrity of wireless
  communications becomes an important objective of
  the network security team
• Basic service set
• infrastructure mode
  independent (ad-hoc) mode

3
WEP

• Wired Equivalent Privacy (WEP) is most common
  mechanism for protection
• Encryption with 40-bit key (aka 64-bit
  encryption)
• Encryption with 104-bit key (aka "128-bit
  encryption)
• Uses as the most common encryption algorithm the
  RC4 algorithm.

4
History of WEP

• 1997 Release of the first final version of IEEE
  802.11
• 2001 WEP broken by Fluhrer, Mantin, and Shamir
• 2004 WEP broken again by KoreK
• 2005 WEP broken again by KoreK again (chopchop
  attack)
• 2005 WEP broken again by Bittau, fragmentation
  attack
• 2007 WEP broken again by Pyshkin, Tews, Weinmann,
  with the help of Klein

5
RC4 algorithm description

• Stream cipher designed by Ron Rivest in 1987
• It works as a variable key-size stream cipher
  with byte-oriented operations
• Key Scheduling Algorithm (KSA) - which turns a
  random key into a permutation by scrambling the
  bits
• Pseudo-Random Generator Algorithm (PRGA) using
  swap operations for the previously permutation it
  generates pseudo-random numbers
• X RC4(K)

6
How WEP encryption works

• A 3 bytes initialization vector (IV) is chosen
• A key stream X RC4(K) is generated from secret
  key K
• A 32 bit long checksum called Integrity Check
  Value (ICV) is appended to the message to
  protect the integrity
• The resulting plain text is encrypted making an
  XOR operation with the generated key stream
• The unencrypted IV and the cipher-text are sent
  over the air

7
(No Transcript)
8
(No Transcript)
9
Types of WEP attacks

• Depending on key
• without recovering the WEP key
• recovering the key
• Depending on communication
• static (no communication with AP)
• dynamic (involves communication with AP)

10
General steps for attack

• Setup equipment (laptop, directional antenna)
• Find the target (airdump-ng, Kismet, NetStumbler)
• Capture data from air (airmon-ng, airodump-ng)
• Wait or make the target network busy
  (aireplay-ng)
• Start cracking from captured data (aircrack-ng)

11
The brute force / dictionary attack

• Power of the WEP relies in the difficulty of
  discovery of the secret key through a brute-force
  attack
• Dictionary attack uses dictionary of keys, not
  all possible keys
• Such attack requires less then a month for all
  keys
• Steps
• capture 2 WEP encrypted packets
• try to decrypt it using the captured IV and a
  potential key
• verify decrypted ICV (the CRC)
• (optional) verify the key on the 2nd packet

12
The FMS attack

• 2001 - Scott Fluhrer, Itsik Mantin and Adi Shamir
• Static - with key recovery
• RC4 weaknesses
• The Invariance Weakness - existence of large
  classes of weak keys
• The IV Weakness using IV attacker can
  rederive the secret part by analyzing the initial
  word
• Finding the key ? use key-output correlation
  propagation of a weak key pattern into the
  outputs combined with biased distribution of bits
  in English text
• Decision tree
• Requires 9 millions packets (listen to traffic
  for 12 hours)

13
The KoreK attack

• 2004 internet hacker KoreK
• Static - with key recovery
• Does not need weak IV
• Uses 16 additional correlations between the first
  1 byte of an RC4 key, the first 2 bytes of the
  generated key stream, and the next keybyte
• Same decision-tree based approach same as FMS
  attack
• Requires 700000 packets

14
The KoreK chop-chop attack

• 2005 same KoreK
• Does not recover the key, it just reveals the
  message
• Exploits an ICV vulnerability
• Process of truncation of packets while keeping
  them still valid
• Steps
• capture one packet
• truncate the last byte and try to guess one
  value for plaintext
• correct the checksum and send packet to AP
• if guess is correct the AP will reply
• repeat until all bytes are decrypted

15
The Bittau attack

• 2005 - Andrea Bittau, Mark Handley and Joshua
  Lackey
• Fragmentation
• Possible to send multiple fragments (16) using
  the same key stream
• Each packet is encrypted independently at MAC
  layer
• Steps
• listen to traffic, eavesdrop one packet then
  recover 8 bytes of key stream
• prepend an IP header to the eavesdropped packet
  and send to AP
• AP will sent the clear text to a controlled
  internet host
• Fragmentation is used to break 802.11s
  cryptography

16
The PTW attack

• 2007 - Andrei Pyshkin, Erik Tews Ralf-Philipp
  Weinmann
• They found a multibyte correlation between the
  first l bytes of an RC4 key, the generated
  keystream, and the next i bytes of the key.
• Steps
• captures packets and recovers their keystreams
  (FMS, KoreK)
• evaluate the multibyte correlation function
  (Klein)
• create decision tree for key and start voting
  (Rk0, Rk1, Rk2)
• Requires 35000 . 40000 packets
• Less then 60 seconds to crack a 104 bit WEP key

17
Protecting WEP

• Increase the number of bytes used for encryption
  (protects against FMS attack)
• Remove the weak IV - keystream re-use
  vulnerabilities
• Prevent key re-use
• Extensible Authentication Protocol (EAP) change
  often the WEP-key (not enough against Bittau
  attack)
• Deploy Intrusion Detection Systems (IDS) to
  protect against injected traffic (really protects
  against PTW attack)
• Companies sell hardware using modified versions
  of the WEP protocol claiming to be secure

18
Conclusions

• WEP has a long history of vulnerabilities and
  fixes
• WEP is a good example of how attacks evolve and
  mature over time
• Attacks that a few years ago took days, now take
  minutes if the right tools are used
• 2005 WEP is officially declared deprecated by
  IEEE 802.11 committee
• 2008 WEP used by 30 of users in a US university
• Today too many old networks, some using WEP
• WEP must be abandoned once and for all, rather
  than patch it yet again !!!

19
Bibliography

• http//www.drizzle.com/aboba/IEEE/rc4_ksaproc.pdf
  
• http//dl.aircrack-ng.org/breakingwepandwpa.pdf
• http//eprint.iacr.org/2007/120.pdf
• http//tapir.cs.ucl.ac.uk/bittau-wep.pdf
• http//www.netstumbler.org/showthread.php?t12489
• http//www.netstumbler.org/showpost.php?p93942po
  stcount35
•  
• http//www.pisa.org.hk/event/live-wifi-attack-defe
  nse/WEP_cracking_demo.pdf
• http//en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_
  Shamir_attack
• http//www.cc.gatech.edu/traynor/cs8803-f08/slide
  s/lecture13-wep2.pdf
• http//www.rossbuffington.com/WEP_Insecurity.pdf
• http//www.franken.de/uploads/media/WEP-Cracking.p
  df
• http//www.quequero.org/How_To_Attack_a_WEP/WPA_Pr
  otected_Wireless_Network_(eng)
• http//yawcu.sourceforge.net/documentation.pdf
• http//eprint.iacr.org/2007/471.pdf