Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology

Wireless security

Breaking WEP and WPA


Wireless security - Why?


DEMO!


Wireless security timeline

1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009

WEPintroduced

WPAintroduced

FMS attack on WEP

ChopChop attack on

WEP

Fragmentation attack onWEP

PTW attack on WEP

Beck and Tews attack on WEP

and WPA

Message falsification

attack on WPA

Attack on TKIP

WPA2introduced


RC4

• Was developed by Ron Rivest in 1987

• “Rivest Cipher 4”• Most widely used

stream cipher• Used in i.e. SSL,

WEP, WPA and TLS• Was secret until 1994

when it was leaked

for i from 0 to 255S[i] := i

endforl := keylengthj := 0for i from 0 to 255

j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j])

endfori := 0j := 0while GeneratingOutput:

i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(&S[i],&S[j])output S[(S[i]+S[j]) mod 256]

endwhile


Key Scheduling Algorithm (KSA)

• Initializes the state• Permutes array S

based on key K• Array S controls the

secret state• S is later used to

generate stream

for i from 0 to 255S[i] := i

endforl := K.lengthj := 0for i from 0 to 255

j := (j + S[i] + K[i mod l]) mod 256swap(&S[i], &S[j])

endfor


KSA example

S = 0 1 2 3 4 5 6 7

5 3K =

for i from 0 to 7j := (j + S[i] + K[i mod l]) mod 8swap(&S[i],&S[j])

endfor

i

i

j

05 52 6 37 450 03 14


Pseudo Random Generation Algorithm (PRGA)

• Generates a stream of pseudo random numbers

• The state array is updated each iteration

i := 0j := 0while GeneratingOutput:

i := (i + 1) mod 256 j := (j+S[i]) mod 256swap(&S[i],&S[j])output S[(S[i]+S[j]) mod 256]

endwhile


PRGA example

S =

i

j

2 6 7 5 03 14

while GeneratingOutput:i := (i + 1) mod 8j := (j+S[i]) mod 8swap(&S[i],&S[j])output S[(S[i]+S[j]) mod 8]

endwhile

47 31


Question

What problem might we encounter if the same key is used to encrypt multiple messages?


Wired Equivalent Privacy (WEP)

• Introduced in November 1997• Comes in 64-bit and 128-bit strength• Uses initialization vectors to deal with the

problem of key reuse• Not meant to be secure (!)• Adds Integrity Control Value (ICV) to the

message to verify its correctness


WEP Initialization Vector (IV)

• Prepended to the key • Sent in plaintext along

with the message• Only 3 bytes – reused

every 224 message• Reduces key size by

24 bits (!)– 64 bit = 40 bit– 128 bit = 104 bit

+

=

IV

Key

Dynamic key


Fluhrer, Mantin and Shamir attack

• Found a group of weak IV’s– IV’s with format X + 3 || 255 || Y– If X=0, there is a 5 % chance that the first

number generated will be K[0] for any Y– Same holds for respectively for 0X13

• The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form


Example

KSA Loop i j S[0] S[1] S[2] S[3] S[12]

1 0 0 0 1 2 3 12

2 1 3 3 1 2 0 12

3 2 2593 3 0 2 1 12

4 3 12 3 0 12 1 2

5 4 ? 3 0 12 ? 2

IV = [ 3, 255, 7 ] K = [ 3, 255, 7, ?, ?, ?, ?, ? ]

1. C[0] = 165 = 15 1702. j = S[i] = S[1] = 03. S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0] 170 = 154. j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15 K[3] = 2


Statistics

0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 2400

2

4

6

8

10

12

14

Series 1

Series 1


Aircrack


Limitations

• Have to collect ~1 000 000-4 000 000 packets to get enough IV’s

• Could take 2-4 weeks to collect• Weak IV’s no longer used• Have since then been optimized and new

attacks have been found• Can now be broken in less than 60 seconds


ChopChop attack

• Truncates the message by one byte and xor with X– If ICV control succeeds, the truncated byte is X

P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) )

• Decreases time of finding the key to ~30 minutes


Wi-fi Protected Access (WPA)

• Built around WEP to fix its flaws and provide backward compatibility

• Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems


Temporal Key Integrity Protocol (TKIP)

• Adds a new Message Integrity Check (MIC) generated using Michael algorithm

• Michael is insecure, but this was handled by countermeasures in TKIP

• Replay protection, slows down attacks but do not prevent them


Becks and Tews attack

• Attacks a TKIP• A modified version of the ChopChop attack• Truncates the message by one byte and xor

last byte with X– If ICV control fails nothing happens, increment X– If ICV control succeeds, then MIC control will fail and

an error message will be sent, the truncated byte is X

• Limited to networks with QoS enabled


Wireless security timeline

1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009

WEPintroduced

WPAintroduced

FMS attack on WEP

ChopChop attack on

WEP

Fragmentation attack onWEP

PTW attack on WEP

Beck and Tews attack on WEP

and WPA

Message falsification

attack on WPA

Attack on TKIP

WPA2introduced


Additional reading

• Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4

• Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)

• Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin• Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less

than 60 seconds• Beck, M., Tews, E.: Practical attacks against WEP and WPA• Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack

on TKIP• Ohigashi, T., Morii, M.: A practical message falsification attack on

WPA

Chalmers University of Technology Wireless security Breaking WEP and WPA.

Documents

j si mod

j si mod

j si ki mod

j si keyi mod

sj endfor i

keylength j

wpa slide

sj endfor slide