Wireless Encryption

Jun 20, 2015

Tech Dude

Transcript

Page 1:

Wireless Encryption

Page 2: Disclaimer

• Sources include:
• A NIST publication: Wireless Network Security: 802.11, Bluetooth and Handheld Devices (NIST Special Publication 800-48), published November 2002, written by Tom Karygiannis and Les Owens.
• Grad students: Nathan Blackham, Charles Higby

Page 3: Wireless LANs

• IEEE 802.11 is the family of standards for WLANs (developed by the US-based IEEE and used internationally).
• Specifications of its variants follow.

Page 4: 802.11 Classifications

• 802.11 (the original 1997 standard)
• 1-2 Mbps
• 2.4 GHz spectrum
• Uses FHSS (Frequency Hopping Spread Spectrum): 75+ frequencies per transmission, max dwell time per frequency 400 ms
• Or DSSS (Direct Sequence Spread Spectrum)

Page 5: 802.11a

• 54 Mbps
• 5 GHz band (shorter range)
• OFDM (Orthogonal Frequency Division Multiplexing): splits the signal into smaller sub-signals and transmits them in parallel on different frequencies
• Less interference from other signals
• 8 simultaneous channels
• Not approved in Europe when the source was written (the military uses a portion of the 5 GHz band); 802.11h later added the DFS and TPC mechanisms required for European 5 GHz operation

Page 6: 802.11b

• Also known as High Rate or Wi-Fi
• 11 Mbps (22 Mbps with TI's proprietary DSP chip extension)
• 2.4 GHz – a crowded band
• Still slower than wired Ethernet
• Note: any Wi-Fi (Wireless Fidelity) component certified by WECA (the Wireless Ethernet Compatibility Alliance, now the Wi-Fi Alliance) is supposed to interoperate with any other brand of client hardware (not always true in practice)
• 3 simultaneous (non-overlapping) channels
• Uses CCK (Complementary Code Keying)

Page 7: 802.11g

• At the time of the source, a new technology that would enable 20-54 Mbps over existing 802.11b networks (802.11g was ratified in 2003)
• Still operates in the 2.4 GHz band
• Backward compatible with 802.11b components at 11 Mbps
• 3 simultaneous channels
• Uses both encoding techniques from 'a' (OFDM) and 'b' (CCK)

Page 8: WLAN Security

• Brief history of WLAN security
• WEP was defined by the IEEE 802.11 Working Group in the original 802.11 standard and carried into the 1999 revision.
• WEP seeks to provide a level of WLAN security similar to that of wired LANs, by encrypting data transmissions and preventing unauthorized users from connecting.

Page 9: WEP – Protection for 802.11b

• Wired Equivalent Privacy
• "No worse than what you get with wire-based systems"
• Criteria:
• "Reasonably strong"
• Self-synchronizing – stations often go in and out of coverage, so each frame must be decryptable on its own
• Computationally efficient – in HW or SW, since low-MIPS CPUs might be used
• Exportable – the 40-bit key length reflected US export controls of the time
• Optional – not required to use it

Page 10: WEP – How It Works

• Secret key (40 bits or 104 bits)
• Initialization vector (24 bits, per the IEEE standard)
• Total of 64 or 128 bits "of protection" (marketing figures that count the public IV as key material)
• RC4-based pseudo random number generator (PRNG)
• Integrity Check Value (ICV): CRC-32

Page 11: Is WEP Secure?

• WEP is not a mandatory component of IEEE 802.11
• Many 802.11b products of the time lacked the computing power to run WEP encryption without significant performance degradation (this enticed many users to turn off WEP)
• WEP has proven vulnerabilities.

Page 12: Notable papers that identify and describe WEP deficiencies

• A paper from UC Berkeley (Borisov, Goldberg and Wagner, 2001) revealing WEP weaknesses due to keystream (IV) reuse and inadequate message authentication.
• A paper from the University of Maryland (Arbaugh, Shankar and Wan, 2001) highlighting weaknesses in 802.11 access control mechanisms.
• A paper by Scott Fluhrer, Itsik Mantin, and Adi Shamir (2001) identifying weaknesses in WEP due to improper usage of the underlying RC4 algorithm (its key-scheduling algorithm).

Page 13: RC4 Algorithm

• RC4 is a symmetric-key stream cipher.
• Developed in 1987 by Ronald Rivest; the design was kept as a trade secret.
• On September 9, 1994, the RC4 algorithm was anonymously posted to the Cypherpunks mailing list via anonymous remailers.

Page 14: WEP Data Frame

Frame body layout:

  IV field (4 bytes) | Data (PDU) (>= 1 byte) | ICV (4 bytes)

IV field breakdown (4 bytes):

  Init Vector (3 bytes) | Pad (6 bits) | Key ID (2 bits)

Note: the 2-bit Key ID selects one of up to 4 configured keys.

Page 15: WEP Encryption

Figure: WEP encryption. The Initialization Vector (IV) is concatenated with the Secret Key to form the Seed of the WEP PRNG (RC4), which outputs the Key Sequence. The Plaintext is fed to the Integrity Algorithm (CRC-32) to produce the Integrity Check Value (ICV). Plaintext || ICV is XORed with the Key Sequence to give the Ciphertext Message, which is transmitted together with the IV in the clear.

Page 16: WEP Encryption Process

1. Compute the ICV using CRC-32 over the plaintext message.
2. Concatenate the ICV to the plaintext message.
3. Choose a (random) IV, concatenate it in front of the secret key, and feed the result to RC4 to produce the pseudo-random key sequence.
4. Encrypt plaintext + ICV by bitwise XOR with the key sequence to produce the ciphertext.
5. Put the IV (in the clear) in front of the ciphertext.

Page 17: WEP Decryption

Figure: WEP decryption. The received IV and the Secret Key form the Seed for the WEP PRNG, which regenerates the Key Sequence. The Ciphertext is XORed with the Key Sequence to recover the Plaintext and the transmitted ICV. The Plaintext is run through the Integrity Algorithm to compute ICV', which is compared with the recovered ICV (ICV' = ICV?).

Page 18: WEP Decryption Process

1. The IV of the message (together with the shared secret key) is used to generate the key sequence, k.
2. Ciphertext XOR k = original plaintext + ICV.
3. Verify by computing the integrity check on the plaintext (ICV') and comparing it to the recovered ICV.
4. If ICV ≠ ICV', the message is in error; an error is reported to MAC management and back to the sending station.
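The encapsulation on Pages 10, 14, 16 and 18 put together in one runnable model, as an added example (not code from the slides, the NIST publication or any 802.11 implementation). The RC4 routine, the frame-body layout (3-byte IV, 6 pad bits, 2-bit Key ID in the top bits of the fourth byte, data, 4-byte ICV) and the CRC-32 ICV follow the slides; the function names, the little-endian ICV byte order, and the key and IV values in the demo are choices made here for illustration. WEP is broken and this code exists only to make the mechanism concrete:

```python
import os
import zlib
from typing import Dict, Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: the key-scheduling algorithm (KSA) permutes the 256-byte state S
    using the key, then the generation loop (PRGA) emits `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    # CRC-32 Integrity Check Value. The byte order only has to match between
    # sender and receiver; little-endian is assumed throughout this example.
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret_key: bytes, key_id: int, plaintext: bytes,
                iv: Optional[bytes] = None) -> bytes:
    """Steps 1-5 of the encryption process; returns the WEP frame body
    (IV field || ciphertext of plaintext || encrypted ICV)."""
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP-40 (5-byte) or WEP-104 (13-byte) key expected")
    if not 0 <= key_id <= 3:
        raise ValueError("Key ID is a 2-bit field")
    if iv is None:
        iv = os.urandom(3)                       # 24-bit IV, sent in the clear
    protected = plaintext + icv(plaintext)       # steps 1-2: append the CRC-32 ICV
    keyseq = rc4_keystream(iv + secret_key, len(protected))  # step 3: IV || key seeds RC4
    ciphertext = xor_bytes(protected, keyseq)    # step 4: XOR with the key sequence
    iv_field = iv + bytes([key_id << 6])         # 3-byte IV, 6 pad bits, 2-bit Key ID
    return iv_field + ciphertext                 # step 5: IV field goes in front


def wep_decrypt(keys: Dict[int, bytes], frame_body: bytes) -> Tuple[bool, bytes]:
    """Decryption process: pick the key by Key ID, regenerate the key sequence
    from the received IV, XOR it off, then compare ICV' with the recovered ICV."""
    iv, key_id = frame_body[:3], frame_body[3] >> 6
    ciphertext = frame_body[4:]
    keyseq = rc4_keystream(iv + keys[key_id], len(ciphertext))
    recovered = xor_bytes(ciphertext, keyseq)
    plaintext, received_icv = recovered[:-4], recovered[-4:]
    return icv(plaintext) == received_icv, plaintext


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed WEP-40 key
    body = wep_encrypt(key, key_id=2, plaintext=b"hello wlan", iv=b"\xaa\xbb\xcc")
    print(body.hex())
    print(wep_decrypt({2: key}, body))
```

Note that a wrong key or a flipped ciphertext bit makes the ICV comparison fail, which is all the integrity protection WEP offers; the CRC catches accidental errors but, being linear and unkeyed, does not stop a deliberate modification (see the weaknesses below).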

Page 19: WEP Station Authentication (shared key)

1. The Wireless Station (WS) sends an Authentication Request to the Access Point (AP).
2. The AP sends a (random) challenge text T.
3. The WS sends the challenge response (T encrypted under WEP with the shared key).
4. The AP decrypts, checks the result against T, and sends ACK/NACK.

Figure: message sequence. WS -> AP: Auth. Req.; AP -> WS: Challenge Text; WS -> AP: Challenge Response; AP -> WS: Ack.

Caveat: an eavesdropper who captures T and the response learns a WEP key sequence for that IV (response XOR (T || ICV)) and can answer later challenges with the same IV without ever knowing the key.

Page 20: WEP Weaknesses

• Forgery attack
• Packet headers are unprotected, so source and destination addresses can be faked; the AP will then decrypt the data and forward it to the attacker's chosen destination.
• The CRC-32 ICV can be faked by flipping bits: CRC-32 is linear, so the ICV of a modified message can be patched without knowing the key.
• Replay
• An attacker can eavesdrop, record a session and play it back later; WEP has no replay counter.
• Collision (24-bit IV; how and when does it change?)
• Sequential IVs: roll-over in less than half a day on a busy network
• Random IVs: after about 5,000 packets there is a greater than 50% chance of IV reuse (birthday bound on 2^24 values)
• Weak key
• If ciphertext and plaintext are known, an attacker can recover the key sequence for that IV (not the key itself) and reuse it.
• Certain RC4 weak keys reveal too many bits of the key sequence; with enough such IVs an attacker can determine the RC4 base key (the Fluhrer-Mantin-Shamir attack).
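The three structural weaknesses above (IV collision, key-sequence recovery from known plaintext as in the Page 19 authentication exchange, and CRC-32 bit-flip forgery) demonstrated on the stream-cipher structure ciphertext = (plaintext || ICV) XOR keystream, as an added example that is not from the slides or the cited papers. Nothing here needs RC4: the keystream is a constructed stand-in for what RC4 would emit for one IV, and the attacks only rely on it being reused. The two HTTP requests, the function names and the little-endian ICV byte order are choices made here:

```python
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    # CRC-32 ICV, little-endian (assumed byte order, consistent within this example)
    return zlib.crc32(data).to_bytes(4, "little")


def wep_body(keystream: bytes, plaintext: bytes) -> bytes:
    """Data part of a WEP frame under one per-IV keystream:
    (plaintext || CRC-32 ICV) XOR keystream. The clear IV field is omitted."""
    return xor_bytes(plaintext + icv(plaintext), keystream)


def icv_ok(keystream: bytes, body: bytes) -> bool:
    """The receiver's check: strip the keystream, recompute ICV', compare."""
    recovered = xor_bytes(body, keystream)
    return icv(recovered[:-4]) == recovered[-4:]


def iv_reuse_xor(body1: bytes, body2: bytes) -> bytes:
    """Collision: two frames under the same IV share a keystream,
    so C1 XOR C2 = P1 XOR P2 and the keystream cancels out."""
    return xor_bytes(body1, body2)


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext (a shared-key auth challenge, a predictable ARP or DHCP
    frame) yields the keystream for that IV, reusable for any frame of that length."""
    return xor_bytes(body, known_plaintext + icv(known_plaintext))


def bitflip_forge(body: bytes, delta: bytes) -> bytes:
    """Forgery: flip the plaintext bits selected by `delta` without the key.
    CRC-32 is affine, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0), so the
    encrypted ICV is patched with crc(D) ^ crc(zeros) and stays valid."""
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover exactly the data part")
    icv_delta = xor_bytes(icv(delta), icv(bytes(n)))
    return xor_bytes(body, delta + icv_delta)


# Constructed demo values: a stand-in keystream for one IV and two requests
# of equal length that a station sent under that same IV.
KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(64))
REQ1 = b"GET /index.html HTTP/1.0\r\n"
REQ2 = b"GET /login.html HTTP/1.0\r\n"


def demo() -> dict:
    b1, b2 = wep_body(KEYSTREAM, REQ1), wep_body(KEYSTREAM, REQ2)
    # Collision: leak P1 XOR P2 without touching the key
    leaked = iv_reuse_xor(b1, b2)[:len(REQ1)]
    # Known plaintext: recover the keystream, then mint a valid frame of our own
    ks = recover_keystream(b1, REQ1)
    minted = wep_body(ks, b"GET /admin.html HTTP/1.0\r\n")
    # Bit flipping: rewrite "index" to "admin" inside the captured frame
    delta = bytearray(len(REQ1))
    delta[5:10] = xor_bytes(b"index", b"admin")
    forged = bitflip_forge(b1, bytes(delta))
    return {
        "leaked_xor": leaked,
        "keystream_recovered": ks == KEYSTREAM[:len(b1)],
        "minted_valid": icv_ok(KEYSTREAM, minted),
        "forged_valid": icv_ok(KEYSTREAM, forged),
        "forged_plaintext": xor_bytes(forged, KEYSTREAM)[:-4],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The AP accepts both the minted and the forged frame because the ICV is a CRC XORed with the same keystream as the data; this is exactly the gap that 802.11i closes with a keyed MIC and a strictly increasing 48-bit sequence counter.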

Page 21: Weakness

• The RC4 algorithm is vulnerable to analytic attacks on its state table.
• Weak keys: keys identified by cryptanalysis for which one or more generated keystream bytes are strongly correlated with a small subset of the key bytes. About one in every 256 keys is weak in this sense; because WEP prepends the public IV to the secret key, an attacker can simply wait for IVs that yield such weak per-packet keys.

Page 22: WEP Weakness – Key Management

• 4 possible keys, populated externally (configured by hand)
• The 802.11 standard does not specify a distribution mechanism (e.g. over the backbone network)
• Can be a unique key for each WS or a single key for the entire network (commonly used)
• A single shared key increases the chance of IV reuse, since every station draws from the same 24-bit IV space

Page 23: IEEE 802.11i

• The 802.11i task group was formed to establish a comprehensive solution for WLAN security.
• At the time of the source the group had nearly completed a standard called Robust Security Network (RSN); IEEE 802.11i was ratified in June 2004.

Page 24: Includes two parts

• Advanced Encryption Standard (AES) for encrypting WLAN traffic
• IEEE 802.1X, a port-based network authentication standard, for WLAN user authentication and key management
• The group also finished a series of fixes for WEP.
-- Fixes include the Temporal Key Integrity Protocol (TKIP)

Page 25: 802.11i

• Improved encryption algorithms
• Temporal Key Integrity Protocol (TKIP) – for legacy hardware: generates per-packet keys; a 48-bit IV (the TKIP sequence counter) prevents replay attacks
• Counter mode with CBC-MAC Protocol (CCMP) – for new hardware; not for legacy hardware, which lacks the CPU power to run AES encryption
• 802.1X – port-based network access control: authentication and encryption key distribution

Page 26: 802.1X

Figure: 802.1X authentication exchange, from Meetinghouse Data Communications, http://www.mtghouse.com/8021X.pdf

Page 27: 802.11i >> WEP

• Forgery
• Stronger Message Integrity Code (MIC): a keyed cryptographic function (Michael for TKIP, AES CBC-MAC for CCMP) applied to the packet payload plus the source and destination addresses, so the headers are covered too
• Replay
• 48-bit IV, strictly increasing sequence, cannot roll over (must rekey first); the receiver discards out-of-sequence packets
• Weak keys of WEP
• Per-packet key computed from the transmitter address, IV and base key, so the IV is no longer simply prepended to the key
• Collision
• 48-bit IV; force a rekey after 215 packets
• Use 802.1X EAPOL (Extensible Authentication Protocol Over LAN) to configure a new key for every association

Page 28: Tools

• Linux
• AirSnort – used for cracking WEP and scanning for APs
• Kismet – picks up APs whether or not they broadcast their SSID, and shows some settings and clients
• WEPCrack – Perl scripts to crack WEP from a tcpdump capture
• FakeAP – generates fake APs, used to hide a real one
• BSD
• Airtools (bsd-airtools) – suite of multiple tools

Page 29: Tools

• Windows
• NetStumbler – auditing tool, finds APs
• AiroPeek – packet analyzer
• Sniffer Wireless – monitoring, capturing, decoding, filtering, etc.
• Many others – which do you know?