
Security of Wireless LAN

Security of Wireless LAN. ’01. 9. 20, Seongtaek Chee (NSRI). Contents: Introduction, WEP, 802.11 Security, What’s Wrong, Solutions, Conclusions. Introduction: IEEE 802.11 standard; Wired Equivalent Privacy (WEP); Goal: data privacy to the level of wired network


Presentation Transcript


  1. Security of Wireless LAN ’01. 9. 20 Seongtaek Chee (NSRI) NSRI

  2. Contents
     • Introduction
     • WEP
     • 802.11 Security
     • What’s Wrong
     • Solutions
     • Conclusions

  3. Introduction
     • IEEE 802.11 standard
     • Wired Equivalent Privacy (WEP)
     • Goal: data privacy to the level of a wired network
     • Use of 40-bit RC4 as the encryption mechanism
     • Attack against WEP
     • Researchers at Univ. of California at Berkeley published a document, “security flaws in the 802.11 security protocol”
     • Main weakness: use of static WEP keys shared among users

  4. Wireless LAN
     [Figure: WEP (wireless network infrastructure)]

  5. Security Goal
     • Confidentiality: the fundamental goal of WEP is to prevent casual eavesdropping
     • Access control: to protect access to a wireless network infrastructure*
     • Data integrity: to prevent tampering with transmitted messages**
     * The 802.11 standard includes an optional feature to discard all packets that are not properly encrypted using WEP, and manufacturers advertise the ability of WEP to provide access control
     ** The integrity checksum field is included for this purpose

  6. WEP Encryption
     [Diagram: RC4 with inputs IV (24-bit) and K (40-bit); Plain-text; Cipher-text]

  7. Encrypted WEP Frame
     [Diagram: Plain-text = Message, CRC; Keystream = RC4(IV, K); Transmitted Data = IV, Cipher-text]

  8. WEP Encryption & Decryption
     • A → B : IV, C = (P ⊕ RC4(IV, K)), where P = (M, c(M))
     • B : 1) 2) Verifies the checksum on P’

  9. WEP Encapsulation Summary
     • Encryption algorithm = RC4
     • Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
     • WEP allows an IV to be reused with any frame
     • Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
     • Data and ICV are encrypted under the per-packet encryption key

  10. WEP Authentication
     [Diagram: AP and STA; shared secret distributed out of band; Challenge (Nonce); Response (Nonce RC4 encrypted under shared key); Decrypted nonce OK?]
     • 802.11 Authentication Summary:
     • Authentication key distributed out-of-band
     • Access Point generates a “randomly generated” challenge
     • Station encrypts challenge using pre-shared secret

  11. Properties of Stream Cipher
     • What happens when plaintexts P1 and P2 are encrypted using the same key K
     • It is a very bad idea to encrypt any two plaintexts using the same keystream output by a stream cipher

  12. Keystream reuse
     • Key is a fixed shared secret that changes rarely, if ever
     • In fact, in many setups, every user shares the same key
     • So the keystream depends only on the IV
     • If two packets ever get transmitted with the same IV, you reuse the keystream value, which is bad
     • Since the IV gets transmitted in the clear for each packet, the adversary can even easily tell when a value of IV is reused (a “collision”)

  13. Attack – Confidentiality(1)
     • Attacker obtains two ciphertexts C1 and C2
     • C1 ⊕ C2 = P1 ⊕ P2
     • Using the redundancy of plaintexts, he can know (partial) P1 and P2
     • This is really easy if he knows the plaintext, because, for example, he sent it to you, say via pings or spam email.
     • If he knows one plaintext, he can recover all the other plaintexts.

  14. Attack – Confidentiality(2)
     • Note that he does not learn the value of the shared secret K
     • Solutions
     • Use of a different IV per packet
     • Some PCMCIA cards reset the IV to 0 each time they were re-initialized, and then incremented the IV by one for each packet transmitted.
     • These cards re-initialized themselves each time they were inserted into the laptop, which can be expected to happen fairly frequently.
     • Consequently, keystreams corresponding to low-valued IVs were likely to be reused many times during the lifetime of the key.
     • Increase the size of IV
     • 24 bits is too small (Note that if the speed is 11Mbps
     • The probability of collision is 99% after 12,430 frames, or in 2 to 3 seconds of normal traffic at 11Mbps.
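The 99% figure on slide 14 follows from the birthday bound over the 2^24 IV space. The Python below is an added example, not part of the original slides: it reproduces that figure and audits a list of observed IVs for reuse. The function names, the reset-to-zero card model and the session sizes are assumptions made for illustration.

```python
import math
from collections import Counter

IV_BITS = 24  # WEP IV size given on the slides


def collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound approximation of the chance that at least two of
    `frames` uniformly random IVs are equal."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * space))


def frames_for_probability(p: float, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count whose collision probability reaches p."""
    space = 2 ** iv_bits
    n = int(math.sqrt(2 * space * math.log(1 / (1 - p))))
    while collision_probability(n, iv_bits) < p:
        n += 1
    return n


def counter_card_ivs(frames_per_session):
    """Assumed model of the cards on slide 14: the IV restarts at 0 on every
    re-initialisation and increases by one per transmitted frame."""
    for frames in frames_per_session:
        yield from range(frames)


def reused_ivs(observed):
    """Audit helper: IVs travel in the clear, so reuse under one key can be
    counted directly. Returns {iv: times_seen} for every IV seen twice or more."""
    return {iv: n for iv, n in Counter(observed).items() if n > 1}


# Constructed sample: three card insertions sending 500, 1200 and 300 frames.
SESSIONS = [500, 1200, 300]

if __name__ == "__main__":
    print(f"P(collision) after 12,430 random IVs: {collision_probability(12430):.4f}")
    print(f"frames needed for 99%: {frames_for_probability(0.99)}")
    reused = reused_ivs(counter_card_ivs(SESSIONS))
    print(f"counter cards: {len(reused)} IVs reused, IV 0 seen {reused[0]} times")
```

With counter-based cards the reuse is deterministic rather than probabilistic: every low IV repeats on each re-initialisation, which is the slide's point about low-valued IVs.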

  15. Attack – Message modification(1)
     • Attacker intercepts a ciphertext C before it can reach its destination:
     • Assume that C corresponds to some unknown message M, so that
     • Claim: it is possible to find a new ciphertext C’ that decrypts to M’, where and △ may be chosen arbitrarily by the attacker.
     • Then we will be able to replace the original transmission with our new ciphertext by spoofing the source, and upon decryption, the recipient B will obtain the modified message M’ with the correct checksum.

  16. Attack – Message modification(2)
     • How to obtain C’ from C so that C’ decrypts to M’ instead of M.
     • CRC is linear
     • Note that this attack can be applied without full knowledge of M: the attacker only needs to know the original ciphertext C and the desired plaintext difference △ in order to calculate C’ = C ⊕ (△, c(△)).

  17. Attack – Message Injection(1)
     • We can inject a fake message F of the adversary’s choice into the wireless net so that it will be accepted by a receiver as genuine
     • The adversary just needs to know a single plaintext and its corresponding encrypted packet (ping or spam can provide this easily)
     • The encrypted packet is (IV, C), and the plaintext is (M, c(M)), so the adversary can compute the keystream RC4(IV, K) = C ⊕ (M, c(M))
     • Now he can take his fake message F, compute c(F), and compute C’ = (F, c(F)) ⊕ RC4(IV, K).
     • Then he transmits (IV, C’)

  18. Attack – Message Injection(2)
     • The receiver
     • C’ = (F, c(F)) ⊕ RC4(IV, K)
     • C’ is a correct encryption of the message F, so he has to accept it
     • The adversary has succeeded
     • Solution
     • CRC does not depend on the key
     • MAC (keyed hash function) must be used
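Slides 15 to 18 argue that a CRC checksum under a stream cipher cannot provide integrity and that a keyed MAC must replace it. The Python below is an added example, not part of the original slides: it builds a toy WEP-style frame over constructed data and shows the C’ = C ⊕ (△, c(△)) change passing the CRC check but failing a keyed check. HMAC-SHA-256, the function names and the sample key and messages are assumptions chosen for illustration.

```python
import hashlib, hmac, struct, zlib

def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream of n bytes."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(key: bytes, m: bytes) -> bytes:   # WEP-style checksum: key is ignored
    return struct.pack("<I", zlib.crc32(m))

def hmac_icv(key: bytes, m: bytes) -> bytes:  # keyed tag; a real design uses a separate MAC key
    return hmac.new(key, m, hashlib.sha256).digest()

def seal(iv, k, m, icv=crc_icv):
    p = m + icv(k, m)                         # P = (M, c(M))
    return xor(p, rc4(iv + k, len(p)))        # C = P xor RC4(IV, K)

def open_(iv, k, c, icv=crc_icv):
    p = xor(c, rc4(iv + k, len(c)))
    n = len(icv(k, b""))
    m, tag = p[:-n], p[-n:]
    return m if hmac.compare_digest(tag, icv(k, m)) else None

def modify(c: bytes, delta: bytes, icv_len: int = 4) -> bytes:
    """C' = C xor (delta, c(delta)); uses neither K nor M. zlib's CRC-32 is
    affine, so the checksum difference is crc(delta) xor crc(all-zero)."""
    d = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(c, delta + struct.pack("<I", d).ljust(icv_len, b"\0"))

def demo():
    iv, k = b"\x00\x00\x01", b"\x01\x02\x03\x04\x05"     # constructed IV and 40-bit key
    m, wanted = b"PAY 0100 TO BOB", b"PAY 9100 TO BOB"   # constructed messages
    delta = xor(m, wanted)
    crc_result = open_(iv, k, modify(seal(iv, k, m), delta))
    mac_result = open_(iv, k, modify(seal(iv, k, m, hmac_icv), delta, 32), hmac_icv)
    return crc_result, mac_result             # (modified message accepted, None)
```

The CRC-protected frame decrypts to the altered message with a valid checksum, while the HMAC-protected frame is rejected because the tag difference cannot be computed without the key.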

  19. Attack – Authentication(1)
     • Authentication: client to AP
     • AP → M: send a challenge string R (128-bit) to the client
     • M → AP: WEP-encrypted ciphertext (RC4(IV, K) ⊕ R)
     • AP: checks if the challenge is correctly encrypted, and if so, accepts the client
     • Goal: verify that a client joining the network really knows the shared secret key K
     • So the adversary has now just seen both the plaintext and the ciphertext of the challenge
     • This is enough not only to inject packets (as in the previous attack), but to execute the authentication protocol himself.

  20. Attack – Authentication(2)
     • Once the adversary obtains a single challenge/response pair for a given key K, he can extract IV and RC4(IV, K)
     • Now the attacker tries to connect to the network
     • The AP sends a challenge string M’ to the adversary
     • The adversary replies with IV, (M’, c(M’)) ⊕ RC4(IV, K)
     • This is in fact the correct response, so the AP accepts the adversary
     • The adversary has succeeded even though he never did learn the value of K
     • Solution: use a challenge-response protocol based on a block cipher

  21. How to make secure WEP
     • RC4 → 128-bit block cipher
     • Precise decryptions
     • Setup procedure of Key
     • Generation method of IV
     • Detail of “mode of operation”
     • Never reuse of IV (if K is fixed)
     • Size of IV > 56 bit(??)
     • CRC → MAC
     • Challenge-response authentication protocol based on block cipher

  22. Conclusion
     • WEP is totally insecure
     • Confidentiality → X
     • Access control → X
     • Data integrity → X
     • No matter if you’re using 40-bit keys or 104-bit keys (or IV)
     • CRC is useless against malicious errors (CRC detects random bit errors in transmission)
     • It is quite difficult to adopt a stream cipher for the purpose of “message integrity” or “user authentication”
     • What about Bluetooth?
