1 / 23

WEP and 802.11i

WEP and 802.11i. J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security. Papers on WEP.

jael-elliott
Télécharger la présentation

WEP and 802.11i

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security

  2. Papers on WEP • Borisov, N., I. Goldberg, D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 16-21, 2001, ACM 2001 • Arbaugh, W.A., N. Shankar, Y.C.J. Wan, “Your 802.11 Wireless Network Has No Clothes”, http://www.cs.umd.edu/~waa/wireless.pdf , 2001

  3. What is WEP? • WEP is “Wired Equivalent Privacy” or “Wireless Encryption Protocol” • It is the original wireless security protocol for the 802.11 standard. • It uses the RC4 stream cipher, using a 64-bit key consisting of: • A 24-bit master key • A 40-bit initialization vector (IV) • It also employs a CRC integrity checksum.

  4. Main Points • Borisov, et al.: • Keystream reuse • Key management • Message authentication • Shared key authentication • Arbaugh, et al.: • Proprietary access control mechanisms • Shared key authentication

  5. Keystreams • RC4 is a stream cipher • The key is used by a pseudo-random number generator (PRNG) to generate a keystream • The keystream is XOR’ed with the plaintext and checksum to produce the ciphertext. • Whenever the same IV is used with the same master key, the keystream will be the same as well.

  6. Keystream Reuse • IV’s are transmitted in the clear! • Master keys are unlikely to be changed due to key management issues (more on this later…) • 24 bits of IV are not sufficient to avoid collisions • If IVs are assigned randomly, collisions can be expected after 5000 packets. • If IVs are assigned sequentially, collisions are inevitable if cards are re-initialized.

  7. Recovering Plaintext • Plaintexts can often be disentangled from each other. • If not, it is easy to get a known plaintext • Send an e-mail to a user on a wireless device, then sniff for it! • Decryption dictionaries can be built

  8. Key Management • WEP does not include any key management protocols! • Master keys could be one of four globally shared keys • They could also be stored in an array specifying a separate key for each device (not widely used) • Key must be updated manually • Often, one key is relied on

  9. Message Authentication • Message modification: • The checksum can be modified to reflect any changes in the ciphertext • Message injection: • Any attacker who derives the plaintext also derives the keystream! • Message rerouting: • The server authenticates the client, but not vice versa.

  10. User Authentication • WEP uses a “Shared Key Authentication” protocol to authenticate stations • Initiator requests shared key authentication • Responder sends initiator random challenge text • Initiator sends responder encrypted challenge text • Responder signals successful completion of protocol • This is supposed to prove that the initiator knows the correct key • However, if a keystream is known, no key is necessary, so anybody can authenticate!

  11. Proprietary Access Control Mechanisms • Lucent closed networks: use SSID as shared secret • Other vendors use MAC addresses • Both appear in various management frames in the clear, which is not good if they’re supposed to be secret! • Vendor key management solutions are unknown, but do not appear to be very good.

  12. Problems with RC4 • It has been known for a while that RC4 has weak keys • 1 out of every 256 • These keys can be avoided • It was discovered recently that it is easy to decrypt RC4 ciphertext if part of the key is known. • Since WEP IVs are transmitted in the clear, that means…

  13. Who Weeps for WEP? • R.I.P. WEP

  14. Now What? • IEEE is working on 802.11i to address these issues, and it should be completed shortly. • In the meantime, the Wi-Fi Alliance has released WPA (Wi-Fi Protected Access) • Intended as a stopgap measure • Eventually, RSN (Robust Secure Networks) will be released as part of 802.11i

  15. WPA • Uses TKIP (Temporal Key Integrity Protocol) for cryptography and authentication • Still uses RC4 • Several WEP flaws have been corrected, but not permanently • Key management is improved • Uses 802.1x (EAP) for authentication • Adds MIC (Message integrity check) and frame counter • Two modes: PSK and Enterprise • PSK (Pre-Shared Key) suffers from similar key-management difficulties to WEP • Enterprise Mode requires a RADIUS server

  16. RSN • Uses CCMP for cryptography • Based on CCM mode of AES • TKIP also supported if necessary • Uses 802.1x for authentication and key management

  17. Boeing: A Case Study • Two Boeing employees evaluated WPA • Good points • Bad points • What they’d like to see from RSN • How they intend to proceed

  18. Boeing: Before • Wireless network was untrusted • Outside firewall, VPN used to tunnel in • Extra layers of encryption and authentication required • Application security required • No ad-hoc networks allowed • WEP used • What else is there? • VPNs unsatisfactory • Limited availability of software, frequent restarts

  19. Boeing: Trying out WPA • Bouquets: • Supports 802.1x and PEAP • Only software update required for APs and RADIUS server • Brickbats: • No VLAN support (this was later fixed) • Only works with Windows 2000 SP3+ and XP • Boeing’s own certificates often incompatible • Configuring APs and RADIUS server difficult

  20. Boeing: State of the System • Wireless devices range from laptops to palm devices to barcode scanners to sensors • Network architecture very fluid • Assumption of one user per computer not valid • Many devices are difficult to configure

  21. Boeing: What They Want • Usable, secure, and affordable systems (in that order) • Software upgrades as opposed to hardware upgrades • Lots of authentication for users as well as devices • Secure ad-hoc, and networks that can switch easily between ad-hoc and infrastructure

  22. Boeing: Getting There from Here • Likely that three virtual LANS will be running simultaneously: • The original WEP/VPN • The just-implemented WPA • An eventual RSN • Devices will be upgraded to RSN as needed, other two VLANs will shrink through attrition

  23. Sources • Main Papers: • Arbaugh, W.A., N. Shankar, Y.C.J. Wan, “Your 802.11 Wireless Network Has No Clothes”, http://www.cs.umd.edu/~waa/wireless.pdf , 2001 • Borisov, N., I. Goldberg, D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 16-21, 2001, ACM 2001 • PowerPoint Presentations: • Whitlock, S., P. Dodd, “802.11i: The User Perspective”, NIST WLAN Security Meeting, December 4-5, 2002 • Dubrawsky, I., E. Vance, “Securing Wireless LANs”, Cisco Systems, 2002 • Other sources: • Walker, J.R., “Unsafe at Any Key Size: An Analysis of the WEP Encapsulation”, IEEE Document 802.11-00/362, Oct. 2000 • http://www.geek-faq.com

More Related