230 likes | 331 Vues
WEP and 802.11i. J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security. Papers on WEP.
E N D
WEP and 802.11i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security
Papers on WEP • Borisov, N., I. Goldberg, D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 16-21, 2001, ACM 2001 • Arbaugh, W.A., N. Shankar, Y.C.J. Wan, “Your 802.11 Wireless Network Has No Clothes”, http://www.cs.umd.edu/~waa/wireless.pdf , 2001
What is WEP? • WEP is “Wired Equivalent Privacy” or “Wireless Encryption Protocol” • It is the original wireless security protocol for the 802.11 standard. • It uses the RC4 stream cipher, using a 64-bit key consisting of: • A 24-bit master key • A 40-bit initialization vector (IV) • It also employs a CRC integrity checksum.
Main Points • Borisov, et al.: • Keystream reuse • Key management • Message authentication • Shared key authentication • Arbaugh, et al.: • Proprietary access control mechanisms • Shared key authentication
Keystreams • RC4 is a stream cipher • The key is used by a pseudo-random number generator (PRNG) to generate a keystream • The keystream is XOR’ed with the plaintext and checksum to produce the ciphertext. • Whenever the same IV is used with the same master key, the keystream will be the same as well.
Keystream Reuse • IV’s are transmitted in the clear! • Master keys are unlikely to be changed due to key management issues (more on this later…) • 24 bits of IV are not sufficient to avoid collisions • If IVs are assigned randomly, collisions can be expected after 5000 packets. • If IVs are assigned sequentially, collisions are inevitable if cards are re-initialized.
Recovering Plaintext • Plaintexts can often be disentangled from each other. • If not, it is easy to get a known plaintext • Send an e-mail to a user on a wireless device, then sniff for it! • Decryption dictionaries can be built
Key Management • WEP does not include any key management protocols! • Master keys could be one of four globally shared keys • They could also be stored in an array specifying a separate key for each device (not widely used) • Key must be updated manually • Often, one key is relied on
Message Authentication • Message modification: • The checksum can be modified to reflect any changes in the ciphertext • Message injection: • Any attacker who derives the plaintext also derives the keystream! • Message rerouting: • The server authenticates the client, but not vice versa.
User Authentication • WEP uses a “Shared Key Authentication” protocol to authenticate stations • Initiator requests shared key authentication • Responder sends initiator random challenge text • Initiator sends responder encrypted challenge text • Responder signals successful completion of protocol • This is supposed to prove that the initiator knows the correct key • However, if a keystream is known, no key is necessary, so anybody can authenticate!
Proprietary Access Control Mechanisms • Lucent closed networks: use SSID as shared secret • Other vendors use MAC addresses • Both appear in various management frames in the clear, which is not good if they’re supposed to be secret! • Vendor key management solutions are unknown, but do not appear to be very good.
Problems with RC4 • It has been known for a while that RC4 has weak keys • 1 out of every 256 • These keys can be avoided • It was discovered recently that it is easy to decrypt RC4 ciphertext if part of the key is known. • Since WEP IVs are transmitted in the clear, that means…
Who Weeps for WEP? • R.I.P. WEP
Now What? • IEEE is working on 802.11i to address these issues, and it should be completed shortly. • In the meantime, the Wi-Fi Alliance has released WPA (Wi-Fi Protected Access) • Intended as a stopgap measure • Eventually, RSN (Robust Secure Networks) will be released as part of 802.11i
WPA • Uses TKIP (Temporal Key Integrity Protocol) for cryptography and authentication • Still uses RC4 • Several WEP flaws have been corrected, but not permanently • Key management is improved • Uses 802.1x (EAP) for authentication • Adds MIC (Message integrity check) and frame counter • Two modes: PSK and Enterprise • PSK (Pre-Shared Key) suffers from similar key-management difficulties to WEP • Enterprise Mode requires a RADIUS server
RSN • Uses CCMP for cryptography • Based on CCM mode of AES • TKIP also supported if necessary • Uses 802.1x for authentication and key management
Boeing: A Case Study • Two Boeing employees evaluated WPA • Good points • Bad points • What they’d like to see from RSN • How they intend to proceed
Boeing: Before • Wireless network was untrusted • Outside firewall, VPN used to tunnel in • Extra layers of encryption and authentication required • Application security required • No ad-hoc networks allowed • WEP used • What else is there? • VPNs unsatisfactory • Limited availability of software, frequent restarts
Boeing: Trying out WPA • Bouquets: • Supports 802.1x and PEAP • Only software update required for APs and RADIUS server • Brickbats: • No VLAN support (this was later fixed) • Only works with Windows 2000 SP3+ and XP • Boeing’s own certificates often incompatible • Configuring APs and RADIUS server difficult
Boeing: State of the System • Wireless devices range from laptops to palm devices to barcode scanners to sensors • Network architecture very fluid • Assumption of one user per computer not valid • Many devices are difficult to configure
Boeing: What They Want • Usable, secure, and affordable systems (in that order) • Software upgrades as opposed to hardware upgrades • Lots of authentication for users as well as devices • Secure ad-hoc, and networks that can switch easily between ad-hoc and infrastructure
Boeing: Getting There from Here • Likely that three virtual LANS will be running simultaneously: • The original WEP/VPN • The just-implemented WPA • An eventual RSN • Devices will be upgraded to RSN as needed, other two VLANs will shrink through attrition
Sources • Main Papers: • Arbaugh, W.A., N. Shankar, Y.C.J. Wan, “Your 802.11 Wireless Network Has No Clothes”, http://www.cs.umd.edu/~waa/wireless.pdf , 2001 • Borisov, N., I. Goldberg, D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, July 16-21, 2001, ACM 2001 • PowerPoint Presentations: • Whitlock, S., P. Dodd, “802.11i: The User Perspective”, NIST WLAN Security Meeting, December 4-5, 2002 • Dubrawsky, I., E. Vance, “Securing Wireless LANs”, Cisco Systems, 2002 • Other sources: • Walker, J.R., “Unsafe at Any Key Size: An Analysis of the WEP Encapsulation”, IEEE Document 802.11-00/362, Oct. 2000 • http://www.geek-faq.com