Encryption Protocols used in Wireless Networks

1. Encryption Protocols used in Wireless Networks Derrick Grooms

2. Introduction • WEP • WPA • WP2

3. History - WEP • Wired Equivalent Privacy (WEP) • WEP was part of the IEEE 802.11 standard ratified in September 1999 • Initially used a 40 bit key (for 64 bit protocol), later increased to 104 bit (for 128 bit protocol) when initial restraints on cryptography were lessened by congress • Susceptible to eavesdropping, related-key, and key guessing attacks

4. WEP - implementation • WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. • RC4 – user provides a key, the key is used to create a pseudo-random string of bits that are then XOR’d with plaintext for the cipher text • CRC-32 (cyclic redundancy check ) – same system used for DVDs and CDs • In general terms, a mathematical formula is created for a specific stream of text and appended to the string, after the text arrives the append is compared to a second calculation based on the text that arrived

5. WEP – implementation (cont.) • WEP is sound in theory but fails due to implementation • WEP fails because it uses IVs (initialization vectors) to generate uniquely different streams using the same RC4 encryption key • WEP’s IVs were not long enough to generate unique streams so every 5000 transmissions the same IV was used and with enough collected IV’s the RC4 key could be determined • IV is only 48 bits

6. WEP – implementation (cont.) • Cracking process • Once you have 2 messages that use the same IV you then have 2 cipher texts that can be XOR’d together to produce the same result that you would get by XORing the two plaintexts

7. WEP – implementation (cont.) • Cracking process • By providing your own plaintext and using the XOR’d result of the two cipher text’s you can then derive the unknown plain text

8. WEP – implementation (cont.) • Cracking process – brute force • Once the stream key is known it’s just a matter of sending stream key encrypted messages to an access point using different WEP keys until the access acknowledges you’ve used a successful WEP key

9. WEP – implementation (cont.) • Cracking process • Since it’s not possible to provide your own plaintext and receive a cipher text version without having access to the host computer, most programs use a slightly modified process to achieve the same result • RFC 1042 (SNAP headers), all IP and ARP packets always start with 0xAA, so the first few bytes of plaintext are almost always known, by collecting enough cipher text derived from the known plaintext, the stream key can eventually be determined (airsnort, WEPcrack, etc. use this method)

10. WPA - implementation • WPA was created as a temporary fix for WEP until WPA2 was fully developed • Uses 128 bit RC4 encryption key, and 48 bit IV, like WEP • Unlike WEP it addressed repeating IV’s by only a portion of the IV key to be sent • Also implemented a packet counter to insure the same packet could not be sent an unreasonable amount of times • Dynamic keying – WPA encryption keys update once in about every 10,000 packets • Not always compatible with older technology

11. WPA2 - implementation • Wi-Fi Protected Access (WPA) • Implements full IEEE 802.11i standard • Standard in wi-fi certified devices as of March 13, 2006 • Not compatible with older technology, but the new standard • Currently believed to be un-crackable

12. Questions?