280 likes | 290 Vues
This seminar discusses the basics of the WEP protocol, its weaknesses, ways to break it, alternative security options, and an outlook on its future. It highlights the major flaw of WEP and presents feasible ways to attack it.
E N D
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
Wireless Networking • ALOHAnet • 1997: IEEE 802.11 (IR) • 1999: IEEE 802.11b (11Mbps) • 2003: IEEE 802.11g (54Mbps) • 2007: IEEE 802.11n (540Mbps)
The need for security • Why do we need the WEP-Protocoll? • Wi-Fi networks use radio transmissions • prone to eavesdropping • Mechanism to prevent outsiders from • accessing network data & traffic • using network resources
IEEE reactions • 1999: Wired Equivalent Privacy (WEP) • 2003: WiFi Protected Access (WPA)
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
WEP – the basic idea • WEP = Wired Equivalent Privacy • As secure as a wired network • Part of the IEEE 802.11 standard
WEP – how it works • Encrypt all network packages using • a stream-cipher (RC4) for confidentiality • a checksum (CRC) for integrity
WEP – different flavors • Originally (1999) 64 bit: • Legal limits • 24 bit Initialization Vector (IV) • 40 bit key • 128 bit: • 104 bit (26 Hex-Characters) key • 256 bit: • 232 bit key • Available, but not common
Small steps? Evolution of WEP to WEP128 to WEP256: • Initialization Vector remains at 24 bit • Encryption key size increases
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
The major flaw • A Stream-Cipher should never use the same key twice
The Stream-Cipher-Breakdown • E(A) = A xor C [C is the key] E(B) = B xor C • Compute E(A) xor E(B) xor is commutative, hence: E(A) xor E(B) = A xor C xor B xor C = A xor B xor C xor C = A xor B
The major flaw • A Stream-Cipher should never use the same key twice... • ...or else we know A xor B, which is relatively easy to break • if both messages are in a natural language. or • if we know one of the messages.
The WEP-repetition • For a 24 bit Initialization Vector, there is a 50% chance of repetition after 5000 packets...
The Theory • Fluhrer, Mantin, and Shamir wrote a paper on the WEP weakness in the RC4 implementation... • Cornell University • “Weaknesses in the Key Scheduling Algorithm of RC4“
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
Feasibility of attack • Practical • Cheap • Easy • Fast
Feasibility of attack • Practical • Cheap • Easy • Fast • WEP Users: time to panic!
How to do it... • Stubblefield, Ioannidis, and Rubin wrote a paper about the implementation in 2001 • Rice University & AT&T • “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP” • Only six pages!
How to do it... • Collect packets (about 6m for WEP128) • Only observe the first byte • Depends on only 3 values (S[1], S[S[1]], S[S[1]+S[S[1]]) • May be known plaintext (“0xAA“) • Try guessing the key, byte by byte • chance of 1/20 per byte
How WE do it... • Aircrack-ng • Available freely for Linux, Windows and certain PDAs • Only requires about 1m packets for WEP128
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
Outlook for WEP • WEP2 • Enlarged IV • enforced 128-bit encryption • WEP+ • Only use strong IVs • has to be used on both ends ...a dead end...
Outlook for WEP • WEP2 • No change in concept, just more packets needed • WEP+ • How does one enforce the client side? ...a dead end...
Alternatives • WPA, WPA2, 802.1X • 48 bit IV, mutate key after certain time • Depend on an authentication server • IPsec, VPN • Tunneling and secure wrapping of packets
Agenda • Introduction • Basics of the WEP-Protocol • Weaknesses of WEP • Breaking WEP • Alternatives & Outlook • Summary & Discussion
Summary: WEP • WEP is not secure! • Faulty implementation of RC4 • Developing an attack was easy • A successful attack only needs: • Off-the-shelf hardware (Laptop, Prism2) • Free software • A very short time (a few days at most)