Transcript Document
Security flaws of the
WEP-Protocol
by Bastian Sopora,
Seminar Computer Security 2006
Agenda
Introduction
Basics of the WEP-Protocol
Weaknesses of WEP
Breaking WEP
Alternatives & Outlook
Summary & Discussion
Wireless Networking
ALOHAnet
1997: IEEE 802.11 (IR)
1999: IEEE 802.11b (11Mbps)
2003: IEEE 802.11g (54Mbps)
2007: IEEE 802.11n (540Mbps)
The need for security
Why do we need the WEP-Protocoll?
Wi-Fi networks use radio transmissions
prone
to eavesdropping
Mechanism to prevent outsiders from
accessing network data & traffic
using network resources
IEEE reactions
1999: Wired Equivalent Privacy (WEP)
2003: WiFi Protected Access (WPA)
Agenda
Introduction
Basics of the WEP-Protocol
Weaknesses of WEP
Breaking WEP
Alternatives & Outlook
Summary & Discussion
WEP – the basic idea
WEP = Wired Equivalent Privacy
As secure as a wired network
Part of the IEEE 802.11 standard
WEP – how it works
Encrypt all network packages using
a stream-cipher (RC4) for confidentiality
a checksum (CRC) for integrity
WEP – different flavors
Originally (1999) 64 bit:
Legal limits
24 bit Initialization Vector (IV)
40 bit key
128 bit:
104 bit (26 Hex-Characters) key
256 bit:
232 bit key
Available, but not common
Small steps?
Evolution of WEP to WEP128 to WEP256:
Initialization Vector remains at 24 bit
Encryption key size increases
Agenda
Introduction
Basics of the WEP-Protocol
Weaknesses of WEP
Breaking WEP
Alternatives & Outlook
Summary & Discussion
The major flaw
A Stream-Cipher should never use the same key
twice
The Stream-Cipher-Breakdown
E(A) = A xor C
[C is the key]
E(B) = B xor C
Compute E(A) xor E(B)
xor is commutative, hence:
E(A) xor E(B) = A xor C xor B xor C
= A xor B xor C xor C
= A xor B
The major flaw
A Stream-Cipher should never use the same key
twice...
...or else we know A xor B, which is relatively
easy to break
if both messages are in a natural language.
or
if we know one of the messages.
The WEP-repetition
For a 24 bit Initialization Vector, there is a 50%
chance of repetition after 5000 packets...
The Theory
Fluhrer, Mantin, and Shamir wrote a paper on
the WEP weakness in the RC4 implementation...
Cornell University
“Weaknesses in the Key Scheduling Algorithm of
RC4“
Agenda
Introduction
Basics of the WEP-Protocol
Weaknesses of WEP
Breaking WEP
Alternatives & Outlook
Summary & Discussion
Feasibility of attack
Practical
Cheap
Easy
Fast
Feasibility of attack
Practical
Cheap
Easy
Fast
WEP Users: time to panic!
How to do it...
Stubblefield, Ioannidis, and Rubin wrote a paper
about the implementation in 2001
Rice University & AT&T
“Using the Fluhrer, Mantin, and Shamir Attack to
Break WEP”
Only six pages!
How to do it...
Collect packets (about 6m for WEP128)
Only observe the first byte
Depends on only 3 values
(S[1], S[S[1]], S[S[1]+S[S[1]])
May be known plaintext (“0xAA“)
Try guessing the key, byte by byte
chance of 1/20 per byte
How WE do it...
Aircrack-ng
Available freely for Linux, Windows and certain
PDAs
Only requires about 1m packets for WEP128
Agenda
Introduction
Basics of the WEP-Protocol
Weaknesses of WEP
Breaking WEP
Alternatives & Outlook
Summary & Discussion
Outlook for WEP
WEP2
Enlarged IV
enforced 128-bit encryption
WEP+
Only use strong IVs
has to be used on both ends
...a dead end...
Outlook for WEP
WEP2
No change in concept, just more packets needed
WEP+
How does one enforce the client side?
...a dead end...
Alternatives
WPA, WPA2, 802.1X
48 bit IV, mutate key after certain time
Depend on an authentication server
IPsec, VPN
Tunneling and secure wrapping of packets
Agenda
Introduction
Basics of the WEP-Protocol
Weaknesses of WEP
Breaking WEP
Alternatives & Outlook
Summary & Discussion
Summary: WEP
WEP is not secure!
Faulty implementation of RC4
Developing an attack was easy
A successful attack only needs:
Off-the-shelf hardware (Laptop, Prism2)
Free software
A very short time (a few days at most)