Transcript Document
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006 Agenda Introduction Basics of the WEP-Protocol Weaknesses of WEP Breaking WEP Alternatives & Outlook Summary & Discussion Wireless Networking ALOHAnet 1997: IEEE 802.11 (IR) 1999: IEEE 802.11b (11Mbps) 2003: IEEE 802.11g (54Mbps) 2007: IEEE 802.11n (540Mbps) The need for security Why do we need the WEP-Protocoll? Wi-Fi networks use radio transmissions prone to eavesdropping Mechanism to prevent outsiders from accessing network data & traffic using network resources IEEE reactions 1999: Wired Equivalent Privacy (WEP) 2003: WiFi Protected Access (WPA) Agenda Introduction Basics of the WEP-Protocol Weaknesses of WEP Breaking WEP Alternatives & Outlook Summary & Discussion WEP – the basic idea WEP = Wired Equivalent Privacy As secure as a wired network Part of the IEEE 802.11 standard WEP – how it works Encrypt all network packages using a stream-cipher (RC4) for confidentiality a checksum (CRC) for integrity WEP – different flavors Originally (1999) 64 bit: Legal limits 24 bit Initialization Vector (IV) 40 bit key 128 bit: 104 bit (26 Hex-Characters) key 256 bit: 232 bit key Available, but not common Small steps? Evolution of WEP to WEP128 to WEP256: Initialization Vector remains at 24 bit Encryption key size increases Agenda Introduction Basics of the WEP-Protocol Weaknesses of WEP Breaking WEP Alternatives & Outlook Summary & Discussion The major flaw A Stream-Cipher should never use the same key twice The Stream-Cipher-Breakdown E(A) = A xor C [C is the key] E(B) = B xor C Compute E(A) xor E(B) xor is commutative, hence: E(A) xor E(B) = A xor C xor B xor C = A xor B xor C xor C = A xor B The major flaw A Stream-Cipher should never use the same key twice... ...or else we know A xor B, which is relatively easy to break if both messages are in a natural language. or if we know one of the messages. The WEP-repetition For a 24 bit Initialization Vector, there is a 50% chance of repetition after 5000 packets... The Theory Fluhrer, Mantin, and Shamir wrote a paper on the WEP weakness in the RC4 implementation... Cornell University “Weaknesses in the Key Scheduling Algorithm of RC4“ Agenda Introduction Basics of the WEP-Protocol Weaknesses of WEP Breaking WEP Alternatives & Outlook Summary & Discussion Feasibility of attack Practical Cheap Easy Fast Feasibility of attack Practical Cheap Easy Fast WEP Users: time to panic! How to do it... Stubblefield, Ioannidis, and Rubin wrote a paper about the implementation in 2001 Rice University & AT&T “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP” Only six pages! How to do it... Collect packets (about 6m for WEP128) Only observe the first byte Depends on only 3 values (S[1], S[S[1]], S[S[1]+S[S[1]]) May be known plaintext (“0xAA“) Try guessing the key, byte by byte chance of 1/20 per byte How WE do it... Aircrack-ng Available freely for Linux, Windows and certain PDAs Only requires about 1m packets for WEP128 Agenda Introduction Basics of the WEP-Protocol Weaknesses of WEP Breaking WEP Alternatives & Outlook Summary & Discussion Outlook for WEP WEP2 Enlarged IV enforced 128-bit encryption WEP+ Only use strong IVs has to be used on both ends ...a dead end... Outlook for WEP WEP2 No change in concept, just more packets needed WEP+ How does one enforce the client side? ...a dead end... Alternatives WPA, WPA2, 802.1X 48 bit IV, mutate key after certain time Depend on an authentication server IPsec, VPN Tunneling and secure wrapping of packets Agenda Introduction Basics of the WEP-Protocol Weaknesses of WEP Breaking WEP Alternatives & Outlook Summary & Discussion Summary: WEP WEP is not secure! Faulty implementation of RC4 Developing an attack was easy A successful attack only needs: Off-the-shelf hardware (Laptop, Prism2) Free software A very short time (a few days at most)