Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring...
-
date post
19-Dec-2015 -
Category
Documents
-
view
232 -
download
1
Transcript of Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring...
Intercepting Mobiles Communications: The Insecurity of 802.11
Danny BicksonACNS Course, IDCSpring 2007
Resources Borisov, Goldberg, Wagner. Intercepting
mobile communications: the insecurity of 802.11. the 7th annual international conference on Mobile computing and networking. http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf
• Guillaume LehembreWifi Security: WEP, WPA and WPA2http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf
WEP Protocol WEP – Wired Equivalent Privacy Wireless standard 802.11 Link layer Protocol goals:
Confidentiality: prevent eavesdropping Access control: prevent unauthorized access Data integrity: prevent tampering of messages
We show that none of the security goals are attained
Network Model
Internet
WEP Algorithm Encryption
Message CRC(M)
RC4(k,IV)
CipherIV
WEP AlgorithmDecryption
Message CRC(M)
RC4(k,IV)
CipherIV
Confidentiality
Stream cipher properties Given two ciphers C1,C2 –
C1 C2 = P1 P2. Keystream reuse can lead to a number of attacks:
If plaintext of one message is known, the other is immediately obtainable.
In the general case, known techniques for breaking reused keystreams.
As the number of reused keystream increases breaking them becomes easier.
Two conditions required for this class of attcks to succeed: Availability of ciphertexts where keystream is used
more than once. Partial knowledge of some of the plain texts.
Finding instances of keystream reuse
Shared key k changes rarely. Reuse of IV causes reuse of
keystream. IV are public.
IV Usage Standard recommends (but not requires)
change of IV. Common PCMCIA cards sets IV to zero and
increment it by 1 for each packet. IV size is only 24 bits. Busy access point of 5Mbps will exhaust
available space in 11 hours. Birthday paradox: on random IV selection
5000 packets are needed w.h.p. to find a collision
Exploiting keystream reuse
Many fields of IP traffic are predictable.For example: login sequences.Active attack (known plaintext)
Decryption dictionaries
Once plaintext of encrypted message is obtained, keystream value stored in
dictionary.Full table requires 24GBSize of dictionary does not depend of
size of key
Key management
Message Authentication
Message modification Message injection
Message Modification
Checksum used is CRC-32 which is a linear function of the message:
In other words, checksum distributes over the XOR operation.C(x y) = C(x) C(y)
RC4 stream cipher also linear.
The attackGiven C we would like to create C’ s.t.
C’ decrypts to M’ instead of M.
Message CRC(M)
RC4(k,IV)
Cipher CRC()
CRC()
=
Message CRC(M)RC4(k,IV)
CRC()=
RC4(k,IV) ’ CRC(’)
=
Message Injection
WEP checksum is an unkeyed function of the message.
After knowing one keystream we can use it forever.C’ = <M’, CRC(M’)> RC4(IV,k)
Other attacks
IP redirection.Assumption: Destination address is known.
IP redirection (cont.)
Need to calculate IP checksum Several options
IP checksum for original packet is known Original IP checksum is not known Compensate by changing another IP field
Reaction Attack Works only for TCP protocol Pick i at random, let be all zeros,
except for positions i and i+16.Calc C’ = C Two options:1. Got an acknowledgment, Pi Pi+16 = 1
2. Else Pi Pi+16 = 0 Each test reveals 1 bit of information
Example attacks
ARP Request
Conclusion
Design of security protocols is difficult (more than the design of network protocols)
Combining several secure algorithms does not mean that the result is secure
Engineering perspective dictated selection of cryptographic algorithms
Fixing WEP
WPA – Wi-Fi Protected Accessand 802.11i
WPA WPA – Wi-Fi Protected Access
Draft security enhancements for 802.11 A subset of the 802.11i proposed standard Proposed by IEEE 802.11 TGi (Task Group i)
Design goals Preserve packet format Work with deployed 802.11 hardware in AP and NICs
Composed of two components Authentication and master key generation– 802.1X TKIP (Temporal Key Integrity Protocol) - Temporal key
generation, Confidentiality and Integrity
802.11i A proposed standard Defines authentication, key management,
confidentiality, integrity and encapsulations for 802.11
Includes WEP (current implemented)
Encryption: RC4; Integrity: CRC-32 TKIP (temporary solution)
Encryption: RC4; Integrity: Michael WRAP (Wireless Robust Authenticated Protocol)
Encryption: AES; Integrity: HMAC-MD5
TKIP – Temporal Key Integrity Protocol
TKIP Components
TKIP is a wrapper around WEP A cryptographic MIC (Message
Integrity Code) A per-packet sequence number A per-packet key mixing function A rekeying mechanism (802.1X)
TKIP MIC MICHAEL the MIC function is designed for
very low bandwidth CPU (the ones that are used by the Access Point)
Key length – 64 bits The MIC is computed over the source
address, the destination address and the data Protects against packet modification (e.g. bit
flipping) Protects against header forgery
WEP with Enabled MIC
IV
802.11 Header
00
08
16
24
KeyID
ICV
Data
RC4
Encrypted
IV fields
802 Header (SNAP+LLC)
MIC
=CRC
=MAC
TKIP Sequence Counter The station and the Access Point maintain a TKIP
sequence counter The transmitter increments the TKIP sequence
counter each time it sends a packet The counters are reset when new temporal keys are
established The sequence counter is mixed with the temporal
key and the transmitter MAC address to create a RC4 seed key
On receipt the receiver de-mixed the key and checks that the resulting counter is indeed greater than the all the sequence counter that were encountered during this temporal key usage
Protects against replay attack
TKIP Keys
TKIP is using temporal keys The station and the Access Point
periodically exchange temporal keys Four keys
One Integrity (MIC) and one Encryption key per direction
TKIP ENCAPSULATION
TKIP Encapsulation Calculate the 64 bits MIC with the MIC temporal
key, over the source and destination addresses. The MIC is inserted into the message data
The sequence number, the MAC address and the temporal key are mixed to create a 128 bits RC4 seed key
The first three bytes of the key are stored in the IV field
The remaining 13 bytes are stored in a free WEP key buffer
The packet is sent to WEP processing
TKIP DECAPSULATION
TKIP Decapsulation The IV and the temporal key are concatenated, to
create the RC4 seed key The key is de-mixed – to create the TKIP sequence
counter. The counter is checked to be in sequence The key, the IV and the data are sent for WEP
decapsulation After RC4 decryption, the MIC, with the temporal
MIC key, is computed over the source and destination addressed and the decrypted packet , and is compared to the MIC field in the packet
TKIP Notes The TKIP temporal key must be exchanged
every less then 216 packets, since the key mixing can produce 216 different IVs
The MIC and key mixing algorithms are cryptographically weak But, all the WEP known problems are solved TKIP is a temporary solution – until NICs and APs
with new hardware arrives to the market The 802.11i uses AES encryption