EverLab Workshop, June 7-8, 2006, Jerusalem Working with PlanetLab/EverLab Danny Bickson.
Intercepting Mobiles Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner...
-
Upload
winfred-mcdaniel -
Category
Documents
-
view
215 -
download
2
Transcript of Intercepting Mobiles Communications: The Insecurity of 802.11 ► Paper by Borisov, Goldberg, Wagner...
Intercepting Mobiles Intercepting Mobiles Communications: Communications:
The Insecurity of 802.11The Insecurity of 802.11
►Paper by Borisov, Goldberg, Paper by Borisov, Goldberg, Wagner – Berkley – MobiCom 2001Wagner – Berkley – MobiCom 2001
►Lecture by Danny BicksonLecture by Danny Bickson
21.3.0421.3.04
WEP ProtocolWEP Protocol
► WEP – Wired Equivalent PrivacyWEP – Wired Equivalent Privacy► Wireless standard 802.11Wireless standard 802.11► Link layerLink layer► Protocol goals:Protocol goals:
Confidentiality: prevent eavesdroppingConfidentiality: prevent eavesdropping Access control: prevent unauthorized accessAccess control: prevent unauthorized access Data integrity: prevent tampering of messagesData integrity: prevent tampering of messages
► We show that none of the security goals are We show that none of the security goals are attainedattained
Network ModelNetwork Model
Internet
WEP Algorithm WEP Algorithm EncryptionEncryption
Message CRC(M)
RC4(k,IV)
CipherIV
WEP AlgorithmWEP AlgorithmDecryptionDecryption
Message CRC(M)
RC4(k,IV)
CipherIV
ConfidentialityConfidentiality
Stream cipher propertiesStream cipher properties► Given two ciphers CGiven two ciphers C11,C,C22 – –
CC11 C C22 = P = P11 P P22..► Keystream reuse can lead to a number of Keystream reuse can lead to a number of
attacks:attacks: If plaintext of one message is known, the other is If plaintext of one message is known, the other is
immediately obtainable.immediately obtainable. In the general case, known techniques for breaking In the general case, known techniques for breaking
reused keystreams.reused keystreams. As the number of reused keystream increases As the number of reused keystream increases
breaking them becomes easier.breaking them becomes easier.► Two conditions required for this class of attcks Two conditions required for this class of attcks
to succeed:to succeed: Availability of ciphertexts where keystream is used Availability of ciphertexts where keystream is used
more than once.more than once. Partial knowledge of some of the plain texts.Partial knowledge of some of the plain texts.
Finding instances of Finding instances of keystream reusekeystream reuse
►Shared key k changes rarely.Shared key k changes rarely.►Reuse of IV causes reuse of Reuse of IV causes reuse of
keystream.keystream.► IV are public.IV are public.
IV UsageIV Usage► Standard recommends (but not requires) Standard recommends (but not requires)
change of IV.change of IV.► Common PCMCIA cards sets IV to zero and Common PCMCIA cards sets IV to zero and
increment it by 1 for each packet.increment it by 1 for each packet.► IV size is only 24 bits.IV size is only 24 bits.► Busy access point of 5Mbps will exhaust Busy access point of 5Mbps will exhaust
available space in 11 hours.available space in 11 hours.► Birthday paradox: on random IV selection Birthday paradox: on random IV selection
5000 packets are needed w.h.p. to find a 5000 packets are needed w.h.p. to find a collisioncollision
Exploiting keystream reuseExploiting keystream reuse
► Many fields of IP traffic are predictable.Many fields of IP traffic are predictable.► For example: login sequences.For example: login sequences.► Active attack (known plaintext)Active attack (known plaintext)
Decryption dictionariesDecryption dictionaries
►Once plaintext of encrypted message Once plaintext of encrypted message is obtained, keystream value stored in is obtained, keystream value stored in dictionary.dictionary.
►Full table requires 24GBFull table requires 24GB►Size of dictionary does not depend of Size of dictionary does not depend of
size of keysize of key
Key managementKey management
Message AuthenticationMessage Authentication
►Message modificationMessage modification►Message injectionMessage injection
Message ModificationMessage Modification
►Checksum used is CRC-32 which is a Checksum used is CRC-32 which is a linear function of the message:linear function of the message:
► In other words, checksum distributes In other words, checksum distributes over the XOR operation.over the XOR operation.
C(x C(x y) = C(x) y) = C(x) C(y) C(y)►RC4 stream cipher also linear.RC4 stream cipher also linear.
The attackThe attackGiven C we would like to create C’ Given C we would like to create C’
s.t. C’ decrypts to M’ instead of M.s.t. C’ decrypts to M’ instead of M.
Message CRC(M)
RC4(k,IV)
Cipher CRC()
CRC()
=
Message CRC(M)RC4(k,IV)
CRC()=
RC4(k,IV) ’ CRC(’)
=
Relation to GSMRelation to GSM
Encryption:
C = G(M) A5/2(IV,k)
Decryption:
1. G(M) = C A5/2 (IV,k)
2. H(G(M)) = 0 ?
3. M = G-1(G(M))
Attack on GSMAttack on GSM
H(C) = H(C) =
H(A5/2(Iv, k) H(A5/2(Iv, k) G(M)) = G(M)) =
H(A5/2(IV,k)) H(A5/2(IV,k)) H(G(M)) = H(G(M)) =
H(A5/2(IV,k)) H(A5/2(IV,k)) 0 = 0 =
H(A5/2(IV,k)) H(A5/2(IV,k))
Message InjectionMessage Injection
►WEP checksum is an unkeyed function WEP checksum is an unkeyed function of the message.of the message.
►After knowing one keystream we can After knowing one keystream we can use it forever.use it forever.
C’ = <M’, CRC(M’)> C’ = <M’, CRC(M’)> RC4(IV,k) RC4(IV,k)
Other attacksOther attacks
► IP redirection.IP redirection.
Assumption: Destination address is Assumption: Destination address is known.known.
IP redirection (cont.)IP redirection (cont.)
►Need to calculate IP checksumNeed to calculate IP checksum►Several optionsSeveral options
IP checksum for original packet is knownIP checksum for original packet is known Original IP checksum is not knownOriginal IP checksum is not known Compensate by changing another IP fieldCompensate by changing another IP field
Reaction AttackReaction Attack
►Works only for TCP protocolWorks only for TCP protocol►Pick i at random, let Pick i at random, let be all zeros, be all zeros,
except for positions i and i+16.except for positions i and i+16.Calc C’ = C Calc C’ = C Two options:Two options:
1. Got an acknowledgment, P1. Got an acknowledgment, Pii P Pi+16i+16 = 1 = 1
2. Else P2. Else Pii P Pi+16i+16 = 0 = 0►Each test reveals 1 bit of informationEach test reveals 1 bit of information
ConclusionConclusion
►Design of security protocols is difficult Design of security protocols is difficult (more than the design of network (more than the design of network protocols)protocols)
►Combining several secure algorithms Combining several secure algorithms does not mean that the result is does not mean that the result is securesecure
►Engineering perspective dictated Engineering perspective dictated selection of cryptographic algorithmsselection of cryptographic algorithms
THE ENDTHE END
►Thank You!Thank You!