WEP – Wireless Encryption Protocol
A. Gabriel W. Daleson
CS 610 – Advanced Security
Portland State University
WEP – Wired Equivalent Privacy
WEP: Weak Encryption Protocol
“It seemed like a good idea at the time”
• Let’s make it at least as difficult to eavesdrop on wireless traffic as wired traffic…
• …which, by the way, is not that hard to eavesdrop on to begin with.
• So, instead, let’s just add some neat encryption to 802.11 a/b/g.
Ideas, Good and Bad
• WEP is based on RC4
• RC4 is a stream cipher
• We use an initialization vector (IV)
In the Beginning, there was the Plan (for WEP-PSK)
Alice and Bob share a private shared key (PSK) K, and Alice wants to send Bob the message m.
1. Alice calculates m1, the message m followed by its CRC.
2. Alice takes an IV v and uses the stream RC4(v,K) to generate a session key k of the same length as m1.
In the Beginning, there was the Plan (for WEP-PSK) cont.
3. Alice sends Bob the ciphertext (v,k XOR m1).
• Alice picks a new IV for each packet.
RC4
• RC4 is old. (1987)
• There are known attacks, including a weak key being generated with probability 1 in 256.
• RC4 is a stream cipher; we’re probably much better off with a block cipher for this sort of application.
Initialization Vectors
• The only requirement of the IV is that it be 24 bits long.
• Some Wi-Fi cards start with an IV of 0x000000 when they’re plugged in and just increment the IV with each packet sent.
• It’s perfectly legal WEP to never change the IV at all!
More Initialization Vectors
• Even if the IVs are chosen randomly, the Birthday Paradox tells us that the chance of finding two packets with the same IV is 1 in 2^12.
THE 11TH COMMANDMENT
Thou shalt not encrypt two plaintexts with the same key, lest Eve and her Evil Empire crack your code and make a fool of ye. (Shamir 17:29)
Why?
• Suppose – f’rinstance – Alice used WEP with the same IV on two messages, m and n, and sent Bob (and thus Eve) the ciphertexts M and N.
Why? cont. 1
• Eve – thanks to the fact that the IVs are included as plaintext along with the ciphertexts – will detect this awful mistake, and note that M = m XOR k and N = n XOR k.
• Eve will then calculate M XOR N, and the two ks will cancel out; this is just m XOR n.
Why? cont. 2
• If Eve was able to mount a known plaintext attack, she now has the other plaintext.
• Even if she wasn’t, the plaintexts will be patterned enough that simple frequency analysis can get both.
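The Plan (steps 1–3) and the IV-reuse argument above, as an added worked example that is not part of the original slides. It assumes the standard WEP details the slides leave out: the RC4 seed is the IV followed by the key, and the CRC is CRC-32 appended little-endian. The key, IV and messages are constructed sample data.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # output generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_seal(iv: bytes, psk: bytes, m: bytes):
    """Steps 1-3: m1 = m || CRC-32(m); k = RC4(v, K); send (v, k XOR m1)."""
    m1 = m + zlib.crc32(m).to_bytes(4, "little")
    return iv, xor(m1, rc4(iv + psk, len(m1)))

def wep_open(iv: bytes, psk: bytes, ct: bytes) -> bytes:
    """Bob's side: regenerate k from the cleartext IV, then check the CRC."""
    m1 = xor(ct, rc4(iv + psk, len(ct)))
    m, crc = m1[:-4], m1[-4:]
    if zlib.crc32(m).to_bytes(4, "little") != crc:
        raise ValueError("CRC mismatch")
    return m

def xor_of_plaintexts(frame_a, frame_b) -> bytes:
    """What an eavesdropper learns from two frames with equal IVs: m1 XOR n1."""
    (iv_a, ct_a), (iv_b, ct_b) = frame_a, frame_b
    if iv_a != iv_b:
        raise ValueError("different IVs: keystreams do not cancel")
    return xor(ct_a, ct_b)

# Constructed sample data (not from the slides).
PSK = bytes.fromhex("0102030405")            # 40-bit key K
IV = bytes.fromhex("000001")                 # 24-bit IV v, reused for both frames
m, n = b"GET /index.html ", b"user=alice&pin=7"
M, N = wep_seal(IV, PSK, m), wep_seal(IV, PSK, n)
leak = xor_of_plaintexts(M, N)               # k cancels: this is m1 XOR n1
recovered_n = xor(leak[:len(m)], m)          # known m yields n without the key
```

Note that K never appears in the last two lines: the leak depends only on the IV being repeated, which is why a longer or more random PSK does not help.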
The IV Dictionary Attack
• Eve thus sits and sniffs traffic, building a dictionary of ciphertexts, IVs, and keys (once she gets them).
• Every collision of IVs makes her job easier.
• She gets matches in virtually every other set of 4096 packets.
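The birthday estimate behind these numbers, as an added example that is not part of the original slides. It assumes IVs are drawn uniformly at random from the 24-bit space, computes the exact repeat probability for a given packet count, and checks it against a seeded simulation.

```python
import math
import random

IV_SPACE = 2 ** 24          # WEP IVs are 24 bits

def p_collision(packets: int, space: int = IV_SPACE) -> float:
    """Exact probability that `packets` uniformly random IVs contain a repeat."""
    if packets > space:
        return 1.0
    # log of prod_{i=0}^{packets-1} (1 - i/space), summed for numerical stability
    log_no_repeat = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)

def packets_for(probability: float, space: int = IV_SPACE) -> int:
    """Smallest packet count whose repeat probability reaches `probability` (< 1)."""
    hi = 1
    while p_collision(hi, space) < probability:   # grow until the target is passed
        hi *= 2
    lo = hi // 2                                  # p_collision(lo) is below target
    while lo + 1 < hi:                            # bisect: probability is monotone
        mid = (lo + hi) // 2
        if p_collision(mid, space) >= probability:
            hi = mid
        else:
            lo = mid
    return hi

def first_repeat(rng: random.Random, space: int = IV_SPACE) -> int:
    """Simulate one sender with random IVs; return the packet number of the first reuse."""
    seen = set()
    while True:
        iv = rng.randrange(space)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

def mean_first_repeat(trials: int, seed: int = 610) -> float:
    """Average packet number of the first IV reuse over `trials` simulated senders."""
    rng = random.Random(seed)
    return sum(first_repeat(rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print(f"P(repeat within 4096 packets) = {p_collision(4096):.3f}")
    print(f"packets for a 50% chance      = {packets_for(0.5)}")
    print(f"simulated mean first repeat   = {mean_first_repeat(200):.0f}")
```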
Other issues
• If the AP requires WEP use, Eve can use the keys she finds to encrypt her own messages and thus inject traffic.
• The PSK is no defense; even if it’s perfectly random and 4096 bits long, there will still only be 2^24 streams in use.
Defenses
• The problem is that there aren’t enough streams, right?
• So make some more!
• Only problem is, now it’s no longer WEP as far as the standard is concerned.
Easy Defense 1
• Instead of using a static PSK and only 2^24 IVs, make more of the key vary from packet to packet.
• This is basically how SSL does it. (There, the whole 128-bit key can be random.)
Easy Defense 2
• Get rid of RC4. (Use AES instead.)
• At least, no stream ciphers.
• Big benefit! No longer stuck using ECB mode – feedback modes like CBC are possible.
One Last Note
• Where is encryption (or security, for that matter) in the OSI stack?
• To use feedback modes, we need the guarantee of linearity – which TCP promises.
• So why are we doing this down in the link layer?
The OSI Stack
• 802.11 a/b/g + WEP, TCP, and IPSec
• In which layer(s) of the stack should we include confidentiality? integrity? linearity? Should these be restricted to certain layers?