WEP, WPA, and EAP

Drew Kalina

Overview

Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA) Extensible Authentication Protocol

(EAP)

WEP

Encryption method: RC4 Key size: 40 bits Hash method: ICV 802.11x authentication: optional Key distribution: manual

WEP Vulnerabilities

ICV insecure – based on CRC32 (bad) ICV can be modified to match message

contents IV key reuse attack

Small IV allows this IV sent as plaintext

WEP Vulnerabilities (cont)

Known plaintext attack Lots of unencrypted TCP/IP traffic Send pings from internet to access point String length N can be recovered for a

given IV Packets of size N can be forged using IV

WEP Vulnerabilities (cont)

Partial Known Plaintext Only a portion of message is known (e.g.

IP header) Can recover M octets of key stream

where M<N Extend then known key stream from M to

N through probing Divert packets to attacker by flipping

CRC32 bits

WEP Vulnerabilities (cont) Authentication forging

Use recovered key stream and IV because client specifies IV

Dictionary attacks Key derived from vulnerable password

Realtime decryption Dictionary of IVs and keystreams Only 2^24 possibilities Can be stored in 24GB disk space

WEP summary

Weak encryption with other problems If possible, use some other protocol Still better than plaintext

WPA

Encryption method: RC4, TKIP Key size: 128 bits (varies) Hash method: ICV, Michael 802.11x authentication: can be

required Key distribution: TKIP

WPA (cont) Michael generates MIC (Message

Integrity Code) 8 bits Placed between data and ICV

TKIP (Temporal Key Integral Protocol) Resolves keys to be used, looks at

client’s configuration Changes encryption key every frame Sets unique default key for each client

WPA Vulnerabilities

Birthday attack Get a pair D,M where D1 = MIC(M1) When Di = D1 where Di != 1, attack is

successful Probability for success: 2^32 If keys change during attack, forgery is

garbage

WPA Vulnerabilities (cont) Differential cryptanalytic attack

Michael results have special characteristics

M = Mi XOR Mj and D = Di XOR Dj called characteristic differentials

After characteristic differentials obtained, try to find MIC (learn parts of the key)

Probability of success 2^30 Optimal attack exists with O(2^29)

WPA Vulnerabilities (cont)

Temporal Key Lost RC4 Keys Can discover TK and MIC Can forge messages Not a practical attack, O(2^105) Does show susceptibility in parts of WPA

WPA Vulnerabilities (cont) DOS

Access point shuts down for 60 seconds if forged unauthorized data detected

Possible to shut access points with little network activity

PSK Used in absence of 802.1x, 1 per ESS (usually). Internal person can use this, and a captured MAC

address/nonce to imitate another client Vulnerable to external dictionary attacks, if short

WPA summary

Much better than WEP (if 802.1x) WEP2 even better using AES-CCMP There are still vulnerabilities Many WEP devices are upgradeable to

WPA (not WPA2)

Suggestions for WPA

Rekey security associations after failures

Lower/eliminate timeouts after detecting forged packets Currently would take 1000+ years to

break with 60 second timeouts

EAP

Transmission method and framework for authentication protocols

Works with many authen. protocols such as RADIUS, Kerberos.

Uses a variety of transport methods

EAP Transport methods

EAP-TLS EAP-TTLS PEAP (Protected EAP) LEAP (Light EAP)

Vulnerabilities in LEAP

Dictionary attack Early versions of MS-CHAP weak

That’s all!