![Page 1: WEP Weaknesses Or “What on Earth does this Protect” Roy Werber](https://reader031.vdocuments.pub/reader031/viewer/2022032703/56649d355503460f94a0cdc5/html5/thumbnails/1.jpg)
Slide 1: WEP Weaknesses, or “What on Earth does this Protect”
Roy Werber
Slide 2: Goals
• Authorization – prevent unauthorized access to the network
• Privacy – the P in WEP
  – Make it feel like a LAN
  – Maintain data privacy from outsiders
Slide 3: Basic Flaws
• Bad design – each component is good on its own, but not suited to a datagram environment
• No key management – one key for all
• Bad implementation
Slide 4: Stream Ciphers
• C = P ⊕ S
• Key streams must never be reused
  – C1 ⊕ C2 = (P1 ⊕ S) ⊕ (P2 ⊕ S) = P1 ⊕ P2
• Forgery is easy – bit-flip attack
  – If M2 = M1 ⊕ X
  – then C2 = C1 ⊕ X
Slide 5: Stream Ciphers and Datagrams
• Key streams must never be reused
• Encryptor and decryptor must remain synchronized
• Bad for a datagram environment
• Without a random-access property, the encryption process starts over for each packet
• Different key for each packet
Slide 6: WEP Solution
• ICV – prevents forgery
  – A checksum on the data prevents bit flipping
• IV – prevents key reuse
  – Each packet uses a new key that starts a new stream
Slide 7: ICV Prevents Forgery?
• Uses a CRC-32 checksum
• CRC-32 is linear:
  – CRC(A ⊕ B) = CRC(A) ⊕ CRC(B)
• RC4 is transparent to XOR
  – C = RC4([M, CRC(M)])
  – C′ = C ⊕ [X, CRC(X)]
       = [M, CRC(M)] ⊕ S ⊕ [X, CRC(X)]
       = RC4([M ⊕ X, CRC(M ⊕ X)])
Slide 8: IV Prevents Key Reuse?
• IV space is very small: 2^24
• Birthday attack:
  – 50% chance of a collision after only 4823 packets
  – 99% chance of a collision after 12,430 packets = 3 seconds of 11 Mbps traffic
  – Assuming random IV selection (some implementations used the IV as a counter starting from 0)
  – Assuming the IV changes at all; changing it is optional
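The birthday numbers on this slide reproduced in Python, as an added example that is not part of Roy Werber's deck: an exact product over the 24-bit IV space gives the 4823 and 12,430 packet counts, and the closed-form sqrt(2N ln(1/(1-p))) approximation lets the same check be run for other IV sizes. The function names are mine.

```python
import math

IV_SPACE = 2 ** 24  # WEP's 24-bit IV: only this many per-packet key streams exist

def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    # Exact birthday probability that at least two of `packets` random IVs coincide:
    # P(no reuse) = prod_{i < packets} (1 - i/space)
    no_reuse = 1.0
    for i in range(packets):
        no_reuse *= 1.0 - i / space
    return 1.0 - no_reuse

def packets_for_collision(prob: float, space: int = IV_SPACE) -> int:
    # Smallest number of random IVs for which P(at least one reuse) >= prob, 0 < prob < 1
    if not 0.0 < prob < 1.0:
        raise ValueError("prob must be strictly between 0 and 1")
    no_reuse, n = 1.0, 0
    while 1.0 - no_reuse < prob:
        no_reuse *= 1.0 - n / space  # draw IV number n+1
        n += 1
    return n

def packets_approx(prob: float, space: int = IV_SPACE) -> int:
    # Closed form n ~ sqrt(2 N ln(1/(1-p))); within a packet or two of the exact count
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - prob))))

if __name__ == "__main__":
    for p in (0.5, 0.99):
        print(f"{p:.0%}: exact {packets_for_collision(p)} packets, "
              f"approx {packets_approx(p)}")
```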
Slide 9: After an IV Match Is Found
• Pattern recognition on the XOR’d plaintext
• The ICV tells whether the guess is correct
• After only a few hours of observation, you can recover all 2^24 key streams
• Get active:
  – Send spam to the network
  – Get the victim to send e-mail to you
  – Known plaintext gives the key stream
Slide 10: Authentication
• SSID
• Shared key
• MAC
Slide 11: Authentication Problems
• SSID – easy to get by sniffing, since it is broadcast (if WEP encryption is deployed, access still requires the key)
• MAC – it is broadcast and can be spoofed
Slide 12: How to Authenticate without the Key
Shared-key authentication exchange (diagram on the slide):
  AP → STA: Challenge (nonce)
  STA → AP: Response (RC4[nonce] under the shared key)
  AP: decrypted nonce OK?
Simple attack:
• Record one challenge/response with a sniffer
• Use the challenge to decrypt the response and recover the key stream
• Use the recovered key stream to encrypt any subsequent challenge
Slide 13: Types of Attacks
• IV re-use attack to decrypt traffic – we have already seen it
• Replay attack – trivial
• Statistical attacks
• IP modification
• Active attack to inject traffic
• Bit-flip attack to recover the key stream
Slide 14: Improvement Techniques
• “Grow” a partial keystream
• Use a key table
Slide 15: FMS Attack
• Fluhrer, Mantin and Shamir found a class of RC4 keys called “weak keys”
• If the first 2 bytes of enough key streams are known, the RC4 key is discovered
• The first 8 bytes of a WEP packet are a known SNAP-SAP header
• AirSnort implements this attack – recovers the key after 20,000 packets = 11 seconds
Slide 16: IP Modification
• IP redirection:
  – Change the destination of an encrypted packet to a machine controlled by the attacker on the wired network
  – Send the modified frame to the AP, which will decrypt it and forward it to the attacker’s machine
  – Derive the keystream from this ciphertext/plaintext pair
  – The attacker can reuse the keystream to send/receive WLAN traffic
Slide 17: Inject Traffic
• If there is a known ciphertext/plaintext pair, the ciphertext can be modified into any message
• The correct CRC is calculated and inserted
• Uses:
  – Unauthorized traffic can be sent
  – User commands can be altered (telnet, ftp, etc.)
Slide 18: Bit Flipping Attack
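The forgery of slides 4, 7 and 18 worked through in Python, as an added example that is not part of Roy Werber's slides. It uses the real CRC-32 (zlib.crc32), which is affine rather than strictly linear because of its initial value and final XOR, so the ICV correction is CRC(X) ⊕ CRC(0^n) rather than the slide's plain CRC(X); the keystream, the ICV byte order and all function names are constructed stand-ins, and the same flip is then applied to a frame protected by a keyed HMAC to show why a keyed integrity tag, not a checksum, closes the hole.

```python
import hashlib
import hmac
import zlib
ICV_LEN = 4   # WEP appends a 4-byte CRC-32 "integrity check value" to the payload
TAG_LEN = 16  # truncated HMAC tag used by the keyed variant below (constructed choice)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(keystream: bytes, message: bytes) -> bytes:
    # C = [M, CRC(M)] xor S; the ICV byte order (little-endian) is an assumption of this toy
    body = message + zlib.crc32(message).to_bytes(ICV_LEN, "little")
    return xor_bytes(keystream[:len(body)], body)

def wep_decrypt(keystream: bytes, ciphertext: bytes):
    body = xor_bytes(keystream[:len(ciphertext)], ciphertext)
    message, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    return message, int.from_bytes(icv, "little") == zlib.crc32(message)

def crc_delta(x: bytes) -> bytes:
    # Real CRC-32 is affine: CRC(M ^ X) = CRC(M) ^ CRC(X) ^ CRC(0^n) for equal lengths,
    # so the ICV correction needs the all-zero block term as well as the slide's CRC(X)
    delta = zlib.crc32(x) ^ zlib.crc32(bytes(len(x)))
    return delta.to_bytes(ICV_LEN, "little")

def flip_bits(ciphertext: bytes, x: bytes) -> bytes:
    # C' = C xor [X, delta]: neither the key nor the keystream is needed
    return xor_bytes(ciphertext, x + crc_delta(x))

def forge_demo(keystream: bytes, message: bytes, target: bytes):
    # What the receiver recovers from the flipped frame, and whether its ICV still verifies
    flipped = flip_bits(wep_encrypt(keystream, message), xor_bytes(message, target))
    return wep_decrypt(keystream, flipped)

def mac_encrypt(keystream: bytes, mac_key: bytes, message: bytes) -> bytes:
    tag = hmac.new(mac_key, message, hashlib.sha256).digest()[:TAG_LEN]
    return xor_bytes(keystream[:len(message) + TAG_LEN], message + tag)

def mac_decrypt(keystream: bytes, mac_key: bytes, ciphertext: bytes):
    body = xor_bytes(keystream[:len(ciphertext)], ciphertext)
    message, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()[:TAG_LEN]
    return message, hmac.compare_digest(tag, expected)

def mac_forge_demo(keystream: bytes, mac_key: bytes, message: bytes, target: bytes):
    # The same bit flip on the message part; no key-free patch of a keyed tag exists
    flipped = xor_bytes(mac_encrypt(keystream, mac_key, message),
                        xor_bytes(message, target) + bytes(TAG_LEN))
    return mac_decrypt(keystream, mac_key, flipped)
```

The receiver accepts the flipped WEP frame as a valid encryption of the target text, while the HMAC-protected frame decrypts to the same altered text but fails verification.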
Slide 19: Practicality
• Cheap equipment is available: a laptop and a wireless card
• Tools: AirSnort, NetStumbler, Kismet
• Easy to sniff, harder to transmit
Slide 20: Main Points
• WEP was badly designed
• WEP was badly implemented
• I didn’t even speak about DoS attacks, MITMs, or impersonating the AP
• Treat wireless the way you treat remote traffic
Slide 21: Thank You!