Vulnerabilities in WEP Christopher Hoffman Cryptography

Transcription

1 Vulnerabilities in WEP Christopher Hoffman Cryptography Abstract Wired Equivalent Privacy (WEP) was the first encryption scheme used for protecting wireless traffic. It consisted of a private key algorithm that used an initialization vector and RC4 stream cipher. WEP has since been proven inadequate to protect traffic due to the ease of breaking the key. Key breaking attacks are possible due to the short IV used and given in plaintext, insecurities in the RC4 stream cipher, and predictable nature of the CRC32 check sum. In addition to the attacks outlined by Alex Blank[1], there are three others, each building off the previous. These are Klein's algorithm, PTW, and a process developed by Beck and Tews. 2. Introduction Since the advent of wireless networking, security has been a concern, the nature of the communication allowed it to be received by many without WiFi did not have a built in security protocol leaving traffic open to any attacker. This vulnerability was of great concern so IEEE started implementing security protocols for traffic. The initial security protocol was called wired equivalent privacy(wep) which appeared in 1999 [2,3]. When this was found insecure, WPA was implemented to improve the WEP standard by providing a software wrapper. Since this protocol worked off the WEP protocol, it was still vulnerable to the same types of attacks. To address the vulnerabilities, WPA-2 was built with security in mind. 3. Wireless Security 3.1 WEP Wired equivalent privacy was the first security implementation from IEEE which appeared in 1999 [2,3]. The original protocol used a 40 bit root key which was expanded to 104 bit for a higher level of security. Each packet had an initialization vector (IV) which was a 3 byte value which was used in two places. It was mainly used as a sequence number for the packet which was in plain text. It was also used as the first 3 bytes of the key to create either a 64 or 128 bit key. This is dangerous because part of the key for the RC4 cipher is known.

2 Figure 1: WEP encryption process[8]. WEP also used a CRC32 hash for data integrity. This algorithm has also been proven insecure and is used for some other types of attacks. 3.2 WPA In 2003, IEEE released WiFi protected access (WPA) encryption, also called Temporal Key Integrity Protocol (TKIP) because it improved the new integrity code using Michael and a rekeying mechanism [2,3]. The rekeying mechanism created a more secure protocol because the key was changed on a regular basis. Using this method, less information can be obtained because there is less collision of keys which could be exploited. WPA also included counter measures to prevent replay and forgery attacks. If these attacks were detected, it would shut the channel down for a certain amount of time and require a new key to reactivate communication. 3.3 WPA-2 Shortly after, WPA-2 was released in 2004 [2,3]. Its security was greatly improved using AES encryption instead of the RC4 cipher the previous implementations used. It can have two different modes of operation, home and corporate. In home use there is one key for all users, this is also called Pre-Shared Key(PSK). In corporate mode, each user will have a unique set of credentials and requires an authentication server. 4. Vulnerabilities 4.1 RC4 Cipher WEP uses an RC4 cipher for the encryption keystream[4,5]. The RC4 algorithm has two steps to get to the keystream, the key scheduling algorithm then the pseudo-random number generator. The two algorithms are shown below.

3 Figure 2: Key scheduling algorithm of RC4[4]. 4.2 Klein s Algorithm Klein s algorithm attempts to exploit vulnerabilities of RC4 [4,5]. This is largely possible since the first 3 bytes of the RC4 key are known because it is the IV which is plaintext in the packet. To break the key, many packets are needed. It is easier if there is a WEP oracle that takes plain text and returns cipher text. This can then be XORed to obtain the keystream which is used to break the key. The main algorithm used is: Figure 3: Pseudo-random number generator of RC4[4]. This will generate the i th value of the key with 1.36/ % accuracy. After running the algorithm on many packets, some guessed values will appear more frequently. The more frequent values have a higher probability of being the correct key value although not always. If a value is determined to be incorrect, the algorithm needs to be re-run for all index > i using the new key value. To be 50% certain that the correct key is found, 43,000 packets are needed. To be 95% certain the correct key is found, 70,000 packets are needed. 4.3 PTW PTW, developed by Pishkyn, Tews, and Weinmann, used the core of Klein s algorithm but voted on keys independently using an alternate key voting technique [4,6,7]. Instead of voting on a specific K[i], voting is on σ i which is. Although this gives up the simplicity of Klein s algorithm, it is more efficient when key bytes need to be recalculated. In Klein s there was potential for thousands of recalculations while in PTW, at most 12 subtractions need to take place to rebuild the new key guess.

4 The equations used for PTW are: The first line is the relation of j values, an internal variable in the cipher. The second line is when the line 1 is inserted into the equation from Klein s. Line 3 is the generation of σ i instead of the root key value. The last line is how the key gets calculated from the σ values. For a 50% success rate, 35,000 packets are needed. For at 95% success rate, 55,000 packets are needed. 4.4 Advanced PTW Beck and Tews developed a more efficient key breaking algorithm[6]. It takes steps from both the PTW attack and the KoreK attack. KoreK is an efficient algorithm that makes many correlations in the keystream but has the disadvantage that it cannot use all the packets it receives, they need to be configured a certain way. When PTW and KoreK are used together a much more efficient method is created. In this case, they altered the correlations in KoreK to vote for σ i instead of Rk[i]. This allows a 50% certainty after only 24,200 packets 5. Conclusion WEP is a very insecure protocol due to vulnerabilities in the RC4 cipher, CRC32 integrity check, and the IV which is reusable after a short time span. This paper outlined three attacks based on the RC4 cipher. They use the plaintext IV to run the first few rounds of the cipher algorithm. Once the first few rounds are generated, the rest of the key can be built using the packet keystream. Even though each packet provides a guess value with very low certainty, using many packets, values can be voted on to gain a higher probability. These attacks show the importance of updating to more secure standards to ensure wireless privacy. 6. References [1] Blank, Alex. WEP Vulnerabilities and Attacks. [2] Bulbul, Halil Ibrahim; Batmaz, Ihsan; Ozel, Mesut Wireless Network Security: Somparison of WEP (Wired Equivalent Privacy) Mechanism, WPA (Wi-Fi Protected Access) and RSN (Robust Security Network) security protocols. In Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications,

5 information, and multimedia and workshop (e-forensics '08). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), ICST, Brussels, Belgium, Belgium,, Article 9, 6 pages. [3] Lashkari, A.H.; Danesh, M.M.S.; Samadi, B.;, "A Survey on Wireless Security Protocols (WEP, WPA and WPA2/802.11i)," Computer Science and Information Technology, ICCSIT nd IEEE International Conference on, vol., no., pp.48-52, 8-11 Aug [4] Stolbunov, Anton. Klein s and PTW Attacks on WEP. NTNU, Department of Telematics. Sept 7, [5] Tews, Erik. Attacks on the WEP Protocol. Cryptology eprint Archive, Report 2007/471, [6] Tews, Erik; Beck, Martin Practical Attacks Against WEP and WPA. In Proceedings of the second ACM conference on Wireless network security (WiSec '09). ACM, New York, NY, USA, DOI= / [7] Tews, Erik; Weinmann, Ralf-Philipp; Pyshkin, Andrei. Breaking 104 bit WEP in Less than 60 Seconds. Cryptology eprint Archive, Report 2007/120, [8] Wired Equivalent Privacy (WEP). VOCAL Technologies, Ltd