Wired Equivalent Privacy A memorandum in Secure Computer Systems

Transcription

1 Wired Equivalent Privacy A memorandum in Secure Computer Systems March 3, 2009 Group members: Hongyu Ju <hongyu.ju@gmail.com> Kim Honkaniemi <Kim.Honkaniemi.3207@student.uu.se> Torbjörn Svangård <trptorbjorn@gmail.se> 1

2 Contents 1 Wired Equivalent Privacy CRC Dierent WEP standards Authentication Generating trac to get IV's Packet injection De-authentication Fake authentication Bittau's fragmentation attack Attacking WEP Brute force FMS attack KoreK's chopchop attack The PTW attack Number of IV's needed to crack WEP between

3 1 Wired Equivalent Privacy To secure the communication over IEEE (Wireless) standard, the encryption used is the Stream Cipher RC4 for encrypting and keeping the messages condentiality. For checking integrity CRC-32 is used, this check does not give any defense for targeted modication of the data but mainly for detecting random errors. This Stream Cipher will take a key as input and produce a long stream as output, a keystream. To encrypt your message, you XOR the keystream together with your plaintext to produce a Stream Cipher, this is your message encrypted. The key that is used is a concatenated string of the WEPkey and an Initializing Vector. The IV where introduced in the WEP protocol as a nonce to prevent the usage of two dierent packets ciphered with the same key. The RC4 is only secure if there never will be two messages encrypted with the same keystream which would be the same key and IV. The IV is sent together with the packet in plaintext so that the user on the other side can just insert this IV and decrypt the cipher. The RC4 is a safe way to encrypt messages as long as you keep your key secret, and for WEP this would include also to never re-use the same IV. The XOR of two ciphers with the same key, is equal to the XOR of its two plaintexts and the statistical properties of this can be used for cryptoanalysis to reconstructs the two plaintexts together with the key stream. 1.1 CRC-32 To ensure the integrity of the packet CRC-32 is used. CRC-32 is a cyclic redundancy check used to compute the checksum in WEP packets. There is a big problem with this CRC-32 tho, it has no defense against targeted modication, meaning an attacker could easily modify the packet and then making a new CRC checksum to match the new packet. CRC-32 is only protecting against random errors. 1.2 Dierent WEP standards There are mainly two versions of WEP used today, WEP-40 and WEP-104. WEP-40 uses a 40 bit, 10 hexadecimal characters, key concatenated with a 26 bit IV. WEP-104 uses a 104 bit, 26 hexedecimal characters, key concatenated with a 24 bit IV. 1.3 Authentication There are two ways to authenticate yourself onto a WEP WLAN, Open System Auth. and Shared Key Auth. For Shared Key Auth you will contact the Access Point and request to authenticate yourself, the AP will send back plaintext string which you encrypt data with a key and send it back in another auth request. The AP will decrypt the message with the correct key and if the decrypted data is the same as the plaintext rstly sent the AP will allow this user onto the network. The Open System Auth will just let the AP know that it wishes to 3

4 join the network and he's allowed. You will still need to have the correct keys to decrypt any data. The shared key auth sounds as if it was the better choice, BUT there is a big problem with this. If someone picks up both the plaintext and the cipher packet the can just XOR them together to get the specic Key Stream generated by the RC4 which is one step in retrieving the key. 2 Generating trac to get IV's In order to perform any crack on WEP based on its poor implementation of RC4 IV packets are needed. They can either be gathered passively by just collecting trac on a network, however this is very timeconsuming. If there is little or no trac on the network it will take a very long time in order to get enough IV's. However there are some tricks in order to make the AP (Access Point) send IV's. 2.1 Packet injection Lets assume that we are using a IPv4-network. We have a host A and a B. If A wants to send data to B it will need B's physical address or the gateway to B. To resolve addresses ARP-packets, Address Resolution Protocol, is used. A sends ARP-request to the linklayer broadcast address. This means that A signals that it wants to know B's physical address. B responds A with an ARP-reply containing B's physical address. Since an ARP-packet is a linklayer protocol it is not ltered or has any limited speed rate. From the an ARP-packet we can get the rst 16 bytes of the key stream. The corresponding IV is transmitted in clear with the packet. To speed up the time getting IV's, it is possible to re-inject a ARP-packet that was previously captured. By doing this more arp-replys will be generated. 2.2 De-authentication It is possible to send a de-authenticate message to a connected client on the network. This tells the client that it has lost connection to the base-station. Often clients reconnect automatically and when this occurs their ARP-cache is ushed, and will generate more ARP-requests. More ARP-requests means more IV's that we collect in order to crack the key. 2.3 Fake authentication The fake authentication attack allows an attacker to join a WEP protected network, even if the attacker has not got the secret root key. In the IEEE standard there are two specied ways of a client can authenticate itself. One is called Open System authentication, a client simply asks if it can join the network and if the access point will grant this if it supports Open System authentication. The secret root key is not used in this method. 4

5 The other way is called Shared Key authentication. It uses the secret root key and a challenge-response authentication mechanism, which should make it more secure. It is however possible for an attacker to sni an Shared Key authentication handshake and use it to join the network. Example of fake authentication attack using Shared Key authentication: 1. Erik tries connecting to the network. 2. The access point sends out a clear text challenge. 3. Erik takes the challenge packet, encrypts it with his WEP key, and sends it back to the access point. 4. The attacker Anna extracts the IV (sent in the clear) and key by XORing the challenge with Erik's response. 5. Now Anna tries connecting to the network. 6. The access point sends out a challenge string. 7. Now that Anna has derived the key from the plaintext cryptanalysis, she can correctly respond to the access point's challenge. 8. Anna connects to the network. 2.4 Bittau's fragmentation attack Bittau's fragmentation attack from 2005 can get 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but only obtains the PRGA. The PRGA can then be used to generate packets which are in turn used for injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack. This attack is used to speed up IV collection. 1. Eavesdrop WEP-trac 2. Get the PRGA 3. Transmit fragmeted data using the same IV - this generates trac. 4. Collect weak IV's 5. Perform the FMS or PWT attack 3 Attacking WEP 3.1 Brute force The rst attacks ever performed on WEP was by brute force, which means trying every possible key until the correct key is discovered. The standard species a 40-bit key, a focused attack on a network would require less than a month to crack the key. For a well motivated attacker this is not very long time. 5

6 It was noted that many used plaintext pass phrase instead of a random hexadecimal crypt-key, this fact was used and narrowed down the attack to rst try all ASCII characters rst, converted to hexadecimal numbers. Maybe it would have been a good idea to have had an standardized algorithm for hashing the pass phrase, to make bruteforcing attacks more timeconsuming. The eect of this problem was that 104-bit keys were introduced. 3.2 FMS attack RC4 in its implementation in WEP has been found to have weak keys. Having a weak key means there is more correlation between the key and the output than there should be for good security. Determining which packets were encrypted with weak keys is easy because the rst three bytes of the key are taken from the IV that is sent unencrypted in each packet. This weakness can be exploited by a passive attack. The attack works in a passive way which makes it impossible to detect that it is even taking place. This works because the system running the attack does not need to transmit, instead it only needs to receive network trac. The attack takes advantage of a number of so called weak IV's. Out of the 16,777,216 possible (24-bit) IV's 9000 are considered as weak. A 40 bit WEP key can be cracked in a few seconds with around 250, ,000 IV's. So the time consuming part is collecting the IV-packets. For a 104 bit WEP key up to IV's and maybe even more is needed. 3.3 KoreK's chopchop attack The development of new attacks did not stop after the FMS attack. A person using the name KoreK posted a new kind of attack on a forum in His attack actually uses 17 dierent kinds of attacks, some previously published but most of them was found by KoreK. With this attack the need for IV's were reduced to about 150,000 for a 40-bit WEP key and 500,000 for a 104-bit key. 3.4 The PTW attack With the PTW-attack it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauthentication and ARP re-injection, 40,000 packets can be captured in less than one minute under good condition. The actual computation takes about 3 seconds on a Pentium-M 1.7 GHz. The same attack can be used for 40 bit keys too with an even higher success probability. 3.5 Number of IV's needed to crack WEP between

7 Figure 1: 7