WEP Weaknesses

Or“What on Earth does this

Protect”

Roy Werber

2

Goals

Authorization– Prevent unauthorized access to network

Privacy– The P in WEP– Make it feel like LAN– Maintain data privacy from outsiders

3

Basic Flaws

Bad design– Each component is good, but not suited to

datagram environment

No key management– One key for all

Bad implementation

4

Stream Ciphers

C = P S Key streams must never be reused

– C1 C2 = (P1 S) (P2 S) = P1 P2

Forgery is easy – Bit flip attack– If M2 = M1 X– Then C2 = C1 X

5

Stream Ciphers And Datagram

Key streams must never be reused Encryptor and decryptor must remain

synchronized Bad for datagram environment Without Random Access property

encryption process starts for each packet Different key for each packet

6

WEP Solution

ICV – Prevents forgery– Checksum on the data prevents bit flipping

IV – Prevents key reuse– Each packet a new key that starts a new stream

is used

7

ICV Prevents Forgery?

Uses CRC-32 checksum CRC-32 is linear:

– CRC(A B) = CRC(A) CRC(B)

RC4 is transparent to XOR– C = RC4 ( [M,CRC(M)] )– C’ = C [X,CRC(X)]

= [M,CRC(M)] S [X,CRC(X)]

= RC4 ([M X, CRC( M X)])

8

IV Prevents Key Reuse ?

IV space is very small : 224

Birthday attack: – 50% chance of collision after only 4823 packets– 99% collision after 12,430 packets = 3 seconds in 11 Mbps traffic– Assuming random IV selection (Some

implemented IV as a counter from 0)– Assuming IV changes. Its optional

9

After IV Match Is Found

Pattern recognition on the XOR’d plaintext ICV tells if the guess is correct After only a few hours of observation, you

can recover all 224 key streams Get active:

– Send Spam to the network– Get the victim to send e-mail to you– Known plaintext Key stream

10

Authentication

SSID Shared Key MAC

11

Authentication Problems

SSID – Easy to get by sniffing, it is broadcasted (If WEP encryption deployed – access by key)

MAC – It is broadcasted – Can be spoofed

12

How to Authenticate without the Key

Challenge (Nonce)

Response ( RC4 [Nonce] under shared key)

STA

APAP

Decrypted nonce OK?

Simple Attack:

• Record one challenge/response with a sniffer

• Use the challenge to decrypt the response and recover the key stream

• Use the recovered key stream to encrypt any subsequent challenge

13

Types Of Attacks

IV re-use attack to decrypt traffic– We already seen it

Replay Attack– Trivial

Statistical attacks IP Modification Active attack to inject traffic Bit flip attack to recover key stream

14

Improvement Techniques“Grow” a partial keystream, Use key table

15

FMS Attack

Fluhrer, Martin and Shamir found a class of RC4 keys called “weak keys”

If the first 2 bytes of enough key stream are known -> The RC4 key is discovered

The first 8 bytes of WEP packet is a known SNAP-SAP header

AirSnort implements this attack– Recovers key after 20,000 packets = 11 seconds

16

IP Modification

IP redirection:– Change the destination of an encrypted packet

to a machine controlled by the attacker on the wired network.

– Send modified frame to AP that will decrypt it and send to attacker machine

– Derive keystream from this ciphertext, plaintext pair

– Attacker can reuse keysteam to send/receive WLAN traffic

17

Inject Traffic

If there is a known cipher plaintext pair The cipher can be modified to any message Correct CRC is calculated and inserted Uses:

– Unauthorized traffic can be sent– User commands can be altered. (telnet ,ftp, etc)

18

Bit Flipping Attack

19

Practicality

Available cheap equipment Laptop and wireless card Tools: AirSnort, Netstumbler, Kismet Easy to sniff, harder to transmit

20

Main Points

WEP was badly designed WEP was badly implemented I didn’t even speak about DoS attack,

MITMs, Impersonating to AP Treat wireless the way you treat remote

traffic

Thank You!