OpenSig 2003:
Panel Discussion on the
Differences and Similarities of
Wired vs. Wireless Security
Russ Housley
V
S
igil
ecurity
LLC
9 October 2003
Ethernet vs. 802.11 Wireless LAN
Do Ethernet and 802.11 WLANs offer the
same services?
 From a protocol stack perspective, Ethernet
and WLANs are largely interchangeable.
Both allow the application layer protocols
to deliver the expected services.
 From a security perspective, they are quite
different.
Vigil
Security
LLC
Wired Guest Network Example
Guard
Guest
Network
Corporate
Network
Internet
Vigil
Security
LLC
With WLANs … (1 of 3)
Guard
Internet
Vigil
Security
LLC
With WLANs … (2 of 3)
Guard
Internet
Vigil
Security
LLC
With WLANs … (3 of 3)
Guard
Internet
Vigil
Security
LLC
Security Services
Mechanisms for confidentiality, integrity,
and authentication are essential for any
WLAN to offer comparable security to an
Ethernet.
Vigil
Security
LLC
WLAN Frame Security
 All currently deployed IEEE 802.11 WLAN
devices have flawed security


WEP data encryption easy to break
IEEE 802.11 authentication easy to subvert
 IEEE 802.11 security solution has two phases:

Short-term security solution called TKIP
 Accommodates existing hardware
 Firmware and driver upgrade

Long-term security solution called CCMP (uses AES)
 Targeted at new hardware designs
Vigil
Security
LLC
WEP Description
SNAP SAP
0xAA 0xAA 0x00 0x00 0x00 0x00 0x80 0x00
802.11 Hdr
Append ICV = CRC32(Data)
802.11 Hdr
Select and insert IV
Per-packet Key = IV || RC4 Base Key
RC4 Encrypt Data and ICV
802.11 Hdr
Vigil
Security
LLC
IV
24 bits
Data
Check ICV = CRC32(Data)
Data
ICV
Remove IV from packet
Per-packet Key = IV || RC4 Base Key
RC4 Decrypt Data and ICV
Data
ICV
RC4 is a Stream Cipher
RC4
Pseudo-random
number generator
“key stream” byte b
Plaintext data byte
p

Ciphertext data byte
c=pb
Decryption works the same way: p = c  b
What happens when p1 and p2 are encrypted under the same
“key stream” byte b?
c1 = p1  b and c2 = p2  b
Vigil
Security
LLC
Thus:
c1  c2 = (p1  b)  (p2  b) = p1  p2
IV Collisions
802.11 Hdr
IV
24 bits
Data
ICV
Per-packet Key = IV || RC4 Base Key
 WEP expands the RC4 Base Key into 224 per-packet keys
 Data can be recovered if IV is ever repeated with same per-packet key
 RC4 key must be changed at least every 224 packets, otherwise data is
exposed when the same IV is used for a second packet
 WEP does not provide a standard way to change keys!


Vigil
Security
LLC
Often all stations are using the same key
Immediate IV collisions between stations that share the RC4 Base Key
Weak Key Attacks
SNAP SAP provides known plaintext
0xAA 0xAA 0x00 0x00 0x00 0x00 0x80 0x00
First eight bytes of ciphertext

0xC0 0x15 0x7E 0xA5 0x3F 0x22 0xEA 0xA1
802.11 Hdr
IV
Data
ICV
Per-packet key = IV || RC4 Base Key, so the first three
bytes of the Per-packet Key are always exposed!



V
S
igil
ecurity
LLC

Some RC4 weak keys exist, where patterns in the first three bytes of
the key causes a corresponding pattern in first few bytes of the key
stream
The IV identifies the use of potential weak keys
Known plaintext allows direct computation of start of the key stream,
exposing some of the secret RC4 Base Key value
Iterate over a sequence of packets with different IVs until all the bits
in the RC4 base key are found
Forgery Attacks
Sample Attack 1 – Attacker has accomplice on the wired network:
1.
Recv-Addr, Src-Addr, Dest-Addr are unprotected
2.
Record any packet, replace the Dest-Addr with accomplice’s address; resend it
3.
AP will decrypt data and send it to the accomplice
Sample Attack 2 – Attacker alters recorded traffic:
802.11 Hdr
Recv-Addr, Src-Addr, Dest-Addr
Vigil
Security
LLC
Data
IV

0…

1
ICV


… 0 New ICV
1.
Create a blank message with same number of data bytes
2.
Flip some bits and compute the ICV on the flipped bits
3.
XOR resulting bit-flipped message + ICV into captured message
Replay Attacks
Authorized WEP communications
1. Record
2. Play back selections
Attacker
Vigil
Security
LLC
Must Address All Problems
 Solutions must address all of the problems,
otherwise new attack tools will be
developed to exploit the remaining holes
 Need to address all of the problems




Vigil
Security
LLC
IV Collisions
Weak Keys
Message Forgery
Replay
IEEE 802.11 TGi Short-term
 IEEE 802.11 Task Group i (TGi) is defining the
Temporal Key Integrity Protocol (TKIP)
 TKIP accommodates existing hardware with
firmware and driver upgrade
 TKIP mandates 4 new algorithms




Vigil
Security
LLC
Message Integrity Check (MIC) called Michael
New per-packet key construction, with a large IV
IV Sequencing
Key Distribution
Defeating IV Collision Attacks
 Expand IV space to 48-bits

At IEEE 802.11a rates, it would take about 1090 years
to exhaust the IV space
 Use IEEE 802.1X EAPOL Key message to
establish a new key at start of every association
IV
Vigil
Security
LLC
New Key
MIC
Defeating Weak Key Attacks

Compute Per-packet Key from:




TA
IV
Phase 1
Structure permits:



128-bit Base Key
48-bit Transmitter Address (TA)
48-bit IV
Base
Key
Efficient on deployed hardware
Supports caching and precomputation
Avoids the weak keys exploited by
AirSnort and other hacker tools
Vigil
Security
LLC
Phase 2
Per-Packet
Key
Defeat Forgeries
 Compute MIC using Michael (a new algorithm)


Designed for deployed hardware by Niels Ferguson
 3-4 cycles/byte on ARM7 (2.7 – 3.6 MHz)
 5-6 cycles/byte on i486 (4.5 – 5.4 MHz)
Provides about 30 bits of security – best possible in time budget
 The most critical step – it takes away active attacks
802.11 Hdr
IV
Data
MIC  Michael ( Key, Src-Addr || Dest-Addr || Data )
ICV  CRC ( Data || MIC )
802.11 Hdr
Vigil
Security
LLC
IV
Data
MIC
ICV
Defeating Replays
 Use the IV as a sequence number
 IV management rules:




Reinitialize IV to 0 when the base key is established
IV is a strictly increasing counter
Data traffic halts if IV value reaches maximum value
Receiver discards any packets associated with the same key when
the IV value is less than a previously received packet
802.11 Hdr
IV
IV  IV + 1
Vigil
Security
LLC
Data
MIC
ICV
TKIP Summary
 “Fixes” all known WEP vulnerabilities
 Designed and scrutinized by well-known
cryptographers
 Pragmatic sacrifice of bullet-proof security to
minimize performance degradation on existing
hardware
TKIP provides only minimal security on deployed
equipment and degrades performance
Vigil
Security
LLC
IEEE 802.11 TGi Long-term
 IEEE 802.11 Task Group i (TGi) is defining
the AES-based long-term solution
 A more robust security solution is not hard
to design (there are many places to borrow
from); however, it does require:


Vigil
Security
LLC
New hardware
Protocol changes
Updated Protocol Requirements






Message integrity — prevent forgeries
Packet sequencing — detect replays
Avoid rekeying — 48 bit packet sequence number
Eliminate per-packet key
Protect source and destination addresses
Interoperate with proposed quality of service
(QoS) enhancements (IEEE 802.11 TGe)
 Desirable to use one strong cryptographic
primitive for both confidentiality and integrity
Vigil
Security
LLC
Mechanisms
 48-bit IV used for replay detection




First four bits of IV indicate QoS traffic class
Remaining 44 bits used as counter
Decryption/integrity check fail if traffic class bits are
altered
Sender uses single counter space, but receiver needs
one for each traffic class
 AES with CCM or OCB authenticated encryption



Vigil
Security
LLC
CCM is mandatory, and OCB is optional
Header authentication
Payload authentication and confidentiality
Counter Mode with CBC-MAC
 Authenticated Encryption composed of Counter
(CTR) mode and CBC-MAC using a single key

Assumes 128 bit block cipher – IEEE 802.11i uses AES
 Designed for IEEE 802.11i



By D. Whiting, N. Ferguson, and R. Housley
Intended for packet environment
No attempt to accommodate streams
 RFC 3610 and NIST SP 800-38C define CCM
 Expansion results from:


Vigil
Security
LLC
Nonce value used in the CTR blocks
Message Integrity Check (MIC) value
CCM Mode Overview
Encrypted
Header
Payload
MIC
Authenticated
 Use CBC-MAC to compute a MIC on the
plaintext header, length of the plaintext header,
and the payload
 Use CTR mode to encrypt the payload

Counter values 1, 2, 3, …
 Use CTR mode to encrypt the MIC

Vigil
Security
LLC
Counter value 0
...
E
...
E
E
padding
B0
B1
...
Bk 0
padding
Bk+1
Header
LLC
Br
0
MIC
Payload
A1
Vigil
Security
...
S1
...
SSmm
E
... Am
E
S0Sm
A0
E
CCM Security Proof
 Jakob Jonsson did a security proof of CCM

Published last August at SAC ’02
 The proof shows that CCM provides a level
of confidentiality and authenticity that is
comparable to other proposed authenticated
encryption modes, such as OCB mode.
Vigil
Security
LLC
CCM Patent Status
 The authors have explicitly released any
intellectual property rights to CCM to the public
domain
 The authors are not aware of any patent or patent
application anywhere in the world that covers
CCM mode
 The authors believe that CCM is a simple
combination of well-established techniques;
it is obvious to a person of ordinary skill in the
arts
Vigil
Security
LLC
Long-term Solution Summary
 Builds on the lessons learned from IEEE 802.10
and IPsec ESP protocol designs

Relies on proper use of strong cryptographic primitives
 Strong security against all known attacks
 Requires new hardware
New hardware, proper protocol design, AES
… Success
Vigil
Security
LLC
Short-term vs. Long-term
Key Size
Key Life
Packet Key
Integrity
Data
Header
Replay
Key Mgmt.
Vigil
Security
LLC
WEP (RC4)
40 or 104 bits
24-bit IV, wrap
Concat.
TKIP (RC4) CCMP (AES)
128 bits
128 bits
48-bit IV 48-bit IV
TKIP KDF Not Needed
CRC-32
None
None
None
Michael
Michael
Use IV
EAP-based
CCM or OCB
CCM or OCB
Use IV
EAP-based
WLAN Frame Security Conclusion
 Any solution that does not address all the
problems is a failure
 TKIP provides only minimal security, but much
more than WEP


Meets deployed equipment constraints (most devices)
Degrades performance
 Long-term solution … Success



Vigil
Security
LLC
New hardware
Proper protocol design
AES
For More Information
Russ Housley
Vigil Security, LLC
housley@vigilsec.com
Vigil
Security
LLC