Intercepting Mobile Communications: The Insecurity of 802.11

advertisement
Intercepting Mobile Communications:
The Insecurity of 802.11
Nikita Borisov Ian Goldberg
David Wagner
UC Berkeley Zero-Knowledge Sys UC Berkeley
Presented by
Kunjan Naik
Agenda






Introduction
WEP protocol
Brief description
Security goals
Keystream reuse attacks
Attacks involving message authentication
Countermeasures
Conclusion
Typical Scenario
Ad-Hoc Network
Infrastructure Network
WEP Protocol



Wired Equivalent Privacy
Link Layer Security Protocol
Goals :
Confidentiality : Protection against
eavesdropping
Access Control : Restrict accessibility
Data Integrity : Correctness of data
RC4 and Stream Ciphers



RC4 encryption is Vernam Cipher
RC4 is a stream cipher
Generates pseudo random keystream from
the key( IV || Key)
Encryption
key
Plain text data
byte
Pseudo-random
number generator
Cipher text
byte
WEP Protocol



Mobile station shares key with Access Point
Transmitting a message M
Compute checksum of M and append it to M
Generate keystream using RC4(IV,Key)
Xor <M,C(M)> with keystream
Transmit IV and cipher text
Upon receiving
Reverse steps
Packet Format and
Encapsulation
Message
CRC
XOR
Keystream = RC(IV,k)
IV

Cipher Text
Encryption Algorithm = RC4

Key length = 40. IV length = 24

C = RC4(IV,K) xor <M, C(M>
WEP Authentication
Shared secret distributed out of band
Challenge (Nonce)
Response (Nonce RC4 encrypted under shared key)
Decrypted nonce OK?




Authentication key distributed out-of-band
Access Point generates a “randomly generated”
challenge
Station encrypts challenge using pre-shared secret
Denial of service attack
So What are the Problems?





Shared key mechanism
Same shared key in the network
Attacks based on Keystream Reuse
IV collision
Decryption Dictionaries
Message modification
Message injection.
Shared key mechanism





Single key or array of shared keys between
all mobile stations in the network
key length is just 40 bits.
Key management is a misnomer
Shared keys changes rarely.
Chances of IV collision proportional to
number of users.
IV Collision








P1 and P2 packets with same IV
C1 = P1 xor RC4(IV,Shared Key)
C2 = P2 xor RC4(IV,Shared Key)
C1 xor C2 = P1 xor P2
Attacker knows the Xor of two plaintexts
Given P1 or P2 easy to find other
More packets with same IV : More easier
Dragging cribs, frequency analysis methods
Key Reuse






Shared key same in both directions
Keystream depends on IV as Key is fixed
IV included in unencrypted portion of message
IV reset to 0 when initialized
Easy to find collisions
After 16 million packets ( worst case ) IV
repeats
How to find keystream reuse?





IV space - 2^24 possibilities
Collision after few minutes on a busy AP
WEP standard recommends IV to be changed
(but does not require) per packet
More so, IV set to 0 when re-initialized
Finding keystream reuse is therefore easy
How to get plaintext?





IP traffic predictable - well defined structures
and message content
Login sequences and Welcome messages
Sniffing Authentication challenge - plain and
cipher text both
Sending packets from outside - ping
Broadcast packets in both encrypted and
unencrypted form - for some implementations
Attack from both ends
Attacker sends data
Internet
AP
AP encrypts plaintext data
MS
Attacker
Attacker
Attack from both sides cont’d



Attacker will send packets from internet to
mobile station and AP will encrypt them for
attacker
Flip bits to change destination address to host
we control - IP checksum needs to be modified
Sufficient number of packets with different IV’s
will enable the attacker to build a decryption
dictionary
Decryption Dictionaries







Xoring cipher text and plain text gives keystream
Store one to one mapping of IV to RC4(IV,Key)
Xor any packet with corresponding IV and read
data
Number of entries in table 2^24
1500 bytes per packet - 24 GB
Independent of key size - depends on IV only.
Building table ensures immediate decryption
Message Authentication






CRC checksum for data integrity
CRC resilient against random errors and not
malicious attacks
CRC is independent of IV and key
CRC and RC4 are linear
CRC(X xor Y) = CRC(X) xor CRC(Y)
So, changing bits in packet is easy
Message modification





C = RC4(IV,K) * {M,C(M)}
Let M’ = M * D
D is arbitrarily chosen and * => xor
C’ = C * { D, C(D) }
RC4(IV,K) * {M,C(M)} * {D,C(D)}
RC4(IV,K) * {M * D,C(M) * C(D)}
RC4(IV,K) * {M * D,C(M * D)}
RC4(IV,K) * {M’, C(M’)}
Effectively Attacker does C’ = C * {D, C(D)}
Message Injection






Attacker needs plain text and cipher text
Attacker has fake message F and computes C(F)
Computes C’ = {F,C(F)} xor RC4(VI,key)
Transmits (VI, C’)
Reuse old IV’s and circumvent access control
Attacker can authenticate himself using message
injection
Message Decryption


IP redirection - Send encrypted packet to host
on the internet ; IP checksum and firewall issues
Reaction attacks - TCP packets will be dropped
for incorrect checksum and TCP ack for the
correct packets. Modify packet and check
recipients reaction
Attack Practicality




Use off the shelf wireless card and software
radio
Sit outside competitor’s office and sniff packets
Reverse engineer firmware to inject packets
Dictionaries - Has to be done once
Countermeasures





Data encryption is not enough - access control
through data authentication is must
Use block ciphers
Increase key length
Make checksum keyed function of message
Put wireless network outside firewall -treat it as
public network
Conclusion




Public review is essential
All three goals
Confidentiality - Attacker can read traffic
Access Control - Attacker can inject traffic
Data Integrity - Attacker can modify traffic
Use VPN, IPSec, SSH along with WEP
ESN is supposed to solve all problems
Download