Intercepting Mobile Communications: The Insecurity of 802.11
Nikita Borisov (UC Berkeley), Ian Goldberg (Zero-Knowledge Sys), David Wagner (UC Berkeley)
Presented by Kunjan Naik

Agenda
- Introduction
- WEP protocol
  - Brief description
  - Security goals
- Keystream reuse attacks
- Attacks involving message authentication
- Countermeasures
- Conclusion

Typical Scenario
[Figure: Ad-Hoc Network; Infrastructure Network]

WEP Protocol
- Wired Equivalent Privacy
- Link Layer Security Protocol
- Goals:
  - Confidentiality: Protection against eavesdropping
  - Access Control: Restrict accessibility
  - Data Integrity: Correctness of data

RC4 and Stream Ciphers
- RC4 encryption is a Vernam cipher
- RC4 is a stream cipher
- Generates a pseudo-random keystream from the key (IV || Key)
[Figure labels: Encryption key; Pseudo-random number generator; Plain text data byte; Cipher text byte]

WEP Protocol
- Mobile station shares key with Access Point
- Transmitting a message M:
  - Compute checksum of M and append it to M
  - Generate keystream using RC4(IV,Key)
  - Xor <M,C(M)> with keystream
  - Transmit IV and cipher text
- Upon receiving:
  - Reverse steps

Packet Format and Encapsulation
[Figure labels: Message; CRC; XOR; Keystream = RC4(IV,k); IV; Cipher Text]
- Encryption Algorithm = RC4
- Key length = 40. IV length = 24
- C = RC4(IV,K) xor <M, C(M)>

WEP Authentication
[Figure labels: Shared secret distributed out of band; Challenge (Nonce); Response (Nonce RC4 encrypted under shared key); Decrypted nonce OK?]
- Authentication key distributed out-of-band
- Access Point generates a “randomly generated” challenge
- Station encrypts challenge using pre-shared secret
- Denial of service attack

So What are the Problems?
- Shared key mechanism
  - Same shared key in the network
- Attacks based on Keystream Reuse
  - IV collision
  - Decryption Dictionaries
- Message modification
- Message injection

Shared key mechanism
- Single key or array of shared keys between all mobile stations in the network
- Key length is just 40 bits
- Key management is a misnomer
- Shared keys change rarely
- Chances of IV collision are proportional to the number of users

IV Collision
- P1 and P2: packets with the same IV
- C1 = P1 xor RC4(IV,Shared Key)
- C2 = P2 xor RC4(IV,Shared Key)
- C1 xor C2 = P1 xor P2
- Attacker knows the xor of the two plaintexts
- Given P1 or P2, it is easy to find the other
- More packets with the same IV: easier
- Dragging cribs, frequency analysis methods

Key Reuse
- Shared key is the same in both directions
- Keystream depends on IV, as Key is fixed
- IV is included in the unencrypted portion of the message
- IV is reset to 0 when initialized
- Easy to find collisions
- After 16 million packets (worst case) the IV repeats

How to find keystream reuse?
- IV space - 2^24 possibilities
- Collision after a few minutes on a busy AP
- WEP standard recommends (but does not require) that the IV be changed per packet
- More so, IV is set to 0 when re-initialized
- Finding keystream reuse is therefore easy

How to get plaintext?
- IP traffic is predictable - well defined structures and message content
- Login sequences and Welcome messages
- Sniffing the Authentication challenge - plain and cipher text both
- Sending packets from outside - ping
- Broadcast packets in both encrypted and unencrypted form - for some implementations

Attack from both ends
[Figure labels: Attacker sends data; Internet; AP; AP encrypts plaintext data; MS; Attacker]

Attack from both sides cont’d
- Attacker will send packets from the internet to the mobile station and the AP will encrypt them for the attacker
- Flip bits to change destination address to host we control - IP checksum needs to be modified
- A sufficient number of packets with different IVs will enable the attacker to build a decryption dictionary

Decryption Dictionaries
- Xoring cipher text and plain text gives keystream
- Store a one-to-one mapping of IV to RC4(IV,Key)
- Xor any packet with the keystream for its IV and read the data
- Number of entries in table: 2^24
- 1500 bytes per packet - 24 GB
- Independent of key size - depends on IV only
- Building the table ensures immediate decryption

Message Authentication
- CRC checksum for data integrity
- CRC is resilient against random errors, not malicious attacks
- CRC is independent of IV and key
- CRC and RC4 are linear
- CRC(X xor Y) = CRC(X) xor CRC(Y)
- So, changing bits in a packet is easy

Message modification
- C = RC4(IV,K) * {M,C(M)}
- Let M’ = M * D, where D is arbitrarily chosen and * => xor
- C’ = C * {D, C(D)}
     = RC4(IV,K) * {M,C(M)} * {D,C(D)}
     = RC4(IV,K) * {M * D, C(M) * C(D)}
     = RC4(IV,K) * {M * D, C(M * D)}
     = RC4(IV,K) * {M’, C(M’)}
- Effectively, the attacker does C’ = C * {D, C(D)}

Message Injection
- Attacker needs plain text and cipher text
- Attacker has fake message F and computes C(F)
- Computes C’ = {F,C(F)} xor RC4(IV,key)
- Transmits (IV, C’)
- Reuse old IVs and circumvent access control
- Attacker can authenticate himself using message injection

Message Decryption
- IP redirection - send encrypted packet to a host on the internet; IP checksum and firewall issues
- Reaction attacks - TCP packets will be dropped for an incorrect checksum, and a TCP ack is sent for the correct packets. Modify the packet and check the recipient's reaction

Attack Practicality
- Use off-the-shelf wireless card and software radio
- Sit outside competitor’s office and sniff packets
- Reverse engineer firmware to inject packets
- Dictionaries - has to be done once

Countermeasures
- Data encryption is not enough - access control through data authentication is a must
- Use block ciphers
- Increase key length
- Make checksum a keyed function of the message
- Put wireless network outside firewall - treat it as a public network

Conclusion
- Public review is essential
- All three goals:
  - Confidentiality - Attacker can read traffic
  - Access Control - Attacker can inject traffic
  - Data Integrity - Attacker can modify traffic
- Use VPN, IPSec, SSH along with WEP
- ESN is supposed to solve all problems
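
Added example (not part of the original slides or the paper): the WEP encapsulation, the IV Collision identity C1 xor C2 = P1 xor P2, and the Message modification derivation, run on constructed frames and set beside the keyed-checksum countermeasure. The key, IV, messages, MAC key and all function names are assumptions made for this sketch.

```python
import hashlib, hmac, struct, zlib

def rc4(key, n):
    """Return n bytes of RC4 keystream for key."""
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(n):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m):
    # CRC-32 packed little-endian (byte order is an assumption of this sketch)
    return struct.pack("<I", zlib.crc32(m))

def wep_encrypt(iv, key, m):
    body = m + icv(m)  # <M, c(M)>
    return xor(body, rc4(iv + key, len(body)))

def wep_decrypt(iv, key, c):
    body = xor(c, rc4(iv + key, len(c)))
    m, tag = body[:-4], body[-4:]
    return m if tag == icv(m) else None  # None = ICV check failed

def modify_frame(c, d):
    # Keyless C' = C xor <D, c(D)>. zlib's CRC-32 has init/final XOR, so it is
    # affine: crc(M^D) = crc(M)^crc(D)^crc(0..0); the zero term corrects that.
    return xor(c, d + xor(icv(d), icv(bytes(len(d)))))

def demo():
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x00"  # constructed values
    p1, p2 = b"PAY 0100 TO BOB ", b"HELLO FROM AP-01"
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    reuse = xor(c1, c2)[:16] == xor(p1, p2)  # same IV: C1^C2 == P1^P2
    forged = modify_frame(c1, xor(p1, b"PAY 9100 TO BOB "))
    accepted = wep_decrypt(iv, key, forged)  # CRC ICV still verifies
    mk = b"constructed-mac-key"  # keyed checksum, the slide's countermeasure
    tag = hmac.new(mk, iv + c1, hashlib.sha256).digest()
    good = hmac.compare_digest(tag, hmac.new(mk, iv + forged, hashlib.sha256).digest())
    return reuse, accepted, good
```

demo() returns whether the keystream-reuse identity held, the plaintext the receiver accepts from the modified frame, and whether an HMAC-SHA256 tag computed over the original frame still matches the modified one.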