Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) is a security protocol for wireless networks that aims to provide confidentiality and integrity of data during transmission. However, WEP has significant flaws that undermine its cryptographic security. It uses the RC4 stream cipher and relies on a shared static key between devices, allowing an attacker to decrypt traffic by intercepting packets encrypted with the same keystream. WEP also uses a weak integrity check via cyclic redundancy check that does not protect against packet modification. These issues, along with problems in key management and reuse of initialization vectors, make traffic encrypted with WEP vulnerable to interception and decryption with relative ease.
Copyright
© Attribution Non-Commercial (BY-NC)

Wired Equivalent Privacy (WEP)

- Wireless networks rely on an open medium
- With an open network medium, unprotected traffic can be seen by anybody
- Guarding against traffic interception is the domain of cryptographic protocols

10/14/2008 Girish Kumar Patnaik

Cryptographic Background to WEP

- To protect data, WEP requires the use of the RC4 cipher, which is a symmetric (secret-key) stream cipher
- A stream cipher uses a stream of bits, called the keystream
- Most stream ciphers operate by taking a relatively short secret key and expanding it into a pseudorandom keystream the same length as the message.
- The pseudorandom number generator (PRNG) is a set of rules used to expand the key into a keystream.
- To recover the data, both sides must share the same secret key and use the same algorithm to expand the key into a pseudorandom sequence.

WEP Cryptographic Operations

Communications security has three major objectives:

- Confidentiality is the term used to describe data that is protected against interception by unauthorized parties.
- Integrity means that the data has not been modified.
- Authentication underpins any security strategy because part of the reliability of data is based on its origin.

- Users must ensure that data comes from the source it purports to come from.
- Systems must use authentication to protect data appropriately.
- Authorization and access control are both implemented on top of authentication.
- Before granting access to a piece of data, systems must find out who the user is (authentication) and whether the access operation is allowed (authorization).

- WEP provides operations that attempt to meet these objectives, though they often fail under serious scrutiny or attack.
- Frame body encryption supports confidentiality.
- An integrity check sequence protects data in transit and allows receivers to validate that the received data was not altered in transit.

WEP Data Processing

- Confidentiality and integrity are handled simultaneously
- Before encryption, the frame is run through an integrity check algorithm, generating a hash called an integrity check value (ICV)
- The ICV protects the contents against tampering by ensuring that the frame has not changed in transit.
- The frame and the ICV are both encrypted, so the ICV is not available to casual attackers.

As input, WEP requires three items:

- The payload to be protected, which comes from the upper layer protocol stack.
- A secret key, used in frame encryption. Depending on implementation, keys may be specified as a string of key bits, or by key number. WEP allows four keys to be stored simultaneously.
- An initialization vector, used along with the secret key in frame transmission.

After processing, WEP has a single output:

- An encrypted frame, ready for transmission over an untrusted network with enough information to enable decryption at the remote end.

Types of WEP keys

- Mapped keys protect traffic between a particular source and receiver.
- Mapped keys are sometimes referred to as unicast keys or station keys because they are well suited to protect unicast traffic
- Default keys (broadcast keys) are used when no mapping relationship exists between two 802.11 stations.
- Default keys are for broadcast and multicast frames because group addresses represent multiple stations and therefore cannot support key mapping relationships

Manual (static) versus automatic (dynamic) WEP

- In manual key distribution, administrators were responsible for distributing a single default key to all stations in the network
- WEP without any key distribution mechanism is often called manual WEP or static WEP
- In dynamic WEP each station uses two keys
  - One is a key mapping key, shared between the station and access point, used to protect unicast frames.
  - The second key is a default key, shared by all stations in the same service set, that protects broadcast and multicast frames.

WEP key numbering and storage

- WEP keys have an associated number so that up to four keys may be defined on an 802.11 station
- Each station receives two keys from the access point:
  - a mapping key, typically stored as key number 0,
  - a default key, typically stored as key number 1.
- Stations use key 0 for protection of unicast traffic, and key 1 for protection of broadcast traffic

- To efficiently encrypt frames, many 802.11 chipsets include a data structure called the key cache.
- Key caches consist of mappings between tuples of the destination address, the key identifier number, and the bits of the key itself
- Most chipsets intended for use in station interface cards have four key slots.
- Static WEP uses one key slot; dynamic WEP solutions use two.

WEP Encapsulation

- When WEP is in use, the frame body expands by eight bytes.
  - Four bytes are used for a frame body IV header
  - four are used for the ICV trailer

- When a default key is used, the Key ID subfield identifies the default key that was used to encrypt the frame.
- If a key mapping relationship is used, the Key ID subfield is 0.
- The 6 padding bits of the last byte must be 0.
- The integrity check is a 32-bit CRC of the data frame; it is appended to the frame body and protected by RC4.
- The frame check sequence protects the encrypted data.

Problems with WEP

- Cryptographers have identified many flaws in WEP
- Methods of defeating WEP have come from every angle

Cryptographic Properties of RC4

- Reuse of the keystream is the major weakness in any stream cipher-based cryptosystem.
- When frames are encrypted with the same RC4 keystream, the XOR of the two encrypted packets is equivalent to the XOR of the two plaintext packets.
- By analyzing differences between the two streams in conjunction with the structure of the frame body, attackers can learn about the contents of the plaintext frames themselves.

- WEP uses the IV to encrypt different packets with different RC4 keys; the IV is part of the packet header
- WEP incorporates an integrity check, but the algorithm used is a cyclic redundancy check (CRC)
- CRCs are not cryptographically secure
- Cryptographically secure integrity checks are based on hash functions, which are unpredictable.
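
The encapsulation steps from the WEP Encapsulation slides and the keystream-reuse property stated above, worked through in Python as an added example (not code from the original slides). The key, IV and payloads are constructed sample values, and the little-endian ICV packing and the placement of the Key ID in the top two bits of the fourth header byte are the conventions assumed here.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling, then generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(payload: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(payload))   # 32-bit CRC, little-endian

def wep_encapsulate(key: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """IV header || RC4(IV || key) XOR (payload || ICV): eight bytes of growth."""
    header = iv + bytes([(key_id & 0x03) << 6])     # Key ID on top, 6 pad bits 0
    body = payload + icv(payload)
    return header + xor(body, rc4(iv + key, len(body)))

def wep_decapsulate(keys: dict, frame: bytes) -> bytes:
    """Select the key by Key ID, decrypt, and verify pad bits and ICV."""
    iv, key_byte = frame[:3], frame[3]
    if key_byte & 0x3F:
        raise ValueError("pad bits must be 0")
    body = xor(frame[4:], rc4(iv + keys[key_byte >> 6], len(frame) - 4))
    if icv(body[:-4]) != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]

def reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies; under one IV and key the keystream cancels."""
    return xor(frame_a[4:], frame_b[4:])

# Constructed sample data: a 40-bit key and two SNAP-prefixed payloads, same IV.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")
P1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00first payload"
P2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00other payload"
F1, F2 = wep_encapsulate(KEY, IV, 0, P1), wep_encapsulate(KEY, IV, 0, P2)
```

`reuse_leak(F1, F2)` equals `xor(P1, P2)` over the payload bytes, and the eight shared header bytes of the two payloads come out as zeros without the key ever being used.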

Design Flaws of the WEP System

- Manual key management is a minefield of problems
  - rekeying whenever anybody using WEP leaves the company
  - Widely distributed secrets tend to become public over time
  - Once a user has obtained the WEP keys, sniffing attacks are easy

- As standardized, static WEP offers a shared secret of only 40 bits
  - sensitive data be protected by at least 128-bit keys
  - the industry standard extended key length is only 104 bits
- Stream ciphers are vulnerable to analysis when the keystream is reused
  - Two frames that share the same IV almost certainly use the same secret key and keystream

- Infrequent rekeying allows attackers to assemble large collections of frames encrypted with the same keystreams (decryption dictionaries)
- CRCs are not cryptographically secure
- Frames received by the access point would be decrypted and then retransmitted to the attacker's station.
  - If the attacker is using WEP, the access point would helpfully encrypt the frame using the attacker's key.
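
Why a CRC cannot serve as the integrity check under a stream cipher, set beside a keyed hash that can, as an added example (not from the original slides). The keystream, MAC key and payload are constructed, the keystream stands in for any XOR stream cipher output, and HMAC-SHA256 over the ciphertext is this example's choice of hash-based check, not something WEP or the slides specify.

```python
import hashlib
import hmac
import struct
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP-style ICV: CRC-32 of the data, packed little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def seal_crc(keystream: bytes, payload: bytes) -> bytes:
    """Encrypt payload || CRC-32 with the keystream, as WEP does."""
    return xor(payload + icv(payload), keystream)

def open_crc(keystream: bytes, ct: bytes) -> bytes:
    body = xor(ct, keystream)
    if icv(body[:-4]) != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]

def seal_mac(keystream: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Same encryption, with a keyed hash over the ciphertext instead of a CRC."""
    ct = xor(payload, keystream)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_mac(keystream: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch")
    return xor(ct, keystream)

def crc_preserving_delta(delta: bytes) -> bytes:
    """Ciphertext difference that keeps the CRC valid, computed with no key.
    CRC-32 is affine over XOR: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros)."""
    return delta + xor(icv(delta), icv(bytes(len(delta))))

# Constructed sample data.
KS = hashlib.sha256(b"constructed keystream").digest()
MAC_KEY = bytes(range(16))
PAYLOAD = b"sensor=041"
DELTA = bytes(7) + b"\x09" + bytes(2)    # changes the byte '0' at index 7 into '9'
```

The CRC-protected message still verifies after `crc_preserving_delta(DELTA)` is XORed into it, while the same change to the HMAC-protected message is rejected, because producing a matching tag needs `MAC_KEY`.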

Key Recovery Attacks Against WEP

- Fluhrer-Mantin-Shamir (FMS) attack
  - the cleartext value of the first byte of a SNAP header is known to be 0xAA.
  - Because the first cleartext byte is known, the first byte of the keystream can be easily deduced from a trivial XOR operation with the first encrypted byte.
- Each weak IV is used to attack a particular byte of the secret portion of the RC4 key

Key recovery defenses

- Longer keys are no defense against key recovery attacks
- One defense adopted by many vendors is to avoid using weak IVs
  - each IV to be used is first checked against a classifier, and any weak IVs are replaced by non-weak IVs.
  - Unfortunately, reducing the size of the IV space may cause IV reuse to happen earlier.
- Network administrators have responded to key recovery attacks by using stronger protocols, such as the 802.11i protocols
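
A sketch of the transmit-side classifier described above, together with an audit of frame bodies for weak and reused IVs, as an added example (not a vendor's implementation and not from the original slides). The classifier covers only the best-known weak-IV class from the FMS paper, (B+3, 255, X); the audit assumes static WEP, where every station shares the key, so reuse is tracked per Key ID; the frame bodies are constructed.

```python
from collections import Counter

def parse_iv_header(frame_body: bytes):
    """Split the 4-byte IV header into (iv, key_id); the 6 pad bits must be 0."""
    if len(frame_body) < 8:
        raise ValueError("too short for IV header plus ICV")
    if frame_body[3] & 0x3F:
        raise ValueError("non-zero pad bits in Key ID byte")
    return frame_body[:3], frame_body[3] >> 6

def is_weak_iv(iv: bytes, key_len: int) -> bool:
    """FMS form (B+3, 255, X), where B indexes a byte of the secret key."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len

def next_iv(counter: int, key_len: int):
    """Sequential IV allocator that skips weak IVs; returns (iv, next_counter)."""
    while True:
        iv = (counter & 0xFFFFFF).to_bytes(3, "big")
        counter += 1
        if not is_weak_iv(iv, key_len):
            return iv, counter

def usable_ivs(key_len: int) -> int:
    """IVs left in the 24-bit space once the class above is filtered out."""
    return 2**24 - key_len * 256

def audit(frame_bodies, key_len: int) -> dict:
    """Report weak IVs and (key_id, iv) pairs seen more than once."""
    seen, weak = Counter(), []
    for body in frame_bodies:
        iv, key_id = parse_iv_header(body)
        seen[(key_id, iv.hex())] += 1
        if is_weak_iv(iv, key_len):
            weak.append(iv.hex())
    reused = sorted(k for k, n in seen.items() if n > 1)
    return {"weak": weak, "reused": reused}

# Constructed frame bodies: IV (3 bytes), Key ID byte, then opaque ciphertext.
FRAMES = [bytes.fromhex(h) for h in (
    "000001" "00" "1122334455",
    "03ff07" "00" "66778899aa",   # weak for a 5-byte (40-bit) key
    "000001" "00" "bbccddeeff",   # same IV and Key ID as the first frame
    "000002" "40" "0102030405",   # Key ID 1
)]
```

Filtering this one class removes `key_len * 256` IVs from the 24-bit space, which is the shrinkage the slide warns about; a broader classifier removes more.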

Dynamic WEP

- All stations in a network share a key to encrypt broadcast frames, and each station has its own mapping key for unicast frames
- Dynamic WEP uses strong cryptographic protocols to generate keys and then distribute them, in encrypted form, over untrusted networks.
- WEP key generation typically depends on the use of a cryptographic authentication protocol
- The automatic key management of dynamic WEP achieves much greater security than static WEP because it dramatically shortens the lifetime of a key
- Frame initialization vectors can be reused after a key refresh because they correspond to two different WEP seeds.
