Wepwhacker !

WEP Whacker Aim of the project : To exploit the weaknesses in the key scheduling algorithm of RC4 as used in WEP and thus recover encryption keys with passive attack on 802.11 network

802.11 Wireless Networks Two modes of operation : Independent Basic Service Set (IBSS), aka ad-hoc mode No Wiring Cards in each PC/Server Access Point not needed Basic Service Set (BSS) Infrastructure Mode Multiple Access Points/Cells provide floor-wide coverage Wireless PC’s within range of the Access Points Access Point can be installed in wired server – server acts as bridge or router

A WiFi Setup An example of a 802.11 wireless network Internet

The Problem: Security ! Wireless networking is just radio communications Hence anyone with a radio can eavesdrop, inject traffic

WEP The industry’s solution: WEP (Wired Equivalent Privacy) Shares a single cryptographic key among all devices Encrypt all packets sent over the air, using the shared key Use a checksum to prevent injection of spoofed packets (encrypted traffic)

How WEP Works 24 bits 40 bits IV | shared key used as RC4 seed Must never be repeated (why?) There is no way key update protocol in 802.11b, so security relies on never repeating IV IV sent in the clear Worse: 802.11b says that changing IV with each packet is optional! CRC-32 checksum is linear in  : if attacker flips some bit in plaintext, there is a known, plaintext-independent set of CRC bits that, if flipped, will produce the same checksum no integrity!

WEP Data Transmission 802.11b Header IV[0] IV[1] IV[2] Key ID SNAP[0] SNAP[1] SNAP[2] SNAP[3] 32-bit Checksum Payload

WEP Data Transmission IV[0] IV[1] IV[2] SK[0] SK[4] SK[3] SK[2] SK[1] K = IV . SK

WEP Data Transmission K = IV . SK Node Node Generates IV through a counter or randomly

WEP Data Transmission Encrypted Data K = IV . SK Node Node

WEP Data Transmission K = IV . SK Encrypted Data K = IV . SK Node Node Uses received IV with Static Key to decrypt data

WEP Problems IV Reuse IVs are only 24 bits, or 3 bytes long, so there are only 2 24 unique IVs. Collisions occur when an IV is used more than once and so the same RC4 key stream is used to encrypt the data. c 1 = p 1  k c 2 = p 2  k c 1  c 2 = ( p 1  k )  ( p 2  k ) = p 1  p 2 This seemingly large IV space can be depleted quickly. On average reuse occurs after

WEP Problems (Cont.) IV Reuse An example in binary: 01011010101 Plaintext 1 10111110000 XOR Keystream 11100100101 ciphertext 1 11100101010 Plaintext 2 10111110000 XOR Keystream 01011011010 ciphtertext 2 11100100101 ciphertext 1 01011011010 XOR ciphtertext 2 10111111111 result of ciphertexts 10111111111 result 01011010101 XOR Plaintext 1 11100101010 plaintext 2

WEP Problems (Cont.) Weak IV’s Weak IVs have the form (B+3, 255, X), where B is the index of the shared key byte and X can be any number. When a weak IV is used, it is possible to recover the input of the RC4 (IV + Shared Key), knowing its first byte’s output. Knowing plaintext before it is encrypted allows people to exploit the weak IVs and gain knowledge of the shared key. The SNAP encapsulation header 0xAA is widely known and is almost always the first plaintext byte encrypted. There are 9000 known weak IVs and 2000-3000 are needed to crack a 104-bit shared key, which takes a minimum of ~1 million packets.

Attacks on WEP An active attack: Since RC4 is a stream cipher, an attacker can modify the plaintext bits over the ciphertext and fix the CRC checksum accordingly. Parts of the plaintext is predictable (e.g., the upper-layer protocol headers). Attacker sniffs a packet and changes its IP address to his machine from the ciphertext. Hence, the attacker obtains the decrypted text without breaking the encryption.

Attacks on WEP (cont’d) A table-based attack: An insider generates a packet for each IV. Extracts the key stream by xoring the ciphertext with the plaintext. Stores all the key streams in a table indexed by the IV. (Requires ~15GB in total.) Now he can decrypt any packet sent to that AP. Note: All these attacks are practical. Some assume a shared key, which is realistic.

RC4 Fluhrer, Mantin, Shamir Attack First few bits of several thousand messages reveals key. Based on an analysis of the RC4 code. Originally kept secret, but later leaked on the internet.

RC4 Fluhrer, Mantin, Shamir Attack Key Scheduling Algorithm Sets up RC4 state array S S is a permutation of 0, 1, … 255 Output generator uses S to create a pseudo-random sequence. First byte of output is given by S[S[1]+S[S[1]]]. First byte depends on {S[1], S[S[1], S[S[1]+S[S[1]]}

RC4 Fluhrer, Mantin, Shamir Attack Key Scheduling Algorithm First byte of plain text package is part of the SNAP header 0xAA for IP and ARP packages 0xFF or 0xE0 for IPX Guessing the first byte is trivial Some IVs are vulnerable: “resolved” (KeyByte+3, 0xFF, *) Plus some more Easy to test whether an IV is vulnerable. Search for vulnerable IVs. They leak key bytes probabilistically. Large number of packets does it.

RC4 Fluhrer, Mantin, Shamir Attack Optimization needs about 5,000,000 to 1,000,000 packages. Counter-measures: Change key frequently. Change IV counters to avoid bad IVs.

FMS Attack - RC4 Algorithms KSA(K) Initialization: For i = 0 .. N - 1 S[i] = i j = 0 Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) PRGA(K) Initialization: i = 0 j = 0 Generation Loop: i = i + 1 j = j + S[i] Swap(S[i], S[j]) Output z = S[S[i] + S[j]]

FMS Attack - RC4 Algorithms K = IV . SK

FMS Attack - RC4 Algorithms K = IV . SK KSA(K)

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K)

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data Air

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data Air K = IV . SK

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K)

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K) PRGA(K)

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K) PRGA(K) XOR

FMS Attack - RC4 Algorithms K = IV . SK KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K) PRGA(K) XOR Data

FMS Attack - KSA Initialization KSA(K) Initialization: For i = 0 .. N - 1 S[i] = i j = 0 Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3 , f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j= 0 + 0 + 3 =3

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f , 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3= 3 0 1 i=1, j= 3 + 1 + f =3

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7 , 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f= 3 c 2 i=2, j= 3 + 2 + 7 =c

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1 , 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1 , 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7= c 5 1 i=3, j= c + 1 + 1 =e Note that S[B+3] contains information relating to SK[B], since SK[B] is used to calculate j

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1 , 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7= c 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Done with KSA e 1 i=3, j= c + 1 + 1 =e

FMS Attack - PRGA Initialization PRGA(K) Initialization: i = 0 j = 0 Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Initialization 0 1 2 3 4 5 6 7 8 9 a b c d e f

FMS Attack - PRGA Generation Loop PRGA(K) Generation Loop: i = i + 1 j = j + S[i] Swap(S[i], S[j]) Output z = S[ S[i] + S[j] ] Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Initialization 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 3 i=1, j= 0 + 0 =0, z=S[ 3 + 0 ]=e e is the output for the first byte

FMS Attack - PRGA Generation Loop PRGA(K) Generation Loop: i = i + 1 j = j + S[i] Swap(S[i], S[j]) Output z = S[ S[i] + S[j] ] Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Initialization 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 3 i=1, j= 0 + 0 =0, z=S[ 3 + 0 ]=e e is the output for the first byte e is then xor’ed with the first byte of data, which is always 0xaa on ip networks

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7=c 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Done with KSA e 1 i=3, j=c+1+1=e

FMS Attack - KSA Scrambling KSA(K) Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7= c 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Done with KSA e 1 i=3, j= c + 1 +1=e

FMS Attack - Reversing Output to Key Byte S -1 [X] is the location of X in S SK[B] = S -1 [Out] - j - S[i + 1] SK[B] = S -1 [e] - c - 1 = 1

FMS Attack - Analysis of Results Results are correct ~ e -3 = 5% of the time In cases where results rely on only 2 elements in the array not being swapped, it is correct ~ e -2 = 13% of the time The correct key values will become more evident as you collect more data Once the first key byte is derived, it is used to crack the next byte, and so on

FMS Attack - Detection of Weak IVs How do you find IV’s that setup S so that it reveals key information? Baseline attack is to look for IV’s that conform to: (A + 3, N - 1, X) But is recommended that you use the following equations right after the KSA: X = S B+3 [1] < B+3 X + S B+3 [X] = B+3 The main dilemma is that this equation is dependent on the previous key bytes, so it has to be applied to the entire sample set for every key byte that is tried

FMS Attack - Filtering Weak IVs Weak IV Filter: Let l = the amount of elements in SK i = 0 For B = 0 .. l - 1 If (((0 <= a and b < B) or (a = B and b = (B + 1) / 2 : 1)) and (B % 2 ? a != (B + 1) / 2 : 1)) or (a = B + 1 and (B = 0 ? B = (B + 1) * 2 : 1)) or (x = B + 3 and y = N - 1) or (B != 0 and !(B % 2) ? (x = 1 and y = (B / 2) + 1) or (x = (B / 2) + 2 and y = (N - 1) - x) : 0) Then ReportWeakIV

Conclusion / Expected Results We can recover a secret WEP key with off-the-shelf products and open source tools. The chief barriers: wireless products that select IVs that are cryptographically superior configuring linux system to work properly with a wireless card in promiscuous mode non-trivial – drivers, recompiling kernel, etc Sniffing adequate # of packets Need sufficient hardware muscle WEP is insecure – proper precautions should be taken.

Attacks on the Wired Equivalent Privacy protocol which defeat each of the security goals of: Confidentiality: We can read WEP-protected traffic. Access Control: We can inject traffic on WEP-protected networks. Data Integrity: We can modify WEP-protected traffic in transit. Conclusions

Improving WEP’s Security Recommended Practice includes Per-link keys Unique key per node IV Sequencing Check for monotonically increasing IVs Weak IV avoidance 104-bit keys IV + Key = 128-bits Rapid Rekey Derive WEP keys from master key Change encryption key frequently

Thank You Project Mentor: Mrs. Navdeep Kaur Project Undertaken by: Sumit Khandelwal(02928) Arunjit Singh(02919) Sandeep Singh(02925) Arpit Sharma(02918)

Wepwhacker !

More Related Content

Similar to Wepwhacker !

Recently uploaded

Wepwhacker !