WEP

Weaknesses
Or
What on Earth does this
Protect


Roy Werber


2
Goals
Authorization
Prevent unauthorized access to network
Privacy
The P in WEP
Make it feel like LAN
Maintain data privacy from outsiders
3
Basic Flaws
Bad design
Each component is good, but not suited to
datagram environment
No key management
One key for all
Bad implementation
4
Stream Ciphers
C = P S
Key streams must never be reused
C1 C2 = (P1 S) (P2 S) = P1 P2
Forgery is easy Bit flip attack
If M2 = M1 X
Then C2 = C1 X

5
Stream Ciphers And Datagram
Key streams must never be reused
Encryptor and decryptor must remain
synchronized
Bad for datagram environment
Without Random Access property
encryption process starts for each packet
Different key for each packet

6
WEP Solution
ICV Prevents forgery
Checksum on the data prevents bit flipping
IV Prevents key reuse
Each packet a new key that starts a new stream
is used
7
ICV Prevents Forgery?
Uses CRC-32 checksum
CRC-32 is linear:
CRC(A B) = CRC(A) CRC(B)
RC4 is transparent to XOR
C = RC4 ( [M,CRC(M)] )
C = C [X,CRC(X)]
= [M,CRC(M)] S [X,CRC(X)]
= RC4 ([M X, CRC( M X)])
8
IV Prevents Key Reuse ?
IV space is very small : 2
24
Birthday attack:
50% chance of collision after only 4823 packets
99% collision after 12,430 packets
= 3 seconds in 11 Mbps traffic
Assuming random IV selection (Some
implemented IV as a counter from 0)
Assuming IV changes. Its optional


9
After IV Match Is Found
Pattern recognition on the XORd plaintext
ICV tells if the guess is correct
After only a few hours of observation, you
can recover all 2
24
key streams
Get active:
Send Spam to the network
Get the victim to send e-mail to you
Known plaintext Key stream
10
Authentication
SSID
Shared Key
MAC
11
Authentication Problems
SSID Easy to get by sniffing, it is
broadcasted (If WEP encryption deployed
access by key)
MAC It is broadcasted
Can be spoofed


12
How to Authenticate without the
Key
Challenge (Nonce)
Response ( RC4 [Nonce] under shared key)
STA
AP
Decrypted nonce OK?
Simple Attack:
Record one challenge/response with a sniffer
Use the challenge to decrypt the response and recover the key stream
Use the recovered key stream to encrypt any subsequent challenge
13
Types Of Attacks
IV re-use attack to decrypt traffic
We already seen it
Replay Attack
Trivial
Statistical attacks
IP Modification
Active attack to inject traffic
Bit flip attack to recover key stream

14
Improvement Techniques
Grow a partial keystream, Use key table

15
FMS Attack
Fluhrer, Martin and Shamir found a class of
RC4 keys called weak keys
If the first 2 bytes of enough key stream are
known -> The RC4 key is discovered
The first 8 bytes of WEP packet is a known
SNAP-SAP header
AirSnort implements this attack
Recovers key after 20,000 packets = 11 seconds
16
IP Modification
IP redirection:
Change the destination of an encrypted packet
to a machine controlled by the attacker on the
wired network.
Send modified frame to AP that will decrypt it
and send to attacker machine
Derive keystream from this ciphertext, plaintext
pair
Attacker can reuse keysteam to send/receive
WLAN traffic

17
Inject Traffic
If there is a known cipher plaintext pair
The cipher can be modified to any message
Correct CRC is calculated and inserted
Uses:
Unauthorized traffic can be sent
User commands can be altered. (telnet ,ftp, etc)
18
Bit Flipping Attack
19
Practicality
Available cheap equipment
Laptop and wireless card
Tools: AirSnort, Netstumbler, Kismet
Easy to sniff, harder to transmit

20
Main Points
WEP was badly designed
WEP was badly implemented
I didnt even speak about DoS attack,
MITMs, Impersonating to AP
Treat wireless the way you treat remote
traffic
Thank You!