IEEE 802.11 Security Specifically WEP, WPA, and WPA2
Brett Boge, PresenterCS 450/650University of Nevada, Reno
• IEEE 802.11 standard for wireless LAN (802.11-1997)• Ratified September 1999
• WEP included• 2001 UC Berkeley
Fluhrer, Mantin, and Shamir"Weaknesses in the Key Scheduling Algorithm of RC4“
• ~2002 WPA• 2004 802.11i ratified with WPA2• IEEE 802.11-2007
Introduction / History
WEPWired Equivalent Privacy
• Part of the original 802.11 standard
• Uses RC4 for confidentiality• Uses CRC32 for integrity
• 64 bit WEP uses a 40-bit key (aka WEP-40)• Limited by the government
• 128 bit WEP uses a 104-bit key
• Deprecated in 2004
RC4
• 1987, "Rivest Cipher 4“, aka “Ron’s Code”• 1994 spread on the internet• Stream cipher
KSA (Key scheduling algorithm):
S[i] = {0,1,2,3…}j = 0for i = 0 – 255
j := (j + S[i] + key[i mod keylength]) mod 256 swap values of S[i] and S[j]
end
RC4
PRGA:
i = 0j = 0as long as we need output: i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] output S[(S[i] + S[j]) mod 256]
WEP
• Uses RC4 for encryption• Uses CRC32 for integrity
Encryption:
• Fixed-sized input into a crypto function• Prevents repetition• Uniqueness important• WEP uses 24 bit
Initialization Vector
WEP “Authentication”
2 Methods
Attacking WEPFluhrer, Mantin, and Shamir
With certain weak IVs, knowing the nth byte of a keystreamallows the attacker to derive the n+1th byte.
IV’s of form (a + 3, n − 1, x) will help to provide a possible key value at index a
• 2001 “Weaknesses in the Key Scheduling Algorithm of RC4”• Key recovery• Requires a sufficiently large number of messages• Exploits weak IVs
Additional WEP Weaknesses
• No key management, shared key
• Statistical attack against duplicate IVs
• 2005 - FBI showed that WEP can be cracked in 3 minutes usingpublicly available tools
• More correlations between the keystream and the key thanshowed by Fluhrer, Mantin, and Shamir (KSA weaknesses)
• 2007 - Erik Tews, Andrei Pychkine, and Ralf-Philipp Weinmann
104bit WEP key:50% - 40,00080% - 60,00095% - 80,000
• 2002 Wi-Fi AllianceWPA stopgap until 802.11i
• No shared key, uses TKIP• 128 bit• Per-packed• Subject to old weaknesses
• Uses RC4 to run on old hardware
• Stronger Integrity, no CRC, uses MACs
WPAWi-Fi Protected Access
• 2004 Wi-Fi AllianceIEEE 802.11i-2004
• No TKIP, uses CCMP as standard• Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol• Block Cipher using AES
• Mandatory for all devices bearing the Wi-Fi mark
WPA2Wi-Fi Protected Access
WPA/WPA2Authentication
Conclusion
• WEP • Many weaknesses, deprecated
• WPA• uses weaker TKIP, better than WEP• Less intensive• Supported on older equipment
• WPA2• uses AES• 802.11i standard
Despite wireless security, using a tunnel (IPsec, SSH) when on a wireless network is a good idea to double yourProtection.