An Analysis of Wireless Network Security and Practical Exploitation of the Weakness in the Encryption by Qi Liao (2005)

8/8/2019 An Analysis of Wireless Network Security and Practical Exploitation of the Weakness in the Encryption by Qi Liao (2

1/53

CISC 490Senior Project

An Analysis of Wireless NetworkSecurity and

Practical Exploitation of the Weaknessin

the Encryption Algorithm of the 802.11b

Wired Equivalent Privacy Protocol

Qi LiaoHartwick College

May 2005

IntroductionMy motivation:

Wireless communication has taken off.

Great potential: convenience, increasing speedand security.

How secure is it?


2/53

Almost every Univ. & College has wirelessnetwork on campus. Increasing necessity toinvestigate its security.

My Goal:

This project is to explore two basic wirelessnetworks architecture here at Hartwick College:open-system and WEP protected system, withemphasis on breaking WEP.

Does WEP really achieve its goal: Wired

Equivalent Privacy?

My Architecture:

Two laptop computers with wireless cards andone WEP encrypted AP.

One is used to passively intercept the

communication between the other computer andthe AP.

My Approach:

theoretical analysis supported with empiricaldata, and some implementations ofprogramming.

Wireless Communications


3/53

Wireless networks are diverse. Threecategories:

Wireless Wide Area Networks(WWAN)

(cell phones) 2G cellular, CDPD,GSM, Mobitex.

Wireless Local Area Network(WLAN)

802.11, HiperLAN

Wireless Personal Area Networks(WPAN)

Bluetooth, IR, ad hoc (noinfrastructures needed)

Wireless technologies are changingrapidly. New products and features

means new threats or vulnerabilities.

Security of cell phones, PDA, and otherad hoc or Bluetooth networks areinteresting.


4/53

My focus: Security of WLAN

802.11 Wireless Local Area Network(WLAN):

In contrast with traditional LAN, WLANhas the following advantages:

User Mobility

Rapid Installation

Flexibility & Scalability

Low Implementation Cost

WLAN connects computers to thenetwork using an Access Point (AP)device

WLAN are based on the IEEE 802.11standardWireless LAN Medium

Access Control (MAC) and PhysicalLayer Specifications--1999. (firstpublished in 1999)


5/53

Although 802.11g was available longtime ago, 802.11b is still the dominant

standard for WLAN for now.


Figure 1: A Basic Topology of a 802.11 WLAN


All the vulnerabilities that

exist in a conventionalwired network apply towireless technologies.

Furthermore, due to thecommunications medium,the airwave, is open to


6/53

intruders, making it the

logical equivalent of anEthernet port in theparking lot.

How to protect our

privacy?--WEP

Wired Equivalent Privacy

(WEP):

WEP protocol protects link-level dataduring wireless transmission betweenclients and access points.

Overall, WEP provides three basic

security services as defined by IEEE forthe WLAN environment:


7/53


8/53

Shared-key System:

requires the knowledge of a secret

WEP key in order to get on thenetwork.

not mutual authentication.

the client does not authenticate the

AP.

rogue APs. As long as the signal isstronger.

Figure 2: Taxonomy of 802.11 Authentication Techniques

Open-system Authentication and Shared-key

Authentication and Privacy:

Attacks to Open-System:

Architecture of Yager Hall Library: I usedNetStumbler version 0.4.0 to obtain the

basic information of the APs and WLAN.

There are one Avaya AP on the 5th floor of


9/53

the library (channel 9) and the other on the

2nd floor (channel 3).

Figure 3: AP Information Obtained through NetStumbler


I used Etherealthe Network ProtocolAnalyzer Version 0.10.9 to analyze

packet data.

I used host 147.205.100.135 as bothsource and destination address in thecapture filter to monitor all the trafficcome to and leave the machine that I

am testing in the lab on the 5th floor oflibrary.

It was more efficient in my own testenvironment. More importantly itprevented accidentally violate the

privacy of other users.

Below are the raw data of the packetsthat I captured under the open-system


10/53

wireless network by using MicrosoftOutlook to send and receive emails.

As we can clearly see the userinformation in Table 1, 2, and 3, the username is LiaoQ and password isM1234%^dd. The message is alsosent in plain text, which is This is a

secret message text here.


0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 4500 .....B...X....E.

0010 00 34 04 61 40 00 80 06 14 71 93 cd 64 87 93

cd [email protected]...

0020 55 d0 0b f5 00 6e 1a 65 34 a3 9a 38 87 2b 5018 U....n.e4..8.+P.

0030 44 17 6b f9 00 00 55 53 45 52 20 6c 69 61 6f71 D.k...USER liaoq

0040 0d0a ..

Table 1: Captured Data under the Open-system WirelessNetwork in Yager Hall Library. POP3 Logon UserInformation.

0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 4500 .....B...X....E.


11/53

0010 00 38 04 62 40 00 80 06 14 6c 93 cd 64 87 93cd [email protected]...

0020 55 d0 0b f5 00 6e 1a 65 34 af 9a 38 87 30 5018 U....n.e4..8.0P.

0030 44 12 4d c3 00 00 50 41 53 53 20 4d 31 32 3334 D.M...PASS M1234

0040 25 5e 64 64 0d0a %^dd..

Table 2: Captured Data under the Open-system Wireless Network in Yager

Hall Library. POP3 Logon Users Password Information.

00:02:b3:d0:cb:42 is the Destination MAC addressassociated with IP address of 147.205.85.210, whichis the Hartwick Mail Exchange server:hcexch.hartwick.edu. 00:0d:88:58:ce:88 is SourceMAC address of my test machine associated with IPaddress of 147.205.100.135, which is translated asyag5thd1.hartwick.edu.


0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 4500 .....B...X....E.

0010 02 2b 04 5a 40 00 80 06 12 81 93 cd 64 87 93cd [email protected]...

0020 55 d0 0b f4 00 19 1a 63 8d 18 9a 35 d0 5b 5018 U......c...5.[P.

0030 43 4f 26 ec 00 00 46 72 6f 6d 3a 20 22 71 6922 CO&...From: "qi"


12/53

0040 20 3c 6c 69 61 6f 71 40 68 61 72 74 77 69 636b ..To: .

0070 0a 53 75 62 6a 65 63 74 3a 20 73 65 63 72 6574 .Subject: secret

0080 20 6d 65 73 73 61 67 65 0d 0a 44 61 74 65 3a20 message..Date:

0090 46 72 69 2c 20 34 20 46 65 62 20 32 30 30 3520 Fri, 4 Feb 2005

00a0 31 35 3a 32 38 3a 33 36 20 2d 30 35 30 30 0d0a 15:28:36 -0500..

00b0 4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 4d 4345 Message-ID: ..M

00f0 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e30 IME-Version: 1.0

0100 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a20 ..Content-Type:

0110 74 65 78 74 2f 70 6c 61 69 6e 3b 0d 0a 09 6368 text/plain;...ch


13/53

0120 61 72 73 65 74 3d 22 69 73 6f 2d 38 38 35 392d arset="iso-8859-

0130 31 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 72 616e 1"..Content-Tran

0140 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 2037 sfer-Encoding: 7

0150 62 69 74 0d 0a 58 2d 50 72 69 6f 72 69 74 793a bit..X-Priority:


Hall Library. POP3 Email Content.


Hall Library. POP3 Email Content (continued).

0160 20 33 20 28 4e 6f 72 6d 61 6c 29 0d 0a 58 2d4d 3 (Normal)..X-M

0170 53 4d 61 69 6c 2d 50 72 69 6f 72 69 74 79 3a20 SMail-Priority:

0180 4e 6f 72 6d 61 6c 0d 0a 58 2d 4d 61 69 6c 6572 Normal..X-Mailer

0190 3a 20 4d 69 63 72 6f 73 6f 66 74 20 4f 75 746c : Microsoft Outl

01a0 6f 6f 6b 20 49 4d 4f 2c 20 42 75 69 6c 64 2039 ook IMO, Build 9

01b0 2e 30 2e 36 36 30 34 20 28 39 2e 30 2e 32 39

31 .0.6604 (9.0.291

01c0 31 2e 30 29 0d 0a 49 6d 70 6f 72 74 61 6e 6365 1.0)..Importance

01d0 3a 20 4e 6f 72 6d 61 6c 0d 0a 58 2d 4d 69 6d65 : Normal..X-Mime


14/53

01e0 4f 4c 45 3a 20 50 72 6f 64 75 63 65 64 20 4279 OLE: Produced By

01f0 20 4d 69 63 72 6f 73 6f 66 74 20 4d 69 6d 654f Microsoft MimeO

0200 4c 45 20 56 36 2e 30 30 2e 32 38 30 30 2e 3134 LE V6.00.2800.14

0210 34 31 0d 0a 0d 0a 54 68 69 73 20 69 73 20 6120 41....This is a

0220 73 65 63 72 65 74 20 6d 65 73 73 61 67 65 2074 secret message t

0230 65 78 74 20 68 65 72 652e ext here.



The Webmail also sends message inplain text both in send and receivemode.

I used Webmail to send a short email tomyself. As we can see in the following

captured data, the message is This is atop sceret message here. The detailedpacket information and interpretationenclosed in the Appendix in my paper.


15/53

0000 00 02 b3 d0 cb 42 00 0d 88 58 ce 88 08 00 4500 .....B...X....E.

0010 01 d9 0a ad 40 00 80 06 0c 7f 93 cd 64 87 93cd [email protected]...

0020 55 d1 0c 45 00 50 34 2f 89 33 d6 af 26 ae 5018 U..E.P4/.3..&.P.

0030 41 1c bf 5f 00 00 43 6d 64 3d 73 65 6e 64 0a4d A.._..Cmd=send.M

0040 73 67 54 6f 3d 6c 69 61 6f 71 40 68 61 72 7477 sgTo=liaoq@hartw

0050 69 63 6b 2e 65 64 75 0a 4d 73 67 43 63 3d 0a4d ick.edu.MsgCc=.M


Hall Library. Webmail Message Content Sent


Table 4: Captured Data under the Open-system Wireless Network in YagerHall Library. Webmail Message Content Sent (continued).

0060 73 67 42 63 63 3d 0a 75 72 6e 3a 73 63 68 656d sgBcc=.urn:schem

0070 61 73 3a 68 74 74 70 6d 61 69 6c 3a 69 6d 706f as:httpmail:impo

0080 72 74 61 6e 63 65 3d 31 0a 68 74 74 70 3a 2f

2f rtance=1.http://

0090 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f66 schemas.microsof

00a0 74 2e 63 6f 6d 2f 65 78 63 68 61 6e 67 65 2f73 t.com/exchange/s


16/53

00b0 65 6e 73 69 74 69 76 69 74 79 2d 6c 6f 6e 673d ensitivity-long=

00c0 0a 75 72 6e 3a 73 63 68 65 6d 61 73 3a 68 7474 .urn:schemas:htt

00d0 70 6d 61 69 6c 3a 73 75 62 6a 65 63 74 3d 7365 pmail:subject=se

00e0 63 72 65 74 20 6d 65 73 73 61 67 65 0a 75 726e cret message.urn

00f0 3a 73 63 68 65 6d 61 73 3a 68 74 74 70 6d 6169 :schemas:httpmai

0100 6c 3a 68 74 6d 6c 64 65 73 63 72 69 70 74 696f l:htmldescriptio

0110 6e 3d 3c 21 44 4f 43 54 59 50 45 20 48 54 4d4c n=

0150 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 4554


17/53

0190 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e3c charset=utf-8">This is a top s

01c0 63 65 72 65 74 20 6d 65 73 73 61 67 65 20 6865 ceret message he

01d0 72 65 2e 3c 2f 44 49 56 3e 3c 2f 42 4f 44 593e re.

01e0 3c 2f 48 54 4d 4c3e

Attacks to WEP

The basic network model that I used

consists of one WEP encrypted AP, onelaptop PC with Orinoco Silver WirelessCard running Windows XP Professional(used to intercept the wirelesscommunication data), and one laptopPC with Orinoco Silver Wireless Card

running Red Hat Linux Fedora Core 3(used to send and receive data).

Architecture at CISC clubhouse:


18/53

There are two open-system APs of SSID ofJohnstone.

There is one WEP encrypted AP, running on

channel 6,located at Professor Lichtmans office.D-Link AirPremier DWL-2200AP 802.11gWireless 108Mbps Access Point with PoE.

Figure 6: Basic AP Information Obtained Through NetStumbler.

Attacks to WEP

A user needs a secret WEP key in order to

be connected to the CISC wireless network.

Figure 8: Connecting to the WEP Protected Wireless Network by Providing the

Shared Key.


Capturing a WEP encrypted rawpackets is not easy.

There are basically three modes for

certain Network Interface Card (NIC):

Normal Mode

Promiscuous Mode


19/53

Monitor Mode.

right chip + right driver = monitor mode

The two wireless cards that I used areOrinoco PC Card Silver (5 volt) with bluecolor, and Orinoco PC Card T2Extended H1T2R1 Proxim World WEPKit Silver with purple color. (Show cards)

I checked out those cards from thecirculation desk in library, so they arethe cards that Hartwick students areusing.

Patches and Drivers for Orinoco cards(Linux)

WaveLAN Station firmware Updateutility (WSU) version 606, 616, 728, 752,810 by Lucent Technologies

Agere Systems v7.82 NDIS 5.x MiniportDriver (Windows)


20/53


I used AirSnort v0.2.7c to capture WEP

raw packets.

demo version of AiroPeek(peek5.sysand peek.dll) + AirSnort ==>capture inmonitor mode

How to view the contents of thecaptured raw WEP packets?

AirSnort+Ethereal=0,Ethereal+AirSnort=Blue Screen, modifyEthereal source code=complicated, log

to file + Etheral=yes!

Figure 11: Using AirSnort to Capture the WEP Encrypted Packets with the

Wireless Card Set in Monitor Mode.

RC4 Encryption Algorithm and WEPprotocol

The RC4 encryption algorithm wasdeveloped in 1987 by Ron Rivest, forRSA Data Security.


21/53

was a propriety algorithm until 1994.

RC stands for Rons Code or Rivest

Cipher.

RSA claims that the algorithm isimmune to differential and linearcryptanalysis.

RC4 actually consists of two parts:

the Key Scheduling Algorithm (KSA)and

the Pseudo Random GenerationAlgorithm (PRGA).

The RC4 algorithm generates akeystreami.e., a long sequence ofpseudorandom bytesas a function ofthe initialization vector (iv) and secretWEP key (k)

keystream = RC4 (iv,k)


22/53


Plaintext is the concatenation ofmessage and checksum.

P = (M,CRC32(M))

where M stands for the message, and

CRC32(M) is the Cyclic RedundancyChecksum on M.

RC4 encryption algorithm usesexclusive-OR (XOR)

XOR = (a b) (a b).

0

1

1

0

1

0

1

0

XOR


23/53

1

1

0

0

We encrypt the plaintext by simplyXORing or adding modulo 2 thekeystream to the plaintext.

Encryption: C = Pkeystream


Figure 12: Encrypted WEP frame.

To decrypt a frame protected by WEP, reverses the

encryption process.

Regenerates the keystream RC4(iv,k) and XORs it against

the ciphertext to recover the initial plaintext.

Decryption: P = Ckeystream

= (Pkeystream)keystream

= P


24/53

decrypted plaintext P = (M, c). Verifies the checksum:

c(M)?=c


Figure 13: The WEP Encryption and Decryption using the RC4 Algorithm.

IV Collision Attack

The WEP standard recommends that the IV bechanged after every packet.

This way, each packet receives a different keystream.

However, it does not say anything else about how toselect IVs, and each individual vendor does thingsdifferently.

random vs constant

As through my observation, both my Orinoco PC CardSilver (5 volt) by Lucent Technology, increments the

IV by one for each packet it transmits.

I unplugged and re-inserted the cardinto the laptop each time I need it to re-initialize the card.


25/53

Blue color:

For three sessions of capturing, I got packetswith IV ranging from 0x78df14--0x7ddf14,

0xc4d16a--0xcbd16a, 0xcffb78--d7fb78

My conjecture: it somehow stores a seed in thefirmware, so each time it initializes, it will start ata different random number.

Purple color:

Resets the IV to a low number (although I wasnever able to get a 0) each time it was re-initialized.

For five test sessions of capturing, I got packetswith such IV as 0x2e0000--0x310000, 0x130000--0x210000, 0x250000--0x2b0000, 0x050000--0x120000, and 0x270000-- 0x2c0000.

IV Collision Attack

I will address my Brute-force attack later. But my firstapproach is to explore the vulnerability of WEPregardless of keysize.

No matter the 64-bit or 128-bit key, the IV field usedby WEP is only 24 bits wide, nearly guaranteeing thatthe same IV will reused for multiple messages.


26/53

Statistically, an IV collision occurs for every 5000packets with a random IV implementation.

I measured that the AP at CISC department send and

receive about 1000 packets each minute.

That means for every five minutes, there is an IVcollision.

When two packets assigned with two identical IV, oran IV collision, happens, RC4(iv,k) will produce thesame keystream for the two packets since the secret

WEP key do not change. We can see an interestingproperty here:

If C1 = P1keystream

and C2 = P2keystream

then C1C2 = (P1keystream)(P2keystream) =

P1P2

In other words, XORing the two ciphertexts (C1 andC2) together causes the keystream to cancel out, and

the result is the XOR of the two plaintexts (P1P2).

IV Collision Attack

0000 08 41 d5 00 00 0f 3d fa 97 93 00 02 2d 29 2625 .A....=.....-)&%

0010 00 02 b3 d0 cb 42 30 02 16 00 00 00 aa 17 65a3 .....B0.......e.


27/53

0020 ba fe bd 42 68 60 2d 76 2e fb b3 3d 87 a5 3910 ...Bh`-v...=..9.

0030 2f c5 6d 18 d8 c8 7e 7a 23 6e ce 7f 28 37 01c5 /.m...~z#n..(7..

0040 4c 4c 80 0f f9 86 b3 7e 63 06 b1 9b d9 eb 5942 LL.....~c.....YB

0050 50 93 5f ce d9 9a d4 45 da 87 0c 5f 38 90 f6d1 P._....E..._8...

0060 8f 8d 30c7 ..0.

Table 6: Captured Data of the First Packet with theIV 0x160000.

0000 08 41 d5 00 00 0f 3d fa 97 93 00 02 2d 29 2625 .A....=.....-)&%

0010 00 04 23 0d 6e 7c f0 01 16 00 00 00 aa 17 65a3 ..#.n|........e.

0020 ba fe bd 42 68 a0 2d 20 20 ea f3 3d 38 a2 a7

05 ...Bh.- ..=8...

0030 2f c5 6d 18 d8 c8 7e 4b a0 74 01 24 80 d6 3be8 /.m...~K.t.$..;.

0040 09 4c 80 41 28 f3 a5 ae 5b 22 46 a8 48 22 0917 .L.A(...["F.H"..

0050 c7 5c 03 bc d9 49 97 f9 da bd 58 dc a0 24 f5d3 .\...I....X..$..

0060 d0 ef 29 79 6f ca 9c 48 1e 42 5e 8a 4a df a6af ..)yo..H.B^.J...

0070 98 b8 c0 b4 dd 46 8b 55 f7 72 83 e7 f5 8e 5ef8 .....F.U.r....^.


28/53

0080 cf e6 9c df 8a 04 8d 1e 3b ee 19 a9 1d fd 4689 ........;.....F.

0090 605e `^

Table 7: Captured Data of the Second Packet with the IV 0x160000.

IV Collision Attack

I wrote a small program in Java to perform the XORoperations on captured data.

Show my program.

00000000 00000000 00000000 00000000 00000000 0000000000000000 00000000

00000000 11000000 00000000 01010110 00001110 0001000101000000 00000000

10111111 00000111 10011110 00010101 00000000 0000000000000000 00000000

00000000 00000000 00000000 00110001 10000011 0001101011001111 01011011

10101000 11100001 00111010 00101101 01000101 0000000000000000 01001110

11010001 01110101 00010110 11010000 00111000 00100100

11110111 00110011

10010001 11001001 01010000 01010101 10010111 1100111101011100 01110010

00000000 11010011 01000011 10111100 00000000 0011101001010100 10000011


29/53

10011000 10110100 00000011 00000010 11010000 1110111100101001 01111001

01101111 11001010 10011100 01001000 00011110 0100001001011110 10001010

01001010 11011111 10100110 10101111 10011000 1011100011000000 10110100

11011101 01000110 10001011 01010101 11110111 0111001010000011 11100111

11110101 10001110 01011110 11111000 11001111 1110011010011100 11011111

10001010 00000100 10001101 00011110 00111011 1110111000011001 10101001

00011101 11111101

Table 8: the Bitwise XOR Results of Two Binary DataCaptured with the IV Collision.

Note that the 0 bits mean the contentsof the two plain texts are all thesame.

IV Collision Attack

One may make an educative guess of

some components of the packet, suchas some fields of IP traffic, sinceprotocols usually have commonstructures.


30/53

If the bit of C1C2 is 1, then the bits in

P1 and P2 have to be of different parity,

namely one 0 and one 1.

If the bit of C1C2 is 0, then the bits in

P1 and P2 have to be the same.

Some linear ciphers can be solved byanalyzing frequency of English letters.The first seven most frequently usedletters are E, T, N, R, I, O, and A, sosome probability approaches may work.

If we have n ciphertexts that all reusethe same keystream, as n increases, it

gets easier to guess the contents.

Keystream Recovery Approach

One logic extension of the IV collision attack is that ifwe capture two packets with the same IV and we

know the content of one of them, we can recover thepseudo random keystream used to encrypt thepacket.


31/53

Recall that Encryption: C = Pkeystream. We can

easily recover the keystream by XORing the ciphertext and plain text, that is:

keystream = CP

If I send traffic from the outside to a host inside thewireless network, since the contents of such traffic arecreated by me, I know exactly what I send, yieldingknown plaintexts.

Imagine such a scenario that I send emails tolegitimate users (professors or students) on theHartwick network and wait for them to check it over awireless link. Sending spam email might be a goodmethod of doing this without raising too many alarms.

In my test environment:

I used the Linux machine to send emails and didsome web browsing while running Ethereal torecord the original data coming and leaving thatmachine.

On my Windows XP machine, I set up mywireless card in monitor mode and used AirSnortto capture the encrypted version of all those

communication by logging to a binary file.



32/53

0000 01 00 0c cc cc cc 00 30 c1 63 36 f2 00 84 aaaa .......0.c6.....

0010 03 00 00 0c 20 00 01 b4 42 73 00 01 00 20 4d49 .... ...Bs... MI

0020 4c 53 57 30 2e 35 35 2e 32 33 34 28 30 30 3330 LSW0.55.234(0030

0030 63 31 2d 36 33 33 36 38 30 29 00 02 00 11 0000 c1-633680)......

0040 00 01 01 01 cc 00 04 93 cd 37 ea 00 03 00 0642 .........7.....B

0050 36 00 04 00 08 00 00 00 08 00 05 00 2d 52 6576 6...........-Rev

0060 69 73 69 6f 6e 20 43 2e 30 39 2e 32 32 20 2f73 ision C.09.22 /s

0070 77 2f 63 6f 64 65 2f 62 75 69 6c 64 2f 76 6772 w/code/build/vgr

0080 6f 28 63

30 o(c0

0000 08 42 00 00 01 00 0c cc cc cc 00 0f 3d fa 9793 .B..........=...

0010 00 30 c1 63 36 f2 10 eb f4 26 09 00 d7 4e f651 .0.c6....&...N.Q

0020 00 a5 b8 94 3f 54 2f d8 5f 09 c2 0f 74 02 dac3 ....?T/._...t...

0030 e0 41 24 b3 2b 3d c7 7b 21 a4 64 a5 bb 7c 70ea .A$.+=.{!.d..|p.

0040 0f 84 fd 53 79 89 9c 02 24 c2 80 8a 20 97 f9e2 ...Sy...$... ...


33/53

0050 b6 a7 a8 f5 b1 f9 af 9d 97 dc 61 f2 63 56 663d ..........a.cVf=

0060 00 b2 53 2e f7 8a 89 9d 08 e7 e3 6a 0b 3b 0f60 ..S........j.;.`

0070 78 c2 c5 9f 91 5b 53 8e 5a 24 e9 9c a2 45 adb0 x....[S.Z$...E..

0080 bf f9 e5 ea d6 00 02 17 db bc 6e b2 bb ec 7ef9 ..........n...~.

0090 72 6f 79 43 9b c4 fc 86 f4 9b 7a 2b c7 af 1414 royC......z+....

00a0 c7 1e 0c3b ...;

Table 9: Original data with IV f4 26 09.

Table 10: WEP Encrypted Version of the Same Packetwith IV f4 26 09.


Using the same Java program that I developed toXOR the two cipher texts, I recovered the value of thekeystream for this specific value of IV 0xf42609,namely keystream = RC4(0xf42609, k), where k is thesecret WEP key.

11010110 01001110 11111010 10011101 11001100 0110100110111000 10100100

11111110 00110111 00011001 00101010 01011111 1000110101101000 10100101


34/53

01110111 00000010 11011010 11001111 11000000 0100000100100101 00000111

01101001 01001110 11000111 01111010 00100001 1000010000101001 11101100

11110111 00101111 00100111 11011010 00100001 1011000111001000 01111101

01001011 10111010 10101000 00101010 00010100 1111001010110011 10111010

01000011 10100110 11010100 11010100 10000101 1001010010011110 11001101

10000001 11010000 10101111 10011111 10010111 1100110101100001 11110010

01100011 01010111 01100111 00111100 11001100 1011001001010111 10111101

00111010 10111101 01100011 10011101 00001011 1110011111100101 00101000

00111101 00111011 00001011 01100000 01110000 11000010

11000101 10011111

10011001 01011011 01010110 10001110 01110111 0111011010001100 11101010

11001011 00110110 11000100 11011111 11010001 1101100110100110 11000100

11100110 00111001 00101100 00100101 11101001 1001110001000001 11000001

11001100 11000011 00011101 10010110 00010110 0000101001010110 00100001

11101110 10101101 10010000 11100010 11011011 1110110100011101 01011001

10101000 10000111 01110111 00100100


35/53

Table 11: the Keystream Used to Encrypt Message underthe IV f4 26 09.


Note that the keystream is 132 byteslong. It can be applied to any packetless than or equal to 132 bytes with theIV f4 26 09.

I can either XOR it with my arbitrarydata and send it as if I am the legitimateuser, or I can XOR it with any WEPencrypted packet that I intercept anddecrypt its content, doing all of these

even without knowledge of the WEPkey!

Although we know the keystream = RC4(iv, k) and we know iv, we do NOT knowk. Having the knowledge of the

keystream and the IV do not necessarilyyield the recovery of the private WEPkey since it is a one-way function.


36/53

Over time, I can build a table of thekeystreams corresponding to each IV,

provided that the WEP key remainsunchanged.

The full table has modest spacerequirements, perhaps an averagelength of 300 bytes of keystream for

each of the 224 possible IVs, or roughly(224 * 300) / 230 4.69 GB.

I added a method to my program tosave the recovered keystream to thehard disk.


With a dedicated effort, it is absolutely possible for meto accumulate enough data to build a full decryptiondictionary or a database.

This approach can decrypt all traffic without evenknowing the secret WEP key.

This attack is effective regardless of key size. Thesize of the dictionary depends NOT on the size of the


37/53

key, but solely on the size of the IV, which is fixed bythe standard at 24 bits.

Furthermore, for the wireless cards that I used for this

project, it reset the IV to 0 each time they were re-initialized. For a public environment like the library,people check out the wireless cards at the circulationdesk, plug them into their laptop and use them for arelatively short time before leaving. Building adictionary for only the first few thousand IVs will bequite good enough for me to decrypt most of their

traffic directed towards the access point.

One thing I should mention here is since the RC4algorithm determines the length of the generatedkeystream according to the actual length per packet,my recovered keystream might be shorter than theactual ciphertext that I want to decrypt.

I can always send a known plaintext that is as long aspossible. However, there is another way to extend theknown keystream that I recovered. Here are somepseudo codes for doing this.


Base Case: read in the cipher data with the IV;

read in the plain data with the same IV;

XOR (cipher data, plain data);


38/53

saveResult(iv-keystream.dat); // thekeystream size = n

Inductive Case: create a message(m) of size n-3

instead of n-4;

ICV=CRC32(m); // compute thechecksum(4 bytes)

plain data = append(m, the first 3 bytes ofICV);

cipher data = XOR (plain data, iv-keystream.dat);

while (returned AP error) // maxloop=256=1 byte

{

cipher data = append(cipher data,cipherByte);

send cipher data to AP;

}

// cipherBytekeyByte=ICV byte

keyByte=XOR(cipherByte, last byte of ICV);

// recovered the n+1 byte for thekeystream of size n

return keyByte;


39/53

Brute-Force Attack

Bruteforcing has been a panacea for breaking allencryption of a moderate key length.

This mode of attack generally only requires twopackets.

Work well on a 64-bit system. Dont try it on 128-bitsystem, because it will take longer than your great-

great-grandchildren would want to wait.

My old, slow laptop:

HP Omnibook xe4100 running MS Windows XPPro v. 2002 SP 2 with Intel Celeron CPU of 1.20GHz and 240 MB of RAM.

It seems I can get approximately 20,000passphrases checked per second on my laptopcomputer.

I needed to read passwords from a ASCII dictionary.Doing I/O is expensive.

I used Java, which runs on a virtual machine, is

considered much slower than complied C codes.

What if we use a newer, faster computer, usecomplied C, and test every combination of binary bitsinstead of reading from a file?


40/53

Suppose we can test 10,000,000 keys per seconds, aquick calculation shows 2104-1 / 10,000,000 1024seconds 32,157,549 billion years!

Normally, key sizes of greater than 80-bits, for robustdesigns and implementations, make brute-forecryptanalysis an impossible task, since doing soexceeds contemporary computing power.

Brute-Force Attack

Here is my algorithm for a dictionary-based brute-force attack:

Read in 3 WEP encrypted packets (IV,Mc+ICVc);

Loop:

Read in passphrasei from adictionary file;

ki=MD5(passphrasei); // or no hashing

function applied at all.

keystreami=RC4(IV, ki);

Mp+ICVp=(Mc+ICVc)keystreami;//try to decrypt


41/53


42/53

Tried many times, but gotjava.security.InvalidAlgorithmParameter

Exception: ARCFOUR key generationdoes not take any parameters

I concluded that it was not implementedin Java API to specify a secret key withthe RC4 algorithm but we have to use

the default random key instead.

Finally, I decided to write my own RC4class in Java. I used the algorithmdescribed in the famous paperWeakness in the Key Scheduling

Algorithm of RC4 written by Fluhrer,Mantin, and Shamir.

The basic algorithm of RC4 is showedbelow.

Brute-Force Attack

Pseudo Random Generation Algorithm(PRGA)


43/53

Initialization:

i=0

j=0

Generation loop:

i=i+1

j=j+S[i]

swap(S[i],S[j])

Output z=S[S[i]+S[j]]

Key Scheduling Algorithm (KSA)

Initialization:

For i=0N-1

S[i]=i

j=0

Scrambling:

For i=0N-1


44/53

j=j+S[i]+K[i mod l]

swap(S[i],S[j])

Table 12: KSA & PRGA Algorithms of RC4

Show my RC4 class.

Brute-Force Attack

Ok, we got RC4 done. Whats next?

MD5, also developed by ProfessorRivest of MIT, takes as input a messageof arbitrary length and produces asoutput a 128-bit message digest of the

input.

Java supports MD5 natively.

MD5 is widely used on APs to generatekeys from a passphrase for 128 bitskeys. However, I could not make it workwith my program, as I could not specifya size of 64 but only 128 in Java API.


45/53

After many tests, I found out the AP atCISCClub, using 64-bit instead of 128-

bit key, does not apply MD5 but insteaddirectly uses the ASCII value of theplaintext key of a length of five letters,thus a 40-bit key. This made things eveneasier.

CRC-32 calculates a checksum. TheCRC is acronym for CyclicRedundancy Code and 32 representsthe length of checksum in bits: 32 bits=4bytes. This algorithm is based on thepolynomial division. The idea is to take

the data as a very long binary numberand divide it by a constant divisor. Theremainder is the CRC checksum.

Java also supports CRC32 natively.

Brute-Force Attack

If the key checks out, I should alsocheck it with another packet to make


46/53


47/53

Countermeasure

The computing power has been increasedtremendously.

Although it is not outdated yet, RC4 is getting old. It istherefore very likely that RC4 will not be a sufficientencryption in the near future.

Some Network Administration Strategy:

Use strong passphrase. Use MAC AccessControl Lists (ACL). Change default SSID anddisable the broadcast SSID. Use IntrusionDetection System (IDS). Not a fundamentalimprovement to the algorithm and protocol.

Use WEP:

This sounds ridiculous, but the fact is that badsecurity is generally better than no security at all.

Use SSH:

Assume that the current link layer offers nosecurity. Use higher-level security mechanisms.

Use VPN:

place the wireless network outside the collegefirewall.


48/53

Use Remote Authentication Dial-In User Service(RADIUS):

Increase key size:

>=128 bits

When I say key size, I not only mean the size ofcryptographic keys, but also the size of IVs. Ihave shown in my paper that the IV collisionleads to the keystream reuse, significantlyimpairing the security of WEP. 24-bit IVs are

definitely too short.

Countermeasure

Disable Weak Keys:

RC4 has a weak key schedule.The probabilistic correlation between some bits ofthe shared WEP key and some bits of the outputkeystream (for a large class of weak keys) is oneof prime vulnerabilities of the RC4implementation in WEP.

The firmware for the old 802.11b based wirelesscards can be modified (newer hardware now hasbuilt-in feature) so that, the weak IVs are skippedand no longer sent out as part of a WEPencrypted packet.


49/53

Dropping the initial bytes from the RC4 output:

An alternative to disabling weak keys is to dropsome initial bytes, say 128 bytes, of the RC4

stream cipher.

Modifying the CRC algorithm:

Make it non-linear.

Dynamic key management techniques:

Cryptographic keys should be updatedautomatically and changed frequently.

Use temporal keys.

Periodical change of keys:

Changing WEP keys will result in reconfiguringAP and client machines.

How to change encryption key for EVERYpacket?!

Instead of doing keystream = RC4 (iv, key), wecan do keystream = RC4 (iv, MD5 (iv, key)).Hashing the concatenation of the per-packet IVand the secret WEP key before feeding it to a

RC4 stream generator would prevent the IV fromrevealing any useful information about the sharedWEP key.


50/53

Future Works and Trends

If I would have more time to spend on this one-

semester project, I would very much want to do morework in the following fields.

Probabilistic Attack based on the Weakness in theKey Scheduling Algorithm of RC4:

The basic idea is that the PRGA uses the statearray to create a pseudorandom sequence and

the first byte of output is given by S[ S[1] + S[S[1] ] ], where S is the state array.

After the key setup phase, the first byte of outputdepends on only 3 values of the state array: S[1],S[S[1]], and S[ S[1] + S[ S[1] ] ].

There is a strong probabilistic correlation

between some bits of the WEP key and somebits of the output keystream for a large class ofweak keys, which are of the form ,where i corresponds to the current WEP key bytekey[i], and the value of X is unrestricted.

If I had had enough time, I might haveimplemented this attack in the Java program.

Distributed Brute-force Attack:

My Java program works well with a key length of64 bits. But as the key bits increase, the time of aBrute-force attack increases exponentially.


51/53

It would be nice if I could have programmedconcurrently, testing a group of keys on eachJava Virtual Machine in a distributed computing

environment. The communication, cooperationand security problem need to be considered.

Vulnerability of WPA and AES Encryption Algorithm:

RC4 and WEP are getting old. More advancedalgorithm and protocol are going to be deployed.It would be very exciting and challenging to find

the vulnerability of these more advancedencryption methods.

Future Works and Trends

Trends:

Shift from WEP to Wi-Fi ProtectedAccess (WPA):

Short-term solution.

Use Temporal Key Integrity Protocol (TKIP) tochange the key every 10,000 packets.

The basic idea is to keep current infrastructureunchanged, but increase the key and IV size.

doubles the IV space from 24-bit size to a 48-bitIV value.


52/53

Uses 12-byte ICV instead of 4-byte in WEP.

Shift from RC4 to Advanced Encryption

Standard (AES):

AES has been adopted by the U.S. governmentas the replacement for 3DES as the encryptionstandard.

Require much more processing power than RC4,which means the exiting infrastructures need to

be replaced.

Upgrade from 802.11b/g to 802.11i(WPA2):

Use the IEEE 802.1X port-based access control

Enables an AP and client stations to mutually

authenticate one another.

Use TKIP and AES ciphers with a 256-bit keyand a four way key management handshake.

The End


53/53

Thank you!

Documents

An Analysis of Wireless Network Security and Practical Exploitation of the Weakness in the Encryption by Qi Liao (2005)