WEP, WPA, and EAP - PowerPoint PPT Presentation

Provided by: Kal6153
Slides: 21

Transcript and Presenter's Notes


1
WEP, WPA, and EAP
  • Drew Kalina

2
Overview
  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA)
  • Extensible Authentication Protocol (EAP)

3
WEP
  • Encryption method RC4
  • Key size 40 bits
  • Hash method ICV
  • 802.1x authentication optional
  • Key distribution manual

4
WEP Vulnerabilities
  • ICV insecure
  • based on CRC32 (bad)
  • ICV can be modified to match message contents
  • IV key reuse attack
  • Small IV allows this
  • IV sent as plaintext

5
WEP Vulnerabilities (cont)
  • Known plaintext attack
  • Lots of unencrypted TCP/IP traffic
  • Send pings from internet to access point
  • String length N can be recovered for a given IV
  • Packets of size N can be forged using IV

6
WEP Vulnerabilities (cont)
  • Partial known plaintext
  • Only a portion of the message is known (e.g. IP header)
  • Can recover M octets of key stream where M < N
  • Extend the known key stream from M to N through probing
  • Divert packets to attacker by flipping CRC32 bits
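The ICV weakness on slides 4 and 6 comes down to CRC-32 being linear under XOR: the checksum of a modified frame can be fixed up without knowing the RC4 key. The Python below is an added example, not from the presentation; it uses a constructed frame body, a stand-in keystream and a constructed MIC key, shows a WEP-style receiver accepting a keyless modification, and shows that a keyed MIC (HMAC-SHA256 standing in for Michael / CCMP) has no such XOR identity.

```python
import hashlib
import hmac
import zlib

# Constructed sample frame body, keystream and MIC key; none come from the slides.
FRAME = b"constructed frame body, dst=10.0.0.5"
KEYSTREAM = hashlib.sha512(b"stand-in for RC4(IV || key)").digest()  # 64 bytes
MIC_KEY = b"constructed shared secret"
DELTA = bytes(len(FRAME) - 1) + b"\x01"  # flips the low bit of the last body byte

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_protect(body: bytes, ks: bytes) -> bytes:
    """WEP-style: append the CRC-32 ICV, then XOR body||ICV with the keystream."""
    plain = body + crc32(body).to_bytes(4, "big")
    return xor(plain, ks)

def wep_verify(cipher: bytes, ks: bytes):
    """Receiver: strip the keystream, recompute CRC-32; body if it matches, else None."""
    plain = xor(cipher, ks)
    body, tag = plain[:-4], plain[-4:]
    return body if crc32(body).to_bytes(4, "big") == tag else None

def icv_adjustment(delta: bytes) -> bytes:
    """CRC-32 is linear under XOR: crc(b ^ d) == crc(b) ^ crc(d) ^ crc(zeros).
    So the ICV change for a body change d depends only on d, never on the key."""
    return (crc32(delta) ^ crc32(bytes(len(delta)))).to_bytes(4, "big")

def icv_accepts_keyless_change(cipher: bytes, delta: bytes, ks: bytes) -> bool:
    """Apply delta to the ciphertext without ks; does the receiver accept the result?"""
    forged = xor(cipher, delta + icv_adjustment(delta))
    return wep_verify(forged, ks) == xor(xor(cipher, ks)[:-4], delta)

def keyed_mic(body: bytes) -> bytes:
    """A keyed MIC; HMAC-SHA256 stands in for Michael / CCMP's CBC-MAC."""
    return hmac.new(MIC_KEY, body, hashlib.sha256).digest()[:8]

def mic_is_linear(body: bytes, delta: bytes) -> bool:
    """Does the same XOR identity hold for the keyed MIC? It should not."""
    lhs = keyed_mic(xor(body, delta))
    rhs = xor(xor(keyed_mic(body), keyed_mic(delta)), keyed_mic(bytes(len(body))))
    return lhs == rhs

if __name__ == "__main__":
    c = wep_protect(FRAME, KEYSTREAM)
    print("CRC-32 ICV accepts keyless change:", icv_accepts_keyless_change(c, DELTA, KEYSTREAM))
    print("keyed MIC is XOR-linear:", mic_is_linear(FRAME, DELTA))
```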

7
WEP Vulnerabilities (cont)
  • Authentication forging
  • Use recovered key stream and IV because client specifies IV
  • Dictionary attacks
  • Key derived from vulnerable password
  • Realtime decryption
  • Dictionary of IVs and keystreams
  • Only 2^24 possibilities
  • Can be stored in 24 GB of disk space

8
WEP summary
  • Weak encryption with other problems
  • If possible, use some other protocol
  • Still better than plaintext

9
WPA
  • Encryption method RC4, TKIP
  • Key size 128 bits (varies)
  • Hash method ICV, Michael
  • 802.1x authentication can be required
  • Key distribution TKIP

10
WPA (cont)
  • Michael generates MIC (Message Integrity Code)
  • 8 bits
  • Placed between data and ICV
  • TKIP (Temporal Key Integrity Protocol)
  • Resolves keys to be used, looks at the client's configuration
  • Changes encryption key every frame
  • Sets unique default key for each client

11
WPA Vulnerabilities
  • Birthday attack
  • Get a pair D,M where D1 = MIC(M1)
  • When Di = D1 where i != 1, attack is successful
  • Probability for success: 2^32
  • If keys change during attack, forgery is garbage

12
WPA Vulnerabilities (cont)
  • Differential cryptanalytic attack
  • Michael results have special characteristics
  • ΔM = Mi XOR Mj and ΔD = Di XOR Dj are called characteristic differentials
  • After characteristic differentials obtained, try to find MIC (learn parts of the key)
  • Probability of success: 2^30
  • Optimal attack exists with O(2^29)

13
WPA Vulnerabilities (cont)
  • Temporal Key
  • Lost RC4 Keys
  • Can discover TK and MIC
  • Can forge messages
  • Not a practical attack, O(2^105)
  • Does show susceptibility in parts of WPA

14
WPA Vulnerabilities (cont)
  • DOS
  • Access point shuts down for 60 seconds if forged unauthorized data detected
  • Possible to shut down access points with little network activity
  • PSK
  • Used in absence of 802.1x, 1 per ESS (usually).
  • Internal person can use this, and a captured MAC address/nonce, to imitate another client
  • Vulnerable to external dictionary attacks, if short

15
WPA summary
  • Much better than WEP (if 802.1x)
  • WPA2 even better using AES-CCMP
  • There are still vulnerabilities
  • Many WEP devices are upgradeable to WPA (not WPA2)

16
Suggestions for WPA
  • Rekey security associations after failures
  • Lower/eliminate timeouts after detecting forged packets
  • Currently would take 1000 years to break with 60 second timeouts

17
EAP
  • Transmission method and framework for authentication protocols
  • Works with many authentication protocols such as RADIUS, Kerberos.
  • Uses a variety of transport methods

18
EAP Transport methods
  • EAP-TLS
  • EAP-TTLS
  • PEAP (Protected EAP)
  • LEAP (Lightweight EAP)

19
Vulnerabilities in LEAP
  • Dictionary attack
  • Early versions of MS-CHAP weak

20
That's all!