Wepwhacker !

WEP Whacker Aim of the project : To exploit the weaknesses in the key scheduling algorithm of RC4 as used in WEP and thus recover encryption keys with passive attack on 802.11 network

802.11 Wireless Networks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A WiFi Setup ,[object Object],Internet

The Problem: Security ! ,[object Object],[object Object]

WEP ,[object Object],[object Object],[object Object],[object Object],(encrypted traffic)

How WEP Works 24 bits 40 bits ,[object Object],[object Object],[object Object],[object Object],IV sent in the clear Worse: 802.11b says that changing IV with each packet is optional! CRC-32 checksum is linear in  : if attacker flips some bit in plaintext, there is a known, plaintext-independent set of CRC bits that, if flipped, will produce the same checksum no integrity!

WEP Data Transmission 802.11b Header IV[0] IV[1] IV[2] Key ID SNAP[0] SNAP[1] SNAP[2] SNAP[3] 32-bit Checksum Payload

WEP Data Transmission IV[0] IV[1] IV[2] SK[0] SK[4] SK[3] SK[2] SK[1] K = IV . SK

WEP Data Transmission K = IV . SK Node Node Generates IV through a counter or randomly

WEP Data Transmission Encrypted Data K = IV . SK Node Node

WEP Data Transmission K = IV . SK Encrypted Data K = IV . SK Node Node Uses received IV with Static Key to decrypt data

WEP Problems ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

WEP Problems (Cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

WEP Problems (Cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object]

Attacks on WEP ,[object Object],[object Object],[object Object],[object Object],[object Object]

Attacks on WEP (cont’d) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

RC4 Fluhrer, Mantin, Shamir Attack ,[object Object],[object Object],[object Object]

RC4 Fluhrer, Mantin, Shamir Attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

RC4 Fluhrer, Mantin, Shamir Attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

RC4 Fluhrer, Mantin, Shamir Attack ,[object Object],[object Object],[object Object],[object Object]

FMS Attack - RC4 Algorithms ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

FMS Attack - RC4 Algorithms ,[object Object]

FMS Attack - RC4 Algorithms ,[object Object],KSA(K)

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K)

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data Air

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data Air K = IV . SK

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K)

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K) PRGA(K)

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K) PRGA(K) XOR

FMS Attack - RC4 Algorithms ,[object Object],KSA(K) PRGA(K) XOR Data Air K = IV . SK KSA(K) PRGA(K) XOR Data

FMS Attack - KSA Initialization ,[object Object],[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3 , f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j= 0 + 0 + 3 =3

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f , 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3= 3 0 1 i=1, j= 3 + 1 + f =3

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7 , 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f= 3 c 2 i=2, j= 3 + 2 + 7 =c

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1 , 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1 , 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7= c 5 1 i=3, j= c + 1 + 1 =e Note that S[B+3] contains information relating to SK[B], since SK[B] is used to calculate j

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1 , 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7= c 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Done with KSA e 1 i=3, j= c + 1 + 1 =e

FMS Attack - PRGA Initialization ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Initialization 0 1 2 3 4 5 6 7 8 9 a b c d e f

FMS Attack - PRGA Generation Loop ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Initialization 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 3 i=1, j= 0 + 0 =0, z=S[ 3 + 0 ]=e e is the output for the first byte

FMS Attack - PRGA Generation Loop ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Initialization 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 3 i=1, j= 0 + 0 =0, z=S[ 3 + 0 ]=e e is the output for the first byte e is then xor’ed with the first byte of data, which is always 0xaa on ip networks

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7=c 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Done with KSA e 1 i=3, j=c+1+1=e

FMS Attack - KSA Scrambling ,[object Object],[object Object],[object Object],[object Object],Let N = 16 Let B = 0 Let IV = B + 3, f, 7 Let SK = 1, 2, 3, 4, 5 Let K = IV . SK = 3, f, 7, 1, 2, 3, 4, 5 Let l = the # of elements in K Assume no elements get swapped when I > B + 3 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f Initialization 3 0 i=0, j=0+0+3=3 0 1 i=1, j=3+1+f=3 c 2 i=2, j=3+2+7= c 3 0 c e 4 5 6 7 8 9 a b 2 d 1 f Done with KSA e 1 i=3, j= c + 1 +1=e

FMS Attack - Reversing Output to Key Byte ,[object Object],[object Object],[object Object]

FMS Attack - Analysis of Results ,[object Object],[object Object],[object Object],[object Object]

FMS Attack - Detection of Weak IVs ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

FMS Attack - Filtering Weak IVs Weak IV Filter: Let l = the amount of elements in SK i = 0 For B = 0 .. l - 1 If (((0 <= a and b < B) or (a = B and b = (B + 1) / 2 : 1)) and (B % 2 ? a != (B + 1) / 2 : 1)) or (a = B + 1 and (B = 0 ? B = (B + 1) * 2 : 1)) or (x = B + 3 and y = N - 1) or (B != 0 and !(B % 2) ? (x = 1 and y = (B / 2) + 1) or (x = (B / 2) + 2 and y = (N - 1) - x) : 0) Then ReportWeakIV

Conclusion / Expected Results ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

[object Object],[object Object],[object Object],[object Object],Conclusions

Improving WEP’s Security ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Thank You ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Wepwhacker !

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (6)

Similaire à Wepwhacker !

Similaire à Wepwhacker ! (20)

Dernier

Dernier (20)

Wepwhacker !