From jsy6@postoffice2.mail.cornell.edu Wed Oct 23 23:05:40 2002
Date: Wed, 23 Oct 2002 23:05:30 -0400
To: egs@CS.Cornell.EDU
From: Janet Suzie Yoon
Subject: 615 PAPER 42

The Wired Equivalent Privacy (WEP) protocol, a component of the 802.11 standard for wireless LAN communication, is an attempt at providing link-level security in a broadcast environment. The three goals of WEP are confidentiality, access control, and data integrity. All three rely on the difficulty of discovering the secret key used for message encryption, and thus all of these goals are unattained. Data confidentiality is provided in WEP via a stream cipher which is dependent upon a keystream (a public initialization vector (IV) and a secret key). Reuse of a keystream can result in revealing the plaintext of the messages. WEP tries to protect from key reuse by generating a new IV for each packet. Unfortunately, reuse of IVs is feasible, especially since IVs are only 24 bits long. A duplicate IV is easy to detect since it is public. Since the plaintext for an intercepted message can be obtained, the keystream used for encryption can also be learned. A dedicated attacker can thus create a table of keystreams corresponding to each IV and thus be able to immediately decrypt any ciphertext. Message authentication is achieved by using an integrity checksum.

Due to the WEP property that the checksum is a linear function of the message, the message can be changed without disrupting the checksum, and hence the changes can go undetected. Secure access control is threatened due to another WEP checksum property (the checksum is an unkeyed function of the message) that enables an attacker to inject arbitrary traffic into the network. Access points can be tricked into decrypting ciphertext due to their use of cipher streams by either IP redirection or reaction attacks (named since this attack is based on the recipient's reaction to forgeries). To increase security, Robust Security Network (RSN) has been proposed, which utilizes IEEE 802.1X (which specifies standards for the MAC and physical level) and 802.11. RSN has two big security holes: session hijacking (defeating access-control mechanisms to gain network connectivity) and man-in-the-middle (the attacker gets all network traffic from the supplicant to pass through it) due to the lack of message authentication and machine synchronization in 802.11 and IEEE. All the above security issues arise due to weaknesses in the key scheduling algorithm (KSA) of RC4 (which is used by 802.11). The two most significant weaknesses are the large classes of weak keys whose initial outputs are heavily affected by a small number of bits, and key vulnerability (the secret part of the key is exposed to the attacker via key reuse).
From hs247@cornell.edu Thu Oct 24 00:34:41 2002
Date: Thu, 24 Oct 2002 00:34:38 -0400
To: egs@CS.Cornell.EDU
From: Hubert Sun
Subject: 615 Paper 42

This set of papers introduces vulnerabilities in the 802.11 and 802.1X standards for wireless networks. The main contribution of these papers is to enlighten the readers on how 802.11 can be attacked, and in some of the papers possible solutions to prevent these attacks are introduced.

The "Intercepting Mobile Communications: The Insecurity of 802.11" paper analyzes the WEP protocol used in 802.11. WEP (Wired Equivalent Privacy) uses RC4 and checksums to try to guarantee 3 things: Message Confidentiality (via RC4 encryption), Access Control (discard packets that are not properly encrypted by RC4), and Data Integrity (achieved by checksum). RC4 in this environment is based on a shared secret key and a public vector. Because the public vector is small (24 bits) and must be transferred unencrypted so the other party can initialize their key stream, an adversary can easily detect when the same vector is used. This protocol is then vulnerable because of key-stream reuse, and confidentiality is violated when an adversary could use this information to launch a plaintext attack. Another weakness is the checksum. Because the creation of the checksum does not require a key, any attacker can easily change the message and come up with a message that maps to the same checksum. This violates the Data Integrity goal and also Access Control, as now an attacker can not only change data but also spoof messages. The solution they propose is to assume the wireless network is completely insecure and require hosts to use a VPN solution to access data inside a secure wired network.

The second paper actually exploits weaknesses of the Key Scheduling Algorithm of RC4. Because WEP uses RC4, the authors of this paper conclude that RC4 in a wireless environment is completely insecure. First the paper proves that there is a certain class of weak keys. This means that a very small part of the key determines the output, making it easy to break. Then they show how this weakness can be exploited in WEP, where the information of the IV can allow an attacker to figure out the secret K (like the previous paper).

The last paper analyzes RSN (Robust Security Network), designed on the 802.1X standard. RSN tries to address 3 security issues: access control, authentication and key management. This paper goes into details on how a mobile node authenticates itself to an access point. The main flaw in this protocol as defined in this paper is the absence of Mutual Authentication. The node authenticates itself to an access point, but the access point doesn't authenticate itself to the node. This makes the network vulnerable to Man-in-the-Middle attacks and Session Hijacking. In essence the adversary can pretend to be an access point and therefore all traffic from the mobile node will go through it. Also, because all packets now go through the attacker, the attacker can also hijack the session by using the MAC address of the mobile node.
From pj39@CS.Cornell.EDU Thu Oct 24 01:06:35 2002
Date: Thu, 24 Oct 2002 01:06:34 -0400
To: egs@CS.Cornell.EDU
From: Piyoosh Jalan
Subject: 615 PAPER 42

Intercepting Mobile Communications: The Insecurity of 802.11

This paper discusses the security flaws in Wired Equivalent Privacy (WEP), the security protocol used in 802.11 wireless LANs. The major security goal of WEP is confidentiality, so as to prevent casual eavesdropping. The other goals of WEP are Access Control and Data Integrity. The security in all the above three cases relies on the difficulty of discovering the secret key. The WEP protocol uses a symmetric key (private key cryptography). The secret key, denoted by k, is shared between the communicating parties.

Encryption takes place in the following way:
- Random keystream generation: RC4
- The plaintext to be encrypted is P = <M, c(M)>, where c(M) is the CRC checksum and M is the message.
- Keystream = RC4(v,k), where v is the initialization vector and k is the secret key.
- Ciphertext (C) = P XOR RC4(v,k)
- Alice -> Bob transmission: v,C

Decryption takes place in the following way:
- It simply reverses the encryption process, given that the receiver has the secret key k.
- Regenerate the keystream using k and the initialization vector v using the RC4 algorithm: Keystream = RC4(v,k)
- Plaintext (P) = Ciphertext XOR RC4(v,k)

The resource requirements for the attack include understanding the physical layer of 802.11 and monitoring the 2.4 GHz frequency range used in WLANs. For an active attack it is also required to transmit at the same frequencies. As the Lucent Orinoco cards allow their firmware to be upgraded, it might be possible to produce a modified version by reverse-engineering to inject arbitrary traffic.

The risks associated with the cryptographic approach used by WEP include:
- Getting to know the secret key k.
- Using a brute force attack to find the key, esp. if the key length is 40 bits. Though the 128 (actually 104) bit keys could be broken with a brute force attack.
- Using other security holes in WEP. Let C1 and C2 be two ciphertexts. An eavesdropper could thus calculate C1 XOR C2 = P1 XOR P2. Thus if one plaintext is known the other could be easily obtained. Reuse of the keystream will result in having n ciphertexts, and hence some algorithm such as frequency analysis could be applied along with partial knowledge of plaintext to find the ciphertext. The keystream reuse increases vulnerability as there are many ways of obtaining the plaintext.
- Many fields of IP traffic are predictable, e.g. a login sequence.
- It may be possible to recognize the contents by analyzing the traffic pattern and lengths.
- The attacker could build an entire decryption dictionary, which would be 24 GB.

WEP uses a 32-bit cyclic redundancy code (CRC) checksum to ensure packets are not modified in between. But it is easily broken since:
- CRC is a linear function of the message, i.e. c(x XOR y) = c(x) XOR c(y). Thus the ciphertext could be modified by an interceptor so that the CRC remains the same. Also, since the CRC is completely based on the message, it could be easily computed by someone who knows the message.
- Also WEP compromises access since it allows both encrypted and non-encrypted traffic at Access Points.

The protocol could be enhanced by:
- Using a secret key of large length. This should be made standard instead of the present 40 bits.
- The initialization vector length should be increased, thus rendering the dictionary size too large.
- There should be some means of distributing the secret key among users, such as the one used in Kerberos (MIT) (key distribution center (KDC)). As the key is shared with many users, one of the users may be malicious and share it with others.

From liuhz@CS.Cornell.EDU Thu Oct 24 02:10:28 2002
Date: Thu, 24 Oct 2002 02:10:27 -0400
From: "Hongzhou Liu"
To: "Gun Sirer"
Subject: 615 PAPER 42

These three papers identify the design flaws in the WEP protocol, the RC4 algorithm and the 802.1X standard respectively. The WEP paper introduces two flaws of WEP that make it insecure: the reuse of keystream and the use of a linear, unkeyed checksum function. The reuse of keystream enables the attacker to eavesdrop and decrypt packets easily. Given two ciphertexts with the same IV, it is very easy to get the XOR of the two plaintexts (say p1 and p2) that are encrypted in them. Then, given knowledge of one of the plaintexts or using some well-known techniques, the attacker can practically recover both plaintexts.
The lesson here is that keystream should never get reused. However, it's much more difficult to enforce than just to say it. The WEP protocol contains the vulnerability despite the designers' apparent knowledge of the dangers of keystream reuse attacks. What makes WEP more vulnerable is the use of the CRC checksum and its negligence of the reuse of the IV value. The combination of CRC and RC4, both linear, enables the attacker to modify the packets, although encrypted, in any way easily while still maintaining the correctness of the checksum. And because the checksum is unkeyed, an attacker can fake a packet, compute the checksum and inject the faked packet into the network if he knows an entire plaintext and its corresponding ciphertext, which is highly possible as stated above. Once the attacker can modify the packets as he wants, he can start some other kinds of attacks like IP redirection, reaction attacks, etc. Thus, it's very important to use a cryptographically secure message authentication code to protect the integrity of transmissions. Any unkeyed function is insecure.

The 802.1X paper introduces the 802.1X standard and RSN, which are designed to provide access control, authentication, and key management in wireless networks, since the 802.11 standard is unable to provide any security guarantee; however, they prove to be insecure in the paper. The 802.1X standard employs EAP to permit a wide variety of authentication mechanisms. It's based on a security framework that abstracts three entities: the supplicant, the authenticator (the AP) and the authentication server. It contains mechanisms for per-packet authenticity and integrity verification between the AP and the authentication server. However, it provides only one-way authentication between the supplicant and the AP (the supplicant is authenticated to the AP). The lack of mutual authentication can be exploited to mount MiM attacks. For example, an attacker can forge the EAP success message on behalf of the AP and potentially start a simple MiM attack. The adversary can thus get all network traffic from the supplicant to pass through it. Another problem of 802.1X is the lack of synchronization of its state machine with that of RSN. An attacker can easily disassociate an authenticated supplicant without letting the AP know. Thus the attacker can communicate with the AP on behalf of the authenticated supplicant. At the end of the paper, the authors suggest per-packet authenticity and integrity as well as a peer-to-peer based authentication model to solve these security problems.

The RC4 paper reveals the weaknesses in the key scheduling algorithm of RC4, which is the fundamental security algorithm used in 802.11. The paper identifies two weaknesses of the KSA. The first weakness, called the invariance weakness, is the existence of large classes of weak keys, in which a small part of the secret key determines a large number of bits of the initial permutation (KSA output). In addition, the PRGA translates these patterns in the initial permutation into patterns in the prefix of the output stream, and thus RC4 has the undesirable property that for these weak keys its initial outputs are disproportionately affected by a small number of key bits. This weakness gives rise to a new distinguisher that can distinguish between RC4 and truly random sequences with much less cost compared to previous distinguishers. The strong correlation between classes of RC4 keys and corresponding output patterns also means RC4 has relatively low sampling resistance and is vulnerable to time/memory/data tradeoff attacks. The second weakness, called the IV weakness, means that if the attacker knows part of the key used in the KSA, he can combine a single secret part of the key with numerous different exposed values, which he can get easily, and rederive the secret part by analyzing the initial word of the keystream with relatively little work. Since this concatenation of a long-term secret part with an attacker-visible part is a commonly used mode of RC4, and in particular it's used in WEP, the result of the known IV attacks can be devastating.

From mr228@cornell.edu Thu Oct 24 03:40:58 2002
Date: Thu, 24 Oct 2002 03:42:12 -0400
From: Mark Robson
To: egs@CS.Cornell.EDU
Subject: 615 PAPER 42

These papers present a set of security goals for wireless networks. They describe several different efforts to provide security in 802.11. The primary protocol in wide use is WEP, wireless encryption protocol; it uses the RC4 stream cipher and keyless checksums to try to provide 3 things: data confidentiality, access control, and data integrity. The papers discuss a variety of different reasons why 802.11 is inherently insecure; most are due to improper use of cryptographic primitives. First, RC4 itself has the problem that certain choices of keys are not good. That is, certain keys are considered "weak" and need to be avoided. WEP does not require that strong keys are used. Secondly, in order to make dictionary attacks infeasible, an initialization vector of 24 bits is used. The problem here is that many devices restart the IV at 0 each time they are reset and then increment by 1 for each packet. This makes reuse of a low-numbered IV frequent.
That fact, combined with 2^24 not being such a large number, means that it is relatively easy to obtain multiple ciphertexts created with the same key. Combine this with the fact that network packet structures/content can be "guessed" or even "forced", and things become rapidly insecure. Furthermore, these protocols rely heavily on keys remaining secret, and provide no automatic way to change keys if a key should be compromised. A third criticism involves the checksumming. The checksum algorithm is keyless and it is a linear function. RC4 therefore transposes nicely with it, allowing attackers to rewrite legitimate packets in a variety of ways. Maybe you want to change the destination IP address; you simply modify other less essential portions of the packet to compensate and allow the checksum to remain the same. WEP also does not specify a key exchange protocol. One somewhat popular way to disseminate keys is to preload devices with key(s). This has the obvious problem of someone tampering with the device and recovering the key.

The papers suggest a series of improvements/modifications to make things more secure.
(1) Use longer keys. 64-bit keys are insufficient.
(2) Use longer IVs.
(3) Impose restrictions on how IVs are used, such as not resetting each time, or beginning the counter at a random location each time.
(4) Impose a secure, online key exchange mechanism.
(5) Use #4 to change keys regularly.
(6) Require that strong RC4 keys be used.
(7) Use a keyed checksum algorithm such as a MAC.

From ashieh@CS.Cornell.EDU Thu Oct 24 04:49:39 2002
Date: Thu, 24 Oct 2002 04:49:38 -0400 (EDT)
From: Alan Shieh
Subject: 615 PAPER 42

802.11 uses RC4 with a secret key and a 24-bit initialization vector. This initialization vector is concatenated with the secret key to generate the keystream for a particular packet, and is sent in plain text. CRC-32 is used as a message integrity check. These papers demonstrate that CRC-32 is worthless as a MAC, and so packets are easily manipulated. A source of vulnerability in stream ciphers such as RC4 is the fact that encryption is performed by XORing the data with the pseudorandom keystream. For instance, if two messages are sent with the same keystream and XOR'ed together, the keystreams of the two messages cancel out. If some plaintext is known, then part of the keystream can be recovered, and potentially used to generate encrypted messages. The fact that the encryption (XOR) and the CRC-32 are both linear functions allows a message to be modified by computing a CRC-32 for a bit vector describing the bits to be flipped, then XOR'ing this with some ciphertext. This means that snooped messages can be modified and subsequently sent without knowledge of the secret key.
This technique can be used to modify IP headers to redirect higher-level traffic to the Internet; these packets would be decrypted at the access point and then sent to the Internet in plaintext, thus allowing still more keystream to be recovered. Since the 802.11 standard does not impose restrictions on the reuse of an initialization vector (IV), once enough keystream for an IV is derived, that IV can be reused for many more packets to inject arbitrary traffic into the network.

802.1X is an IEEE standard that provides a network security framework. It enforces access control to communications ports, allowing only authenticated traffic to inject arbitrary traffic across a bridge. However, it only provides one-way authentication (client to infrastructure), potentially leaving the protocol vulnerable to man-in-the-middle attacks. These attacks are in fact easy to generate, since control messages are not authenticated, and therefore race conditions and loosely-coupled state machines can be manipulated. For instance, a disassociate message sent from an attacker can force an authenticated node to power off, after which the attacker can spoof the now-disconnected node. It also appears to be possible for an attacker to force a node to believe that it has successfully authenticated, before the infrastructure initiates a higher-level authentication handshake with the client.

Due to lack of time and the requisite number theory and cryptography background, I did not read the key scheduling attack in depth. Given certain key patterns, both the initial permutation and some of the initial bits in the keystream have correlations with the key. Therefore, an attacker that knows the first few bytes of plaintext (possible with the redirection attacks, or by understanding the structure of protocol packets) can recover some of the initial keystream, and wait for an initialization vector that satisfies the special bit patterns to occur, thus allowing for the recovery of portions of the secret key. It is claimed that this process can be iterated to recover the complete key in time linear in the number of bits in the key, since recovery proceeds a byte at a time.

From ag75@cornell.edu Thu Oct 24 05:21:51 2002
Date: Thu, 24 Oct 2002 05:21:48 -0400 (EDT)
From: ag75@cornell.edu
To: egs@CS.Cornell.EDU
Subject: 615 PAPER 42

The following were exploits of 802.1X presented in the papers:

1) Exploiting keystream reuse to read encrypted traffic. A well-known pitfall of stream ciphers is that encrypting two messages under the same IV and key can reveal information about both messages. If you have two ciphertexts, XORing them together causes the keystream to cancel out, and the result is the XOR of the two plaintexts. If the plaintext of one of the messages is known, the plaintext of the other is immediately obtainable. More generally, real-world plaintexts often have enough redundancy that one can recover both plaintexts given only the XOR of them.
2) Message Modification. One consequence of the use of CRC is that it is relatively easy to figure out how to make controlled modifications to a ciphertext without disrupting the checksum. So, knowing only the original ciphertext and the desired plaintext difference, the attacker can change a message to whatever he wants.

3) Message Injection. Once an attacker knows an IV along with its corresponding keystream sequence, he can reuse the keystream indefinitely and circumvent the WEP access control mechanism.

4) Authentication Spoofing. A special case of the message injection attack can be used to defeat the shared-key authentication mechanism used by WEP. After intercepting a single authentication sequence using a particular key, the attacker can authenticate himself with that key indefinitely.

5) Message Decryption. In an IP redirection attack, the idea is to sniff an encrypted packet off the air, and to modify it so that it has a new destination address: one the attacker controls. The access point will then decrypt the packet, and send the packet off to its new destination, where the attacker can read the packet, now in the clear. In a "reaction" attack, an attacker monitors the reaction of a recipient of a TCP packet and uses what he observes to infer information about the unknown plaintext. The attack relies on the fact that a TCP packet is accepted only if the TCP checksum is correct, and when it is accepted, an acknowledgement packet is sent in response. The presence or absence of an ACK packet will reveal one bit of information on the unknown plaintext. By repeating the attack many times, an attacker can learn almost all of the plaintext, and then deducing the few remaining unknown bits will be easy using classical techniques.

6) If the same secret key is used with numerous different initialization vectors, and the attacker can obtain the first word of RC4 output corresponding to each initialization vector, he can reconstruct the secret key with minimal effort.

7) The one-way authentication of the supplicant to the access point can expose the supplicant to potential Man-in-the-Middle attacks, with an adversary acting as an access point to the supplicant and as a client to the network access point.

8) There are 2 state machines: RSN and 802.1X. Their combined action dictates the state of authentication. Because of a lack of clear communication between these state machines and of message authenticity, it is possible to perform a simple session hijacking taking advantage of the loose coupling.

From smw17@cornell.edu Thu Oct 24 09:16:26 2002
Date: Wed, 23 Oct 2002 09:12:17 -0400
From: Sean Welch
To: Emin Gun Sirer
Subject: 615 PAPER 42

The three papers describe a number of different attacks that are possible to overcome the security mechanisms in the 802.11 WEP standard, the 802.1X RSN security standard, and the RC4 stream cipher system itself. A combination of design and algorithmic flaws renders all three systems vulnerable to compromises in network security.

802.11b

The security mechanism in 802.11b is WEP (Wired Equivalent Privacy). This mechanism combines the message itself with a simple checksum to form the plaintext message P. An iv (initialization vector) value is chosen, and is concatenated with the global secret key k to generate a pseudo-random stream.
The ciphertext is formed by computing the exclusive or of the plaintext with the pseudo-random keystream. The iv is catenated with this ciphertext to form the transmitted message. Keystream reuse - A major flaw in the 802.11 security mechanism is the choice of keystream iv's. IV's need not be changed every packet (or at all), and indeed many cards will reset the IV to a fixed value at initialization, resulting in relatively frequent re-use of IV values. Once the IV has been reused, an attacker with some basic knowledge of the plaintext may use this knowledge to extract an (IV,RC4(v,k)) pair. Not only does such an attack compromise user confidentiality, it also permits near-arbitrary access by any host with an valid pair. Given that there is no standard for choosing an IV over time, the discovery of a single (IV,RC4) pair is sufficient to grant the attacking node complete access to the network, even without the secret key. Dictionary attacks - Once the Keystream reuse vulnerability is exploited, it also becomes possible over time to construct a dictionary of keystream values. Such a dictionary of sequences would be large, but given that the iv is only 24-bits, it is not unreasonable for a dedicated attacker. A node with sufficient resources to construct a decryption dictionary can quickly and efficiently read all traffic transmitted over the network, regardless of the actual size of the secret key; only the 24-bit IV matters in such an attack. Key Management - This is less of an attack in the physical sense, but a practical and social issue. The secret key necessary for access to the network in 802.11b must be distributed to each and every user desiring to access the network. The control of a single node in this scenario is sufficient to read all traffic in the node neighborhood, and compromising a single key exposes at least 25%, and often 100% (based on common useage) of the network to undesired access. 
Checksum Weakness - The checksum in 802.11b is not an authenticated function, but a simple CRC. This lack of authentication or encryption on the CRC block renders packets vulnerable to modification of both the data and the CRC in a manner not detectable by the recipient. Aside from the data integrity implications, this also allows an attacking node to perform other potential modifications, such as changing a destination address in flight to re-direct a packet to a controlled node. Such a redirection can be very useful in conjunction with a controlled node and a dictionary-type attack, as with a given plaintext, the (IV,RC4) cipherstream tuple is trivial to obtain. 802.1X 802.1X attempts to resolve the fundamental problems observed in the 802.11b WEP standard. To do so, a concept of authentication is used to ensure that the node is an allowed node. To do so, the access point communicates with a central authentication server. The major problem with 802.1X is that it implements only one-way authentication. A node with basic routing capabilities can implement a man-in-the-middle type attack simply by 'authenticating' the querying node and faking the appropriate MAC address. Similarly, a node may also hijack an active session by broadcasting a de-authentication message (again with fake information). This results in the correct node returning itself to a non-authenticated state but not the access point. At this point, a hostile node may pick up the orphaned connection for its own purpose. Both of these attacks defeat the goal of protection through authentication. RC4 RC4 - In addition to the fundamental vulnerabilities observed above, the RC4 stream cipher itself also suffers from some fundamental cryptographic weaknesses. The first weakness is a weakness specific to the initial key selection. Based on a choice of an initial weak key, it is possible to determine a number of bits in the initial pseudo-random sequence with a significant probability. 
This property permits significant reductions in the required effort to extract the secret key used to generate the pseudo-random sequence. The second weakness is specific to the case where the IV precedes the secret key, as is the case in the WEP standard. In such a situation, the nature of the algorithm permits a chosen IV attack to reveal information about the secret key with low but significant probability. In the situation examined in the paper, a chosen IV attack consisting of 60 IV's has a 50% chance of revealing a word of the secret key. The structure of WEP is intrinsically vulnerable to this form of attack, and the authors specifically mention the WEP vulnerability in their work.

From nbs24@cornell.edu Thu Oct 24 09:24:22 2002
Received: from travelers.mail.cornell.edu (travelers.mail.cornell.edu [132.236.56.13]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9ODOMh28202 for ; Thu, 24 Oct 2002 09:24:22 -0400 (EDT)
Received: by travelers.mail.cornell.edu (8.9.3/8.9.3) id JAA06183; Thu, 24 Oct 2002 09:24:20 -0400 (EDT)
Date: Thu, 24 Oct 2002 09:24:20 -0400 (EDT)
From: nbs24@cornell.edu
Message-Id: <200210241324.JAA06183@travelers.mail.cornell.edu>
To: egs@CS.Cornell.EDU
Errors-To: nbs24@cornell.edu
Reply-To: nbs24@cornell.edu
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: IMP/PHP3 Imap webMail Program 2.0.9
Sender: nbs24@cornell.edu
X-Originating-IP: 64.185.145.94
Subject: 615 PAPER 42

Intercepting Mobile Communications: The Insecurity of 802.11

Paper exposes the security flaws that exist in the Wired Equivalent Privacy (WEP) protocol incorporated in 802.11 to protect the confidentiality of the user data from eavesdropping. WEP provides data confidentiality using the RC4 stream cipher but is still vulnerable to passive and active attacks in relatively short amounts of time using moderate resources.
The problem with RC4 is in its keystream reuse: encrypting two messages under the same public key and secret key can reveal information about the messages. However, WEP only recommends that the public IV (which is only 24 bits wide) be changed after every packet. WEP provides message authentication using a CRC-32 checksum. The problem with CRCs is that they are only designed to detect random errors in a message and are not resilient against malicious attacks. The authors show that it is possible to decrypt an encrypted message by tricking the access point to do the decryption using IP redirection or monitoring the reaction of a recipient of a TCP packet and inferring information about the unknown plaintext. The authors propose the following countermeasures: viewing the wireless network as a threat and placing it outside the organization firewall, and improving the key management of a wireless installation.

Weaknesses in the Key Scheduling Algorithm of RC4

This paper exposes the design flaws in the RC4 key scheduling algorithm, which derives the initial state from a variable size key, that is used in WEP as described in the first paper. The first weakness comes from the use of a small part of the secret key to derive a large portion of the initial key scheduling algorithm output. The second consists of the observation that when the same secret part of the key is used with numerous different exposed values, an attacker can rederive the secret part with relatively little effort.

An Initial Security Analysis of the IEEE 802.1X Standard

The IEEE 802.1X Standard, a cornerstone for the new Robust Security Network (RSN), was proposed to provide strong authentication, access control and key management for the insecure 802.11. This paper exposes two security flaws that exist in the 802.1X standard (session hijacking and the establishment of man-in-the-middle).
RSN provides per-packet authenticity and integrity between the back-end server and the authenticator, scalability, flexibility, access control and one-way authentication. However, a design flaw exists in the asymmetrical treatment of supplicants and authenticators in the state machines allowing an attacker to forge authentication packets on behalf of the authenticator, launching an MIM attack. Since higher-layer authentication takes place after RSN association/reassociation, there exist the separate RSN and 802.1X state machines, whose combined action determines the state of authentication. However, because of a lack of communication between the two state machines, session hijacking can occur. The authors propose the following countermeasures: a per-packet authenticity and integrity in 802.11 data and management frames, authenticity in the 802.1X messages themselves and a peer-to-peer based authentication built into the RSN framework.

Nana B. Sam

From tmroeder@CS.Cornell.EDU Thu Oct 24 10:38:45 2002
Received: from dhcp98-88.cs.cornell.edu (dhcp98-88.cs.cornell.edu [128.84.98.88]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OEcjh14089 for ; Thu, 24 Oct 2002 10:38:45 -0400 (EDT)
Received: (from tmroeder@localhost) by dhcp98-88.cs.cornell.edu (8.11.6/8.11.6) id g9OEawr16734; Thu, 24 Oct 2002 10:36:58 -0400
From: Thomas Roeder
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15800.1418.59553.518725@dhcp98-88.cs.cornell.edu>
Date: Thu, 24 Oct 2002 10:36:58 -0400
To: Emin Gun Sirer
Subject: 615 PAPER #42
X-Mailer: VM 7.07 under Emacs 21.2.1

The three papers that we were to read today summarize the attacks that can be brought against 802.11. The first paper discusses the weaknesses of WEP, which is a protocol meant to protect the user of the radio waves from passive eavesdropping attacks. As it turns out, however, WEP is vulnerable to both passive and active attacks.
WEP uses RC4 and checksumming to create ciphertext that is then sent out on the air to be decrypted by the recipient. Unfortunately, even with long keys, there are attacks which can be used effectively against it. The first attack they discuss is keystream reuse: given that the IV is eventually reused, an attacker can use this knowledge to reconstruct XOR-ed plaintext, which, using several techniques, he can then extract well-known text from. So WEP fails the eavesdropping tests along one front.

The next complaint is that WEP does not truly prove authenticity; that is that an attacker can modify any message with another arbitrary message and escape checksum detection. Given knowledge of the complete plaintext of a message, the attacker can do replay attacks indefinitely with arbitrary messages, allowing injection of messages into the network. Messages can also be decrypted by exploiting the access point's knowledge of the secret keys. If a packet is intercepted that you want to transmit, then modify it to be sent out along the wired network to a computer that you control. I note in passing that at least some of the variants of this attack will be detected on the wired network or by a firewall. Furthermore, reaction attacks can be used to get 1 bit of information about the plaintext of a message at a time. The attacker uses TCP and ACKs to see if a modified message was correct.

The next weakness is that of the Key Scheduling Algorithm in RC4. The idea of the attack is that there are certain keys which behave poorly under RC4, and there is a small but real possibility that by analysis of the first few words of a stream, an attacker can get significant information about the key used to encrypt the message. This leads to obvious attacks against WEP, again, since it uses RC4 with a prepended initialization vector in plaintext.

The final paper examines two flaws in 802.1X, which can be used to generate man-in-the-middle and hijacking attacks.
The problems which give rise to these attacks are in the Robust Security Network architecture proposed by the IEEE. The man-in-the-middle attack works by pretending to be the authenticator to the supplicant and a client to the authenticator. The hijacking attack works by sending a disassociation message to a client and taking over their session. One of the significant flaws that has been addressed here is the lack of machine state synchronization, which means that the attacker has more freedom in constructing attacks. In RSN, the main problems are the lack of per-packet authenticity and integrity, allowing the attacker to construct simple attacks against a supplicant.

In general, the papers above show that 802.11 is vulnerable to a wide range of attacks, and is in no way secure.

From kwalsh@CS.Cornell.EDU Thu Oct 24 10:45:54 2002
Received: from duke.cs.duke.edu (duke.cs.duke.edu [152.3.140.1]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OEjrh16033 for ; Thu, 24 Oct 2002 10:45:53 -0400 (EDT)
Received: from localhost (moe.cs.duke.edu [152.3.140.74]) by duke.cs.duke.edu (8.9.3/8.9.3) with ESMTP id KAA06607 for ; Thu, 24 Oct 2002 10:45:52 -0400 (EDT)
From: kwalsh@CS.Cornell.EDU
Received: from 132.236.225.147 ( [132.236.225.147]) as user walsh@imap.cs.duke.edu by login.cs.duke.edu with HTTP; Thu, 24 Oct 2002 10:45:52 -0400
Message-ID: <1035470752.3db807a00fb18@login.cs.duke.edu>
Date: Thu, 24 Oct 2002 10:45:52 -0400
To: egs@CS.Cornell.EDU
Subject: 615 PAPER 42
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.0
X-Originating-IP: 132.236.225.147

Intercepting Mobile Communications: The Insecurity of 802.11
Weaknesses in the Key Scheduling Algorithm of RC4
An Initial Security Analysis of the IEEE 802.1X Standard

These papers highlight the difficulty of security in general, and more specifically the difficulty of security-by-committee.
The first two papers discuss the deployed 802.11 security mechanisms (WEP) and its weaknesses. The last looks at the next-generation 802.1X security framework meant to address the flaws in the existing system.

Intercepting Mobile Communications presents several weaknesses and flaws in the deployed Wired-Equivalent Privacy system, ranging from obscure to almost comical. WEP uses a secret key with a visible IV as the RC4 key. The resulting bitstream is xored with the data packets. First, several practical implementation and design considerations allow for IV reuse (i.e., cards reset IV=0 at initialization and then increment by 1 each frame). If the plaintext of any packet is known, the bitstream can be recovered (just xor with the known plaintext) and used to decrypt later packets with the same IV, or inject new packets by reusing the same bitstream indefinitely. A number of obvious tricks are available for determining the plaintext, including tricking the victim into sending a particular packet. This technique is especially useful for gaining unauthorized access. The WEP access control mechanism is as follows: the base station sends a clear-text challenge to a node. The node then responds with the encrypted challenge, thus providing exactly the opportunity for a listener to obtain a valid bitstream (which can then be used to authenticate with the base station). This weakness is incomprehensibly obvious. Other attacks are detailed, such as the ability to easily modify encrypted packet data and simultaneously patch the encrypted CRC without ever having to decrypt the packet.

The second paper examines the key scheduling algorithm in RC4. Basically, keys of length divisible by a power of two are found to be weak. It goes almost without saying that WEP uses exactly such a key length.
The weakness is manifested in a predictable pattern in the keystream, especially when a portion of the key is known (and, by mere coincidence, the IV portion of the key used by WEP is always known). An attacker with knowledge of the plaintext can leverage this weakness into discovering the key itself, if enough IV/key encryptions are collected.

The remaining paper looks at the Robust Security Network (RSN) framework, an amalgamation of 802.11 and 802.1X security systems. The architecture is somewhat more robust to attack, but still leaves open obvious attacks. One such attack is the Man-in-Middle attack: since authentication is entirely one-way, a hostile node can interpose between legitimate authenticators and the access point. Worse, the state on the mobile node and at the access point are only loosely bound. After a node authenticates, a hostile node can send it a de-authentication packet, leaving the mobile node unauthenticated and the access point authenticated. The hostile node is then free to impersonate the mobile node, using the open and authenticated access port.

From bd39@cornell.edu Thu Oct 24 10:48:01 2002
Received: from travelers.mail.cornell.edu (travelers.mail.cornell.edu [132.236.56.13]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OEm0h16267 for ; Thu, 24 Oct 2002 10:48:00 -0400 (EDT)
Received: from travelers.mail.cornell.edu (travelers.mail.cornell.edu [132.236.56.13]) by travelers.mail.cornell.edu (8.9.3/8.9.3) with SMTP id KAA24983 for ; Thu, 24 Oct 2002 10:47:58 -0400 (EDT)
Date: Thu, 24 Oct 2002 10:47:58 -0400 (EDT)
From: bd39@cornell.edu
X-Sender: bd39@travelers.mail.cornell.edu
To: egs@CS.Cornell.EDU
Subject: 615 PAPER 42
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

These three papers outlined weaknesses in different aspects of security used over 802.11: the encryption algorithm RC4, the encryption protocol WEP and the authentication protocol of 802.1x.
Security is a huge concern in wireless networks because it is much easier to obtain physical access than in traditional wired networks. Overall, the papers show that 802.11b security is presently very weak, and needs drastic improvement at all levels.

* Intercepting Mobile Communications: Insecurity of 802.11 *

This paper deals with several aspects of the 802.11 protocol which render the WEP encryption protocol insecure and prone to attack. WEP is the encryption protocol used to encrypt packets sent between STA and BS in an infrastructure 802.11 network.

WEP: Attaches a checksum of the data packet, then encrypts the packet by xor'ing it with RC4 with a secret key and an IV (init. vector). The IV and encrypted payload is then sent.

Confidentiality: The xor of the plaintext of two encrypted messages can be obtained by intercepting the two messages encoded with similar IV's. This can be used to build a dictionary used to obtain the plaintext of encrypted messages by storing IV,message pairs, and performing standard analysis. The reuse of lower numbered IV's and the small size of IV contributes to the ease of this attack. The static nature of the WEP keys also contribute to this problem. If keys changed frequently, then this attack would be less effective.

Authenticity: Because of the construction using xor, it is possible to modify the message, either replacing a known plaintext with an arbitrary message, or performing an arbitrary change to a ciphertext. This is because CRC, RC4 is linear, so can be easily changed. Modification of the packet can also be used to redirect (duplicate) packets through the BS to obtain unencrypted messages.

Access Control: Using a known ciphertext, it is possible to derive the keystream used with a certain IV and send arbitrary messages. The authentication message can be spoofed easily using this method, because the plaintext is made available in the challenge.
The weaknesses exposed by this paper are rather frightening, because of the ease with which the attacks could be implemented. It seems that WEP needs a complete overhaul. One of the main problems is that each word in the encrypted message corresponded directly with a word in the plaintext, and that there was no other mechanism to identify the messages as being authentic. The reuse of IV's and static nature of the shared secret was also another problem.

* Initial Security Analysis of IEEE 802.1X Standard *

This paper describes the basic structure of the 802.1x authentication protocol, which is used to authenticate nodes with a base station. The paper points out a design flaw which can be exploited to standard Man in the Middle and Session HiJacking attacks. 802.1x has a lack of mutual authentication. Because of the state transitions, nodes immediately transition to having authenticated the identity of a base station without any sort of tests. This can be exploited to be a man in the middle attack, where an attacker spoofs the BS response. Also, because there is no clear coordination between connectivity and authentication, the authenticated session could be hijacked by spoofing a disconnect to the node, and using the session initiated by the node for the attacker's own purposes. The main faults in the protocol are the lack of ways of authenticating management packets and lack of mutual authentication.

* Weakness of RC4 *

In this paper, the authors point out methods to reduce the time required to obtain an RC4 key, and make it more feasible that a brute force attack will be able to crack RC4 encrypted information. The main observation is that certain weak keys make a few selected bits in the RC4 key contribute to a large portion of bits in the starting permutation of the cryptographic algorithm, which is translated into the specific permutations of the initial words encrypted by the PRGA.
Also, using a known portion of a key concatenated with a secret key, it is computationally feasible to obtain the rest of the secret key through an iterative process that scales linearly with the length of the secret key. The implications of this are that WEP keys are insecure on the level of the encryption algorithm used, and that increases in key length (from 40 to 104 bits) do not increase the strength of the RC4 by much at all.

From vrg3@cornell.edu Thu Oct 24 11:01:01 2002
Received: from travelers.mail.cornell.edu (travelers.mail.cornell.edu [132.236.56.13]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OF11h19636 for ; Thu, 24 Oct 2002 11:01:01 -0400 (EDT)
Received: from travelers.mail.cornell.edu (travelers.mail.cornell.edu [132.236.56.13]) by travelers.mail.cornell.edu (8.9.3/8.9.3) with SMTP id LAA03740 for ; Thu, 24 Oct 2002 11:00:59 -0400 (EDT)
Date: Thu, 24 Oct 2002 11:00:59 -0400 (EDT)
From: vrg3@cornell.edu
X-Sender: vrg3@travelers.mail.cornell.edu
To: egs@CS.Cornell.EDU
Subject: 615 PAPER 42
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The first paper presents two exploitable security holes in the Wired Equivalency Protocol. The first is the reuse of keystreams. One of WEP's goals is to prevent an adversary from knowing the contents of transmitted packets. This is done by encrypting using a private shared secret and a public initialization vector. Assuming that the shared secret stays constant, any time more than one message is sent with the same IV, an attacker has a chance to compromise confidentiality. The IV is only 24 bits, which means that a busy access point is likely to have no choice but to repeat IVs in less than half a day. This is worsened by several facts: if an IV is randomly selected, the birthday paradox says IVs will repeat after only 5000 packets; the 802.11 standard does not even require that IVs change; and many wireless cards always initialize the IV to zero and increment by ones.
If an attacker has two ciphertexts encrypted with the same IV and knows the plaintext contents of one, he can know the plaintext contents of the other. It is not far-fetched for an adversary to know the contents of some packet; he may be aware of the login prompt or welcome message of a particular machine or he might send users an email or spam. Or, on certain access points which allow both WEP and non-WEP communication, he can just send a plaintext broadcast.

The second hole in WEP is the relatively weak CRC checksum performed to authenticate messages. An attacker can tamper with a message because the CRC is linear. For example, if he turns one bit on, he just needs to turn another corresponding bit off.

The second paper presents weaknesses in the key scheduling algorithm of RC4. They discovered that there are a large number of keys which are weak, meaning that much of the encryption done depends only on a small part of the key. They then demonstrated an exploit of this fact; with WEP, which relies on RC4, you can actually determine much of the shared secret required for complete access to the network.

The third paper presents weaknesses in the IEEE 802.1X standard. 802.1X is part of the Robust Security Network standard. The paper shows how RSN would be vulnerable to two types of attacks. The first is session hijacking. An adversarial node can forge a disassociation message from the access point to a client. This client will then believe it is no longer associated with the access point, while the access point will believe it is still associated. The adversary can then assume the now-defunct client's hardware address and assume control of the connection. The second attack is the man-in-the-middle attack; because the authentication is asymmetrical (nodes authenticate to the access point but not vice versa), an adversarial node can pretend to be the access point and allow a new node to authenticate with it.
This way, all traffic to and from the node will pass through the adversary.

From adam@graphics.cornell.edu Thu Oct 24 11:10:56 2002
Received: from bach.graphics.cornell.edu (bach.graphics.cornell.edu [128.84.247.50]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OFAuh21863 for ; Thu, 24 Oct 2002 11:10:56 -0400 (EDT)
Received: from envy.graphics.cornell.edu (envy.graphics.cornell.edu [128.84.247.206]) by bach.graphics.cornell.edu (8.12.1/8.12.1) with ESMTP id g9OFAo0k094501 for ; Thu, 24 Oct 2002 11:10:50 -0400 (EDT)
Date: Thu, 24 Oct 2002 11:10:31 -0400 (EDT)
From: Adam Kravetz
To: egs@CS.Cornell.EDU
Subject: 615 paper 42
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

A summary of attacks against 802.*

Message Modification - since the WEP checksum is a linear function of the message, meaning that controlled changes can be made to a message and replace the original message.

Message Injection - If an attacker knows some plaintext and the ciphertext he can reveal the keystream. The keystream can be reused to inject arbitrary data into the network using the same IV. This is possible because WEP checksums are an unkeyed function of the message. Further, IV values are reusable under 802.11 so once an IV is known it can be reused indefinitely.

Authentication Spoofing - using the same exploit as message injection. An attacker only needs to hear a "challenge" sent in plaintext by a base station and a response by a mobile station. Using this he can recover the keystream and since all authentication responses are of the same length, this keystream can work for the new challenge.

Message Decryption through IP redirection - Modify encrypted packets to have a destination which the attacker controls. Let the AP decrypt the packet and send it to the modified destination. Caveat, the IP checksum has to match the updated IP, apply trivial math formula if the original IP address is known.
Reaction Attack - Look for a TCP stream startup, knowing the predictable Syn, ACK nature of TCP one can identify TCP ACK (by packet size), get an encrypted message of unknown body, change the C to C' and adjust CRC accordingly. We see if this recipient sends back an ACK meaning that it had a valid TCP checksum. This gives us 1 bit of information about the original message, using clever tech to generate C'. We can do this many times to get more and more info about encrypted plaintext and deduce the rest of the at some point.

Man-in-middle attack - A classic spoof. An EAP success is sent to a legitimate address, the adversary spoofs the AP's Mac. Legitimate users sends data to adversary, adversary gains network access.

Session Hijacking - This classic wired spoof can also be applied to 802.11. A legitimate authentication happens, the adversary disassociates the MAC of the victim's computer, the sender is still in authenticated mode, while the receiver is unassociated state. The adversary can now gain network access through MAC spoofing.

DOS Attacks:
- 802.11 management frames contain no authentication element so spoofing them is possible causing supplicant to be disconnected. Can be used even w/ WEP enabled.
- EAP Failure messages can be spoofed by using AP's MAC address to an authenticated supplicant. EAP Failures are valid for 60 seconds, so sending a continuous message (say every 50 seconds), should disconnect a user
- EAPOL logoff, EAPOL Start Message Spoofing use a MIM setup a simple spoofed message can cause an authenticated client to get logged off. Adversary spoofs a EAPOL Logoff to the AP, can also work at MAC level.
- AP overflow. Kill the AP off by making too many authentication requests. Randomize a mac make a request and fill the queue for authentications.
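The "Message Modification" point above (and the "patch the encrypted CRC" remark in the earlier review) rests on one property: CRC-32 is affine, so the ICV of a modified payload can be derived from the ICV delta alone. The following is an added example written for this page, not code from any of the reviews or from the papers they summarize. It builds a toy WEP-style encapsulation with a constructed 40-bit key and IV, shows that a one-byte change to the encrypted payload passes the CRC integrity check with neither key nor plaintext, and then shows the same change against a keyed HMAC tag (the kind of check a later review mentions), where it is rejected. The function names, the 8-byte tag length and the separate integrity key are this example's own choices.

```python
"""Added example (not from any review above): why WEP's CRC-32 integrity
check value (ICV) cannot detect controlled modification, and why a keyed
MAC does.  Key, IV and frame contents are constructed for the demo."""
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA followed by PRGA); used only to emulate WEP encapsulation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encapsulate(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body: (plaintext || CRC-32(plaintext)) XOR RC4(iv || key)."""
    body = plaintext + crc32_bytes(plaintext)
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_decapsulate(iv: bytes, key: bytes, ciphertext: bytes):
    """Returns (plaintext, icv_ok) the way a receiver would judge the frame."""
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, icv == crc32_bytes(plaintext)


def flip_and_patch_crc(ciphertext: bytes, delta: bytes) -> bytes:
    """XORs `delta` into the encrypted payload and fixes the encrypted ICV
    using CRC linearity: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0).
    Needs neither the key nor the plaintext, which is the reviews' point."""
    payload_len = len(ciphertext) - 4
    delta = delta.ljust(payload_len, b"\x00")
    icv_delta = xor(crc32_bytes(delta), crc32_bytes(bytes(payload_len)))
    return xor(ciphertext, delta + icv_delta)


# Hardened variant: an HMAC tag under a separate integrity key instead of a CRC.
TAG_LEN = 8   # example choice; neither WEP nor the papers specify a tag length


def mac_encapsulate(iv: bytes, key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    tag = hmac.new(mac_key, iv + plaintext, hashlib.sha256).digest()[:TAG_LEN]
    body = plaintext + tag
    return xor(body, rc4_keystream(iv + key, len(body)))


def mac_decapsulate(iv: bytes, key: bytes, mac_key: bytes, ciphertext: bytes):
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expect = hmac.new(mac_key, iv + plaintext, hashlib.sha256).digest()[:TAG_LEN]
    return plaintext, hmac.compare_digest(tag, expect)


def flip_payload(ciphertext: bytes, delta: bytes, tag_len: int) -> bytes:
    """Same payload change with the tag left alone: there is nothing linear to patch."""
    payload_len = len(ciphertext) - tag_len
    delta = delta.ljust(payload_len, b"\x00")
    return xor(ciphertext, delta + bytes(tag_len))


def demo():
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    mac_key = b"constructed-integrity-key"
    iv = bytes.fromhex("000001")
    msg = b"PAY 0100 TO ACCT 4242"
    want = b"PAY 0900 TO ACCT 4242"
    delta = xor(msg, want)                   # one differing byte; only its position matters
    wep_pt, wep_ok = wep_decapsulate(
        iv, key, flip_and_patch_crc(wep_encapsulate(iv, key, msg), delta))
    mac_pt, mac_ok = mac_decapsulate(
        iv, key, mac_key, flip_payload(mac_encapsulate(iv, key, mac_key, msg), delta, TAG_LEN))
    return {"crc": (wep_pt, wep_ok), "hmac": (mac_pt, mac_ok)}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the modified plaintext with `True` for the CRC receiver (the tampered frame is accepted as intact) and the same plaintext with `False` for the HMAC receiver. The receiver side is the part that matters for defence: an unkeyed, linear ICV gives the recipient no information about whether bytes were changed in flight, so integrity has to come from a keyed MAC over the frame, not from the encryption.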
From mp98@cornell.edu Thu Oct 24 11:14:09 2002
Received: from postoffice.mail.cornell.edu (postoffice.mail.cornell.edu [132.236.56.7]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OFE9h22166 for ; Thu, 24 Oct 2002 11:14:09 -0400 (EDT)
Received: from cornell.edu (r109493.resnet.cornell.edu [128.253.240.252]) by postoffice.mail.cornell.edu (8.9.3/8.9.3) with ESMTP id LAA16907 for ; Thu, 24 Oct 2002 11:14:08 -0400 (EDT)
From: mp98@cornell.edu
Date: Thu, 24 Oct 2002 11:14:07 -0400
Mime-Version: 1.0 (Apple Message framework v546)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Subject: 615 Paper 42
To: egs@CS.Cornell.EDU
Content-Transfer-Encoding: 7bit
Message-Id: <3D9D8178-E763-11D6-B280-003065EE5F0A@cornell.edu>
X-Mailer: Apple Mail (2.546)

Intercepting Mobile Communications:

This paper details flaws in the 802.11 WEP protocol. Even with 128 bit encryption, they argue, there are flaws in the system. IV collisions are possible while key updates are rare, leading to the vulnerability of keystream reuse. Many implementations choose IV's in a rather poor way. In addition the 24 bit size of the IV is too short. Also, most installations use a single key for their entire network, which gives many points of compromise. In addition, because the checksum is linear, it offers no protection against modification. We can use this modification to redirect traffic to ourselves from the access point, who will decrypt it for us. Since the checksum does not depend on the keys, an attacker can reuse a known keystream (which they can obtain through any known plaintext attack) to inject many packets (the packets will all use the same IV, of course). This also makes secure authentication a joke in WEP, since overhearing someone else's authentication gives us a known plaintext.

RC4:

This paper describes two main weaknesses in RC4: 1) That there exist weak keys for whom a small number of key bits determine a large number of output bits.
And 2) Knowledge of some parts of the key can reveal the secret bits of the key by examining the output of the keystream. The details of the math are unimportant. What is important is that with knowledge of the IV for a keystream, an attacker can begin to determine bits of the rest of the key. Since IVs are sent in the clear, by collecting a few (well, a few million) WEP packets, one could determine the key for the network.

802.1X Security Analysis:

This paper analyzes a modification to 802.11 for the Robust Security Network which involves mixing it with a new standard called 802.1X. 802.1X is an authentication medium that may be combined with 802.11, using challenge and response authentication. The Authenticator and the back end server are separated in this protocol. However, since the supplicant in the protocol does not ask the authenticator to authenticate itself, attackers may pretend to be access points and use the EAP responses of the victim to authenticate itself with the authenticator: A Man-in-the-Middle attack. Furthermore, since a node may be authenticated while being dissociated from its MAC, an attacker may send an 802.11 dissociation message and then associate itself with the MAC address, allowing an attacker to hijack the session.
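The IV-collision point in the review above (and the "5000 packets" and "half a day" figures in an earlier review) can be made concrete from the monitoring side. The following is an added example written for this page, not code from any review or from the papers: a passive check that flags any IV seen twice under one key, a demonstration that two frames under a reused IV leak the XOR of their plaintexts (so one guessable plaintext exposes the other), and the two estimates behind the numbers quoted above. The keystreams are constructed stand-ins for RC4 output; the 1500-byte frame size and 11 Mb/s rate used for the exhaustion estimate are this example's assumptions, not figures from the reviews.

```python
"""Added example (not from any review above): a passive, defender-side
check for WEP IV reuse, what a reused IV leaks, and the birthday
estimate for a 24-bit IV space.  Keystreams and frames are constructed."""
import hashlib
import math
from collections import defaultdict

IV_BITS = 24  # the IV width WEP mandates


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expected_frames_until_iv_collision(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: with random IVs a repeat is expected after about
    sqrt(pi/2 * 2^iv_bits) frames, roughly 5100 for 24 bits."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def hours_to_exhaust_iv_space(frame_bytes: int = 1500, link_mbps: float = 11.0,
                              iv_bits: int = IV_BITS) -> float:
    """Hours a sender that increments the IV per frame needs to wrap around.
    Assumes back-to-back 1500-byte frames at 11 Mb/s (this example's choice)."""
    frames_per_second = link_mbps * 1e6 / (frame_bytes * 8)
    return 2 ** iv_bits / frames_per_second / 3600


def find_iv_reuse(frames):
    """frames: iterable of (iv, ciphertext) pairs captured under one shared key.
    Returns {iv: [ciphertexts]} for every IV that appears more than once;
    a non-empty result means keystream reuse has already happened."""
    by_iv = defaultdict(list)
    for iv, ciphertext in frames:
        by_iv[iv].append(ciphertext)
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def plaintext_xor_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under one keystream differ exactly as their plaintexts do:
    (p1 ^ ks) ^ (p2 ^ ks) == p1 ^ p2.  The keystream cancels out."""
    return xor(ct1, ct2)


def demo():
    # Constructed stand-ins for RC4(IV || key) output; any stream cipher behaves the same.
    ks_iv0 = hashlib.sha256(b"constructed keystream, IV 000000").digest()
    ks_iv1 = hashlib.sha256(b"constructed keystream, IV 000001").digest()
    p1 = b"GET /login HTTP/1.0\r\n"   # a plaintext a monitor could guess (a known banner)
    p2 = b"user=alice&pw=hunter2"     # an unknown plaintext of the same length
    frames = [
        (b"\x00\x00\x00", xor(p1, ks_iv0)),
        (b"\x00\x00\x01", xor(b"keep-alive", ks_iv1)),
        (b"\x00\x00\x00", xor(p2, ks_iv0)),   # the card reset its IV counter to 0
    ]
    reused = find_iv_reuse(frames)
    c1, c2 = reused[b"\x00\x00\x00"]
    recovered = xor(plaintext_xor_leak(c1, c2), p1)  # knowing p1 yields p2 outright
    return {
        "reused_ivs": sorted(reused),
        "recovered": recovered,
        "birthday_frames": expected_frames_until_iv_collision(),
        "exhaust_hours": hours_to_exhaust_iv_space(),
    }


if __name__ == "__main__":
    print(demo())
```

`find_iv_reuse` is the piece a network monitor would keep: it needs only the cleartext IV field of each frame, so it runs without the key, and a single repeated IV is already a confidentiality failure for the whole frame pair. The birthday figure (about 5100 frames) matches the "5000 packets" quoted above for randomly chosen IVs; the exhaustion figure (about 5 hours for a sequential counter at the assumed rate) is the "less than half a day" case. Neither number improves with a longer secret key, which is the reviews' point about the IV being the only thing that matters.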
From mvp9@cornell.edu Thu Oct 24 11:56:40 2002
Received: from cornell.edu (cornell.edu [132.236.56.6]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OFueh02836 for ; Thu, 24 Oct 2002 11:56:40 -0400 (EDT)
Received: from zoopark.cornell.edu (syr-24-58-46-186.twcny.rr.com [24.58.46.186]) by cornell.edu (8.9.3/8.9.3) with ESMTP id LAA23304 for ; Thu, 24 Oct 2002 11:56:40 -0400 (EDT)
Message-Id: <5.1.0.14.2.20021024115543.00ab46c8@postoffice.mail.cornell.edu>
X-Sender: mvp9@postoffice.mail.cornell.edu (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 24 Oct 2002 11:56:31 -0400
To: egs@CS.Cornell.EDU
From: mike polyakov
Subject: 615 PAPER 42
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

The three papers reviewed discuss the 802.11 and a modification, 802.1X from the security aspect, with the Fluhrer et al. paper focusing on the RC4 encryption algorithm used by WEP in 802.11. Security holes of various sizes are shown in each either from the cryptographic point of view or the protocol that implements those crypto algorithms. Problems with a protocol (key/IV reuse, single-way authentication) are usually easier both to understand and exploit, often requiring much fewer resources.

It turns out that WEP has a host of problems. The IV string, which is concatenated with the secret key to produce the key stream is particularly problematic. Not only is it specified to be short enough such that IV's are reused often (24 bits is mandated by WEP), the source of the IV is often predictable and insecure (i.e. many implementations start the string counter at 0 and thus it's easy to collect many messages with the same IV). Moreover, the protocol allows the IV to be reused in a session. Collecting enough messages with the same IV can allow an attacker to decrypt any ciphertext. Further, knowledge of a plaintext allows one to calculate another plaintext encrypted with the same key/IV pair since RC4 is a stream cipher.
A second major class of problems involves the authentication of the user: the authenticator simply sends a challenge to be encrypted, and then compares the response to a locally encrypted version. This allows access to an encryption machine, giving any attacker a bounty of plaintext/ciphertext pairs. The final strike is the use of CRC for data integrity. Because it isn't keyed, and is linear, CRC allows modifications to a ciphertext (without decryption) to go unnoticed. This can also be used for reaction attacks, checking if something has been successfully decrypted by watching a reaction of the authenticator. The difficulty of changing keys, and the resulting reuse of a single key by many stations contributes to the horrible weakness of this protocol (who designed this to be "secure"??)

It turns out that the next stage, 802.1X is also quite troubled. Although there is a level of indirection that performs authentication, and traffic is split into two ports, one for data, one for authentication, many problems arise. One is the decoupling of state machines of security and connectivity allowing session hijacking. Although MAC checks are used per packet for data, a great improvement over WEP, not using them for management frames allows man in the middle attacks. Making authentication symmetric (so that the AP has to authenticate itself to the supplicant) would solve many problems. Since it's not clear from the paper if RC4 is still used for encryption, some of the old problems may remain.

The Fluhrer et al. paper discusses more elaborate attacks on RC4 where classes of weak keys are identified. Further, by compiling a large number of messages one can deduce parts of the key (though this may require knowledge of some of the bits of key beforehand). The weakness arises in part through a correlation between ciphertext and key that is preserved by RC4 in many cases.
It is also often possible to determine if a string is encrypted or random, but it's not clear how that would be applicable to 802.11 and WEP. While these results are devastating overall, the exploits to which they lead are more expensive than the ones already identified against WEP, but will be useful against better protocols.

From mtp22@cornell.edu Thu Oct 24 12:03:07 2002
Received: from postoffice2.mail.cornell.edu (postoffice2.mail.cornell.edu [132.236.56.10]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OG37h03979 for ; Thu, 24 Oct 2002 12:03:07 -0400 (EDT)
Received: from narnia (syr-24-58-57-15.twcny.rr.com [24.58.57.15]) by postoffice2.mail.cornell.edu (8.9.3/8.9.3) with SMTP id MAA03027 for ; Thu, 24 Oct 2002 12:02:26 -0400 (EDT)
Content-Type: text/plain; charset="iso-8859-1"
From: Matt Piotrowski
Reply-To: mtp22@cornell.edu
To: egs@CS.Cornell.EDU
Subject: 615 Paper 42
Date: Thu, 24 Oct 2002 12:03:03 -0400
X-Mailer: KMail [version 1.2]
MIME-Version: 1.0
Message-Id: <02102411591000.00167@narnia>
Content-Transfer-Encoding: 8bit

The paper "An Initial Security Analysis of the 802.1X Standard" describes a few attacks on the protocol. One of these is a session hijacking attack, where an attacker can take over the flow of communication from a valid user. This attack is based on the lack of integrity in 802.1X management frames. Another attack is a man-in-the-middle attack, where an attacker can get in between a user and an access point and intercept all communication. This attack is based on authentication having a one-way nature.

In the paper "Intercepting Mobile Communications: The Insecurity of 802.11", flaws are pointed out in 802.* related to dictionary attacks and data modification. The paper points out that, using the stream cipher method used by 802.*, you have to be extremely careful not to reuse the same IVs with the same key. However, there are no requirements that forbid this in 802.*, only recommendations.
Another problem pointed out in this paper is the use of CRCs to verify the integrity of a message. CRCs are not safe against a purposeful attacker; they were designed to protect against random modifications of the data. There are secure ways of verifying the integrity of data, such as HMAC, and the paper recommends their use.

In the paper "Weaknesses in the Key Scheduling Algorithm of RC4", a couple of flaws are pointed out in the RC4 stream cipher used by 802.*. One concerns the use of weak keys that allow future states to be predicted with high probability. The other, more serious, flaw has to do with the way the cryptography is done. In one mode, a secret key and a public IV are used. If they are not combined in the right way, an attacker can XOR known text with the result to discover the secret key. Once the secret key is known, the privacy of the data is completely compromised.

From linga@CS.Cornell.EDU Thu Oct 24 14:19:05 2002
Received: from snoball.cs.cornell.edu (snoball.cs.cornell.edu [128.84.96.54]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9OIJ5h02748 for ; Thu, 24 Oct 2002 14:19:05 -0400 (EDT)
Received: from localhost (linga@localhost) by snoball.cs.cornell.edu (8.11.3/8.11.3/C-3.2) with ESMTP id g9OIJ4F28363 for ; Thu, 24 Oct 2002 14:19:04 -0400 (EDT)
Date: Thu, 24 Oct 2002 14:19:04 -0400 (EDT)
From: Prakash Linga
To: Emin Gun Sirer
Subject: 615 PAPER 42
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Security attacks on 802.X

In 802.11 networks, the WEP protocol is used for link-layer security. The goals of this protocol are mainly: confidentiality, access control, data integrity. A secret key k is shared between the communicating parties to enable secret communication.
Encryption of message M: first the checksum c(M) is appended to message M to get plaintext P; then the RC4 algorithm is used with initialization vector v and secret key k to generate a key stream RC4(v, k); the ciphertext C is obtained by xor-ing the plaintext P and the key stream RC4(v, k). The IV v is also transmitted along with the ciphertext. Decryption is the reverse of encryption.

The three papers we studied argue that 802.* fails to achieve the above design goals using the algorithm described above. The following attacks were described:

- WEP does not prohibit reuse of the IV. Encrypting two messages M1 and M2 using the same v and k can reveal info about both messages (the attacker can infer P1 xor P2). So if he knows one of the messages he can find the other. Also, real-world plaintexts have enough redundancy to help recover both P1 and P2 given P1 xor P2. If we have a lot of ciphertexts generated using the same v and k, our problem becomes easier as we have more samples (using frequency analysis etc.). Partial and contextual information about plaintexts also makes our problem easier. Given that v is 24-bit, reuse of v is highly probable.
- Once the plaintext is obtained using the above method or by some other means, the keystream can be obtained by xor-ing P with C. So we can collect pairs and use this to obtain the secret key.
- Most installations use a single key for an entire network. This makes it easier to find the key: the greater the number of people sharing a secret, the easier it is to find the secret; the same key increases the probability of an IV collision (more so because the IV is just 24-bit).
- Message modification without fear of detection is an easy task. Here we exploit the fact that the checksum is linear, and so are stream ciphers like RC4. Given ciphertext C encrypting message M, to modify the message to M' = M + D, we can obtain the ciphertext C' corresponding to M' by: C' = C xor .
- Message injection: If the attacker knows the plaintext corresponding to some ciphertext and v, then he can find the key stream corresponding to this v. Using this key stream and v he can encrypt any message he wants without triggering any alarms at the receiver. This is again feasible because WEP allows reuse of v's.
- Authentication spoofing: An attacker can obtain a key stream and the corresponding v as explained above. Using this he can respond to a challenge (128-bit message) from the access point by encrypting it using the key stream. So the attacker can authenticate himself indefinitely.
- Message decryption: Here the attacker tries to trick the access point into doing the decrypting for him (here the WEP access point acts as an IP router and we are assuming connectivity to the internet). One way to do this is to change the destination address of a packet to one which the attacker controls. So the access point will accept this packet and will do the decryption for you (you will receive the plaintext).
- Reaction attacks: This works only when WEP is used to protect TCP packets. The attack is based on the fact that TCP requires an ACK to be sent as soon as a packet is accepted. ACK packets are easily identifiable by their size without requiring decryption. The attack involves flipping bits so that the checksum remains unchanged and checking whether the packet is accepted or rejected. This reveals one bit of information about the plaintext. Trying this repeatedly will give enough information to find the plaintext.
- Man-in-the-middle attack: 802.1* state machines only provide one-way authentication (the supplicant is authenticated to the access point). This enables a man-in-the-middle attack where the attacker acts as an access point to the supplicant and as a client to the access point. Access points are treated as trusted entities, which is not a good thing to do.
- Session hijacking: The combined action of the RSN and 802.1* state machines dictates the state of authentication.
But these state machines are loosely coupled, in the sense that there is a lack of clear communication and message authenticity between them. Taking advantage of this, a simple session hijack can be done.
- A passive related-key ciphertext-only attack is possible which can be used to find an arbitrarily long key in a negligible amount of time. This attack works for both a 24-bit v (as in the original 802.*) and a 128-bit v (as in the modified 802.*). There are two attacks described in the paper: a related-key attack based on the invariance weakness, whose time complexity grows with key length; and a related-key attack based on the known-IV weakness, whose time complexity is independent of key length.

From shafat@CS.Cornell.EDU Thu Oct 24 23:42:29 2002
Received: from exchange.cs.cornell.edu (exchange.cs.cornell.edu [128.84.97.8]) by sundial.cs.cornell.edu (8.11.3/8.11.3/M-3.10) with ESMTP id g9P3gSh21923 for ; Thu, 24 Oct 2002 23:42:28 -0400 (EDT)
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Subject: 615 PAPER 42
Date: Thu, 24 Oct 2002 23:42:28 -0400
Message-ID: <47BCBC2A65D1D5478176F5615EA7976D134FB4@opus.cs.cornell.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: 615 PAPER 42
Thread-Index: AcJ72Ip1w59EG60kTDKBUeytXDHB7Q==
From: "Syed Shafat Zaman"
To: "Gun Sirer"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by sundial.cs.cornell.edu id g9P3gSh21923

The paper titled "Intercepting Mobile Communications: The Insecurity of 802.11" describes the WEP (Wired Equivalent Privacy) protocol and its various design shortcomings that leave 802.11 networks vulnerable to different types of attacks. WEP is used in 802.11 networks to protect link-layer data during wireless communications. It creates the plaintext by concatenating a checksum c(M) and the message M.
The plaintext is then encrypted using RC4, which uses a 24-bit wide initialization vector (IV) and a secretly shared 40-bit key to generate the ciphertext. The paper also mentions the three main design goals of WEP: confidentiality, access control and data integrity. It then proceeds to show how none of these goals are fully achieved with the current implementation of WEP. The first major problem is the reuse of IVs. Given two ciphertexts generated with the same IV, it is possible to deduce the corresponding plaintexts. The 802.11 specifications presently do not even require that new IVs are used with every packet. In addition, since a single key is used by many users in the network, it also gives attackers sufficient time to do their analysis from a practical point of view. The linear CRC checksum functions currently used in WEP also allow attackers to modify messages in transit, or to inject rogue messages into networks. These open up a whole range of possibilities for the attacker, who can then fool a legitimate access point in the network into decrypting and forwarding a packet to an attacker-controlled address.

The second paper presents two major weaknesses in the key scheduling algorithm of RC4, which is widely used in the deployment of WEP over wireless networks. The first weakness refers to a general class of weak keys wherein a small part of a key is sufficient to determine a large amount of initial permutations with high probability. The second weakness has to do with the secret key, which is shared among all the addresses in a network and is exposed with every packet encrypted using RC4. The paper shows that this allows an attacker to derive the key with very little work, regardless of the length of the key (40 bits or 104 bits as in WEP2).
The final paper, "An Initial Security Analysis of the IEEE 802.1X Standard", addresses the newly proposed Robust Security Network (RSN), which is a security architecture for 802.11, and presents two types of attacks that can be successfully carried out against the proposed version of RSN due to its design flaws. More specifically, RSN does not provide a mutual authentication system. A simple Man-in-the-Middle (MIM) attack can be executed by an adversary by forging a "success" packet on behalf of the authenticator and getting all network traffic from a legitimate supplicant. The second type of attack, Session Hijacking, leverages this MIM attack by sending a "MAC disassociate" to a legal supplicant and using its MAC address to gain network connectivity. In the end, the paper proposes a number of changes to improve the authenticity and integrity of RSN.
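As an added illustration (not code from any of the papers or the reviews above), the WEP construction described in the Linga and Zaman reviews, P = M || c(M) and C = P xor RC4(v || k), is modelled in Python to make two of the reviewed points checkable: a reused (v, k) pair lets the keystream cancel so that C1 xor C2 = P1 xor P2, and the unkeyed CRC-32 changes by a key-independent amount under a message change, whereas a keyed MAC (HMAC, the replacement the Piotrowski review recommends) does not. The key and IV values are constructed samples.

```python
import hashlib, hmac, zlib

# Constructed sample values (not taken from the papers): 40-bit key, 24-bit IV.
KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("000001")

def rc4_keystream(key, n):
    """RC4: key scheduling (KSA), then n output bytes (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg):
    """WEP integrity check value c(M): an unkeyed CRC-32."""
    return zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(iv, key, msg):
    """P = M || c(M); C = P xor RC4(v || k). The IV is sent in the clear."""
    p = msg + icv(msg)
    return xor(p, rc4_keystream(iv + key, len(p)))

def wep_decrypt(iv, key, c):
    """Return M if the ICV verifies, else None: the receiver's only check."""
    p = xor(c, rc4_keystream(iv + key, len(c)))
    return p[:-4] if icv(p[:-4]) == p[-4:] else None

def iv_reuse_leak(c1, c2):
    """Same (v, k) for two packets: the keystream cancels, C1 xor C2 = P1 xor P2."""
    return xor(c1, c2)

def crc_delta_is_key_independent(m, d):
    """Affine CRC: c(M xor D) = c(M) xor c(D) xor c(0^len), so the change depends on D alone."""
    z = zlib.crc32(bytes(len(m)))
    return zlib.crc32(xor(m, d)) == zlib.crc32(m) ^ zlib.crc32(d) ^ z

def hmac_delta_is_key_independent(k, m, d):
    """The same identity fails for a keyed MAC (HMAC-SHA256), the fix the reviews recommend."""
    t = lambda x: hmac.new(k, x, hashlib.sha256).digest()
    return t(xor(m, d)) == xor(xor(t(m), t(d)), t(bytes(len(m))))
```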