From: Ethan Phelps-Goodman (ethanpg@cs.washington.edu)
Date: Tue Nov 23 2004 - 11:17:00 PST
The Insecurity of 802.11
Borisov et al.
This paper presents several serious security flaws in the 802.11 WEP
protocol. The Wired Equivalent Privacy (WEP) protocol is intended to provide data
confidentiality, access control, and data integrity for 802.11 wireless
LANs. Although built on the secure RC4 cipher, misapplication of the
cryptographic primitives leads to moderately practical attacks on all three
goals of the protocol. The first attack relies on the fact that the cipher
is used to generate a pseudo-random string that is used as a one time pad.
The stream is generated by the secret key and a 24-bit initialization
vector. If the initialization vector is ever repeated, then the pad will
repeat, and the plaintext can be inferred with well-known methods. This is
made even easier by the fact that chosen plaintext attacks are trivial--the
attacker can send a packet from the outside internet to a host in the
encrypted LAN. With only 24 bits, a moderately busy access point is likely
to repeat the initialization vector around every 24 hours, and poor
implementations may repeat the pad much more frequently. The reuse of
initialization vectors means once a single pad is known, it can be reused
indefinitely, allowing the attacker to inject arbitrary traffic.
This attack was known at the time the protocol was written, and should have
been addressed. An even more inexplicable failure is in the message
integrity checksum. Since the checksum is a linear function, and the
encryption is simply xor, the data and checksum may be changed arbitrarily
in the ciphertext without breaking message integrity checks. This attack can
be used to carefully change the destination IP address of a packet, causing
the access point to send the data unencrypted to an arbitrary internet host.
There is also a related attack on TCP packets that uses the presence of an
ACK to infer information about a modified packet. This attack can give
enough information to decrypt the ciphertext and therefore learn that
keystream.
Overall, the WEP fails miserably in the presence of a determined attacker,
making it inappropriate for protecting corporate networks. There is also the
human problem of key management: if every one of your users knows the secret
key, it isn't going to be secret for long. On the other hand, the exploits
are probably too involved to be run by an amateur hacker, so WEP is probably
sufficient for preventing your neighbors from using your home network. The
details of the attacks are very interesting, but the points to take away
from a networks perspective are in the Lessons section at the end. Their
first point about protocol design is "don't do it." Designing new protocols
is exceedingly difficult to get right, and there are many past solutions
that can be reused. Second, they point to the lack of peer review in the
security field as a major problem in standards adoption.
Ethan
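
The two failures summarized above (pad reuse under a repeated IV, and a linear checksum under XOR encryption), shown on a WEP-style toy framing. This is an added example, not code from the post or from the paper; the key, IV, messages and helper names are constructed for illustration, and the HMAC check at the end is an assumed stand-in for a keyed integrity check.

```python
import hashlib, hmac, struct, zlib

def rc4(key, n):                                # n bytes of RC4 keystream
    S, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):                                  # unkeyed CRC-32, little-endian
    return struct.pack("<I", zlib.crc32(data))

def wep_encrypt(iv, key, msg):
    body = msg + icv(msg)
    return xor(body, rc4(iv + key, len(body)))  # per-packet key = IV || secret

def wep_decrypt(iv, key, ct):
    body = xor(ct, rc4(iv + key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if tag == icv(msg) else None     # None = integrity check failed

def flip(ct, delta):
    # XOR delta into the plaintext and patch the checksum without the key:
    # crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros) for equal-length inputs.
    return xor(ct, delta + xor(icv(delta), icv(bytes(len(delta)))))

def mac_ok(mac_key, ct, tag):                   # keyed check over the ciphertext
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(good, tag)

# Constructed sample values (assumptions, not taken from the paper).
KEY, IV, MAC_KEY = b"\x01\x02\x03\x04\x05", b"\x00\x00\x2a", b"separate-mac-key"
M1, M2 = b"dst=10.0.0.5 amt=100", b"hello from host 0007"
C1, C2 = wep_encrypt(IV, KEY, M1), wep_encrypt(IV, KEY, M2)   # same IV twice
TARGET = b"dst=10.0.0.9 amt=900"
FORGED = flip(C1, xor(M1, TARGET))
TAG = hmac.new(MAC_KEY, C1, hashlib.sha256).digest()

print("IV reuse leaks m1^m2:", xor(C1, C2)[:20] == xor(M1, M2))
print("CRC accepts forgery :", wep_decrypt(IV, KEY, FORGED))
print("HMAC accepts forgery:", mac_ok(MAC_KEY, FORGED, TAG))
```

The first two lines print True and the altered message; the last prints False, since a keyed MAC has no linear relation that can be patched from the outside.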