Wireless Security - Cracking WEP

Paladion
By Paladion

February 28, 2007

In the last issue, we took an in-depth look at the internals of WEP. We saw how exactly WEP was used to encrypt a short block of plain text. This time we'll look at WEP from the perspective of an adversary. What will an adversary see if he manages to capture a block of WEP encrypted data? What can he do with it? Can he use this data to compromise my network? These, among others are some of the questions that we'll be addressing in the course of this article. Without further delay let's see how an adversary goes about trying to crack WEP.

In the last issue, we took an in-depth look at the internals of WEP. We saw how exactly WEP was used to encrypt a short block of plain text. This time we'll look at WEP from the perspective of an adversary. What will an adversary see if he manages to capture a block of WEP encrypted data? What can he do with it? Can he use this data to compromise my network? These, among others are some of the questions that we'll be addressing in the course of this article. Without further delay let's see how an adversary goes about trying to crack WEP.

Why does an adversary need to crack WEP?

The administrator of ABC ISP has finally found out that someone has just downloaded over 10GB of music in a week. He's pretty sure it's not any of his regular users. As he's unable to track the rogue user he decides to implement WEP. WEP will allow a user to connect to the access point only if the user has the WEP key which he assigns to every valid user. Alice can now no longer access the Internet without having a key.

What does an adversary see?

Alice starts up her favorite wireless sniffer to capture some wireless packets. The sniffer immediately starts capturing packets. Alice however notices that the data in the packets are not in clear text, they're WEP encrypted. If Alice still wants to gain free Internet access she has to crack WEP.

Capturing sufficient data

The wireless sniffer continues to capture all traffic directed to the wireless access point. Alice knows that she needs to capture around 5000-10,000 WLAN packets to exploit the weaknesses that WEP has. She sets her sniffer to stop capturing packets after 12,000 packets. The most obvious question at this point is: Why 5000 – 10,000 packets?

If you recall we'd discussed that a WEP packet has an IV (initialization vector). The IV is attached to the start of the WEP packet and has a size of 24 bits. This means that the total number of possible IV's is 224 (Around 16 million). The IV however is decided randomly by the computer so the IV, instead of getting repeated every 16 million packets is repeated approximately every 5000-10,000 packets. This greatly reduces the waiting time of Alice as she gets the desired number of packets within a much smaller time interval.

Problems in WEP

Now Alice has her 12000 wireless packets. It's here that the actual weakness of WEP is exposed. The only component with a unique value for each WEP encrypted packet constructed is the IV. Alice has now captured 12,000 packets and in the process also captured packets which have the same IV; let's call this IV A.

One more piece of information that Alice does know is the plaintext; say X that will eventually be available to the user if the WEP encrypted text is decrypted using the correct WEP key.

Now Alice has three pieces of information: Plain text 1 using IV A, Cipher text 1 generated from the transmission of Plain text 1 with IV A, and Cipher text 2 generated in another packet with IV A. Alice knows that the key stream used to encrypt the plain text message can be determined if she knows the exact plain text and the exact cipher text obtained after encrypting it. After a quick analysis she comes up with a couple of useful equations:

Key stream = Cipher text 1 XOR Plaintext 1 --- (1)

Since Alice already knows Cipher text 1 and Plain text 1 she can calculate the Key stream used to encrypt Plain text 1.

Alice now notices that IV A has repeated itself in one of the packets. Immediately she draws a conclusion that the entire key stream used to encrypt the packet must be the same as the initial key stream. She quickly writes down the second equation:

Key stream = Cipher text 2 XOR Plaintext 2 --- (2)

Since the Key stream is the same Alice now concludes that:

Cipher text 1 XOR Plaintext 1 = Cipher text 2 XOR Plaintext 2 –-- (3)

Alice already knows Cipher text 1, Plain text 1 and Cipher text 2. All Alice needs to now do is to calculate the 4th variable; namely Plaintext 2. A quick calculation later Alice has the value of Plaintext 2 with her. Alice continues to capture numerous such plain text pairs over a period of time. Eventually all the IV's and thus the key streams repeat themselves and Alice can decrypt any traffic captured by her tireless sniffer.

If the IV was always unique and never repeated itself it would mean that the key stream would never repeat itself. If the key stream never repeated itself Alice would not be able to construct Equation 3 at all. If Equation 3 couldn't be constructed at all then Alice would never be able to crack WEP, at least not that easily. Alice can now, over a period of time obtain the exact key used by all valid users to connect to the WAP. Once she gets the key, she can revisit the good old days of unlimited downloading whenever she wants.

Obtaining known plaintext

So Alice has cracked WEP. A question that will be at the top of your minds right now would be: “Where did Alice get the initial known plain text from in the first place?”

There are a couple of ways in which Alice can get her hands on some known plain text.

If she's already on the ISP LAN the she could construct and send some packets whose plain text she already knows. The packet would then be WEP encrypted and she would now have a known plain text -cipher text pair. This attack could be extended a bit further if Alice continuously sends known plain text packets to the WAP. Eventually her constructed packets will contain a key stream with a repeated IV. The flip side to this kind of an attack is that an alert administrator might notice a lot of dummy packets flooding the network and try and investigate further.

If Alice isn't on the ISP LAN then she's going to have to make a guess about what plain text might be going to the WAP. Unfortunately, this isn't too tough either. Almost every packet sent over the WLAN includes a value known as a SNAP header. This value (0xaa) is almost always the first plaintext byte that is WEP encrypted to produce the first cipher text byte. This eventually gives Alice a sufficient number of plain text – cipher text pairs to try and obtain the authentication key for the WAP.

Automation = Simplicity

If Alice had to sit and scroll through all those 12,000 packets she'd probably decide to pay the ISP and get a valid account. Unfortunately though from a security perspective there's plenty of tools that accept a sniffer output as input and scan for weak IV's and even deduce the WAP authentication key. So Alice just needs to know how to learn to use all those freely available tools to her advantage. Let's quickly run through a few tools which are extremely useful for Alice as well as the overworked administrator of the ISP across the street incase he wants to check his network's security.

We've been talking of wireless sniffers all through this article. The most popular sniffer around that's in use is Ethereal which supports sniffing on a wide variety of platforms. Another very popular sniffer is Kismet which has client server architecture. The admin can start up Kismet on a test machine and connect to it to check the progress. Kismet provides output in formats which are very easy for data analysis and WEP cracking. The best WEP cracking tool is Airsnort. It places the installed WNIC in promiscuous mode, and starts to capture data. It also supports cracking WEP keys as it is capturing data. WEPCrack is a bundle of Perl scripts which acts on captured WEP encrypted data and extracts the WEP key from the same. We won't go into the details of any of these tools as descriptions of all of them are available online.

Alternatives

So we've arrived at a conclusion that you can't really trust WEP if you're serious about wireless security. An alternative to WEP is Wi-Fi Protected Access (WPA). The primary drawback for WEP is the static key that it uses to allow all clients to access the WAP. The other drawback is the relatively small size of the IV (24 bits).

WPA assigns a separate key for each client who wants to connect to the access point. Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). WPA also uses the Temporal Key Integrity Protocol (TKIP) which dynamically changes keys as the system is used, along with a 48 bit IV and a Message Integrity Code (MIC). TKIP hashes the IV values, which are sent as plaintext, with the WPA key to form the RC4 traffic key. The MIC is similar to the function that CRC plays in WEP except that it is 8 bits in size and encrypted along with the rest of the frame. The MIC used in WPA also includes a frame counter, which prevents replay attacks being executed.

Unfortunately, WPA is not compatible with all existing WAP's nor are firmware upgrades that easily available. Hence buying new wireless hardware that supports WPA might become mandatory.

An even newer standard WPA2, uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) based on AES along with the MIC previously used.

Conclusion

We've taken a whirlwind tour over the last 2 months about how WEP works and how it can be compromised. We also looked at a couple of alternatives to WEP and their drawbacks. We can conclude that if an enterprise uses WEP it isn't really secure and they should plan on gradually migrating their entire enterprise to WPA. It might not be feasible to purchase brand new wireless hardware right away, specially incase there are multiple access points deployed in a number of places. Incase you have WAP's which support WPA; plans should be made to migrate them as soon as possible.

Apart from implementing WPA and securing your access points do make sure that all your operational and physical security policies are implemented and properly followed.

Finally try and connect your wireless access point on the outside interface of your company firewall. That way, even if Alice does manage to crack WEP/WPA she won't be able to compromise the rest of your corporate network using it as a stepping stone.

References


Tags: Technical

About

Paladion