Wireless LAN Security II:

WEP Attacks,
WPA and WPA2

Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
Jain@cse.wustl.edu
Audio/Video recordings of this lecture are available at:
http://www.cse.wustl.edu/~jain/cse571-09/
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-1
 Overview

‰ Wireless Networking Attacks

‰ Wireless Protected Access (WPA)
‰ Wireless Protected Access 2 (WPA2)

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-2
 Wireless Networking Attacks
1. MAC Address Spoofing Attack
2. Disassociation and Deauthentication Attacks
3. Shared Key Authentication Attacks
4. Known Plaintext Attack
5. Reaction Attack
6. Message Modification Attack
7. Inductive Attack
8. Reuse IV Attack
9. WEP Key Attacks
10. FMS Attack
11. Dictionary Attack on LEAP
12. Rouge APs
13. Ad-Hoc Networking Issues
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-3
 MAC Address Spoofing Attack
‰ AP has list of MAC addresses that are allowed to
enter the network
‰ Attacker can sniff the MAC addresses and spoof it

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-4
 Disassociation and Deauthentication Attacks
‰ WiFi stations authenticate and then associate
‰ Anyone can send disassociate packets
‰ Omerta, http://www.wirelessve.org/entries/show/WVE-2005-
0053 simply sends disassociation for every data packet
‰ AirJack, http://802.11ninja.net includes essid_jack which
sends a disassociation packet and then listens for association
packets to find hidden SSIDs that are not broadcast
‰ fata_jack sends invalid authentication requests spoofing
legitimate clients causing the AP to disassociate the client
‰ Monkey_jack deauthenticates a victim and poses as the AP
when the victim returns (MitM)
‰ Void11, http://wirelessdefence.org/Contents/Void11Main.htm
floods authenticate requests to AP causing DoS
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-5
 Shared Key Authentication Attacks
‰ Authentication challenge is sent in clear
‰ XOR of challenge and response ⇒ keystream for the IV
‰ Can use the IV and keystream for false authentication
‰ Collect keystreams for many IVs
‰ 24b IV ⇒ 2 24 keystreams ⇒ 24 GB for 1500B packets
‰ Can store all possible keystreams and then use them to decrypt
any messages

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-6
 Known Plaintext Attack
‰ Wired attacker sends a message to wireless victim
‰ AP encrypts the message and transmits over the air
‰ Attacker has both plain text and encrypted text
⇒ keystream

Wired Net Wireless Net

Known Plain Text Cipher Text

keystream Xor Sniffer

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-7
 Reaction Attack
‰ ICV is a linear sum ⇒ Predictable
‰ Change a few bits and rebroadcast
⇒ TCP acks (short packets)
‰ Flip selected bits ⇒ Keystream bits are 0 or 1

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-8
 Message Modification Attack
‰ Change the destination address to attacker's wired
node
‰ Unencrypted packet will be delivered by the AP to the
wired node

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-9
 Inductive Attack
‰ If you know n bytes of keystream, you can find n+1st byte
‰ Send a ping request with 256 variations of the n+1st byte
‰ Whichever generates a response is the correct variation
Guessed Byte
Known keystream n bytes 1A
Xor Encrypted Guess
Ping packet n+1 bytes

Yes
Ping Response OK?
No
Packet silently dropped
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-10
 Reuse IV Attack
‰ If you have keystream for a particular IV, you can
keep using the same IV for which you have keystream

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-11
 WEP Key Attacks
‰ 40-bit key or 104-bit key generated by a well-known
pass-phrase algorithm
‰ wep_crack creats a table of keys for all dictionary
words and uses them to find the key
‰ wep_decrypt tries random 40-bit keys to decrypt
⇒ 2 20 attempts = 60 seconds
‰ Dictionary based pass-phrase take less than 1 seconds

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-12
 FMS Attack
‰ Scott Fluhrer, Itsik Mantin, and Adi Shamir
‰ Based on a weakness of the way RC4 initializes its matrix
‰ If a key is weak, RC4 keystream contains some portions of key
more than other combinations
‰ Statistically plot the distribution of parts of keystreams ⇒ Parts
of key
‰ WEPcrack, http://wepcrack.sourceforge.net sniffs the network
and analyzes the output using FMS to crack the keys
‰ AirSnort, http://airsnort.shmoo.com also sniffs and uses a part
of FMS to find the key
‰ bsd-airtools includes dwepdump to capture the packets and
dwepcrack to find the WEP key

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-13
 Dictionary Attack on LEAP
‰ LEAP uses MS-CHAP v1 for authentication
‰ Capture the challenge and response
‰ Brute force password attack

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-14
 Rouge APs
‰ AirSnarf, http://airsnarf.shmoo.com setups a rouge
AP and presents an authentication web page to the
user
‰ Can steal credit card numbers

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-15
 Ad-Hoc Networking Issues
‰ Computer-to-computer networking is allowed in XP
‰ Viruses and worms can be passed on if one of them is
infected and the other does not have a personal
firewall

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-16
 IEEE 802.11i Security Enhancement
‰ Strong message integrity check
‰ Longer Initialization Vector (48 bits in place of 24b)
‰ Key mixing algorithm to generate new per-packet keys
‰ Packet sequence number to prevent replay
‰ Extensible Authentication Protocol (EAP)
⇒ Many authentication methods. Default=IAKERB
‰ 802.1X Authentication with Pre-shared key mode or
managed mode with using RADIUS servers
‰ Mutual Authentication (Station-Key Distribution Center,
Station-Access Point)
‰ AP sends security options in probe response if requested
‰ Robust Security Network (RSN)
⇒ Stronger AES encryption (AES-CCMP)
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-17
 802.11 Security Protocol Stack

Station Access Point Authentication

Server
TLS TLS
EAP EAP
RADIUS RADIUS
TLS TLS TCP TCP
EAP EAP IP IP
802.11 802.11 802.3 802.3

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-18
 Wi-Fi Protected Access (WPA)
‰ Temporal Key Integrity Protocol (TKIP)
‰ Longer IV + Key mixing to get Per-Packet Key + MIC

‰ Use the same encryption (RC4) ⇒ Firmware upgrade

‰ All access points and subscribers need to use WPA

WPA+WEP ⇒ WEP
‰ Separate keys for authentication, encryption, and integrity
‰ 48b TKIP sequence counter (TSC) is used to generate IV and
avoid replay attack. Reset to 0 on new key and incremented.
‰ IV reuse is prevented by changing WEP key on IV recycling

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-19
 Temporal Key Integrity Protocol (TKIP)
‰ WEP: Same base key is used in all packets
‰ TKIP: New packet key is derived for each packet from source
address, 48b TKIP Seq counter, and 104b base key
24b 48b 48b 104b
IV Base Key Plain Text TA TSC Base Key

Hash

IV Packet Key

RC4 RC4

Stream Cipher XOR Stream Cipher

WEP Encrypted Data TKIP

Washington University in St. Louis CSE571S ©2009 Raj Jain
20-20
 TKIP Packet Format
MAC IV Res Ext Key Extended Data MIC ICV
Header IV ID IV
24b 5b 1b 2b 32b 64b 32b

TSC1 d TSC0 TSC2 TSC3 TSC4 TSC5

‰ Ext IV flag indicates if a longer IV is being used (and MIC is

present)
‰ d is designed to avoid weak keys
‰ TSC is reset to zero on key change and is never reused with the
same key ⇒ key is changed on TSC cycling
‰ MIC is per MSDU. While ICV is per MPDU, i.e., fragment
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-21
 RC4 Encryption Key
48b Trans Adr 80b TTAK Phase 2
Phase 1
128b Temporal
Key Mixing Key Mixing
Encryption Key

TSC IV d IV Per-packet key

32b 16b 8b 8b 8b 104b
RC4 Encryption Key
‰ Phase 1: Transmitters MAC address, TEK, and upper 32b of
the IV are hashed together using an S-Box to produce
80b TKIP mixed Transmit Address and Key (TTAK)
‰ Phase 2: Lower 16 bits of TSC and TTAK are hashed to
produce per-packet key
‰ d is a dummy byte designed to avoid weak keys.
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-22
 Message Integrity Check (MIC)
‰ Michael – A non-linear integrity check invented by Neil
Furguson. Designed for WPA.
‰ A separate 64b MIC key is derived from the master session key
‰ 64b Michael hash (MIC) is added to “MAC SDU”
‰ MIC is computed using a virtual header containing MAC
destination and source address, stop, padding
‰ Padding is added to make length a multiple of 4B

0x00 0x5A
SA DA Res Pri MAC User Data Stop Pad MIC
48b 48b 24b 8b 8b

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-23
 TKIP Transmission
Temporal Encryption Key MSDU MIC Key

Transmitter Address Michael MSDU+MIC

TSC Key Fragmentation

Mixing
CRC-32

MPDU ICV
Encryption Key
xor

RC4 Keystream MAC Hdr IV KID EIV MPDU+ICV

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-24
 WEP vs. WPA

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-25
 WPA2 (802.11i)
‰ Advanced Encryption Standard (AES)
⇒ Need hardware support
‰ Counter mode (CTR) is used for encryption (in place of RC4)
‰ Cipher Block Chaining Message Authentication Code (CBC-
MAC) is used for integrity (in place of Michael)
‰ CCM = CTR + CBC-MAC for confidentiality and integrity
‰ CCM Protocol (CCMP) header format is used (in place of
TKIP header)
‰ 48b Packet number (PN) is used to prevent replay attacks
‰ Secure fast handoff preauthentication
‰ Secure de-association and de-authentication
‰ Security for peer-to-peer communication (Ad-hoc mode)

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-26
 AES-CTR
‰ Advanced Encryption Standard (AES) in Counter Mode
‰ AES is a block cipher. It has many modes.
802.11i uses Counter-Mode for encryption
‰ Counter is incremented for each successive block processed.
‰ Counter is encrypted and then xor’ed with data.

‰ Counter can be Message

started at a arbitrary 1 2 3 4 5 Counter
value. AES Encryption
E E E E E
‰ Repeating blocks
give different cipher XOR
text Cipher text
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-27
 AES/CBC-MAC
‰ Cipher-Block Chaining mode is used to produced a
message authentication code
… Message
+ + … + + XOR

E E E … E E AES Encryption

… Cipher text

MAC

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-28
 CCMP Packet Format
MAC PN0 Res Res Ext Key PN2..PN5 Data MIC
Header PN1 IV ID
16b 8b 5b 1b 2b 32b 64b
CCMP Header (64b)

‰ Additional authentication data (AAD) is included in

MAC calculation

Frame Duration Adr 1 Adr 2 Adr 3 Seq Adr 4 QoS

Control Control Control
16b 16b 48b 48b 48b 16b 48b 16b
‰ Some bits of frame control and seq control are zeroed
out and duration is not included in AAD
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-29
 802.11i Key Hierarchy
4-way
Handshake

Pairwise Supplicant Authenticator

Master Key nonce nonce
256b
Pseudorandom
function (SHA-1)
CCMP:
EAPOL Key EAPOL Key Temporal Key
Confirmation Key Encryption Key (CCMP)
128b 128b 128b
TKIP:
EAPOL Key EAPOL Key Temporal MIC from MIC to
Confirmation Key Encryption Key Encryption Key AP Key AP Key
128b 128b 128b 64b 64b
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-30
 Security Problems Addressed
‰ No MAC address spoofing: MAC address included in both
Michael MIC and CCMP MAC
‰ No replay: Each message has a sequence number (TSC in TKIP
and PN in CCMP)
‰ No dictionary based key recovery: All keys are computer
generated binary numbers
‰ No keystream recovery: Each key is used only once in TKIP.
No keystream in CCMP.
‰ No FMS Weak Key Attack: Special byte in IV in TKIP
prevents weak keys. Also, keys are not reused.
‰ No rouge APs: Mutual authentication optional. Some APs
provide certificates.
‰ Not Addressed: DoS attack using disassociation or
deauthentication attack. Mgmt frames are still not encrypted.
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-31
 Summary

‰ WEP is a good training ground for security attacks

Almost all components are weak
‰ TKIP provides a quick way to upgrade firmware and fix many
of the flaws => WPA
‰ CCMP adds a stronger AES encryption and message integrity
check but requires new hardware => WPA2
‰ Key management is provided by RADIUS, EAP, and 802.1x
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-32
 Acronyms
‰ AES Advanced Encryptions Standard
‰ AP Access Point
‰ CCM CTR + CBC-MAC
‰ CTR Counter Model
‰ CBC-MAC Cipher Block Chaining and Message
Authentication Code
‰ CCMP CTR + CBC-MAC Protocol
‰ EAP Extensible Authentication Protocol
‰ FMS Fluhrer, Mantin, and. Shamir
‰ ICV Integrity Check Value
‰ IV Initialization Vector
‰ LEAP Lightweight EAP
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-33
 Acronyms (Cont)
‰ MAC Media Access Control
‰ MAC Message Authentication Code
‰ MIC Message Integrity Check
‰ PN Packet Number
‰ RADIUS Remote Authentication of Dial-in Users Service
‰ RC4 Ron's Code #4
‰ TCP Transmission Control Protocol
‰ TEK Temporal Encryption Key
‰ TKIP Temporal Key Integrity Protocol
‰ TSCTKIP Sequence Counter
‰ WEP Wireless Equivalency Protocol
‰ WPA Wireless Protected Access
Washington University in St. Louis CSE571S ©2009 Raj Jain
20-34
 Reading Assignment
‰ NIST, “Establishing Wireless Robust Security
Networks: A Guide to 802.11i,”
http://csrc.nist.gov/publications/nistpubs/800-
97/SP800-97.pdf

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-35
 References
The following books are on 2-hour reserve at the
WUSTL Olin Library:
‰ J. Edney and W.A. Arbaugh, “Real 802.11 Security:
Wi-Fi Protected Access and 802.11i,” Addison-
Wesley, 2004, 481 pp., ISBN:0321156209
‰ Krishna Shankar, et al, "Cisco Wireless LAN
Security," Cisco Press, 2005, 420 pp,
ISBN:1587051540
‰ See also, 802.11 Security links,
http://www.wardrive.net/security/links

Washington University in St. Louis CSE571S ©2009 Raj Jain

20-36