Wireless LAN Security II: WEP Attacks, WPA and WPA2. Raj Jain, Washington University in Saint Louis, Saint Louis, MO 63130. Outline excerpts: Dictionary Attack on LEAP; Rogue APs.
Security researchers have discovered security problems that let malicious users compromise the security of WLANs (wireless local area networks) that use WEP (Wired Equivalent Privacy). For instance:
Passive attacks to decrypt traffic: these are based on statistical analysis.
Active attacks to inject new traffic from unauthorized mobile stations: these are based on known plaintext.
Active attacks to decrypt traffic: these are based on tricking the access point.
Dictionary-building attacks: these are possible after analyzing enough traffic on a busy network.
The biggest problem with WEP is when the installer doesn't enable it in the first place.
Even bad security is generally better than no security. When people do use WEP, they forget to change their keys periodically. Having many clients in a wireless network, potentially sharing the identical key for long periods of time, is a well-known security vulnerability. If you keep your key long enough, someone can grab all the frames he needs to crack it. You can't blame most access-point administrators for not changing keys; after all, the WEP protocol doesn't offer any key management provisions.
But the situation is dangerous: when someone in your organization loses a laptop for any reason, the key could become compromised, along with all the other computers sharing the key. So it's worth repeating: shared keys can compromise a wireless network. As the number of people sharing the key grows, so does the security risk.
A fundamental tenet of cryptography is that the security of a system is largely dependent on the secrecy of the keys. Expose the keys and you expose the text. Share the key, and a cracker only has to crack it once. Moreover, when every station uses the same key, an eavesdropper has ready access to a large amount of traffic for analytic attacks. As if key management problems weren’t enough, you have other problems with the WEP algorithm.
Check out these bugbears in the WEP initialization vector:
The IV is too small and in cleartext. It's a 24-bit field sent in the cleartext portion of a message. This 24-bit string, used to initialize the key stream generated by the RC4 algorithm, is a relatively small field when used for cryptographic purposes.
The IV is static. Reuse of the same IV produces identical key streams for the protection of data, and because the IV is short, it guarantees that those streams will repeat after a relatively short time (between 5 and 7 hours) on a busy network.
The IV makes the key stream vulnerable. The 802.11 standard does not specify how the IVs are set or changed, and individual wireless adapters from the same vendor may all generate the same IV sequences, or some wireless adapters may possibly use a constant IV. As a result, hackers can record network traffic, determine the key stream, and use it to decrypt the ciphertext.
The IV is a part of the RC4 encryption key. The fact that an eavesdropper knows 24 bits of every packet key, combined with a weakness in the RC4 key schedule, leads to a successful analytic attack that recovers the key after intercepting and analyzing only a relatively small amount of traffic.
Such an attack is nearly a no-brainer: it's publicly available as an attack script and as open-source code.
WEP provides no cryptographic integrity protection. However, the 802.11 MAC protocol uses a non-cryptographic Cyclic Redundancy Check (CRC) to check the integrity of packets, and acknowledges packets that have the correct checksum. The combination of non-cryptographic checksums with stream ciphers is dangerous and often introduces vulnerabilities. The classic case? You guessed it: WEP. There is an active attack that permits the attacker to decrypt any packet by systematically modifying the packet and its CRC, sending it to the AP, and noting whether the packet is acknowledged.
These kinds of attacks are often subtle, and it is now considered risky to design encryption protocols that do not include cryptographic integrity protection, because of the possibility of interactions with other protocol levels that can give away information about ciphertext. Only one of the problems listed above depends on a weakness in the cryptographic algorithm; therefore substituting a stronger stream cipher will not help. For example, the vulnerability of the key stream is a consequence of a weakness in the implementation of the RC4 stream cipher, and that weakness is exposed by a poorly designed protocol. One flaw in the implementation of the RC4 cipher in WEP is the fact that the 802.11 protocol does not specify how to generate IVs. Remember that IVs are the 24-bit values that are prepended to the secret key and used in the RC4 cipher.
The IV is transmitted in plaintext. The reason we have IVs is to ensure that the value used as a seed for the RC4 PRNG is always different. RC4 is quite clear in its requirement that you should never, ever reuse a secret key. The problem with WEP is that there is no guidance on how to implement IVs. Microsoft uses the RC4 stream cipher in Word and Excel, and makes the mistake of using the same keystream to encrypt two different documents.
So you can break Word and Excel encryption by XORing the two ciphertext streams together, which makes the keystream drop out. Using the key stream, you can easily recover the two plaintexts by using letter-frequency analysis and other basic techniques. You'd think Microsoft would learn, but they made the same mistake in 1999 with the Windows NT Syskey. The key, whether it's 64 or 128 bits, is a combination of a shared secret and the IV. The IV is a 24-bit binary number.
Do we choose IV values randomly? Do we start at 0 and increment by 1? Or do we start at 16,777,215 and decrement by 1? Most implementations of WEP initialize hardware using an IV of 0 and increment by 1 for each packet sent. Because every packet requires a unique seed for RC4, you can see that at higher volumes, the entire 24-bit space can be used up in a matter of hours.
Therefore we are forced to repeat IVs, and to violate RC4's cardinal rule against ever repeating keys. Ask Microsoft what happens when you do. Statistical analysis shows that all possible IVs (2^24) are exhausted in about 5 hours. Then the IV re-initializes, starting at 0, every 5 hours.
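As an added illustration (my code, not part of the original text), the following Python models WEP's framing, with the 24-bit IV prepended to the shared secret to form the RC4 key and a CRC-32 ICV appended, then shows that two frames sent under a repeated IV leak P1 XOR P2 to a passive eavesdropper, and ends with the monitoring check a defender would run over captured frames to flag IV repeats. The secret and the frames are constructed sample values.

```python
import binascii
from collections import Counter

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); used here only to model WEP's keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: IV || RC4(IV || secret, plaintext || CRC-32 ICV).
    The IV travels in the clear at the front of the frame."""
    icv = binascii.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + secret, plaintext + icv)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leaks(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so XORing their
    ciphertexts cancels the keystream and hands p1 XOR p2 to an eavesdropper
    who never learns the secret."""
    c1 = wep_encrypt(secret, iv, p1)[3:]
    c2 = wep_encrypt(secret, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(p1, p2)[:n]

def repeated_ivs(frames) -> list:
    """Monitoring check: IVs that occur more than once in a capture. Any hit
    means keystream reuse has already happened on the air for that network."""
    counts = Counter(frame[:3] for frame in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

# Constructed sample: a 40-bit shared secret and a counter-style IV sequence
# that wraps back to 0, as the text says most implementations do.
SECRET = bytes.fromhex("0badc0ffee")
SAMPLE_FRAMES = [wep_encrypt(SECRET, n.to_bytes(3, "big"), b"hello")
                 for n in (0, 1, 2, 0, 3, 1)]
```

Running `repeated_ivs(SAMPLE_FRAMES)` on the constructed capture flags IVs 000000 and 000001, the two values the wrapped counter reused.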
I do not know if your question is about dictionary attacks in general, or dictionary attacks in the case of a WiFi network with password protection. For the general question of dictionary attacks: there are two kinds of dictionary attacks, the online attacks and the offline attacks. An offline attack is one such that the attacker got enough data to 'test' passwords on his own machines, at a rate which is limited only by whatever computational power he can muster. For instance, the attacker got a copy of the hash of a password. On the other hand, an online attack is one where the attacker must interact with an 'honest' system (one which knows the correct password, e.g. a target server, or the client itself) for each guess.
A password 'strength' can be measured by its, which is a way of stating how many values that password could have assumed. For instance, a password with '25 bits of entropy' is such that it has been chosen randomly (and uniformly) among a list of 2^25 possible passwords. The notion of entropy can be refined a bit in case the password selection process is not uniform: we say that a password has n bits of entropy if an attacker trying a list of potential passwords, in decreasing order of probability (i.e. beginning by the most frequently chosen passwords), will hit the right password after an average of 2^(n-1) trials.
Depending on your user base, you might have a bit of success at educating your users into choosing strong passwords, but it is not realistic to expect more than, say, about 32 bits of entropy (if you enforce too strong password selection rules, users will actively work against you, e.g. by writing passwords on stick-up notes or sharing passwords with other sites or other users). The first mitigation in the presence of offline attacks is to use a: the idea is to 'tweak' the password-verification data that the attacker can know with a publicly known value (the 'salt'), which is different for each password. This will not hinder an attacker bent on breaking a single password, but it will prevent cost sharing: if the attacker wants to break 10 passwords, it should cost him 10 times the cost of breaking one.
Precomputed tables, in particular the much hyped, are a specific case of cost sharing. A good salt is chosen randomly and uniformly with a good random generator, and stored along with the password hash. The second mitigation is to make password derivation expensive: you do not hash once, you hash ten thousand times. This makes normal password usage (for verification) 10000 times slower (but this can often be tolerated: we are talking about 10 ms instead of 1 µs) but also multiplies the work factor for the attacker by 10000 (which turns, say, a one-minute attack into a one-week attack).
Security is then achieved if 2^(n-1) > p·s, where n is the password entropy, p is the ratio between the attacker's and the user's patience (e.g. if the attacker is ready to invest one week of effort and the user cannot wait for more than one second, the ratio is 7 × 86400 = 604800), and s is the ratio between the attacker's computing power and the normal system power (e.g. the attacker has 20 PCs with big, and the normal system is a smartphone: this brings s in the range of 500 or 1000). Is the oft-recommended password hashing method, which combines a salt and a configurable number of iterations. A more thorough solution is to avoid offline dictionary attacks: you should not let an attacker get hold of any data which allows him to perform such an attack.
In a Web/Internet context, this means that, for instance, you will perform authentication within a (something known as 'HTTPS'). You would still want to do good password hashing for password storage on the server, in case the attacker gains read-only access to your database.
Another kind of protocol is: a cryptographic protocol which results in a shared key (suitable for subsequent symmetric encryption of data), with mutual authentication of client and server relatively to a password; this protocol can be played in full view of the attacker and it is still inherently resistant to offline dictionary attacks. The most recommended PAKE protocol is. If you can force the attacker to play things online, then you can thwart him by enforcing arbitrary limitations in the number of requests he may submit. The most extreme case is what smartcards do: after three wrong PINs, the card commits suicide.
Weaker rules (e.g. refusing to process more than 10 guesses per minute) will already dispel most attackers. About WiFi: there are several which can be used in WiFi. In WEP and 'WPA-Personal' systems, authentication is called 'PSK' (pre-shared key): encryption and integrity checks will be performed with keys derived deterministically from the WiFi password. This gives plenty of data for an attacker who wishes to perform an offline dictionary attack. Since the key derivation protocol does not include provisions for a high number of hashing iterations (after all, it must be implementable with $30 home routers), dictionary attacks tend to be quite effective. So the only real defense here is to select big fat random passwords, so that the entropy is high.
With 'WPA-Enterprise', authentication is done through a generic layer called, which encapsulates messages for an underlying protocol; the base station is supposed to forward those messages to a server. There are many authentication protocols which are then applicable, some of which are of the PSK persuasion; but others are arguably stronger.
For instance, there is EAP-EKE, which is a PAKE protocol, hence resilient to offline dictionary attacks; another one is EAP-TLS, which internally performs a full SSL/TLS handshake, and thus, potentially, may use. Thus, with WPA-Enterprise, you may use authentication protocols which tolerate passwords with relatively low entropy, but this depends on what the client and the base station will support.
A word to the wise: I only talk about the use of passwords in WiFi authentication. I do not claim that once authentication has been performed, the WiFi link is adequately secured. It is best to treat a WiFi link as an Internet-like link, subject to eavesdropping; the main goal of the authentication protocol is to deter attackers who want free Internet access.
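An added example in Python (mine, not the answer's) that makes the PSK point concrete: the WPA/WPA2-Personal key derivation, whose parameters (PBKDF2-HMAC-SHA1, SSID as salt, a fixed 4096 iterations, 256-bit output) come from the IEEE 802.11i standard rather than from the answer above; the answer's inequality 2^(n-1) > p·s solved for the minimum passphrase entropy; and a generator for the uniformly random passphrases it recommends.

```python
import hashlib
import math
import secrets
import string

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the
    passphrase with the SSID as salt, 4096 iterations, 32-byte output (the
    IEEE 802.11i derivation; these constants are from the standard, not the
    page). Deterministic: same passphrase and SSID always give the same key,
    and the SSID is only a public salt, so no secret slows a guesser down."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def min_entropy_bits(attacker_patience_s: float, user_patience_s: float,
                     power_ratio: float) -> int:
    """Smallest integer n with 2^(n-1) > p * s, where p is the attacker/user
    patience ratio and s the attacker/user computing-power ratio."""
    ps = (attacker_patience_s / user_patience_s) * power_ratio
    return math.floor(math.log2(ps)) + 2

def random_passphrase(bits: int,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """A uniformly random passphrase carrying at least `bits` of entropy:
    the 'big fat random password' the answer recommends for PSK networks."""
    length = math.ceil(bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

With the answer's own numbers (one week versus one second, s = 1000) the inequality needs 31 bits of entropy, which is already below the 32 bits the answer calls a realistic maximum for human-chosen passwords; a 128-bit random passphrase over letters and digits is 22 characters.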