mobicom

mobicomInterceptingMobileCommunications:TheInsecurityof802.11NikitaBorisovUCBerkeleynikitab@cs.berkeley.eduIanGoldbergZero-KnowledgeSystemsian@zeroknowledge.comDavidWagnerUCBerkeleydaw@cs.berkeley.eduABSTRACTThe802.11standardforwirelessnetworksincludesaWiredEquiv-alentPrivacy(WEP)protocol,usedtoprotectlink-layercommuni-cationsfromeavesdroppingandotherattacks.Wehavediscoveredseveralserioussecurityflawsintheprotocol,stemmingfrommis-applicationofcryptographicprimitives.Theflawsleadtoanum-berofpracticalattacksthatdemonstratethatWEPfailstoachieveitssecuritygoals.Inthispaper,wediscussindetaileachoftheflaws,theunderlyingsecurityprincipleviolations,andtheensuingattacks.1.INTRODUCTIONInrecentyears,theproliferationoflaptopcomputersandPDA’shascausedanincreaseintherangeofplacespeopleperformcom-puting.Atthesametime,networkconnectivityisbecominganincreasinglyintegralpartofcomputingenvironments.Asare-sult,wirelessnetworksofvariouskindshavegainedmuchpopu-larity.Butwiththeaddedconvenienceofwirelessaccesscomenewproblems,nottheleastofwhichareheightenedsecuritycon-cerns.Whentransmissionsarebroadcastoverradiowaves,inter-ceptionandmasqueradingbecomestrivialtoanyonewitharadio,andsothereisaneedtoemployadditionalmechanismstoprotectthecommunications.The802.11standard[15]forwirelessLANcommunicationsintro-ducedtheWiredEquivalentPrivacy(WEP)protocolinanattempttoaddressthesenewproblemsandbringthesecuritylevelofwire-lesssystemsclosertothatofwiredones.TheprimarygoalofWEPistoprotecttheconfidentialityofuserdatafromeavesdropping.WEPispartofaninternationalstandard;ithasbeenintegratedbymanufacturersintotheir802.11hardwareandiscurrentlyinwidespreaduse.Unfortunately,WEPfallsshortofaccomplishingitssecuritygoals.Despiteemployingthewell-knownandbelieved-secureRC4[16]1in[17].MessageCRCPlaintextKeystream=RC4(v,k)XORFigure1:EncryptedWEPFrame.Wewillconsistentlyusethetermmessage(symbolically,)torefertotheinitialframeofdatatobeprotected,thetermplaintext()torefertotheconcatenationofmessageandchecksumasitispresentedtotheRC4encryptionalgorithm,andthetermciphertext()torefertotheencryptionoftheplaintextasitistransmittedovertheradiolink.TodecryptaframeprotectedbyWEP,therecipientsimplyre-versestheencryptionprocess.First,heregeneratesthekeystreamandXORsitagainsttheciphertexttorecovertheinitialplaintext:Next,therecipientverifiesthechecksumonthedecryptedplaintextbysplittingitintotheform,re-computingthecheck-sum,andcheckingthatitmatchesthereceivedchecksum.Thisensuresthatonlyframeswithavalidchecksumwillbeacceptedbythereceiver.2.1SecurityGoalsTheWEPprotocolisintendedtoenforcethreemainsecuritygoals[15]:Confidentiality:ThefundamentalgoalofWEPistopreventca-sualeavesdropping.Accesscontrol:Asecondgoaloftheprotocolistoprotectaccesstoawirelessnetworkinfrastructure.The802.11standardincludesanoptionalfeaturetodiscardallpacketsthatarenotproperlyencryptedusingWEP,andmanufacturersadvertisetheabilityofWEPtoprovideaccesscontrol.Dataintegrity:Arelatedgoalistopreventtamperingwithtrans-mittedmessages;theintegritychecksumfieldisincludedforthispurpose.Inallthreecases,theclaimedsecurityoftheprotocol“reliesonthedifficultyofdiscoveringthesecretkeythroughabrute-forceattack”[15].ThereareactuallytwoclassesofWEPimplementation:classicWEP,asdocumentedinthestandard,andanextendedversionde-velopedbysomevendorstoprovidelargerkeys.TheWEPstandardspecifiestheuseof40-bitkeys,sochosenbecauseofUSGovern-mentrestrictionsontheexportoftechnologycontainingcryptogra-phy,whichwereineffectatthetimetheprotocolwasdrafted.Thiskeylengthisshortenoughtomakebrute-forceattackspracticaltoindividualsandorganizationswithfairlymodestcomputingre-sources[3,8].However,itisstraightforwardtoextendtheprotocoltouselargerkeys,andseveralequipmentmanufacturersofferaso-called“128-bit”version(whichactuallyuses104-bitkeys,despiteitsmisleadingname).Thisextensionrendersbrute-forceattacksimpossibleforeventhemostresourcefulofadversariesgivento-day’stechnology.Nonetheless,wewilldemonstratethatthereareshortcutattacksonthesystemthatdonotrequireabrute-forceat-tackonthekey,andthuseventhe128-bitversionsofWEParenotsecure.Intheremainderofthispaper,wewillarguethatnoneofthethreesecuritygoalsareattained.First,weshowpracticalattacksthatal-loweavesdropping.Then,weshowthatitispossibletosubverttheintegritychecksumfieldandtomodifythecontentsofatransmit-tedmessage,violatingdataintegrity.Finally,wedemonstratethatourattackscanbeextendedtoinjectcompletelynewtrafficintothenetwork.Anumberoftheseresults(particularlytheIVreuseweaknessesdescribedinSection3)havebeenanticipatedinearlierindepen-dentworkbySimonet.al[19]andbyWalker[24].TheseriousflawsintheWEPchecksum(seeSection4),however,tothebestofourknowledgehavenotbeenreportedbefore.Afterourworkwascompleted,Arbaughet.alhavefoundseveralextensionsthatmaymaketheseweaknessesevenmoredangerousinpractice[2,1].2.2AttackPracticalityBeforedescribingtheattacks,wewouldliketodiscussthefea-sibilityofmountingtheminpractice.Inadditiontothecrypto-graphicconsiderationsdiscussedinthesectionstofollow,acom-monbarriertoattacksoncommunicationsubsystemsisaccesstothetransmitteddata.Despitebeingtransmittedoveropenradiowaves,802.11trafficrequiressignificantinfrastructuretointercept.Anattackerneedsequipmentcapableofmonitoring2.4GHzfre-quenciesandunderstandingthephysicallayerofthe802.11proto-col;foractiveattacks,itisalsonecessarytotransmitatthesamefrequencies.Asignificantdevelopmentcostforequipmentmanu-facturersliesincreatingtechnologiesthatcanreliablyperformthistask.Assuch,theremightbetemptationtodismissattacksrequiringlink-layeraccessasimpractical;forinstance,thiswasoncees-tablishedpracticeamongthecellularindustry.However,suchapositionisdangerous.First,itdoesnotsafeguardagainsthighlyresourcefulattackerswhohavetheabilitytoincursignificanttimeandequipmentcoststogainaccesstodata.Thislimitationises-peciallydangerouswhensecuringacompany’sinternalwirelessnetwork,sincecorporateespionagecanbeahighlyprofitablebusi-ness.Second,thenecessaryhardwaretomonitorandinject802.11traf-ficisreadilyavailabletoconsumersintheformofwirelessEth-ernetinterfaces.Allthatisneededistosubvertittomonitorandtransmitencryptedtraffic.Weweresuccessfullyabletocarryoutpassiveattacksusingoff-the-shelfequipmentbymodifyingdriversettings.Activeattacksappeartobemoredifficult,butnotbeyondreach.ThePCMCIAOrinococardsproducedbyLucentallowtheirfirmwaretobeupgraded;aconcertedreverse-engineeringeffortshouldbeabletoproduceamodifiedversionthatallowsinject-ingarbitrarytraffic.Thetimeinvestmentrequiredisnon-trivial;however,itisaone-timeeffort—theroguefirmwarecanthenbepostedonawebsiteordistributedamongstundergroundcircles.Therefore,webelievethatitwouldbeprudenttoassumethatmoti-vatedattackerswillhavefullaccesstothelinklayerforpassiveandevenactiveattacks.FurthersupportingourpositionaretheWEPdocumentsthemselves.Theystate:“Eavesdroppingisafamiliarproblemtousersofothertypesofwirelesstechnology”[15,p.61].Wewillnotdiscussthedifficultiesoflinklayeraccessfurther,andfocusoncryptographicpropertiesoftheattacks.3.THERISKSOFKEYSTREAMREUSEWEPprovidesdataconfidentialityusingastreamciphercalledRC4.Streamciphersoperatebyexpandingasecretkey(or,asinthecaseofWEP,apublicIVandasecretkey)intoanarbitrarilylong“keystream”ofpseudorandombits.EncryptionisperformedbyXORingthegeneratedkeystreamwiththeplaintext.DecryptionconsistsofgeneratingtheidenticalkeystreambasedontheIVandsecretkeyandXORingitwiththeciphertext.Awell-knownpitfallofstreamciphersisthatencryptingtwomes-sagesunderthesameIVandkeycanrevealinformationaboutbothmessages:If=and=then==Inotherwords,XORingthetwociphertexts(and)togethercausesthekeystreamtocancelout,andtheresultistheXORofthetwoplaintexts().Thus,keystreamreusecanleadtoanumberofattacks:asaspecialcase,iftheplaintextofoneofthemessagesisknown,theplaintextoftheotherisimmediatelyobtainable.Moregenerally,real-worldplaintextsoftenhaveenoughredundancythatonecanrecoverbothandgivenonly;thereareknowntechniques,forexample,forsolvingsuchplaintextXORsbylookingfortwoEn-glishtextsthatXORtothegivenvalue[7].Moreover,ifwehaveciphertextsthatallreusethesamekeystream,wehavewhatisknownasaproblemofdepth.Readingtrafficindepthbe-comeseasierasincreases,sincethepairwiseXORofeverypairofplaintextscanbecomputed,andmanyclassicaltechniquesareknownforsolvingsuchproblems(e.g.,frequencyanalysis,drag-gingcribs,andsoon)[20,22].Notethattherearetwoconditionsrequiredforthisclassofattackstosucceed:Theavailabilityofciphertextswheresomeportionofthekeystreamisusedmorethanonce,andPartialknowledgeofsomeoftheplaintexts.Topreventtheseattacks,WEPusesaper-packetIVtovarythekeystreamgenerationprocessforeachframeofdatatransmitted.WEPgeneratesthekeystreamasafunctionofboththesecretkey(whichisthesameforallpackets)andapublicini-tializationvector(whichvariesforeachpacket);thisway,eachpacketreceivesadifferentkeystream.TheIVisincludedintheun-encryptedportionofthetransmissionsothatthereceivercanknowwhatIVtousewhenderivingthekeystreamfordecryption.TheIVisthereforeavailabletoattackersaswell2,butthesecretkeyremainsunknownandmaintainsthesecurityofthekeystream.Theuseofaper-packetIVwasintendedtopreventkeystreamreuseattacks.Nonetheless,WEPdoesnotachievethisgoal.WedescribebelowseveralrealistickeystreamreuseattacksonWEP.First,wediscusshowtofindinstancesofkeystreamreuse;then,weshowhowtoexploittheseinstancesbytakingadvantageofpartialinfor-mationonhowtypicalplaintextsareexpectedtobedistributed.Findinginstancesofkeystreamreuse.OnepotentialcauseofkeystreamreusecomesfromimproperIVmanagement.Notethat,sincethesharedsecretkeygenerallychangesveryrarely,reuseofIV’salmostalwayscausesreuseofsomeoftheRC4keystream.SinceIV’sarepublic,duplicateIV’scanbeeasilydetectedbytheattacker.Therefore,anyreuseofoldIVvaluesexposesthesystemtokeystreamreuseattacks.WecallsuchareuseofanIVvaluea“collision”.TheWEPstandardrecommends(butdoesnotrequire)thattheIVbechangedaftereverypacket.However,itdoesnotsayanythingelseabouthowtoselectIV’s,and,indeed,someimplementationsdoitpoorly.TheparticularPCMCIAcardsthatweexaminedresettheIVto0eachtimetheywerere-initialized,andthenincrementedtheIVbyoneforeachpackettransmitted.Thesecardsre-initializethemselveseachtimetheyareinsertedintothelaptop,whichcanbeexpectedtohappenfairlyfrequently.Consequently,keystreamscorrespondingtolow-valuedIV’swerelikelytobereusedmanytimesduringthelifetimeofthekey.Evenworse,theWEPstandardhasarchitecturalflawsthatexposeallWEPimplementations—nomatterhowcautious—toseriousrisksofkeystreamreuse.TheIVfieldusedbyWEPisonly24bitswide,nearlyguaranteeingthatthesameIVwillbereusedformultiplemessages.Aback-of-the-envelopecalculationshowsthatabusyaccesspointsending1500bytepacketsandachievinganaverage5Mbpsbandwidth(thefulltransmissionrateis11Mbps)willexhausttheavailablespaceinlessthanhalfaday.Evenforlessbusyinstallations,apatientattackercanreadilyfindduplicates.BecausetheIVlengthisfixedat24bitsinthestandard,thisvul-nerabilityisfundamental:nocompliantimplementationcanavoidit.Implementationdetailscanmakekeystreamreuseoccurevenmorefrequently.Animplementationthatusesarandom24-bitIVforeachpacketwillbeexpectedtoincurcollisionsaftertransmittingjust5000packets3,whichisonlyafewminutesoftransmission.Worseyet,the802.11standarddoesnotevenrequirethattheIVbechangedwitheverypacket,soanimplementationcouldreusethesameIVforallpacketswithoutriskingnon-compliance!Exploitingkeystreamreusetoreadencryptedtraffic.OncetwoencryptedpacketsthatusethesameIVarediscovered,variousmethodsofattackcanbeappliedtorecovertheplaintext.Iftheplaintextofoneofthemessagesisknown,itiseasytoderivethecontentsoftheotheronedirectly.Therearemanywaystoobtainplausiblecandidatesfortheplain-text.ManyfieldsofIPtrafficarepredictable,sinceprotocolsusewell-definedstructuresinmessages,andthecontentsofmessagesarefrequentlypredictable.Forexample,loginsequencesarequiteuniformacrossmanyusers,andsothecontents—forexample,thePassword:promptorthewelcomemessage—maybeknowntotheattackerandthususableinakeystreamreuseattack.Asanotherexample,itmaybepossibletorecognizeaspecificsharedlibrarybeingtransferredfromanetworkedfilesystembyanalyzingtrafficpatternsandlengths;thiswouldprovidealargequantityofknownplaintextsuitableforuseinakeystreamreuseattack.Therearealsoother,sneakier,waystoobtainknownplaintext.Itispossibletocauseknownplaintexttobetransmittedby,forexample,sendingIPtrafficdirectlytoamobilehostfromanInternethostundertheattacker’scontrol.Theattackermayalsosende-mailtousersandwaitforthemtocheckitoverawirelesslink.Sendingspame-mailmightbeagoodmethodofdoingthiswithoutraisingtoomanyalarms.Sometimes,obtainingknownplaintextinthiswaymaybeevensimpler.Oneaccesspointwetestedwouldtransmitbroadcastpack-etsinbothencryptedandunencryptedform,whentheoptiontocontrolnetworkaccesswasdisabled.Inthisscenario,anattackerwithaconforming802.11interfacecantransmitbroadcaststotheaccesspoint(theywillbeaccepted,sinceaccesscontrolisturnedoff)andobservetheirencryptedformastheyarere-transmitted.Indeed,thisisunavoidableonasubnetthatcontainsamixtureofWEPclientswithandwithoutsupportforencryption:sincebroad-castpacketsmustbeforwardedtoallclients,thereisnowaytoavoidthistechniqueforgatheringknownplaintext.Finally,weremindthereaderthatevenwhenknownplaintextisnotavailable,someanalysisisstillpossibleifaneducatedguessaboutthestructureoftheplaintextscanbemade,asnotedearlier.3.1DecryptionDictionariesOncetheplaintextforaninterceptedmessageisobtained,eitherthroughanalysisofcollidingIV’s,orthroughothermeans,theat-tackeralsolearnsthevalueofthekeystreamusedtoencryptthemessage.ItispossibletousethiskeystreamtodecryptanyothermessagethatusesthesameIV.Overtime,theattackercanbuildatableofthekeystreamscorrespondingtoeachIV.Thefulltablehasmodestspacerequirements—perhaps1500bytesforeachofthepossibleIV’s,orroughly24GB—soitisconceivablethatadedicatedattackercan,aftersomeamountofeffort,accumulateenoughdatatobuildafulldecryptiondictionary,especiallywhenoneconsidersthelowfrequencywithwhichkeysarechanged(seeSection3.2).Theadvantagetotheattackeristhat,oncesuchata-bleisavailable,itbecomespossibletoimmediatelydecrypteachsubsequentciphertextwithverylittlework.Ofcourse,theamountofworknecessarytobuildsuchadictionaryrestrictsthisattacktoonlythemostpersistentattackerswhoarewillingtoinvesttimeandresourcesintodefeatingWEPsecurity.ItcanbearguedthatWEPisnotdesignedtoprotectfromsuchattackers,sincea40-bitkeycanbediscoveredthroughbrute-forceinarelativelyshortamountoftimewithmoderateresources[3,8].However,manufacturershavealreadybeguntoextendWEPtosupportlargerkeys,andthedictionaryattackiseffectiveregardlessofkeysize.(Thesizeofthedictionarydependsnotonthesizeofthekey,butonlyonthesizeoftheIV,whichisfixedbythestandardat24bits.)Further,thedictionaryattackcanbemademorepracticalbyex-ploitingthebehaviorofPCMCIAcardsthatresettheIVto0eachtimetheyarereinitialized.SincetypicaluseofPCMCIAcardsin-cludesreinitializationatleastonceperday,buildingadictionaryforonlythefirstfewthousandIV’swillenableanattackertodecryptmostofthetrafficdirectedtowardstheaccesspoint.Inaninstalla-tionwithmany802.11clients,collisionsinthefirstfewthousandIV’swillbeplentiful.3.2KeyManagementThe802.11standarddoesnotspecifyhowdistributionofkeysistobeaccomplished.Itreliesonanexternalmechanismtopopulateaglobally-sharedarrayof4keys.Eachmessagecontainsakeyidentifierfieldspecifyingtheindexinthearrayofthekeybeingused.Thestandardalsoallowsforanarraythatassociatesauniquekeywitheachmobilestation;however,thisoptionisnotwidelysupported.Inpractice,mostinstallationsuseasinglekeyforanentirenetwork.Thispracticeseriouslyimpactsthesecurityofthesystem,sinceasecretthatissharedamongmanyuserscannotstayverywellhid-den.Somenetworkadministratorstrytoamelioratethisproblembynotrevealingthesecretkeytoendusers,butratherconfiguringtheirmachineswiththekeythemselves.This,however,yieldsonlyamarginalimprovement,sincethekeysarestillstoredontheusers’computers.Asanecdotalevidence,weknowofagroupofgradu-atestudentswhoreverse-engineeredthenetworkkeymerelyfortheconvenienceofbeingabletouseunsupportedoperatingsystems.Thereuseofasinglekeybymanyusersalsohelpsmaketheattacksinthissectionmorepractical,sinceitincreaseschancesofIVcol-lision.Thechanceofrandomcollisionsincreasesproportionallytothenumberofusers;evenworse,PCMCIAcardsthatresettheIVto0eachtimetheyarereinitializedwillallreusekeystreamscorrespondingtoasmallrangeoflow-numberedIV’s.Also,thefactthatmanyuserssharethesamekeymeansthatitisdifficulttoreplacecompromisedkeymaterial.Sincechangingakeyrequireseverysingleusertoreconfiguretheirwirelessnetworkdrivers,suchupdateswillbeinfrequent.Inpractice,weexpectthatitmaybemonths,orevenlonger,betweenkeychanges,allowinganattackermoretimetoanalyzethetrafficandlookforinstancesofkeystreamreuse.3.3SummaryTheattacksinthissectiondemonstratethattheuseofstreamci-phersisdangerous,becausethereuseofkeystreamcanhavedevas-tatingconsequences.Anyprotocolthatusesastreamciphermusttakespecialcaretoensurethatkeystreamnevergetsreused.Thispropertycanbedifficulttoenforce.TheWEPprotocolcon-tainsvulnerabilitiesdespitethedesigners’apparentknowledgeofthedangersofkeystreamreuseattacks.Norisitthefirstprotocoltofallpreytostream-cipher-basedattacks;see,forexample,theanalysisofanearlierversionoftheMicrosoft ppt 关于艾滋病ppt课件精益管理ppt下载地图下载ppt可编辑假如ppt教学课件下载triz基础知识ppt Pprotocol[18].Inlightofthis,aprotocoldesignershouldgivecarefulconsidera-tiontothecomplicationsthattheuseofstreamciphersaddstoaprotocolwhenchoosinganencryptionalgorithm.4.MESSAGEAUTHENTICATIONTheWEPprotocolusesanintegritychecksumfieldtoensurethatpacketsdonotgetmodifiedintransit.Thechecksumisimple-mentedasaCRC-32checksum,whichispartoftheencryptedpay-loadofthepacket.WewillarguebelowthataCRCchecksumisinsufficienttoensurethatanattackercannottamperwithamessage:itisnotacrypto-graphicallysecureauthenticationcode.CRC’saredesignedtode-tectrandomerrorsinthemessage;however,theyarenotresilientagainstmaliciousattacks.Aswewilldemonstrate,thisvulnerabil-ityofCRCisexacerbatedbythefactthatthemessagepayloadisencryptedusingastreamcipher.4.1MessageModificationFirst,weshowthatmessagesmaybemodifiedintransitwithoutdetection,inviolationofthesecuritygoals.WeusethefollowingpropertyoftheWEPchecksum:PROPERTY1.TheWEPchecksumisalinearfunctionofthemessage.Bythis,wemeanthatchecksummingdistributesovertheXORop-eration,i.e.,forallchoicesofand.ThisisageneralpropertyofallCRCchecksums.Oneconsequenceoftheabovepropertyisthatitbecomespossibletomakecontrolledmodificationstoaciphertextwithoutdisruptingthechecksum.Let’sfixourattentiononaciphertextwhichwehaveinterceptedbeforeitcouldreachitsdestination:Weassumethatcorrespondstosomeunknownmessage,sothat(1)Weclaimthatitispossibletofindanewciphertextthatdecryptsto,whereandmaybechosenarbitrarilybytheattacker.Then,wewillbeabletoreplacetheoriginaltransmissionwithournewciphertextbyspoofingthesource,andupondecryption,therecipientwillobtainthemodifiedmes-sagewiththecorrectchecksum.Allthatremainsistodescribehowtoobtainfromsothatdecryptstoinsteadof.Thekeyobservationistonotethatstreamciphers,suchasRC4,arealsolinear,sowecanreordermanyterms.Wesuggestthefollowingtrick:XORthequantityagainstbothsidesofEquation1abovetogetanewci-phertext:Inthisderivation,weusedthefactthattheWEPchecksumislinear,sothat.Asaresult,wehaveshownhowtomodifytoobtainanewciphertextthatwilldecryptto.Thisimpliesthatwecanmakearbitrarymodificationstoanen-cryptedmessagewithoutfearofdetection.Thus,theWEPcheck-sumfailstoprotectdataintegrity,oneofthethreemaingoalsoftheWEPprotocol(seeSection2.1).Noticethatthisattackcanbeappliedwithoutfullknowledgeof:theattackeronlyneedstoknowtheoriginalciphertextandthedesiredplaintextdifference,inordertocalculate.Forexample,toflipthefirstbitofamessage,theat-tackercanset.Thisallowsanattackertomodifyapacketwithonlypartialknowledgeofitscontents.4.2MessageInjectionNext,weshowthatWEPdoesnotprovidesecureaccesscontrol.WeusethefollowingpropertyoftheWEPchecksum:PROPERTY2.TheWEPchecksumisanunkeyedfunctionofthemessage.Asaconsequence,thechecksumfieldcanalsobecomputedbytheadversarywhoknowsthemessage.ThispropertyoftheWEPintegritychecksumallowsthecircum-ventionofaccesscontrolmeasures.Ifanattackercangetaholdofanentireplaintextcorrespondingtosometransmittedframe,hewillthenabletoinjectarbitrarytrafficintothenetwork.AswesawinSection3,knowledgeofboththeplaintextandciphertextrevealsthekeystream.Thiskeystreamcansubsequentlybereusedtocreateanewpacket,using