WEP has undergone major scrutiny and subsequently failed all three tenets of its original design. Under confidentiality, we explore the known plaintext attack, shar ed key authentication attack, double encryption attack, man-in-the-middle attack, and a dictionary attack. When looking at availability, we discuss a number of denial-of-service attacks that are mounted against wireless local area networks. Finally, when exploring integrity, we look at some message modification attacks.
Stream Cipher Attack
The first attack against the confidentiality of wireless WEP is the stream cipher attack. This attack is based on the work and subsequent article published by Fluhrer, Mantin, and Shamir (FSM). This attack is also the basis of the WEPCrack, Airsnort, BSD-AIR Tools, and many other WEP cracking tools. The attack works in a passive manner in which no one can detect that it is even taking place. This means that trying to find out if this attack is running is nearly impossible. This works because the device running the attack does not need to transmit; instead, it only needs to receive network traffic.
The attack works by taking advantage of a number of weak IV numbers that are used in the general sequence of WEP. These IVs are used as a mechanism to create a different key for each packet transmitted. There are about 9000 interesting IV numbers out of the available 16,777,216. The reasoning behind why these 9000 IV numbers are considered interesting is the fact that the IV has “FF” in the middle of the IV sequence. This IV sequence is defined as three groups of two hexadecimal digits separated by a colon. An example would look similar to the following: A3:4D:33. An interesting IV would have FF in middle and look like this: 3A:FF:5E. When one looks at any IP packet, one can see that RFC 1042 requires an 802.2 SNAP header. This header is 0×88; because one knows what the plaintext is as well as the encrypted portion of it, one can get information on the first key bit. How this works is that the FF comes out to all one digits in binary and when one takes the header portion, which in the SNAP header case is inserted into the data, one gets a piece of the frame in which one knows what the first couple of bytes are before and after they are encrypted. With this knowledge, one can perform what is called a cleartext cryptanalyst attack. Once that information is known, the process to get the next key bits becomes a guessing game; however, this guessing game has a high probability of correct guessing. At first, the guessing may only yield a 5 percent chance of a correct guess, although as more key bytes are exposed, the percentage of success rapidly increases. A more detailed explanation of the mathematics of how this is achieved is available in the article entitled “Weaknesses in the Key Scheduling Algorithm of RC4.”
Known Plaintext Attack
The known plaintext attack is similar to what the FSM attack uses as a starting point. This attack is possible when one knows or has access to the cleartext and the encrypted text of an information exchange. Having both the encrypted and unencrypted information allows one to perform this attack and subsequently derive a key.
When the text is originally encrypted, it performs an XOR operation that mixes the key with the data. This process is reversible from encrypted text to cleartext just as it is originally applied from cleartext to encrypted text. What this means is that the same process used to encrypt can also decrypt. When the text is broken down to binary, one can perform some binary math and compute the key that was used. One can see that the plaintext and key stream are broken down to binary, and binary math is performed to produce the ciphertext. If one were to place the ciphertext below the plaintext and perform the same operation, one would get the key stream. This is how the plaintext cryptanalysis attack works.
To see this attack in action, there are a couple of scenarios in which it might take place. All of the scenarios of this attack fulfill the two main requirements needed: one plaintext packet and its encrypted counterpart.
Once one has both packets, one can perform the operation detailed above and derive a key.
This first and most predominant scenario is the shared key authentication attack. Shared key authentication sends a cleartext packet and waits for its encrypted counterpart so it can verify it was encrypted with the correct key. Other methods of this attack are also achievable by looking for predictable IP traffic. For example, when a machine first boots up, it will attempt to log in to the network; this log-on sequence is known text. The first frames that are sent before the user or machine authenticates is the request to authenticate. There are many types of known traffic, such as DNS, Logon, DCHP, etc. All an attacker needs to do is understand when this type of traffic takes place. They can do this by assuming that a given number of frames will take place at certain times. Another option is that this attacker can be run on a number of frames; and when one looks like a normal non-encrypted packet, the process worked.
One of the last ways we are going to look at to perform this attack is to generate traffic. This is done by either sending ICMP, telnet, or any other known protocol. These attempts are only available to one who is already on the wired portion of the network. To get around that, one needs to look at another form of traffic — e-mail. To perform this method, one needs to know who a certain MAC address is and what their e-mail address is. This information can be sniffed out of the air from a hotspot or procured in a number of other ways. Once it is known, just send an e-mail and perform the attack on all traffic until the frame that contains some of the e-mail is captured and the attack succeeds. This could also be done by performing a companywide spam, although this will most likely be caught in a spam filter.
An example of how the shared key authentication attack works is outlined as follows:
1. Alice tries connecting to the network.
2. The access point sends out a cleartext challenge.
3. Alice takes the challenge packet, encrypts it with her WEP key, and sends it back to the access point.
4. Evil Bob extracts the IV (sent in the clear) and key by XORing the challenge with Alice’s response.
5. Now evil Bob tries connecting to the network.
6. The access point sends out a challenge string.
7. Now that evil Bob has derived the key from the plaintext cryptanalysis, he can correctly respond to the access point’s challenge.
8. Bob connects to the network.
Dictionary Building Attack
Another attack on WEP is the dictionary building attack. This is performed using the plaintext cryptanalysis attack discussed previously. Once this has been done, any frame with the same IV as the one previously cracked can also be cracked with the same key. This means one can perform the plaintext cryptanalysis attack on multiple frames until one has cracked everything in the IV space. This is not as big or as time consuming as one might think; it can be done with a 24-GB database. Once this has been accomplished, all the frames on the network are now seen by the attacker as cleartext. This will remain true until the WEP seed key is changed on all clients and access points.
Double Encryption Attack
The double encryption attack takes advantage of the fact that the same key is used to both encrypt and decrypt. To perform this attack, a frame must be captured out of the air that is considered important. Most likely, this frame will be something of value because one can only do this attack one frame at a time. After the frame has been identified, one must change the header to have a destination MAC address that is another wireless client. After this, the attacker must wait for the IV to reset to one minus the original IV. At this point, the attacker can replay the captured frame onto the airwaves. When the access point sees the frame with the expected IV, it will perform the encryption process, actually decrypting the frame instead of encrypting it. After the access point has performed the encryption process, it will forward the now cleartext frame across the air to the forged MAC address specified by the attacker.
Message Modification Attack
In the WEP process, the Integrity Check field (IC) is used to verify the message’s integrity. This 4-byte value can tell the access point if the frame had corruption or not. By default, an access point will drop a frame with a wrong IC without any logging. This is because of the large number of incorrect transmissions associated with wireless communications. Another issue with the IC is that it is independent of the master WEP key and the IV. Because of this independence, modification can easily take place.
To perform a message modification attack, the attacker must first capture an encrypted packet destined for a different subnet. This is so a router will have to examine the packet. After capturing an encrypted packet, the attacker must modify a single bit and attempt to resend it. Most likely, the modification will offset the IC and the packet will be dropped. After attempting a number of times, the bits that are flipped will make the IC correct again, although the packet itself will be unreadable.
The amazing thing about this is that the attacker can try many times without any logging or notification on behalf of the access point. Once the packet passes the access point’s IC check, it will go to the router; the router will see that the packet is malformed and send a predictable response back to the original sender. When this response comes across the airwaves, one will have the cleartext and associated encrypted text packet. This will give one what is required to perform cleartext cryptanalysis.
