doc.: IEEE 802.11-01/230
Talk Outline
• Introduction
– WEP/WEP2
– IP
– Walker/Berkeley Attacks
• Attack Overview
• Attack Details
• Conclusions
WEP/WEP2
(diagram: 802.11 Hdr | Data, showing the Encapsulate / Decapsulate path)
Observations
• Walker/Berkeley attacks require either:
– Depth and post analysis
– Cooperating agent for known plain text
• Can we do better?
Base Case
• Find initial pseudo random stream of size n.
– Identify DHCP Discover messages from externals, e.g. by size and broadcast MAC address.
• Known source (0.0.0.0), destination (255.255.255.255), header info
• Allows the recovery of 24 bytes of pseudo random stream: Let n = 24
Inductive Step
1. Create a datagram of size n-3 representing an ARP request, UDP open, ICMP etc.
2. Compute the ICV and append only its first three bytes.
3. XOR with n bytes of pseudo random stream.
4. Append a guess for the last ICV byte as the n+1 byte.
Inductive Step
(diagram: 802.11 Hdr | IV | Data (n-3 bytes) | ICV (3 bytes) | byte n+1; iterate over the 255 possibilities for the n+1 byte)
Submission Slide 10 William Arbaugh, University of Maryland
May 2001 doc.: IEEE 802.11-01/230
Inductive Step
5. Now send the datagram and wait for a response.
6. If no response, try another of the 254 remaining possibilities.
7. If there is a response, then we know the n+1 byte was the last byte of the ICV; thus we have matching plaintext and ciphertext, which gives us the n+1 byte of the pseudorandom stream.
After Response
(diagram: Data (n-3 bytes) | ICV (3 bytes) | n+1 plaintext byte, XORed with the n+1 byte of the encrypted data to give the n+1 byte of the pseudo random stream)
Attack Cost
• Assume moderately aggressive attacker:
– ~100 attacker transmissions per second
– NOTE: ICV failures will not be passed to the OS and thus the attack is difficult to observe (failed ICV counter notwithstanding)
• 1.6 hours to recover 2300 byte MTU regardless of IV and key size in worst case
• ~40 minutes in average case
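The slide above notes that ICV failures are dropped before reaching the OS and only show up in a failed-ICV counter. As an added example (not part of the slides), the following monitor samples that signal per transmitter address, which is how an access point or wireless IDS could notice the ~100 forged frames per second the attack needs; the frame records, MAC addresses and the threshold of 50 are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: (time_ms, transmitter MAC, icv_ok). Station 0a is a
# normal client (~30 frames/s) with two corrupted frames; station 0b emits the
# ~100 frames/s of guessed n+1 bytes from the slides, all but one failing the ICV.
def build_sample_frames():
    frames = [(i * 33, "00:00:00:00:00:0a", i not in (7, 41)) for i in range(60)]
    frames += [(i * 10, "00:00:00:00:00:0b", i == 199) for i in range(200)]
    return sorted(frames, key=lambda f: f[0])

def peak_icv_failures(frames, window_ms=1000):
    """For each transmitter, the largest number of failed-ICV frames seen in any
    half-open window_ms interval (sliding window over time-sorted records)."""
    pending = defaultdict(deque)   # per-MAC timestamps of recent ICV failures
    peak = defaultdict(int)
    for t, mac, ok in sorted(frames, key=lambda f: f[0]):
        if ok:
            continue               # successful frames do not count toward the rate
        q = pending[mac]
        q.append(t)
        while t - q[0] >= window_ms:   # expire failures that left the window
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
    return dict(peak)

def flag_stations(frames, window_ms=1000, threshold=50):
    """Transmitters whose peak failure count exceeds the assumed threshold.
    A driver's failed-ICV counter sampled per station gives the same signal."""
    return sorted(mac for mac, n in peak_icv_failures(frames, window_ms).items()
                  if n > threshold)

if __name__ == "__main__":
    print(peak_icv_failures(build_sample_frames()))
    print(flag_stations(build_sample_frames()))
```

A benign client's occasional corrupted frame stays well under the threshold, while a station guessing ICV bytes at the slide's rate stands out within a second.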
WEP Costs
• 46 hours to build full dictionary of <IV, pseudorandom> with one attacking host (~35GB)
WEP2 Costs
• Prohibitive to build the entire dictionary in terms of space and time, but we don't need to do so.
• Because we can still find enough <IV, pseudorandom> pairs to find and attack a vulnerable host on the LAN and recover the key actively, e.g. blind scans and blind attacks.
Conclusions
• Fundamental problem is that both WEP and WEP2 are vulnerable to packet forgery.
• It's easy to dismiss this attack (and the Walker/Berkeley attacks) as "academic". However, it's only a matter of time before the attacks are implemented/scripted and released… What then?