AirSnort Weak IV Attack


Attack is based on Fluhrer/Mantin/Shamir paper

Initialization vector (IV) is 24-bit field that changes with each packet

RC4 Key Scheduling Algorithm creates IV from base key

Flaw in WEP implementation of RC4 allows creation of "weak" IVs that give insight into base key

More packets = more weak IVs = better chance to determine base key

To break key, hacker needs 100,000-1,000,000 packets

[Figure: WEP encrypted frame layout: dest addr | src addr | IV | encrypted data | ICV]

© 2003, Cisco Systems, Inc. All rights reserved. AWLF v3.1—9-60

The figure shown depicts a WEP-encrypted frame. The first 24 bits of the frame are the Initialization Vector (IV). The purpose of the IV is to ensure that the same plaintext data frame will never generate the same WEP-encrypted data frame. The method of changing the IV depends on the vendor implementation (Cisco Aironet changes the IV on a per-packet basis).

The IV is transmitted as plaintext and a user "sniffing" the WLAN could see the IV. When the same IV is used over and over with the same WEP key, a hacker could capture the frames and derive information about the data in the frame, as well as data about the network.

Using static WEP keys has proven to be highly vulnerable to this type of attack. This is why Cisco recommends that WLANs not use static WEP, and instead use the more advanced security features implementing 802.1X.

Cisco Aironet Access Point firmware includes features to improve RC4/WEP security by hashing WEP keys, thus protecting against weak initialization vectors.

Care must be taken when configuring WLAN security to protect against this type of attack. Configuring the WEP key timeout on the authentication server does this. The timeout forces wireless clients to re-authenticate, which generates a new WEP key. With a shorter timeout period, wireless clients do not use the same WEP key long enough for a hacker to capture the number of frames needed to hack the WEP key.

For more information on Cisco's response to the Berkeley paper go to: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.htm

Because packet key is hash of IV and base key, IV no longer gives insight into base key

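[Figure: two panels. No key hashing: IV and base key feed RC4, producing the stream cipher that turns plaintext data into encrypted data. Key hashing: IV and base key are hashed into a packet key, which feeds RC4 to produce the stream cipher.]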


Another advanced security feature on the Cisco Aironet devices is WEP key hashing. When configured, a Cisco Aironet Access Point or Bridge protects against attacks that focus on weak (or predictable) initialization vectors. Because the packet key is a hash of the initialization vector and the base key, the initialization vector no longer gives insight into the base key.


Hacker intercepts WEP-encrypted packet

Hacker flips bits in packet and recalculates ICV CRC32

Hacker transmits to access point bit-flipped frame with known IV

Because CRC32 is correct, access point accepts, forwards frame

Layer 3 device rejects and sends predictable response

Access point encrypts response and sends it to hacker

Hacker uses response to derive key (stream cipher)

[Figure: plain text "message" XOR stream cipher "1234" gives cipher text "XXYYZZ"; cipher text "XXYYZZ" XOR predicted plain text "message" gives stream cipher "1234".]


Another WEP attack is the "bit flip" attack. In this type of attack, a hacker captures an encrypted message, flips (or tampers with) bits in the message, and then retransmits it in the hope that it is accepted as a valid message. If it is, then the access point is communicating with the hacker (instead of the legitimate user) and WLAN security has been compromised.

Sender adds MIC to packet

Recipient examines MIC; discards packet if MIC is not intact

[Figure: WEP frame: dest addr | src addr | IV | encrypted data; stream cipher]


The Cisco Aironet Access Point includes a feature called Message Integrity Check (MIC). When configured, it adds a few extra bytes to every packet before the packet is encrypted. The recipient then decrypts the packet and examines the MIC. If the extra bytes are not intact, the message has been tampered with and the recipient discards it.
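The bit-flip and MIC passages above can be checked in a few lines. This is an added example, not Cisco's code: it shows that WEP's unkeyed CRC32 ICV still verifies after a frame is modified, while a keyed MIC added before encryption causes the same frame to be discarded. The MIC here is a stand-in (truncated HMAC-SHA256, an assumption; the course text does not name Cisco's algorithm), and all keys, the IV and the payload are constructed sample values.

```python
import hashlib, hmac, struct, zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def icv(body: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(body))  # WEP ICV: unkeyed CRC32

def mic(mic_key: bytes, payload: bytes) -> bytes:
    # Stand-in MIC (assumption): truncated HMAC-SHA256, not Cisco's algorithm.
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(iv, base_key, payload, mic_key=None):
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    return rc4(iv + base_key, body + icv(body))  # MIC is added before encryption

def unseal(iv, base_key, frame, mic_key=None):
    plain = rc4(iv + base_key, frame)
    body, tag = plain[:-4], plain[-4:]
    if tag != icv(body):
        return None  # ICV mismatch: frame discarded
    if mic_key is None:
        return body
    payload, got = body[:-8], body[-8:]
    return payload if hmac.compare_digest(got, mic(mic_key, payload)) else None

def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """XOR delta into the encrypted body and patch the encrypted ICV to match.
    Needs no key: CRC32 is linear, crc(a^b) = crc(a) ^ crc(b) ^ crc(zeros)."""
    patch = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    mask = delta + struct.pack("<I", patch)
    return bytes(a ^ b for a, b in zip(frame, mask))

# Constructed sample values, not taken from any real network.
IV, BASE_KEY, MIC_KEY = b"\x01\x02\x03", b"\xaa" * 13, b"constructed-mic-key"
PAYLOAD = b"PAY 0100 TO BOB"
DELTA = bytes(4) + b"\x09" + bytes(len(PAYLOAD) - 5)  # '0' ^ 0x09 == '9'
```

With only the ICV, the modified frame decrypts to an altered payload and is accepted; with the keyed MIC in place, `unseal` returns `None` for the same modification.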
