SECURITY ATTACKS ON DIFFERENT Wi-Fi PROTOCOLS
Prof.S. O. Rajankar
Dept. of Electronics and Telecommunication
Sinhgad College Of Engineering,
Vadgaon(Bk.), Pune-41,India
Abstract—This paper describes different attacks that are possible on Wi-Fi protocols. It mostly concentrates on attacks on WEP and WPA as they are most popular protocols. The third protocol is WPA 2 which is similar to WPA except for some changes. This paper is a study for the project of designing a software for Wi-Fi audit.
Keywords- WEP, WPA, Packet building attacks, Key Recovery attacks
I.INTRODUCTION
The security in Wi-Fi networks is a very important subject, because nowadays Wi-Fi networks are extensively used. Although there are numerous protocols suggested for Wi-Fi security, they fail to protect against various attacks due to lack of upgradation. So to secure the wi-fi that is deployed, first it has to be checked for the vulnerability of it to the various types of attacks that are popular and are subjected to happen at present. Also the owner of Wi-Fi need to know what type of security measures he is currently provided with and what type of security measures he needs to incorporate in his Wi-Fi settings to ensure that the deployed Wi-Fi is secure against various attacks that may happen in the current scenario. For this Attacks on Wi-Fi networks are important to be deeply studied. In this seminar the two prominently used Wi-Fi protocols and attacks on them are studied.
There are total three protocols that are deployed on the Wi-Fi:
1. WEP(Wired Equivalent Privacy)
2. WPA(Wireless Protected Access)
Mr. Nachiket Ketkar
Dept. of Electronics and Telecommunication
Sinhgad College Of Engineering,
Vadgaon(Bk.), Pune-41,India
.3 WPA2(Wireless Protected Access 2)
Out of these WEP is mostly used protocol and thus many attacks are developed against it. Though it is vulnerable, it is still widely used because of its simplicity. The third protocol i.e. WPA2 is similar to WPA in most ways only a small difference makes it more secure than WPA. Attacks on WPA and WPA2 are almost same with a more computational complexity and less probability of success. So in this seminar, only WEP and WPA are focused.
Aim of this paper is to study the attacks on WEP and WPA and to see how WPA is better than WEP. Also the seminar covers topics such as encryption and decryption techniques used in these protocols so it also covers the primary knowledge of the protocols.
II. ATTACKS ON WEP
A. Key recovery attacks
1. FMS attack
Fluhrer, Mantin and Shamir published the first key recovery attack on WEP in 2001. Their attack is based on the following ideas: An attacker who listens passively to the traffic of a WEP protected network can record a lot of encrypted packets including the initialization vectors used for these packets. Because the first bytes of the plaintext of most packets are easily predictable, the attacker is able to recover the first bytes of the keystreams used to encrypt these packets. The initialization vector is transmitted unprotected with the packets, so the attacker initially also knows the first 3 bytes of the per packet key for all packets. All following bytes of the per packet key are the same for all packets, but are initially unknown to the attacker.
This attack uses weaknesses in RC4. If four conditions hold, he can then perform a manipulation on RC4 that allows him to guess with a five percent probability a byte of the key. Using a system of vote, he can guess a probable key and test it. If the key is not correct, he will try another likely correct key and try again. To be more specific, the attack works as follow: As the attacker knows the first l bytes of the per packet key, he can simulate the l first steps of RC4-KSA.
The attack needs 4,000,000 to 6,000,000 packets to succeed with a success probability of at least 50%, depending on the exact environment and implementation .The reason for this is that the resolved condition holds only for a small amount of randomly chosen initialization vectors.
2.Korek Attack
KoreK posted an implementation of an advanced WEP attack tool to the netstumbler.org-forum. Basically this was an advanced version of the FMS attack. FMS uses a correlation between the first x bytes of the pre-shared key, the first byte of the key-stream and the x + 1 byte of the pre-shared key. The Korek attack uses several similar correlations, including some that were previously discuss in public, the one from the original FMS paper and several ones that were found by KoreK himself. The attack follows the same pattern as the FMS attack: Correlations between the first x pre-shared key bytes, the first two bytes of the key-stream and the byte x + 1 of the pre-shared key are used to gather votes for different values for the different bytes. The result is a decision tree that allows the attacker to obtain the presahred key with a trial and error method. With the additional correlations the number of packets with unique IVs necessary for a 50% success chance is reduced to about 700000.
In 2004, a person under the pseudonym KoreK posted an implementation of an advanced WEP cracking tool in an internet forum. KoreK used 16 additional correlations between the first l bytes of an RC4 key, the first two bytes of the generated keystream, and the next keybyte K[l]. Most of these correlations have been found by KoreK himself, a few had been discussed in public before. KoreK assigned names like A u15 or A s13 to these attacks, the original FMS attack is called A s5 1 here. Nearly all correlations found by KoreK use the approach that the first or second byte of the keystream reveals the value of jl+1 under some conditions, if 2-4 values in S have a special constellation and are not changed during the remaining RC4-KSA after step l + 1. An interesting exception is the A_negative correlation, which doesn’t vote for a certain value of K[l]. Instead a value can be excluded from the list of possible candidates for K[l], which can be seen as a negative vote for K[l]. The overall attack structure is the same decision tree based approach as for the FMS attack and let the attacker find the key faster.. The number of captured packets is reduced to about 700,000 for 50% success probability. Again, the exact numbers depend on the exact environment and the implementation and parameters used for the attack. One important factor is if the initialization vectors are generated by a PRNG algorithm or if they are generated sequentially by a counter.
3.Klein’s attack
In 2006, Klein showed a improved way of attacking RC4 and WEP which does not depend on any weak IV . The advantage of this attack is the small number of packets required for the recovery of the WEP key compared with the FMS attack and the Korek attack.
Klein’s attack is formed by the KSA and PRGA rewinding. The attacker will then collect the probed values for K[i], and finally select the one with the highest vote. Note that to retrieve the secret key byte K[i], this attack must successfully recover the previous bytes K[3],...,K[i − 2],K[i − 1]. Thus this attack has to execute iteratively to retrieve the whole WEP key. However this approach has a significant disadvantage. If a wrong key byte is guessed by the attack by mistake, the whole WEP key will be probably mis-recovered due to the key byte dependency. Thus, this attack has a problem of the key byte dependency to retrieve the WEP key.
4. PTW attack
To solve the Klein’s computational problem, Tews, Wein- mann and Pyshkin proposed an attack which is reduced the dependency among WEP bytes. Thus this attack can independently recover the sum of the WEP key bytes.
We describe the flow of the PTW attack. To begin with, the PTW attack estimates the internal state by only IV (Klein’s attack uses IV and the previous WEP key bytes), and approximates this internal state as a later internal state. After that it executes the KSA and PRGA rewinding as same as Klein’s attack to retrieve the sum of the WEP key bytes.
This attack can retrieve the sum of the WEP key bytes by using IV and the keystream Z1 to Z15. Furthermore, the success probability recovering the whole WEP key would increase by utilizing the keystream Z16 to Z31, because it can increase the number of vote counts. However the success probability of the PTW function decreases even if it guessed the correct previous key byte. To solve this problem, Teramura et al. proposed the TeAM-OK attack.
B. Packet Building attacks
1.Chopchop attack
The Chopchop Attack The chopchop attack (www.aircrack-ng.org/doku.php? id=korek_chopchop) exploits WEP encryption by determining the PSK through trial and error, rather than mathematically or cryptographically. Figure 2 diagrams the attack. The chopchop attack uses the access point (AP) to decipher wireless Address Resolution Protocol (ARP) packets. The attack chops off the packet’s last byte and assumes that the encrypted byte is 0. The attack corrects the packet on the basis of a guess of 0, re-encrypts it, and sends it to the AP. If the guess is correct, the AP retransmits the packet because the attack is using a multicast packet. In this case, the attacker knows the guess was correct. If the AP drops the packet, the attacker guesses 1 and restarts the process. Consequently, the attacker can capture a WEP encrypted frame and replay it multiple times to decipher the payload one byte at a time. Attackers can decode small ARP frames in 10 to 20 seconds without breaking the WEP key.
Fig.1 chopchop attack
2. Fragmentation attack
Though a "fragmentation issue" had already been mentioned before, the first practical Fragmentation attack [1] was released in 2005 by Bittau et al. in a paper called "The final nail in WEP con". The attack works as follow: At first, the attacker needs to eavesdrop a packet. As all packet send in a 802.11 network have similar headers, the attacker can know/guess the first 8 bytes of clear text. By XORing these 8 bytes with the 8 corresponding bytes of cipher text we obtain 8 bytes of keystream for a specific IV. Those 8 bytes of keystream cannot be used to send a whole packet on the network (it would be ridiculously small). But the WEP protocol allows to send a single packet in up to 16 fragments. Therefore, we can use the 8 bytes of keystream we know to broadcast a packet containing 64 bytes of know text in 16 fragments. (We can only have 64 bytes of known text because each fragment needs its 4 bytes long CRC32 checksum). When the AP receives those 16 fragments, it will decipher them, combine them into a single packet, encrypt it and send it back on the network. This packet is 68 bytes long (64 bytes of known text and 4 bytes ICV). With a XOR, the attacker has now 68 bytes of keystream for a given IV. By repeating this process, the attacker can get up to 1500 bytes of keystream for a IV. When knowing 1500 bytes of keystream for a given IV, it is easy to get 1500 bytes of keystream for other IVs by simply sending a broadcast packet of 1500 bytes to the AP. The AP will then relay this packet, but encrypted with a new IV.
As C ⊕ M = K the attacker can get the keystream for other IVs and build a dictionary, allowing him to decipher every single packet on the network, and also to create traffic.
3.Coolface attack
The Coolface attack uses the second mode of WEP-authentication: Shared key. As opposed to the Open System authentication, the client has to resolve a challenge to be connected. The AP sends to the client a challenge, and the client will send back the encrypted challenge. If it is correct, the AP accepts the connection. It is a new opportunity for the attacker, who can get both a plain- and an encrypted text. To switch from Open System to Shared key mode, the attacker can begin a denial of service against the AP and then usurpate the AP's identity, thus enabling the Shared key authentication. Repeating this operation, the attacker builds an IV-dictionary very fast !
4. Google replay attack
The Google Replay Attack is based on the fact that any lambda user with an access to the internet will do a Google search. A lot of web users have the URL http://www.google.com as home page. It means the Google logo, a 7330-byte- image, is downloaded every time. With this data, an attacker can easily recover a part of the keystream, knowing plain- and encrypted text. The main difficulty for the attacker is to know exactly at which moment the client will download the Google logo. He has to study the structure of TCP/IP packets, and to wait for a packet which size is exactly 7330 bytes.
II ATTACKS ON WPA
1. Beck and Tews' Improved Attack on RC4
In 2008 Beck and Tews released an attack on WPA. This is not a key recovery attack, but still exploits weaknesses in TKIP to allow the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS (Denial of Service) or an ARP poisoning. In order to be practical, the attack requires the Quality of Service (QoS) to be enabled. The QoS is a feature of WPA standard that allows several channels to be used. Each channel has its own TSC. As channel 0 is used for most of the traffic, it will be possible to inject valid packets in other channels were the TSC will likely be lower. The attack also requires the Key Renewal Interval to be longer than 15 minutes (the time needed to decrypt an ARP packet with this attack). The attack works as follow: First, the attacker deauthenticates a station (STA). Then, the attacker can capture an ARP packet. He will then perform a modified Chopchop attack to recover the Integrity Check Value (ICV) and MIC of the packet. When this is done, the attacker will have to guess the last part of the packet: the IP addresses. Eventually, he reverses the MICHAEL algorithm and gets the MIC key. Knowing the keystream and the MIC key, the attacker can now inject custom packets into the network, but only on channels with a lower TSC. The reason why a modified version of Chopchop must be used is that the attack has to bypass the MIC countermeasure. The modified Chopchop attack works as follow: The attack works as an AP sending data to a STA. It chops off the last byte of a packet as the regular Chopchop attack does. When the correct byte is guessed, the ICV of the truncated packet is correct, but the MIC is not. This will cause the STA to send a MIC failure report. So when the attacker receives a MIC failure report, he knows that his guess was correct. Then, he has to wait for a minute in order to prevent the MIC countermeasure from triggering. Eventually, he can chop off a new byte, etc. Nevertheless, this attack has limitations: the TSC limits the number of packets that can be injected into the network from 3 to 15 per QoS channel.