Professional Documents
Culture Documents
and WPA2
What's hot
Guillaume Lehembre
Difficulty
E
ven when security measures are ena- where || is a concatenation operator and + is a
bled in Wi-Fi devices, a weak encryp- XOR operator. Clearly, the initialisation vector
tion protocol such as WEP is usually is the key to WEP security, so to maintain a de-
used. In this article, we will examine the weak- cent level of security and minimise disclosure
nesses of WEP and see how easy it is to crack the IV should be incremented for each packet
the protocol. The lamentable inadequacy of so that subsequent packets are encrypted with
WEP highlights the need for a new security different keys. Unfortunately for WEP security,
architecture in the form of the 802.11i standard, the IV is transmitted in plain text and the 802.11
so we will also take a look at the new standard’s standard does not mandate IV incrementation,
WPA and WPA2 implementations along with leaving this security measure at the option of
their first minor vulnerabilities and their integra-
tion into operating systems.
What you will learn...
R.I.P. WEP • the weaknesses of WEP encryption,
WEP (Wired Equivalent Privacy) was the de-
• a global overview of the 802.11i standard and
fault encryption protocol introduced in the first its commercial implementations: WPA and
IEEE 802.11 standard back in 1999. It is based WPA2,
on the RC4 encryption algorithm, with a secret • the basics of 802.1x,
key of 40 bits or 104 bits being combined with • the potential weaknesses of WPA and WPA2.
a 24-bit Initialisation Vector (IV) to encrypt the
plaintext message M and its checksum – the What you should know...
ICV (Integrity Check Value). The encrypted
message C was therefore determined using the • the basics of the TCP/IP and Wi-Fi protocols,
following formula: • you should have a basic knowledge of cryptog-
raphy.
C = [ M || ICV(M) ] + [ RC4(K || IV) ]
1 \
00:13:10:1F:9A:72 \
00:0C:F1:19:77:5C \
192.168.2.123 \
192.168.2.103 \
forge-arp.cap
802.11i
In January 2001, the i task group was
created in the IEEE to improve 802.11
data authentication and encryption
security. In April 2003, the Wi-Fi Al-
Figure 5. Phase 1: Agreeing on the security policy liance (an association for promoting
able using a suitable reader (we will packets. Here’s a spoofed ARP re- and certifying Wi-Fi) released a rec-
use tcpdump) – see Listing 4 for a quest sent by 192.168.2.123 (00:0C: ommendation in response to corpo-
sample ping exchanged between F1:19:77:5C) to 192.168.2.103: rate concerns on wireless security.
hosts. However, they were also aware that
Once the keystream has been # arpforge \ customers wouldn’t be willing to re-
captured, it is possible to fake any replay_dec-0916-114019.xor \ place their existing equipment.
blocks being 128 bits long. AES is is incremented by one for each sub-
About the author to CCMP what RC4 is to TKIP, but sequent MPDU.
Guillaume Lehembre is a French secu- unlike TKIP, which was intended to MIC computation uses the
rity consultant and has been working at accommodate existing WEP hard- CBC-MAC algorithm that encrypts
HSC (Hervé Schauer Consultants – ht- ware, CCMP isn't a compromise, a starting nonce block (computed
tp://www.hsc.fr) since 2004. During his but a new protocol design. CCMP from the Priority fields, MPDU
varied professional career he has dealt uses counter mode in conjunc- source address and incremented
with audits, studies and penetration tion with a message authentica- PN) and XORs subsequent blocks
tests, acquiring experience in wireless
tion method called Cipher Block to obtain a final MIC of 64 bits (the
security. He has also delivered public
Chaining (CBC-MAC) to produce final MIC is a 128-bit block, since
readings and published papers on se-
an MIC. the lower 64 bits are discarded).
curity. Guillaume can be contacted at:
Guillaume.Lehembre@hsc.fr Some interesting features The MIC is then appended to the
were also added, such as the plaintext data for AES encryption
use of a single key for encryption in counter mode. The counter is
and appends it to the MSDU prior and authentication (with different constructed from a nonce similar
to transmission. The MIC is calcu- initialisation vectors) or covering to the MIC one, but with an extra
lated from the source address (SA), non-encrypted data by the authen- counter field initialised to 1 and in-
destination address (DA), plaintext tication. The CCMP protocol adds cremented for each block.
MSDU and the appropriate TMK 16 bytes to the MPDU: 8 bytes The last protocol is WRAP,
(depending on the communication for the CCMP header and 8 bytes also based on AES, but using the
side, a different key is used for for the MIC. The CCMP header OCB (Offset Codebook Mode)
transmission and reception). is an unencrypted field included authenticated encryption scheme
CCMP is based on the AES between the MAC header and en- (encryption and authentication in a
(Advanced Encryption Standard) crypted data, including the 48-bit single computation). OCB was the
block cipher suite in its CCM mode PN (Packet Number = Extended first mode selected by the IEEE
of operation, with the key and IV) and Group Key KeyID. The PN 802.11i working group, but was even-
tually abandoned due to intellectual
property issues and possible licens-
On the Net ing fees. CCMP was then adopted as
• http://standards.ieee.org/getieee802/download/802.11i-2004.pdf – IEEE 802.11i mandatory.
standard,
• http://www.awprofessional.com/title/0321136209 – Real 802.11 Security Wi-Fi
WPA/WPA2
Protected Access and 802.11i (John Edney, William A. Arbaugh) – Addison Wesley weaknesses
– ISBN: 0-321-13620-9, While a number of minor weakness-
• http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm – An inductive chosen plaintext es have been discovered in WPA/
attack against WEP/WEP2 (Arbaugh), WPA2 since their release, none of
• http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf – Weaknesses in the Key them are too dangerous provided
Scheduling Algorithm of RC4 (Fluhrer, Mantin, Shamir),
simple security recommendations
• http://www.dachb0den.com/projects/bsd-airtools/wepexp.txt – h1kari optimiza-
are followed.
tion,
• http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf – Intercepting Mobile Com-
The most practical vulnerability
munications: The Insecurity of 802.11 (Borisov, Goldberg, Wagner), is the attack against WPA/WPA2’s
• http://airsnort.shmoo.com/ – AirSnort, PSK key. As already mentioned,
• http://www.cr0.net:8040/code/network/aircrack/ – Aircrack (Devine), the PSK provides an alternative to
• http://weplab.sourceforge.net/ – Weplab (Sanchez), 802.1x PMK generation using an
• http://www.Wi-Finetnews.com/archives/002452.html – WPA PSK weakness authentication server. It is a string of
(Moskowitz), 256 bits or a passphrase of 8 to 63
• http://new.remote-exploit.org/images/5/5a/Cowpatty-2.0.tar.gz – Cowpatty WPA- characters used to generate such a
PSK Cracking tools, string using a known algorithm: PSK
• http://byte.csc.lsu.edu/~durresi/7502/reading/p43-he.pdf – Analysis of the 802.11i
= PMK = PBKDF2(password, SSID,
4-Way Handshake (He, Mitchell),
SSID length, 4096, 256), where PB-
• http://www.cs.umd.edu/%7ewaa/1x.pdf – An initial security analysis of the IEEE
802.1X standard (Arbaugh, Mishra),
KDF2 is a method used in PKCS#5,
• http://support.microsoft.com/?kbid=893357 – WPA2 Update for Microsoft Win- 4096 is the number of hashes and
dows XP SP2, 256 is the length of the output. The
• http://hostap.epitest.fi/wpa_supplicant/ – wpa_supplicant, PTK is derived from the PMK using
• http://www.securityfocus.com/infocus/1814 – WEP: Dead Again, Part 1, the 4-Way Handshake and all infor-
• http://www.securityfocus.com/infocus/1824 – WEP: Dead Again, Part 2. mation used to calculate its value is
transmitted in plain text.
example did. The first step is to acti- The Michael Message Integrity management features for WPA,
vate monitor mode: Code also has known weaknesses WPA2 and WEP. Multiple networks
resulting from its design (forced can be declared with various en-
# airmon.sh start ath0 by the 802.11i task group). The cryption, key management and
security of Michael hinges on com- EAP methods – Listing 9 presents a
The next step discovers nearby net- munication being encrypted. While simple WPA2 configuration file. The
works and their associated clients cryptographic MICs are usually default location for the wpa_suppli-
(see Listing 7). designed to resist known plaintext cant configuration file is /etc/wpa_
This result could be interpreted attacks (where the attacker has a supplicant.conf, and the file should
as follows: one access point with plaintext message and its MIC), only be accessible to the root user.
BSSID 00:13:10:1F:9A:72 is using Michael is vulnerable to such at- The wpa_supplicant daemon
WPA encryption on channel 1 with tacks since it is invertible. Given a should first be launched with root
the SSID hakin9demo and one cli- single known message and its MIC privileges in debug mode (-dd op-
ent, identified by MAC 00:0C:F1: value, it is possible to discover the tion), with the right driver support (in
19:77:5C address are associated secret MIC key, so keeping the MIC our example it is the -D madWi-Fi op-
and authenticated on this wireless value secret is critical. The final tion to support the Atheros chipset),
network (meaning that the 4-Way known weakness is a theoretical the name of the interface (-i option,
Handshake has already been done attack possibility against the WPA’s in our case it is ath0) and a path to
for this client). Temporal Key Hash, involving the configuration file (-c option):
Once the target network has reduced attack complexity (from
been found, capture should be ∂128 to ∂105) under certain circum- # wpa_supplicant
launched on the correct channel to stances (knowledge of several RC4 -D madWi-Fi
avoid missing desired packets while keys). -dd -c /etc/wpa_supplicant.conf
scanning other channels: WPA/WPA2 are also subject -i ath0
to vulnerabilities affecting others
# airodump ath0 wpa-psk 1 802.11i standard mechanisms, such All theoretical steps described above
as attacks with 802.1X message are output in debug mode (AP asso-
Legitimate clients should then be spoofing (EAPoL Logoff, EAPoL ciation, 802.1X authentication, 4-Way
dissociated, forcing them to initiate Start, EAP Failure etc.), first de- Handshake etc.). Once everything is
a new association and allowing us scribed by William A. Arbaugh and working, wpa_supplicant should be
to capture 4-Way Handshake mes- Arunesh Mishra and possible due to run in daemon mode (replace the -dd
sages. Aireplay is also used for this lack of authentication. Last but not option with -B).
attack and will dissociate the select- least, it’s important to note that using On Macintosh, WPA2 is support-
ed client with the specified BSSID by the WPA/WPA2 protocol provides ed with the release of the 4.2 update
sending a fake dissociation request: no protection against attacks on un- to Apple AirPort software: AirPort
derlying technologies, such as radio Extreme-enabled Macintoshes, Air-
# aireplay -0 1 -a <BSSID> frequency jamming, DoS through Port Extreme Base Station and the
-c <client_mac> ath0 802.11 violations, de-authentication, AirPort Express.
de-association etc.
The final step is to launch a dictionary Summary
attack using Aircrack (see Listing 8). WPA/WPA2 OS It is clear that WEP encryption does
Figure 15 presents the results. implementation not provide sufficient wireless net-
The other main WPA weakness is On Windows, WPA2 support is not work security and can only be used
a Denial of Service possibility during built-in. An update for Windows XP with higher-level encryption solutions
the 4-Way Handshake. Changhua SP2 (KB893357) was released on (such as VPNs). WPA is a secure so-
He and John C. Mitchell noticed 29 April 2005, adding WPA2 and im- lution for upgradable equipment not
that the first message of the 4- proving network detection (see Fig- supporting WPA2, but WPA2 will
Way Handshake isn’t authenticated ure 16). Other Microsoft operating soon be the standard for wireless
and each client has to store every systems have to use an external sup- security. Do not forget to put your
first message until they receive a plicant (commercial or open source, wireless equipment in a filtered zone
valid third (signed) message, leav- such as wpa_supplicant – the Win- and keep a wire connection handy
ing the client potentially vulnerable dows version is experimental). for mission-critical networks – radio
to memory exhaustion. By spoofing On Linux and *BSD, wpa_sup- frequency jamming and low-level at-
the first message sent by the access plicant was ready for WPA2 when tacks (violation of 802.11 standard,
point, an attacker can perform a DoS the 802.11i standard came out. The false de-association etc.) can still be
on the client if it possible for several external supplicant supports a large devastating. l
simultaneous sessions to exist. number of EAP methods and key