25

Let's say I have a wireless network that is password protected.

What procedures can an intruder take to gain access to my wireless network, or at least be able to decipher the packets I am sending into something understandable? How long would such a method take?

For example, how exactly does aircrack gain access?

This related question is about what happens once an attacker knows the password: I'm interested in how they get the password.

Quillion
  • 1,134
  • 5
  • 16
  • 25

2 Answers2

41

First of all that would entirely depend on the encryption used by the access point. There are several types of possible encryption. Mostly on consumer wireless access points these are:

  • WEP
  • WPA
  • WPA2
  • WPS

WEP

Let's first dive into WEP. WEP was the first algorithm used to secure wireless access points. Unfortunately it was discovered that WEP had some serious flaws. In 2001, 3 researchers working at Berkeley produced a paper named "(In)Security of the WEP algorithm". They found the following flaws in WEP:

  • Passive attacks to decrypt traffic based on statistical analysis.
  • Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
  • Active attacks to decrypt traffic, based on tricking the access point.

  • Dictionary-buildingattack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.

An excerpt from their paper about the technical problems with WEP:

WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext.

This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.

WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.

The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.

The initialization vector in WEP is a 24-bit field, which is sent in the cleartext part of a message. Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours. (The amount of time may be even smaller, since many packets are smaller than 1500 bytes.) This allows an attacker to collect two ciphertexts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. For example, a common wireless card from Lucent resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. (Worse still, the 802.11 standard specifies that changing the IV with each packet is optional!)

Some other interesting reading material can be found at aircrack-ng.org.

WPA

The second one is WPA. WPA was originally meant as a wrapper to WEP which tackles the insecurities caused by WEP. It was actually never meant as a security standard but just as a quick fix until WPA2 became available.

There are two modes in which it can operate:

WPA generally uses Temporal Key Integrity Protocol (TKIP). TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as a solution to replace WEP without requiring the replacement of legacy hardware. This was necessary because the breaking of WEP had left WiFi networks without viable link-layer security, and a solution was required for already deployed hardware. TKIP is not an encryption algorithm, but it's used to make sure that every data packet is sent with a unique encryption key.

From the aircrack-ng.org paper

TKIP implements a more sophisticated key mixing function for mixing a session key with an initialization vector for each packet. This prevents all currently known related key attacks because every byte of the per packet key depends on every byte of the session key and the initialization vector. Additionally, a 64 bit Message Integrity Check (MIC) named MICHAEL is included in every packet to prevent attacks on the weak CRC32 integrity protection mechanism known from WEP. To prevent simple replay attacks, a sequence counter (TSC) is used which allows packets only to arrive in order at the receiver.

There are two attacks known against TKIP:

  • Beck-Tews attack
  • Ohigashi-Morii attack (which is an improvement on the Beck-Tews attack)

However both of these attacks only could decrypt small portions of data, compromising confidentiality. What they can't give you is access to the network. To give you an idea of how much data can be recovered, a single ARP frame would take around 14-17 minutes to get the plain text.

The only attack know, besides flaws in firmware of some routers, is bruteforcing the WPA key. Generally the key is generated as follows:

Key = PBKDF2(HMAC−SHA1,passphrase, ssid, 4096, 256)

Considering this algorithm is meant to prevent hashed passwords from being broken it can take a huge amount of time. The only reasonable attack would be to use a dictionary attack (hence it is important to use long passwords containing characters, numbers and letters).

Also note that you need to change your SSID to something very random. Rainbow tables have been generated for the top 1000 used SSIDs.

WPA also supports AES (which can be used instead of RC4). This would still imply that TKIP-MIC is used.

WPA2

WPA2 supports the same modes as WPA, except that it does not use TKIP but CCMP for cryptograhic encapsulation.

CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard. This is used to replace TKIP for message confidentiality.

However some access points can still be configured to use both TKIP and CCMP. This was done because otherwise people were required to upgrade their hardware.

Extensions

WPS

Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard that attempts to allow easy establishment of a secure wireless home network. It allowed easy security for home users but still using the more secure WPA rather than WEP. WPS should never be used as there is a great design flaw in it. WPS generates 'by the push of a buton' a PIN code which can be entered by the user. The idea behind this was to increase usability. This poses a problem: the amount of possibilities is reduced to 10.000.000 which any computer can crunch through quite rapidly, even when using PBKDF2.

EAP

EAP is used for WPA(2)-Enterprise and is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Some have their own flaws however considering the vast amount of possibilities I suggest looking them up yourself.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • 1
    WPA (version 1) can use AES instead of TKIP too, although not all hardware and software combinations support it. I am not sure what the difference between WPA-AES and WPA2-AES is, but I think it has to do with key management. I do know from personal experience that my first generation PSP can do WPA-AES, but cannot do WPA2 (of either type) – Rod MacPherson Aug 26 '13 at 14:53
  • WOW thanks :) the amount of info is huge and this is exactly what I wanted to know – Quillion Aug 26 '13 at 14:57
  • 1
    It doesn't use aes instead of tkip it uses aes instead of rc4. Tkip is still used when wpa aes is in use. – Lucas Kauffman Aug 26 '13 at 17:44
3

It depends on the exact encryption being used on the network, but for WEP (which is the easiest to break) it takes only minutes. The most common attack is the Fluhrer, Mantin and Shamir attack which involves looking for reused IVs(initialization vectors) which can potentially be used to reverse engineer parts of the key. They are supposed to be unique, but for the short IV that WEP uses, they are repeated frequently.

Since part of the WEP SNAP header is known at the beginning of each block, for certain IV's, if the attacker knows the first byte of the key stream, they can determine the next byte of the key from the one they last knew. So the attack starts out only knowing what the beginning of the WEP SNAP packet will be, but each time it is seen for a particular type of IV, the next key byte can be learned. This can produce an entire 16 byte key very rapidly on a busy network since the only thing needed is for the necessary IVs to be used by the network.

If the network isn't busy enough there are some ways to trick the network in to communicating more as well which can help recover a key, though these more aggressive approaches could potentially be detected.

The flaws section on Wikipedia's WEP page also has more in-depth information about the attack as it applies to WEP and what speeds have been accomplished when.

For WPA, it's a little more complicated. It is less inherently weak, but several attacks generally prove successful. The first is a rainbow table attack against the password for the network. Any weak password based WEP key can easily be broken from a rainbow table as salting is not unique for a given SSID as part of the key derivation.

There are also weaknesses in Wifi Protected Setup that can allow for the WPS pin to be recovered. With WPS, they only use 7 digits of the pin and each half is validated separately, so you only have to guess a 3 digit and a 4 digit number to get access.

There are a few other specialized attacks on WPA too which are described in much more detail on the Wikipedia page for WPA.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • I thought salting was used for WPA? As to my understanding the salt used by WPA is the SSID of the AP? – Lucas Kauffman Aug 26 '13 at 14:35
  • So I looked it up, actually there are rainbow tables for the top 1000 used SSIDs. So technically it still uses a salt. – Lucas Kauffman Aug 26 '13 at 14:48
  • @LucasKauffman - good point, I had forgotten about that as I didn't really consider it salting as it isn't unique, but it is worth mentioning it makes it slightly more difficult, though not too much. I updated my answer accordingly. – AJ Henderson Aug 26 '13 at 15:09