WEP/WPA Attacks
Huda Seyam
21/12/2019
What is the WEP protocol?
• Stands for “Wired Equivalent Privacy” (sometimes expanded as “Wireless Encryption Protocol”)
• The WEP protocol was introduced with the original 802.11 standard as a
means to provide authentication and encryption to wireless LAN
implementations.
WEP Authentication
• Two methods of authentication can be used with WEP: Open System
authentication and Shared Key authentication.
• In Shared Key authentication, the WEP key is used in a four-step
challenge-response handshake:
1. The client sends an authentication request to the Access Point.
2. The Access Point replies with a clear-text challenge.
3. The client encrypts the challenge text using the configured WEP key
and sends it back in another authentication request.
4. The Access Point decrypts the response. If the result matches the
challenge text, the Access Point sends back a positive reply.
• After authentication and association, the same pre-shared WEP key is
used to encrypt the data frames with RC4.
WEP Encryption
• It is based on the Rivest Cipher 4 (RC4) stream cipher with a pre-shared
secret key (PSK) of 40 or 104 bits, depending on the implementation. A
24-bit pseudorandom Initialization Vector (IV) is concatenated with the
pre-shared key to form the per-packet RC4 key, from which RC4 derives the
keystream used for the actual encryption and decryption. Thus, the
resulting per-packet key is 64 or 128 bits long.
• In the encryption phase, the plaintext data is XORed with the keystream
to obtain the encrypted data; in the decryption phase, the encrypted data
is XORed with the same keystream to recover the plaintext. The encryption
process is shown in the following diagram.
[Slide 6: diagram of the WEP encryption process (“WEP Encryption”); image not reproduced]
Why is WEP weak?
• No key management
– One key shared by everyone on the network
• The IV is only 24 bits and is transmitted in clear text
– A 24-bit IV allows around 16.7 million possible values. That sounds
like a lot, but on a busy network the whole space can be exhausted in
a few hours
• IV values can be reused
– In fact, the standard does not require the value to change at all.
Reusing keys is a major cryptographic weakness in any security system
– If enough frames encrypted under the same IV are collected, anyone can
determine what they have in common, that is, the keystream or the
shared secret key
• No standard procedure for IV generation
• The first few keystream bytes of RC4 are predictable when weak IVs are
used
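As an added example (not part of the original deck), the per-packet key construction from slide 5 and the IV-reuse weakness from slide 7 in code: a WEP-style encrypt/decrypt with CRC32 ICV, a check that two frames under the same IV let the keystream cancel out, and a monitoring function that flags repeated IVs in a capture. RC4 is implemented from scratch so it runs offline; the key, IVs and payloads are constructed sample values.

```python
"""WEP-style per-packet encryption and IV-reuse detection (added example)."""
import zlib
from collections import defaultdict


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(psk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||PSK}(plaintext || CRC32 ICV).

    The 24-bit IV travels in clear and is prepended to the 40- or 104-bit
    pre-shared key, giving the 64- or 128-bit per-packet RC4 key."""
    if len(iv) != 3 or len(psk) not in (5, 13):
        raise ValueError("IV must be 24 bits, PSK 40 or 104 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_keystream(iv + psk, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(psk: bytes, frame: bytes):
    """Return (plaintext, icv_ok). A receiver discards frames whose
    recomputed CRC32 does not match the decrypted ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + psk, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def keystream_cancels_on_iv_reuse(frame_a: bytes, frame_b: bytes,
                                  plain_a: bytes, plain_b: bytes) -> bool:
    """Slide 7's point: frames under the same IV share one keystream, so
    C_a XOR C_b == P_a XOR P_b and the secret key drops out entirely."""
    n = min(len(plain_a), len(plain_b))
    return (frame_a[:3] == frame_b[:3] and
            xor(frame_a[3:3 + n], frame_b[3:3 + n]) == xor(plain_a[:n], plain_b[:n]))


def find_iv_reuse(frames) -> dict:
    """Monitoring check: map each IV seen more than once to the indices of
    the frames carrying it. Any entry means keystream reuse on the air."""
    seen = defaultdict(list)
    for idx, frame in enumerate(frames):
        seen[frame[:3]].append(idx)
    return {iv.hex(): idxs for iv, idxs in seen.items() if len(idxs) > 1}


# Constructed sample values (not taken from any real network).
PSK40 = b"\x11\x22\x33\x44\x55"
IV_A = b"\x00\x00\x01"
IV_B = b"\x00\x00\x02"
P1 = b"GET /index.html HTTP/1.0"
P2 = b"GET /login.html HTTP/1.0"

if __name__ == "__main__":
    frames = [wep_encrypt(PSK40, IV_A, P1), wep_encrypt(PSK40, IV_B, P2),
              wep_encrypt(PSK40, IV_A, P2)]       # third frame reuses IV_A
    print(wep_decrypt(PSK40, frames[0]))
    print(keystream_cancels_on_iv_reuse(frames[0], frames[2], P1, P2))
    print(find_iv_reuse(frames))                  # {'000001': [0, 2]}
```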
FMS attacks on WEP
• The first well-known attack against WEP was the Fluhrer, Mantin, and
Shamir (FMS) attack back in 2001. The FMS attack relies on the way WEP
generates its keystreams and on the fact that weak IVs produce weak
keystreams, making it possible for an attacker to collect a sufficient
number of packets encrypted with these keys, analyze them, and recover
the key.
• The number of IVs to be collected to complete the FMS attack is
about 250,000 for 40-bit keys and 1,500,000 for 104-bit keys.
• The FMS attack was later enhanced by KoreK, improving its
performance.
PTW attacks on WEP
• In 2007, Pyshkin, Tews, and Weinmann (PTW) extended Andreas Klein’s
research and improved the FMS attack, significantly reducing the number
of IVs needed to successfully recover the WEP key.
• Unlike the FMS attack, the PTW attack does not rely on weak IVs, and it
is very fast and effective. It is able to recover a 104-bit WEP key with
a success probability of 50% using fewer than 40,000 frames and with a
probability of 95% with 85,000 frames.
• The PTW attack is the default method used by Aircrack-ng to crack
WEP keys.
ARP Request replay attacks on WEP
• Both FMS and PTW attacks need to collect quite a large number of frames
to succeed and can be conducted passively, sniffing the wireless traffic on
the same channel as the target AP and capturing frames. The problem is
that, in normal conditions, we would have to spend quite a long time
passively collecting all the packets the attacks need, especially with the
FMS attack.
• To accelerate the process, the idea is to reinject frames into the network
to generate traffic in response, so that the necessary IVs can be collected
more quickly. A type of frame that is suitable for this purpose is the ARP
request, because the AP broadcasts it, each time with a new IV. As we are
not associated with the AP, frames sent to it directly are discarded and a
de-authentication frame is sent. Instead, ARP requests from associated
clients can be captured and retransmitted to the AP.
• This technique is called the ARP Request Replay attack and is also
adopted by Aircrack-ng for the implementation of the PTW attack.
Chop-chop attack
A chop-chop attack works by taking one byte of data from a WEP-encrypted
packet, substituting values for that byte, and recalculating the encryption
checksum. The modified packets are then sent to an access point, which
simply discards them until a valid checksum is eventually substituted by the
attacker.
What is the WPA protocol?
• Stands for “Wi-Fi Protected Access”
• Wi-Fi Protected Access (WPA) became available in 2003 as the Wi-Fi
Alliance’s direct response and replacement for the increasingly apparent
vulnerabilities of the WEP encryption standard. The most common WPA
configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are
256-bit, a significant increase over the 64-bit and 128-bit keys used in
the WEP system.
• WPA included message integrity checks (to determine whether an attacker
had captured or altered packets passed between the access point and
client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a
per-packet key system that was radically more secure than the fixed key
system used by WEP. The TKIP encryption standard was later superseded by
the Advanced Encryption Standard (AES).
Beck and Tews’ Attack
• Released in 2008, it exploits a weakness in TKIP, allowing an attacker to
decrypt ARP packets and to inject traffic into a network, enabling a DoS
or ARP poisoning.
• The attack “requires” Quality of Service (QoS) to be enabled (a practical
aspect). QoS allows several channels to be used, and each channel has its
own TSC (TKIP Sequence Counter). Channel 0 carries most of the traffic,
so the other channels will have lower TSCs. The attack also requires the
Key Renewal Interval to be longer than 15 min (the time needed to decrypt
an ARP packet).
1. The attacker de-authenticates a station, then captures an ARP packet.
2. Next, he performs a modified chop-chop attack to recover the ICV
(Integrity Check Value) and MIC (Message Integrity Check) of the
packet.
3. With that, the attacker needs to guess the last part of the packet, the
IP address.
4. Finally, he reverses the MICHAEL algorithm and gets the MIC key. With
that he can now inject custom packets into the network.
WPA Attacks
• Ohigashi-Morii Attack
– From 2009, an improvement of the Beck-Tews attack on WPA-TKIP that is
more efficient and works for all modes of WPA, not just those with QoS
features.
• Michael Attack
– In 2010, Beck found that if the internal state of Michael reaches a
certain point, the Michael algorithm resets. With that, an attacker can
inject some text into a packet and add a string that resets the Michael
algorithm: the packet is changed, but the Michael result remains
correct. Apparently, the requirements of this attack are even tighter
than those of “Beck and Tews”.
References
• https://hub.packtpub.com/what-we-can-learn-attacks-wep-protocol/
• https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
• https://www.youtube.com/watch?v=lmXSWnZ7b_M
• https://www.cyberpunk.rs/wireless-security-protocols-wep-wpa-wpa2-and-wpa3