Written by Jacob Tan and Richard Duong
Demonstrate the vulnerabilities of CRC-32 and WEP protocol with the use of 2 different attacks:
- The packet-redirect attack which takes advantage of CRC32's linearity property to modify the destination of the ip header,
and tricks the Access Point into decrypting the packet before sending it off to the attacker.
- The "chop chop" attack which also takes advantage of CRC32's linearity property and as long as the Access Point returns an acknowledgement for whether the message was accepted or not, one could recover the plaintext by guessing the plaintext byte-by-byte.
Let's say Alice wants to send packets to Bob. Alice will follow these steps to attempt to securely send her packet to Bob.
- Alice generates a packet with an ip header and message
- Alice runs CRC on her current packet, and appends CRC to the end of her packet
- Alice generates a random IV, and generates a key with (WEP Password || IV)
- Alice uses this key to encrypt her packet, and then prefix the encrypted packet with the IV she used
- Alice sends this off to the Access Point
- Access Point receives and decrypts the packet using (WEP Password || IV) from the packet prefix
- Access Point calculates the CRC on the original packet and compares to the attached CRC to make sure nothing was modified
- Access Point sends the decrypted packet over to Bob
- Bob receives the packets
- Carol sets up an intermediate Access Point called CarolWEP
- CarolWEP stands in between Alice and the Access Point, which picks up Alice's packets
- CarolWEP modifies the destination in the packet, and sends it on to the Access Point
- Access Point receives and decrypts the packet using (WEP Password || IV) from the packet prefix
- Access Point calculates CRC and compares to attached CRC
- Access Point sends the decrypted packet over to Carol
- Carol receives the packet
CRC has a flaw because it modifies bytes in place to calculate the CRC checksum, which can be used to Carol's advantage.
Therefore CRC has a property where CRC(A) ⊕ CRC(B) = CRC(A ⊕ B) which can be used with XOR's self-inverse property.
Self-Inverse Property
0xFA ⊕ 0xFA = 0
Therefore, if I wanted to edit a message, and I know the specific location of the message, then I can overwrite
it with this property while still retaining the CRC checksum and maintaining packet validity.
Example Packet Attack
Assume all values are hexadecimal.
To execute this attack, we need to know 2 things:
- The location of the bytes we want to edit, in the example below, it's index 4 - 7
- The original byte values (we can assume the attacker knows where the packet should be delivered)
Let's assume for this example, the packet only has SRC and DEST, which are 4 bytes and in order respectively.
Carol can construct 2 packets that she can XOR the encryption and cancel out the underlying DEST bytes, and replace
it with her own destination. Cancelled values are prefixed with a - sign for demonstration purposes.
| AA | BB | CC | DD | -11 | -22 | -33 | -44 | |
| ⊕ | -00 | -00 | -00 | -00 | FF | FF | FF | FF |
| ⊕ | -00 | -00 | -00 | -00 | -11 | -22 | -33 | -44 |
| = | AA | BB | CC | DD | FF | FF | FF | FF |
This demonstration is done with a plaintext, but the same idea applies even with the WEP encryption as long
as the two conditions above are met. There is another intermediate step not mentioned here, but the CRC is
calculated for each buffer she uses, and XOR'ed on top of the CRC that is attached to the end of the packet.
We ran into an issue with our design with determining how we would forward packets to ip addresses.
So instead we came up with an alternative design:
- We map an ip address to a specific port e.g. alice's ip -> port 50000
- We will have Alice, CarolWEP, and AP as clients to send and transmit packets; CarolWEP, AP, Carol, and Bob as servers to receive packets
- We would have CarolWEP edit half the packets and send the received packets to AP, which would decrypt and send to the appropriate receivers.
This mapping of IPV4 addresses to ports has its flaws, we can't emulate CarolWEP utilizing the Man in the Middle attack because it cannot spoof itself
However it still demonstrates the attack on the encryption / packet validity over CRC32 and WEP Protocol very clearly.
| Entity | IPv4 | Port |
|---|---|---|
| Alice | 169.235.16.75 | 50000 |
| CarolWEP | 100.100.100.100 | 49500 |
| Access Point | 255.255.255.255 | 49000 |
| Bob | 141.212.113.199 | 48500 |
| Carol | 128.2.42.95 | 48000 |
This attack works if Carol is able to receive a response from the Access Point about dropped packets.
- Carol has to have access to the message + CRC(message)
- Carol starts by reverse engineering the CRC(message), and stepping backwards from it
- Let message' be when Carol chops off the last byte of the message
- From now on, we'll call Carol's updates crc
- Carol sets crc = crc ⊕ 0xFFFFFFFF
- Carol searches for a top byte table index match with the top byte of crc and stores that index as crc_index
- Carol sets crc = crc ⊕ table[crc_index]
- Carol shifts crc left 8 bits
- Carol is now looking for the last byte that matches CRC(message') ⊕ 0xFFFFFFFF
- Carol can find the last byte value from the message with: crc_index ⊕ last byte
The way CRC is calculated, is that it modifies byte by byte. As I add more bytes, the CRC expands to fit that extra byte.
So essentially each of the CRC calculations in each step before are all valid for those substrings.
So this attack works by working backwards for each CRC calculation on the substrings. When we reverse engineer the CRC
calculation, we look for the table index that was used before to calculate this current CRC. However the drawback is that
because the original CRC calculation shifts it over a byte, we essentially need to guess the last byte in the CRC substring
Luckily this is at most 256 guesses, and once we have that, we use ⊕'s commutative property and use the CRC last byte ⊕ table index
for the value of the last byte of the original message.