Plaintext Recovery Attacks Against WPA/TKIP

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Plaintext Recovery Attacks Against WPA/TKIP"

Transcription

1 Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London! The 21st International Workshop on Fast Software Encryption March 4th, 2014!

2 Agenda Introduction to WPA/TKIP Biases in the WPA/TKIP keystreams Plaintext recovery attack for the repeated plaintext setting Exploiting TSCs for improved attacks Concluding remarks/open problems 2

3 Introduction to WPA/TKIP!! Client IEEE encryption Access point!! Wireless traffic!! IEEE standards for wireless LAN encryption 1999: WEP (Wired Equivalent Privacy) 2003: WPA (WiFi Protected Access) 2004: WPA2 (WiFi Protected Access 2) 3

4 Introduction to WPA/TKIP WEP Badly broken: Key recovery attack based on RC4 weakness and construction of RC4 key from 24-but known IV and unknown, but fixed key 10k~20k packets needed for key recovery Proposed by IEEE as an intermediate solution WPA Allows reuse of the hardware implementing WEP Introduction of supposedly better per-frame RC4 key through the Temporal Key Integrity Protocol (TKIP) WPA2 Introduces a stronger cryptographic solution based on AES-CCM (Includes optional support for TKIP) 4

5 Introduction to WPA/TKIP WPA was only intended as a temporary fix However, WPA is still in widespread use today Vanhoef-Piessens (2013) surveyed 6803 wireless networks: 19% 29% 71% 81% Permit WPA/TKIP Only allow WPA/TKIP This makes the continued analysis of WPA/TKIP worthwhile 5

6 Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 RC4 keystream Payload MIC WPA Frame : Header Ciphertext 6

7 Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 key: K0 K1 K2 104 bits 128 bits K0 K1 K2 = TSC1 = (TSC1 0x20) & 0x7f = TSC0 TSC0, TSC1 Two least significant bytes of TSC 7

8 Previous Attacks on WPA/TKIP Tews-Beck (2009): Rate-limited plaintext recovery Active attack based on chop-chop method for recovering plaintext Requires support for alternative QoS channels to by-pass anti-replay protection Rate-limited since correctness of plaintext guess is indicated by MIC verification failure, and only 2 failures per minute are tolerated! Sepehrdad-Vaudenay-Vuagnoux (2011): Statistical key recovery attack using 2 38 known plain texts and 2 96 operations 8

9 New Plaintext Recovery Attacks 9

10 RC4 with Random 128-bit Keys Recent work* has shown that RC4 with random 128-bit keys has significant biases in all of its initial keystream bytes Such biases enable plaintext recovery if sufficiently many encryptions of the same plaintext are available Uses simple Bayesian statistical analysis Applicable in multi-session or broadcast attack scenario * AlFardan-Berstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013) 10

11 Plaintext Recovery Encryptions of plaintext under different keys Plaintext candidate byte Pr Zr : keystream byte at position r C1 C2 C3 r Pr Pr Pr Induced distribution on Zr combine with known distribution of Zr Ciphertext distribution at position 16 Probability Cn Pr Byte value [ ] Recovery algorithm: Compute most likely plaintext byte Likelihood of Pr being correct plaintext byte 11

12 Applications Technique successfully applied to RC4 as used in SSL/TLS by AlFardan- Bernstein-Paterson-Schuldt (2013) Attack realizable in TLS context using client-side Javascript, resulting in session cookie recovery (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases is preferable)! Applicable to RC4 with WPA/TKIP keys? Every frame has a new key i.e. naturally close to the broadcast attack setting Repeated encryption of the same target plaintext still required WPA/TKIP specific biases? 12

13 Biases in WPA/TKIP Keystreams Recall that WPA/TKIP keys have additional structure compared to random keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 This structure leads to significant changes in the biases in the RC4 keystream compared to random keys 13

14 Biases in WPA/TKIP: Keystream Byte 1 and 17 Keystream byte 1 Keystream byte %' 0.395%' 0.394%' 0.394%' 0.393%' 0.392%' 0.393%' Probability* 0.391%' 0.390%' Probability* 0.392%' 0.391%' 0.389%' 0.388%' 0.390%' 0.387%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* 0.389%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* WPA/TKIP RC4 keys Random RC4 keys 14

15 Comparison with Biases for 128-bit Random RC4 Keys Random RC4 keys WPA/TKIP keys Byte value [ ] Byte value [ ] Position [ ] Position [ ] Color encoding: absolute strength of bias

16 Comparison with Biases for 128-bit Random RC4 Keys Byte value [ ] Position [ ]

17 Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 17

18 Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 18

19 Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 19

20 Plaintext Recovery Rate 2 30 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 20

21 Exploiting TSCs 21

22 Exploiting TSC Information Again, recall the special structure of WPA/TKIP keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 Idea: identify and exploit (TSC0, TSC1)-specific biases Plaintext recovery attack based (TSC0, TSC1)-specific biases: 1. Group ciphertexts into 2 16 groups according to (TSC0, TSC1) value 2. Carry out likelihood analysis for each group using appropriate keystream distribution 3. Combine likelihoods across groups to recover plaintext 22

23 Existence of Large (TSC0, TSC1)-specific Biases (TSC0, TSC1) = (0x00, 0x00) 0.550%& 0.410%' 0.500%& 0.405%' 0.450%& Probability* 0.400%& 0.350%& Probability* 0.400%' 0.395%' 0.300%& 0.390%' 0.250%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Byte*value* 0.385%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* Keystream byte 1 Keystream byte 17 (TSC0, TSC1)-specific RC4 keys RC4 keys with random (TSC0, TSC1) 23

24 Computational Requirements for (TSC0, TSC1)-specific Attack Problem: A very large number of keystreams are required to get an accurate estimate for the (TSC0, TSC1)-specific keystream distributions Minimum: Ideally: 2 32 keystreams per (TSC0, TSC1) pair 2 40 keystreams per (TSC0, TSC1) pair ~2 34 keystreams per core day 2 16 = 2 48 (TSC0, TSC1) pairs Keystreams 2 16 = 2 56 (TSC0, TSC1) pairs Keystreams = ~2 14 core days = ~2 22 core days 24

25 TSC0 Aggregation TSC1 is used to compute two key bytes; TSC0 only one: K0 = TSC1 K1 = (TSC1 & 0x20) 0x7f K2 = TSC0 Hence, we might expect significant biases to be strongly correlated with TSC1 Experiments confirm this Alternative plaintext recovery attack Group ciphertexts according to TSC1 and carry out likelihood analysis based on TSC1-specific keystream estimates Reduced required number of keystreams with a factor of

26 Location of Large TSC1 Specific Biases Byte value vs. position TSC1 vs. position Byte value [ ] TSC1 [ ] Position [ ] Position [ ] Color encoding: absolute strength of largest bias

27 Plaintext Recovery Rate 2 20 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 27

28 Plaintext Recovery Rate 2 22 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 28

29 Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 29

30 Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 30

31 Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 31

32 Comparison of Plaintext Recovery Rates 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 32

33 Comparison of Average Plaintext Recovery Rate 100%# 80%# TSC1 specific attack Recovery(rate( 60%# 40%# Standard attack 20%# Dashed lines: Even positions 0%# 18# 20# 22# 24# 26# 28# 30# 32# Number(of(frames((log)( 33

34 Concluding Remarks/Open Problems 34

35 Concluding Remarks Plaintext recovery for WPA/TKIP is possible for the first 256 plaintext bytes, provided that sufficiently many independent encryptions of the same plaintext are available Security is far below the expected level of protection implied by the 128-bit key Suitable targets for attack might include fixed but unknown fields in encapsulated protocol headers or HTTP traffic via client-side Javascript Our attack complements known attacks on WPA/TKIP: Passive rather than active (cf. Tews-Beck) Ciphertext-only rather than known-plaintext (cf. Sepehrdad et al.) Moderate amounts of ciphertext and computation But requires repeated encryption of plaintext 35

36 Open Problems Explain all the observed bias behaviour Some progress has already been made by SenGupta-Maitra-Meier-Paul-Sarkar (next talk!) Not essential for our plaintext recovery attack, but important for deeper understanding of RC4 in WPA/TKIP and for developing new attacks! Carry out larger scale keystream bias computation over all (TSC0,TSC1) values and investigate how much improvement over our TSC0-aggregated attack is possible Study other real-world applications of RC4 in which keys are changed frequently and/or have additional structure 36

37 Questions? 37

Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases

Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Overview RC4 Attacking RC4 in TLS Big bias

More information

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS Mathy Vanhoef and Frank Piessens, KU Leuven USENIX Security 2015 RC4 Intriguingly simple stream cipher WEP WPA-TKIP SSL / TLS PPP/MPPE And

More information

Full Plaintext Recovery Attack on Broadcast RC4

Full Plaintext Recovery Attack on Broadcast RC4 11 March, 2013 FSE 2013 @ Singapore Full Plaintext Recovery Attack on Broadcast RC4 Takanori Isobe () Toshihiro Ohigashi (Hiroshima University) Yuhei Watanabe () Masakatu Morii () Target Broadcast setting

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE

More information

The Final Nail in WEP s Coffin

The Final Nail in WEP s Coffin 1/19 The Final Nail in WEP s Coffin Andrea Bittau 1 Mark Handley 1 Joshua Lackey 2 May 24, 2006 1 University College London. 2 Microsoft. Wired Equivalent Privacy 2/19 WEP is the 802.11 standard for encryption.

More information

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017 Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview

More information

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities Wireless Security Comp Sci 3600 Security Outline 1 2 3 Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components Locations and types of attack Outline 1 2 3 Wired Equivalent

More information

Securing Your Wireless LAN

Securing Your Wireless LAN Securing Your Wireless LAN Pejman Roshan Product Manager Cisco Aironet Wireless Networking Session Number 1 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP

More information

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014 Network Security Security in local-area networks Radboud University Nijmegen, The Netherlands Autumn 2014 Announcement Exercise class (werkcollege) time and room changed: Friday, 15:30-17:30, in LIN 8

More information

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma Temporal Key Integrity Protocol: TKIP Tim Fielder University of Tulsa Tulsa, Oklahoma History IEEE released the first 802.11 specification back in 1997 The Wired Equivalent Privacy (WEP) authentication/encryption

More information

Configuring WEP and WEP Features

Configuring WEP and WEP Features CHAPTER 9 This chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), and Temporal Key Integrity Protocol (TKIP). This chapter contains these sections: Understanding

More information

Network Security. Security in local-area networks. Radboud University, The Netherlands. Spring 2017

Network Security. Security in local-area networks. Radboud University, The Netherlands. Spring 2017 Network Security Security in local-area networks Radboud University, The Netherlands Spring 2017 A two-slide intro to networking I Command on tyrion: netcat -lp 51966 Command on arya: echo "Hi tyrion"

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Configuring Cipher Suites and WEP

Configuring Cipher Suites and WEP 10 CHAPTER This chapter describes how to configure the cipher suites required to use WPA authenticated key management, Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and broadcast

More information

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017 KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that

More information

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014 Network Security Security in local-area networks Radboud University Nijmegen, The Netherlands Autumn 2014 Announcement Exercise class (werkcollege) time and room changed: Friday, 15:30-17:30, in LIN 8

More information

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018 KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that s secure? Seems so! No attacks

More information

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018 KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned

More information

Security and Authentication for Wireless Networks

Security and Authentication for Wireless Networks University of New Orleans ScholarWorks@UNO University of New Orleans Theses and Dissertations Dissertations and Theses 5-21-2004 Security and Authentication for 802.11 Wireless Networks Michel Getraide

More information

Wireless LAN Security. Gabriel Clothier

Wireless LAN Security. Gabriel Clothier Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group

More information

Double-DES, Triple-DES & Modes of Operation

Double-DES, Triple-DES & Modes of Operation Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES

More information

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder. Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/

More information

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries

More information

Secure Internet Communication

Secure Internet Communication Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange

More information

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner Analysis of 802.11 Security or Wired Equivalent Privacy Isn t Nikita Borisov, Ian Goldberg, and David Wagner WEP Protocol Wired Equivalent Privacy Part of the 802.11 Link-layer security protocol Security

More information

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Outline Network Security EECE 412 Link & end-to-end protocols SSL/TLS WPA Copyright 2004 Konstantin Beznosov 2 Networks Link and End-to-End Protocols

More information

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step RC4 RC4 1 RC4 Invented by Ron Rivest o RC is Ron s Code or Rivest Cipher A stream cipher Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is too good to be true

More information

Chapter 6 Contemporary Symmetric Ciphers

Chapter 6 Contemporary Symmetric Ciphers Chapter 6 Contemporary Symmetric Ciphers "I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED Part V ECHONET Lite System Design Guidelines i 2011 (2012) ALL RIGHTS RESERVED The specifications published by the ECHONET Consortium are established without regard to industrial property rights (e.g.,

More information

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz, Benedikt Gierlichs KU Leuven, imec - COSIC CARDIS 2017 Once upon a time... 14 November 2017 Benedikt Gierlichs - DPA on

More information

Wireless LANs: outline. wireless and WiFi security: WEP, i, WPA, WPA2. networking security wireless ad-hoc and mesh networks

Wireless LANs: outline. wireless and WiFi security: WEP, i, WPA, WPA2. networking security wireless ad-hoc and mesh networks Wireless LANs: outline wireless 802.11 and WiFi. 802.11 security: WEP, 802.11i, WPA, WPA2. networking security wireless ad-hoc and mesh networks ISM bands to operate most radios, a license is needed from

More information

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA Journal of Computer Science Original Research Paper CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE 802.11i): A Comparison with DES and RSA 1 Velayutham, R. and 2 D. Manimegalai

More information

Wireless Networked Systems

Wireless Networked Systems Wireless Networked Systems CS 795/895 - Spring 2013 Lec #5: Medium Access Control High Throughput, Security Tamer Nadeem Dept. of Computer Science High Throughput Networks (802.11n) Slides adapted from

More information

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher Nishith Sinha Mallika Chawda Kishore Bhamidipati Assistant Professor ABSTRACT RC4 is one of the most widely used stream

More information

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91 Stream ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 91 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 92 Stream Cipher Suppose you want to encrypt

More information

Private-Key Encryption

Private-Key Encryption Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 32 Outline 1 Historical Ciphers 2 Probability Review 3 Security Definitions: Perfect Secrecy 4 One Time Pad (OTP) 2

More information

Securing a Wireless LAN

Securing a Wireless LAN Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access

More information

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT 1 MANIKANDAN.G, 2 MANIKANDAN.R, 3 RAJENDIRAN.P, 4 KRISHNAN.G, 5 SUNDARGANESH.G 1 Assistant Professor, School of Computing, SASTRA University,

More information

Is Your Wireless Network Being Hacked?

Is Your Wireless Network Being Hacked? The ITB Journal Volume 9 Issue 1 Article 5 2008 Is Your Wireless Network Being Hacked? Paul King Ivan Smyth Anthony Keane Follow this and additional works at: http://arrow.dit.ie/itbj Part of the Computer

More information

COSC4377. Chapter 8 roadmap

COSC4377. Chapter 8 roadmap Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7

More information

Security of WiFi networks MARCIN TUNIA

Security of WiFi networks MARCIN TUNIA Security of WiFi networks MARCIN TUNIA Agenda 1. Wireless standards 2. Hidden network and MAC filtering protection bypassing 3. Encryption independent attacks 4. Attacks on WEP 5. Attacks on WPA/WPA2 6.

More information

Implementing Cryptography: Good Theory vs. Bad Practice

Implementing Cryptography: Good Theory vs. Bad Practice Implementing Cryptography: Good Theory vs. Bad Practice Viet Pham Information Security Group, Department of Mathematics Royal Holloway, University of London Outline News report What is cryptography? Why

More information

Burglarproof WEP Protocol on Wireless Infrastructure

Burglarproof WEP Protocol on Wireless Infrastructure Association for Information Systems AIS Electronic Library (AISeL) PACIS 2006 Proceedings Pacific Asia Conference on Information Systems (PACIS) 2006 Burglarproof WEP Protocol on Wireless Infrastructure

More information

HACKING & INFORMATION SECURITY Presents: - With TechNext

HACKING & INFORMATION SECURITY Presents: - With TechNext HACKING & INFORMATION SECURITY Presents: - With TechNext We Are The Speakers Sudarshan Pawar Cer.fied Security Expert(C.S.E.) Cer.fied Informa.on Security Specialist (C.I.S.S.) Security Xplained (TechNext

More information

Cryptanalysis of IEEE i TKIP

Cryptanalysis of IEEE i TKIP Cryptanalysis of IEEE 802.11i TKIP Finn Michael Halvorsen Olav Haugen Master of Science in Communication Technology Submission date: June 2009 Supervisor: Stig Frode Mjølsnes, ITEM Co-supervisor: Martin

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Applications and Standards Third Edition William Stallings Chapter 2 Symmetric Encryption and Message Confidentiality Dr. BHARGAVI H. GOSWAMI Department of Computer Science

More information

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry,, David Wagner Presented by Paul Ruggieri 1 Introduction What is TinySec? Link-layer security architecture

More information

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS George W. Dinolt, James Bret Michael, Nikolaos Petrakos, Pantelimon Stanica Short-range (Bluetooth) and to so extent medium-range (WiFi) wireless

More information

Cryptanalysis. Ed Crowley

Cryptanalysis. Ed Crowley Cryptanalysis Ed Crowley 1 Topics Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types 2 Cryptanalysis Science of cracking ciphers and codes, decoding secrets,

More information

Block Cipher Operation. CS 6313 Fall ASU

Block Cipher Operation. CS 6313 Fall ASU Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES

More information

Appendix E Wireless Networking Basics

Appendix E Wireless Networking Basics Appendix E Wireless Networking Basics This chapter provides an overview of Wireless networking. Wireless Networking Overview The FWG114P v2 Wireless Firewall/Print Server conforms to the Institute of Electrical

More information

WPA Migration Mode: WEP is back to haunt you

WPA Migration Mode: WEP is back to haunt you Black Hat USA 2010 WPA Migration Mode: WEP is back to haunt you Leandro Meiners (lmeiners@coresecurity.com / @gmail.com) Diego Sor (dsor@coresecurity.com / diegos@gmail.com) Page 1 WPA Migration Mode:

More information

Impact of New Highly Secure Scheme on Wireless Network Performance

Impact of New Highly Secure Scheme on Wireless Network Performance International Journal of Computer Applications (975 8887) Impact of New Highly Secure Scheme on Wireless Network 82.11 Performance Brijesh Singh Yadav UPRVUNL Lucknow, U.P. (India) Parul Yadav Amity University,

More information

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp 2013 Summer Camp: Wireless LAN Security Exercises 2013 JMU Cyber Defense Boot Camp Questions Have you used a wireless local area network before? At home? At work? Have you configured a wireless AP before?

More information

FAQ on Cisco Aironet Wireless Security

FAQ on Cisco Aironet Wireless Security FAQ on Cisco Aironet Wireless Security Document ID: 68583 Contents Introduction General FAQ Troubleshooting and Design FAQ Related Information Introduction This document provides information on the most

More information

Security Setup CHAPTER

Security Setup CHAPTER CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP

More information

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Frequently Asked Questions WPA2 Vulnerability (KRACK) Frequently Asked Questions WPA2 Vulnerability (KRACK) Release Date: October 20, 2017 Document version: 1.0 What is the issue? A research paper disclosed serious vulnerabilities in the WPA and WPA2 key

More information

WPA-GPG: Wireless authentication using GPG Key

WPA-GPG: Wireless authentication using GPG Key Università degli Studi di Bologna DEIS WPA-GPG: Wireless authentication using GPG Key Gabriele Monti December 9, 2009 DEIS Technical Report no. DEIS-LIA-007-09 LIA Series no. 97 WPA-GPG: Wireless authentication

More information

Wireless Networking WiFi Standards 802.11a 5GHz 54MB 802.11b 2.4 GHz 11MB 802.11g 2.4GHz 52MB 802.11n 2.4/5GHz 108MB 802.11b The 802.11b standard has a maximum raw data rate of 11 Mbit/s, and uses

More information

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc. The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0 Xirrus, Inc. March 8, 2011 Copyright Xirrus, Inc. 2011. May be reproduced only in its original entirety [without revision]. Page 1 TABLE

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

Wireless Security Security problems in Wireless Networks

Wireless Security Security problems in Wireless Networks Wireless Security Security problems in Wireless Networks Security of Wireless Networks Wireless networks are everywhere more and more electronic devices are becoming wireless However, ensuring security

More information

Weaknesses in HENKOS Stream Cipher

Weaknesses in HENKOS Stream Cipher Weaknesses in HENKOS Stream Cipher Prasanth Kumar Thandra and S.A.V. Satya Murty Indira Gandhi Centre for Atomic Research, Kalpakkam, Tamilnadu 603102. R Balasubramanian, Institute of Mathematical Sciences,

More information

Cryptanalysis of RC4(n, m) Stream Cipher

Cryptanalysis of RC4(n, m) Stream Cipher Cryptanalysis of RC4(n, m) Stream Cipher Mohammad Ali Orumiehchiha 1, Josef Pieprzyk 1, Elham Shakour 2 and Ron Steinfeld 3 1 Center for Advanced Computing, Algorithms and Cryptography, Department of Computing,

More information

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved. 1 Session Number Denver Tech Days 2002 WLAN Security Mike Morrato System Engineer Cisco Systems April 10, 2002 2 Agenda Past security methods in Wireless LANs The problem with 802.11 - Wireless Insecurity

More information

The Launch GDS can be updated via a wireless internet connection as well as by USB or cat5 cable.

The Launch GDS can be updated via a wireless internet connection as well as by USB or cat5 cable. LAUNCH Wifi Setup Procedure The Launch GDS can be updated via a wireless internet connection as well as by USB or cat5 cable. If you are in a wifi hotspot or have an open network available simply choose

More information

Findings for

Findings for Findings for 198.51.100.23 Scan started: 2017-07-11 12:30 UTC Scan ended: 2017-07-11 12:39 UTC Overview Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 80/tcp

More information

On the Applicability of Distinguishing Attacks Against Stream Ciphers

On the Applicability of Distinguishing Attacks Against Stream Ciphers On the Applicability of Distinguishing Attacks Against Stream Ciphers Greg Rose, Philip Hawkes QUALCOMM Australia {ggr, phawkes}@qualcomm.com Abstract. We demonstrate that the existence of distinguishing

More information

Statistical Analysis of the Alleged RC4 Keystream Generator

Statistical Analysis of the Alleged RC4 Keystream Generator Statistical Analysis of the Alleged RC4 Keystream Generator Scott R. Fluhrer and David A. McGrew Cisco Systems, Inc. 170 West Tasman Drive, San Jose, CA 95134 {sfluhrer, mcgrew}@cisco.com Abstract. The

More information

Security in Data Link Protocols

Security in Data Link Protocols Security in 802.11 Data Link Protocols Gianluca Dini!"#$%&'(&)*+"+*",-.&/"001)*(',2.3-'*" University of Pisa, Italy Via Diotisalvi 2, 56100 Pisa gianluca.dini@ing.unipi.it!"#$%&#'()*(+(#,-.,#./$#0(1&2*,$#32%')(4#1./#

More information

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However,

More information

Authenticated Encryption

Authenticated Encryption 18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:

More information

Advanced Security and Mobile Networks

Advanced Security and Mobile Networks Advanced Security and Mobile Networks W.Buchanan (1) 9. GSM/3G Unit 7: Mobile Networks. Wireless. Security. Mobile IP. Mobile Agents. Spread spectrum. Military/Emergency Networks 8. Ad-hoc 7. Mobile Networks

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran

More information

IPSec. Overview. Overview. Levente Buttyán

IPSec. Overview. Overview. Levente Buttyán IPSec - brief overview - security associations (SAs) - Authentication Header (AH) protocol - Encapsulated Security Payload () protocol - combining SAs (examples) Overview Overview IPSec is an Internet

More information

Message authentication codes

Message authentication codes Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher

More information

Chapter 17. Wireless Network Security

Chapter 17. Wireless Network Security Chapter 17 Wireless Network Security IEEE 802.11 IEEE 802 committee for LAN standards IEEE 802.11 formed in 1990 s, to develop a protocol & transmission specifications for wireless LANs (WLANs) Demand

More information

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product.

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product. CWNP EXAM - PW0-204 Certified Wireless Security Professional (CWSP) Buy Full Product http://www.examskey.com/pw0-204.html Examskey CWNP PW0-204 exam demo product is here for you to test the quality of

More information

Network Security Chapter 8

Network Security Chapter 8 Network Security Chapter 8 Cryptography Symmetric-Key Algorithms Public-Key Algorithms Digital Signatures Management of Public Keys Communication Security Authentication Protocols Email Security Web Security

More information

The following chart provides the breakdown of exam as to the weight of each section of the exam.

The following chart provides the breakdown of exam as to the weight of each section of the exam. Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those

More information

Overview of TLS v1.3 What s new, what s removed and what s changed?

Overview of TLS v1.3 What s new, what s removed and what s changed? Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Solution Architect / Principal Design Engineer. On Worldpay ecommerce Payment Gateways. Based in Cambridge, UK.

More information

ECE 646 Lecture 8. Modes of operation of block ciphers

ECE 646 Lecture 8. Modes of operation of block ciphers ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.

More information

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

A Configuration Protocol for Embedded Devices on Secure Wireless Networks A Configuration Protocol for Embedded Devices on Secure Wireless Networks Larry Sanders lsanders@ittc.ku.edu 6 May 2003 Introduction Wi-Fi Alliance Formally Wireless Ethernet Compatibility Alliance (WECA)

More information

Configuring the Radio Network

Configuring the Radio Network CHAPTER 4 This chapter describes the procedures for configuring the bridge s radio network. Here s what you ll find in this chapter: Using the Configuration Radio Menu, page 4-2 Establishing an SSID (Ssid),

More information

CS263: Wireless Communications and Sensor Networks

CS263: Wireless Communications and Sensor Networks CS263: Wireless Communications and Sensor Networks Matt Welsh Lecture 5: The 802.11 Standard October 7, 2004 2004 Matt Welsh Harvard University 1 All about 802.11 Today's Lecture CSMA/CD MAC and DCF WEP

More information

Wireless# Guide to Wireless Communications. Objectives

Wireless# Guide to Wireless Communications. Objectives Wireless# Guide to Wireless Communications Chapter 8 High-Speed WLANs and WLAN Security Objectives Describe how IEEE 802.11a networks function and how they differ from 802.11 networks Outline how 802.11g

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran

More information

Security in Data Link Protocols

Security in Data Link Protocols Security in 802.11 Data Link Protocols Gianluca Dini Dept. of Ingegneria dell Informazione University of Pisa, Italy Via Diotisalvi 2, 56100 Pisa gianluca.dini@ing.unipi.it If you believe that any security

More information

The IPsec protocols. Overview

The IPsec protocols. Overview The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () (c) Levente Buttyán (buttyan@crysys.hu) Overview

More information

CS Protocol Design. Prof. Clarkson Spring 2017

CS Protocol Design. Prof. Clarkson Spring 2017 CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,

More information

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,

More information

Error Oracle Attacks on CBC Mode:

Error Oracle Attacks on CBC Mode: Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption? Chris J. Mitchell Technical Report RHUL MA 2005 7 30 April 2005 Royal Holloway University of London Department of Mathematics

More information

Configuring a WLAN for Static WEP

Configuring a WLAN for Static WEP Restrictions for Configuring Static WEP, page 1 Information About WLAN for Static WEP, page 1 Configuring WPA1+WPA2, page 3 Restrictions for Configuring Static WEP The OEAP 600 series does not support

More information

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No.

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No. A Division of Cisco Systems, Inc. GHz 2.4 802.11g WIRELESS Wireless-G USB Network Adapter User Guide Model No. WUSB54G Copyright and Trademarks Specifications are subject to change without notice. Linksys

More information

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc.

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc. A Division of Cisco Systems, Inc. Dual-Band 5 GHz 802.11a + GHz 2.4 802.11g WIRELESS Dual-Band Wireless A+G Notebook Adapter User Guide Model No. WPC55AG Copyright and Trademarks Specifications are subject

More information

From wired internet to ubiquitous wireless internet

From wired internet to ubiquitous wireless internet WlanSmartcard.org Technical Committee Wireless LAN A primer guide. Paris, February 5 th Pascal.Urien@enst.fr From wired internet to ubiquitous wireless internet 1 Classical intranet. Network access is

More information

Computer Networks Security: intro. CS Computer Systems Security

Computer Networks Security: intro. CS Computer Systems Security Computer Networks Security: intro CS 166 - Computer Systems Security A very easy network 3/14/16 Computer Networks: Intro 2 Two philosophers example Translator Language Translator Engineer Communication

More information

CIT 380: Securing Computer Systems. Network Security Concepts

CIT 380: Securing Computer Systems. Network Security Concepts CIT 380: Securing Computer Systems Network Security Concepts Topics 1. Protocols and Layers 2. Layer 2 Network Concepts 3. MAC Spoofing 4. ARP 5. ARP Spoofing 6. Network Sniffing Protocols A protocol defines

More information

Wireless Terms. Uses a Chipping Sequence to Provide Reliable Higher Speed Data Communications Than FHSS

Wireless Terms. Uses a Chipping Sequence to Provide Reliable Higher Speed Data Communications Than FHSS How to Set Up a Secure Home Wireless Network What you don t know about setting up a home wireless network can hurt you. 2008 APCUG Convention Session Tom Jones, P.E., RCDD-NTS CQS-CWLSS AGENDA Some Terms

More information