Plaintext Recovery Attacks Against WPA/TKIP
|
|
- Abner Jefferson
- 6 years ago
- Views:
Transcription
1 Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London! The 21st International Workshop on Fast Software Encryption March 4th, 2014!
2 Agenda Introduction to WPA/TKIP Biases in the WPA/TKIP keystreams Plaintext recovery attack for the repeated plaintext setting Exploiting TSCs for improved attacks Concluding remarks/open problems 2
3 Introduction to WPA/TKIP!! Client IEEE encryption Access point!! Wireless traffic!! IEEE standards for wireless LAN encryption 1999: WEP (Wired Equivalent Privacy) 2003: WPA (WiFi Protected Access) 2004: WPA2 (WiFi Protected Access 2) 3
4 Introduction to WPA/TKIP WEP Badly broken: Key recovery attack based on RC4 weakness and construction of RC4 key from 24-but known IV and unknown, but fixed key 10k~20k packets needed for key recovery Proposed by IEEE as an intermediate solution WPA Allows reuse of the hardware implementing WEP Introduction of supposedly better per-frame RC4 key through the Temporal Key Integrity Protocol (TKIP) WPA2 Introduces a stronger cryptographic solution based on AES-CCM (Includes optional support for TKIP) 4
5 Introduction to WPA/TKIP WPA was only intended as a temporary fix However, WPA is still in widespread use today Vanhoef-Piessens (2013) surveyed 6803 wireless networks: 19% 29% 71% 81% Permit WPA/TKIP Only allow WPA/TKIP This makes the continued analysis of WPA/TKIP worthwhile 5
6 Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 RC4 keystream Payload MIC WPA Frame : Header Ciphertext 6
7 Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 key: K0 K1 K2 104 bits 128 bits K0 K1 K2 = TSC1 = (TSC1 0x20) & 0x7f = TSC0 TSC0, TSC1 Two least significant bytes of TSC 7
8 Previous Attacks on WPA/TKIP Tews-Beck (2009): Rate-limited plaintext recovery Active attack based on chop-chop method for recovering plaintext Requires support for alternative QoS channels to by-pass anti-replay protection Rate-limited since correctness of plaintext guess is indicated by MIC verification failure, and only 2 failures per minute are tolerated! Sepehrdad-Vaudenay-Vuagnoux (2011): Statistical key recovery attack using 2 38 known plain texts and 2 96 operations 8
9 New Plaintext Recovery Attacks 9
10 RC4 with Random 128-bit Keys Recent work* has shown that RC4 with random 128-bit keys has significant biases in all of its initial keystream bytes Such biases enable plaintext recovery if sufficiently many encryptions of the same plaintext are available Uses simple Bayesian statistical analysis Applicable in multi-session or broadcast attack scenario * AlFardan-Berstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013) 10
11 Plaintext Recovery Encryptions of plaintext under different keys Plaintext candidate byte Pr Zr : keystream byte at position r C1 C2 C3 r Pr Pr Pr Induced distribution on Zr combine with known distribution of Zr Ciphertext distribution at position 16 Probability Cn Pr Byte value [ ] Recovery algorithm: Compute most likely plaintext byte Likelihood of Pr being correct plaintext byte 11
12 Applications Technique successfully applied to RC4 as used in SSL/TLS by AlFardan- Bernstein-Paterson-Schuldt (2013) Attack realizable in TLS context using client-side Javascript, resulting in session cookie recovery (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases is preferable)! Applicable to RC4 with WPA/TKIP keys? Every frame has a new key i.e. naturally close to the broadcast attack setting Repeated encryption of the same target plaintext still required WPA/TKIP specific biases? 12
13 Biases in WPA/TKIP Keystreams Recall that WPA/TKIP keys have additional structure compared to random keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 This structure leads to significant changes in the biases in the RC4 keystream compared to random keys 13
14 Biases in WPA/TKIP: Keystream Byte 1 and 17 Keystream byte 1 Keystream byte %' 0.395%' 0.394%' 0.394%' 0.393%' 0.392%' 0.393%' Probability* 0.391%' 0.390%' Probability* 0.392%' 0.391%' 0.389%' 0.388%' 0.390%' 0.387%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* 0.389%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* WPA/TKIP RC4 keys Random RC4 keys 14
15 Comparison with Biases for 128-bit Random RC4 Keys Random RC4 keys WPA/TKIP keys Byte value [ ] Byte value [ ] Position [ ] Position [ ] Color encoding: absolute strength of bias
16 Comparison with Biases for 128-bit Random RC4 Keys Byte value [ ] Position [ ]
17 Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 17
18 Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 18
19 Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 19
20 Plaintext Recovery Rate 2 30 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 20
21 Exploiting TSCs 21
22 Exploiting TSC Information Again, recall the special structure of WPA/TKIP keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 Idea: identify and exploit (TSC0, TSC1)-specific biases Plaintext recovery attack based (TSC0, TSC1)-specific biases: 1. Group ciphertexts into 2 16 groups according to (TSC0, TSC1) value 2. Carry out likelihood analysis for each group using appropriate keystream distribution 3. Combine likelihoods across groups to recover plaintext 22
23 Existence of Large (TSC0, TSC1)-specific Biases (TSC0, TSC1) = (0x00, 0x00) 0.550%& 0.410%' 0.500%& 0.405%' 0.450%& Probability* 0.400%& 0.350%& Probability* 0.400%' 0.395%' 0.300%& 0.390%' 0.250%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Byte*value* 0.385%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* Keystream byte 1 Keystream byte 17 (TSC0, TSC1)-specific RC4 keys RC4 keys with random (TSC0, TSC1) 23
24 Computational Requirements for (TSC0, TSC1)-specific Attack Problem: A very large number of keystreams are required to get an accurate estimate for the (TSC0, TSC1)-specific keystream distributions Minimum: Ideally: 2 32 keystreams per (TSC0, TSC1) pair 2 40 keystreams per (TSC0, TSC1) pair ~2 34 keystreams per core day 2 16 = 2 48 (TSC0, TSC1) pairs Keystreams 2 16 = 2 56 (TSC0, TSC1) pairs Keystreams = ~2 14 core days = ~2 22 core days 24
25 TSC0 Aggregation TSC1 is used to compute two key bytes; TSC0 only one: K0 = TSC1 K1 = (TSC1 & 0x20) 0x7f K2 = TSC0 Hence, we might expect significant biases to be strongly correlated with TSC1 Experiments confirm this Alternative plaintext recovery attack Group ciphertexts according to TSC1 and carry out likelihood analysis based on TSC1-specific keystream estimates Reduced required number of keystreams with a factor of
26 Location of Large TSC1 Specific Biases Byte value vs. position TSC1 vs. position Byte value [ ] TSC1 [ ] Position [ ] Position [ ] Color encoding: absolute strength of largest bias
27 Plaintext Recovery Rate 2 20 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 27
28 Plaintext Recovery Rate 2 22 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 28
29 Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 29
30 Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 30
31 Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 31
32 Comparison of Plaintext Recovery Rates 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 32
33 Comparison of Average Plaintext Recovery Rate 100%# 80%# TSC1 specific attack Recovery(rate( 60%# 40%# Standard attack 20%# Dashed lines: Even positions 0%# 18# 20# 22# 24# 26# 28# 30# 32# Number(of(frames((log)( 33
34 Concluding Remarks/Open Problems 34
35 Concluding Remarks Plaintext recovery for WPA/TKIP is possible for the first 256 plaintext bytes, provided that sufficiently many independent encryptions of the same plaintext are available Security is far below the expected level of protection implied by the 128-bit key Suitable targets for attack might include fixed but unknown fields in encapsulated protocol headers or HTTP traffic via client-side Javascript Our attack complements known attacks on WPA/TKIP: Passive rather than active (cf. Tews-Beck) Ciphertext-only rather than known-plaintext (cf. Sepehrdad et al.) Moderate amounts of ciphertext and computation But requires repeated encryption of plaintext 35
36 Open Problems Explain all the observed bias behaviour Some progress has already been made by SenGupta-Maitra-Meier-Paul-Sarkar (next talk!) Not essential for our plaintext recovery attack, but important for deeper understanding of RC4 in WPA/TKIP and for developing new attacks! Carry out larger scale keystream bias computation over all (TSC0,TSC1) values and investigate how much improvement over our TSC0-aggregated attack is possible Study other real-world applications of RC4 in which keys are changed frequently and/or have additional structure 36
37 Questions? 37
Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases
Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Overview RC4 Attacking RC4 in TLS Big bias
More informationAll Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS
All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS Mathy Vanhoef and Frank Piessens, KU Leuven USENIX Security 2015 RC4 Intriguingly simple stream cipher WEP WPA-TKIP SSL / TLS PPP/MPPE And
More informationFull Plaintext Recovery Attack on Broadcast RC4
11 March, 2013 FSE 2013 @ Singapore Full Plaintext Recovery Attack on Broadcast RC4 Takanori Isobe () Toshihiro Ohigashi (Hiroshima University) Yuhei Watanabe () Masakatu Morii () Target Broadcast setting
More informationTLS Security Where Do We Stand? Kenny Paterson
TLS Security Where Do We Stand? Kenny Paterson (based on joint work with Nadhem AlFardan, Dan Bernstein, Bertram Poettering, Jacob Schuldt) Information Security Group Outline TLS and the TLS Record Protocol
More information05 - WLAN Encryption and Data Integrity Protocols
05 - WLAN Encryption and Data Integrity Protocols Introduction 802.11i adds new encryption and data integrity methods. includes encryption algorithms to protect the data, cryptographic integrity checks
More informationAttacks Only Get Better: Password Recovery Attacks Against RC4 in TLS
Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Christina Garman Kenny Paterson Thyla van der Merwe Johns Hopkins University Royal Holloway, University of London 12 August 2015 Attacks
More informationCS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis
CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE
More informationSecurity in IEEE Networks
Security in IEEE 802.11 Networks Mário Nunes, Rui Silva, António Grilo March 2013 Sumário 1 Introduction to the Security Services 2 Basic security mechanisms in IEEE 802.11 2.1 Hidden SSID (Service Set
More informationThe Final Nail in WEP s Coffin
1/19 The Final Nail in WEP s Coffin Andrea Bittau 1 Mark Handley 1 Joshua Lackey 2 May 24, 2006 1 University College London. 2 Microsoft. Wired Equivalent Privacy 2/19 WEP is the 802.11 standard for encryption.
More informationKey Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview
More informationWireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities
Wireless Security Comp Sci 3600 Security Outline 1 2 3 Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components Locations and types of attack Outline 1 2 3 Wired Equivalent
More informationDifferent attacks on the RC4 stream cipher
Different attacks on the RC4 stream cipher Andreas Klein Ghent University Dept. of Pure Mathematics and Computer Algebra Krijgslaan 281 - S22 9000 Ghent Belgium Overview The RC4 algorithm Overview The
More informationConfiguring WEP and WEP Features
CHAPTER 9 This chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), and Temporal Key Integrity Protocol (TKIP). This chapter contains these sections: Understanding
More informationSecuring Your Wireless LAN
Securing Your Wireless LAN Pejman Roshan Product Manager Cisco Aironet Wireless Networking Session Number 1 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP
More informationTemporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma
Temporal Key Integrity Protocol: TKIP Tim Fielder University of Tulsa Tulsa, Oklahoma History IEEE released the first 802.11 specification back in 1997 The Wired Equivalent Privacy (WEP) authentication/encryption
More informationImproved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018
Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview
More informationNetwork Encryption 3 4/20/17
The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server
More informationManaging and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer
Managing and Securing Computer Networks Guy Leduc Chapter 7: Securing LANs Computer Networking: A Top Down Approach, 7 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2016. (section 8.8) Also
More informationPlaintext-Recovery Attacks Against Datagram TLS
Information Security Group Royal Holloway, University of London 6th Feb 2012 Contents 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6 Results
More informationConfiguring Cipher Suites and WEP
10 CHAPTER This chapter describes how to configure the cipher suites required to use WPA authenticated key management, Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and broadcast
More informationNetwork Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014
Network Security Security in local-area networks Radboud University Nijmegen, The Netherlands Autumn 2014 Announcement Exercise class (werkcollege) time and room changed: Friday, 15:30-17:30, in LIN 8
More informationLecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005
Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationKRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that
More informationCryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers
Cryptography Dr. Michael Schneider michael.schneider@h-da.de Chapter 10: Pseudorandom Bit Generators and Stream Ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Random and Pseudorandom
More informationWireless LAN Security. Gabriel Clothier
Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group
More informationKRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that s secure? Seems so! No attacks
More informationOutline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.
Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/
More informationSecurity and Authentication for Wireless Networks
University of New Orleans ScholarWorks@UNO University of New Orleans Theses and Dissertations Dissertations and Theses 5-21-2004 Security and Authentication for 802.11 Wireless Networks Michel Getraide
More informationWhat you will learn. Summary Question and Answer
What you will learn General overview of 802.11 Authentication Methods WEP Overview Key Hierarchy Encryption/Decryption WPA Overview Key Hierarchy Encryption/Decryption WPA2 Overview Encryption/Decryption
More informationKRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018
KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned
More informationWireless Security i. Lars Strand lars (at) unik no June 2004
Wireless Security - 802.11i Lars Strand lars (at) unik no June 2004 802.11 Working Group 11 of IEEE 802 'Task Groups' within the WG enhance portions of the standard: 802.11 1997: The IEEE standard for
More informationAnalyzing Wireless Security in Columbia, Missouri
Analyzing Wireless Security in Columbia, Missouri Matthew Chittum Clayton Harper John Mixon Johnathan Walton Abstract The current state of wireless security in most areas can be estimated based on trends
More informationNetwork Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014
Network Security Security in local-area networks Radboud University Nijmegen, The Netherlands Autumn 2014 Announcement Exercise class (werkcollege) time and room changed: Friday, 15:30-17:30, in LIN 8
More informationLink & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Outline Network Security EECE 412 Link & end-to-end protocols SSL/TLS WPA Copyright 2004 Konstantin Beznosov 2 Networks Link and End-to-End Protocols
More informationRC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step
RC4 RC4 1 RC4 Invented by Ron Rivest o RC is Ron s Code or Rivest Cipher A stream cipher Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is too good to be true
More informationNetwork Security. Security in local-area networks. Radboud University, The Netherlands. Spring 2017
Network Security Security in local-area networks Radboud University, The Netherlands Spring 2017 A two-slide intro to networking I Command on tyrion: netcat -lp 51966 Command on arya: echo "Hi tyrion"
More informationOverview of Security
Overview of 802.11 Security Bingdong Li Present for CPE 601 2/9/2011 Sources: 1 Jesse Walker (Intel) & 2. WinLab 1 Agenda Introduction 802.11 Basic Security Mechanisms What s Wrong? Major Risks Recommendations
More informationPhysical and Link Layer Attacks
Physical and Link Layer Attacks CMSC 414 November 1, 2017 Attenuation Physical links are subject to attenuation Copper cables have internal resistance, which degrades signal over large distances Fiber
More informationAnalysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner
Analysis of 802.11 Security or Wired Equivalent Privacy Isn t Nikita Borisov, Ian Goldberg, and David Wagner WEP Protocol Wired Equivalent Privacy Part of the 802.11 Link-layer security protocol Security
More informationDouble-DES, Triple-DES & Modes of Operation
Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationAttacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016
Attacks on SSL/TLS Applied Cryptography Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016 Timeline of attacks on SSL/TLS 2/41 SSLstrip 2010 2011 2012 2013 2014 2015 2016 BEAST POODLE
More informationCsci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.
WEP Weakness Csci388 Wireless and Mobile Security Access Control:, EAP, and Xiuzhen Cheng cheng@gwu.edu 1. IV is too short and not protected from reuse 2. The per packet key is constructed from the IV,
More informationEXAM IN TTM4137 WIRELESS SECURITY
English Norwegian University of Science and Technology Department of Telematics EXAM IN TTM4137 WIRELESS SECURITY Contact person: Professor Danilo Gligoroski. (Tel. 95089319). Date of exam: December 04,
More informationWireless LANs: outline. wireless and WiFi security: WEP, i, WPA, WPA2. networking security wireless ad-hoc and mesh networks
Wireless LANs: outline wireless 802.11 and WiFi. 802.11 security: WEP, 802.11i, WPA, WPA2. networking security wireless ad-hoc and mesh networks ISM bands to operate most radios, a license is needed from
More informationTel Aviv University. The Iby and Aladar Fleischman Faculty of Engineering
Tel Aviv University The Iby and Aladar Fleischman Faculty of Engineering The Zandman-Slaner School of Graduate Studies Estimating Closeness to the Uniform Distribution on RC4 Keystream Bytes using Property
More informationPrinciples of Information Security, Fourth Edition. Chapter 8 Cryptography
Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationWireless Network Security Spring 2015
Wireless Network Security Spring 2015 Patrick Tague Class #7 More WiFi Security 2015 Patrick Tague 1 Class #7 Continuation of WiFi security 2015 Patrick Tague 2 Device Private WiFi Networks AP Local AAA
More informationSecuring a Wireless LAN
Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access
More informationWireless Network Security
Wireless Network Security Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationWiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake
WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm imec-distrinet, KU Leuven Black Hat, 27 July 2017 Introduction More and more Wi-Fi network
More informationLab Configure Enterprise Security on AP
Lab 8.5.4.1 Configure Enterprise Security on AP Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, students will demonstrate an understanding
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationChapter 24 Wireless Network Security
Chapter 24 Wireless Network Security Wireless Security Key factors contributing to higher security risk of wireless networks compared to wired networks include: o Channel Wireless networking typically
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED
Part V ECHONET Lite System Design Guidelines i 2011 (2012) ALL RIGHTS RESERVED The specifications published by the ECHONET Consortium are established without regard to industrial property rights (e.g.,
More informationBurglarproof WEP Protocol on Wireless Infrastructure
Association for Information Systems AIS Electronic Library (AISeL) PACIS 2006 Proceedings Pacific Asia Conference on Information Systems (PACIS) 2006 Burglarproof WEP Protocol on Wireless Infrastructure
More informationDiscovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy Vanhoef, Domien Schepers, Frank Piessens imec-distrinet, KU Leuven Asia CCS 2017 Introduction More and more Wi-Fi
More informationCCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA
Journal of Computer Science Original Research Paper CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE 802.11i): A Comparison with DES and RSA 1 Velayutham, R. and 2 D. Manimegalai
More informationChapter 6 Contemporary Symmetric Ciphers
Chapter 6 Contemporary Symmetric Ciphers "I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and
More informationConfiguring Wireless Security Settings on the RV130W
Article ID: 5021 Configuring Wireless Security Settings on the RV130W Objective Wireless networking operates by sending information over radio waves, which can be more vulnerable to intruders than a traditional
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security
More informationEnhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher
Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher Nishith Sinha Mallika Chawda Kishore Bhamidipati Assistant Professor ABSTRACT RC4 is one of the most widely used stream
More informationHow crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov
How crypto fails in practice? CSS, WEP, MIFARE classic *Slides borrowed from Vitaly Shmatikov Stream Ciphers One-time pad: Ciphertext(Key,Message)=Message Key Key must be a random bit sequence as long
More informationCOSC4377. Chapter 8 roadmap
Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7
More informationWireless Network Security Spring 2016
Wireless Network Security Spring 2016 Patrick Tague Class #7 WiFi Security 1 Announcements Please do HW#2 in using the stable OMNET++ 4.6, not the beta version. Porting has proven difficult... Form project
More informationWireless Networked Systems
Wireless Networked Systems CS 795/895 - Spring 2013 Lec #5: Medium Access Control High Throughput, Security Tamer Nadeem Dept. of Computer Science High Throughput Networks (802.11n) Slides adapted from
More informationCSC 4900 Computer Networks: Security Protocols (2)
CSC 4900 Computer Networks: Security Protocols (2) Professor Henry Carter Fall 2017 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication
More informationHACKING & INFORMATION SECURITY Presents: - With TechNext
HACKING & INFORMATION SECURITY Presents: - With TechNext We Are The Speakers Sudarshan Pawar Cer.fied Security Expert(C.S.E.) Cer.fied Informa.on Security Specialist (C.I.S.S.) Security Xplained (TechNext
More informationOnce upon a time... A first-order chosen-plaintext DPA attack on the third round of DES
A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz, Benedikt Gierlichs KU Leuven, imec - COSIC CARDIS 2017 Once upon a time... 14 November 2017 Benedikt Gierlichs - DPA on
More informationSecurity Setup CHAPTER
CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP
More informationNetwork Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol
Bibliography General principles about Radius server Bibliography Network System Radius Protocol Claude Duvallet University of Le Havre Faculty of Sciences and Technology 25 rue Philippe Lebon - BP 540
More informationVulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal
Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal Lazaridis Ioannis, Pouros Sotirios, Veloudis Simeon DEI College, Thessaloniki, Greece Abstract: This paper presents
More informationImpact of New Highly Secure Scheme on Wireless Network Performance
International Journal of Computer Applications (975 8887) Impact of New Highly Secure Scheme on Wireless Network 82.11 Performance Brijesh Singh Yadav UPRVUNL Lucknow, U.P. (India) Parul Yadav Amity University,
More informationAppendix E Wireless Networking Basics
Appendix E Wireless Networking Basics This chapter provides an overview of Wireless networking. Wireless Networking Overview The FWG114P v2 Wireless Firewall/Print Server conforms to the Institute of Electrical
More informationUsing Mobile Computers Lesson 12
Using Mobile Computers Lesson 12 Objectives Understand wireless security Configure wireless networking Use Windows mobility controls Synchronize data Use BitLocker Drive Encryption Use remote network connections
More informationSecurity of WiFi networks MARCIN TUNIA
Security of WiFi networks MARCIN TUNIA Agenda 1. Wireless standards 2. Hidden network and MAC filtering protection bypassing 3. Encryption independent attacks 4. Attacks on WEP 5. Attacks on WPA/WPA2 6.
More informationBasic Wireless Settings on the CVR100W VPN Router
Basic Wireless Settings on the CVR100W VPN Router Objective A Wireless Local Area Network (WLAN) utilizes radio communication to connect wireless devices to a LAN. An example is a Wi-Fi hotspot at a cafe.
More informationCryptanalysis of IEEE i TKIP
Cryptanalysis of IEEE 802.11i TKIP Finn Michael Halvorsen Olav Haugen Master of Science in Communication Technology Submission date: June 2009 Supervisor: Stig Frode Mjølsnes, ITEM Co-supervisor: Martin
More informationAN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT
AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT 1 MANIKANDAN.G, 2 MANIKANDAN.R, 3 RAJENDIRAN.P, 4 KRISHNAN.G, 5 SUNDARGANESH.G 1 Assistant Professor, School of Computing, SASTRA University,
More informationStream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91
Stream ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 91 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 92 Stream Cipher Suppose you want to encrypt
More informationFAQ on Cisco Aironet Wireless Security
FAQ on Cisco Aironet Wireless Security Document ID: 68583 Contents Introduction General FAQ Troubleshooting and Design FAQ Related Information Introduction This document provides information on the most
More informationThe Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.
The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0 Xirrus, Inc. March 8, 2011 Copyright Xirrus, Inc. 2011. May be reproduced only in its original entirety [without revision]. Page 1 TABLE
More informationWireless technology Principles of Security
Wireless technology Principles of Security 1 Wireless technologies 2 Overview This module provides an introduction to the rapidly evolving technology of wireless LANs (WLANs). WLANs redefine the way the
More informationKey Collisions of the RC4 Stream Cipher
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1 Ofuna Kamakura Kanagawa 247-8501, Japan Matsui.Mitsuru@ab.MitsubishiElectric.co.jp
More informationPGP, Net Scanning, Wireless Network Security SPRING 2018: GANG WANG
PGP, Net Scanning, Wireless Network Security SPRING 2018: GANG WANG Outline Pretty Good Privacy Network Scanning (ZMap) Wifi Security More on Email Security Security problem: Spoofing PGP (pretty good
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 32 Outline 1 Historical Ciphers 2 Probability Review 3 Security Definitions: Perfect Secrecy 4 One Time Pad (OTP) 2
More informationLESSON 12: WI FI NETWORKS SECURITY
LESSON 12: WI FI NETWORKS SECURITY Raúl Siles raul@taddong.com Founder and Security Analyst at Taddong Introduction to Wi Fi Network Security Wireless networks or Wi Fi networks IEEE 802.11 Standards Information
More informationTinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry,, David Wagner Presented by Paul Ruggieri 1 Introduction What is TinySec? Link-layer security architecture
More informationWhat is Eavedropping?
WLAN Security What is Eavedropping? War Driving War Driving refers to someone driving around with a laptop and an 802.11 client card looking for an 802.11 system to exploit. War Walking Someone walks
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 8 Announcements Reminder: Project 1 is due on tonight by midnight. Midterm 1 will be held next Thursday, Feb. 8th. Example midterms
More informationWireless Security Security problems in Wireless Networks
Wireless Security Security problems in Wireless Networks Security of Wireless Networks Wireless networks are everywhere more and more electronic devices are becoming wireless However, ensuring security
More informationWPA-GPG: Wireless authentication using GPG Key
Università degli Studi di Bologna DEIS WPA-GPG: Wireless authentication using GPG Key Gabriele Monti December 9, 2009 DEIS Technical Report no. DEIS-LIA-007-09 LIA Series no. 97 WPA-GPG: Wireless authentication
More information2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp
2013 Summer Camp: Wireless LAN Security Exercises 2013 JMU Cyber Defense Boot Camp Questions Have you used a wireless local area network before? At home? At work? Have you configured a wireless AP before?
More informationCITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule
1 next CITS3002 help3002 CITS3002 schedule The IEEE-802.11 Wireless LAN protocol We'll next examine devices implementing the IEEE-802.11 family of wireless networking protocols, and get an appreciation
More informationOn Symmetric Encryption with Distinguishable Decryption Failures
On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures
More informationCryptanalysis. Ed Crowley
Cryptanalysis Ed Crowley 1 Topics Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types 2 Cryptanalysis Science of cracking ciphers and codes, decoding secrets,
More information