Plaintext Recovery Attacks Against WPA/TKIP

Similar documents
Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Full Plaintext Recovery Attack on Broadcast RC4

TLS Security Where Do We Stand? Kenny Paterson

05 - WLAN Encryption and Data Integrity Protocols

Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Security in IEEE Networks

The Final Nail in WEP s Coffin

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Different attacks on the RC4 stream cipher

Configuring WEP and WEP Features

Securing Your Wireless LAN

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Network Encryption 3 4/20/17

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Plaintext-Recovery Attacks Against Datagram TLS

Configuring Cipher Suites and WEP

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Stream Ciphers. Stream Ciphers 1

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Wireless LAN Security. Gabriel Clothier

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Security and Authentication for Wireless Networks

What you will learn. Summary Question and Answer

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Wireless Security i. Lars Strand lars (at) unik no June 2004

Analyzing Wireless Security in Columbia, Missouri

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Network Security. Security in local-area networks. Radboud University, The Netherlands. Spring 2017

Overview of Security

Physical and Link Layer Attacks

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Double-DES, Triple-DES & Modes of Operation

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

EXAM IN TTM4137 WIRELESS SECURITY

Wireless LANs: outline. wireless and WiFi security: WEP, i, WPA, WPA2. networking security wireless ad-hoc and mesh networks

Tel Aviv University. The Iby and Aladar Fleischman Faculty of Engineering

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Summary on Crypto Primitives and Protocols

Wireless Network Security Spring 2015

Securing a Wireless LAN

Wireless Network Security

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Lab Configure Enterprise Security on AP

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Chapter 24 Wireless Network Security

Secure Internet Communication

Stream Ciphers An Overview

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Burglarproof WEP Protocol on Wireless Infrastructure

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA

Chapter 6 Contemporary Symmetric Ciphers

Configuring Wireless Security Settings on the RV130W

CSCE 715: Network Systems Security

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

COSC4377. Chapter 8 roadmap

Wireless Network Security Spring 2016

Wireless Networked Systems

CSC 4900 Computer Networks: Security Protocols (2)

HACKING & INFORMATION SECURITY Presents: - With TechNext

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Security Setup CHAPTER

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

Impact of New Highly Secure Scheme on Wireless Network Performance

Appendix E Wireless Networking Basics

Using Mobile Computers Lesson 12

Security of WiFi networks MARCIN TUNIA

Basic Wireless Settings on the CVR100W VPN Router

Cryptanalysis of IEEE i TKIP

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

FAQ on Cisco Aironet Wireless Security

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Wireless technology Principles of Security

Key Collisions of the RC4 Stream Cipher

PGP, Net Scanning, Wireless Network Security SPRING 2018: GANG WANG

Network Security. Thierry Sans

Private-Key Encryption

LESSON 12: WI FI NETWORKS SECURITY

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

What is Eavedropping?

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

Wireless Security Security problems in Wireless Networks

WPA-GPG: Wireless authentication using GPG Key

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

CITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule

On Symmetric Encryption with Distinguishable Decryption Failures

Cryptanalysis. Ed Crowley

Transcription:

Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London! The 21st International Workshop on Fast Software Encryption March 4th, 2014! jacob.schuldt@rhul.ac.uk

Agenda Introduction to WPA/TKIP Biases in the WPA/TKIP keystreams Plaintext recovery attack for the repeated plaintext setting Exploiting TSCs for improved attacks Concluding remarks/open problems 2

Introduction to WPA/TKIP!! Client IEEE encryption Access point!! Wireless traffic!! IEEE standards for wireless LAN encryption 1999: WEP (Wired Equivalent Privacy) 2003: WPA (WiFi Protected Access) 2004: WPA2 (WiFi Protected Access 2) 3

Introduction to WPA/TKIP WEP Badly broken: Key recovery attack based on RC4 weakness and construction of RC4 key from 24-but known IV and unknown, but fixed key 10k~20k packets needed for key recovery Proposed by IEEE as an intermediate solution WPA Allows reuse of the hardware implementing WEP Introduction of supposedly better per-frame RC4 key through the Temporal Key Integrity Protocol (TKIP) WPA2 Introduces a stronger cryptographic solution based on AES-CCM (Includes optional support for TKIP) 4

Introduction to WPA/TKIP WPA was only intended as a temporary fix However, WPA is still in widespread use today Vanhoef-Piessens (2013) surveyed 6803 wireless networks: 19% 29% 71% 81% Permit WPA/TKIP Only allow WPA/TKIP This makes the continued analysis of WPA/TKIP worthwhile 5

Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 RC4 keystream Payload MIC WPA Frame : Header Ciphertext 6

Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 key: K0 K1 K2 104 bits 128 bits K0 K1 K2 = TSC1 = (TSC1 0x20) & 0x7f = TSC0 TSC0, TSC1 Two least significant bytes of TSC 7

Previous Attacks on WPA/TKIP Tews-Beck (2009): Rate-limited plaintext recovery Active attack based on chop-chop method for recovering plaintext Requires support for alternative QoS channels to by-pass anti-replay protection Rate-limited since correctness of plaintext guess is indicated by MIC verification failure, and only 2 failures per minute are tolerated! Sepehrdad-Vaudenay-Vuagnoux (2011): Statistical key recovery attack using 2 38 known plain texts and 2 96 operations 8

New Plaintext Recovery Attacks 9

RC4 with Random 128-bit Keys Recent work* has shown that RC4 with random 128-bit keys has significant biases in all of its initial keystream bytes Such biases enable plaintext recovery if sufficiently many encryptions of the same plaintext are available Uses simple Bayesian statistical analysis Applicable in multi-session or broadcast attack scenario * AlFardan-Berstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013) 10

Plaintext Recovery Encryptions of plaintext under different keys Plaintext candidate byte Pr Zr : keystream byte at position r C1 C2 C3 r Pr Pr Pr Induced distribution on Zr combine with known distribution of Zr 0.00395 Ciphertext distribution at position 16 Probability...... 0.00390625 Cn Pr 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Recovery algorithm: Compute most likely plaintext byte Likelihood of Pr being correct plaintext byte 11

Applications Technique successfully applied to RC4 as used in SSL/TLS by AlFardan- Bernstein-Paterson-Schuldt (2013) Attack realizable in TLS context using client-side Javascript, resulting in session cookie recovery (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases is preferable)! Applicable to RC4 with WPA/TKIP keys? Every frame has a new key i.e. naturally close to the broadcast attack setting Repeated encryption of the same target plaintext still required WPA/TKIP specific biases? 12

Biases in WPA/TKIP Keystreams Recall that WPA/TKIP keys have additional structure compared to random keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 This structure leads to significant changes in the biases in the RC4 keystream compared to random keys 13

Biases in WPA/TKIP: Keystream Byte 1 and 17 Keystream byte 1 Keystream byte 17 0.395%' 0.395%' 0.394%' 0.394%' 0.393%' 0.392%' 0.393%' Probability* 0.391%' 0.390%' Probability* 0.392%' 0.391%' 0.389%' 0.388%' 0.390%' 0.387%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* 0.389%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* WPA/TKIP RC4 keys Random RC4 keys 14

Comparison with Biases for 128-bit Random RC4 Keys Random RC4 keys WPA/TKIP keys 255 0.5 255 0.5 224 224 0.4 0.4 192 192 Byte value [0...255] 160 128 96 0.3 0.2 Byte value [0...255] 160 128 96 0.3 0.2 64 64 0.1 0.1 32 32 0 1 32 64 96 128 160 192 224 256 0 0 1 32 64 96 128 160 192 224 256 0 Position [1...256] Position [1...256] Color encoding: absolute strength of bias 2 16 15

Comparison with Biases for 128-bit Random RC4 Keys 255 0.5 224 192 0.25 Byte value [0...255] 160 128 96 0 64-0.25 32 0 1 32 64 96 128 160 192 224 256 Position [1...256] -0.5 16

Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 17

Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 18

Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 19

Plaintext Recovery Rate 2 30 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 20

Exploiting TSCs 21

Exploiting TSC Information Again, recall the special structure of WPA/TKIP keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 Idea: identify and exploit (TSC0, TSC1)-specific biases Plaintext recovery attack based (TSC0, TSC1)-specific biases: 1. Group ciphertexts into 2 16 groups according to (TSC0, TSC1) value 2. Carry out likelihood analysis for each group using appropriate keystream distribution 3. Combine likelihoods across groups to recover plaintext 22

Existence of Large (TSC0, TSC1)-specific Biases (TSC0, TSC1) = (0x00, 0x00) 0.550%& 0.410%' 0.500%& 0.405%' 0.450%& Probability* 0.400%& 0.350%& Probability* 0.400%' 0.395%' 0.300%& 0.390%' 0.250%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Byte*value* 0.385%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* Keystream byte 1 Keystream byte 17 (TSC0, TSC1)-specific RC4 keys RC4 keys with random (TSC0, TSC1) 23

Computational Requirements for (TSC0, TSC1)-specific Attack Problem: A very large number of keystreams are required to get an accurate estimate for the (TSC0, TSC1)-specific keystream distributions Minimum: Ideally: 2 32 keystreams per (TSC0, TSC1) pair 2 40 keystreams per (TSC0, TSC1) pair ~2 34 keystreams per core day 2 16 = 2 48 (TSC0, TSC1) pairs Keystreams 2 16 = 2 56 (TSC0, TSC1) pairs Keystreams = ~2 14 core days = ~2 22 core days 24

TSC0 Aggregation TSC1 is used to compute two key bytes; TSC0 only one: K0 = TSC1 K1 = (TSC1 & 0x20) 0x7f K2 = TSC0 Hence, we might expect significant biases to be strongly correlated with TSC1 Experiments confirm this Alternative plaintext recovery attack Group ciphertexts according to TSC1 and carry out likelihood analysis based on TSC1-specific keystream estimates Reduced required number of keystreams with a factor of 2 8 25

Location of Large TSC1 Specific Biases Byte value vs. position TSC1 vs. position 255 2 255 2 224 224 192 1.5 192 1.5 Byte value [0...255] 160 128 96 1 TSC1 [0...255] 160 128 96 1 64 0.5 64 0.5 32 32 0 1 32 64 96 128 160 192 224 256 0 0 1 32 64 96 128 160 192 224 256 0 Position [1...256] Position [1...256] Color encoding: absolute strength of largest bias 2 16 26

Plaintext Recovery Rate 2 20 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 27

Plaintext Recovery Rate 2 22 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 28

Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 29

Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 30

Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 31

Comparison of Plaintext Recovery Rates 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 32

Comparison of Average Plaintext Recovery Rate 100%# 80%# TSC1 specific attack Recovery(rate( 60%# 40%# Standard attack 20%# Dashed lines: Even positions 0%# 18# 20# 22# 24# 26# 28# 30# 32# Number(of(frames((log)( 33

Concluding Remarks/Open Problems 34

Concluding Remarks Plaintext recovery for WPA/TKIP is possible for the first 256 plaintext bytes, provided that sufficiently many independent encryptions of the same plaintext are available Security is far below the expected level of protection implied by the 128-bit key Suitable targets for attack might include fixed but unknown fields in encapsulated protocol headers or HTTP traffic via client-side Javascript Our attack complements known attacks on WPA/TKIP: Passive rather than active (cf. Tews-Beck) Ciphertext-only rather than known-plaintext (cf. Sepehrdad et al.) Moderate amounts of ciphertext and computation But requires repeated encryption of plaintext 35

Open Problems Explain all the observed bias behaviour Some progress has already been made by SenGupta-Maitra-Meier-Paul-Sarkar (next talk!) Not essential for our plaintext recovery attack, but important for deeper understanding of RC4 in WPA/TKIP and for developing new attacks! Carry out larger scale keystream bias computation over all (TSC0,TSC1) values and investigate how much improvement over our TSC0-aggregated attack is possible Study other real-world applications of RC4 in which keys are changed frequently and/or have additional structure 36

Questions? 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback