Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London! The 21st International Workshop on Fast Software Encryption March 4th, 2014! jacob.schuldt@rhul.ac.uk
Agenda Introduction to WPA/TKIP Biases in the WPA/TKIP keystreams Plaintext recovery attack for the repeated plaintext setting Exploiting TSCs for improved attacks Concluding remarks/open problems 2
Introduction to WPA/TKIP!! Client IEEE encryption Access point!! Wireless traffic!! IEEE standards for wireless LAN encryption 1999: WEP (Wired Equivalent Privacy) 2003: WPA (WiFi Protected Access) 2004: WPA2 (WiFi Protected Access 2) 3
Introduction to WPA/TKIP WEP Badly broken: Key recovery attack based on RC4 weakness and construction of RC4 key from 24-but known IV and unknown, but fixed key 10k~20k packets needed for key recovery Proposed by IEEE as an intermediate solution WPA Allows reuse of the hardware implementing WEP Introduction of supposedly better per-frame RC4 key through the Temporal Key Integrity Protocol (TKIP) WPA2 Introduces a stronger cryptographic solution based on AES-CCM (Includes optional support for TKIP) 4
Introduction to WPA/TKIP WPA was only intended as a temporary fix However, WPA is still in widespread use today Vanhoef-Piessens (2013) surveyed 6803 wireless networks: 19% 29% 71% 81% Permit WPA/TKIP Only allow WPA/TKIP This makes the continued analysis of WPA/TKIP worthwhile 5
Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 RC4 keystream Payload MIC WPA Frame : Header Ciphertext 6
Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TA : Sender Address (48 bits) TSC : TKIP Sequence Counter (48 bits) TK TSC TA Key mixing function RC4 key: K0 K1 K2 104 bits 128 bits K0 K1 K2 = TSC1 = (TSC1 0x20) & 0x7f = TSC0 TSC0, TSC1 Two least significant bytes of TSC 7
Previous Attacks on WPA/TKIP Tews-Beck (2009): Rate-limited plaintext recovery Active attack based on chop-chop method for recovering plaintext Requires support for alternative QoS channels to by-pass anti-replay protection Rate-limited since correctness of plaintext guess is indicated by MIC verification failure, and only 2 failures per minute are tolerated! Sepehrdad-Vaudenay-Vuagnoux (2011): Statistical key recovery attack using 2 38 known plain texts and 2 96 operations 8
New Plaintext Recovery Attacks 9
RC4 with Random 128-bit Keys Recent work* has shown that RC4 with random 128-bit keys has significant biases in all of its initial keystream bytes Such biases enable plaintext recovery if sufficiently many encryptions of the same plaintext are available Uses simple Bayesian statistical analysis Applicable in multi-session or broadcast attack scenario * AlFardan-Berstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013) 10
Plaintext Recovery Encryptions of plaintext under different keys Plaintext candidate byte Pr Zr : keystream byte at position r C1 C2 C3 r Pr Pr Pr Induced distribution on Zr combine with known distribution of Zr 0.00395 Ciphertext distribution at position 16 Probability...... 0.00390625 Cn Pr 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Recovery algorithm: Compute most likely plaintext byte Likelihood of Pr being correct plaintext byte 11
Applications Technique successfully applied to RC4 as used in SSL/TLS by AlFardan- Bernstein-Paterson-Schuldt (2013) Attack realizable in TLS context using client-side Javascript, resulting in session cookie recovery (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases is preferable)! Applicable to RC4 with WPA/TKIP keys? Every frame has a new key i.e. naturally close to the broadcast attack setting Repeated encryption of the same target plaintext still required WPA/TKIP specific biases? 12
Biases in WPA/TKIP Keystreams Recall that WPA/TKIP keys have additional structure compared to random keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 This structure leads to significant changes in the biases in the RC4 keystream compared to random keys 13
Biases in WPA/TKIP: Keystream Byte 1 and 17 Keystream byte 1 Keystream byte 17 0.395%' 0.395%' 0.394%' 0.394%' 0.393%' 0.392%' 0.393%' Probability* 0.391%' 0.390%' Probability* 0.392%' 0.391%' 0.389%' 0.388%' 0.390%' 0.387%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* 0.389%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* WPA/TKIP RC4 keys Random RC4 keys 14
Comparison with Biases for 128-bit Random RC4 Keys Random RC4 keys WPA/TKIP keys 255 0.5 255 0.5 224 224 0.4 0.4 192 192 Byte value [0...255] 160 128 96 0.3 0.2 Byte value [0...255] 160 128 96 0.3 0.2 64 64 0.1 0.1 32 32 0 1 32 64 96 128 160 192 224 256 0 0 1 32 64 96 128 160 192 224 256 0 Position [1...256] Position [1...256] Color encoding: absolute strength of bias 2 16 15
Comparison with Biases for 128-bit Random RC4 Keys 255 0.5 224 192 0.25 Byte value [0...255] 160 128 96 0 64-0.25 32 0 1 32 64 96 128 160 192 224 256 Position [1...256] -0.5 16
Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 17
Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 18
Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 19
Plaintext Recovery Rate 2 30 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 20
Exploiting TSCs 21
Exploiting TSC Information Again, recall the special structure of WPA/TKIP keys: K0 = TSC1 K1 = (TSC1 0x20) & 0x7f K2 = TSC0 Idea: identify and exploit (TSC0, TSC1)-specific biases Plaintext recovery attack based (TSC0, TSC1)-specific biases: 1. Group ciphertexts into 2 16 groups according to (TSC0, TSC1) value 2. Carry out likelihood analysis for each group using appropriate keystream distribution 3. Combine likelihoods across groups to recover plaintext 22
Existence of Large (TSC0, TSC1)-specific Biases (TSC0, TSC1) = (0x00, 0x00) 0.550%& 0.410%' 0.500%& 0.405%' 0.450%& Probability* 0.400%& 0.350%& Probability* 0.400%' 0.395%' 0.300%& 0.390%' 0.250%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Byte*value* 0.385%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* Keystream byte 1 Keystream byte 17 (TSC0, TSC1)-specific RC4 keys RC4 keys with random (TSC0, TSC1) 23
Computational Requirements for (TSC0, TSC1)-specific Attack Problem: A very large number of keystreams are required to get an accurate estimate for the (TSC0, TSC1)-specific keystream distributions Minimum: Ideally: 2 32 keystreams per (TSC0, TSC1) pair 2 40 keystreams per (TSC0, TSC1) pair ~2 34 keystreams per core day 2 16 = 2 48 (TSC0, TSC1) pairs Keystreams 2 16 = 2 56 (TSC0, TSC1) pairs Keystreams = ~2 14 core days = ~2 22 core days 24
TSC0 Aggregation TSC1 is used to compute two key bytes; TSC0 only one: K0 = TSC1 K1 = (TSC1 & 0x20) 0x7f K2 = TSC0 Hence, we might expect significant biases to be strongly correlated with TSC1 Experiments confirm this Alternative plaintext recovery attack Group ciphertexts according to TSC1 and carry out likelihood analysis based on TSC1-specific keystream estimates Reduced required number of keystreams with a factor of 2 8 25
Location of Large TSC1 Specific Biases Byte value vs. position TSC1 vs. position 255 2 255 2 224 224 192 1.5 192 1.5 Byte value [0...255] 160 128 96 1 TSC1 [0...255] 160 128 96 1 64 0.5 64 0.5 32 32 0 1 32 64 96 128 160 192 224 256 0 0 1 32 64 96 128 160 192 224 256 0 Position [1...256] Position [1...256] Color encoding: absolute strength of largest bias 2 16 26
Plaintext Recovery Rate 2 20 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 27
Plaintext Recovery Rate 2 22 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 28
Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 29
Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 30
Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 31
Comparison of Plaintext Recovery Rates 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 32
Comparison of Average Plaintext Recovery Rate 100%# 80%# TSC1 specific attack Recovery(rate( 60%# 40%# Standard attack 20%# Dashed lines: Even positions 0%# 18# 20# 22# 24# 26# 28# 30# 32# Number(of(frames((log)( 33
Concluding Remarks/Open Problems 34
Concluding Remarks Plaintext recovery for WPA/TKIP is possible for the first 256 plaintext bytes, provided that sufficiently many independent encryptions of the same plaintext are available Security is far below the expected level of protection implied by the 128-bit key Suitable targets for attack might include fixed but unknown fields in encapsulated protocol headers or HTTP traffic via client-side Javascript Our attack complements known attacks on WPA/TKIP: Passive rather than active (cf. Tews-Beck) Ciphertext-only rather than known-plaintext (cf. Sepehrdad et al.) Moderate amounts of ciphertext and computation But requires repeated encryption of plaintext 35
Open Problems Explain all the observed bias behaviour Some progress has already been made by SenGupta-Maitra-Meier-Paul-Sarkar (next talk!) Not essential for our plaintext recovery attack, but important for deeper understanding of RC4 in WPA/TKIP and for developing new attacks! Carry out larger scale keystream bias computation over all (TSC0,TSC1) values and investigate how much improvement over our TSC0-aggregated attack is possible Study other real-world applications of RC4 in which keys are changed frequently and/or have additional structure 36
Questions? 37