Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases

Similar documents
Plaintext Recovery Attacks Against WPA/TKIP

TLS Security Where Do We Stand? Kenny Paterson

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Full Plaintext Recovery Attack on Broadcast RC4

Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS

05 - WLAN Encryption and Data Integrity Protocols

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Stream Ciphers. Stream Ciphers 1

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

COSC4377. Chapter 8 roadmap

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

A Surfeit of SSH Cipher Suites

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Information Security CS526

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Information Security CS526

TLS (TRANSPORT LAYER SECURITY) PROTOCOL

Cryptography and Network Security

Security in IEEE Networks

Security. Communication security. System Security

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

The Salsa20 Family of Stream Ciphers

Cipher Suite Configuration Mode Commands

Securing Your Wireless LAN

Overview of Security

Tel Aviv University. The Iby and Aladar Fleischman Faculty of Engineering

Findings for

Coming of Age: A Longitudinal Study of TLS Deployment

Transport Level Security

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Plaintext-Recovery Attacks Against Datagram TLS

CS 356 Internet Security Protocols. Fall 2013

Summary on Crypto Primitives and Protocols

Network Security Essentials Chapter 2

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

CSE 127: Computer Security Cryptography. Kirill Levchenko

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Design Of High Performance Rc4 Stream Cipher For Secured Communication

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Cryptography MIS

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Physical and Link Layer Attacks

Different attacks on the RC4 stream cipher

Stream Ciphers An Overview

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Overview of TLS v1.3 What s new, what s removed and what s changed?

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Private-Key Encryption

Secure Internet Communication

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography (Overview)

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Transport Layer Security

Double-DES, Triple-DES & Modes of Operation

(2½ hours) Total Marks: 75

Advanced security notions for the SSH secure channel: theory and practice

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

Defeating All Man-in-the-Middle Attacks

Lecture 1 Applied Cryptography (Part 1)

Implementing Cryptography: Good Theory vs. Bad Practice

David Wetherall, with some slides from Radia Perlman s security lectures.

Content of this part

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Chapter 6 Contemporary Symmetric Ciphers

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

: Practical Cryptographic Systems March 25, Midterm

CSCE 715: Network Systems Security

Syrvey on block ciphers

Wireless LAN Security. Gabriel Clothier

Chapter 24 Wireless Network Security

Network Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Data Integrity & Authentication. Message Authentication Codes (MACs)

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Wireless Network Security

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Introduction to Cryptography. Lecture 3

Chapter 8 Web Security

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B

SSL/TLS. Pehr Söderman Natsak08/DD2495

EXAM IN TTM4137 WIRELESS SECURITY

Transcription:

Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp

Overview RC4 Attacking RC4 in TLS Big bias hunting: Attacking RC4 in WPA/TKIP Concluding remarks 2

RC4

RC4 Designed by Ron Rivest in late 1980s, became public in 1994. A byte-oriented stream cipher. Variable-length key. Elegant design, fast in software, very compact description, easy to implement. Widely adopted in secure communications protocols: TLS WEP WPA/TKIP Kerberos MPPE 4

RC4 RC4 State Byte permutation and indices i and j RC4 Key scheduling RC4 Keystream generation 5

Cryptanalysis of RC4 (Or: Isn t RC4 Broken Already?) Given its wide-spread use, RC4 has been subject to a lot of cryptanalysis. Biases in keystreams Key/state recovery attacks Related key attacks It s usage in WEP was completely broken, starting with [FMS01]. Full key-recovery attack now possible with 10k-20k packets [SVV11]. Many short-term and long-term biases in its keystreams have been identified. [FM00], [MS01], [M02], [M05], [MPS11], [SMPS11], Why then is it still so popular in applications? 6

Popularity of RC4 It s fast and easy to implement. It s hard to displace a widely-deployed algorithm without practical, demonstrated attacks. The WEP disaster can be argued as a special case, where the use of the algorithm was at fault, not the algorithm itself. Composition of key from long-term key and public counter enabled special attacks. Lack of practical, demonstrated attacks on common applications. 7

Attacking RC4 in TLS Joint work with Nadhem AlFardan, Daniel J. Bernstein, Bertram Poettering and Jacob C.N. Schuldt

Broadcast Attack Setting Introduced by Mantin-Shamir in 2001. Imagine a fixed but unknown plaintext P is encrypted many times under RC4 using different keys K i. Attack recovers bytes of P by exploiting biases in RC4 keystreams. Different from usual setting: recover K from many (P,C) pairs. 9

Broadcast Attack Example Example: Mantin-Shamir bias: Pr[Z 2 = 0x00] 1/128 But C r = P r Z r. So C 2 = P 2 with probability 1/128. Hence, with enough encryptions, can recover P 2 directly from C 2. Just take the most common value of C 2 as estimate for P 2! Does the attack extend to other bytes of plaintext? Is the attack really applicable to RC4 in TLS? How many ciphertexts are needed for reliable plaintext recovery? 10

Single-byte Biases in the RC4 Keystream [Mantin-Shamir 2001]: Zi = value of i-th keystream byte [Mironov 2002]: Described distribution of Z 1 (bias away from 0, sine-like distribution) [Maitra-Paul-Sen Gupta 2011]: for 3 r 255 [Sen Gupta-Maitra-Paul-Sarkar 2011]: l = keylength 11

Complete Single-byte Keystream Distributions Approach in [ABPPS13]: Based on the output from 2 45 random independent 128-bit RC4 keys, estimate the keystream byte distributions for the first 256 bytes...... Z1 Z2 Z3... This computation revealed many new biases in the RC4 keystream. (Some of these were independently discovered and exploited in [IOWM13]. ) 12

Probability Keystream Distribution at Position 1 0.003950 0.003906 0.003878 Byte value 13

Probability Keystream Distribution at Position 2 0.003950 0.003906 0.003878 Byte value 14

Probability Keystream Distribution at Position 3 0.003950 0.003906 0.003878 Byte value 15

Probability Keystream Distribution at Position 4 0.003950 0.003906 0.003878 Byte value 16

Probability Keystream Distribution at Position 5 0.003950 0.003906 0.003878 Byte value 17

Probability Keystream Distribution at Position 6 0.003950 0.003906 0.003878 Byte value 18

Probability Keystream Distribution at Position 7 0.003950 0.003906 0.003878 Byte value 19

Probability Keystream Distribution at Position 8 0.003950 0.003906 0.003878 Byte value 20

Probability Keystream Distribution at Position 9 0.003950 0.003906 0.003878 Byte value 21

Probability Keystream Distribution at Position 10 0.003950 0.003906 0.003878 Byte value 22

Probability Keystream Distribution at Position 11 0.003950 0.003906 0.003878 Byte value 23

Probability Keystream Distribution at Position 12 0.003950 0.003906 0.003878 Byte value 24

Probability Keystream Distribution at Position 13 0.003950 0.003906 0.003878 Byte value 25

Probability Keystream Distribution at Position 14 0.003950 0.003906 0.003878 Byte value 26

Probability Keystream Distribution at Position 15 0.003950 0.003906 0.003878 Byte value 27

Probability Keystream Distribution at Position 16 0.003950 0.003906 0.003878 Byte value 28

Probability Keystream Distribution at Position 17 0.003950 0.003906 0.003878 Byte value 29

Probability Keystream Distribution at Position 18 0.003950 0.003906 0.003878 Byte value 30

Probability Keystream Distribution at Position 19 0.003950 0.003906 0.003878 Byte value 31

Probability Keystream Distribution at Position 20 0.003950 0.003906 0.003878 Byte value 32

Probability Keystream Distribution at Position 21 0.003950 0.003906 0.003878 Byte value 33

Probability Keystream Distribution at Position 22 0.003950 0.003906 0.003878 Byte value 34

Probability Keystream Distribution at Position 23 0.003950 0.003906 0.003878 Byte value 35

Probability Keystream Distribution at Position 24 0.003950 0.003906 0.003878 Byte value 36

Probability Keystream Distribution at Position 25 0.003950 0.003906 0.003878 Byte value 37

Probability Keystream Distribution at Position 26 0.003950 0.003906 0.003878 Byte value 38

Probability Keystream Distribution at Position 27 0.003950 0.003906 0.003878 Byte value 39

Probability Keystream Distribution at Position 28 0.003950 0.003906 0.003878 Byte value 40

Probability Keystream Distribution at Position 29 0.003950 0.003906 0.003878 Byte value 41

Probability Keystream Distribution at Position 30 0.003950 0.003906 0.003878 Byte value 42

Probability Keystream Distribution at Position 31 0.003950 0.003906 0.003878 Byte value 43

Probability Keystream Distribution at Position 32 0.003950 0.003906 0.003878 Byte value 44

All the Biases 45

Broadcast Attack for RC4 in TLS Is the attack really applicable to RC4 in TLS? How is the RC4 algorithm actually used in TLS? How much TLS traffic is actually encrypted using RC4? How can we ensure that the same plaintext is repeatedly encrypted under different keys? What is a good target for the repeated plaintext? Can we ensure the target plaintext aligns with the positions where the keystream biases are present? How can we deal with the fact that there are multiple biases in each keystream position Z r? 46

Broadcast Attack for RC4 in TLS Is the attack really applicable to RC4 in TLS? How is the RC4 algorithm actually used in TLS? How much TLS traffic is actually encrypted using RC4? How can we ensure that the same plaintext is repeatedly encrypted under different keys? What is a good target for the repeated plaintext? How can we deal with the fact that there are multiple biases in each keystream position Z r? 47

Use of RC4 in TLS SQN HDR Application Data MAC Application Data MAC tag RC4 Keystream HDR Ciphertext 48 MAC Encrypt HMAC-MD5, HMAC-SHA1, HMAC-SHA256 CBC-AES128, CBC-AES256, CBC-3DES, RC4-128

Use of RC4 in TLS Fresh 128-bit key for RC4 for each TLS connection. The key is derived from the TLS master secret and nonces exchanged in the TLS Handshake Protocol run between TLS Client and Server. Different key in each direction on secure channel. Think of it as a random 128-bit value. All bytes of RC4 keystream are used. But the first 36 bytes (roughly) are used to encrypt unpredictable messages. The TLS Handshake Finished messages. So the Mantin-Shamir bias is not exploitable in this application 49

Rate of RC4 Usage in TLS In the face of the BEAST and Lucky 13 attacks on CBC-based ciphersuites in TLS, switching to RC4 was a recommended mitigation. Use of RC4 in the wild: ICSI Certificate Notary Jan. 2013 survey of 16 billion TLS connections: Approx. 50% protected via RC4 ciphersuites 50

Broadcast Attack for RC4 in TLS Is the attack really applicable to RC4 in TLS? How is the RC4 algorithm actually used in TLS? How much TLS traffic is actually encrypted using RC4? How can we ensure that the same plaintext is repeatedly encrypted under different keys? What is a good target for the repeated plaintext? How can we deal with the fact that there are multiple biases in each keystream position Z r? 51

How the Web Works badsite.com Cookie for goodsite.com browser TLS secure channel goodsite.com 52

How the Web Works Target plaintext is an HTTP secure cookie for goodsite.com. Browser Same Origin Policy prevents direct access to cookie. JavaScript running in the browser from badsite.com gives attacker the repeated plaintext capability. The cookie is added automatically to every HTTP request sent from the browser. JavaScript can pad requests in various ways to control exact position of the cookie. Attacker needs to force a new TLS connection for each HTTP request. Can do this by having active MITM component closing TCP connection via TCP RST or sequence of TCP FIN/ACK messages. 53

Broadcast Attack for RC4 in TLS Is the attack really applicable to RC4 in TLS? How is the RC4 algorithm actually used in TLS? How much TLS traffic is actually encrypted using RC4? How can we ensure that the same plaintext is repeatedly encrypted under different keys? What is a good target for the repeated plaintext? How can we deal with the fact that there are multiple biases in each keystream position Z r? 54

Plaintext Recovery for TLS-RC4 We use an optimal statistical procedure based on Bayes theorem. This automatically deals with the presence of multiple biases in the keystream bytes. [IOWM14] used a sub-optimal procedure relying only on the largest bias in each position (and did not consider in detail the applicability to TLS). 55

... Details of Statistical Analysis Let c denote the n-vector of ciphertext bytes in position r. We wish to maximise Pr[P=p C=c]. Bayes theorem: Pr[P=p C=c] = Pr[C=c P=p].Pr[P=p]/Pr[C=c] = Pr[Z=c (p,p,,p)].pr[p=p]/pr[c=c] C1 C2 C3 Cn r Pr[C=c] is independent of the choice of p. For simplicity, assume Pr[P=p] is constant. Then to maximise Pr[P=p C=c] over all choices of p, we simply need to maximise the expression: 56 Pr[Z=c (p,p,,p)].

Details of Statistical Analysis To maximise Pr[P=p C=c] over all choices of p, we simply need to maximise the expression: Pr[Z=c (p,p,,p)]. Formally, this is the likelihood of the keystream bytes Z=c (p,p,,p). Let q = (q 00, q 01,, q FF ) denote the vector of keystream byte probabilities in position r. Let n x be the number of occurrences of byte value x in Z=c (p,p,,p). Then: Pr[Z=c (p,p,,p)] = Attack: compute this expression for each candidate p and output the value of p giving the maximum value. n 00 n 01 q 00 q 01 q FF n FF 57

Success Probability 2 20 Connections 58

Success Probability 2 21 Connections 59

Success Probability 2 22 Connections 60

Success Probability 2 23 Connections 61

Success Probability 2 24 Connections 62

Success Probability 2 25 Connections 63

Success Probability 2 26 Connections 64

Success Probability 2 27 Connections 65

Success Probability 2 28 Connections 66

Success Probability 2 29 Connections 67

Success Probability 2 30 Connections 68

Success Probability 2 31 Connections 69

Success Probability 2 32 Connections 70

Current Status of RC4 in TLS Snapshot from ICSI Certificate Notary Project: 71

Comments Amount of TLS-RC4 traffic is declining, but not as quickly as we might hope. ICSI: from 50% to ~33%. SSL Pulse: 81% of 150k sites surveyed still support RC4. Security Pitfalls: 1% of 400k sites support only RC4! But attacks only get better with time Double-byte bias attack in [ABPPS13] more ciphertexts, but single connection, so faster overall. Exploitation of known plaintext distributions. Ranking of plaintext candidates e.g. for password recovery, only need password to be in top T candidates. IT S TIME TO STOP USING RC4 IN TLS! 72

Big bias hunting in Amazonia: Attacking RC4 in WPA/TKIP Joint work with Bertram Poettering and Jacob C.N. Schuldt

Introduction to WPA/TKIP WEP, WPA, WPA2 are all IEEE standards for wireless LAN encryption under the 802.11 family. WEP (1999) is considered to be badly broken Beginning with [FMS01], now roughly 10k-20k packets needed for key recovery. Other attacks on integrity, authentication. WPA/TKIP was proposed by IEEE in 2003 as an intermediate solution. Allow reuse of same hardware, firmware-only upgrade. Hence only limited changes to WEP design were possible. Introduction of supposedly stronger per-frame keys (TKIP: Temporal Key Integrity Protocol). 74

Introduction to WPA/TKIP WPA was only intended as a temporary fix. WPA2 (2004) introduces a strong cryptographic solution based on AES-CCM. But WPA is still in widespread use today. Vanhoef-Piessens (2013): 71% of 6803 networks surveyed still permit WPA/TKIP; 19% allowed only WPA/TKIP. Significant previous analysis of WPA in [TB09], [SVV11]. 75

Overview of WPA/TKIP Encryption TK (Temporal Key): 128 bits, used to protect many consecutive frames. TSC (TKIP Sequence Counter) : 48 bits, incremented for each frame sent. TA (Transmitter Address): 48 bits, MAC address of sender. TK TSC TA Mixing 16 byte key RC4 76 RC4 keystream

WPA/TKIP Key Mixing Function TK TSC TA Mixing K 0 K 1 K 2 13 bytes K 0 = TSC 1 K 1 = (TSC 1 OR 0x20) AND 0x7f K 2 = TSC 0 (TSC 0 and TSC 1 are the two least significant bytes of TSC) 77

Exploiting TSC Information We can immediately apply previous statistical attacks to WPA/TKIP, with quite some success. Using keystream distributions for random keys having WPA/TKIP structure. See full version of [ABPPS13] for details. But recall that WPA/TKIP keys have additional structure: K 0 = TSC 1 K 1 = (TSC 1 OR 0x20) AND 0x7f K 2 = TSC 0 Recall also that the TSC value is transmitted in clear as part of the WPA/TKIP frame. 78

Exploiting TSC Information Idea: There may be even larger keystream biases that arise for specific (TSC 0,TSC 1 ) values; these could disappear when aggregating over all (TSC 0,TSC 1 ) values. Exploitation in plaintext recovery attack: Bin available ciphertexts into 2 16 bins according to (TSC 0,TSC 1 ) value. Carry out likelihood analysis in each bin using bin-specific keystream distribution. Multiply likelihoods across bins to compute plaintext likelihoods. Similar (but different) ideas were developed in [SMMPS14]. 79

Probability* Probability* Confirming Existence of Large (TSC 0,TSC 1 ) specific Biases 0.550%& 0.540%& 0.500%& 0.500%& 0.450%& 0.400%& 0.350%& 0.460%& 0.420%& 0.300%& 0.380%& 0.250%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Byte*value* 0.340%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Byte*value* Output byte 1, (TSC 0,TSC 1 ) = (0x00,0x00) Output byte 33, (TSC 0,TSC 1 ) = (0x00,0x00) Blue: TSC-specific biases Red: fully aggregated WPA/TKIP biases 80

Exploiting TSC Information Problem: This approach requires a large number of keystreams to get accurate estimates for each of the 2 16 different (TSC 0,TSC 1 )-specific keystream distributions. At a minimum, we would like to use at least 2 32 keystreams for each (TSC 0,TSC 1 ) value, hence 2 48 in total. With our local computing setup, computing 2 24 keystreams for each of the 2 16 (TSC 0,TSC 1 ) values required 2 6 core days of computation. This computation did indicate the presence of many new biases. Desired computation would then need 2 14 core days. 81

TSC 0 Aggregation TSC 1 is used in computing two key bytes; TSC 0 in only one: K 0 = TSC 1 K 1 = (TSC 1 OR 0x20) AND 0x7f K 2 = TSC 0 Hence we may expect biases to depend more strongly on TSC 1 than on TSC 0. So we could ignore TSC 0 and look only at how biases depend on TSC 1. Effectively, we would then be aggregating biases over TSC 0. We call this TSC 0 aggregation In the plaintext recovery attack, we would then use only 2 8 bins instead of 2 16. And we d need 2 8 times fewer keystreams for estimating distributions. Our first attack applied to WPA/TKIP can then be seen as the variant where we aggregate over both TSC 0 and TSC 1, using just 1 bin. We call this full aggregation. 82

Recovery(rate( Plaintext recovery based on TSC 0 aggregation: 2 20 frames 100%# 80%# 60%# 40%# 20%# 83 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/ on(

Recovery(rate( Plaintext recovery based on TSC 0 aggregation: 2 22 frames 100%# 80%# 60%# 40%# 20%# 84 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/ on(

Recovery(rate( Plaintext recovery based on TSC 0 aggregation: 2 24 frames 100%# 80%# 60%# 40%# 20%# 85 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/ on(

Recovery(rate( Plaintext recovery based on TSC 0 aggregation: 2 26 frames 100%# 80%# 60%# 40%# 20%# 86 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/ on(

Recovery(rate( Plaintext recovery based on TSC 0 aggregation: 2 28 frames 100%# 80%# 60%# 40%# 20%# 87 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/ on(

Recovery(rate( Plaintext recovery with TSC 0 aggregation (blue) compared to full aggregation (red): 2 24 frames 100%# 80%# 60%# 40%# 20%# 88 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/ on(

Performance of Single-byte Plaintext Recovery Attacks 89 Red: basic attack (full aggregation); blue: TSC 0 aggregation. Solid line: average over all 256 posns; dotted line: average over odd posns

Big-bias Hunting We then obtained a grant from the UK government enabling us to compute accurate per (TSC 0,TSC 1 ) keystream distributions. We used Amazon EC2 to carry out large-scale single-byte and double-byte keystream distribution computations. 90 For first 512 positions of keystreams in each case. Single-byte: 2 32 keystreams per (TSC 0,TSC 1 ) value, 2 48 in total. Double-byte: 2 30 keystreams per (TSC 0,TSC 1 ) value, 2 46 in total. Total computation was about 63 virtual core years. Approximately 5% of computation involved in RSA-768 sieving step. (Or just 1% of the latest EPFL computations!)

Big-bias Hunting We exploited the inherent parallelism in the problem. We used, in both computations, 256 c3.x8large instances in parallel. 8192 virtual cores, mapping onto 4096 Intel Xeon 2.8GHz processors. Essentially, an entire Amazon EC2 data centre. Boto (Python) + Ubuntu 13.10 + OpenSSL + careful cache optimisations. Running cost: $614 per hour (+ 20% tax). Make very sure your code is correct before executing it! 91 Make sure to terminate instances as soon as computation is done!

Big-bias Hunting: Single-Byte Computation Single-byte computation ran for 32 hours, or 30 virtual core years, and cost approximately $20k. Produced dataset consisting of 2 16 x 2 9 x 2 8 32-bit integers. One counter per (TSC 0,TSC 1 ), per position, and per keystream byte value. 32GB of distribution data in total. 92

Big-bias Hunting: Double-Byte Computation Double-byte computation ran for 35 hours, or 33 virtual core years, and cost approximately $23k. Produced dataset consisting of 2 16 x 2 9 x 2 16 32-bit integers. One counter per (TSC 0,TSC 1 ), per position, and per pair of keystream byte values. 8TB in total, storage cost of $410 per month on EC2. Data transfer to our local RAID was charged at $0.12 per GB, $983 in total. We used bbcp tool developed by experimental physicists; 48 hours at 50MB per second. 93

Performance of Single-byte Plaintext Recovery Attacks 94 Red: basic attack (full aggregation); blue: TSC 0 aggregation. Solid line: average over all 256 posns; dotted line: average over odd posns

Performance of Single-byte Plaintext Recovery Attacks 95 Red: basic attack (full aggregation); blue: TSC 0 aggregation; green: no aggregation. Solid line: average over all 256 posns; dotted line: average over odd posns

WPA/TKIP Closing Remarks Plaintext recovery for WPA/TKIP is possible for the first 256 bytes of frames, provided sufficiently many independent encryptions of the same plaintext are available. Security is far below the level implied by the 128-bit key TK. Suitable targets for attack might include fixed but unknown fields in encapsulated protocol headers. Targeting HTTP traffic via client-side Javascript also possible, as in TLS attacks. 96

Concluding Remarks

Concluding Remarks RC4 is still widely used for performance and legacy reasons. Don t underestimate the power of inertia. Broadcast attacks can be made practical. Interesting statistical questions arise. As a community, we should work more on making our attacks practical and maximising their real-world impact. This requires understanding of and interaction with that real world! 99

Thank Yous My thanks to: The Asiacrypt 2014 program chairs and general chairs for the invitation and for their hospitality. My co-authors Bertram Poettering and Jacob Schuldt. My additional co-authors on [ABPPS13] Nadhem AlFardan and Dan Bernstein. Martin Albrecht, Jon Hart and Adrian Thomas at RHUL for their assistance with sourcing, building and maintaining our local computing infrastructure and for help in managing AWS. EPSRC and the UK government for funding our adventures in Amazonia. 100

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback