How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

Similar documents
CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Stream Ciphers. Stream Ciphers 1

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Information Security CS526

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

05 - WLAN Encryption and Data Integrity Protocols

Security in IEEE Networks

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Overview of Security

CE Advanced Network Security Wireless Security

Summary on Crypto Primitives and Protocols

Dismantling MIFARE Classic

Information Security CS526

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

Chapter 6 Contemporary Symmetric Ciphers

Double-DES, Triple-DES & Modes of Operation

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Stream Ciphers An Overview

Lecture 1 Applied Cryptography (Part 1)

Cryptography [Symmetric Encryption]

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Cryptography and Network Security Chapter 7

Network Security Essentials Chapter 2

Practical Aspects of Modern Cryptography

Wireless Security Security problems in Wireless Networks

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

WarDriving. related fixed line attacks war dialing port scanning

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Analyzing Wireless Security in Columbia, Missouri

Securing Your Wireless LAN

Cracking HiTag2 Crypto

Computer Security: Principles and Practice

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Security: Cryptography

Symmetric Encryption. Thierry Sans

FAQ on Cisco Aironet Wireless Security

CSC 580 Cryptography and Computer Security

Security and Authentication for Wireless Networks

Network Security Essentials

CPSC 467b: Cryptography and Computer Security

Wireless LAN Security. Gabriel Clothier

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Full Plaintext Recovery Attack on Broadcast RC4

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

Security. Communication security. System Security

Physical and Link Layer Attacks

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Configuring the Client Adapter through the Windows XP Operating System

CITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Security Setup CHAPTER

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Computer Security CS 526

CPSC 467b: Cryptography and Computer Security

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Wireless Network Security Spring 2015

Wireless Network Security

CPSC 467b: Cryptography and Computer Security

Wireless Network Security Spring 2016

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography (Overview)

Wireless Security i. Lars Strand lars (at) unik no June 2004

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

CSC 474/574 Information Systems Security

David Wetherall, with some slides from Radia Perlman s security lectures.

T Cryptography and Data Security

CPSC 467: Cryptography and Computer Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CS 393/682 Network Security

Content of this part

T Cryptography and Data Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Computer Security 3/23/18

Configuring the Client Adapter through the Windows XP Operating System

Conditional Multiple Differential Attack on MiFare Classic

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Message Authentication Codes and Cryptographic Hash Functions

Encryption. INST 346, Section 0201 April 3, 2018

Symmetric Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptanalysis. Ed Crowley

Secret Key Cryptography

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

The security of existing wireless networks

Cryptography Functions

Cryptography ThreeB. Ed Crowley. Fall 08

Dear John, Regards, Jaap-Henk

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Symmetric Encryption 2: Integrity

Transcription:

How crypto fails in practice? CSS, WEP, MIFARE classic *Slides borrowed from Vitaly Shmatikov

Stream Ciphers One-time pad: Ciphertext(Key,Message)=Message Key Key must be a random bit sequence as long as message Idea: replace random with pseudo-random Use a pseudo-random number generator (PRNG) PRNG takes a short, truly random secret seed and expands it into a long random-looking sequence E.g., 128-bit seed into a 10 6 -bit pseudo-random sequence No efficient algorithm can tell this sequence from truly random Ciphertext(Key,Msg)=IV, Msg PRNG(IV,Key) Message processed bit by bit (unlike block cipher) slide 2

Stream Cipher Terminology The seed of a pseudo-random generator typically consists of initialization vector (IV) and key The key is a secret known only to the sender and the recipient, not sent with the ciphertext IV is usually sent with the ciphertext The pseudo-random bit stream produced by PRNG(IV,key) is referred to as the keystream Encrypt message by XORing with keystream ciphertext = message keystream slide 3

Properties of Stream Ciphers Usually very fast (faster than block ciphers) Used where speed is important: WiFi, DVD, RFID, VoIP Unlike one-time pad, stream ciphers do not provide perfect secrecy Only as secure as the underlying PRNG If used properly, can be as secure as block ciphers PRNG must be cryptographically secure slide 4

Using Stream Ciphers No integrity Associativity & commutativity: (M 1 PRNG(seed)) M 2 = (M 1 M 2 ) PRNG(seed) Need an additional integrity protection mechanism Known-plaintext attack is very dangerous if keystream is ever repeated Self-cancellation property of XOR: X X=0 (M 1 PRNG(seed)) (M 2 PRNG(seed)) = M 1 M 2 If attacker knows M 1, then easily recovers M 2 also, most plaintexts contain enough redundancy that can recover parts of both messages from M 1 M 2 slide 5

How Random is Random? slide 6

Cryptographically Secure PRNG Next-bit test: given N bits of the pseudo-random sequence, predict (N+1) st bit Probability of correct prediction should be very close to 1/2 for any efficient adversarial algorithm (means what?) PRNG state compromise Even if the attacker learns the complete or partial state of the PRNG, he should not be able to reproduce the previously generated sequence or future sequence, if there ll be future random seed(s) Common PRNGs are not cryptographically secure slide 7

LFSR: Linear Feedback Shift Register Example: b 0 4-bit LFSR b 1 b 2 b 3 add to pseudo-random sequence For example, if the seed is 1001, the generated sequence is 1001101011110001001 Repeats after 15 bits (2 4-1) slide 8

Content Scrambling System (CSS) DVD encryption scheme from Matsushita and Toshiba Each player has its own PLAYER KEY (409 player manufacturers, each has its player key) Each DVD is encrypted with a disk-specific 40-bit DISK KEY This helps attacker verify his guess of disk key KEY DATA BLOCK contains disk key encrypted with 409 different player keys: Encrypt DiskKey (DiskKey) Encrypt PlayerKey1 (DiskKey) Encrypt PlayerKey409 (DiskKey) What happens if even a single player key is compromised? slide 9

Attack on CSS Decryption Scheme [Frank Stevenson] disk key 1 seeded in 1 st bit 16 key bits 24 key bits 1 seeded in 4 th bit LFSR-17 LFSR-25 invert carry + mod 256 Decrypted title key Encrypt DiskKey (DiskKey) stored on disk Encrypted title key Table-based mangling Given known 40-bit plaintext, repeat the following 5 times (once for each plaintext byte): guess the byte output by the sum of the two LFSRs; use known ciphertext to verify this takes O(2 8 ) For each guessed output byte, guess 16 bits contained in LFSR-17 this takes O(2 16 ) Clock out 24 bits out of LFSR-17, use subtraction to determine the corresponding output bits of LFSR-25 this reveals all of LFSR-25 except the highest bit Roll back 24 bits, try both possibilities this takes O(2) This attack takes O(2 25 ) Clock out 16 more bits out of both LFSRs, verify the key slide 10

DeCSS In CSS, disk key is encrypted under hundreds of different player keys including Xing, a software DVD player Reverse engineering the object code of Xing revealed its player key Every CSS disk contains the master disk key encrypted under Xing s key One bad player entire system is broken! Easy-to-use DeCSS software slide 11

DeCSS Aftermath DVD CCA sued Jon Lech Johansen ( DVD Jon ), one of DeCSS authors - eventually dropped Publishing DeCSS code violates copyright Underground distribution as haikus and T-shirts Court to address DeCSS T-Shirt: When can a T-shirt become a trade secret? When it tells you how to copy a DVD. - Wired News slide 12

RC4 Designed by Ron Rivest for RSA in 1987 Simple, fast, widely used SSL/TLS for Web security, WEP for wireless Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+s[i]) mod 256 swap(s[i],s[j]) output (S[i]+S[j]) mod 256 end loop slide 13

RC4 Initialization Divide key K into L bytes for i = 0 to 255 do S[i] := i j := 0 for i = 0 to 255 do j := (j+s[i]+k[i mod L]) mod 256 swap(s[i],s[j]) Key can be any length up to 2048 bits Generate initial permutation from key K To use RC4, usually prepend initialization vector (IV) to the key IV can be random or a counter RC4 is not random enough First byte of generated sequence depends only on 3 cells of state array S - this can be used to extract the key! To use RC4 securely, RSA suggests discarding first 256 bytes Fluhrer-Mantin- Shamir attack slide 14

802.11b Overview Standard for wireless networks (IEEE 1999) Two modes: infrastructure and ad hoc IBSS (ad hoc) mode BSS (infrastructure) mode slide 15

Access Point SSID Service Set Identifier (SSID) is the name of the access point By default, access point broadcasts its SSID in plaintext beacon frames every few seconds Default SSIDs are easily guessable Manufacturer s defaults: linksys, tsunami, etc. This gives away the fact that access point is active Access point settings can be changed to prevent it from announcing its presence in beacon frames and from using an easily guessable SSID But then every user must know SSID in advance slide 16

WEP: Wired Equivalent Privacy Special-purpose protocol for 802.11b Goals: confidentiality, integrity, authentication Intended to make wireless as secure as wired network Assumes that a secret key is shared between access point and client Uses RC4 stream cipher seeded with 24-bit initialization vector and 40-bit key Terrible design choice for wireless environment slide 17

Shared-Key Authentication Prior to communicating data, access point may require client to authenticate Access Point Client beacon probe request OR unauthenticated & unassociated challenge IV, challenge RC4(IV,K) authenticated & unassociated association request association response authenticated & associated Passive eavesdropper recovers RC4(IV,K), can respond to any subsequent challenge without knowing K slide 18

How WEP Works (IV, shared key) used as RC4 seed Must never be repeated (why?) There is no key update protocol, so security relies on never repeating IV 24 bits 40 bits CRC-32 checksum is linear in : if attacker flips some plaintext bits, he knows which bits of CRC to flip to produce the same checksum no integrity! IV sent in the clear Worse: changing IV with each packet is optional! slide 19

RC4 Is a Bad Choice for Wireless Stream ciphers require sender and receiver to be at the same place in the keystream Not suitable when packet losses are common WEP solution: a separate keystream for each packet (requires a separate seed for each packet) Can decrypt a packet even if a previous packet was lost But there aren t enough possible seeds! RC4 seed = 24-bit initialization vector + fixed key Assuming 1500-byte packets at 11 Mbps, 2 24 possible IVs will be exhausted in about 5 hours Seed reuse is deadly for stream ciphers slide 20

Recovering the Keystream Get access point to encrypt a known plaintext Send spam, access point will encrypt and forward it Get victim to send an email with known content With known plaintext, easy to recover keystream C M = (M RC4(IV,key)) M = RC4(IV,key) Even without knowing the plaintext, can exploit plaintext regularities to recover partial keystream Plaintexts are not random: for example, IP packet structure is very regular Not a problem if the keystream is not re-used slide 21

Keystream Will Be Re-Used In WEP, repeated IV means repeated keystream Busy network will repeat IVs often Many cards reset IV to 0 when re-booted, then increment by 1 expect re-use of low-value IVs If IVs are chosen randomly, expect repetition in O(2 12 ) due to birthday paradox Recover keystream for each IV, store in a table (KnownM RC4(IV,key)) KnownM = RC4(IV,key) Wait for IV to repeat, decrypt, enjoy plaintext (M RC4(IV,key)) RC4(IV,key) = M slide 22

It Gets Worse Misuse of RC4 in WEP is a design flaw with no fix Longer keys do not help! The problem is re-use of IVs, their size is fixed (24 bits) Attacks are passive and very difficult to detect Perfect target for the Fluhrer et al. attack on RC4 Attack requires known IVs of a special form WEP sends IVs in plaintext Generating IVs as counters or random numbers will produce enough special IVs in a matter of hours This results in key recovery (not just keystream) Can decrypt even ciphertexts whose IV is unique slide 23

Fixing the Problem Extensible Authentication Protocol (EAP) Developers can choose their own authentication method Passwords (Cisco EAP-LEAP), public-key certificates (Microsoft EAP-TLS), passwords OR certificates (PEAP), etc. 802.11i standard fixes 802.11b problems Patch (TKIP): still RC4, but encrypts IVs and establishes new shared keys for every 10 KBytes transmitted Use same network card, only upgrade firmware Deprecated by the Wi-Fi alliance Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs Block cipher in a stream cipher-like mode slide 24

Hacking MIFARE Chips Multi-year project on evaluating security of MIFARE cards at Radboud University in Holland http://www.ru.nl/ds/research/rfid/ MIFARE = a case study in how not to design cryptographic authentication systems The following slides are from Peter Van Rossum slide 25

MIFARE Chips Series of chips used in contactless smart cards Developed by NXP Semiconductors in the Netherlands Very common in transport payment cards MIFARE Classic: 80% of the market Over 1 billion sold, over 200 million in use slide 26

Memory Structure of the Card 0 1 2 3 uid, manufacturer data data data key A, access conditions, key B 0 4 5 6 7 data data data key A,access conditions, key B 64 blocks 16 sectors 1 60 61 62 63 data data data key A, access conditions, key B 15 48 bits 48 bits 16 bytes slide 27

LFSR Home-brewed filter function slide 28

Challenge-Response in CRYPTO1 Tag Reader uid auth(block) LFSR stream: Initial state of the LFSR is the key a i := k i i [0,47] pick nt nt pick nr Generated by PRNG {nr,ar} ar:=suc 64 (nt) Shift nt + uid into the LFSR a i+48 := L(a i,,a i+47 ) + nt i + uid i i [0,31] check ar at:=suc 96 (nr) {at} check at Shift nr into the LFSR a i+48 := L(a i,,a i+47 ) + nr i-32 i [32,63] After authentication, LFSR keeps shifting a i+48 := L(a i,,a i+47 ) i [64, ) auth. ok auth. ok Keystream: b i := f(a i+9,a i+11,,a i+47 ) i [32, ) slide 29

PRNG in CRYPTO1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Linear feedback shift register 16-bit internal state Period 2 16 1 = 65535 Feedback: L 16 (x 0,x 1,,x 15 ) := x 0 +x 2 +x 3 +x 5 Successor: suc(x 0,x 1,,x 31 ) := (x 1,x 2,,x 30,L 16 (x 16,x 17,,x 31 )) slide 30

Replay Attack [Gans, Hoepman, Garcia] Good challenge-response authentication requires some form of freshness in each session For example, timestamp or strong (pseudo)randomness MIFARE Classic: no clock + weak randomness Random challenges repeat a few times per hour Eavesdrop and record communication session When challenge repeats, send known plaintext, extract keystream, use it to decrypt recorded communication that used the same challenge slide 31

Extracting the Key from Reader 1. Acquire keystream Observe authentication à keystream 1 to 3 authentication sessions takes microseconds 2. Invert the filter function Keystream à internal state of LFSR Approx. 2 26 operations takes seconds 3. Roll back ( unshift ) the LFSR Internal state of LFSR at any time à seed (= key) Problem: bad PRNG design cryptographically secure PRNG should not allow rollback and recovery of the seed even if state is compromised slide 32

Acquiring Keystream Tag pick nt uid auth(block) nt Reader pick nr Intercepted communication: nt, {ar}, {at} visible to attacker {ar} = suc 64 (nt), {at} = suc 96 (nt) 64 keystream bits OR check ar {nr,ar} ar:=suc 64 (nt) Access to reader only: nt under attacker control {ar} = suc 64 (nt) visible to attacker 32 keystream bits at:=suc 96 (nt) {at} auth. ok check at auth. ok slide 33

Inverting the Filter Function # # # # # # # # # # # # # # # # # # # # keystream: 01100111100110110 #################### # ################### # ## ################## # 2 19 00000000000000000000 00000000000000000001 00000000000000000011 00000000000000000100 00000000000000000110 produces odd keystream 0 0 0000000000000000000 0 0 0000000000000000000 1 0 0000000000000000001 0 0000000000000000011 1 0 0000000000000000100 0 produces odd keystream 01 00 000000000000000000 1 00 000000000000000001 1 00 000000000000000111 0 00 000000000000000111 1 00 000000000000001000 produces odd keystream 010 Filter function only depends only on 20 odd bits of input easily inverted Compute odd bits of LFSR using table and deduce even bits (linear relation) OR Compute odd and even bits of LFSR using tables separately and combine tables slide 34

Rolling Back the LFSR Feedback: L(x 0,x 1,,x 47 ) := x 0 +x 5 +x 9 +x 10 +x 12 +x 14 +x 15 +x 17 +x 19 +x 24 +x 25 +x 27 +x 29 +x 35 +x 39 +x 41 +x 43 LFSR stream: Initial state of the LFSR is the key a i := k i i [0,47] Shift nt + uid into the LFSR a i+48 := L(a i,,a i+47 ) + nt i + uid i i [0,31] Shift nr into the LFSR a i+48 := L(a i,,a i+47 ) + nr i-32 i [32,63] After authentication, LFSR keeps shifting a i+48 := L(a i,,a i+47 ) i [64, ) Keystream: b i := f(a i+9,a i+11,,a i+47 ) i N Inverting feedback: R(x 1,,x 47, x 48 ) := x 5 +x 9 +x 10 +x 12 +x 14 +x 15 +x 17 +x 19 +x 24 +x 25 +x 27 +x 29 +x 35 +x 39 +x 41 +x 43 +x 48 R(x 1,,x 47,L(x 0,x 1,,x 47 )) = x 0 Inverting LFSR stream: Unshift LFSR until end of authentication a i = R(a i+1,,a i+48 ) i [64, ) Unshift nr from the LFSR a i = R(a i+1,,a i+48 ) + nr i-32 i [32,63] = R(a i+1,,a i+48 ) + {nr} i-32 + b i = R(a i+1,,a i+48 ) + {nr} i-32 + f(a i+9,,a i+47 ) Unshift nt + uid from the LFSR a i = R(a i+1,,a i+48 ) + nt i + uid i i [0,31] Key is the initial state of the LFSR k i = a i i [0,47] slide 35

Summary: Weaknesses of CRYPTO1 Stream cipher with 48-bit internal state Enables brute-force attack Weak 16-bit random number generator Enables chosen-plaintext attack and replay attack Keystream based on simple LFSR structure + weak one-way filter function Invert filter function à obtain state of LFSR Roll back LFSR à recover the key 64-bit keystream à recover unique key 32-bit keystream à 216 candidate keys slide 36

Extracting the Key (Card Only) Parity bit of plaintext is encrypted with the same bit of the keystream as the next bit of plaintext One-time pad is used twice If parity bit is wrong, encrypted error message is sent before authentication Opens the door to card-only guessing attacks (chosenplaintext, chosen-ciphertext) why? Wireless-only attack Recover secret key from the card in seconds Result: full cloning of the card slide 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback