Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS
Christina Garman (Johns Hopkins University), Kenny Paterson and Thyla van der Merwe (Royal Holloway, University of London)
12 August 2015
Slides presented by Thyla van der Merwe (19 slides)
Motivation
Despite AlFardan-Bernstein-Paterson-Poettering-Schuldt (USENIX 2013), RC4 usage stood at 35% of TLS connections (ICSI Notary Statistics, Dec. 2014, http://notary.icsi.berkeley.edu/).
Can we strengthen these attacks? Passwords are widely used for authentication, and the fact that they are not uniformly distributed may give us a boost.
Get RC4 closer to the point where it needs to be abandoned!
RC4 in TLS
(Figure: protocol stack, with TLS sitting between the application layer (HTTP) and the transport layer (TCP), and the handshake and record protocols between client C and server S.)
Handshake protocol: the ClientHello offers a list of cipher suites that includes RC4; the ServerHello selects RC4; both sides derive the two directional keys $K_u$ and $K_d$; ClientFinished and ServerFinished close the handshake.
Record protocol: application data is protected by HMAC-SHA1 for integrity and encrypted with RC4 under $K_u$ and $K_d$, one byte at a time: $C_r = P_r \oplus Z_r$, where $Z_r$ is the $r$-th keystream byte. The first 36 bytes of each keystream encrypt the HMAC-protected Finished message, so the application data an attacker is interested in starts after them.
RC4 Biases
(Figure: heat map of the double-byte keystream biases, byte value at position 1 (0 to 255) on the x-axis against byte value at position 2 (0 to 255) on the y-axis; the colour scale is the deviation from uniform scaled by $2^{22}$ and clipped to $[-1, 1]$.)
Attack Setting
First described by Mantin and Shamir in 2001: a fixed plaintext $P$ is encrypted multiple times under independent RC4 keys $K_1, \ldots, K_S$, giving the attacker $S$ ciphertexts of the same plaintext.
Plaintext Recovery via Bayesian Analysis
For a position $r$ in the plaintext stream we want to maximize $\Pr(X = x \mid C = c)$, where $X$ is the random variable corresponding to the plaintext byte at that position ($x$ a candidate value) and $C$ is the random variable corresponding to the vector of $S$ ciphertext bytes observed there ($c$ its value).
Using Bayes' theorem:
$$\Pr(X = x \mid C = c) = \frac{\Pr(C = c \mid X = x)\,\Pr(X = x)}{\Pr(C = c)} = \frac{\Pr(C = c \mid X = x)\,\Pr(X = x)}{\sum_{x' \in \mathcal{X}} \Pr(C = c \mid X = x')\,\Pr(X = x')}.$$
The denominator does not depend on $x$, so we actually want to maximize $\Pr(C = c \mid X = x)\,\Pr(X = x)$. However, since each ciphertext byte is $c_i = x \oplus z_i$, we have $\Pr(C = c \mid X = x) = \Pr(Z = z)$ with $z = (c_1 \oplus x, \ldots, c_S \oplus x)$, and it suffices to maximize
$$\Pr(X = x)\,\Pr(Z = z),$$
where the distribution of the keystream bytes $Z$ is known from the RC4 biases.
Plaintext Recovery via Bayesian Analysis
(Diagram of the recovery algorithm:) $C_1, C_2, C_3, \ldots, C_S$ are encryptions of a fixed byte under different keys. For a byte candidate $x$ at position $r$, XORing $x$ into each ciphertext yields an induced distribution on the keystream byte $Z_r$; combining it with the known keystream distribution and with the a priori plaintext distribution gives the a posteriori likelihood of $x$ being the correct byte. The recovery algorithm computes the most likely byte by considering all 256 byte possibilities.
Attacking Cookies [ABPPS13]
The same algorithm, with the a priori plaintext distribution assumed uniform: for each position, combine the induced keystream distribution of every byte candidate $x$ with the known keystream distribution, compute the a posteriori likelihood of $x$, and take the most likely byte; repeat for all bytes of the cookie.
Cost: 256 positions, $2^{34}$ encryptions, 2000 hours!
Attacking Passwords
Passwords are widely used for authentication on the web and are NOT uniformly distributed: the 2009 RockYou leak of 32 million passwords contains only about 14 million unique values, with 123456 the most popular.
So we have a priori information from leaked datasets, and we have to recover multiple bytes, not just one.
Attacking Passwords
For $n$ bytes we want to maximize $\Pr(X = x)\,\Pr(Z = z)$, where $X$ is the random variable corresponding to a vector of plaintext bytes, $x = (x_0, x_1, \ldots, x_{n-1})$, and $Z$ is the random variable corresponding to the $S \times n$ matrix of keystream bytes, $z_{i,j} = c_{i,j} \oplus x_j$.
The question is how to estimate $\Pr(Z = z)$ for such a matrix.
Approximations
How to estimate $\Pr(Z = z)$ for the matrix of keystream bytes:
Attack 1: assume the keystream bytes behave independently, and use the single-byte probabilities (product distribution).
Attack 2: assume each keystream byte is influenced only by the byte directly adjacent to it, and use the double-byte and single-byte probabilities.
(Figure: the double-byte biases, estimated from $2^{44}$ keystreams at a cost of 4800 core-days.)
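The two approximations written out, as an added formalization of the assumptions stated on this slide (not a formula from the original deck). With $z_{i,j} = c_{i,j} \oplus x_j$ for the $i$-th ciphertext ($1 \le i \le S$) and the $j$-th password byte ($0 \le j < n$), $p_t(\cdot)$ the single-byte keystream distribution at position $t$ and $p_{t,t+1}(\cdot,\cdot)$ the double-byte distribution at adjacent positions $t, t+1$:

Attack 1 (keystream bytes independent):
$$\Pr(Z = z) \approx \prod_{i=1}^{S} \prod_{j=0}^{n-1} p_{r+j}(z_{i,j})$$

Attack 2 (each keystream byte depends only on the adjacent one, a first-order Markov assumption):
$$\Pr(Z = z) \approx \prod_{i=1}^{S} \left( p_r(z_{i,0}) \prod_{j=1}^{n-1} \frac{p_{r+j-1,\,r+j}(z_{i,j-1}, z_{i,j})}{p_{r+j-1}(z_{i,j-1})} \right)$$

In both cases a dictionary candidate $x$ is scored by $\log \Pr(X = x) + \log \Pr(Z = z)$; the logarithm turns the products into sums, which is what an implementation computes.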
Approximations
(Diagram of the password recovery algorithm:) $C_1, C_2, C_3, \ldots, C_S$ are encryptions of a fixed password under different keys, occupying positions $r, r+1, \ldots, r+n-1$. A password candidate $x = (x_0, x_1, \ldots, x_{n-1})$ yields an induced distribution on the keystream bytes $Z_r, Z_{r+1}, \ldots, Z_{r+n-1}$; this is combined with the known keystream distribution (approximated as on the previous slide) and with the a priori password distribution to give the a posteriori likelihood of $x$ being the correct password. The recovery algorithm computes the most likely password from a dictionary of $N$ passwords.
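The recovery procedure of this and the preceding slides, as an added example that is not part of the original deck or the authors' code. It implements textbook RC4, measures the Mantin-Shamir bias $\Pr(Z_2 = 0) \approx 1/128$ over independent keys (how the bias tables are built), then runs the Bayesian estimator for a single byte (uniform prior, all 256 candidates, the cookie attack) and the Attack 1 product-distribution dictionary version with an a priori password distribution and a lockout budget $T$. Everything not on the slides is an assumption constructed for the example: the keys are SHA-256-derived 16-byte values standing in for independent session keys; the keystream model contains only the $Z_2$ bias and treats every other position as uniform, whereas the real attack uses tables estimated at every position from $2^{44}$ keystreams; $Z_2$ is in any case inside TLS's encrypted Finished message, so real targets sit at positions with much weaker biases and need far more ciphertexts; and the dictionary with its frequencies is a three-entry toy.

```python
# Added example, not from the slides or the authors' code: the broadcast-setting
# Bayesian recovery of slides 6-12 run against real RC4 keystream. Key
# derivation, the keystream model and the dictionary are constructed here.
import hashlib
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then `length` PRGA output bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def session_key(i: int) -> bytes:
    """Constructed stand-in for the i-th independent 128-bit TLS session key."""
    return hashlib.sha256(b"rc4-demo-" + i.to_bytes(4, "big")).digest()[:16]


def measure_position(pos: int, nkeys: int) -> list:
    """Empirical distribution of the keystream byte at 0-based position `pos`
    over nkeys independent keys: this is how the bias tables are built."""
    counts = [0] * 256
    for k in range(nkeys):
        counts[rc4_keystream(session_key(k), pos + 1)[pos]] += 1
    return counts


def keystream_model(npos: int) -> list:
    """Pr(Z_pos = z) for 0-based pos < npos. Assumption: only the Mantin-Shamir
    bias Pr(Z_2 = 0) ~ 1/128 (0-based pos 1) is modelled, all other positions
    are uniform. The real attack uses tables estimated at every position."""
    model = [[1 / 256] * 256 for _ in range(npos)]
    if npos > 1:
        model[1] = [(1 - 1 / 128) / 255] * 256
        model[1][0] = 1 / 128
    return model


def encrypt_broadcast(plaintext: bytes, r: int, S: int, first_key: int = 1 << 20) -> list:
    """S encryptions of one plaintext at stream position r under independent
    keys (the Mantin-Shamir setting); returns only the n ciphertext bytes
    covering the plaintext."""
    n = len(plaintext)
    cts = []
    for i in range(S):
        z = rc4_keystream(session_key(first_key + i), r + n)[r:]
        cts.append(bytes(p ^ k for p, k in zip(plaintext, z)))
    return cts


def histograms(cts: list, n: int) -> list:
    """Per-position counts of the S ciphertext bytes; the product estimator
    (Attack 1) depends on the ciphertexts only through these counts."""
    hist = [[0] * 256 for _ in range(n)]
    for c in cts:
        for j in range(n):
            hist[j][c[j]] += 1
    return hist


def log_posterior(x: bytes, hist: list, r: int, model: list, prior: float) -> float:
    """log Pr(X = x) + sum_i sum_j log Pr(Z_{r+j} = c_{i,j} XOR x_j):
    the candidate's a posteriori score under Attack 1."""
    score = math.log(prior)
    for j, xj in enumerate(x):
        counts, p = hist[j], model[r + j]
        score += sum(cnt * math.log(p[v ^ xj]) for v, cnt in enumerate(counts) if cnt)
    return score


def recover_byte(cts: list, r: int, model: list) -> int:
    """Single-byte recovery (the cookie attack): uniform prior, all 256 candidates."""
    hist = histograms(cts, 1)
    return max(range(256), key=lambda v: log_posterior(bytes([v]), hist, r, model, 1 / 256))


def rank_passwords(cts: list, r: int, n: int, model: list, dictionary: dict, T: int) -> list:
    """Dictionary attack: the T most likely length-n passwords a posteriori,
    i.e. the guesses to submit before the server locks the account."""
    hist = histograms(cts, n)
    cands = [pw for pw in dictionary if len(pw) == n]
    cands.sort(key=lambda pw: log_posterior(pw, hist, r, model, dictionary[pw]), reverse=True)
    return cands[:T]


if __name__ == "__main__":
    N = 1 << 14
    counts = measure_position(1, N)
    print("Pr(Z_2 = 0) ~ %.5f, uniform would be %.5f" % (counts[0] / N, 1 / 256))
    print("recovered byte: %#x" % recover_byte(encrypt_broadcast(b"\x7b", 1, N), 1, keystream_model(2)))
    # Constructed toy prior in the spirit of RockYou: 123456 is the most popular.
    dictionary = {b"123456": 0.60, b"qwerty": 0.30, b"abc123": 0.10}
    model = keystream_model(7)
    print("prior alone:", rank_passwords([], 1, 6, model, dictionary, 3))
    print("with ciphertexts:", rank_passwords(encrypt_broadcast(b"abc123", 1, N // 2), 1, 6, model, dictionary, 3))
```

Two design points worth noting. Under the product distribution the likelihood depends on the ciphertexts only through the per-position byte histograms, so scoring a candidate costs $256 \cdot n$ operations rather than $S \cdot n$; Attack 2 would need per-position pair histograms instead. And with no ciphertexts the ranking is exactly the prior order (the "optimal guessing" baseline of the later slides); with $2^{13}$ ciphertexts the $Z_2$ evidence overrides a prior that favours 123456 six to one, which is the Bayesian combination the slides describe.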
What's different?
- n bytes instead of one
- T attempts before lockout: the attack outputs its T most likely candidates
- a dictionary of size N as the candidate set
- single-byte vs double-byte estimator
- Base64 or ASCII encoding of the password
- r, the starting position of the password in the stream
- S, the number of ciphertexts
- comparison against guessing attacks (the prior alone)
Simulation Results
Use a dictionary built from the RockYou leak dataset to attack passwords from the Singles.org dataset (more realistic than training and testing on the same leak, but it limits our success rate).
Default parameters: n = 6, T = 5, S = $2^{20}, 2^{22}, \ldots, 2^{28}$; success rate measured over 256 experiments.
Simulation Results
(Plot: success rate (0 to 1) against starting position r (0 to 256) for the single-byte (sb) and double-byte (db) estimators at S = $2^{20}, 2^{22}, 2^{24}, 2^{26}, 2^{28}$; n = 6, T = 5.)
Simulation Results
(Plot: $\log_2(T)$ (0 to 25) against recovery rate (0 to 1) at r = 133, n = 6, double-byte estimator, for S = $2^{14}, 2^{16}, \ldots, 2^{28}$, with optimal guessing, i.e. the prior alone, as the baseline.)
Practical Validation
Applicable to BasicAuth and IMAP, where the password is sent on every request or connection.
We need multiple, independent encryptions of the password, each under a fresh RC4 key.
We need the password to be encrypted at a favourable position in the keystream.
Practical Validation
(Diagram: the victim's browser, steered by www.evil.com, repeatedly sends the password PW = 123456 over a TLS channel to www.good.com, so that it is encrypted at position r = 133 under a fresh key each time.)
With a session-resumption latency of 250 ms, $2^{26}$ encryptions and 6 parallel connections, collecting the ciphertexts takes 776 hours (312 hours at 100 ms).
Closing Remarks
Made use of a generally applicable Bayesian inference technique.
Strengthened the results of AlFardan et al.: good recovery rates at $2^{26}$ vs. $2^{34}$ ciphertexts, and an attack time of 312 vs. 2000 hours.
ICSI Notary Statistics [Jul./Aug. 2015], http://notary.icsi.berkeley.edu/: 12.8% of TLS connections make use of RC4 (down from 35% in Dec. 2014).
(Timeline figure: Dec. 2014 through Feb., Mar. and July 2015 to now.)
We need to stop using RC4!