All your Wireless belongs to us

Transcription:

_ (in)security we trust _!!
Grenoble INP Ensimag SecurIMAG 2012-03-01
All your Wireless belongs to us
Description: 802.11 Wifi Security
Lecturer: Guillaume Jeanne
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

Presentation: Guillaume Jeanne
Background: MP* preparatory classes at Lycée Claude-Fauriel (Saint-Etienne, 42); first year at ENSIMAG
Why SecurIMAG? (the ultimate question) I've always been fascinated by computer security and how we could divert an object from its normal use (hacking).
Contact: guillaume.jeanne{(_a\.t_)}ensimag.fr

Outline
802.11b WEP
- How it works
- WEP Security Problems
  1/ Reuse the byte sequence
  2/ Fluhrer, Mantin and Shamir attack
- Demo
WPA
- Changes
- WPA Security Problems
  1/ Dictionary attack
- Demo

Reminder of French Law
Art. 323-1: "Fraudulently accessing or remaining within all or part of an automated data processing system is punishable by two years' imprisonment and a fine of 30 000 euros. Where this results in either the deletion or modification of data contained in the system, or an impairment of the functioning of that system, the penalty is three years' imprisonment and a fine of 45 000 euros."

802.11b, Wired Equivalent Privacy (WEP)
802.11: a (1999), b (1999), g (2003), n (2009)
Security (1999):
- Data encryption: Wired Equivalent Privacy (WEP)
- Authentication:
  o Shared Key Authentication (SKA): WEP is used during authentication
  o Open System Authentication: no authentication occurs
Beginning: 40-bit keys (U.S. law); WEP2: 104 bits
Severely criticized for its lack of security

WEP, How it works? Emission
- Message M (unencrypted): $M$
- Control function: CRC32 (to check integrity): $M \| CRC(M)$
- RC4 encryption: IV (initialization vector, 24 bits) + WEP key (104 bits): $RC4(IV \| WEP\ Key) = RC4(Seed)$

WEP, How it works? Emission
- $RC4(Seed) \oplus (M \| CRC(M)) = C$ (encrypted message)
- Transmitted: IV (24 bits) $\|$ encrypted message $C$

WEP, How it works? Reception
Exactly the same thing! The receiver retrieves the IV, concatenates it with the WEP key, encrypts with RC4 and XORs the result with the encrypted message. It then calculates the checksum and checks it.
$RC4(IV \| WEP\ Key) = RC4(Seed)$
$RC4(Seed) \oplus C = M \| CRC(M)$

Shared Key Authentication (SKA)
Four-way handshake using the WEP password (secret key)

WEP, Security problems 1/ Reuse the byte sequence
Principle:
$A = M_1 \oplus RC4(Seed)$
$B = M_2 \oplus RC4(Seed)$
$A \oplus B = M_1 \oplus RC4(Seed) \oplus M_2 \oplus RC4(Seed) = M_1 \oplus M_2$
If you know M1, you can deduce M2 (and vice versa):
$M_2 = (M_1 \oplus M_2) \oplus M_1$

WEP, Security problems 1/ Reuse the byte sequence
Question: how to know M1?
- Easy: M1 is an Internet packet with a known structure.
- Social engineering: send an email; its contents will be encrypted with the WEP key.
BUT the aim of the IV is to encrypt each packet differently, so the principle explained above does not work unless the same IV is reused! Reuse is easy to detect because IVs are not encrypted.

WEP, Security problems 1/ Reuse the byte sequence
You shall not reuse the same IV! But IVs are only 24 bits, so IVs are necessarily reused. There is a 50% chance that an IV will be reused after 4823 packets!

Annex: Birthday Paradox
Problem: how many people are needed for the probability that 2 of them were born on the same day to be 1/2? Only 23.
Explanation (this is not a lie!):
- (23*22)/2 = 253 pairs
- failure rate for each pair: 1 - 1/365 = 99.726%
- (1 - 1/365)^253 = 49.9% => 50.1% success

Annex: Birthday Paradox table
n      p(n)
10     11.7%
20     41.1%
23     50.1%
30     70.6%
50     97.0%
57     99.0%
100    99.99997%
200    99.9999999999999999999999999998%
300    $(100 - 6 \times 10^{-80})\%$
350    $(100 - 3 \times 10^{-129})\%$
365    $(100 - 1.45 \times 10^{-155})\%$
366    100%

WEP, Security problems 1/ Reuse the byte sequence
Application here:
- ½ (4823 x 4822) = 11 628 253 pairs
- failure rate for each pair: $1 - (1/2)^{24}$
- $[1 - (1/2)^{24}]^{11\,628\,253} = 50.00\%$ => 50% success
- 4.823 s (8 Mbit/s, 1 kB packets)
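The keystream-reuse principle and the 24-bit IV birthday bound from the slides above, as an added example that is not part of the original presentation. The framing is simplified (no 802.11 header or key ID byte), and the key, IVs, messages and all function names are constructed for illustration.

```python
import math
import zlib
from collections import Counter

def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream: key scheduling (KSA), then n output bytes (PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_crc(msg: bytes) -> bytes:
    """M || CRC32(M), the body that WEP encrypts."""
    return msg + zlib.crc32(msg).to_bytes(4, "little")

def wep_frame(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """IV in clear, followed by RC4(IV || key) XOR (M || CRC(M))."""
    body = with_crc(msg)
    return iv + xor(body, rc4(iv + key, len(body)))

def reused_ivs(frames):
    """IVs carried by more than one frame; IVs are unencrypted, so any observer sees this."""
    counts = Counter(f[:3] for f in frames)
    return {iv for iv, c in counts.items() if c > 1}

def recover_without_key(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Same IV means same keystream, so C_a XOR C_b equals body_a XOR body_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs, so their keystreams differ")
    body_b = xor(xor(frame_a[3:], frame_b[3:]), with_crc(known_a))
    msg, icv = body_b[:-4], body_b[-4:]
    if with_crc(msg)[-4:] != icv:
        raise ValueError("CRC mismatch: the known plaintext was wrong")
    return msg

def packets_for_collision(space: int, target: float = 0.5) -> int:
    """Smallest n for which n uniform draws from `space` values collide with P >= target."""
    log_clear, n = 0.0, 0  # log of P(no collision among n draws)
    while 1 - math.exp(log_clear) < target:
        log_clear += math.log1p(-n / space)
        n += 1
    return n

# Constructed sample data: a 104-bit key and two equal-length messages.
KEY = bytes(range(1, 14))
IV = bytes([0x01, 0x02, 0x03])
M1 = b"GET /index.html HTTP/1.1"
M2 = b"user=alice&pin=4821 done"
FRAMES = [wep_frame(IV, KEY, M1), wep_frame(bytes([9, 9, 9]), KEY, M1), wep_frame(IV, KEY, M2)]
```

`recover_without_key(FRAMES[0], FRAMES[2], M1)` returns `M2` without ever touching `KEY`, and `packets_for_collision(2**24)` computes the exact threshold that the pair-counting approximation on the slide estimates.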

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
- The most famous WEP attack.
- Published in a 2001 paper titled "Weaknesses in the Key Scheduling Algorithm of RC4" (1).
- Implemented in AirSnort and Aircrack.
- Exploits the weaknesses of the RC4 key generation algorithm and of the IVs.

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
RC4 key generation algorithm:
- Generate two tables S and K, each 256 bytes in size
- Initialize the table S with the integers from 0 to 255 (state table)
- Fill in the table K with the secret key
- Pseudo-randomly permute the table S using the secret key
- Pseudo-randomly permute the table S with itself
- XOR the sequence obtained from the table S with the data stream

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
The attack
Some IVs leak information about the secret key through the first keystream byte they produce. These IVs are called low IVs (more commonly "weak IVs") and are of the form (A+3, N-1, X) (3 bytes), where:
- A is the byte of the key to attack
- N = 256 because RC4 is modulo 256
- X is between 0 and 255
For each byte of the key, there are 256 low IVs.

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
The first byte of an 802.11b packet is the SNAP header, and it is almost always 0xAA.
$output = 0xAA \oplus FirstByte$
Now you can attack. Here is the algorithm (KSA):

begin ksa(with int keylength, with byte K[keylength])
    for i from 0 to 255
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255
        j := (j + S[i] + K[i mod keylength]) mod 256
        swap(S[i], S[j])
    endfor
end

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
Explanation: first key byte, low IVs (A=0), [3,15,2,1,2,3,4,5] (mod 16)
K[] = 3 15 2 X X X X X 3 15 2 X X X X X
S[] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
KSA:
1) i=0, j=0+0+3=3, S[] = 3 1 2 0
2) i=1, j=3+1+15=3, S[] = 3 0 2 1 4 5
3) i=2, j=3+2+2=7, S[] = 3 0 7 1 4 5 6 2 8 9 10 11 12 13 14 15
First byte = output - j - S[i] = 9 - 7 - 1 = 1

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
Second byte, [4,15,9,1,2,3,4,5]
K[] = 4 15 9 1 X X X X 4 15 9 1 X X X X
S[] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
KSA: 1) j=4  2) j=4  3) j=15  4) j=3
Second byte = 6 - 3 - 1 = 2

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
But in reality there is only a 5% chance that the guessed byte is correct (for 1 IV) => repeat this for several IVs (X varies).
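The two worked cases above, reproduced with the slides' toy modulus N = 16 as an added example that is not part of the original presentation. The function names are chosen here for illustration, and `SECRET` is the five-byte key [1,2,3,4,5] that follows the IV in the slides' arrays.

```python
N = 16  # toy modulus from the slides; real RC4 uses N = 256

def ksa(key, steps=N):
    """Run the first `steps` iterations of the RC4 KSA modulo N; return (S, j)."""
    S, j = list(range(N)), 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S, j

def first_output(key):
    """First keystream value produced after the complete KSA."""
    S, _ = ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]

def is_low_iv(iv, a):
    """True when the IV has the (A+3, N-1, X) form for key byte index a."""
    return iv[0] == (a + 3) % N and iv[1] == N - 1

def guess_key_byte(iv, known_key, output):
    """Slide formula: key byte = output - j - S[i], computed from public values only.

    The KSA is replayed over the IV and the key bytes already known; the step
    that would consume the unknown byte is solved for instead of executed.
    """
    a = len(known_key)
    if not is_low_iv(iv, a):
        raise ValueError("IV does not have the (A+3, N-1, X) form for this byte")
    S, j = ksa(list(iv) + list(known_key), steps=a + 3)
    return (output - j - S[a + 3]) % N

def hit_rate(secret, a):
    """Fraction of the N low IVs for byte a whose guess equals the real key byte."""
    hits = 0
    for x in range(N):
        iv = ((a + 3) % N, N - 1, x)
        out = first_output(list(iv) + list(secret))
        hits += guess_key_byte(iv, secret[:a], out) == secret[a]
    return hits / N

SECRET = [1, 2, 3, 4, 5]  # key bytes used in the slides' example
```

`hit_rate` shows why a single IV is not enough: later KSA steps often disturb the state the formula relies on, so only some values of X give the right byte.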

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
Consequences:
- Ability to modify the packets (integrity loss)
- Ability to authenticate
"Solutions":
- Increasing the size of the WEP key (and/or the possible space of the IV) is not enough (birthday paradox)
- We should rely on another kind of cipher (e.g. a block cipher, see WPA)

WEP, Security problems 2/ Fluhrer, Mantin and Shamir attack
Furthermore: Breaking 104 bit WEP in less than 60 seconds (2)
In 2007, Erik Tews, Andrei Pyshkin, and Ralf-Philipp Weinmann were able to extend Klein's 2005 attack and optimize it for usage against WEP. With the new attack it is possible to recover a 104-bit WEP key with probability 50% using only 40,000 captured packets.

DEMO

802.11i, Wi-Fi Protected Access (WPA & WPA2)
WPA became available around 1999, WPA2 around 2004, following serious weaknesses researchers had found in the previous system (WEP).
Changes:
- Temporal Key Integrity Protocol (TKIP)
  o still RC4, but with a 128-bit key per packet
  o rekeying mechanism (keys change frequently, avoiding collisions)
  o the ICV field is replaced by a MICHAEL integrity check (64 bits)
  o sequence number for each packet (replay protection)
- AES (block cipher), optional in WPA
  o mandatory in WPA2

WPA, Security problems: dictionary attack
Dictionary attack: test all the words in a dictionary.
It is the only WPA attack available in aircrack that can recover the key.
Concretely, you disconnect a station from the network and then capture the packets it sends to reconnect (handshake). Then you can launch the attack.

Problem 1: Storage
Dictionaries are very heavy to store:
- 5-character key (uppercase, lowercase, numbers): 458 MB
- 10-character key: 8392993 TB
- 63-character key: 5.25e+99 PB

Problem 1: Solution
Generate the dictionary on the fly!
Crunch (3.2) http://sourceforge.net/projects/crunch-wordlist/
/pentest/passwords/crunch/./crunch 10 10 0123456789abc[ ]xyz -o wordlist.txt
Pipe into aircrack

Problem 2: Time
A dictionary attack is very long.
Time = O(n²): double the length => time will be squared
Question: how to speed up the attack?

Accelerate the attack
ElcomSoft Distributed Password Recovery (3)
- Support for NVIDIA CUDA cards, ATI Radeon and Tableau TACC1441 hardware accelerators.
- Allows up to 64 CPUs or CPU cores and up to 32 GPUs per processing node.
- Distributed password recovery over LAN, Internet or both.

Accelerate the attack
Application family | Applications | Extensions | Type of recovery | Password types | Hardware acceleration
Microsoft Office 2007 | Word, Excel, PowerPoint, Project | .DOCX, .XLSX, .PPTX, | password | file opening password
Microsoft Office 2007 | Access | .ACCDB | password | file opening password
Microsoft Office 2010 | Word, Excel, Access, PowerPoint | .DOCX, .XLSX, .PPTX | password | file opening password
Microsoft Office XP/2003 | Word, Excel, PowerPoint | .DOC, .XLS, .PPT | password | "open" password only
Microsoft Office 97/2000 | Word, Excel | .DOC, .XLS | password | "open" password only
Microsoft Office 97/2000 | Word, Excel | .DOC, .XLS | key | "open" password only - guaranteed decryption
Hardware acceleration (as listed for the rows above): NVIDIA ATI Tableau; NVIDIA ATI Tableau

OpenDoc | word processing (text) documents | .odt, .ott, .sxw, .stw | password | | NVIDIA
OpenDoc | spreadsheets | .ods, .ots, .sxc, .stc | password | | NVIDIA
OpenDoc | presentations | .odp, .otp, .sxi, .sti | password | | NVIDIA
OpenDoc | graphics/drawing | .odg, .otg, .sxd, .std | password | | NVIDIA
OpenDoc | formulae, mathematical equations | .ODF, .SXM | password | | NVIDIA
Microsoft Money | | .MNY | password
Intuit Quicken 1 | | .QDF | password
PGP and Open-Key Passwords | PGP zip archives 1 | .PGP | password
PGP and Open-Key Passwords | PGP secret key rings | .skr | password

Adobe Acrobat PDF | PDF with 256-bit encryption | .pdf | password | "user" and "owner" password
Adobe Acrobat PDF | PDF with 128-bit encryption | .pdf | password | "user" and "owner" password
Adobe Acrobat PDF | PDF with 40-bit encryption | .pdf | password | "user" and "owner" password
Adobe Acrobat PDF | PDF with 40-bit encryption | .pdf | key | "user" password - guaranteed decryption
System Passwords | Microsoft Windows NT, 2000, XP, 2003, Vista | | password | logon passwords (LM/NTLM) | NVIDIA 2
System Passwords | Microsoft Windows | | password | SYSKEY startup passwords
System Passwords | Microsoft Windows | | password | DCC (Domain Cached Credentials) passwords | NVIDIA 2

System Passwords | UNIX | | password | users passwords
System Passwords | Wireless networks | | password | WPA and WPA2 passwords | NVIDIA ATI Tableau
iPhone/iPod/iPad backup | iTunes | | password | | NVIDIA ATI Tableau
BlackBerry backup | BlackBerry Desktop Software (old) | .ipd, .bbb | password | | AES-NI 3
Mozilla, FireFox, Thunderbird | | | password | master passwords
BlackBerry backup | BlackBerry Desktop Software (6.0+ for Windows, 2.0+ for Mac) | | password | | NVIDIA ATI Tableau
Apple iWork | Pages, Numbers, Keynote | .pages, .numbers, .key | password | password to open

Performance comparison
10x faster on an Nvidia 8800GT than on a Core2Duo 3.3 GHz

But it is relative
- 5-character WPA key brute-force attack: 1 day and 18 hours vs 16 days and 4 hours
- 10-character WPA key brute-force attack: 1 551 683 291 days (4251 millennia)
- a WPA2 key can have 63 characters

Full CUDA on Backtrack
CUDA is natively used by Backtrack (and more particularly by crunch and aircrack)
http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf

WPA & WPA2 Conclusion
How to improve the attack:
- Use rainbow tables; here, 120 GB of Windows LanManager hashes: http://www.korben.info/userfiles/file/hak5_rtables_lm_all_1-7.torrent
How to protect yourselves:
- Use a key of more than 10 characters
- Use special characters
- Change the default password

Annex: Rainbow table

DEMO

References
(1) http://aboba.drizzlehosting.com/ieee/rc4_ksaproc.pdf
http://en.wikipedia.org/wiki/fluhrer,_mantin_and_shamir_attack
http://en.wikipedia.org/wiki/rc4
http://en.wikipedia.org/wiki/birthday_problem
Jon Erickson, Hacking: The Art of Exploitation
(2) Breaking 104 bit WEP in less than 60 seconds: http://eprint.iacr.org/2007/120.pdf
http://jwis2009.nsysu.edu.tw/location/paper/a%20practical%20message%20falsification%20attack%20on%20wpa.pdf
(3) http://www.elcomsoft.com/edpr.html
http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf
http://sourceforge.net/projects/crunch-wordlist/

Questions?