Post on 19-Dec-2015
Chalmers University of Technology
Wireless security timeline
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
WEPintroduced
WPAintroduced
FMS attack on WEP
ChopChop attack on
WEP
Fragmentation attack onWEP
PTW attack on WEP
Beck and Tews attack on WEP
and WPA
Message falsification
attack on WPA
Attack on TKIP
WPA2introduced
Chalmers University of Technology
RC4
• Was developed by Ron Rivest in 1987
• “Rivest Cipher 4”• Most widely used
stream cipher• Used in i.e. SSL,
WEP, WPA and TLS• Was secret until 1994
when it was leaked
for i from 0 to 255S[i] := i
endforl := keylengthj := 0for i from 0 to 255
j := (j + S[i] + key[i mod l]) mod 256 swap(&S[i],&S[j])
endfori := 0j := 0while GeneratingOutput:
i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(&S[i],&S[j])output S[(S[i]+S[j]) mod 256]
endwhile
Chalmers University of Technology
Key Scheduling Algorithm (KSA)
• Initializes the state• Permutes array S
based on key K• Array S controls the
secret state• S is later used to
generate stream
for i from 0 to 255S[i] := i
endforl := K.lengthj := 0for i from 0 to 255
j := (j + S[i] + K[i mod l]) mod 256swap(&S[i], &S[j])
endfor
Chalmers University of Technology
KSA example
S = 0 1 2 3 4 5 6 7
5 3K =
for i from 0 to 7j := (j + S[i] + K[i mod l]) mod 8swap(&S[i],&S[j])
endfor
i
i
j
05 52 6 37 450 03 14
Chalmers University of Technology
Pseudo Random Generation Algorithm (PRGA)
• Generates a stream of pseudo random numbers
• The state array is updated each iteration
i := 0j := 0while GeneratingOutput:
i := (i + 1) mod 256 j := (j+S[i]) mod 256swap(&S[i],&S[j])output S[(S[i]+S[j]) mod 256]
endwhile
Chalmers University of Technology
PRGA example
S =
i
j
2 6 7 5 03 14
while GeneratingOutput:i := (i + 1) mod 8j := (j+S[i]) mod 8swap(&S[i],&S[j])output S[(S[i]+S[j]) mod 8]
endwhile
47 31
Chalmers University of Technology
Question
What problem might we encounter if the same key is used to encrypt multiple messages?
Chalmers University of Technology
Wired Equivalent Privacy (WEP)
• Introduced in November 1997• Comes in 64-bit and 128-bit strength• Uses initialization vectors to deal with the
problem of key reuse• Not meant to be secure (!)• Adds Integrity Control Value (ICV) to the
message to verify its correctness
Chalmers University of Technology
WEP Initialization Vector (IV)
• Prepended to the key • Sent in plaintext along
with the message• Only 3 bytes – reused
every 224 message• Reduces key size by
24 bits (!)– 64 bit = 40 bit– 128 bit = 104 bit
+
=
IV
Key
Dynamic key
Chalmers University of Technology
Fluhrer, Mantin and Shamir attack
• Found a group of weak IV’s– IV’s with format X + 3 || 255 || Y– If X=0, there is a 5 % chance that the first
number generated will be K[0] for any Y– Same holds for respectively for 0X13
• The first encrypted byte of all packets is the SNAP header which is known to be 170 or AA in hexadecimal form
Chalmers University of Technology
Example
KSA Loop i j S[0] S[1] S[2] S[3] S[12]
1 0 0 0 1 2 3 12
2 1 3 3 1 2 0 12
3 2 2593 3 0 2 1 12
4 3 12 3 0 12 1 2
5 4 ? 3 0 12 ? 2
IV = [ 3, 255, 7 ] K = [ 3, 255, 7, ?, ?, ?, ?, ? ]
1. C[0] = 165 = 15 1702. j = S[i] = S[1] = 03. S[ S[i] + S[j] ] = S[ S[1] + S[0] ] = S[3] = C[0] 170 = 154. j = j + S[i] + K[i] = 12 + S[3] + K[3] = 12 + 1 + K[3] = 15 K[3] = 2
Chalmers University of Technology
Statistics
0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 2400
2
4
6
8
10
12
14
Series 1
Series 1
Chalmers University of Technology
Limitations
• Have to collect ~1 000 000-4 000 000 packets to get enough IV’s
• Could take 2-4 weeks to collect• Weak IV’s no longer used• Have since then been optimized and new
attacks have been found• Can now be broken in less than 60 seconds
Chalmers University of Technology
ChopChop attack
• Truncates the message by one byte and xor with X– If ICV control succeeds, the truncated byte is X
P' + ICV(P') = ( P + ICV(P) ) xor ( Mod + ModCRC(Mod) )
• Decreases time of finding the key to ~30 minutes
Chalmers University of Technology
Wi-fi Protected Access (WPA)
• Built around WEP to fix its flaws and provide backward compatibility
• Temporal Key Integrity Protocol (TKIP) introduced to deal with key scheduling problems
Chalmers University of Technology
Temporal Key Integrity Protocol (TKIP)
• Adds a new Message Integrity Check (MIC) generated using Michael algorithm
• Michael is insecure, but this was handled by countermeasures in TKIP
• Replay protection, slows down attacks but do not prevent them
Chalmers University of Technology
Becks and Tews attack
• Attacks a TKIP• A modified version of the ChopChop attack• Truncates the message by one byte and xor
last byte with X– If ICV control fails nothing happens, increment X– If ICV control succeeds, then MIC control will fail and
an error message will be sent, the truncated byte is X
• Limited to networks with QoS enabled
Chalmers University of Technology
Wireless security timeline
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
WEPintroduced
WPAintroduced
FMS attack on WEP
ChopChop attack on
WEP
Fragmentation attack onWEP
PTW attack on WEP
Beck and Tews attack on WEP
and WPA
Message falsification
attack on WPA
Attack on TKIP
WPA2introduced
Chalmers University of Technology
Additional reading
• Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4
• Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)
• Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin• Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less
than 60 seconds• Beck, M., Tews, E.: Practical attacks against WEP and WPA• Halvorsen, F., Haugen, O., Eian, M., Mjølsnes, S.: An improved attack
on TKIP• Ohigashi, T., Morii, M.: A practical message falsification attack on
WPA