dependence in iv related bytes of rc4 key enhances
play

Dependence in IV-related bytes of RC4 key enhances vulnerabilities - PowerPoint PPT Presentation

Nov 25, 2022 •427 likes •749 views

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian

  1. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian Statistical Institute, India FHNW, Windisch, Switzerland Chennai Mathematical Institute, India FSE 2014 London, 4 March 2014

  2. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA RC4 and WPA RC4 Stream Cipher Invented in 1987; simplest cipher to date. Several statistical weaknesses discovered. Still one of the most common ciphers in use. WPA Protocol Uses RC4 as the core cipher for encryption. Successor of WEP, which used RC4 as well. TKIP generates 16-byte RC4 key per frame.

  3. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Results on RC4

  4. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Statistical weaknesses in RC4 Significant biases in Z 2 = 0, Z 1 = v , Z r = 0, Z r = r , Z r = − r . Data – AlFardan et al., USENIX 2013 – On the Security of RC4 in TLS and WPA (http://www.isg.rhul.ac.uk/tls/)

  5. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Statistical weaknesses in RC4 Z 2 = 0 observation and proof Mantin and Shamir, 2001 Z 1 = v observation Mironov, 2002 proof Sen Gupta et al., 2012 Z r = 0 observation and proof Maitra et al., 2011 Z l = − l observation and proof Sen Gupta et al., 2011-12 Z xl = − xl observation and proof Isobe et al., 2013 Z r = r observation and proof Isobe et al., 2013 observation AlFardan et al., 2013

  6. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Result 1 : Proof of Z r = r � r − 3 Pr( Z r = r ) = 1 N + Pr( S 0 [1] = r ) · 1 � 1 − 1 � � 1 − r − 2 � � 1 − 2 N N N N

  7. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Beyond the initial 255 bytes RC4 ‘recycles’ after first 255 rounds We generally consider only up to initial 255 bytes General expectation – no significant bias after that Recent results indicate otherwise Z 256 = 0 observation Isobe et al., 2013 observation AlFardan et al., 2013 proof Sarkar et al., 2013 Z 257 = 0 observation Isobe et al., 2013 proof Sarkar et al., 2013

  8. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Result 2 : Bias in Z 259 Theorem The probability that the ( N + 3) -th keystream byte of RC4 is 3 is Pr( Z N +3 = 3) ≈ 1 N + 0 . 18 N 2 . Implication of this result – plaintext recovery attack on byte 259 may now use this single byte bias, instead of long-term biases.

  9. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Results on WPA

  10. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Motivation : IV-dependence in WPA Hi8(IV16) Lo8(IV16) 0 1 K[0] K[1] K[2] First three bytes of the 16-byte RC4 key of WPA/TKIP K [0] = (IV16 >> 8) & 0xFF K [1] = ((IV16 >> 8) | 0x20) & 0x7F K [2] = IV16 & 0xFF

  11. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Motivation : IV-dependence in WPA Hi8(IV16) Lo8(IV16) 0 1 K[0] K[1] K[2] First two bytes of the 16-byte RC4 key of WPA/TKIP K [0] and K [1] have at least 6 bits in common! K [0] + K [1] is always even, and can’t take all values either.

  12. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Observation : Distribution of K [0] + K [1] Known – Roos’ bias : S 0 [1] is biased towards K [0] + K [1] + 1.

  13. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Result : K [0] + K [1] − → S 0 [1] Known – Sen Gupta et al. : Distribution of Z 1 depends on S 0 [1].

  14. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Result : K [0] + K [1] − → S 0 [1] − → Z 1 This proves the experimental observation by AlFardan et al., 2013.

  15. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA WPA distinguisher based on Z 1 Event : Z 1 is even Probability in RC4 : = 0 . 4999946 = p Probability in WPA : = 0 . 5007041 = p (1 + q ) Thus, p = 0 . 4999946 ≈ 1 / 2 and q ≈ 0 . 001419 ≈ 0 . 363 / N Sample complexity : 1 / pq 2 ≈ 8 N 2 = 2 19 bytes. This result beats the best existing WPA distinguisher of Sepehrdad et al. (2011-12), which requires more than 2 40 samples.

  16. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Recall : K [0] + K [1] − → S 0 [1] Known – Sen Gupta et al. : Distribution of S r − 1 [ r ] depends on S 0 .

  17. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Result : K [0] + K [1] − → S 0 [1] − → S r − 1 [ r ] Known – Sen Gupta et al. : Distribution of Z r depends on S r − 1 [ r ].

  18. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Result : K [0] + K [1] − → S 0 [1] − → S r − 1 [ r ] − → Z r This proves the experimental observation by AlFardan et al., 2013.

  19. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Observation : Bias in Z r = r Intuition : K [0] + K [1] − → S 0 [1] − → S r − 1 [ r ] − → ( Z r = r )

  20. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Broadcast attack on WPA

  21. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Motivation : Plaintext recovery Broadcast attack Same plaintext encrypted using multiple random keys. First studied in context of RC4 by Mantin and Shamir, 2001. Broadcast attack against RC4 Recovery of second byte – Mantin and Shamir, 2001. Recovery of first 256 bytes – Maitra et al., 2011. Plaintext recovery attack on RC4 – Isobe et al., 2013. Plaintext recovery attack on TLS – AlFardan et al., 2013. Plaintext recovery attack on WPA – Paterson et al., 2014.

  22. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Our idea : Use the known IV Existing approach Capture a number of ciphertext bytes in broadcast scenario. Use known biases of the form ( Z r = v ) to recover P r . Use all known biases in keystream to improve the recovery. Our approach Recall : K [0] , K [1] , K [2] are constructed from the IV. IV is public; hence K [0] , K [1] , K [2] are known in each case. Intuition : Plaintext recovery may be improved for WPA by exploiting the knowledge of the key bytes K[0] , K[1] , K[2].

  23. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Exploiting knowledge of K [0] , K [1] , K [2] Existing attacks use biases of keystream to absolute values. We explore correlations of keystream bytes with linear combinations of the known values K [0] , K [1] , K [2]. Goal : exploit biases of following form for broadcast attack Z r = a · K [0] + b · K [1] + c · K [2] + d r ∈ [1 , 257], a , b , c ∈ {− 1 , 0 , 1 } , d ∈ {− 3 , − 2 , − 1 , 0 , 1 , 2 , 3 }

  24. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Observation : Biases in Z r = − K [0] + K [1]

  25. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Observation : Biases in Z r = K [0] − K [1]

  26. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Observation : Biases in Z r = K [0] + K [1] + 1

  27. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Observation : Specific biases Byte Linear combinations Data − K [0] − K [1] 0.005338 Z 1 K [0] 0.004179 K [0] + K [1] + K [2] + 3 0.004633 K [0] + K [1] + 1 0.003760 K [0] − K [1] − 1 0.003905 K [2] + 3 0.003902 − K [0] − K [1] + K [2] + 3 0.003903 − 1 − K [0] − K [1] − K [2] 0.005303 Z 2 − K [1] − K [2] − 3 0.005314 K [1] + K [2] + 3 0.005315 K [0] + K [1] + K [2] + 3 0.002503 K [0] + K [1] + K [2] + 3 0.004405 Z 3 Z 256 − K [0] 0.004429 − K [1] 0.004036 − K [0] − K [1] 0.004094 Z 257

  28. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Broadcast attack on WPA Byte Biased event Samples 5 · 2 13 Z 1 Z 1 = − K [0] − K [1], Z 1 = K [0] + K [1] + K [2] + 3 2 14 Z 2 Z 2 = 0 2 19 Z 3 = K [0] + K [1] + K [2] + 3 Z 3 2 19 Z 256 = − K [0] Z 256 2 21 Z 257 = − K [0] − K [1] Z 257 Implication of this result Significant improvement in recovering bytes { 1 , 3 , 256 , 257 } . Existing works require around 2 30 samples for the same.

  29. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Summary of contributions Biases in RC4 Proof for Z r = r , observed by Isobe et al., 2013. Observation and proof of bias in Z 259 = 3. Biases in WPA Proof for Z 1 = v , observed by AlFardan et al., 2013. Significantly improved WPA distinguisher with complexity 2 19 . Proof for Z r = 0, observed by AlFardan et al., 2013. IV-dependence in WPA Correlation of keystream bytes to first three bytes of RC4 key. Larger biases in WPA than the known absolute biases. Improved plaintext recovery of some bytes in WPA.

  30. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Thank You!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control-dependence Analysis 2 Control-dependence Analysis 1. Introduction (motivation, overview)

Control-dependence Analysis 2 Control-dependence Analysis 1. Introduction (motivation, overview)

Class 4 Basic Analyses (4) Assign (see Schedule for links) Readings Control/program-dependence analysis Static single assignment and control dependence Problem Set 2: due 9/1/09 1 Control-dependence Analysis 2

254 views • 12 slides
Dependence patterns related to the BMAP Rosa E. Lillo, Joanna Rodr guez, Pepa Ram

Dependence patterns related to the BMAP Rosa E. Lillo, Joanna Rodr guez, Pepa Ram

Dependence patterns related to the BMAP Rosa E. Lillo, Joanna Rodr guez, Pepa Ram rez-Cobo Department of Statistics Universidad Carlos III de Madrid The Ninth International Conference on Matrix-Analytic Methods in Stochastic Models

753 views • 46 slides
Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25

Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25

Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25 Outline 1 Self-alignment 2 Bitwise operators 3 Bit-fields 4 Endianness (Bytes, bits, etc.,) 2 / 25 Self-alignment of primitive types int i; short s;

594 views • 25 slides
Linear dependence and independence Linear dependence 1 Definition (linear (in)dependence) Let {

Linear dependence and independence Linear dependence 1 Definition (linear (in)dependence) Let {

L INEAR A LGEBRA Berkant Ustao glu CRYPTOLOUNGE . NET Linear dependence and independence Linear dependence 1 Definition (linear (in)dependence) Let { v 1 , v 2 , . . . , v k } be a set of vectors. If v k = a 1 v 1 + a 2

382 views • 25 slides
Information Representation

Information Representation

Information Representation Bytes & Letters More Bytes Bits & Bytes Bit ( ) the smallest unit of storage Everything in a computer is 0s and

967 views • 43 slides
Measuring Dependence and Conditional Dependence with Kernels Kenji Fukumizu The Institute of

Measuring Dependence and Conditional Dependence with Kernels Kenji Fukumizu The Institute of

Measuring Dependence and Conditional Dependence with Kernels Kenji Fukumizu The Institute of Statistical Mathematics, Japan June 25, 2014. ICML 2014, Causality Workshop 1 2 Introduction Dependence Measures Dependence measures and

950 views • 32 slides
Spatial dependence HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET UNIVERSITY OF HELSINKI

Spatial dependence HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET UNIVERSITY OF HELSINKI

Spatial dependence HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET UNIVERSITY OF HELSINKI Everything is related to everything else, but nearby things are more related than distant things Spatial Data Mining This is usually true even for spatially

391 views • 5 slides
Bits and Bytes At the smallest scale in the computer, information is stored as bits and bytes. In

Bits and Bytes At the smallest scale in the computer, information is stored as bits and bytes. In

Bits and Bytes At the smallest scale in the computer, information is stored as bits and bytes. In this section, we'll look at how that works. Bit Bit, like an atom, the smallest unit of storage A bit stores just a 0 or 1 "In the

302 views • 9 slides
IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger

IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger

IP Fragmentation and Reassembly IP datagrams can be up to 65,535 bytes much larger than most networks can transmit in one packet Each network type defines maximum transmission unit (MTU) maximum number of bytes that can be

1.01k views • 23 slides
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 Subhamoy Maitra ,

New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 Subhamoy Maitra ,

New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 Subhamoy Maitra , ISI, Kolkata Goutam Paul , Jadavpur University, Kolkata Roadmap Introduction Related Work and Contribution Bias in the Permutation

531 views • 36 slides
CSSE132 Introduc0on to Computer Systems 2 : Bits and bytes

CSSE132 Introduc0on to Computer Systems 2 : Bits and bytes

Adapted from Carnegie Mellon 15-213 CSSE132 Introduc0on to Computer Systems 2 : Bits and bytes March 5, 2013 1 Today: Bits and Bytes How is Linux going?

397 views • 29 slides
C/C++ review bits & bytes Same bits, different interpretation What is the value of

C/C++ review bits & bytes Same bits, different interpretation What is the value of

CSC209 Fall 2001 C/C++ review bits & bytes Same bits, different interpretation What is the value of 11111111 ? it depends on the type (unsigned) char 1 byte = 8 bits, (unsigned) Unsigned: 255 short int 2 bytes =

255 views • 12 slides
More refined representations Control dependence graph Problem: control-flow edges in CFG

More refined representations Control dependence graph Problem: control-flow edges in CFG

More refined representations Control dependence graph Problem: control-flow edges in CFG overspecify evaluation Program dependence graph (PDG): order data dependence graph + control dependence graph (CDG) [Ferrante, Ottenstein, & Warren,

260 views • 5 slides
PSI and Big Data Jiannong Cao Department of Computing Hong Kong Polytechnic University Big Data

PSI and Big Data Jiannong Cao Department of Computing Hong Kong Polytechnic University Big Data

OGCIO Seminar on PSI/Data.One PSI and Big Data Jiannong Cao Department of Computing Hong Kong Polytechnic University Big Data TB ( 10 12 bytes) PB ( 10 15 bytes) EB ( 10 18 bytes) ZB ( 10 21 bytes) ... The World creates about 2.5EB

706 views • 23 slides
Depth dependence with the first two KM3NeT/ARCA Detection Units Martijn Jongen Nikhef, Amsterdam

Depth dependence with the first two KM3NeT/ARCA Detection Units Martijn Jongen Nikhef, Amsterdam

Depth dependence with the first two KM3NeT/ARCA Detection Units Martijn Jongen Nikhef, Amsterdam 13 July 2017 International Cosmic Ray Conference Busan, South-Korea Related posters [1] K. Melis, In-Situ Calibration of KM3NeT [2] M. Colomer,

684 views • 20 slides
Professional Development Topic 4: Dependence and Change Prof Nick Taylor Department of Computer

Professional Development Topic 4: Dependence and Change Prof Nick Taylor Department of Computer

15/04/2015 Professional Development Topic 4: Dependence and Change Prof Nick Taylor Department of Computer Science Heriot-Watt University Content Technology and Society Bi-directional influences Computer-related Risks Safety

290 views • 17 slides
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009 In this presentation we talk about A colliding key pair of RC4

359 views • 15 slides
Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob

Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob

Hybrid Heterogeneous Electric Vehicle Routing Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob Puchinger 1 , Richard Hartl 3 1 AIT Austrian Institute of Technology 2 PUC-Rio Pontifical Catholic

701 views • 44 slides
Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI

Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI

Beyond the Solr Eclipse Building blazing fast Drupal 8 search with Solr and no code TANAY SAI Technical Services Manager Acquia India www.tanay.co.in @saitanay JAYAKRISHNAN JAYABAL Technical Architect Acquia India @jayakrishnanjay

585 views • 32 slides
where validation means correct modeling Gergely Mezei, Zoltn Theisz, Dniel Urbn, Sndor

where validation means correct modeling Gergely Mezei, Zoltn Theisz, Dniel Urbn, Sndor

The bicycle challenge in DMLA, where validation means correct modeling Gergely Mezei, Zoltn Theisz, Dniel Urbn, Sndor Bcsi Budapest University of Technology and Economics Department of Automation and Applied Informatics Multi 2018

473 views • 15 slides
Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall:

Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall:

Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall: defini.ons of encryp.on Perfect secrecy CPA security CCA security Today Prac.cal construc.ons 9/9/2009 598MAN Applied Cryptography

490 views • 28 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides

More recommend