SLIDE 1
Mathy Vanhoef
Public PhD Defense
A Security Analysis of the WPA- TKIP and TLS Security Protocols
Data handled by computers:
2
Banking details Emails Messaging Adult websites Mobile devices Private files
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- - - PowerPoint PPT Presentation
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- - - PowerPoint PPT Presentation
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the
SLIDE 2
SLIDE 3
Goal of dissertation
3
Is the transmission of this data properly protected?
SLIDE 4
How is data transmitted?
4
Computer
Study security of network protocols used at:
- 1. Your wireless network
- 2. Your internet connection
Server Wireless router
SLIDE 5
How is data transmitted?
5
Computer
Study security of network protocols used at:
- 1. Your wireless network
- 2. Your internet connection
Server Wireless router
SLIDE 6
Wireless network security
6
Easy to intercept transmitted data
Computer Wireless router
Solution: pick password and use encryption!
SLIDE 7
Available cipher suites?
7
1999 2003 2004
WEP WPA-TKIP AES-CCMP
SLIDE 8
Available cipher suites?
8
1999 2003 2004
WEP Broken WPA-TKIP Acceptable AES-CCMP Secure
SLIDE 9
Is WPA-TKIP still used?
Usage in 2013: 66% support TKIP 19% support only TKIP
9
Need more arguments to kill TKIP!
SLIDE 10
Is WPA-TKIP still used?
Usage in 2016: 59% support TKIP 3% support only TKIP
10
Need more arguments to kill TKIP!
SLIDE 11
Discovered new attacks
11
- 1. Efficient Denial of Service
- 2. Forge arbitrary packets to client
- 3. Decrypt traffic towards client
In 2016, 59% of networks still are vulnerable!
SLIDE 12
Impact of attack
12
Computer Wireless router Website 2.2.2.2
Where is detijd.be?
unique address for every computer
SLIDE 13
Impact of attack
13
Computer Wireless router Website 2.2.2.2
detijd.be is at 2.2.2.2
unique address for every computer
SLIDE 14
Impact of attack
14
Computer Wireless router Website 2.2.2.2
Load detijd.be
SLIDE 15
Impact of attack
15
Computer Wireless router Attacker 4.4.4.4 Website 2.2.2.2
detijd.be is at 4.4.4.4
Load detijd.be
SLIDE 16
Impact of attack
16
Computer Wireless router Attacker 4.4.4.4 Website 2.2.2.2
detijd.be is at 4.4.4.4
Victim now contacts attacker to load detijd.be Load detijd.be
SLIDE 17
Conclusion
17
Use only AES-CCMP!
SLIDE 18
How is data transmitted?
18
Computer
Study security of network protocols used at:
- 1. Your wireless network
- 2. Your internet connection
Server Wireless router
SLIDE 19
Securing internet traffic
19
- Websites can be secured using HTTPS
- HTTPS is based on TLS
- Internally TLS can use AES, RC4,…
- Which one is widely used? Is it secure?
SLIDE 20
Is RC4 still used?
20
50% 30% 13%
0% 10% 20% 30% 40% 50% 60%
March 2013 Februari 2015 July 2015
In 2013 half of all TLS connections used RC4
SLIDE 21
RC4 encryption
21
Plaintext Ciphertext
Keystream RC4 Key Password123! RC4 56, 0, 234, 102, 41, …
SLIDE 22
RC4 encryption
22
Password123!
RC4
56, 0, 234, 102, …
- The numbers (keystream) should be random
- Not the case for RC4 due to biases!
SLIDE 23
RC4 encryption
23
Password123!
RC4
56, 0, 234, 102, …
- The numbers (keystream) should be random
- Not the case for RC4 due to biases!
≈
SLIDE 24
Why is this bad?
24
- Imagine only second keystream byte is used
≈
- When is zero is ‘rolled’, no encryption occurs
- Most frequent ciphertextbyte is the real value
SLIDE 25
25
SLIDE 26
26
After encryption, image is unrecognizable
SLIDE 27
27
?
RC4 biases Most frequent pixel value is the real value
SLIDE 28
28
?
Replace all pixels in block with most frequent value!
SLIDE 29
29
Try to recover rough outline using bigger blocks?
SLIDE 30
30
Try to recover rough outline using bigger blocks?
SLIDE 31
31
SLIDE 32
32
SLIDE 33
33
SLIDE 34
- Capture multiple encryptions!
- Combine with biases to recover all info:
How to recover details?
34
… …
SLIDE 35
35
SLIDE 36
36
SLIDE 37
37
SLIDE 38
38
SLIDE 39
39
SLIDE 40
- Capture multiple encryptions:
- Combine with biases to recover all info:
How to recover details?
40
… …
SLIDE 41
Summary: abusing RC4 biases
41
Encryption Multiple Encryptions Use Biases
SLIDE 42
Our contributions
42
We improved these techniques by:
- Also using other biases
- Generating a list of plaintext candidates
- Rapidly generating multiple encryptions
Using this we decrypt a HTTPS cookie.
SLIDE 43
Cookies are unique identifiers
43
Cookie Identity ae637f8c5 Mathy … … Get newsfeed Cookie: ae637f8c5 Browser Facebook
SLIDE 44
Cookies are unique identifiers
44
Cookie Identity ae637f8c5 Mathy … … Get newsfeed Cookie: ae637f8c5 Return newsfeed of Mathy Vanhoef Browser Facebook
SLIDE 45
Cookies are unique identifiers
45
Cookie Identity ae637f8c5 Mathy … … Get newsfeed Cookie: ae637f8c5 Return newsfeed of Mathy Vanhoef Browser Facebook
Included in all requests
SLIDE 46
Decrypting the cookie
46
Browser Facebook Attacker Cookie: ae637f8c5
- Generate many requests, use
biases to recover the cookie!
… …
Cookie: … Cookie: … Cookie: …
SLIDE 47
Decrypting 16-character cookie
47
Need one billion encryptions of cookie
Ciphertext copies times 227
SLIDE 48
Decrypting 16-character cookie
48
Need one billion encryptions of cookie Takes 75 hours with 4450 requests / second
Ciphertext copies times 227
SLIDE 49
Practical impact
49
In response, browsers disabled RC4:
Chrome: dropped support in v48 (20 Jan. 2016) Firefox: dropped support in v44 (26 Jan. 2016)
IE11: supports RC4
Edge: supports RC4 “will be disabled in forthcoming update”
SLIDE 50
Decrypting Cookies
50
SLIDE 51