
Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram - PowerPoint PPT Presentation

Plaintext Recovery Attacks Against WPA/TKIP. Kenny Paterson, Bertram Poettering, Jacob Schuldt, Royal Holloway, University of London. The 21st International Workshop on Fast Software Encryption, March 4th, 2014. jacob.schuldt@rhul.ac.uk


  1. Plaintext Recovery Attacks Against WPA/TKIP
     Kenny Paterson, Bertram Poettering, Jacob Schuldt
     Royal Holloway, University of London
     The 21st International Workshop on Fast Software Encryption, March 4th, 2014
     jacob.schuldt@rhul.ac.uk

  2. Agenda
     • Introduction to WPA/TKIP
     • Biases in the WPA/TKIP keystreams
     • Plaintext recovery attack for the repeated plaintext setting
     • Exploiting TSCs for improved attacks
     • Concluding remarks/open problems

  3. Introduction to WPA/TKIP
     [Diagram: client and access point exchanging wireless traffic protected by IEEE encryption]
     • IEEE standards for wireless LAN encryption
       • 1999: WEP (Wired Equivalent Privacy)
       • 2003: WPA (WiFi Protected Access)
       • 2004: WPA2 (WiFi Protected Access 2)

  4. Introduction to WPA/TKIP
     • WEP: Badly broken
       • Key recovery attack based on RC4 weakness and construction of RC4 key from 24-bit known IV and unknown, but fixed key
       • 10k~20k packets needed for key recovery
     • WPA: Proposed by IEEE as an intermediate solution
       • Allows reuse of the hardware implementing WEP
       • Introduction of supposedly better per-frame RC4 key through the Temporal Key Integrity Protocol (TKIP)
     • WPA2: Introduces a stronger cryptographic solution based on AES-CCM
       • (Includes optional support for TKIP)

  5. Introduction to WPA/TKIP
     • WPA was only intended as a temporary fix
     • However, WPA is still in widespread use today
     • Vanhoef-Piessens (2013) surveyed 6803 wireless networks:
       [Pie charts: 71% permit WPA/TKIP (29% do not); 19% only allow WPA/TKIP (81% do not)]
     • This makes the continued analysis of WPA/TKIP worthwhile

  6. Overview of WPA/TKIP Encryption
     TK: Temporal key (128 bits)
     TSC: TKIP Sequence Counter (48 bits)
     TA: Sender Address (48 bits)
     [Diagram: TK, TSC, TA → key mixing function → RC4 → RC4 keystream; keystream ⊕ (Payload, MIC) → Ciphertext; WPA frame: Header, Ciphertext]

  7. Overview of WPA/TKIP Encryption
     TK: Temporal key (128 bits)
     TSC: TKIP Sequence Counter (48 bits)
     TA: Sender Address (48 bits)
     [Diagram: TK, TSC, TA → key mixing function → 128-bit RC4 key: K0, K1, K2 followed by 104 bits]
     K0 = TSC1
     K1 = (TSC1 | 0x20) & 0x7f
     K2 = TSC0
     TSC0, TSC1 = two least significant bytes of TSC

  8. Previous Attacks on WPA/TKIP
     • Tews-Beck (2009):
       • Rate-limited plaintext recovery
       • Active attack based on chop-chop method for recovering plaintext
       • Requires support for alternative QoS channels to by-pass anti-replay protection
       • Rate-limited since correctness of plaintext guess is indicated by MIC verification failure, and only 2 failures per minute are tolerated
     • Sepehrdad-Vaudenay-Vuagnoux (2011):
       • Statistical key recovery attack using 2^38 known plain texts and 2^96 operations

  9. New Plaintext Recovery Attacks

  10. RC4 with Random 128-bit Keys
     • Recent work* has shown that RC4 with random 128-bit keys has significant biases in all of its initial keystream bytes
     • Such biases enable plaintext recovery if sufficiently many encryptions of the same plaintext are available
       • Uses simple Bayesian statistical analysis
       • Applicable in multi-session or broadcast attack scenario
     * AlFardan-Bernstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013)

  11. Plaintext Recovery
     [Diagram: encryptions C_1, C_2, C_3, ..., C_n of plaintext byte P_r at position r, where Z_r is the keystream byte under different keys. Each ciphertext byte is XORed with a plaintext candidate P_r, giving an induced distribution on Z_r; this is combined with the known distribution of Z_r to give the likelihood of P_r being the correct plaintext byte.]
     [Plot: ciphertext distribution at position 16, probability vs. byte value [0...255]]
     Recovery algorithm: Compute most likely plaintext byte

  12. Applications
     • Technique successfully applied to RC4 as used in SSL/TLS by AlFardan-Bernstein-Paterson-Schuldt (2013)
       • Attack realizable in TLS context using client-side Javascript, resulting in session cookie recovery
       • (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases is preferable)
     • Applicable to RC4 with WPA/TKIP keys?
       • Every frame has a new key i.e. naturally close to the broadcast attack setting
       • Repeated encryption of the same target plaintext still required
       • WPA/TKIP specific biases?

  13. Biases in WPA/TKIP Keystreams
     • Recall that WPA/TKIP keys have additional structure compared to random keys:
       K0 = TSC1
       K1 = (TSC1 | 0x20) & 0x7f
       K2 = TSC0
     • This structure leads to significant changes in the biases in the RC4 keystream compared to random keys

  14. Biases in WPA/TKIP: Keystream Byte 1 and 17
     [Two plots, keystream byte 1 and keystream byte 17: probability vs. byte value (0 to 256), comparing WPA/TKIP RC4 keys with random RC4 keys]

  15. Comparison with Biases for 128-bit Random RC4 Keys
     [Two heat maps, random RC4 keys and WPA/TKIP keys: byte value [0...255] vs. position [1...256]. Color encoding: absolute strength of bias × 2^16]

  16. Comparison with Biases for 128-bit Random RC4 Keys
     [Heat map: byte value [0...255] vs. position [1...256], color scale from -0.5 to 0.5]

  17. Plaintext Recovery Rate, 2^24 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]

  18. Plaintext Recovery Rate, 2^26 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]

  19. Plaintext Recovery Rate, 2^28 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]

  20. Plaintext Recovery Rate, 2^30 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]

  21. Exploiting TSCs

  22. Exploiting TSC Information
     • Again, recall the special structure of WPA/TKIP keys:
       K0 = TSC1
       K1 = (TSC1 | 0x20) & 0x7f
       K2 = TSC0
     • Idea: identify and exploit (TSC0, TSC1)-specific biases
     • Plaintext recovery attack based on (TSC0, TSC1)-specific biases:
       1. Group ciphertexts into 2^16 groups according to (TSC0, TSC1) value
       2. Carry out likelihood analysis for each group using appropriate keystream distribution
       3. Combine likelihoods across groups to recover plaintext

  23. Existence of Large (TSC0, TSC1)-specific Biases
     (TSC0, TSC1) = (0x00, 0x00)
     [Two plots, keystream byte 1 and keystream byte 17: probability vs. byte value (0 to 256), comparing (TSC0, TSC1)-specific RC4 keys with RC4 keys with random (TSC0, TSC1)]

  24. Computational Requirements for (TSC0, TSC1)-specific Attack
     • Problem:
       • A very large number of keystreams are required to get an accurate estimate for the (TSC0, TSC1)-specific keystream distributions
     Minimum: 2^32 keystreams per (TSC0, TSC1) pair × 2^16 (TSC0, TSC1) pairs = 2^48 keystreams = ~2^14 core days
     Ideally: 2^40 keystreams per (TSC0, TSC1) pair × 2^16 (TSC0, TSC1) pairs = 2^56 keystreams = ~2^22 core days
     (~2^34 keystreams per core day)

  25. TSC0 Aggregation
     • TSC1 is used to compute two key bytes; TSC0 only one:
       K0 = TSC1
       K1 = (TSC1 | 0x20) & 0x7f
       K2 = TSC0
     • Hence, we might expect significant biases to be strongly correlated with TSC1
       • Experiments confirm this
     • Alternative plaintext recovery attack
       • Group ciphertexts according to TSC1 and carry out likelihood analysis based on TSC1-specific keystream estimates
       • Reduces the required number of keystreams by a factor of 2^8
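
The likelihood analysis from the Plaintext Recovery slide and its TSC1-grouped variant above, as an added Python example that is not from the presentation. It assumes constructed toy keystream distributions with one strongly over-represented value and only four TSC1 groups; `recover_byte`, `toy_dist`, `simulate` and `TOY_DISTS` are names chosen here.

```python
import math
import random

def recover_byte(counts, dists):
    """Maximum-likelihood plaintext byte at one position.

    counts[g][c]: how often ciphertext byte value c was seen in group g
    dists[g][z]:  Pr[keystream byte = z] for group g
    One group gives the basic analysis; one group per TSC1 value gives
    the grouped analysis, with log-likelihoods summed across groups.
    """
    best, best_ll = None, -math.inf
    for p in range(256):                          # plaintext candidate
        ll = 0.0
        for g, group_counts in counts.items():
            dist = dists[g]
            for c, n in enumerate(group_counts):
                if n:
                    ll += n * math.log(dist[c ^ p])   # induced Z = C xor P
        if ll > best_ll:
            best, best_ll = p, ll
    return best

def toy_dist(peak, boost=3.0):
    """Constructed distribution: uniform except one over-represented value."""
    weights = [1.0] * 256
    weights[peak] = boost
    total = sum(weights)
    return [w / total for w in weights]

def simulate(plain, dists, frames_per_group, seed=1):
    """Encrypt the same byte under keystream bytes sampled from dists."""
    rng = random.Random(seed)
    counts = {}
    for g, dist in dists.items():
        tally = [0] * 256
        for z in rng.choices(range(256), weights=dist, k=frames_per_group):
            tally[z ^ plain] += 1
        counts[g] = tally
    return counts

# Constructed stand-ins for TSC1-specific distributions (4 groups, not 256).
TOY_DISTS = {tsc1: toy_dist((tsc1 * 37 + 5) % 256) for tsc1 in (0, 1, 2, 3)}

if __name__ == "__main__":
    observed = simulate(0x41, TOY_DISTS, frames_per_group=20000)
    print(hex(recover_byte(observed, TOY_DISTS)))
```

The toy bias is far larger than the keystream biases plotted in the slides, which is why a few thousand frames suffice here while the recovery-rate slides use 2^20 frames and more.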

  26. Location of Large TSC1 Specific Biases
     [Two heat maps over position [1...256]: byte value [0...255] vs. position, and TSC1 [0...255] vs. position. Color encoding: absolute strength of largest bias × 2^16]

  27. Plaintext Recovery Rate, 2^20 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]

  28. Plaintext Recovery Rate, 2^22 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]

  29. Plaintext Recovery Rate, 2^24 Frames
     [Plot: recovery rate (0% to 100%) vs. byte position (0 to 256)]
