Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram - - PowerPoint PPT Presentation

plaintext recovery attacks against wpa tkip
SMART_READER_LITE
LIVE PREVIEW

Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram - - PowerPoint PPT Presentation

Oct 25, 2022 298 likes •689 views

Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London The 21st International Workshop on Fast Software Encryption March 4th, 2014 jacob.schuldt@rhul.ac.uk Agenda

slide-1
SLIDE 1

Plaintext Recovery Attacks Against WPA/TKIP

Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London

  • The 21st International Workshop on Fast Software Encryption

March 4th, 2014

  • jacob.schuldt@rhul.ac.uk
slide-2
SLIDE 2

Agenda

  • Introduction to WPA/TKIP
  • Biases in the WPA/TKIP keystreams
  • Plaintext recovery attack for the repeated plaintext setting
  • Exploiting TSCs for improved attacks
  • Concluding remarks/open problems

2

slide-3
SLIDE 3
  • IEEE standards for wireless LAN encryption
  • 1999: WEP (Wired Equivalent Privacy)
  • 2003: WPA (WiFi Protected Access)
  • 2004: WPA2 (WiFi Protected Access 2)

IEEE encryption

Introduction to WPA/TKIP

3

Client Access point

Wireless traffic

slide-4
SLIDE 4

Introduction to WPA/TKIP

  • Badly broken:
  • Key recovery attack based on RC4 weakness and construction
  • f RC4 key from 24-but known IV and unknown, but fixed key
  • 10k~20k packets needed for key recovery

  • Proposed by IEEE as an intermediate solution
  • Allows reuse of the hardware implementing WEP
  • Introduction of supposedly better per-frame RC4 key through

the Temporal Key Integrity Protocol (TKIP)
 


  • Introduces a stronger cryptographic solution based on AES-CCM
  • (Includes optional support for TKIP)


4

WEP WPA WPA2

slide-5
SLIDE 5
  • WPA was only intended as a temporary fix

  • However, WPA is still in widespread use today
  • Vanhoef-Piessens (2013) surveyed 6803 wireless networks:



 
 
 
 
 
 
 
 


  • This makes the continued analysis of WPA/TKIP worthwhile

Introduction to WPA/TKIP

5

29% 71% 81% 19% Permit WPA/TKIP Only allow WPA/TKIP

slide-6
SLIDE 6

Overview of WPA/TKIP Encryption

6

TK Key mixing function RC4 RC4 keystream

TK : Temporal key (128 bits) TSC : TKIP Sequence Counter (48 bits) TA : Sender Address (48 bits)

TSC TA

WPA Frame :

Payload Header Ciphertext

⊕ ⇒

MIC

slide-7
SLIDE 7

Overview of WPA/TKIP Encryption

7

RC4 key:

K0 K1 K2 104 bits

128 bits TK : Temporal key (128 bits) TSC : TKIP Sequence Counter (48 bits) TA : Sender Address (48 bits)

TK Key mixing function TSC TA

= TSC1 = (TSC1 | 0x20) & 0x7f = TSC0

K0 K1 K2

TSC0, TSC1 Two least significant bytes of TSC

slide-8
SLIDE 8

Previous Attacks on WPA/TKIP

  • Tews-Beck (2009):
  • Rate-limited plaintext recovery
  • Active attack based on chop-chop method for recovering plaintext
  • Requires support for alternative QoS channels to by-pass anti-replay protection
  • Rate-limited since correctness of plaintext guess is indicated by MIC verification

failure, and only 2 failures per minute are tolerated

  • Sepehrdad-Vaudenay-Vuagnoux (2011):
  • Statistical key recovery attack using 238 known plain texts and 296 operations

8

slide-9
SLIDE 9

9

New Plaintext Recovery Attacks

slide-10
SLIDE 10

RC4 with Random 128-bit Keys

  • Recent work* has shown that RC4 with random 128-bit keys has significant

biases in all of its initial keystream bytes


  • Such biases enable plaintext recovery if sufficiently many encryptions of the

same plaintext are available

  • Uses simple Bayesian statistical analysis
  • Applicable in multi-session or broadcast attack scenario

10

* AlFardan-Berstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013)

slide-11
SLIDE 11

Plaintext Recovery

11

C1 C2 C3 Cn ... r Pr Pr Pr Pr

⊕ ⊕ ⊕ ⊕

... Induced distribution on Zr combine with known distribution of Zr

0.003878 0.00390625 0.00395 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Probability Byte value [0...255] Ciphertext distribution at position 16

Likelihood of Pr being 
 correct plaintext byte Recovery algorithm: 
 Compute most likely plaintext byte Encryptions of plaintext 
 under different keys Plaintext candidate 
 byte Pr Zr : keystream byte at position r

slide-12
SLIDE 12

Applications

  • Technique successfully applied to RC4 as used in SSL/TLS by AlFardan-

Bernstein-Paterson-Schuldt (2013)

  • Attack realizable in TLS context using client-side Javascript, resulting in session

cookie recovery

  • (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases

is preferable)

  • Applicable to RC4 with WPA/TKIP keys?
  • Every frame has a new key i.e. naturally close to the broadcast attack setting
  • Repeated encryption of the same target plaintext still required
  • WPA/TKIP specific biases?

12

slide-13
SLIDE 13

Biases in WPA/TKIP Keystreams

  • Recall that WPA/TKIP keys have additional structure compared to random

keys:
 
 
 
 
 


  • This structure leads to significant changes in the biases in the RC4 keystream

compared to random keys

13

= TSC1 = (TSC1 | 0x20) & 0x7f = TSC0

K0 K1 K2

slide-14
SLIDE 14

Biases in WPA/TKIP: Keystream Byte 1 and 17

14

0.387%' 0.388%' 0.389%' 0.390%' 0.391%' 0.392%' 0.393%' 0.394%' 0.395%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Probability* Byte*value* 0.389%' 0.390%' 0.391%' 0.392%' 0.393%' 0.394%' 0.395%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Probability* Byte*value*

Keystream byte 1 Keystream byte 17 Random RC4 keys WPA/TKIP RC4 keys

slide-15
SLIDE 15

Comparison with Biases for 128-bit Random RC4 Keys

15

32 64 96 128 160 192 224 255 1 32 64 96 128 160 192 224 256 Byte value [0...255] Position [1...256] 0.1 0.2 0.3 0.4 0.5 32 64 96 128 160 192 224 255 1 32 64 96 128 160 192 224 256 Byte value [0...255] Position [1...256] 0.1 0.2 0.3 0.4 0.5

WPA/TKIP keys Random RC4 keys Color encoding: absolute strength of bias × 216

slide-16
SLIDE 16

Comparison with Biases for 128-bit Random RC4 Keys

16

32 64 96 128 160 192 224 255 1 32 64 96 128 160 192 224 256 Byte value [0...255] Position [1...256]

  • 0.5
  • 0.25

0.25 0.5

slide-17
SLIDE 17

Plaintext Recovery Rate 224 Frames

17

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-18
SLIDE 18

Plaintext Recovery Rate 226 Frames

18

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-19
SLIDE 19

Plaintext Recovery Rate 228 Frames

19

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-20
SLIDE 20

Plaintext Recovery Rate 230 Frames

20

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-21
SLIDE 21

Exploiting TSCs

21

slide-22
SLIDE 22

Exploiting TSC Information

22

  • Again, recall the special structure of WPA/TKIP keys:



 
 
 
 


  • Idea: identify and exploit (TSC0, TSC1)-specific biases

  • Plaintext recovery attack based (TSC0, TSC1)-specific biases:
  • 1. Group ciphertexts into 216 groups according to (TSC0, TSC1) value
  • 2. Carry out likelihood analysis for each group using appropriate keystream

distribution

  • 3. Combine likelihoods across groups to recover plaintext

= TSC1 = (TSC1 | 0x20) & 0x7f = TSC0

K0 K1 K2

slide-23
SLIDE 23

RC4 keys with random (TSC0, TSC1)

Existence of Large (TSC0, TSC1)-specific Biases

23

0.250%& 0.300%& 0.350%& 0.400%& 0.450%& 0.500%& 0.550%& 0& 32& 64& 96& 128& 160& 192& 224& 256& Probability* Byte*value*

Keystream byte 1

0.385%' 0.390%' 0.395%' 0.400%' 0.405%' 0.410%' 0' 32' 64' 96' 128' 160' 192' 224' 256' Probability* Byte*value*

Keystream byte 17 (TSC0, TSC1) = (0x00, 0x00) (TSC0, TSC1)-specific RC4 keys

slide-24
SLIDE 24

Computational Requirements for (TSC0, TSC1)-specific Attack

  • Problem:
  • A very large number of keystreams are required to get an accurate estimate for

the (TSC0, TSC1)-specific keystream distributions

24

232

keystreams per (TSC0, TSC1) pair

216

(TSC0, TSC1) pairs

× = 248

Keystreams Minimum:

240

keystreams per (TSC0, TSC1) pair

216

(TSC0, TSC1) pairs

× = 256

Keystreams Ideally:

~234

keystreams per core day

= ~214

core days

= ~222

core days

slide-25
SLIDE 25

TSC0 Aggregation

  • TSC1 is used to compute two key bytes; TSC0 only one:



 
 
 
 
 


  • Hence, we might expect significant biases to be strongly correlated with TSC1
  • Experiments confirm this

  • Alternative plaintext recovery attack
  • Group ciphertexts according to TSC1 and carry out likelihood analysis based on

TSC1-specific keystream estimates

  • Reduced required number of keystreams with a factor of 28

25

= TSC1 = (TSC1 & 0x20) | 0x7f = TSC0

K0 K1 K2

slide-26
SLIDE 26

Location of Large TSC1 Specific Biases

26

32 64 96 128 160 192 224 255 1 32 64 96 128 160 192 224 256 TSC1 [0...255] Position [1...256] 0.5 1 1.5 2 32 64 96 128 160 192 224 255 1 32 64 96 128 160 192 224 256 Byte value [0...255] Position [1...256] 0.5 1 1.5 2

Byte value vs. position TSC1 vs. position Color encoding: absolute strength of largest bias × 216

slide-27
SLIDE 27

Plaintext Recovery Rate 220 Frames

27

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-28
SLIDE 28

Plaintext Recovery Rate 222 Frames

28

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-29
SLIDE 29

Plaintext Recovery Rate 224 Frames

29

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-30
SLIDE 30

Plaintext Recovery Rate 226 Frames

30

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-31
SLIDE 31

Plaintext Recovery Rate 228 Frames

31

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-32
SLIDE 32

Comparison of Plaintext Recovery Rates 224 Frames

32

0%# 20%# 40%# 60%# 80%# 100%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Recovery(rate( Byte(posi/on(

slide-33
SLIDE 33

Comparison of Average Plaintext Recovery Rate

33

0%# 20%# 40%# 60%# 80%# 100%# 18# 20# 22# 24# 26# 28# 30# 32# Recovery(rate( Number(of(frames((log)(

Standard attack TSC1 specific attack Dashed lines: Even positions

slide-34
SLIDE 34

Concluding Remarks/Open Problems

34

slide-35
SLIDE 35

Concluding Remarks

  • Plaintext recovery for WPA/TKIP is possible for the first 256 plaintext bytes, provided

that sufficiently many independent encryptions of the same plaintext are available


  • Security is far below the expected level of protection implied by the 128-bit key

  • Suitable targets for attack might include fixed but unknown fields in encapsulated

protocol headers or HTTP traffic via client-side Javascript


  • Our attack complements known attacks on WPA/TKIP:
  • Passive rather than active (cf. Tews-Beck)
  • Ciphertext-only rather than known-plaintext (cf. Sepehrdad et al.)
  • Moderate amounts of ciphertext and computation
  • But requires repeated encryption of plaintext

35

slide-36
SLIDE 36

Open Problems

  • Explain all the observed bias behaviour
  • Some progress has already been made by SenGupta-Maitra-Meier-Paul-Sarkar

(next talk!)

  • Not essential for our plaintext recovery attack, but important for deeper

understanding of RC4 in WPA/TKIP and for developing new attacks

  • Carry out larger scale keystream bias computation over all (TSC0,TSC1) values and

investigate how much improvement over our TSC0-aggregated attack is possible


  • Study other real-world applications of RC4 in which keys are changed frequently

and/or have additional structure

36

slide-37
SLIDE 37

Questions?

37