Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram - PowerPoint PPT Presentation

Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London � The 21st International Workshop on Fast Software Encryption March 4th, 2014 � jacob.schuldt@rhul.ac.uk

Agenda • Introduction to WPA/TKIP • Biases in the WPA/TKIP keystreams • Plaintext recovery attack for the repeated plaintext setting • Exploiting TSCs for improved attacks • Concluding remarks/open problems � 2

Introduction to WPA/TKIP � Client Access point � IEEE encryption � Wireless traffic � � � • IEEE standards for wireless LAN encryption • 1999: WEP (Wired Equivalent Privacy) • 2003: WPA (WiFi Protected Access) • 2004: WPA2 (WiFi Protected Access 2) � 3


 Introduction to WPA/TKIP • Badly broken: WEP • Key recovery attack based on RC4 weakness and construction of RC4 key from 24-but known IV and unknown, but fixed key • 10k~20k packets needed for key recovery 
 • Proposed by IEEE as an intermediate solution WPA • Allows reuse of the hardware implementing WEP • Introduction of supposedly better per-frame RC4 key through the Temporal Key Integrity Protocol (TKIP) 
 • Introduces a stronger cryptographic solution based on AES-CCM WPA2 • (Includes optional support for TKIP) 
 � 4


 
 
 
 
 
 
 
 
 Introduction to WPA/TKIP • WPA was only intended as a temporary fix 
 • However, WPA is still in widespread use today • Vanhoef-Piessens (2013) surveyed 6803 wireless networks: 
 19% 29% 71% 81% Permit WPA/TKIP Only allow WPA/TKIP • This makes the continued analysis of WPA/TKIP worthwhile � 5

⇒ Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TSC : TKIP Sequence Counter (48 bits) TA : Sender Address (48 bits) TK TSC TA Key mixing function RC4 RC4 keystream ⊕ Payload MIC WPA Frame : Header Ciphertext � 6

Overview of WPA/TKIP Encryption TK : Temporal key (128 bits) TSC : TKIP Sequence Counter (48 bits) TA : Sender Address (48 bits) TK TSC TA Key mixing function RC4 key: K 0 K 1 K 2 104 bits 128 bits = TSC 1 K 0 TSC 0 , TSC 1 = (TSC 1 | 0x20) & 0x7f K 1 Two least significant bytes of TSC = TSC 0 K 2 � 7

Previous Attacks on WPA/TKIP • Tews-Beck (2009): • Rate-limited plaintext recovery • Active attack based on chop-chop method for recovering plaintext • Requires support for alternative QoS channels to by-pass anti-replay protection • Rate-limited since correctness of plaintext guess is indicated by MIC verification failure, and only 2 failures per minute are tolerated � • Sepehrdad-Vaudenay-Vuagnoux (2011): • Statistical key recovery attack using 2 38 known plain texts and 2 96 operations � 8

New Plaintext Recovery Attacks � 9

RC4 with Random 128-bit Keys • Recent work* has shown that RC4 with random 128-bit keys has significant biases in all of its initial keystream bytes 
 • Such biases enable plaintext recovery if su ffi ciently many encryptions of the same plaintext are available • Uses simple Bayesian statistical analysis • Applicable in multi-session or broadcast attack scenario * AlFardan-Berstein-Paterson-Poettering-Schuldt (2013); Isobe-Ohigashi-Watanabe-Morii (2013) � 10

⇒ Plaintext Recovery Encryptions of plaintext 
 Plaintext candidate 
 Z r : keystream byte under di ff erent keys byte P r at position r r Induced C 1 P r ⊕ distribution on Z r C 2 P r ⊕ combine with known distribution of Z r C 3 P r ⊕ Ciphertext distribution at position 16 0.00395 ... ... Probability 0.00390625 C n P r ⊕ 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Likelihood of P r being 
 Recovery algorithm: 
 correct plaintext byte Compute most likely plaintext byte � 11

Applications • Technique successfully applied to RC4 as used in SSL/TLS by AlFardan- Bernstein-Paterson-Schuldt (2013) • Attack realizable in TLS context using client-side Javascript, resulting in session cookie recovery • (In practice, a version of the attack exploiting Fluhrer-McGrew double-byte biases is preferable) � • Applicable to RC4 with WPA/TKIP keys? • Every frame has a new key i.e. naturally close to the broadcast attack setting • Repeated encryption of the same target plaintext still required • WPA/TKIP specific biases? � 12


 
 
 
 
 Biases in WPA/TKIP Keystreams • Recall that WPA/TKIP keys have additional structure compared to random keys: 
 = TSC 1 K 0 = (TSC 1 | 0x20) & 0x7f K 1 = TSC 0 K 2 • This structure leads to significant changes in the biases in the RC4 keystream compared to random keys � 13

Biases in WPA/TKIP: Keystream Byte 1 and 17 Keystream byte 1 Keystream byte 17 0.395%' 0.395%' 0.394%' 0.394%' 0.393%' 0.393%' 0.392%' Probability* Probability* 0.391%' 0.392%' 0.390%' 0.391%' 0.389%' 0.390%' 0.388%' 0.387%' 0.389%' 0' 32' 64' 96' 128' 160' 192' 224' 256' 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* Byte*value* WPA/TKIP RC4 keys Random RC4 keys � 14

Comparison with Biases for 128-bit Random RC4 Keys Random RC4 keys WPA/TKIP keys 0.5 0.5 255 255 224 224 0.4 0.4 192 192 160 160 Byte value [0...255] Byte value [0...255] 0.3 0.3 128 128 0.2 0.2 96 96 64 64 0.1 0.1 32 32 0 0 0 0 1 32 64 96 128 160 192 224 256 1 32 64 96 128 160 192 224 256 Position [1...256] Position [1...256] Color encoding: absolute strength of bias × 2 16 � 15

Comparison with Biases for 128-bit Random RC4 Keys 0.5 255 224 192 0.25 160 Byte value [0...255] 128 0 96 64 -0.25 32 0 -0.5 1 32 64 96 128 160 192 224 256 Position [1...256] � 16

Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 17

Plaintext Recovery Rate 2 26 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 18

Plaintext Recovery Rate 2 28 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 19

Plaintext Recovery Rate 2 30 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 20

Exploiting TSCs � 21


 
 
 
 
 Exploiting TSC Information • Again, recall the special structure of WPA/TKIP keys: 
 = TSC 1 K 0 = (TSC 1 | 0x20) & 0x7f K 1 = TSC 0 K 2 • Idea: identify and exploit (TSC 0 , TSC 1 )-specific biases 
 • Plaintext recovery attack based (TSC 0 , TSC 1 )-specific biases: 1. Group ciphertexts into 2 16 groups according to (TSC 0 , TSC 1 ) value 2. Carry out likelihood analysis for each group using appropriate keystream distribution 3. Combine likelihoods across groups to recover plaintext � 22

Existence of Large (TSC 0 , TSC 1 )-specific Biases (TSC 0 , TSC 1 ) = (0x00, 0x00) 0.550%& 0.410%' 0.500%& 0.405%' 0.450%& 0.400%' Probability* Probability* 0.400%& 0.395%' 0.350%& 0.390%' 0.300%& 0.250%& 0.385%' 0& 32& 64& 96& 128& 160& 192& 224& 256& 0' 32' 64' 96' 128' 160' 192' 224' 256' Byte*value* Byte*value* Keystream byte 1 Keystream byte 17 (TSC 0 , TSC 1 )-specific RC4 keys RC4 keys with random (TSC 0 , TSC 1 ) � 23

Computational Requirements for (TSC 0 , TSC 1 )-specific Attack • Problem: • A very large number of keystreams are required to get an accurate estimate for the (TSC 0 , TSC 1 )-specific keystream distributions 2 32 × 2 16 = 2 48 = ~2 14 Minimum: core days keystreams per (TSC 0 , TSC 1 ) Keystreams (TSC 0 , TSC 1 ) pair pairs 2 40 × 2 16 = 2 56 = ~2 22 Ideally: core days keystreams per (TSC 0 , TSC 1 ) Keystreams (TSC 0 , TSC 1 ) pair pairs ~2 34 keystreams per core day � 24


 
 
 
 
 
 TSC 0 Aggregation • TSC 1 is used to compute two key bytes; TSC 0 only one: 
 = TSC 1 K 0 = (TSC 1 & 0x20) | 0x7f K 1 = TSC 0 K 2 • Hence, we might expect significant biases to be strongly correlated with TSC 1 • Experiments confirm this 
 • Alternative plaintext recovery attack • Group ciphertexts according to TSC 1 and carry out likelihood analysis based on TSC 1 -specific keystream estimates • Reduced required number of keystreams with a factor of 2 8 � 25

Location of Large TSC 1 Specific Biases Byte value vs. position TSC 1 vs. position 2 2 255 255 224 224 192 1.5 192 1.5 160 160 Byte value [0...255] TSC1 [0...255] 128 128 1 1 96 96 64 0.5 64 0.5 32 32 0 0 0 0 1 32 64 96 128 160 192 224 256 1 32 64 96 128 160 192 224 256 Position [1...256] Position [1...256] Color encoding: absolute strength of largest bias × 2 16 � 26

Plaintext Recovery Rate 2 20 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 27

Plaintext Recovery Rate 2 22 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 28

Plaintext Recovery Rate 2 24 Frames 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( � 29