smashing wep in a passive attack
play

Smashing WEP in A Passive Attack POUYAN SEPEHRDAD PETR SUSIL - PowerPoint PPT Presentation

Mar 23, 2024 •216 likes •746 views

Smashing WEP in A Passive Attack POUYAN SEPEHRDAD PETR SUSIL SERGE VAUDENAY MARTIN VUAGNOUX 1 2 No one Uses WEP Any More. 2 Hotels No one Uses WEP Any More. Restaurants Airports 2 Wireless Networks in Singapore: 20% WEP Hotels No

  1. Smashing WEP in A Passive Attack POUYAN SEPEHRDAD PETR SUSIL SERGE VAUDENAY MARTIN VUAGNOUX 1

  2. 2

  3. No one Uses WEP Any More. 2

  4. Hotels No one Uses WEP Any More. Restaurants Airports 2

  5. Wireless Networks in Singapore: 20% WEP Hotels No one Uses WEP Any More. Restaurants Singapore is not alone. The same problem in most Asia. Airports 2

  6. RC4 3

  7. Reminder on RC4 RC4 3

  8. Reminder on RC4 RC4 RC4/WEP 3

  9. Reminder on RC4 RC4 RC4/WEP Tornado Attack on WEP 3

  10. Reminder on RC4 RC4 RC4/WEP Tornado Attack on WEP Challenges 3

  11. Reminder on RC4 Reminder on RC4 RC4 RC4/WEP Tornado Attack on WEP Challenges 3

  12. KSA PRGA Key S N-1 Keystream 4

  13. 1: for i = 0 to N − 1 do 2: S [ i ] ← i 3: end for 4: j ← 0 5: for i = 0 to N − 1 do 6: j ← j + S [ i ]+ K [ i mod L ] 7: swap ( S [ i ] , S [ j ]) 8: end for KSA 5

  14. 1: for i = 0 to N − 1 do 2: S [ i ] ← i 3: end for 4: j ← 0 5: for i = 0 to N − 1 do 6: j ← j + S [ i ]+ K [ i mod L ] 7: swap ( S [ i ] , S [ j ]) 8: end for KSA 0 1 2 3 4 5 6 7 8 9 10 11 12 ... 255 i j 5

  15. 1: for i = 0 to N − 1 do 2: S [ i ] ← i 3: end for 4: j ← 0 5: for i = 0 to N − 1 do 6: j ← j + S [ i ]+ K [ i mod L ] 7: swap ( S [ i ] , S [ j ]) 8: end for KSA 7 1 2 3 4 5 6 0 8 9 10 11 12 ... 255 i j 6

  16. 1: for i = 0 to N − 1 do 2: S [ i ] ← i 3: end for 4: j ← 0 5: for i = 0 to N − 1 do 6: j ← j + S [ i ]+ K [ i mod L ] 7: swap ( S [ i ] , S [ j ]) 8: end for KSA 7 1 2 3 4 5 6 0 8 9 10 11 12 ... 255 i j 7

  17. 1: for i = 0 to N − 1 do 2: S [ i ] ← i 3: end for 4: j ← 0 5: for i = 0 to N − 1 do 6: j ← j + S [ i ]+ K [ i mod L ] 7: swap ( S [ i ] , S [ j ]) 8: end for KSA 7 12 2 3 4 5 6 0 8 9 10 11 1 ... 255 i j 8

  18. 1: i ← 0 2: j ← 0 3: loop 4: i ← i + 1 5: j ← j + S [ i ] 6: swap ( S [ i ] , S [ j ]) 7: output z i = S [ S [ i ]+ S [ j ]] 8: end loop PRGA 9

  19. 1: i ← 0 2: j ← 0 3: loop 4: i ← i + 1 5: j ← j + S [ i ] 6: swap ( S [ i ] , S [ j ]) 7: output z i = S [ S [ i ]+ S [ j ]] 8: end loop PRGA 18 3 211 7 81 245 121 5 66 78 189 34 133 ... 32 i j 9

  20. 1: i ← 0 2: j ← 0 3: loop 4: i ← i + 1 5: j ← j + S [ i ] 6: swap ( S [ i ] , S [ j ]) 7: output z i = S [ S [ i ]+ S [ j ]] 8: end loop PRGA 18 7 211 3 81 245 121 5 66 78 189 34 133 ... 32 i j 10

  21. 1: i ← 0 2: j ← 0 3: loop 4: i ← i + 1 5: j ← j + S [ i ] 6: swap ( S [ i ] , S [ j ]) 7: output z i = S [ S [ i ]+ S [ j ]] 8: end loop PRGA 18 7 211 3 81 245 121 5 66 78 189 34 133 ... 32 i j Keystream byte = S[7+3]=S[10]=189 11

  22. Reminder on RC4 Reminder on RC4 RC4 RC4/WEP Tornado attack on WEP Challenges 12

  23. Reminder on RC4 RC4 RC4/WEP RC4/WEP Tornado attack on WEP Challenges 12

  24. RC4 z1 z2 z3 ... k[0] k[1] k[2] k[3] ... k[15] 13

  25. RC4 WEP z1 z2 z3 ... k[0] k[1] k[2] k[3] ... k[15] 13

  26. RC4 WEP z1 z2 z3 ... k[3] ... k[15] k[0] k[1] k[2] 13

  27. RC4 WEP z1 z2 z3 ... k[3] ... k[15] k[0] k[1] k[2] the same for each WEP is vulnerable. packet encryption. 13

  28. Reminder on RC4 RC4 RC4/WEP RC4/WEP Tornado Attack on WEP Challenges 14

  29. Reminder on RC4 RC4 RC4/WEP Tornado Attack on WEP Tornado Attack on WEP Challenges 14

  30. RC4 Key Keystream 15

  31. RC4 Key Keystream ? 15

  32.  Conditional biases: pairs of ¯ f j , p j with a predicate ¯ g j Pr [ ¯ K [ i ] = ¯ f j ( z , clue ) | ¯ g j ( z , clue )] = p j RC4 Key Keystream ? 15

  33.  Conditional biases: pairs of ¯ f j , p j with a predicate ¯ g j Pr [ ¯ K [ i ] = ¯ f j ( z , clue ) | ¯ g j ( z , clue )] = p j RC4 Key Keystream ? ¯ row reference ¯ f g p P 1 2 − σ i S t [ i ] = 0, z 2 = 0 i A u15 fixed − j 15

  34.  Conditional biases: pairs of ¯ f j , p j with a predicate ¯ g j Pr [ ¯ K [ i ] = ¯ f j ( z , clue ) | ¯ g j ( z , clue )] = p j 22 Biases RC4 Key Keystream ? ¯ row reference ¯ f g p P 1 2 − σ i S t [ i ] = 0, z 2 = 0 i A u15 fixed − j 15

  35. Roos, A.: A class of weak keys in RC4 stream cipher. 1995 Wagner, D.: Weak keys in RC4. 1995 Borisov, N., Goldberg, I., Wagner, D.: Intercepting mobile communications: the insecurity of 802.11. 2001 Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. 2001 Stubblefield, A., Ioannidis, J., Rubin, A.D.: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. 2002 Korek: Next generation of WEP attacks? 2004 Devine, C., Otreppe, T.: Aircrack-ng 2004 Martin, J.I.S.: Weplab 2004 Mantin, I.: A practical attack on the fixed RC4 in the WEP mode. 2005 Klein, A.: Attacks on the RC4 stream cipher. 2006 Tews, E., Weinmann, R., Pyshkin, A.: Breaking 104 Bit WEP in Less Than 60 Seconds. 2007 Vaudenay, S., Vuagnoux, M.: Passive–only Key Recovery Attacks on RC4 2007 Beck, M., Tews, E. Practical Attacks Against WEP and WPA. 2009 Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Smashing WEP in a Passive Attack 2013

  36. Roos, A.: A class of weak keys in RC4 stream cipher. 1995 Wagner, D.: Weak keys in RC4. 1995 Borisov, N., Goldberg, I., Wagner, D.: Intercepting mobile communications: the insecurity of 802.11. 2001 Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. 2001 Stubblefield, A., Ioannidis, J., Rubin, A.D.: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. 2002 5500,000 100,000 Korek: Next generation of WEP attacks? 2004 Devine, C., Otreppe, T.: Aircrack-ng 2004 Martin, J.I.S.: Weplab 2004 Mantin, I.: A practical attack on the fixed RC4 in the WEP mode. 2005 60,000 Klein, A.: Attacks on the RC4 stream cipher. 2006 40,000 Tews, E., Weinmann, R., Pyshkin, A.: Breaking 104 Bit WEP in Less Than 60 Seconds. 2007 32,700 Vaudenay, S., Vuagnoux, M.: Passive–only Key Recovery Attacks on RC4 2007 30,000 Beck, M., Tews, E. Practical Attacks Against WEP and WPA. 2009 19,800 Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Smashing WEP in a Passive Attack 2013

  37. Attack on WEP 1: compute the ranking L 15 for I = (15) and I 0 = { 0 , 1 , 2 } 2: truncate L 15 to its first ρ 15 terms 3: for each ¯ k 15 in L 15 do run recursive attack on input ¯ k 15 4: 5: end for 6: stop: attack failed recursive attack with input (¯ k 15 , ¯ k 3 , . . . , ¯ k i − 1 ) : 7: If input is only ¯ k 15 , set i = 3. 8: if i ≤ i max then compute the ranking L i for I = ( i ) and I 0 = { 0 , . . . , i − 1 , 15 } 9: truncate L i to its first ρ i terms 10: for each ¯ k i in L i do 11: run recursive attack on input (¯ k 15 , ¯ k 3 , . . . , ¯ k i − 1 , ¯ k i ) 12: end for 13: 14: else for each ¯ k i max +1 , . . . , ¯ k 14 do 15: test key (¯ k 3 , . . . , ¯ k 14 , ¯ k 15 ) and stop if correct 16: end for 17: 18: end if 17

  38. Attack on WEP 1: compute the ranking L 15 for I = (15) and I 0 = { 0 , 1 , 2 } 2: truncate L 15 to its first ρ 15 terms 3: for each ¯ k 15 in L 15 do run recursive attack on input ¯ k 15 4: Y x : counter for x 5: end for 6: stop: attack failed R(x): rank of x recursive attack with input (¯ k 15 , ¯ k 3 , . . . , ¯ k i − 1 ) : 7: If input is only ¯ k 15 , set i = 3. 8: if i ≤ i max then compute the ranking L i for I = ( i ) and I 0 = { 0 , . . . , i − 1 , 15 } 9: truncate L i to its first ρ i terms 10: for each ¯ k i in L i do 11: run recursive attack on input (¯ k 15 , ¯ k 3 , . . . , ¯ k i − 1 , ¯ k i ) 12: end for 13: 14: else for each ¯ k i max +1 , . . . , ¯ k 14 do 15: test key (¯ k 3 , . . . , ¯ k 14 , ¯ k 15 ) and stop if correct 16: end for 17: 18: end if 17

  39. Attack on WEP 1: compute the ranking L 15 for I = (15) and I 0 = { 0 , 1 , 2 } 2: truncate L 15 to its first ρ 15 terms 3: for each ¯ k 15 in L 15 do run recursive attack on input ¯ k 15 4: Y x : counter for x 5: end for 6: stop: attack failed R(x): rank of x recursive attack with input (¯ k 15 , ¯ k 3 , . . . , ¯ k i − 1 ) : 7: If input is only ¯ k 15 , set i = 3. 8: if i ≤ i max then compute the ranking L i for I = ( i ) and I 0 = { 0 , . . . , i − 1 , 15 } 9: truncate L i to its first ρ i terms 10: for each ¯ k i in L i do 11: run recursive attack on input (¯ k 15 , ¯ k 3 , . . . , ¯ k i − 1 , ¯ k i ) 12: end for 13: 14: else for each ¯ k i max +1 , . . . , ¯ k 14 do 15: test key (¯ k 3 , . . . , ¯ k 14 , ¯ k 15 ) and stop if correct 16: end for 17: 18: end if The parameters are all optimized 17

  40. Reminder on RC4 RC4 RC4/WEP Tornado Attack on WEP Tornado Attack on WEP Challenges 18

  41. Reminder on RC4 RC4 RC4/WEP Tornado Attack on WEP Challenges Challenges 18

  42. In our EUROCRYPT’11 Paper: We made a heuristic assumption that V ( Y good ) ⇥ V ( Y bad ) . In practice: V ( Y good ) ⇤ = V ( Y bad ) We made a heuristic approximation that ( Y good � Y i ) ’s are independent for all bad i ’s. In practice: ( Y good � Y i ) ’s are not independent. Assume the rank R of the correct counter to be normally distributed. In practice: R is not normally distributed. Assume R is following Poisson distribution. In practice E ( R ) ⇤ = V ( R ) . 19

  43. 0.25 Polya distribution with p = 0.9839 and r = 0.356 Experimental R 3 distribution for 5000 packets 0.2 0.15 Probability 0.1 0.05 0 0 10 20 30 40 50 R 3 Realization 20

Recommend

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
luis@ringzero.net Luis Miras What Im Not Covering What I Will Be Covering Attack Passive

luis@ringzero.net Luis Miras What Im Not Covering What I Will Be Covering Attack Passive

luis@ringzero.net Luis Miras What Im Not Covering What I Will Be Covering Attack Passive (Sniffing) authentication data sensitive data Active (Injection) Denial of Service Execution of arbitrary commands RF

722 views • 71 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

462 views • 35 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

660 views • 46 slides
Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive voice? Active Voice In an active sentence, the subject performs the action (the verb) to the object . Passive Voice In a passive sentence, the thing

610 views • 14 slides
Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the movement of ions and other molecules across cell membranes without the need of energy input (ATP) Ions or molecules move from an area of higher

651 views • 33 slides
Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1 Agenda Introduction Passive DNS, Including Times When Passive DNS May Not Work Well Overcoming Obfuscation Pillz

962 views • 47 slides
References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html Exploiting format string vulnerabilities https://crypto.stanford.edu/cs155/papers/for matstring-1.2.pdf Once upon a free()

427 views • 19 slides
Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions: blame-shifting scientific writing Acquisition Active Voice: the subject performs the action of the verb Example: The dog attacked my neighbor.

595 views • 21 slides
Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match

Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match

Dimer Interpretations in Cluster Algebras: Smashing, Splitting, and Finding the Perfect Match Piriyakorn Piriyatamwong and Caledonia Wilson University of Minnesota Twin Cities REU in Combinatorics Monday July 30, 2018 Introduction Consider

463 views • 45 slides
Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa

Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa

Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha, and Doaa Ashmawy Western University London, Ontario, Canada CHES-2018 1 Outline Introduction. Proposed AES S-box Architecture. New

824 views • 58 slides
How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero

How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero

How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero Diffusivity Limit) Yue-Kin Tsang Courant Institute of Mathematical Sciences New York University Thomas M. Antonsen, Jr. and Edward Ott University

381 views • 24 slides
Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

\x90\x90\x90\x90\x90\x90\x90\x90 Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on linux_x86_64 <fritsch+blackhat@in.tum.de> Hagen Fritsch Technische Universitt Mnchen Black Hat Europe

928 views • 49 slides
Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil Article Geo Expo Article AAGP Explorer Article Basic Equipment Gear and ATV Seismometer Data Recorder Monitor Hookup Problems Problems Wind

733 views • 42 slides
1 Measurement Passive Measurements Sprint has a passive measurement architecture Passive

1 Measurement Passive Measurements Sprint has a passive measurement architecture Passive

Introduction Impact of Link Failures on VoIP Performance Tier-1 ISPs interested in providing Voice- Over-IP (VoIP) Need to provide quality International Workshop on Network and Operating Voice quality and availability System

394 views • 6 slides
Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday (review) 2 last few times encrypted code changing code polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling

817 views • 71 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith,

Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith,

Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith, instructor Passive Verbs Avoid excessive use of passive verbs. They can bog down descriptive writing and create boring sentences. (See Bedford p 142.)

202 views • 5 slides

More recommend