Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Mathy Vanhoef
Introduction:   WPA-TKIP Protocol   Existing AttacksNew Attacks:   Denial of Service   Fragmentation Attack   MIC Res...
We will cover: Connecting Sending & receiving packets Quality of Service (QoS) extensionDesign Constraints: Must run o...
   Defined by EAPOL and results in a session key   What people normally capture & crack
   Result of handshake is 512 bit session key   Renewed after rekeying timeout (1 hour)      EAPOL protection      DataE...
   WPA-TKIP designed for old hardware     Couldn’t use strong integrity checks (CCMP)   New algorithm called Michael wa...
TSC             Data               MIC      CRC                       Encrypted   Calculate MIC to assure integrity   WE...
TSC                Data               MIC   CRC                          Encrypted   WEP decapsulation:     Verify TSC t...
   Replay counter & CRC are good, but MIC not     Transmission error unlikely     Network may be under attack!Defense m...
   Defines several QoS channels     Implemented by new field in 802.11 headerQoS TSC              Data               MIC...
Channel            TSC       0: Best Effort       4000       1: Background        0       2: Video             0       3: ...
Introduction:   WPA-TKIP Protocol   Existing AttacksNew Attacks:   Denial of Service   Fragmentation Attack   MIC Res...
   Martin Beck: TU-Dresden, Germany   Erik Tews: TU-Darmstadt, Germany   First known attack on TKIP, requires QoS   De...
QoS TSC             Data             MIC       CRCQoS TSC            Data            MIC’      CRC    Remove last byte  ...
   Takes 12 minutes to execute   Limited impact: injection of 3-7 small packets
   An improved attack on TKIP     2009/11: targets DHCP Ack packet   Cryptanalysis for RC4 and Breaking WPA-TKIP     2...
   Unpublished (Martin Beck, 2010)   Suggests fragmentation attack     Not implemented, unrealistic usage example   MI...
Papers about Denial of Service (DoS) attacks:   802.11 DoS attack: real vulnerabilities and    practical solutions     2...
Introduction:   WPA-TKIP Protocol   Existing AttacksNew Attacks:   Denial of Service   Fragmentation Attack   MIC Res...
   MIC = Michael(MAC dest,                  MAC source,                  MIC key,                  priority,             ...
   Key observations:     Individual replay counter per priority     Priority influences MIC but not encryption key    ...
   Capture packet, change priority, replayOn Reception : Verify replay counter Decrypt packet using RC4 Verify CRC (le...
   Capture packet, change priority, replayOn Reception : Verify replay counter                OK Decrypt packet using R...
   Disadvantage: attack fails if QoS is disabled   Cryptanalysis for RC4 and breaking WPA:     Capture packet, add QoS ...
   Example: network with 20 connected clients   Old deauthentication attack:     Must continuously sends packets     S...
   Specifically exploits flaws in WPA-TKIP   Takes down network for 1 minute yet requires    no man-in-the-middle positi...
Introduction:   WPA-TKIP Protocol   Existing AttacksNew Attacks:   Denial of Service   Fragmentation Attack   MIC Res...
What is needed to inject packets: MIC key     Result of Beck & Tews attack   Unused replay counter     Inject packet o...
   Stream cipher   XOR-basedThis means:         Ciphertext                    Plaintext                    Keystream Pr...
Simplified: All data packets start with LLC header Different for APR, IP and EAPOL packets Detect ARP & EAPOL based on ...
   But is 12 bytes enough to send a packet?   No, MIC & CRC alone are 12 bytes.If only we could somehow combine them…  ...
Data             MIC     Data1      Data2             Data16 MICTSC1    Data1    CRC1          TSC16 Data16    MIC   CRC16...
   Beck & Tews attack: MIC key AP to client   Predict packets & get keystreams   Combine short keystreams by fragmentat...
A few notes: Scan 500 most popular ports Detect SYN/ACK based on length Avoid multiple SYN/ACK’s: send RSTPort scan of ...
   Fragmentation attack implemented!     Slightly improved & verified prediction of packets     Verified usage of 802.1...
Introduction:   WPA-TKIP Protocol   Existing AttacksNew Attacks:   Denial of Service   Fragmentation Attack   MIC Res...
Assume we know the MIC key We know the initial MIC state for packetsAttack idea: Construct a packet, so that after proc...
Targeted packet              Prefix   Magic     Data       MIC     State1   State1: initial state of every packet
Targeted packet          Prefix      Magic     Data        MIC                   State2   State1: initial state of every ...
Targeted packet          Prefix   Magic         Data        MIC                       State3   State1: initial state of e...
Targeted packet          Prefix   Magic       Data        MIC                                        State4   State1: ini...
How to calculate the magic bytes? Method suggested in unpublished paper     Essentially a birthday attack   Has been ve...
   The prefix attack can be used to decrypt the    targeted packet.Unpublished paper: Suggested the prefix to be a ping ...
   The prefix attack can be used to decrypt the    targeted packet.Solution: Prefix is UDP packet to closed port UDP do...
In practice: Capture a packet from AP to client Send the prefix using fragmentation Send the targeted packet Reply of ...
   Correct theoretical analysis     Using clear assumptions & probability theory     Verified by practical experiments!...
   Highly efficient Denial of Service     Very reliable PoC   Fragmentation to launch actual attacks     Verified that...
Informal Presentation on WPA-TKIP
Upcoming SlideShare
Loading in …5
×

Informal Presentation on WPA-TKIP

1,268 views

Published on

Three new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client. The third attack reset the internal state of the Michael algorithm, allowing an attack to append any (encrypted) TKIP packet with invalidating the MIC. This can be used to decrypt arbitrary packets sent towards the client.

Published in: Technology
  • Be the first to comment

Informal Presentation on WPA-TKIP

  1. 1. Mathy Vanhoef
  2. 2. Introduction: WPA-TKIP Protocol Existing AttacksNew Attacks: Denial of Service Fragmentation Attack MIC Reset Attack
  3. 3. We will cover: Connecting Sending & receiving packets Quality of Service (QoS) extensionDesign Constraints: Must run on legacy hardware Uses (hardware) WEP encapsulation
  4. 4.  Defined by EAPOL and results in a session key What people normally capture & crack
  5. 5.  Result of handshake is 512 bit session key Renewed after rekeying timeout (1 hour) EAPOL protection DataEncr MIC1 MIC2 DataEncr key: used to encrypt packets MIC keys (Message Integrity Code):  Verify integrity of data. But why two?
  6. 6.  WPA-TKIP designed for old hardware  Couldn’t use strong integrity checks (CCMP) New algorithm called Michael was created  Weakness: plaintext + MIC reveals MIC key To improve security two MIC keys are used  MIC1 for AP to client communication  MIC2 for client to AP communication
  7. 7. TSC Data MIC CRC Encrypted Calculate MIC to assure integrity WEP Encapsulation:  Calculate CRC  Encrypt the packet using RC4  Add replay counter (TSC) to avoid replays
  8. 8. TSC Data MIC CRC Encrypted WEP decapsulation:  Verify TSC to prevent replays  Decrypt packet using RC4  Verify CRC Verify MIC to assure authenticity
  9. 9.  Replay counter & CRC are good, but MIC not  Transmission error unlikely  Network may be under attack!Defense mechanism on MIC failure: Client sends MIC failure report to AP AP silently logs failure Two failures in 1 min: network down for 1 min
  10. 10.  Defines several QoS channels  Implemented by new field in 802.11 headerQoS TSC Data MIC CRCunencrypted Encrypted  Individual replay counter (TSC) per channel  Used to pass replay counter check of receiver!
  11. 11. Channel TSC 0: Best Effort 4000 1: Background 0 2: Video 0 3: Voice 0 Support for up to 8 channels But WiFi certification only requires 4
  12. 12. Introduction: WPA-TKIP Protocol Existing AttacksNew Attacks: Denial of Service Fragmentation Attack MIC Reset Attack
  13. 13.  Martin Beck: TU-Dresden, Germany Erik Tews: TU-Darmstadt, Germany First known attack on TKIP, requires QoS Decrypts ARP reply sent from AP to client MIC key for AP to client Takes at least 8 minutes to execute
  14. 14. QoS TSC Data MIC CRCQoS TSC Data MIC’ CRC  Remove last byte  CRC can be corrected if last byte is known  Try all 256 values & send using diff. priority  On correct guess: MIC failure report
  15. 15.  Takes 12 minutes to execute Limited impact: injection of 3-7 small packets
  16. 16.  An improved attack on TKIP  2009/11: targets DHCP Ack packet Cryptanalysis for RC4 and Breaking WPA-TKIP  2011/11: Removes QoS requirement Falsification Attacks against WPA-TKIP in a realistic environment  2012/02: Reduces execution time to 8 minutes
  17. 17.  Unpublished (Martin Beck, 2010) Suggests fragmentation attack  Not implemented, unrealistic usage example MIC Reset Attack  Implemented, but PoC not available  Incorrect theoretical analysis Suggests a decryption attack  Not implemented & contains essential flaw
  18. 18. Papers about Denial of Service (DoS) attacks: 802.11 DoS attack: real vulnerabilities and practical solutions  2003: Not specific to TKIP, but WiFi in general A study of the TKIP cryptographic DoS attack  2007: Requires man-in-the-middle position
  19. 19. Introduction: WPA-TKIP Protocol Existing AttacksNew Attacks: Denial of Service Fragmentation Attack MIC Reset Attack
  20. 20.  MIC = Michael(MAC dest, MAC source, MIC key, priority, data) Rc4key = MixKey(MAC transmitter, key, TSC)
  21. 21.  Key observations:  Individual replay counter per priority  Priority influences MIC but not encryption key  Two MIC failures: network down What happens when the priority is changed?
  22. 22.  Capture packet, change priority, replayOn Reception : Verify replay counter Decrypt packet using RC4 Verify CRC (leftover from WEP) Verify MIC to assure authenticity
  23. 23.  Capture packet, change priority, replayOn Reception : Verify replay counter OK Decrypt packet using RC4 OK Verify CRC (leftover from WEP) OK Verify MIC to assure authenticity FAIL Do this twice: Denial of Service
  24. 24.  Disadvantage: attack fails if QoS is disabled Cryptanalysis for RC4 and breaking WPA:  Capture packet, add QoS header, change priority, replayOn Reception: Doesn’t check whether QoS is actually used Again bypass replay counter check MIC still dependent on priority
  25. 25.  Example: network with 20 connected clients Old deauthentication attack:  Must continuously sends packets  Say 10 deauths per client per second  (10 * 60) * 20 = 12 000 frames per minute New attack  2 frames per minute
  26. 26.  Specifically exploits flaws in WPA-TKIP Takes down network for 1 minute yet requires no man-in-the-middle position Requires sending only two packets to take down the network for 1 minute
  27. 27. Introduction: WPA-TKIP Protocol Existing AttacksNew Attacks: Denial of Service Fragmentation Attack MIC Reset Attack
  28. 28. What is needed to inject packets: MIC key  Result of Beck & Tews attack Unused replay counter  Inject packet on unused QoS channel Keystream corresponding to replay counter  Beck & Tews results in only one keystream…  How can we get more? First need to know RC4!
  29. 29.  Stream cipher XOR-basedThis means: Ciphertext Plaintext Keystream Predicting the plaintext gives the keystream
  30. 30. Simplified: All data packets start with LLC header Different for APR, IP and EAPOL packets Detect ARP & EAPOL based on length Everything else: IP Practice: almost no incorrect guesses! Gives us 12 bytes keystream for each packet
  31. 31.  But is 12 bytes enough to send a packet? No, MIC & CRC alone are 12 bytes.If only we could somehow combine them… Using 802.11 fragmentation we can combine 16 keystreams to send one large packet
  32. 32. Data MIC Data1 Data2 Data16 MICTSC1 Data1 CRC1 TSC16 Data16 MIC CRC16  MIC calculated over complete packet  Each fragment has CRC and different TSC  12 bytes/keystream: inject 120 bytes of data
  33. 33.  Beck & Tews attack: MIC key AP to client Predict packets & get keystreams Combine short keystreams by fragmentation Send over unused QoS channelWhat can we do with this? ARP/DNS Poisoning Sending TCP SYN packets: port scan!
  34. 34. A few notes: Scan 500 most popular ports Detect SYN/ACK based on length Avoid multiple SYN/ACK’s: send RSTPort scan of internal client: Normally not possible We are bypassing the network firewall / NAT!
  35. 35.  Fragmentation attack implemented!  Slightly improved & verified prediction of packets  Verified usage of 802.11 fragmentation Realistic example: portscan
  36. 36. Introduction: WPA-TKIP Protocol Existing AttacksNew Attacks: Denial of Service Fragmentation Attack MIC Reset Attack
  37. 37. Assume we know the MIC key We know the initial MIC state for packetsAttack idea: Construct a packet, so that after processing it, the state is equal to the inital state. We can then append a random packet to it, knowing that its MIC value is valid.
  38. 38. Targeted packet Prefix Magic Data MIC State1 State1: initial state of every packet
  39. 39. Targeted packet Prefix Magic Data MIC State2 State1: initial state of every packet State2: state after processing prefix
  40. 40. Targeted packet Prefix Magic Data MIC State3 State1: initial state of every packet State2: state after processing prefix State3: equal to state1 due to magic bytes
  41. 41. Targeted packet Prefix Magic Data MIC State4 State1: initial state of every packet State2: state after processing prefix State3: equal to state1 due to magic bytes State4: equal to MIC of targeted packet!
  42. 42. How to calculate the magic bytes? Method suggested in unpublished paper  Essentially a birthday attack Has been verified, indeed worksTheoretical analysis: Was done very informal & contained errors Done correctly using probability theory
  43. 43.  The prefix attack can be used to decrypt the targeted packet.Unpublished paper: Suggested the prefix to be a ping request Reply will echo the data = targeted packet Flaw: ping request contains checksum  As the targeted packet is unknown, we cannot calculate the checksum, packet will be dropped
  44. 44.  The prefix attack can be used to decrypt the targeted packet.Solution: Prefix is UDP packet to closed port UDP doesn’t require a checksum Assuming port is closed, host will reply with ICMP unreachable containing the UDP packet Make it reply to external ip 
  45. 45. In practice: Capture a packet from AP to client Send the prefix using fragmentation Send the targeted packet Reply of client contains complete packet Assumes client isn’t running a firewall Rudimantary PoC is working
  46. 46.  Correct theoretical analysis  Using clear assumptions & probability theory  Verified by practical experiments! Working decryption attack:  Their suggestion contained an essential flaw  Different technique based on UDP packets  Rudimentairy proof of concept is working (WIP)
  47. 47.  Highly efficient Denial of Service  Very reliable PoC Fragmentation to launch actual attacks  Verified that fragmentation works  Reliable PoC portscan attack MIC reset to decrypt AP to client packets  Correct theoretical analysis  UDP technique  PoC is work in progress

×