Informal Presentation on WPA-TKIP

Mathy Vanhoef
Introduction:
   WPA-TKIP Protocol
   Existing Attacks
New Attacks:
   Denial of Service
   Fragmentation Attack
   MIC Reset Attack
We will cover:
   Connecting
   Sending & receiving packets
   Quality of Service (QoS) extension

Design Constraints:
   Must run on legacy hardware
   Uses (hardware) WEP encapsulation
   Defined by EAPOL and results in a session key
   What people normally capture & crack
   Result of handshake is 512 bit session key
   Renewed after rekeying timeout (1 hour)

   Session key layout: | EAPOL protection | DataEncr | MIC1 | MIC2 |


   DataEncr key: used to encrypt packets
   MIC keys (Message Integrity Code):
     Verify integrity of data. But why two?
   WPA-TKIP designed for old hardware
     Couldn’t use strong integrity checks (CCMP)
   New algorithm called Michael was created
     Weakness: plaintext + MIC reveals MIC key


   To improve security two MIC keys are used
     MIC1 for AP to client communication
     MIC2 for client to AP communication
Frame layout: | TSC | Data | MIC | CRC |   (Data, MIC and CRC are encrypted)

   Calculate MIC to assure integrity
   WEP Encapsulation:
     Calculate CRC
     Encrypt the packet using RC4
     Add replay counter (TSC) to avoid replays
Frame layout: | TSC | Data | MIC | CRC |   (Data, MIC and CRC are encrypted)

   WEP decapsulation:
     Verify TSC to prevent replays
     Decrypt packet using RC4
     Verify CRC
   Verify MIC to assure authenticity
   Replay counter & CRC are good, but MIC not
     Transmission error unlikely
     Network may be under attack!


Defense mechanism on MIC failure:
   Client sends MIC failure report to AP
   AP silently logs failure
   Two failures in 1 min: network down for 1 min
   Defines several QoS channels
     Implemented by new field in 802.11 header

Frame layout: | QoS | TSC | Data | MIC | CRC |   (QoS and TSC unencrypted; Data, MIC and CRC encrypted)

     Individual replay counter (TSC) per channel
     Used to pass replay counter check of receiver!
   Channel             TSC
   0: Best Effort      4000
   1: Background       0
   2: Video            0
   3: Voice            0


   Support for up to 8 channels
   But WiFi certification only requires 4
Introduction:
   WPA-TKIP Protocol
   Existing Attacks
New Attacks:
   Denial of Service
   Fragmentation Attack
   MIC Reset Attack
   Martin Beck: TU-Dresden, Germany
   Erik Tews: TU-Darmstadt, Germany

   First known attack on TKIP, requires QoS
   Decrypts ARP reply sent from AP to client

   MIC key for AP to client
   Takes at least 8 minutes to execute
QoS TSC             Data             MIC       CRC

QoS TSC            Data            MIC’      CRC'


    Remove last byte
    CRC can be corrected if last byte is known
    Try all 256 values & send using a different priority
    On correct guess: MIC failure report
   Takes 12 minutes to execute
   Limited impact: injection of 3-7 small packets
   An improved attack on TKIP
     2009/11: targets DHCP Ack packet

   Cryptanalysis for RC4 and Breaking WPA-TKIP
     2011/11: Removes QoS requirement

   Falsification Attacks against WPA-TKIP in a realistic
    environment
     2012/02: Reduces execution time to 8 minutes
   Unpublished (Martin Beck, 2010)
   Suggests fragmentation attack
     Not implemented, unrealistic usage example
   MIC Reset Attack
     Implemented, but PoC not available
     Incorrect theoretical analysis
   Suggests a decryption attack
     Not implemented & contains essential flaw
Papers about Denial of Service (DoS) attacks:

   802.11 DoS attack: real vulnerabilities and
    practical solutions
     2003: Not specific to TKIP, but WiFi in general


   A study of the TKIP cryptographic DoS attack
     2007: Requires man-in-the-middle position
Introduction:
   WPA-TKIP Protocol
   Existing Attacks
New Attacks:
   Denial of Service
   Fragmentation Attack
   MIC Reset Attack
   MIC = Michael(MAC dest,
                  MAC source,
                  MIC key,
                  priority,
                  data)

   Rc4key = MixKey(MAC transmitter,
                    key,
                    TSC)
   Key observations:
     Individual replay counter per priority
     Priority influences MIC but not encryption key
     Two MIC failures: network down


   What happens when the priority is changed?
   Capture packet, change priority, replay

On reception:
   Verify replay counter
   Decrypt packet using RC4
   Verify CRC (leftover from WEP)
   Verify MIC to assure authenticity
   Capture packet, change priority, replay

On reception:
   Verify replay counter                OK
   Decrypt packet using RC4             OK
   Verify CRC (leftover from WEP)       OK
   Verify MIC to assure authenticity    FAIL
   Do this twice: Denial of Service
   Disadvantage: attack fails if QoS is disabled
   Cryptanalysis for RC4 and breaking WPA:
     Capture packet, add QoS header, change priority,
     replay

On reception:
   Doesn’t check whether QoS is actually used
   Again bypass replay counter check
   MIC still dependent on priority
   Example: network with 20 connected clients

   Old deauthentication attack:
     Must continuously send packets
     Say 10 deauths per client per second
     (10 * 60) * 20 = 12 000 frames per minute
   New attack
     2 frames per minute
   Specifically exploits flaws in WPA-TKIP

   Takes down network for 1 minute yet requires
    no man-in-the-middle position

   Requires sending only two packets to take
    down the network for 1 minute
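
A monitoring-side view of the replay described above, as an added example (not part of the original slides): a sensor that records only the transmitter, priority and TSC of sniffed frames can flag a TSC that reappears under a different priority. It assumes the transmitter draws TSCs from a single counter, so a legitimate TSC never recurs on another priority; the Frame tuple, the addresses and the capture are constructed for illustration.

```python
from collections import namedtuple

# Header fields of one sniffed TKIP data frame. The payload stays encrypted
# and is never needed. priority is None when the frame has no QoS header.
# (Hypothetical record layout, chosen for this example.)
Frame = namedtuple("Frame", "time transmitter priority tsc")

# From the slides: two MIC failures within one minute take the network down.
COUNTERMEASURE_WINDOW = 60.0

AP = "02:00:00:00:00:01"      # constructed, locally administered addresses
CLIENT = "02:00:00:00:00:02"

# Constructed capture, not real traffic.
SAMPLE_FRAMES = [
    Frame(0.00, AP, 0, 4000),         # normal frame on Best Effort
    Frame(0.01, AP, 0, 4000),         # link-layer retransmission: same priority
    Frame(0.50, AP, 0, 4001),
    Frame(1.20, AP, 2, 4000),         # TSC 4000 reappears on priority 2
    Frame(5.00, CLIENT, None, 4000),  # other transmitter, no QoS header
    Frame(20.0, AP, 3, 4001),         # TSC 4001 reappears on priority 3
    Frame(30.0, CLIENT, 1, 4000),     # non-QoS frame reappears with a QoS header
    Frame(200.0, AP, 1, 4001),        # isolated reappearance, much later
]


def find_cross_priority_replays(frames):
    """Return frames whose (transmitter, TSC) was first seen on another priority.

    Assumption: a transmitter uses one TSC counter for all priorities, so the
    same TSC showing up under a second priority is a candidate for the
    "capture, change priority, replay" pattern. Retransmissions keep their
    priority and are therefore not reported.
    """
    first_priority = {}   # (transmitter, tsc) -> priority of first sighting
    suspects = []
    for frame in sorted(frames, key=lambda f: f.time):
        key = (frame.transmitter, frame.tsc)
        if key not in first_priority:
            first_priority[key] = frame.priority
        elif first_priority[key] != frame.priority:
            suspects.append(frame)
    return suspects


def pairs_within_window(suspects, window=COUNTERMEASURE_WINDOW):
    """Return consecutive suspect pairs close enough to trip the countermeasure.

    Each suspect may cause one MIC failure at the receiver; two failures
    inside the window are what shut the network down for a minute.
    """
    ordered = sorted(suspects, key=lambda f: f.time)
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if b.time - a.time <= window]


if __name__ == "__main__":
    found = find_cross_priority_replays(SAMPLE_FRAMES)
    for f in found:
        print(f"t={f.time:7.2f}s {f.transmitter} TSC {f.tsc} "
              f"reappeared on priority {f.priority}")
    for a, b in pairs_within_window(found):
        print(f"ALERT: suspects at t={a.time}s and t={b.time}s fall within "
              f"{COUNTERMEASURE_WINDOW:.0f}s")
```

Correlating these alerts with the AP's log of MIC failure reports separates a replay that was actually processed from one the receiver's replay counter rejected.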
Introduction:
   WPA-TKIP Protocol
   Existing Attacks
New Attacks:
   Denial of Service
   Fragmentation Attack
   MIC Reset Attack
What is needed to inject packets:
   MIC key
     Result of Beck & Tews attack
   Unused replay counter
     Inject packet on unused QoS channel
   Keystream corresponding to replay counter
     Beck & Tews results in only one keystream…
     How can we get more? First need to know RC4!
   Stream cipher
   XOR-based

This means:   Ciphertext = Plaintext XOR Keystream

   Predicting the plaintext gives the keystream
Simplified:
   All data packets start with LLC header
   Different for ARP, IP and EAPOL packets
   Detect ARP & EAPOL based on length
   Everything else: IP


   Practice: almost no incorrect guesses!
   Gives us 12 bytes keystream for each packet
   But is 12 bytes enough to send a packet?
   No, MIC & CRC alone are 12 bytes.

If only we could somehow combine them…

   Using 802.11 fragmentation we can combine
    16 keystreams to send one large packet
| Data | MIC |

| Data1 | Data2 | ... | Data16 | MIC |

| TSC1 | Data1 | CRC1 |  ...  | TSC16 | Data16 | MIC | CRC16 |



    MIC calculated over complete packet
    Each fragment has CRC and different TSC
    12 bytes/keystream: inject 120 bytes of data
   Beck & Tews attack: MIC key AP to client
   Predict packets & get keystreams
   Combine short keystreams by fragmentation
   Send over unused QoS channel

What can we do with this?
   ARP/DNS Poisoning
   Sending TCP SYN packets: port scan!
A few notes:
   Scan 500 most popular ports
   Detect SYN/ACK based on length
   Avoid multiple SYN/ACKs: send RST

Port scan of internal client:
   Normally not possible
   We are bypassing the network firewall / NAT!
   Fragmentation attack implemented!
     Slightly improved & verified prediction of packets
     Verified usage of 802.11 fragmentation
   Realistic example: portscan
Introduction:
   WPA-TKIP Protocol
   Existing Attacks
New Attacks:
   Denial of Service
   Fragmentation Attack
   MIC Reset Attack
Assume we know the MIC key
   We know the initial MIC state for packets

Attack idea:
   Construct a packet, so that after processing
    it, the state is equal to the initial state.
   We can then append a random packet to it,
    knowing that its MIC value is valid.
Targeted packet

              Prefix   Magic     Data       MIC


     State1

   State1: initial state of every packet
Targeted packet

          Prefix      Magic     Data        MIC


                   State2

   State1: initial state of every packet
   State2: state after processing prefix
Targeted packet

          Prefix   Magic         Data        MIC


                       State3

   State1: initial state of every packet
   State2: state after processing prefix
   State3: equal to state1 due to magic bytes
Targeted packet

          Prefix   Magic       Data        MIC


                                        State4

   State1: initial state of every packet
   State2: state after processing prefix
   State3: equal to state1 due to magic bytes
   State4: equal to MIC of targeted packet!
How to calculate the magic bytes?
   Method suggested in unpublished paper
     Essentially a birthday attack
   Has been verified, indeed works

Theoretical analysis:
   Was done very informally & contained errors
   Done correctly using probability theory
   The prefix attack can be used to decrypt the
    targeted packet.

Unpublished paper:
   Suggested the prefix to be a ping request
   Reply will echo the data = targeted packet
   Flaw: ping request contains checksum
     As the targeted packet is unknown, we cannot
     calculate the checksum, packet will be dropped
   The prefix attack can be used to decrypt the
    targeted packet.

Solution:
   Prefix is UDP packet to closed port
   UDP doesn’t require a checksum
   Assuming port is closed, host will reply with
    ICMP unreachable containing the UDP packet
   Make it reply to external IP
In practice:
   Capture a packet from AP to client
   Send the prefix using fragmentation
   Send the targeted packet

   Reply of client contains complete packet

   Assumes client isn’t running a firewall
   Rudimentary PoC is working
   Correct theoretical analysis
     Using clear assumptions & probability theory
     Verified by practical experiments!
   Working decryption attack:
     Their suggestion contained an essential flaw
     Different technique based on UDP packets
     Rudimentary proof of concept is working (WIP)
   Highly efficient Denial of Service
     Very reliable PoC
   Fragmentation to launch actual attacks
     Verified that fragmentation works
     Reliable PoC portscan attack
   MIC reset to decrypt AP to client packets
     Correct theoretical analysis
     UDP technique
     PoC is work in progress