 Efficient Denial of Service Forge arbitrary packets to client Decrypt traffic towards client1TKIP:WiFi security protocol
Why studyTKIP if a replacement already exist?21999 2002 2004WEPBrokenWPA-TKIPAcceptableWPA-CCMP(AES)Secure
Detected 6803 networks66% supportTKIP19% support onlyTKIP3Need more arguments to killTKIP!
4Beck &Tews Attack>8 mins Key to calculateintegrity checkForge 3 smallpackets to client
NewAttack: Efficient Denial of ServiceImprove & implement existing ideas to: Forge arbitrary packets Decrypt packets to...
1. Add Message Integrity Check (MIC)2. Encrypt using XOR stream cipher3. Add Packet ID (#ID) to avoid replays#ID MICDataEn...
1. Add Message Integrity Check (MIC)2. Encrypt using XOR stream cipher3. Add Packet ID (#ID) to avoid replays#ID MICDataEn...
8#ID MICDataIf decrypted, reveals MIC key.If ( two MIC failures within a minute )halt all traffic for 1 minute
Attack: Capture packet, change priority, replay.9#ID / prior. MICDataEncrypted
 Avoids replay detection Doesn’t affect decryption Changes expected MIC valueAttack: Capture packet, change priority, r...
 Avoids replay detection Doesn’t affect decryption Changes expected MIC valueAttack: Capture packet, change priority, r...
Beck &Tews attack can forge 3 packets.Injecting more requires new keystreams:12Ciphertext PlaintextKeystream All packets ...
 LLC Header is only 12 bytes …. Combine them using fragmentation!#ID1 Data1 #ID16 Data16 MICData MICData1 Data16 MICData...
Port Scanner:1. Get MIC key using Beck &Tews attack2. InjectTCP SYN packets3. Detect SYN/ACK based on lengthRemarks: High...
APClient1. Sniff packet2.15AttackerData MICPing req.Sniffed packet
APClient1. Sniff packet2.16AttackerData MICPing req.Sniffed packetMagic
APClient1. Sniff packet2.3. Reply incl. packetExternal IP17AttackerData MICPing req.Sniffed packetMagic
 State1: initial state of every packet State2: state after processing prefix State3: equal to state1 due to magic bytes...
Possible applications? Decrypt web responses: Web mail Bank details … DecryptTCP sequence number, hijackconnection an...
Integrity (MIC) not verified when fragmented:AlfaAWUS036h Belkin F5D7053 Ralink U150BB20Attack time reducedfrom >8 min to ...
No replay protection:AlfaAWUS036h Belkin F5D7053 Tomato 1.28(AP firmware)21No need to generatenew keystreams!
Always accepts unencrypted packets:AlfaAWUS036h Belkin F7D1102 ScarletVDSL(AP of ISP in BE)22Game over, you lose!
APClientYour IP!23Attacker
TKIP is insecure! Efficient Denial of Service Forge any packet towards client Decrypt traffic towards client24
25
Upcoming SlideShare
Loading in …5
×

Practical Verification of TKIP Vulnerabilities

1,773 views

Published on

Presentation given at Asia CCS on the paper "Practicular Verification of WPA-TKIP Vulnerabilities".

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,773
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
26
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Practical Verification of TKIP Vulnerabilities

  1. 1.  Efficient Denial of Service Forge arbitrary packets to client Decrypt traffic towards client1TKIP:WiFi security protocol
  2. 2. Why studyTKIP if a replacement already exist?21999 2002 2004WEPBrokenWPA-TKIPAcceptableWPA-CCMP(AES)Secure
  3. 3. Detected 6803 networks66% supportTKIP19% support onlyTKIP3Need more arguments to killTKIP!
  4. 4. 4Beck &Tews Attack>8 mins Key to calculateintegrity checkForge 3 smallpackets to client
  5. 5. NewAttack: Efficient Denial of ServiceImprove & implement existing ideas to: Forge arbitrary packets Decrypt packets towards client[M. Beck. EnhancedTKIP michael attacks.]5
  6. 6. 1. Add Message Integrity Check (MIC)2. Encrypt using XOR stream cipher3. Add Packet ID (#ID) to avoid replays#ID MICDataEncryptedHow are packets sent/received?6
  7. 7. 1. Add Message Integrity Check (MIC)2. Encrypt using XOR stream cipher3. Add Packet ID (#ID) to avoid replays#ID MICDataEncryptedHow are packets sent/received?7MIC keyEncryption key
  8. 8. 8#ID MICDataIf decrypted, reveals MIC key.If ( two MIC failures within a minute )halt all traffic for 1 minute
  9. 9. Attack: Capture packet, change priority, replay.9#ID / prior. MICDataEncrypted
  10. 10.  Avoids replay detection Doesn’t affect decryption Changes expected MIC valueAttack: Capture packet, change priority, replay.10#ID / prior. MICDataEncryptedChangepriority
  11. 11.  Avoids replay detection Doesn’t affect decryption Changes expected MIC valueAttack: Capture packet, change priority, replay.11#ID / prior. MICDataEncryptedChangepriorityMIC Failure(s) Traffic halted for 1 minute
  12. 12. Beck &Tews attack can forge 3 packets.Injecting more requires new keystreams:12Ciphertext PlaintextKeystream All packets start withLLC header We predict these withvery high accuracyCapture packetswith new #ID’s.
  13. 13.  LLC Header is only 12 bytes …. Combine them using fragmentation!#ID1 Data1 #ID16 Data16 MICData MICData1 Data16 MICData2 12 bytes/fragment: inject 120 bytes of data
  14. 14. Port Scanner:1. Get MIC key using Beck &Tews attack2. InjectTCP SYN packets3. Detect SYN/ACK based on lengthRemarks: High amount of packet injection proven! Also: DNS poisoning, DHCP spoofing, …14
  15. 15. APClient1. Sniff packet2.15AttackerData MICPing req.Sniffed packet
  16. 16. APClient1. Sniff packet2.16AttackerData MICPing req.Sniffed packetMagic
  17. 17. APClient1. Sniff packet2.3. Reply incl. packetExternal IP17AttackerData MICPing req.Sniffed packetMagic
  18. 18.  State1: initial state of every packet State2: state after processing prefix State3: equal to state1 due to magic bytes State4: equal to MIC of sniffed packet!Data MICMagicPrefixSniffed packet18State4State3State2State1
  19. 19. Possible applications? Decrypt web responses: Web mail Bank details … DecryptTCP sequence number, hijackconnection and inject malware?19
  20. 20. Integrity (MIC) not verified when fragmented:AlfaAWUS036h Belkin F5D7053 Ralink U150BB20Attack time reducedfrom >8 min to zero.
  21. 21. No replay protection:AlfaAWUS036h Belkin F5D7053 Tomato 1.28(AP firmware)21No need to generatenew keystreams!
  22. 22. Always accepts unencrypted packets:AlfaAWUS036h Belkin F7D1102 ScarletVDSL(AP of ISP in BE)22Game over, you lose!
  23. 23. APClientYour IP!23Attacker
  24. 24. TKIP is insecure! Efficient Denial of Service Forge any packet towards client Decrypt traffic towards client24
  25. 25. 25

×