USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

V
All Your Biases Belong To Us:
Breaking RC4 in WPA-TKIP and TLS
Mathy Vanhoef and Frank Piessens, KU Leuven
USENIX Security 2015
RC4
2
Intriguingly simple stream cipher
WEP
WPA-TKIP
SSL / TLS PPP/MPPE
And others ...
RC4
3
Plaintext CiphertextKeystreamRC4
Key
Intriguingly simple stream cipher
Is RC4 still used?!
4
ICSI Notary: TLS connections using RC4
50%
30%
13%
0%
10%
20%
30%
40%
50%
60%
March 2013 Februari 2015 July 2015
RC4 fallback not taken into account!
RC4 Fallback
5
Client Server
ClientHello: without RC4 Browser first tries without RC4
ServerHello: use AES
Alert: Handshake Failed
RC4 Fallback
6
ClientHello: without RC4 Browser first tries without RC4
If that fails …
Client Server
ClientHello: with RC4
ServerHello: use RC4
RC4 Fallback
7
Client Server
Alert: Handshake Failed
ClientHello: without RC4 Browser first tries without RC4
If that fails …
… fallback to RC4
ClientHello: with RC4
ServerHello: use RC4
RC4 Fallback
8
Client Server
Alert: Handshake Failed
ClientHello: without RC4 Browser first tries without RC4
Forgeable by attacker!
… fallback to RC4
 13% estimate is a lower bound
 Force connection (which we
assumed secure) to use RC4
Our Goal: further kill RC4
9
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
First: Existing Biases
10
Distribution keystream byte 2
Pr 𝒁 𝟐 = 𝟎 =
𝟐
𝟐𝟓𝟔
[MS01]
First: Existing Biases
11
Distribution keystream byte 1 (to 256)
First: Existing Biases
12
Distribution keystream byte 1 (to 256)
AlFardan et al. ‘13:
first 256 bytes biased
Short-term biases
Long-Term Biases
13
A B S A B
Fluhrer-McGrew (2000):
 Some consecutive values are biased
Examples: 0, 0 and (0, 1)
Mantin’s ABSAB Bias (2005):
 A byte pair (𝐴, 𝐵) likely reappears
Fluhrer-McGrew: only 8 out
of 65 536 pairs are biased
Search for new biases
14
Traditional emperical approach:
 Generate large amount of keystreams
 Manually inspect data or graph
How to automate
the search?
Search for new biases
15
Hypothesis tests!
 Uniformly distributed: Chi-squared test.
 Correlated: M-test (detect outliers = biases)
Traditional emperical approach:
 Generate large amount of keystreams
 Manually inspect data or graph
Allows a large-scale search,
revealing many new biases
Biases in Bytes 258-513
16
Example: keystream byte 258
Biases in Bytes 258-513
17
Example: keystream byte 320
Biases in Bytes 258-513
18
Example: keystream byte 352
Biases quickly
become quite weak
New Long-term Bias
19
(𝑍256∙𝑤, 𝑍256∙𝑤+2) = (128, 0)
with probability 2−16
(1 + 2−8
)
128 0 ...
Every block of 256 bytes
Additional Biases
20
See paper!
Our Goal: further kill RC4
21
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
Existing Methods [AlFardan et al. ‘13]
22
Plaintext encrypted under
several keystreams
Ciphertext Distribution Plaintext guess 𝜇
Induced keystream
distribution
Verify guess: how close to
real keystream distribution?
Example: Decrypt byte 1
23
Ciphertext Distribution
Example: Decrypt byte 1
24
RC4 & Ciphertext distribution
Example: Decrypt byte 1
25
If plaintext byte 𝜇 = 0x28: RC4 & Induced
𝜇 = 0x28 has low likelihood
Example: Decrypt byte 1
26
If plaintext byte 𝜇 = 0x5C: RC4 & Induced
𝜇 = 0x5C has higher likelihood
Example: Decrypt byte 1
27
If plaintext byte 𝜇 = 0x5A: RC4 & Induced
𝜇 = 0x5A has highest likelihood!
Types of likelihood estimates
28
Previous works: pick value with highest likelihood.
Better idea: list of candidates in decreasing likelihood:
 Most likely one may not be correct!
 Prune bad candidates (e.g. bad CRC)
 Brute force cookies or passwords
How to calculate list of candidates?
1st idea: Generate List of Candidatess
29
Gist of the Algorithm: Incremental approach
Calculate candidates of length 1, length 2, ...
1
2
𝑛
1
2
𝑛
1
2
𝑛
...
2nd idea: abusing the ABSAB bias
30
Assume there’s surrounding known plaintext
 Derive values of A, B
 Combine with ABSAB bias to (probablisticly) predict A′, B′
 Ordinary likelihood calculation over only (A′, B′)
A B S A’ B’
Known Plaintext Unknown Plaintext
Likelihood estimate:
!
Our Goal: further kill RC4
31
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
TKIP Background
32
How are packets sent/received?
1. Add Message Integrity Check (MIC)
2. Add CRC (leftover from WEP)
3. Add IV (increments every frame)
4. Encrypt using RC4 (per-packet key)
Encrypted
MICDataIV CRC
Flaw #1: TKIP Per-packet Key
33
Key-Mix
Key Sender MAC 𝐼𝑉
packet key
Anti-FMS(𝐼𝑉0, 𝐼𝑉1)
 𝐼𝑉-dependent biases in keystream
[Gupta/Paterson et al.]
Avoid weak keys which broke WEP
Flaw #2: MIC is invertible
34
If decrypted, reveals MIC key
MICDataIV CRC
 With the MIC key, an attacker can inject and
decrypt some packets [AsiaCCS ‘13]
Goal: decrypt data and MIC
35
If decrypted, reveals MIC key
MICDataIV CRC
Generate identical packets (otherwise MIC changes):
 Assume victim connects to server of attacker
 Retransmit identical TCP packet
 List of plaintext candidates (unknown MIC and CRC)
 Prune bad candidates based on CRC
Evaluation
36
Simulations with 230
candidates:
 Need ≈ 224
captures to decrypt with high success rates
Emperical tests:
 Server can inject 2 500 packets per second
 Roughly one hour to capture sufficient traffic
 Successfully decrypted packet & found MIC key!
Our Goal: further kill RC4
37
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
TLS Background
38
Client Server
 Focus on record protocol with RC4 as cipher
Handshake protocol
Negotiate keys
Record protocol
Encrypt data
Targeting HTTPS Cookies
39
Previous attacks only used Fluhrer-McGrew (FM) biases
We combine FM bias with the ABSAB bias
Must surround cookie with known plaintext
1. Remove unknown plaintext arround cookie
2. Inject known plaintext arround cookie
Example: manipulated HTTP request
40
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
Trident/7.0; rv:11.0) like Gecko
Host: a.site.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: auth=????????????????; P=aaaaaaaaaaaaaaaaa
Surrounded by known
plaintext at both sides
Headers are
predictable
Preparation: manipulating cookies
41
Clienta.site.com fake.site.com
HTTPS insecure
Remove & inject
secure cookies!
Performing the attack!
42
JavaScript: Cross-Origin requests in WebWorkers
Performing the attack!
43
Keep-Alive connection to generate them fast
Performing the attack!
44
Combine Fluhrer-McGrew and ABSAB biases
Decrypting 16-character cookie
45
Takes 75 hours with 4450 requests / second
Ciphertext copies times 227
Decrypting 16-character cookie
46
DEMO!
rc4nomore.com
Questions?
May the bias be ever in your favor
1 of 47

Recommended

Advanced WiFi Attacks Using Commodity Hardware by
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
2.6K views67 slides
Advanced WiFi Attacks Using Commodity Hardware by
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
2.6K views33 slides
Practical Verification of TKIP Vulnerabilities by
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
2.3K views25 slides
Informal Presentation on WPA-TKIP by
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
1.6K views48 slides
New flaws in WPA-TKIP by
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
3.5K views44 slides
Pertemuan 9 intrusion detection system by
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemnewbie2019
397 views21 slides

More Related Content

What's hot

Chapter 6 firewall by
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewallnewbie2019
4.5K views33 slides
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation by
Super Barcode Training Camp - Motorola AirDefense Wireless Security PresentationSuper Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security PresentationSystem ID Warehouse
1.4K views15 slides
Hacking L2 Switches by
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 SwitchesNavaneetha Sankar
1.1K views38 slides
Firewall - Network Defense in Depth Firewalls by
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
2.2K views43 slides
Hacking Cisco by
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
5.6K views59 slides
Best! by
Best!Best!
Best!gofortution
2.8K views55 slides

What's hot(19)

Chapter 6 firewall by newbie2019
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewall
newbie20194.5K views
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation by System ID Warehouse
Super Barcode Training Camp - Motorola AirDefense Wireless Security PresentationSuper Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
System ID Warehouse1.4K views
Firewall - Network Defense in Depth Firewalls by phanleson
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
phanleson2.2K views
Hacking Cisco by guestd05b31
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b315.6K views
Network Security - Layer 2 by samis
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
samis6.1K views
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures. by Sumutiu Marius
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius6.4K views
Snort by nazzf
SnortSnort
Snort
nazzf69 views
3.Network by phanleson
3.Network3.Network
3.Network
phanleson815 views
Wireless hacking and security by Adel Zalok
Wireless hacking and securityWireless hacking and security
Wireless hacking and security
Adel Zalok2.4K views
Authentication in wireless - Security in Wireless Protocols by phanleson
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
phanleson928 views
Wireless security presentation by Muhammad Zia
Wireless security presentationWireless security presentation
Wireless security presentation
Muhammad Zia40.5K views

Similar to USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Wireless security837 by
Wireless security837Wireless security837
Wireless security837mark scott
544 views63 slides
Fundamentals of network hacking by
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
91 views38 slides
Computer network (3) by
Computer network (3)Computer network (3)
Computer network (3)NYversity
416 views39 slides
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015) by
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)Igalia
412 views24 slides
RC4&RC5 by
RC4&RC5RC4&RC5
RC4&RC5guestff64339
1.7K views64 slides
RC4&RC5 by
RC4&RC5RC4&RC5
RC4&RC5Mohamed El-Serngawy
26.7K views64 slides

Similar to USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS(20)

Wireless security837 by mark scott
Wireless security837Wireless security837
Wireless security837
mark scott544 views
Fundamentals of network hacking by Pranshu Pareek
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek91 views
Computer network (3) by NYversity
Computer network (3)Computer network (3)
Computer network (3)
NYversity416 views
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015) by Igalia
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)
Igalia412 views
Unit 3:Enterprise Security by prachi67
Unit 3:Enterprise SecurityUnit 3:Enterprise Security
Unit 3:Enterprise Security
prachi6742 views
SSL/TLS Eavesdropping with Fullpath Control by Mike Thompson
SSL/TLS Eavesdropping with Fullpath ControlSSL/TLS Eavesdropping with Fullpath Control
SSL/TLS Eavesdropping with Fullpath Control
Mike Thompson2.2K views
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack... by Aaron Zauner
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
Aaron Zauner992 views
Hacking SSL When Using RC4 by Khairi Aiman
Hacking SSL When Using RC4Hacking SSL When Using RC4
Hacking SSL When Using RC4
Khairi Aiman538 views
802.11i by akruthi k
802.11i802.11i
802.11i
akruthi k2.7K views
DTS Solution - Wireless Security Protocols / PenTesting by Shah Sheikh
DTS Solution - Wireless Security Protocols / PenTesting DTS Solution - Wireless Security Protocols / PenTesting
DTS Solution - Wireless Security Protocols / PenTesting
Shah Sheikh2.8K views
Wifi Security by Shital Kat
Wifi SecurityWifi Security
Wifi Security
Shital Kat2.4K views
Wi fi-security-the-details-matter by DESMOND YUEN
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matter
DESMOND YUEN99 views
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf by YuChianWu
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
YuChianWu2 views

Recently uploaded

"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy by
"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy
"Role of a CTO in software outsourcing company", Yuriy NakonechnyyFwdays
40 views21 slides
GigaIO: The March of Composability Onward to Memory with CXL by
GigaIO: The March of Composability Onward to Memory with CXLGigaIO: The March of Composability Onward to Memory with CXL
GigaIO: The March of Composability Onward to Memory with CXLCXL Forum
126 views12 slides
[2023] Putting the R! in R&D.pdf by
[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdfEleanor McHugh
38 views127 slides
Transcript: The Details of Description Techniques tips and tangents on altern... by
Transcript: The Details of Description Techniques tips and tangents on altern...Transcript: The Details of Description Techniques tips and tangents on altern...
Transcript: The Details of Description Techniques tips and tangents on altern...BookNet Canada
119 views15 slides
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa... by
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...The Digital Insurer
28 views18 slides
AMD: 4th Generation EPYC CXL Demo by
AMD: 4th Generation EPYC CXL DemoAMD: 4th Generation EPYC CXL Demo
AMD: 4th Generation EPYC CXL DemoCXL Forum
126 views6 slides

Recently uploaded(20)

"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy by Fwdays
"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy
"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy
Fwdays40 views
GigaIO: The March of Composability Onward to Memory with CXL by CXL Forum
GigaIO: The March of Composability Onward to Memory with CXLGigaIO: The March of Composability Onward to Memory with CXL
GigaIO: The March of Composability Onward to Memory with CXL
CXL Forum126 views
[2023] Putting the R! in R&D.pdf by Eleanor McHugh
[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf
Eleanor McHugh38 views
Transcript: The Details of Description Techniques tips and tangents on altern... by BookNet Canada
Transcript: The Details of Description Techniques tips and tangents on altern...Transcript: The Details of Description Techniques tips and tangents on altern...
Transcript: The Details of Description Techniques tips and tangents on altern...
BookNet Canada119 views
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa... by The Digital Insurer
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...
AMD: 4th Generation EPYC CXL Demo by CXL Forum
AMD: 4th Generation EPYC CXL DemoAMD: 4th Generation EPYC CXL Demo
AMD: 4th Generation EPYC CXL Demo
CXL Forum126 views
.conf Go 2023 - Data analysis as a routine by Splunk
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
Splunk90 views
"Fast Start to Building on AWS", Igor Ivaniuk by Fwdays
"Fast Start to Building on AWS", Igor Ivaniuk"Fast Start to Building on AWS", Igor Ivaniuk
"Fast Start to Building on AWS", Igor Ivaniuk
Fwdays36 views
Understanding GenAI/LLM and What is Google Offering - Felix Goh by NUS-ISS
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix Goh
NUS-ISS39 views
MemVerge: Gismo (Global IO-free Shared Memory Objects) by CXL Forum
MemVerge: Gismo (Global IO-free Shared Memory Objects)MemVerge: Gismo (Global IO-free Shared Memory Objects)
MemVerge: Gismo (Global IO-free Shared Memory Objects)
CXL Forum112 views
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum... by NUS-ISS
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
NUS-ISS28 views
The Importance of Cybersecurity for Digital Transformation by NUS-ISS
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
NUS-ISS25 views
AI: mind, matter, meaning, metaphors, being, becoming, life values by Twain Liu 刘秋艳
AI: mind, matter, meaning, metaphors, being, becoming, life valuesAI: mind, matter, meaning, metaphors, being, becoming, life values
AI: mind, matter, meaning, metaphors, being, becoming, life values
MemVerge: Memory Viewer Software by CXL Forum
MemVerge: Memory Viewer SoftwareMemVerge: Memory Viewer Software
MemVerge: Memory Viewer Software
CXL Forum118 views
Astera Labs: Intelligent Connectivity for Cloud and AI Infrastructure by CXL Forum
Astera Labs:  Intelligent Connectivity for Cloud and AI InfrastructureAstera Labs:  Intelligent Connectivity for Cloud and AI Infrastructure
Astera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
CXL Forum125 views
"Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ... by Fwdays
"Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ..."Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ...
"Quality Assurance: Achieving Excellence in startup without a Dedicated QA", ...
Fwdays33 views
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu... by NUS-ISS
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
NUS-ISS32 views
Future of Learning - Khoong Chan Meng by NUS-ISS
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan Meng
NUS-ISS31 views
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor... by Vadym Kazulkin
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin70 views
Web Dev - 1 PPT.pdf by gdsczhcet
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdf
gdsczhcet52 views

USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

  • 1. All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS Mathy Vanhoef and Frank Piessens, KU Leuven USENIX Security 2015
  • 2. RC4 2 Intriguingly simple stream cipher WEP WPA-TKIP SSL / TLS PPP/MPPE And others ...
  • 4. Is RC4 still used?! 4 ICSI Notary: TLS connections using RC4 50% 30% 13% 0% 10% 20% 30% 40% 50% 60% March 2013 Februari 2015 July 2015 RC4 fallback not taken into account!
  • 5. RC4 Fallback 5 Client Server ClientHello: without RC4 Browser first tries without RC4 ServerHello: use AES
  • 6. Alert: Handshake Failed RC4 Fallback 6 ClientHello: without RC4 Browser first tries without RC4 If that fails … Client Server
  • 7. ClientHello: with RC4 ServerHello: use RC4 RC4 Fallback 7 Client Server Alert: Handshake Failed ClientHello: without RC4 Browser first tries without RC4 If that fails … … fallback to RC4
  • 8. ClientHello: with RC4 ServerHello: use RC4 RC4 Fallback 8 Client Server Alert: Handshake Failed ClientHello: without RC4 Browser first tries without RC4 Forgeable by attacker! … fallback to RC4  13% estimate is a lower bound  Force connection (which we assumed secure) to use RC4
  • 9. Our Goal: further kill RC4 9 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  • 10. First: Existing Biases 10 Distribution keystream byte 2 Pr 𝒁 𝟐 = 𝟎 = 𝟐 𝟐𝟓𝟔 [MS01]
  • 11. First: Existing Biases 11 Distribution keystream byte 1 (to 256)
  • 12. First: Existing Biases 12 Distribution keystream byte 1 (to 256) AlFardan et al. ‘13: first 256 bytes biased Short-term biases
  • 13. Long-Term Biases 13 A B S A B Fluhrer-McGrew (2000):  Some consecutive values are biased Examples: 0, 0 and (0, 1) Mantin’s ABSAB Bias (2005):  A byte pair (𝐴, 𝐵) likely reappears
  • 14. Fluhrer-McGrew: only 8 out of 65 536 pairs are biased Search for new biases 14 Traditional emperical approach:  Generate large amount of keystreams  Manually inspect data or graph How to automate the search?
  • 15. Search for new biases 15 Hypothesis tests!  Uniformly distributed: Chi-squared test.  Correlated: M-test (detect outliers = biases) Traditional emperical approach:  Generate large amount of keystreams  Manually inspect data or graph Allows a large-scale search, revealing many new biases
  • 16. Biases in Bytes 258-513 16 Example: keystream byte 258
  • 17. Biases in Bytes 258-513 17 Example: keystream byte 320
  • 18. Biases in Bytes 258-513 18 Example: keystream byte 352 Biases quickly become quite weak
  • 19. New Long-term Bias 19 (𝑍256∙𝑤, 𝑍256∙𝑤+2) = (128, 0) with probability 2−16 (1 + 2−8 ) 128 0 ... Every block of 256 bytes
  • 21. Our Goal: further kill RC4 21 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  • 22. Existing Methods [AlFardan et al. ‘13] 22 Plaintext encrypted under several keystreams Ciphertext Distribution Plaintext guess 𝜇 Induced keystream distribution Verify guess: how close to real keystream distribution?
  • 23. Example: Decrypt byte 1 23 Ciphertext Distribution
  • 24. Example: Decrypt byte 1 24 RC4 & Ciphertext distribution
  • 25. Example: Decrypt byte 1 25 If plaintext byte 𝜇 = 0x28: RC4 & Induced 𝜇 = 0x28 has low likelihood
  • 26. Example: Decrypt byte 1 26 If plaintext byte 𝜇 = 0x5C: RC4 & Induced 𝜇 = 0x5C has higher likelihood
  • 27. Example: Decrypt byte 1 27 If plaintext byte 𝜇 = 0x5A: RC4 & Induced 𝜇 = 0x5A has highest likelihood!
  • 28. Types of likelihood estimates 28 Previous works: pick value with highest likelihood. Better idea: list of candidates in decreasing likelihood:  Most likely one may not be correct!  Prune bad candidates (e.g. bad CRC)  Brute force cookies or passwords How to calculate list of candidates?
  • 29. 1st idea: Generate List of Candidatess 29 Gist of the Algorithm: Incremental approach Calculate candidates of length 1, length 2, ... 1 2 𝑛 1 2 𝑛 1 2 𝑛 ...
  • 30. 2nd idea: abusing the ABSAB bias 30 Assume there’s surrounding known plaintext  Derive values of A, B  Combine with ABSAB bias to (probablisticly) predict A′, B′  Ordinary likelihood calculation over only (A′, B′) A B S A’ B’ Known Plaintext Unknown Plaintext Likelihood estimate: !
  • 31. Our Goal: further kill RC4 31 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  • 32. TKIP Background 32 How are packets sent/received? 1. Add Message Integrity Check (MIC) 2. Add CRC (leftover from WEP) 3. Add IV (increments every frame) 4. Encrypt using RC4 (per-packet key) Encrypted MICDataIV CRC
  • 33. Flaw #1: TKIP Per-packet Key 33 Key-Mix Key Sender MAC 𝐼𝑉 packet key Anti-FMS(𝐼𝑉0, 𝐼𝑉1)  𝐼𝑉-dependent biases in keystream [Gupta/Paterson et al.] Avoid weak keys which broke WEP
  • 34. Flaw #2: MIC is invertible 34 If decrypted, reveals MIC key MICDataIV CRC  With the MIC key, an attacker can inject and decrypt some packets [AsiaCCS ‘13]
  • 35. Goal: decrypt data and MIC 35 If decrypted, reveals MIC key MICDataIV CRC Generate identical packets (otherwise MIC changes):  Assume victim connects to server of attacker  Retransmit identical TCP packet  List of plaintext candidates (unknown MIC and CRC)  Prune bad candidates based on CRC
  • 36. Evaluation 36 Simulations with 230 candidates:  Need ≈ 224 captures to decrypt with high success rates Emperical tests:  Server can inject 2 500 packets per second  Roughly one hour to capture sufficient traffic  Successfully decrypted packet & found MIC key!
  • 37. Our Goal: further kill RC4 37 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  • 38. TLS Background 38 Client Server  Focus on record protocol with RC4 as cipher Handshake protocol Negotiate keys Record protocol Encrypt data
  • 39. Targeting HTTPS Cookies 39 Previous attacks only used Fluhrer-McGrew (FM) biases We combine FM bias with the ABSAB bias Must surround cookie with known plaintext 1. Remove unknown plaintext arround cookie 2. Inject known plaintext arround cookie
  • 40. Example: manipulated HTTP request 40 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: a.site.com Connection: Keep-Alive Cache-Control: no-cache Cookie: auth=????????????????; P=aaaaaaaaaaaaaaaaa Surrounded by known plaintext at both sides Headers are predictable
  • 41. Preparation: manipulating cookies 41 Clienta.site.com fake.site.com HTTPS insecure Remove & inject secure cookies!
  • 42. Performing the attack! 42 JavaScript: Cross-Origin requests in WebWorkers
  • 43. Performing the attack! 43 Keep-Alive connection to generate them fast
  • 44. Performing the attack! 44 Combine Fluhrer-McGrew and ABSAB biases
  • 45. Decrypting 16-character cookie 45 Takes 75 hours with 4450 requests / second Ciphertext copies times 227
  • 47. Questions? May the bias be ever in your favor