Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
All Your Biases Belong To Us:
Breaking RC4 in WPA-TKIP and TLS
Mathy Vanhoef and Frank Piessens, KU Leuven
USENIX Security...
RC4
2
Intriguingly simple stream cipher
WEP
WPA-TKIP
SSL / TLS PPP/MPPE
And others ...
RC4
3
Plaintext CiphertextKeystreamRC4
Key
Intriguingly simple stream cipher
Is RC4 still used?!
4
ICSI Notary: TLS connections using RC4
50%
30%
13%
0%
10%
20%
30%
40%
50%
60%
March 2013 Februari 20...
RC4 Fallback
5
Client Server
ClientHello: without RC4 Browser first tries without RC4
ServerHello: use AES
Alert: Handshake Failed
RC4 Fallback
6
ClientHello: without RC4 Browser first tries without RC4
If that fails …
Client Ser...
ClientHello: with RC4
ServerHello: use RC4
RC4 Fallback
7
Client Server
Alert: Handshake Failed
ClientHello: without RC4 B...
ClientHello: with RC4
ServerHello: use RC4
RC4 Fallback
8
Client Server
Alert: Handshake Failed
ClientHello: without RC4 B...
Our Goal: further kill RC4
9
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
First: Existing Biases
10
Distribution keystream byte 2
Pr 𝒁 𝟐 = 𝟎 =
𝟐
πŸπŸ“πŸ”
[MS01]
First: Existing Biases
11
Distribution keystream byte 1 (to 256)
First: Existing Biases
12
Distribution keystream byte 1 (to 256)
AlFardan et al. β€˜13:
first 256 bytes biased
Short-term bi...
Long-Term Biases
13
A B S A B
Fluhrer-McGrew (2000):
 Some consecutive values are biased
Examples: 0, 0 and (0, 1)
Mantin...
Fluhrer-McGrew: only 8 out
of 65 536 pairs are biased
Search for new biases
14
Traditional emperical approach:
 Generate ...
Search for new biases
15
Hypothesis tests!
 Uniformly distributed: Chi-squared test.
 Correlated: M-test (detect outlier...
Biases in Bytes 258-513
16
Example: keystream byte 258
Biases in Bytes 258-513
17
Example: keystream byte 320
Biases in Bytes 258-513
18
Example: keystream byte 352
Biases quickly
become quite weak
New Long-term Bias
19
(𝑍256βˆ™π‘€, 𝑍256βˆ™π‘€+2) = (128, 0)
with probability 2βˆ’16
(1 + 2βˆ’8
)
128 0 ...
Every block of 256 bytes
Additional Biases
20
See paper!
Our Goal: further kill RC4
21
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
Existing Methods [AlFardan et al. β€˜13]
22
Plaintext encrypted under
several keystreams
Ciphertext Distribution Plaintext g...
Example: Decrypt byte 1
23
Ciphertext Distribution
Example: Decrypt byte 1
24
RC4 & Ciphertext distribution
Example: Decrypt byte 1
25
If plaintext byte πœ‡ = 0x28: RC4 & Induced
πœ‡ = 0x28 has low likelihood
Example: Decrypt byte 1
26
If plaintext byte πœ‡ = 0x5C: RC4 & Induced
πœ‡ = 0x5C has higher likelihood
Example: Decrypt byte 1
27
If plaintext byte πœ‡ = 0x5A: RC4 & Induced
πœ‡ = 0x5A has highest likelihood!
Types of likelihood estimates
28
Previous works: pick value with highest likelihood.
Better idea: list of candidates in de...
1st idea: Generate List of Candidatess
29
Gist of the Algorithm: Incremental approach
Calculate candidates of length 1, le...
2nd idea: abusing the ABSAB bias
30
Assume there’s surrounding known plaintext
 Derive values of A, B
 Combine with ABSA...
Our Goal: further kill RC4
31
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
TKIP Background
32
How are packets sent/received?
1. Add Message Integrity Check (MIC)
2. Add CRC (leftover from WEP)
3. A...
Flaw #1: TKIP Per-packet Key
33
Key-Mix
Key Sender MAC 𝐼𝑉
packet key
Anti-FMS(𝐼𝑉0, 𝐼𝑉1)
οƒ  𝐼𝑉-dependent biases in keystream...
Flaw #2: MIC is invertible
34
If decrypted, reveals MIC key
MICDataIV CRC
οƒ  With the MIC key, an attacker can inject and
d...
Goal: decrypt data and MIC
35
If decrypted, reveals MIC key
MICDataIV CRC
Generate identical packets (otherwise MIC change...
Evaluation
36
Simulations with 230
candidates:
 Need β‰ˆ 224
captures to decrypt with high success rates
Emperical tests:
...
Our Goal: further kill RC4
37
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
TLS Background
38
Client Server
οƒ  Focus on record protocol with RC4 as cipher
Handshake protocol
Negotiate keys
Record pro...
Targeting HTTPS Cookies
39
Previous attacks only used Fluhrer-McGrew (FM) biases
We combine FM bias with the ABSAB bias
Mu...
Example: manipulated HTTP request
40
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
Trident/7.0; rv:11.0) like Gecko
Host...
Preparation: manipulating cookies
41
Clienta.site.com fake.site.com
HTTPS insecure
Remove & inject
secure cookies!
Performing the attack!
42
JavaScript: Cross-Origin requests in WebWorkers
Performing the attack!
43
Keep-Alive connection to generate them fast
Performing the attack!
44
Combine Fluhrer-McGrew and ABSAB biases
Decrypting 16-character cookie
45
Takes 75 hours with 4450 requests / second
Ciphertext copies times 227
Decrypting 16-character cookie
46
DEMO!
rc4nomore.com
Questions?
May the bias be ever in your favor
Upcoming SlideShare
Loading in …5
×

USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

1,074 views

Published on

Presentation given at USENIX Security on the paper All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS.

Published in: Technology
  • Be the first to comment

USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

  1. 1. All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS Mathy Vanhoef and Frank Piessens, KU Leuven USENIX Security 2015
  2. 2. RC4 2 Intriguingly simple stream cipher WEP WPA-TKIP SSL / TLS PPP/MPPE And others ...
  3. 3. RC4 3 Plaintext CiphertextKeystreamRC4 Key Intriguingly simple stream cipher
  4. 4. Is RC4 still used?! 4 ICSI Notary: TLS connections using RC4 50% 30% 13% 0% 10% 20% 30% 40% 50% 60% March 2013 Februari 2015 July 2015 RC4 fallback not taken into account!
  5. 5. RC4 Fallback 5 Client Server ClientHello: without RC4 Browser first tries without RC4 ServerHello: use AES
  6. 6. Alert: Handshake Failed RC4 Fallback 6 ClientHello: without RC4 Browser first tries without RC4 If that fails … Client Server
  7. 7. ClientHello: with RC4 ServerHello: use RC4 RC4 Fallback 7 Client Server Alert: Handshake Failed ClientHello: without RC4 Browser first tries without RC4 If that fails … … fallback to RC4
  8. 8. ClientHello: with RC4 ServerHello: use RC4 RC4 Fallback 8 Client Server Alert: Handshake Failed ClientHello: without RC4 Browser first tries without RC4 Forgeable by attacker! … fallback to RC4 οƒ˜ 13% estimate is a lower bound οƒ˜ Force connection (which we assumed secure) to use RC4
  9. 9. Our Goal: further kill RC4 9 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  10. 10. First: Existing Biases 10 Distribution keystream byte 2 Pr 𝒁 𝟐 = 𝟎 = 𝟐 πŸπŸ“πŸ” [MS01]
  11. 11. First: Existing Biases 11 Distribution keystream byte 1 (to 256)
  12. 12. First: Existing Biases 12 Distribution keystream byte 1 (to 256) AlFardan et al. β€˜13: first 256 bytes biased Short-term biases
  13. 13. Long-Term Biases 13 A B S A B Fluhrer-McGrew (2000):  Some consecutive values are biased Examples: 0, 0 and (0, 1) Mantin’s ABSAB Bias (2005):  A byte pair (𝐴, 𝐡) likely reappears
  14. 14. Fluhrer-McGrew: only 8 out of 65 536 pairs are biased Search for new biases 14 Traditional emperical approach:  Generate large amount of keystreams  Manually inspect data or graph How to automate the search?
  15. 15. Search for new biases 15 Hypothesis tests!  Uniformly distributed: Chi-squared test.  Correlated: M-test (detect outliers = biases) Traditional emperical approach:  Generate large amount of keystreams  Manually inspect data or graph οƒ Allows a large-scale search, revealing many new biases
  16. 16. Biases in Bytes 258-513 16 Example: keystream byte 258
  17. 17. Biases in Bytes 258-513 17 Example: keystream byte 320
  18. 18. Biases in Bytes 258-513 18 Example: keystream byte 352 Biases quickly become quite weak
  19. 19. New Long-term Bias 19 (𝑍256βˆ™π‘€, 𝑍256βˆ™π‘€+2) = (128, 0) with probability 2βˆ’16 (1 + 2βˆ’8 ) 128 0 ... Every block of 256 bytes
  20. 20. Additional Biases 20 See paper!
  21. 21. Our Goal: further kill RC4 21 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  22. 22. Existing Methods [AlFardan et al. β€˜13] 22 Plaintext encrypted under several keystreams Ciphertext Distribution Plaintext guess πœ‡ Induced keystream distribution Verify guess: how close to real keystream distribution?
  23. 23. Example: Decrypt byte 1 23 Ciphertext Distribution
  24. 24. Example: Decrypt byte 1 24 RC4 & Ciphertext distribution
  25. 25. Example: Decrypt byte 1 25 If plaintext byte πœ‡ = 0x28: RC4 & Induced πœ‡ = 0x28 has low likelihood
  26. 26. Example: Decrypt byte 1 26 If plaintext byte πœ‡ = 0x5C: RC4 & Induced πœ‡ = 0x5C has higher likelihood
  27. 27. Example: Decrypt byte 1 27 If plaintext byte πœ‡ = 0x5A: RC4 & Induced πœ‡ = 0x5A has highest likelihood!
  28. 28. Types of likelihood estimates 28 Previous works: pick value with highest likelihood. Better idea: list of candidates in decreasing likelihood:  Most likely one may not be correct!  Prune bad candidates (e.g. bad CRC)  Brute force cookies or passwords How to calculate list of candidates?
  29. 29. 1st idea: Generate List of Candidatess 29 Gist of the Algorithm: Incremental approach Calculate candidates of length 1, length 2, ... 1 2 𝑛 1 2 𝑛 1 2 𝑛 ...
  30. 30. 2nd idea: abusing the ABSAB bias 30 Assume there’s surrounding known plaintext  Derive values of A, B  Combine with ABSAB bias to (probablisticly) predict Aβ€², Bβ€² οƒ˜ Ordinary likelihood calculation over only (Aβ€², Bβ€²) A B S A’ B’ Known Plaintext Unknown Plaintext Likelihood estimate: !
  31. 31. Our Goal: further kill RC4 31 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  32. 32. TKIP Background 32 How are packets sent/received? 1. Add Message Integrity Check (MIC) 2. Add CRC (leftover from WEP) 3. Add IV (increments every frame) 4. Encrypt using RC4 (per-packet key) Encrypted MICDataIV CRC
  33. 33. Flaw #1: TKIP Per-packet Key 33 Key-Mix Key Sender MAC 𝐼𝑉 packet key Anti-FMS(𝐼𝑉0, 𝐼𝑉1) οƒ  𝐼𝑉-dependent biases in keystream [Gupta/Paterson et al.] Avoid weak keys which broke WEP
  34. 34. Flaw #2: MIC is invertible 34 If decrypted, reveals MIC key MICDataIV CRC οƒ  With the MIC key, an attacker can inject and decrypt some packets [AsiaCCS β€˜13]
  35. 35. Goal: decrypt data and MIC 35 If decrypted, reveals MIC key MICDataIV CRC Generate identical packets (otherwise MIC changes):  Assume victim connects to server of attacker  Retransmit identical TCP packet οƒ˜ List of plaintext candidates (unknown MIC and CRC) οƒ˜ Prune bad candidates based on CRC
  36. 36. Evaluation 36 Simulations with 230 candidates:  Need β‰ˆ 224 captures to decrypt with high success rates Emperical tests:  Server can inject 2 500 packets per second  Roughly one hour to capture sufficient traffic  Successfully decrypted packet & found MIC key!
  37. 37. Our Goal: further kill RC4 37 New Biases Plaintext Recovery Break WPA-TKIP Attack HTTPS
  38. 38. TLS Background 38 Client Server οƒ  Focus on record protocol with RC4 as cipher Handshake protocol Negotiate keys Record protocol Encrypt data
  39. 39. Targeting HTTPS Cookies 39 Previous attacks only used Fluhrer-McGrew (FM) biases We combine FM bias with the ABSAB bias Must surround cookie with known plaintext 1. Remove unknown plaintext arround cookie 2. Inject known plaintext arround cookie
  40. 40. Example: manipulated HTTP request 40 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: a.site.com Connection: Keep-Alive Cache-Control: no-cache Cookie: auth=????????????????; P=aaaaaaaaaaaaaaaaa Surrounded by known plaintext at both sides Headers are predictable
  41. 41. Preparation: manipulating cookies 41 Clienta.site.com fake.site.com HTTPS insecure Remove & inject secure cookies!
  42. 42. Performing the attack! 42 JavaScript: Cross-Origin requests in WebWorkers
  43. 43. Performing the attack! 43 Keep-Alive connection to generate them fast
  44. 44. Performing the attack! 44 Combine Fluhrer-McGrew and ABSAB biases
  45. 45. Decrypting 16-character cookie 45 Takes 75 hours with 4450 requests / second Ciphertext copies times 227
  46. 46. Decrypting 16-character cookie 46 DEMO! rc4nomore.com
  47. 47. Questions? May the bias be ever in your favor

Γ—