SlideShare ist ein Scribd-Unternehmen logo

Informal Presentation on WPA-TKIP

V
vanhoefm

The document summarizes new attacks against the WPA-TKIP protocol. It describes a denial of service attack that can disable a network by replaying two manipulated packets. It also outlines a fragmentation attack that uses predicted keystream bytes to inject packets onto the network, such as for port scanning. Finally, it proposes a MIC reset attack to decrypt packets by crafting a prefix that resets the MIC state. Proofs of concept are provided for the denial of service and fragmentation attacks.

Technologie
1 von 48
Downloaden Sie, um offline zu lesen
Mathy Vanhoef
Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
We will cover:  Connecting  Sending & receiving packets  Quality of Service (QoS) extension Design Constraints:  Must run on legacy hardware  Uses (hardware) WEP encapsulation
 Defined by EAPOL and results in a session key  What people normally capture & crack
 Result of handshake is 512 bit session key  Renewed after rekeying timeout (1 hour) EAPOL protection DataEncr MIC1 MIC2  DataEncr key: used to encrypt packets  MIC keys (Message Integrity Code):  Verify integrity of data. But why two?
 WPA-TKIP designed for old hardware  Couldn’t use strong integrity checks (CCMP)  New algorithm called Michael was created  Weakness: plaintext + MIC reveals MIC key  To improve security two MIC keys are used  MIC1 for AP to client communication  MIC2 for client to AP communication
TSC Data MIC CRC Encrypted  Calculate MIC to assure integrity  WEP Encapsulation:  Calculate CRC  Encrypt the packet using RC4  Add replay counter (TSC) to avoid replays
TSC Data MIC CRC Encrypted  WEP decapsulation:  Verify TSC to prevent replays  Decrypt packet using RC4  Verify CRC  Verify MIC to assure authenticity
 Replay counter & CRC are good, but MIC not  Transmission error unlikely  Network may be under attack! Defense mechanism on MIC failure:  Client sends MIC failure report to AP  AP silently logs failure  Two failures in 1 min: network down for 1 min
 Defines several QoS channels  Implemented by new field in 802.11 header QoS TSC Data MIC CRC unencrypted Encrypted  Individual replay counter (TSC) per channel  Used to pass replay counter check of receiver!
Channel TSC 0: Best Effort 4000 1: Background 0 2: Video 0 3: Voice 0  Support for up to 8 channels  But WiFi certification only requires 4
Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
 Martin Beck: TU-Dresden, Germany  Erik Tews: TU-Darmstadt, Germany  First known attack on TKIP, requires QoS  Decrypts ARP reply sent from AP to client  MIC key for AP to client  Takes at least 8 minutes to execute
QoS TSC Data MIC CRC QoS TSC Data MIC’ CRC'  Remove last byte  CRC can be corrected if last byte is known  Try all 256 values & send using diff. priority  On correct guess: MIC failure report
 Takes 12 minutes to execute  Limited impact: injection of 3-7 small packets
 An improved attack on TKIP  2009/11: targets DHCP Ack packet  Cryptanalysis for RC4 and Breaking WPA-TKIP  2011/11: Removes QoS requirement  Falsification Attacks against WPA-TKIP in a realistic environment  2012/02: Reduces execution time to 8 minutes
 Unpublished (Martin Beck, 2010)  Suggests fragmentation attack  Not implemented, unrealistic usage example  MIC Reset Attack  Implemented, but PoC not available  Incorrect theoretical analysis  Suggests a decryption attack  Not implemented & contains essential flaw
Papers about Denial of Service (DoS) attacks:  802.11 DoS attack: real vulnerabilities and practical solutions  2003: Not specific to TKIP, but WiFi in general  A study of the TKIP cryptographic DoS attack  2007: Requires man-in-the-middle position
Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
 MIC = Michael(MAC dest, MAC source, MIC key, priority, data)  Rc4key = MixKey(MAC transmitter, key, TSC)
 Key observations:  Individual replay counter per priority  Priority influences MIC but not encryption key  Two MIC failures: network down  What happens when the priority is changed?
 Capture packet, change priority, replay On Reception :  Verify replay counter  Decrypt packet using RC4  Verify CRC (leftover from WEP)  Verify MIC to assure authenticity
 Capture packet, change priority, replay On Reception :  Verify replay counter OK  Decrypt packet using RC4 OK  Verify CRC (leftover from WEP) OK  Verify MIC to assure authenticity FAIL  Do this twice: Denial of Service
 Disadvantage: attack fails if QoS is disabled  Cryptanalysis for RC4 and breaking WPA:  Capture packet, add QoS header, change priority, replay On Reception:  Doesn’t check whether QoS is actually used  Again bypass replay counter check  MIC still dependent on priority
 Example: network with 20 connected clients  Old deauthentication attack:  Must continuously sends packets  Say 10 deauths per client per second  (10 * 60) * 20 = 12 000 frames per minute  New attack  2 frames per minute
 Specifically exploits flaws in WPA-TKIP  Takes down network for 1 minute yet requires no man-in-the-middle position  Requires sending only two packets to take down the network for 1 minute
Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
What is needed to inject packets:  MIC key  Result of Beck & Tews attack  Unused replay counter  Inject packet on unused QoS channel  Keystream corresponding to replay counter  Beck & Tews results in only one keystream…  How can we get more? First need to know RC4!
 Stream cipher  XOR-based This means: Ciphertext Plaintext Keystream  Predicting the plaintext gives the keystream
Simplified:  All data packets start with LLC header  Different for APR, IP and EAPOL packets  Detect ARP & EAPOL based on length  Everything else: IP  Practice: almost no incorrect guesses!  Gives us 12 bytes keystream for each packet
 But is 12 bytes enough to send a packet?  No, MIC & CRC alone are 12 bytes. If only we could somehow combine them…  Using 802.11 fragmentation we can combine 16 keystreams to send one large packet
Data MIC Data1 Data2 Data16 MIC TSC1 Data1 CRC1 TSC16 Data16 MIC CRC16  MIC calculated over complete packet  Each fragment has CRC and different TSC  12 bytes/keystream: inject 120 bytes of data
 Beck & Tews attack: MIC key AP to client  Predict packets & get keystreams  Combine short keystreams by fragmentation  Send over unused QoS channel What can we do with this?  ARP/DNS Poisoning  Sending TCP SYN packets: port scan!
A few notes:  Scan 500 most popular ports  Detect SYN/ACK based on length  Avoid multiple SYN/ACK’s: send RST Port scan of internal client:  Normally not possible  We are bypassing the network firewall / NAT!
 Fragmentation attack implemented!  Slightly improved & verified prediction of packets  Verified usage of 802.11 fragmentation  Realistic example: portscan
Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
Assume we know the MIC key  We know the initial MIC state for packets Attack idea:  Construct a packet, so that after processing it, the state is equal to the inital state.  We can then append a random packet to it, knowing that its MIC value is valid.
Targeted packet Prefix Magic Data MIC State1  State1: initial state of every packet
Targeted packet Prefix Magic Data MIC State2  State1: initial state of every packet  State2: state after processing prefix
Targeted packet Prefix Magic Data MIC State3  State1: initial state of every packet  State2: state after processing prefix  State3: equal to state1 due to magic bytes
Targeted packet Prefix Magic Data MIC State4  State1: initial state of every packet  State2: state after processing prefix  State3: equal to state1 due to magic bytes  State4: equal to MIC of targeted packet!
How to calculate the magic bytes?  Method suggested in unpublished paper  Essentially a birthday attack  Has been verified, indeed works Theoretical analysis:  Was done very informal & contained errors  Done correctly using probability theory
 The prefix attack can be used to decrypt the targeted packet. Unpublished paper:  Suggested the prefix to be a ping request  Reply will echo the data = targeted packet  Flaw: ping request contains checksum  As the targeted packet is unknown, we cannot calculate the checksum, packet will be dropped
 The prefix attack can be used to decrypt the targeted packet. Solution:  Prefix is UDP packet to closed port  UDP doesn’t require a checksum  Assuming port is closed, host will reply with ICMP unreachable containing the UDP packet  Make it reply to external ip 
In practice:  Capture a packet from AP to client  Send the prefix using fragmentation  Send the targeted packet  Reply of client contains complete packet  Assumes client isn’t running a firewall  Rudimantary PoC is working
 Correct theoretical analysis  Using clear assumptions & probability theory  Verified by practical experiments!  Working decryption attack:  Their suggestion contained an essential flaw  Different technique based on UDP packets  Rudimentairy proof of concept is working (WIP)
 Highly efficient Denial of Service  Very reliable PoC  Fragmentation to launch actual attacks  Verified that fragmentation works  Reliable PoC portscan attack  MIC reset to decrypt AP to client packets  Correct theoretical analysis  UDP technique  PoC is work in progress
Informal Presentation on WPA-TKIP

Empfohlen

Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IPSukh Sandhu
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 

Empfohlen

Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IPSukh Sandhu
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Viren Rao
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hackingphanleson
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeleyjoebeone
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
 
UCL
UCLUCL
UCLJanak Chandarana
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacksprimeteacher32
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Test
TestTest
Testsinha.mrinal
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksJaeYeoul Ahn
 
DDOS
DDOSDDOS
DDOSMaulik Kotak
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation TechniquesIntruGuard
 
Best!
Best!Best!
Best!gofortution
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksAbhijeet Awade
 
802.11i
802.11i802.11i
802.11iakruthi k
 
KRACK attack
KRACK attackKRACK attack
KRACK attackVadimDavydov3
 

Weitere ähnliche Inhalte

Was ist angesagt?

Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Viren Rao
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hackingphanleson
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeleyjoebeone
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksJaeYeoul Ahn
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation TechniquesIntruGuard
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksAbhijeet Awade
 

Was ist angesagt? (20)

Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeley
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT Devices
 
UCL
UCLUCL
UCL
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Test
TestTest
Test
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacks
 
DDOS
DDOSDDOS
DDOS
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
 
Best!
Best!Best!
Best!
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor Networks
 

Ähnlich wie Informal Presentation on WPA-TKIP

Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacksHuda Seyam
 
Caffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconCaffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconMd Sohail Ahmad
 
4 wifi security
4 wifi security4 wifi security
4 wifi securityal-sari7
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmourSec Armour
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfYuChianWu
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_kRama Krishna M
 
Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
Reliable data transfer CN - prashant odhavani- 160920107003
Reliable data transfer CN - prashant odhavani- 160920107003Reliable data transfer CN - prashant odhavani- 160920107003
Reliable data transfer CN - prashant odhavani- 160920107003Prashant odhavani
 

Ähnlich wie Informal Presentation on WPA-TKIP (20)

802.11i
802.11i802.11i
802.11i
 
KRACK attack
KRACK attackKRACK attack
KRACK attack
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
WPA2
WPA2WPA2
WPA2
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
 
spins
spinsspins
spins
 
Caffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconCaffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In Toorcon
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_k
 
Cys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat BriefingCys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat Briefing
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
 
Reliable data transfer CN - prashant odhavani- 160920107003
Reliable data transfer CN - prashant odhavani- 160920107003Reliable data transfer CN - prashant odhavani- 160920107003
Reliable data transfer CN - prashant odhavani- 160920107003
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 

Kürzlich hochgeladen

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Kürzlich hochgeladen (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Informal Presentation on WPA-TKIP

  • 2. Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
  • 3. We will cover:  Connecting  Sending & receiving packets  Quality of Service (QoS) extension Design Constraints:  Must run on legacy hardware  Uses (hardware) WEP encapsulation
  • 4. Defined by EAPOL and results in a session key  What people normally capture & crack
  • 5. Result of handshake is 512 bit session key  Renewed after rekeying timeout (1 hour) EAPOL protection DataEncr MIC1 MIC2  DataEncr key: used to encrypt packets  MIC keys (Message Integrity Code):  Verify integrity of data. But why two?
  • 6. WPA-TKIP designed for old hardware  Couldn’t use strong integrity checks (CCMP)  New algorithm called Michael was created  Weakness: plaintext + MIC reveals MIC key  To improve security two MIC keys are used  MIC1 for AP to client communication  MIC2 for client to AP communication
  • 7. TSC Data MIC CRC Encrypted  Calculate MIC to assure integrity  WEP Encapsulation:  Calculate CRC  Encrypt the packet using RC4  Add replay counter (TSC) to avoid replays
  • 8. TSC Data MIC CRC Encrypted  WEP decapsulation:  Verify TSC to prevent replays  Decrypt packet using RC4  Verify CRC  Verify MIC to assure authenticity
  • 9. Replay counter & CRC are good, but MIC not  Transmission error unlikely  Network may be under attack! Defense mechanism on MIC failure:  Client sends MIC failure report to AP  AP silently logs failure  Two failures in 1 min: network down for 1 min
  • 10. Defines several QoS channels  Implemented by new field in 802.11 header QoS TSC Data MIC CRC unencrypted Encrypted  Individual replay counter (TSC) per channel  Used to pass replay counter check of receiver!
  • 11. Channel TSC 0: Best Effort 4000 1: Background 0 2: Video 0 3: Voice 0  Support for up to 8 channels  But WiFi certification only requires 4
  • 12. Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
  • 13. Martin Beck: TU-Dresden, Germany  Erik Tews: TU-Darmstadt, Germany  First known attack on TKIP, requires QoS  Decrypts ARP reply sent from AP to client  MIC key for AP to client  Takes at least 8 minutes to execute
  • 14. QoS TSC Data MIC CRC QoS TSC Data MIC’ CRC'  Remove last byte  CRC can be corrected if last byte is known  Try all 256 values & send using diff. priority  On correct guess: MIC failure report
  • 15. Takes 12 minutes to execute  Limited impact: injection of 3-7 small packets
  • 16. An improved attack on TKIP  2009/11: targets DHCP Ack packet  Cryptanalysis for RC4 and Breaking WPA-TKIP  2011/11: Removes QoS requirement  Falsification Attacks against WPA-TKIP in a realistic environment  2012/02: Reduces execution time to 8 minutes
  • 17. Unpublished (Martin Beck, 2010)  Suggests fragmentation attack  Not implemented, unrealistic usage example  MIC Reset Attack  Implemented, but PoC not available  Incorrect theoretical analysis  Suggests a decryption attack  Not implemented & contains essential flaw
  • 18. Papers about Denial of Service (DoS) attacks:  802.11 DoS attack: real vulnerabilities and practical solutions  2003: Not specific to TKIP, but WiFi in general  A study of the TKIP cryptographic DoS attack  2007: Requires man-in-the-middle position
  • 19. Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
  • 20. MIC = Michael(MAC dest, MAC source, MIC key, priority, data)  Rc4key = MixKey(MAC transmitter, key, TSC)
  • 21. Key observations:  Individual replay counter per priority  Priority influences MIC but not encryption key  Two MIC failures: network down  What happens when the priority is changed?
  • 22. Capture packet, change priority, replay On Reception :  Verify replay counter  Decrypt packet using RC4  Verify CRC (leftover from WEP)  Verify MIC to assure authenticity
  • 23. Capture packet, change priority, replay On Reception :  Verify replay counter OK  Decrypt packet using RC4 OK  Verify CRC (leftover from WEP) OK  Verify MIC to assure authenticity FAIL  Do this twice: Denial of Service
  • 24. Disadvantage: attack fails if QoS is disabled  Cryptanalysis for RC4 and breaking WPA:  Capture packet, add QoS header, change priority, replay On Reception:  Doesn’t check whether QoS is actually used  Again bypass replay counter check  MIC still dependent on priority
  • 25. Example: network with 20 connected clients  Old deauthentication attack:  Must continuously sends packets  Say 10 deauths per client per second  (10 * 60) * 20 = 12 000 frames per minute  New attack  2 frames per minute
  • 26. Specifically exploits flaws in WPA-TKIP  Takes down network for 1 minute yet requires no man-in-the-middle position  Requires sending only two packets to take down the network for 1 minute
  • 27. Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
  • 28. What is needed to inject packets:  MIC key  Result of Beck & Tews attack  Unused replay counter  Inject packet on unused QoS channel  Keystream corresponding to replay counter  Beck & Tews results in only one keystream…  How can we get more? First need to know RC4!
  • 29. Stream cipher  XOR-based This means: Ciphertext Plaintext Keystream  Predicting the plaintext gives the keystream
  • 30. Simplified:  All data packets start with LLC header  Different for APR, IP and EAPOL packets  Detect ARP & EAPOL based on length  Everything else: IP  Practice: almost no incorrect guesses!  Gives us 12 bytes keystream for each packet
  • 31. But is 12 bytes enough to send a packet?  No, MIC & CRC alone are 12 bytes. If only we could somehow combine them…  Using 802.11 fragmentation we can combine 16 keystreams to send one large packet
  • 32. Data MIC Data1 Data2 Data16 MIC TSC1 Data1 CRC1 TSC16 Data16 MIC CRC16  MIC calculated over complete packet  Each fragment has CRC and different TSC  12 bytes/keystream: inject 120 bytes of data
  • 33. Beck & Tews attack: MIC key AP to client  Predict packets & get keystreams  Combine short keystreams by fragmentation  Send over unused QoS channel What can we do with this?  ARP/DNS Poisoning  Sending TCP SYN packets: port scan!
  • 34. A few notes:  Scan 500 most popular ports  Detect SYN/ACK based on length  Avoid multiple SYN/ACK’s: send RST Port scan of internal client:  Normally not possible  We are bypassing the network firewall / NAT!
  • 35. Fragmentation attack implemented!  Slightly improved & verified prediction of packets  Verified usage of 802.11 fragmentation  Realistic example: portscan
  • 36. Introduction:  WPA-TKIP Protocol  Existing Attacks New Attacks:  Denial of Service  Fragmentation Attack  MIC Reset Attack
  • 37. Assume we know the MIC key  We know the initial MIC state for packets Attack idea:  Construct a packet, so that after processing it, the state is equal to the inital state.  We can then append a random packet to it, knowing that its MIC value is valid.
  • 38. Targeted packet Prefix Magic Data MIC State1  State1: initial state of every packet
  • 39. Targeted packet Prefix Magic Data MIC State2  State1: initial state of every packet  State2: state after processing prefix
  • 40. Targeted packet Prefix Magic Data MIC State3  State1: initial state of every packet  State2: state after processing prefix  State3: equal to state1 due to magic bytes
  • 41. Targeted packet Prefix Magic Data MIC State4  State1: initial state of every packet  State2: state after processing prefix  State3: equal to state1 due to magic bytes  State4: equal to MIC of targeted packet!
  • 42. How to calculate the magic bytes?  Method suggested in unpublished paper  Essentially a birthday attack  Has been verified, indeed works Theoretical analysis:  Was done very informal & contained errors  Done correctly using probability theory
  • 43. The prefix attack can be used to decrypt the targeted packet. Unpublished paper:  Suggested the prefix to be a ping request  Reply will echo the data = targeted packet  Flaw: ping request contains checksum  As the targeted packet is unknown, we cannot calculate the checksum, packet will be dropped
  • 44. The prefix attack can be used to decrypt the targeted packet. Solution:  Prefix is UDP packet to closed port  UDP doesn’t require a checksum  Assuming port is closed, host will reply with ICMP unreachable containing the UDP packet  Make it reply to external ip 
  • 45. In practice:  Capture a packet from AP to client  Send the prefix using fragmentation  Send the targeted packet  Reply of client contains complete packet  Assumes client isn’t running a firewall  Rudimantary PoC is working
  • 46. Correct theoretical analysis  Using clear assumptions & probability theory  Verified by practical experiments!  Working decryption attack:  Their suggestion contained an essential flaw  Different technique based on UDP packets  Rudimentairy proof of concept is working (WIP)
  • 47. Highly efficient Denial of Service  Very reliable PoC  Fragmentation to launch actual attacks  Verified that fragmentation works  Reliable PoC portscan attack  MIC reset to decrypt AP to client packets  Correct theoretical analysis  UDP technique  PoC is work in progress