practical verification of tkip vulnerabilities
DESCRIPTION
Presentation given at Asia CCS on the paper "Practicular Verification of WPA-TKIP Vulnerabilities".TRANSCRIPT
![Page 1: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/1.jpg)
Efficient Denial of Service
Forge arbitrary packets to client
Decrypt traffic towards client
1
TKIP: WiFi security protocol
![Page 2: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/2.jpg)
Why study TKIP if a replacement already exist?
2
1999 2002 2004
WEP
Broken
WPA-TKIP
Acceptable
WPA-CCMP (AES)
Secure
![Page 3: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/3.jpg)
Detected 6803 networks 66% support TKIP 19% support only TKIP
3
Need more arguments to kill TKIP!
![Page 4: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/4.jpg)
4
Beck & Tews Attack
>8 mins Key to calculate integrity check
Forge 3 small packets to client
![Page 5: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/5.jpg)
New Attack: Efficient Denial of Service Improve & implement existing ideas to: Forge arbitrary packets Decrypt packets towards client [M. Beck. Enhanced TKIP michael attacks.]
5
![Page 6: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/6.jpg)
1. Add Message Integrity Check (MIC)
2. Encrypt using XOR stream cipher
3. Add Packet ID (#ID) to avoid replays
#ID MIC Data
Encrypted
How are packets sent/received?
6
![Page 7: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/7.jpg)
1. Add Message Integrity Check (MIC)
2. Encrypt using XOR stream cipher
3. Add Packet ID (#ID) to avoid replays
#ID MIC Data
Encrypted
How are packets sent/received?
7
MIC key
Encryption key
![Page 8: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/8.jpg)
8
#ID MIC Data
If decrypted, reveals MIC key.
If ( two MIC failures within a minute )
halt all traffic for 1 minute
![Page 9: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/9.jpg)
Attack: Capture packet, change priority, replay.
9
#ID / prior. MIC Data
Encrypted
![Page 10: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/10.jpg)
Avoids replay detection
Doesn’t affect decryption
Changes expected MIC value
Attack: Capture packet, change priority, replay.
10
#ID / prior. MIC Data
Encrypted Change priority
![Page 11: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/11.jpg)
Avoids replay detection
Doesn’t affect decryption
Changes expected MIC value
Attack: Capture packet, change priority, replay.
11
#ID / prior. MIC Data
Encrypted Change priority
MIC Failure(s) Traffic halted for 1 minute
![Page 12: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/12.jpg)
Beck & Tews attack can forge 3 packets. Injecting more requires new keystreams:
12
Ciphertext Plaintext Keystream
All packets start with LLC header
We predict these with very high accuracy
Capture packets with new #ID’s.
![Page 13: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/13.jpg)
LLC Header is only 12 bytes ….
Combine them using fragmentation!
#ID1 Data1 #ID16 Data16 MIC
Data MIC
Data1 Data16 MIC Data2
12 bytes/fragment: inject 120 bytes of data
![Page 14: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/14.jpg)
Port Scanner:
1. Get MIC key using Beck & Tews attack
2. Inject TCP SYN packets
3. Detect SYN/ACK based on length
Remarks:
High amount of packet injection proven!
Also: DNS poisoning, DHCP spoofing, …
14
![Page 15: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/15.jpg)
AP
Client
1. Sniff packet
2. 15
Attacker
Data MIC Ping req.
Sniffed packet
![Page 16: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/16.jpg)
AP
Client
1. Sniff packet
2. 16
Attacker
Data MIC Ping req.
Sniffed packet
Magic
![Page 17: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/17.jpg)
AP
Client
1. Sniff packet
2.
3. Reply incl. packet
External IP
17
Attacker
Data MIC Ping req.
Sniffed packet
Magic
![Page 18: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/18.jpg)
State1: initial state of every packet
State2: state after processing prefix
State3: equal to state1 due to magic bytes
State4: equal to MIC of sniffed packet!
Data MIC Magic Prefix
Sniffed packet
18
State4 State3 State2 State1
![Page 19: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/19.jpg)
Possible applications? Decrypt web responses:
Web mail
Bank details
…
Decrypt TCP sequence number, hijack
connection and inject malware? 19
![Page 20: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/20.jpg)
Integrity (MIC) not verified when fragmented:
Alfa AWUS036h Belkin F5D7053 Ralink U150BB
20
Attack time reduced from >8 min to zero.
![Page 21: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/21.jpg)
No replay protection:
Alfa AWUS036h Belkin F5D7053 Tomato 1.28 (AP firmware)
21
No need to generate new keystreams!
![Page 22: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/22.jpg)
Always accepts unencrypted packets:
Alfa AWUS036h Belkin F7D1102 Scarlet VDSL (AP of ISP in BE)
22
Game over, you lose!
![Page 23: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/23.jpg)
AP
Client
Your IP!
23 Attacker
![Page 24: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/24.jpg)
TKIP is insecure!
Efficient Denial of Service
Forge any packet towards client
Decrypt traffic towards client
24
![Page 25: Practical Verification of TKIP Vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022042614/559af1181a28ab6d658b45a1/html5/thumbnails/25.jpg)
25