Page 1

Sicurezza delle Reti Esercitazione

27-03-2012

[email protected]

Page 2

One-Time Pad

• Remember One-Time Pad?

M → E(M, K) → CT → D(CT, K) → M   (the same K on both sides)

$E(M, K) = M \oplus K = CT$
$D(CT, K) = CT \oplus K = ?$
$D(CT, K) = D(M \oplus K, K) = M \oplus K \oplus K = M$

Sicurezza delle Reti - Esercitazione

Page 3

One-Time Pad: Bad News

• Fast encryption/decryption (XOR)
• Perfect secrecy ⇒ $|K| \geq |M|$
  • K and M have the same length
  • Hard to use in practice!
• Idea:
  • Split M into N chunks of K's length ⇒ $\{M_0, M_1, \ldots, M_N\}$
  • $CT_0 = M_0 \oplus K$, $CT_1 = M_1 \oplus K$, …
  • But…
  • $CT_0 \oplus CT_1 = ??$ ⇒ $CT_0 \oplus CT_1 = M_0 \oplus M_1$
• Use a random key K only once!

Page 4

Idea: Stream Cipher

• Replace the "random key" by a pseudo-random key
• Use a Pseudo-Random Generator (PRG)
  • Takes a truly random key
  • Expands the key into a "random-looking" sequence

$PRG: \{0,1\}^s \to \{0,1\}^n, \quad n \gg s$

K: 128-bit ⇒ PRG(K): $10^6$-bit

M → E(M, PRG(K)) → CT → D(CT, PRG(K)) → M
(figure: a 128-bit K expanded by the PRG into a 2048-bit keystream on each side)

Page 5

One-time key-stream?

• Same issue as the One-Time Pad
  • $CT_0 \oplus CT_1 = (M_0 \oplus K) \oplus (M_1 \oplus K) = M_0 \oplus M_1$
  • If one message is known ⇒ the other is known
  • Limited entropy
  • Context information
• Use the pseudo-random PRG(K) only once!
• Refresh the seed value using a "nonce": $K_i = PRG(nonce \| K)$
• Secure if:
  • Unique "nonce"
  • Unpredictable PRG: $PRG(X)|_{0,\ldots,i} \nRightarrow PRG(X)|_{i+1,\ldots,n}$
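The keystream-reuse problem of pages 3 to 5 and the nonce fix, as an added Python example that is not part of the slides. It uses SHA-256 in counter mode as a stand-in PRG (an assumption: WEP's PRG is RC4, which does not matter for the XOR algebra shown), constructed sample messages and key, and a `Sender` class that derives every keystream from a fresh counter nonce so that no seed is ever reused.

```python
import hashlib


def prg(seed: bytes, n: int) -> bytes:
    """Stand-in PRG: SHA-256 in counter mode (assumption: an illustrative
    generator, not WEP's RC4). Expands a short seed into n keystream bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    """Stream-cipher encryption: CT = M xor PRG(nonce || K)."""
    return xor(m, prg(nonce + key, len(m)))


def two_time_pad_leak(ct0: bytes, ct1: bytes) -> bytes:
    """If both ciphertexts used the same keystream, CT0 xor CT1 = M0 xor M1."""
    return xor(ct0, ct1)


def recover_keystream(ct: bytes, known_m: bytes) -> bytes:
    """Known plaintext: (M xor keystream) xor M = keystream."""
    return xor(ct, known_m)


class Sender:
    """Sender that never reuses a seed: a 64-bit counter nonce per message."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, m: bytes):
        nonce = self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce, encrypt(self.key, nonce, m)


# Constructed sample data (not from the slides).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
M0 = b"transfer 100 EUR"
M1 = b"transfer 900 EUR"


def keystream_reuse_demo() -> dict:
    """Same nonce twice: an eavesdropper who knows M0 recovers M1 without K."""
    nonce = b"\x00" * 8
    ct0 = encrypt(KEY, nonce, M0)
    ct1 = encrypt(KEY, nonce, M1)
    leak = two_time_pad_leak(ct0, ct1)       # equals M0 xor M1
    ks = recover_keystream(ct0, M0)          # keystream from the known M0
    return {"leak_equals_m0_xor_m1": leak == xor(M0, M1),
            "m1_recovered": xor(ct1, ks)}


def fresh_nonce_demo() -> dict:
    """Distinct nonces: the keystream learned from message 0 is useless for message 1."""
    sender = Sender(KEY)
    n0, ct0 = sender.send(M0)
    n1, ct1 = sender.send(M1)
    ks0 = recover_keystream(ct0, M0)
    return {"nonces_differ": n0 != n1,
            "m1_recovered": xor(ct1, ks0)}


if __name__ == "__main__":
    print(keystream_reuse_demo())
    print(fresh_nonce_demo())
```

The first demo is the slide's $CT_0 \oplus CT_1 = M_0 \oplus M_1$ carried through to an actual recovery of $M_1$; the second shows that the same known-plaintext step yields garbage once the sender refreshes the seed per message, which is the "unique nonce" condition on this slide.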

Page 6

WEP: Wired Equivalent Protocol

• Special purpose for 802.11b
• Intended to make wireless as secure as wired…
• Intended to provide:
  • Authentication
  • Integrity
  • Confidentiality
• What is wrong in a protocol that uses:
  • RC4 as PRG function
  • 40-bit key as seed
  • 24-bit nonce for freshness

Page 7

WEP: Protocol

1. <IV || K> used as RC4 seed… MUST never be repeated (why?)
   • K is a shared key ⇒ security depends on the IV cycle
2. CRC-32 checksum is linear in XOR (then?)
3. IV generation algorithm is implementation dependent (then?)

Page 8

WEP: Changing IV

• A stream cipher must be synchronized on both sides
  • Not suitable for lossy channels
• WEP solution:
  • Refresh the IV for each frame
  • Can decrypt even if the previous packet was lost
  • Send the IV in cleartext
  • Not an issue if it never repeats: keystream = PRG(IV || K) ⇒ K unknown

Page 9

WEP: Changing IV

• WEP standard does not specify the IV's generation algorithm
  • Left to implementation!
  • NEVER do this with security issues
• We can choose:
  • Incremental generation ⇒ $r_i = r_{i-1} + 1$
    • Only 24-bit IV ⇒ ONLY $2^{24}$ cycles ≈ 17M frames
    • Assuming 1500-byte frames at 7 Mbps
    • IV re-cycle after… less than 8h!
  • Random generation
    • Birthday paradox
    • $P(IV_n = IV_{n-t}) > 50\%$ after… $2^{12} \approx 4000$ frames
  • On some 802.11 cards
    • IV reset after power cycle
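The IV-space arithmetic of this slide, as an added Python example that is not part of the slides: the time an incrementing 24-bit IV takes to wrap at 1500-byte frames and 7 Mbps, the exact birthday probability of a collision among randomly drawn IVs, and a seeded simulation of random IV generation. The frame size and bit rate are the slide's figures; the seed is a constructed value. Computed exactly, the 50% crossover for random IVs falls near 4800 frames, somewhat above the slide's rough $2^{12}$; the conclusion that a 24-bit IV space is far too small is unchanged.

```python
import random


def iv_exhaustion_seconds(iv_bits: int = 24, frame_bytes: int = 1500,
                          bits_per_second: int = 7_000_000) -> float:
    """Seconds until an incrementing IV wraps: 2^iv_bits frames, one IV each.
    Defaults are the slide's assumptions (1500-byte frames, 7 Mbps)."""
    frames = 2 ** iv_bits
    return frames * frame_bytes * 8 / bits_per_second


def iv_collision_probability(iv_bits: int, frames: int) -> float:
    """Exact birthday probability that at least two of `frames` uniformly
    random IVs coincide, for an IV space of 2^iv_bits values."""
    space = 2 ** iv_bits
    p_no_collision = 1.0
    for i in range(frames):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def frames_until_collision_probability(iv_bits: int, target: float = 0.5) -> int:
    """Smallest number of frames after which the collision probability reaches target."""
    space = 2 ** iv_bits
    p_no_collision = 1.0
    frames = 0
    while 1.0 - p_no_collision < target:
        # after this step p_no_collision covers `frames + 1` drawn IVs
        p_no_collision *= (space - frames) / space
        frames += 1
    return frames


def first_repeated_random_iv(iv_bits: int, seed: int) -> int:
    """Simulate random IV generation with a seeded RNG (constructed seed) and
    return the frame index at which the first repeated IV appears."""
    rng = random.Random(seed)
    seen = set()
    index = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return index
        seen.add(iv)
        index += 1


if __name__ == "__main__":
    print("incremental IV wraps after %.2f hours" % (iv_exhaustion_seconds() / 3600))
    print("P(collision) after 2^12 random IVs: %.3f" % iv_collision_probability(24, 4096))
    print("frames for P(collision) >= 50%%: %d" % frames_until_collision_probability(24))
    print("first repeat in a seeded simulation: frame %d" % first_repeated_random_iv(24, 1))
```

The same functions with `iv_bits=48` give the WPA/TKIP figures mentioned later in the deck, which is the quickest way to see why the longer IV mattered.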

Page 10

WEP: Attacks

• Passive attack
  • Create a dictionary: $\{IV, RC4(IV \| K)\}$
  • Use known messages to recover the keystream:
    $[M \oplus RC4(IV \| K)] \oplus M = RC4(IV \| K)$
  • Known messages?
    • Send an e-mail with a large known attachment
    • Authentication can help you!
  • Wait for the IV to repeat: $[M' \oplus RC4(IV \| K)] \oplus RC4(IV \| K) = M'$
• Idea:
  • We can use a longer key K (e.g. > 40 bit)
  • IV still 24 bits ⇒ Same attack time!!

Page 11

WEP: Authentication

• Authentication based on Challenge Handshake
• User must prove knowledge of K
• Encrypt the challenge using a symmetric cipher

AP → User: Challenge
User → AP: $ENC_K(Challenge)$

Page 12

WEP: Authentication

• Authentication based on Challenge Handshake
• User must prove knowledge of K
• Encrypt the challenge using a symmetric cipher
• Same key RC4(IV || K) as frame encryption

AP → User: Challenge
User → AP: $IV, \; Challenge \oplus RC4(IV \| K)$

Page 13

WEP: Authentication

• Rogue Access Point
  • Sends multiple challenges to the user
  • Retrieves multiple $(IV_n, RC4(IV_n \| K))$ pairs
  • Reuses the recovered pairs on the authenticator

Rogue AP → User: Challenge $C_n$
User → Rogue AP: $IV_n, \; C_n \oplus RC4(IV_n \| K)$

Page 14

WEP: Authentication

• No need to know the key
  • AP sends challenge C
  • Attacker chooses $IV_x$ from the dictionary
  • Can compute $C \oplus RC4(IV_x \| K)$
  • Authentication successful!

AP → Attacker: Challenge $C$
Attacker → AP: $IV_x, \; C \oplus RC4(IV_x \| K)$

Page 15

WEP: Authentication

• If no active attack is possible
• If no IV is available
  • Just eavesdrop ONE authentication
  • Attacker can recover a valid $(IV, RC4(IV \| K))$ pair

AP → User: Challenge $C$
User → AP: $IV_x, \; C \oplus RC4(IV_x \| K)$

Page 16

Example: Bit Flipping

"Bob" ⊕ PRG(K)  →  (flip ΔM)  →  "Eve" ⊕ PRG(K)

M  = "Bob" = 42 6F 62
M' = "Eve" = 45 76 65
ΔM = M ⊕ M' = 07 19 07

Page 17

WEP: Integrity

• Useless encryption, what about integrity?
• CRC-32 of the message as Integrity Check Value
• CRC-32 is NOT a hash function!
  • Linear function: $CRC32(X \oplus Y) = CRC32(X) \oplus CRC32(Y)$
• USE crypto algorithms to verify integrity!
• Avoid message authentication!
• Consequences:
  • Message modification (bit flipping)!
  • Message injection!

Page 18

WEP: Message modification

• Simple operations to switch M to M'
• No need to know the keystream
• Compute the flipped bits: $CT' = CT \oplus (\Delta M \| CRC(\Delta M))$
• CT' is an encrypted message with a valid ICV!

$CT = (M \| CRC(M)) \oplus RC4(IV \| K)$
$CT' = (M' \| CRC(M')) \oplus RC4(IV \| K)$

Sicurezza delle Reti - Esercitazione
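The bit-flipping of page 16 and the ICV algebra of pages 17 and 18, as an added Python example; it is not code from the slides. RC4 is implemented from the standard KSA/PRGA description, the key, IV and MAC key are constructed values, and the 4-byte big-endian ICV encoding is an assumption. It goes beyond the slides in two respects: the standard CRC-32 used by zlib (and by WEP) has an initial value and a final XOR, so it is affine rather than strictly linear, and the correction term needs an extra $CRC(0^n)$ on top of the slide's $CRC(\Delta M)$; and the same frame is shown protected by a keyed MAC (HMAC-SHA256 over IV || M, a hypothetical replacement that is not part of WEP), which rejects the identical flip, which is what page 17's "USE crypto algorithms to verify integrity" means in practice.

```python
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling + PRGA; WEP seeds it with IV || K."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def icv(m: bytes) -> bytes:
    """CRC-32 Integrity Check Value (4 bytes; big-endian order is an assumption)."""
    return zlib.crc32(m).to_bytes(4, "big")


def wep_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    """CT = (M || CRC(M)) xor RC4(IV || K)."""
    body = m + icv(m)
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, iv: bytes, ct: bytes):
    """Return (M, icv_ok); a WEP receiver accepts the frame when icv_ok is True."""
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    m, tag = body[:-4], body[-4:]
    return m, tag == icv(m)


def crc_delta(delta_m: bytes) -> bytes:
    """ICV correction for a plaintext change delta_m, computed without M or K.
    Standard CRC-32 (init 0xFFFFFFFF, final XOR) is affine, not purely linear:
    CRC(M xor D) = CRC(M) xor CRC(D) xor CRC(0^n), hence the zero-string term."""
    return xor(icv(delta_m), icv(bytes(len(delta_m))))


def flip_frame(ct: bytes, delta_m: bytes) -> bytes:
    """CT' = CT xor (delta_m || crc_delta): decrypts to M xor delta_m with a
    valid ICV. delta_m must cover the whole message part of the frame."""
    return xor(ct, delta_m + crc_delta(delta_m))


# --- the same frame protected by a keyed MAC instead of a CRC (hypothetical) ---

def mac_encrypt(key: bytes, mac_key: bytes, iv: bytes, m: bytes) -> bytes:
    """CT = (M || HMAC(mac_key, IV || M)) xor RC4(IV || K)."""
    body = m + hmac.new(mac_key, iv + m, hashlib.sha256).digest()
    return xor(body, rc4_keystream(iv + key, len(body)))


def mac_decrypt(key: bytes, mac_key: bytes, iv: bytes, ct: bytes):
    """Return (M, mac_ok); the receiver drops the frame when mac_ok is False."""
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    m, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, iv + m, hashlib.sha256).digest()
    return m, hmac.compare_digest(tag, expected)


# Constructed sample values (not from the slides, apart from the Bob/Eve message).
KEY = bytes.fromhex("0102030405")                         # 40-bit WEP key
MAC_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
IV = bytes.fromhex("0a0b0c")                              # 24-bit IV
DELTA = xor(b"Bob", b"Eve")                               # 07 19 07, as on page 16


def crc_demo():
    """CRC-protected frame: the flipped frame decrypts to 'Eve' with a valid ICV."""
    ct = wep_encrypt(KEY, IV, b"Bob")
    return wep_decrypt(KEY, IV, flip_frame(ct, DELTA))


def mac_demo():
    """MAC-protected frame: the same three-byte flip is detected and rejected."""
    ct = mac_encrypt(KEY, MAC_KEY, IV, b"Bob")
    forged = xor(ct, DELTA + bytes(32))     # flip the message bytes, leave the tag
    return mac_decrypt(KEY, MAC_KEY, IV, forged)


if __name__ == "__main__":
    print(crc_demo())   # (b'Eve', True)
    print(mac_demo())   # (b'Eve', False)
```

The keyed MAC is only the contrast the slide asks for; a current design would use an AEAD mode (as WPA2's CCMP does) rather than a stream cipher with a separate MAC.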

Page 19

WEP: Message injection

• Attacker knows how to recover $(IV, RC4(IV \| K))$
• Attacker can inject a message $M'$
  • Authenticate $M'$ by computing CRC32($M'$)
  • Encrypt the message and send the frame

Injected frame: $IV, \; (M' \| CRC(M')) \oplus RC4(IV \| K)$

Page 20

WEP Teaching

• Making use of a good cipher is not enough:
  • YOU MUST design good protocols
  • YOU MUST make good usage of ciphers
• The best protocol with the best cipher could be the worst solution!
• YOU MUST avoid confusion
  e.g. Integrity is not Authentication

Page 21

Could it get even worse?

• Is it possible to recover the key K? Yes!
• Cryptanalytic attacks on RC4:
  1. Fluhrer, Mantin and Shamir (show weakness)
     • There are some "weak" IVs correlated to the keystream
       - With 5% probability, a byte in the keystream is equal to a byte in the key
       - 4-6 million packets ⇒ 50% probability to recover K
  2. Stubblefield, Ioannidis, Rubin (use weakness)
     • Focus on discovery of the first bit of the keystream
       - 802.11 uses SNAP LLC encapsulation ⇒ 1st byte known (0xAA)
       - Attack time linear with key size
  3. Others…

Page 22

802.11 aftermath

• Optimized WEP attacks ⇒ WEP DEATH!
• WPA: a temporary solution (2003)
  • Based on Temporal Key Integrity Protocol (TKIP)
  • Maintains hardware compatibility
  • Longer IVs (48 bit)
  • IV protection ⇒ IV in RC4 differs from IV in plaintext
  • Ephemeral derivation of key K ⇒ time-changing
• WPA-2: a definitive solution (2004)
  • Similar to WPA but:
  • Based on newer AES encryption ⇒ needs new hardware
  • Support for server authentication

Page 23

http://aircrack-ng.org/

Page 24

Aircrack-ng

• Open-source suite providing:
  • Packet sniffer: airodump-ng
  • Password cracker: aircrack-ng
  • Packet injection tool: aireplay-ng
  • Others…
• Many key recovery attacks:
  • Pyshkin, Tews and Weinmann (PTW)
    • Only 35-40k packets for a 128-bit key
  • Fluhrer, Mantin and Shamir
  • Brute-force attack (also on WPA/WPA-2 handshake)

Page 25

Aircrack-ng: Setup

• Need to switch the wireless card to Monitor Mode
  • Different from Promiscuous Mode: no need to be associated
• Only supported wireless cards
  • Atheros, Linksys, …
  • Need to install proper drivers
  • Need to patch proper firmware

Now you can sniff all packets over the wireless channel!

Page 26

Aircrack-ng: airmon

• airmon-ng start <wireless_id> (e.g. wlan0)

• service network-manager stop (kill NM service)

Page 27

Aircrack-ng: airmon

• Check wireless interfaces: iwconfig

• wlan0: physical interface

• mon0: virtual interface

Page 28

Aircrack-ng: airodump

• Let's see the list of available networks: airodump-ng mon0

(screenshot: the upper table lists the networks, the lower table lists the clients)

Page 29

Aircrack-ng: airodump

• Airodump is the sniffing tool
  • Can be used to see the list of available networks
  • Can be used to sniff and save the trace of a network
1. Choose the target WEP network: 76:6A:89:54:4A:A4
   • At least one client connected
   • More sniffed traffic: less crack time
2. Filter the network's flow: --bssid <network_bssid>
3. Save the packet trace: -w <file.pcap>

Page 30

Aircrack-ng: airodump

• Start target sniffing:

airodump-ng -w wep --bssid 76:6A:89:54:4A:A4 mon0

(screenshot: the #Data counter; increase that!)

Page 31

Aircrack-ng: airodump

• Wait until #Data reaches a reasonable value
  • Small passphrase ≈ 10k
  • Long passphrase ≈ 40k

(screenshot caption: Enough?)

Page 32

Aircrack-ng: aircrack

• The traffic trace is stored in the .pcap file wep-01.pcap
• Start the aircrack tool to retrieve the passphrase:

aircrack-ng wep-01.pcap

Page 33

Aircrack-ng: need traffic

• If there is not enough traffic in the network
  • Injection of packets in the network: aireplay-ng
    1. Replay of sniffed ARP packets
    2. Force disassociation of clients
       • Sniff reassociation packets
• To perform packet injection
  • You need to present yourself to the AP as an authenticated client
  • aireplay-ng + macchanger

Page 34

What about WPA?

• No efficient methods to crack WPA/WPA-2
  • Only brute-force attack on the keystream
    1. Sniff the 4-way handshake
    2. Start the brute-force attack on the WPA key
  • Complexity depends on password complexity
• Think of some default passwords of some vendors
  • S = f(MAC): very weak
  • Useless WPA protection…