wpa/wpa2 & gpu cracking
DESCRIPTION
WPA security info + gpu cracking
TRANSCRIPT
-
WPA / WPA2 & GPU attack
Héctor Julio
INFO-F514 - Protocols, cryptanalysis and mathematical cryptology ULB
-
WHAT IS WPA?
Security protocol
Authentication
Encryption
-
WEP / WPA / WPA2
| | WEP | WPA | WPA2 |
| ENCRYPTION | RC4 | RC4 (TKIP) | AES |
| KEY ROTATION | NONE | Dynamic session keys | Dynamic session keys |
| KEY DISTRIBUTION | Manually typed into each device | Manually/Automatic distribution | Manually/Automatic distribution |
| AUTHENTICATION | WEP Key | 802.1X | 802.1X |
-
RC4
RC4 is deprecated (but is not considered totally broken)
-
RC4
WEP: concatenates root key + IV
TKIP: implements key mixing function before RC4
-
TKIP
MIC: Message Integrity Check
MSDU: MAC service data unit
-
IS WPA VULNERABLE?
2 kinds of vulnerabilities:
Read the data (decrypt the packets)
Get the authentication key - PSK (domestic networks)
-
IS WPA VULNERABLE?
Decrypting packets
You need the PSK in order to decrypt packets
You can choose strong protocols
You can use WPA2 with AES
-
IS WPA VULNERABLE?
Getting the PSK
The handshake is the most critical point, because that is where the PSK is used
If you have the 4-way handshake you can brute-force the PSK
It doesn't mean that WPA/WPA2 is broken
-
4 WAY HANDSHAKE
PMK = PSK + SSID + SSID length
-
Combinations (Always use symbols!)
| Available Characters Using The English Language | Possible Passwords, Two Characters | Possible Passwords, Four Characters | Possible Passwords, Six Characters |
| Lower-case | 676 | 456.976 | 308.915.776 |
| Lower- and Upper-case | 2.704 | 7.311.616 | 19.770.609.664 |
| Lower-case, Upper-case, and Numbers | 3.844 | 14.776.336 | 56.800.235.584 |
| All (Printable) ASCII Characters | 8.836 | 78.074.896 | 689.869.781.056 |
-
Total search time assuming 5000 WPA Passwords/Second
(Intel i5-2500K w/ 4 cores, 3.3 GHz)
| SEARCH TIME | Passwords Between 1 and 4 Characters | Passwords Between 1 and 6 Characters | Passwords Between 1 and 8 Characters | Passwords Between 1 and 12 Characters |
| Numbers | Instant | 4 minutes | 6.5 hours | 7.5 years |
| Lower-case | 2 minutes | 18 hours | 1.5 years | 662263 years |
| Alphanumeric (including Upper-case) | 52 minutes | 140 days | 1481 years | Age of the universe* |
| All (Printable) ASCII characters | 5 hours | 5 years | 48644 years | Age of the universe* |
* 13 billion years
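The PMK line on the 4-way handshake slide and the search-time table above, as an added example that is not part of the original slides: in WPA/WPA2-PSK the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 256-bit output), and the cost of that derivation is what bounds the passwords-per-second rate. The function names and the sample SSID "HomeNet" are assumptions made for this example; the rates are the two quoted on the slides.

```python
import hashlib
import string

# Character-set sizes as counted on the slides (94 printable ASCII, space excluded).
CHARSETS = {
    "numbers": len(string.digits),
    "lower-case": len(string.ascii_lowercase),
    "alphanumeric": len(string.ascii_letters + string.digits),
    "printable ASCII": len(string.ascii_letters + string.digits + string.punctuation),
}

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate passphrases with min_len..max_len characters."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def exhaust_seconds(charset_size: int, max_len: int, rate: float, min_len: int = 1) -> float:
    """Worst-case time to try every candidate at `rate` PMK derivations per second."""
    return keyspace(charset_size, max_len, min_len) / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    # The SSID is the salt: the same passphrase yields a different PMK per network
    # name, so precomputed PMK tables are only valid for one SSID.
    for ssid in ("IEEE", "HomeNet"):  # constructed sample SSIDs
        print(f"{ssid:8} {wpa_pmk('password', ssid).hex()}")
    # Rates from the slides: 5000/s (CPU) and 1 million/s (EC2 GPU instances).
    # Real WPA passphrases are 8 to 63 characters, so min_len=8 here; the slide
    # tables count from length 1.
    for name, size in CHARSETS.items():
        for rate in (5_000, 1_000_000):
            for max_len in (8, 12):
                t = exhaust_seconds(size, max_len, rate, min_len=8)
                print(f"{name:16} len 8-{max_len:<2} @ {rate:>9,}/s: {humanize(t)}")
```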
-
GPU ATTACKS
Why GPUs?
A GPU has a lot of cores (hundreds).
Each core can compute one 32-bit arithmetic operation per clock cycle.
GPUs work well with extreme parallelism (the same instructions applied to different data), and that is the GPU advantage for hashing.
-
Total search time using GPU (Pyrit in GNU/Linux, WSA in Windows)
| SEARCH TIME | Passwords Between 1 and 6 Characters (Alphanumeric) | Passwords Between 1 and 8 Characters (Alphanumeric) |
| Nvidia GeForce GTX 460 1 GB | 35 days (Pyrit w/ CoWPAtty) | 368.9 years (Pyrit w/ CoWPAtty) |
| Nvidia GeForce GTX 590 | 11.6 days (Pyrit w/ CoWPAtty) | 122.5 years (Pyrit w/ CoWPAtty) |
| 2 x Nvidia GeForce GTX 590 | 6.5 days (WSA) | 68.66 years (WSA) |
| AMD Radeon HD 6850 | 20.4 days (WSA) | 214.75 years (WSA) |
| AMD Radeon HD 6990 | 5.88 days (WSA) | 62.24 years (WSA) |
| 2 x AMD Radeon HD 6990 | 3.08 days (Pyrit w/ CoWPAtty) | 32.97 years (Pyrit w/ CoWPAtty) |
-
GPU CLOUD SERVICES
Amazon Web Services
NIMBIX
Peer1 Hosting
Penguin Computing
RapidSwitch
SoftLayer
-
Time & cost using GPU EC2 Instances (Amazon)
Total time at 1 million WPA Passwords/Second
| | Passwords Between 1 and 4 Characters | Passwords Between 1 and 6 Characters | Passwords Between 1 and 8 Characters | Passwords Between 1 and 12 Characters |
| Numbers | Instant (Estimated Cost: $0.74) | Instant (Estimated Cost: $0.74) | 2 minutes (Estimated Cost: $0.74) | 12.75 days (Estimated Cost: $226) |
| Lower-case | Instant (Estimated Cost: $0.74) | 5 minutes (Estimated Cost: $0.74) | 2.5 days (Estimated Cost: $44.40) | 3147 years |
| Alphanumeric (including Upper-case) | Instant (Estimated Cost: $0.74) | 16 hours (Estimated Cost: $11.84) | 7 years | 103 981 388 years |
| All (Printable) ASCII characters | 2 minutes (Estimated Cost: $0.74) | 9 days (Estimated Cost: $159.84) | 231 years | Age of the universe |
-
CONCLUSIONS
Don't use RC4
WPA is not broken but WPA2 is much better
Use enterprise / RADIUS networks if you can
Use a long PSK with alphanumeric characters (as we saw a few slides ago)
-
SOURCES
On the Security of RC4 in TLS and WPA http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
4 way handshake flow http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-psk_4-way_handshake/flow_wpa-psk_4-way_handshake.png
GPU cloud services http://www.nvidia.com/object/gpu-cloud-computing-services.html
Wi-Fi security WEP, WPA and WPA2 http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf
Wi-Fi Security: Cracking WPA With CPUs, GPUs, And The Cloud http://www.tomshardware.com/reviews/wireless-security-hack,2981-7.html
TKIP https://msdn.microsoft.com/en-us/library/windows/hardware/ff570952%28v=vs.85%29.aspx