Post on 07-Jul-2015
description
Efficient Denial of Service
Forge arbitrary packets to client
Decrypt traffic towards client
1
TKIP: WiFi security protocol
Why study TKIP if a replacement already exist?
2
1999 2002 2004
WEP
Broken
WPA-TKIP
Acceptable
WPA-CCMP (AES)
Secure
Detected 6803 networks 66% support TKIP 19% support only TKIP
3
Need more arguments to kill TKIP!
4
Beck & Tews Attack
>8 mins Key to calculate integrity check
Forge 3 small packets to client
New Attack: Efficient Denial of Service Improve & implement existing ideas to: Forge arbitrary packets Decrypt packets towards client [M. Beck. Enhanced TKIP michael attacks.]
5
1. Add Message Integrity Check (MIC)
2. Encrypt using XOR stream cipher
3. Add Packet ID (#ID) to avoid replays
#ID MIC Data
Encrypted
How are packets sent/received?
6
1. Add Message Integrity Check (MIC)
2. Encrypt using XOR stream cipher
3. Add Packet ID (#ID) to avoid replays
#ID MIC Data
Encrypted
How are packets sent/received?
7
MIC key
Encryption key
8
#ID MIC Data
If decrypted, reveals MIC key.
If ( two MIC failures within a minute )
halt all traffic for 1 minute
Attack: Capture packet, change priority, replay.
9
#ID / prior. MIC Data
Encrypted
Avoids replay detection
Doesn’t affect decryption
Changes expected MIC value
Attack: Capture packet, change priority, replay.
10
#ID / prior. MIC Data
Encrypted Change priority
Avoids replay detection
Doesn’t affect decryption
Changes expected MIC value
Attack: Capture packet, change priority, replay.
11
#ID / prior. MIC Data
Encrypted Change priority
MIC Failure(s) Traffic halted for 1 minute
Beck & Tews attack can forge 3 packets. Injecting more requires new keystreams:
12
Ciphertext Plaintext Keystream
All packets start with LLC header
We predict these with very high accuracy
Capture packets with new #ID’s.
LLC Header is only 12 bytes ….
Combine them using fragmentation!
#ID1 Data1 #ID16 Data16 MIC
Data MIC
Data1 Data16 MIC Data2
12 bytes/fragment: inject 120 bytes of data
Port Scanner:
1. Get MIC key using Beck & Tews attack
2. Inject TCP SYN packets
3. Detect SYN/ACK based on length
Remarks:
High amount of packet injection proven!
Also: DNS poisoning, DHCP spoofing, …
14
AP
Client
1. Sniff packet
2. 15
Attacker
Data MIC Ping req.
Sniffed packet
AP
Client
1. Sniff packet
2. 16
Attacker
Data MIC Ping req.
Sniffed packet
Magic
AP
Client
1. Sniff packet
2.
3. Reply incl. packet
External IP
17
Attacker
Data MIC Ping req.
Sniffed packet
Magic
State1: initial state of every packet
State2: state after processing prefix
State3: equal to state1 due to magic bytes
State4: equal to MIC of sniffed packet!
Data MIC Magic Prefix
Sniffed packet
18
State4 State3 State2 State1
Possible applications? Decrypt web responses:
Web mail
Bank details
…
Decrypt TCP sequence number, hijack
connection and inject malware? 19
Integrity (MIC) not verified when fragmented:
Alfa AWUS036h Belkin F5D7053 Ralink U150BB
20
Attack time reduced from >8 min to zero.
No replay protection:
Alfa AWUS036h Belkin F5D7053 Tomato 1.28 (AP firmware)
21
No need to generate new keystreams!
Always accepts unencrypted packets:
Alfa AWUS036h Belkin F7D1102 Scarlet VDSL (AP of ISP in BE)
22
Game over, you lose!
AP
Client
Your IP!
23 Attacker
TKIP is insecure!
Efficient Denial of Service
Forge any packet towards client
Decrypt traffic towards client
24
25