![Page 1: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/1.jpg)
All Your Biases Belong To Us:
Breaking RC4 in WPA-TKIP and TLS
Mathy Vanhoef and Frank Piessens, KU Leuven
USENIX Security 2015
![Page 2: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/2.jpg)
RC4
2
Intriguingly simple stream cipher
WEP
WPA-TKIPSSL / TLS PPP/MPPE
And others ...
![Page 3: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/3.jpg)
RC4
3
Plaintext CiphertextKeystreamRC4
Key
Intriguingly simple stream cipher
![Page 4: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/4.jpg)
Is RC4 still used?!
4
ICSI Notary: TLS connections using RC4
50%
30%
13%
0%
10%
20%
30%
40%
50%
60%
March 2013 Februari 2015 July 2015
RC4 fallback not taken into account!
![Page 5: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/5.jpg)
RC4 Fallback
5
Client Server
ClientHello: without RC4 Browser first tries without RC4
ServerHello: use AES
![Page 6: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/6.jpg)
Alert: Handshake Failed
RC4 Fallback
6
ClientHello: without RC4 Browser first tries without RC4
If that fails …
Client Server
![Page 7: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/7.jpg)
ClientHello: with RC4
ServerHello: use RC4
RC4 Fallback
7
Client Server
Alert: Handshake Failed
ClientHello: without RC4 Browser first tries without RC4
If that fails …
… fallback to RC4
![Page 8: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/8.jpg)
ClientHello: with RC4
ServerHello: use RC4
RC4 Fallback
8
Client Server
Alert: Handshake Failed
ClientHello: without RC4 Browser first tries without RC4
Forgeable by attacker!
… fallback to RC4
13% estimate is a lower bound
Force connection (which we assumed secure) to use RC4
![Page 9: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/9.jpg)
Our Goal: further kill RC4
9
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
![Page 10: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/10.jpg)
First: Existing Biases
10
Distribution keystream byte 2
Pr 𝒁𝟐 = 𝟎 =𝟐
𝟐𝟓𝟔[MS01]
![Page 11: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/11.jpg)
First: Existing Biases
11
Distribution keystream byte 1 (to 256)
![Page 12: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/12.jpg)
First: Existing Biases
12
Distribution keystream byte 1 (to 256)
AlFardan et al. ‘13:
first 256 bytes biased
Short-term biases
![Page 13: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/13.jpg)
Long-Term Biases
13
A B S A B
Fluhrer-McGrew (2000):
Some consecutive values are biased
Examples: 0, 0 and (0, 1)
Mantin’s ABSAB Bias (2005):
A byte pair (𝐴, 𝐵) likely reappears
![Page 14: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/14.jpg)
Fluhrer-McGrew: only 8 out
of 65 536 pairs are biased
Search for new biases
14
Traditional emperical approach:
Generate large amount of keystreams
Manually inspect data or graph
How to automate
the search?
![Page 15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/15.jpg)
Search for new biases
15
Hypothesis tests!
Uniformly distributed: Chi-squared test.
Correlated: M-test (detect outliers = biases)
Traditional emperical approach:
Generate large amount of keystreams
Manually inspect data or graph
Allows a large-scale search, revealing many new biases
![Page 16: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/16.jpg)
Biases in Bytes 258-513
16
Example: keystream byte 258
![Page 17: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/17.jpg)
Biases in Bytes 258-513
17
Example: keystream byte 320
![Page 18: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/18.jpg)
Biases in Bytes 258-513
18
Example: keystream byte 352
Biases quickly
become quite weak
![Page 19: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/19.jpg)
New Long-term Bias
19
(𝑍256∙𝑤 , 𝑍256∙𝑤+2) = (128, 0)
with probability 2−16(1 + 2−8)
128 0 ...
Every block of 256 bytes
![Page 20: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/20.jpg)
Additional Biases
20
See paper!
![Page 21: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/21.jpg)
Our Goal: further kill RC4
21
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
![Page 22: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/22.jpg)
Existing Methods [AlFardan et al. ‘13]
22
Plaintext encrypted under
several keystreams
Ciphertext Distribution Plaintext guess 𝜇Induced keystream
distribution
Verify guess: how close to
real keystream distribution?
![Page 23: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/23.jpg)
Example: Decrypt byte 1
23
Ciphertext Distribution
![Page 24: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/24.jpg)
Example: Decrypt byte 1
24
RC4 & Ciphertext distribution
![Page 25: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/25.jpg)
Example: Decrypt byte 1
25
If plaintext byte 𝜇 = 0x28: RC4 & Induced
𝜇 = 0x28 has low likelihood
![Page 26: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/26.jpg)
Example: Decrypt byte 1
26
If plaintext byte 𝜇 = 0x5C: RC4 & Induced
𝜇 = 0x5C has higher likelihood
![Page 27: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/27.jpg)
Example: Decrypt byte 1
27
If plaintext byte 𝜇 = 0x5A: RC4 & Induced
𝜇 = 0x5A has highest likelihood!
![Page 28: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/28.jpg)
Types of likelihood estimates
28
Previous works: pick value with highest likelihood.
Better idea: list of candidates in decreasing likelihood:
Most likely one may not be correct!
Prune bad candidates (e.g. bad CRC)
Brute force cookies or passwords
How to calculate list of candidates?
![Page 29: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/29.jpg)
1st
idea: Generate List of Candidatess
29
Gist of the Algorithm: Incremental approach
Calculate candidates of length 1, length 2, ...
1
2
𝑛
1
2
𝑛
1
2
𝑛
...
![Page 30: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/30.jpg)
2nd
idea: abusing the ABSAB bias
30
Assume there’s surrounding known plaintext
Derive values of A, B
Combine with ABSAB bias to (probablisticly) predict A′, B′
Ordinary likelihood calculation over only (A′, B′)
A B S A’ B’
Known Plaintext Unknown Plaintext
Likelihood estimate:
!
![Page 31: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/31.jpg)
Our Goal: further kill RC4
31
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
![Page 32: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/32.jpg)
TKIP Background
32
How are packets sent/received?
1. Add Message Integrity Check (MIC)
2. Add CRC (leftover from WEP)
3. Add IV (increments every frame)
4. Encrypt using RC4 (per-packet key)
Encrypted
MICDataIV CRC
![Page 33: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/33.jpg)
Flaw #1: TKIP Per-packet Key
33
Key-Mix
Key Sender MAC 𝐼𝑉
packet key
Anti-FMS(𝐼𝑉0, 𝐼𝑉1)
𝐼𝑉-dependent biases in keystream[Gupta/Paterson et al.]
Avoid weak keys which broke WEP
![Page 34: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/34.jpg)
Flaw #2: MIC is invertible
34
If decrypted, reveals MIC key
MICDataIV CRC
With the MIC key, an attacker can inject and
decrypt some packets [AsiaCCS ‘13]
![Page 35: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/35.jpg)
Goal: decrypt data and MIC
35
If decrypted, reveals MIC key
MICDataIV CRC
Generate identical packets (otherwise MIC changes):
Assume victim connects to server of attacker
Retransmit identical TCP packet
List of plaintext candidates (unknown MIC and CRC)
Prune bad candidates based on CRC
![Page 36: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/36.jpg)
Evaluation
36
Simulations with 230 candidates:
Need ≈ 224 captures to decrypt with high success rates
Emperical tests:
Server can inject 2 500 packets per second
Roughly one hour to capture sufficient traffic
Successfully decrypted packet & found MIC key!
![Page 37: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/37.jpg)
Our Goal: further kill RC4
37
New Biases Plaintext Recovery
Break WPA-TKIP Attack HTTPS
![Page 38: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/38.jpg)
TLS Background
38
Client Server
Focus on record protocol with RC4 as cipher
Handshake protocol
Negotiate keys
Record protocol
Encrypt data
![Page 39: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/39.jpg)
Targeting HTTPS Cookies
39
Previous attacks only used Fluhrer-McGrew (FM) biases
We combine FM bias with the ABSAB bias
Must surround cookie with known plaintext
1. Remove unknown plaintext arround cookie
2. Inject known plaintext arround cookie
![Page 40: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/40.jpg)
Example: manipulated HTTP request
40
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a.site.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: auth=????????????????; P=aaaaaaaaaaaaaaaaa
Surrounded by known
plaintext at both sides
Headers are
predictable
![Page 41: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/41.jpg)
Preparation: manipulating cookies
41
Clienta.site.com fake.site.com
HTTPS insecure
Remove & inject
secure cookies!
![Page 42: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/42.jpg)
Performing the attack!
42JavaScript: Cross-Origin requests in WebWorkers
![Page 43: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/43.jpg)
Performing the attack!
43Keep-Alive connection to generate them fast
![Page 44: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/44.jpg)
Performing the attack!
44Combine Fluhrer-McGrew and ABSAB biases
![Page 45: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/45.jpg)
Decrypting 16-character cookie
45
Takes 75 hours with 4450 requests / second
Ciphertext copies times 227
![Page 46: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/46.jpg)
Decrypting 16-character cookie
46
DEMO!rc4nomore.com
![Page 47: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS](https://reader030.vdocument.in/reader030/viewer/2022012811/61c2235354da9c2d8d0268c8/html5/thumbnails/47.jpg)
Questions?
May the bias be ever in your favor