Practical Verification of TKIP Vulnerabilities


Upload: vanhoefm

Posted on 07-Jul-2015


DESCRIPTION

Presentation given at Asia CCS on the paper "Practical Verification of WPA-TKIP Vulnerabilities".

TRANSCRIPT

Page 1: Practical Verification of TKIP Vulnerabilities

Efficient Denial of Service

Forge arbitrary packets to client

Decrypt traffic towards client


TKIP: WiFi security protocol

Page 2: Practical Verification of TKIP Vulnerabilities

Why study TKIP if a replacement already exists?

1999: WEP            Broken
2002: WPA-TKIP       Acceptable
2004: WPA-CCMP (AES) Secure

Page 3: Practical Verification of TKIP Vulnerabilities

Detected 6803 networks

66% support TKIP

19% support only TKIP

Need more arguments to kill TKIP!
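The survey slide above counts how many networks still offer TKIP, and the same question is the first thing a defender should ask about their own estate. The following audit script is an added example, not code from the talk or the paper: it parses an `iw dev <iface> scan`-style text dump (the sample below is constructed, and the field names "Group cipher:" / "Pairwise ciphers:" are assumed to match that tool's output), classifies each BSS as TKIP-only, mixed, CCMP-only or open, and reports the same two percentages the slide uses.

```python
# Added example (not from the talk or the paper): classify scanned networks by
# the cipher suites they advertise, to find APs that still offer or require TKIP.
# The input loosely follows the text dump of "iw dev <iface> scan"; the sample is
# constructed and the exact field names are an assumption about that tool's output.
import re
from collections import Counter

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: legacy-net
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
BSS 00:11:22:33:44:02(on wlan0)
    SSID: mixed-net
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
BSS 00:11:22:33:44:03(on wlan0)
    SSID: modern-net
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
BSS 00:11:22:33:44:04(on wlan0)
    SSID: open-net
"""

def parse_scan(text):
    """Return {bssid: {"ssid": str, "ciphers": set}} from an iw-style scan dump.

    Cipher lines are collected whether they sit under an RSN (WPA2) or a
    WPA (v1) information element, since both can advertise TKIP."""
    networks = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            current = networks.setdefault(m.group(1), {"ssid": "", "ciphers": set()})
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            current["ssid"] = s[len("SSID:"):].strip()
        elif "Pairwise ciphers:" in s or "Group cipher:" in s:
            current["ciphers"].update(s.split(":", 1)[1].split())
    return networks

def classify(ciphers):
    """Map the advertised cipher set to one of four audit classes."""
    if "TKIP" in ciphers and "CCMP" not in ciphers:
        return "TKIP-only"
    if "TKIP" in ciphers:
        return "mixed (TKIP supported)"
    if "CCMP" in ciphers:
        return "CCMP-only"
    return "open-or-unknown"

def summarize(text):
    """Per-class counts plus the two percentages used on the survey slide."""
    nets = parse_scan(text)
    total = len(nets)
    if total == 0:
        return {"total": 0, "classes": {}, "pct_support_tkip": 0.0, "pct_tkip_only": 0.0}
    counts = Counter(classify(n["ciphers"]) for n in nets.values())
    tkip_any = counts["TKIP-only"] + counts["mixed (TKIP supported)"]
    return {
        "total": total,
        "classes": dict(counts),
        "pct_support_tkip": 100 * tkip_any / total,
        "pct_tkip_only": 100 * counts["TKIP-only"] / total,
    }

if __name__ == "__main__":
    for bssid, n in parse_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {n['ssid']:<12} {classify(n['ciphers'])}")
    print(summarize(SAMPLE_SCAN))
```

On the constructed sample, half of the networks support TKIP and a quarter are TKIP-only; the "mixed" class matters because a client that negotiates TKIP on a mixed network is exposed exactly as on a TKIP-only one, so the fix is to remove TKIP from the AP configuration rather than merely to add CCMP beside it.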

Page 4: Practical Verification of TKIP Vulnerabilities

Beck & Tews Attack

>8 mins: recover the key used to calculate the integrity check

Forge 3 small packets to client

Page 5: Practical Verification of TKIP Vulnerabilities

New Attack: Efficient Denial of Service

Improve & implement existing ideas to:

Forge arbitrary packets

Decrypt packets towards client

[M. Beck. Enhanced TKIP Michael attacks.]

Page 6: Practical Verification of TKIP Vulnerabilities

How are packets sent/received?

1. Add Message Integrity Check (MIC)

2. Encrypt using XOR stream cipher

3. Add Packet ID (#ID) to avoid replays

[Figure: packet layout #ID | MIC | Data, with MIC and Data encrypted]

Page 7: Practical Verification of TKIP Vulnerabilities

How are packets sent/received?

1. Add Message Integrity Check (MIC) [uses the MIC key]

2. Encrypt using XOR stream cipher [uses the encryption key]

3. Add Packet ID (#ID) to avoid replays

[Figure: packet layout #ID | MIC | Data, with MIC and Data encrypted]

Page 8: Practical Verification of TKIP Vulnerabilities

[Figure: packet layout #ID | MIC | Data]

If the MIC is decrypted, it reveals the MIC key.

Countermeasure:

If (two MIC failures within a minute):
    halt all traffic for 1 minute

Page 9: Practical Verification of TKIP Vulnerabilities

Attack: Capture packet, change priority, replay.

[Figure: packet layout #ID / prior. | MIC | Data, with MIC and Data encrypted]

Page 10: Practical Verification of TKIP Vulnerabilities

Attack: Capture packet, change priority, replay.

[Figure: packet layout #ID / prior. | MIC | Data, with MIC and Data encrypted; the priority field is changed]

Changing the priority:

Avoids replay detection

Doesn't affect decryption

Changes expected MIC value

Page 11: Practical Verification of TKIP Vulnerabilities

Attack: Capture packet, change priority, replay.

[Figure: packet layout #ID / prior. | MIC | Data, with MIC and Data encrypted; the priority field is changed]

Changing the priority:

Avoids replay detection

Doesn't affect decryption

Changes expected MIC value

MIC Failure(s): Traffic halted for 1 minute
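The three bullets above (replay detection bypassed, decryption unaffected, MIC mismatch) and the countermeasure on the earlier slide are easiest to see in a toy receiver. The code below is an added example, not code from the talk or the paper. It builds the 8-byte TKIP IV/KeyID + Extended IV header exactly as IEEE 802.11 lays out the 48-bit TSC, keeps one replay counter per priority (TID) as real receivers do, and triggers the "two failures within a minute" halt. Everything else is a stand-in: the integrity check is an HMAC truncated to 8 bytes rather than the real Michael MIC, the keystream is a SHA-256 counter rather than RC4 with the mixed key, and the keys and timestamps are constructed.

```python
# Added example (not from the talk or the paper): a toy TKIP receiver that shows
# why a replayed frame with a changed priority passes the per-TID replay check,
# still decrypts, fails the MIC, and how two such frames halt traffic for a minute.
# The TSC header layout follows IEEE 802.11 TKIP. The MIC is an HMAC stand-in
# (NOT Michael), the keystream is a SHA-256 stand-in (NOT RC4), keys/times are constructed.
import hashlib
import hmac
import struct

MIC_KEY = b"\x01" * 8      # constructed stand-in MIC key
ENC_KEY = b"\x02" * 16     # constructed stand-in encryption key

def encode_tsc(tsc, key_id=0):
    """8-byte TKIP header: TSC1 | WEPSeed[1] | TSC0 | ExtIV/KeyID | TSC2..TSC5."""
    tsc0, tsc1 = tsc & 0xFF, (tsc >> 8) & 0xFF
    wep_seed1 = (tsc1 | 0x20) & 0x7F           # avoids the weak WEP-style IV classes
    ext_iv_flag = 0x20                          # bit 5: Extended IV present
    return bytes([tsc1, wep_seed1, tsc0, ext_iv_flag | (key_id << 6)]) + \
           struct.pack("<I", tsc >> 16)

def decode_tsc(header):
    """Recover the 48-bit TSC (the slide's #ID) from the 8-byte TKIP header."""
    tsc1, _seed, tsc0, _flags = header[:4]
    high = struct.unpack("<I", header[4:8])[0]
    return (high << 16) | (tsc1 << 8) | tsc0

def keystream(tsc, n):
    """Per-packet keystream derived from key and TSC (stand-in for RC4/TKIP mixing)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ENC_KEY + tsc.to_bytes(6, "little") + bytes([counter])).digest()
        counter += 1
    return out[:n]

def mic(priority, data):
    """Integrity check over priority and payload (Michael also covers priority)."""
    return hmac.new(MIC_KEY, bytes([priority]) + data, hashlib.sha256).digest()[:8]

def build_frame(tsc, priority, data):
    """Sender side: append MIC, then XOR-encrypt; priority and #ID stay in the clear."""
    body = data + mic(priority, data)
    ks = keystream(tsc, len(body))
    return {"priority": priority, "header": encode_tsc(tsc),
            "body": bytes(a ^ b for a, b in zip(body, ks))}

class Receiver:
    """Per-TID replay counters plus the two-MIC-failures-per-minute countermeasure."""
    def __init__(self):
        self.last_tsc = {}          # priority (TID) -> highest TSC accepted so far
        self.last_failure = None    # time of the most recent MIC failure
        self.halted_until = -1.0

    def receive(self, frame, now):
        if now < self.halted_until:
            return "halted"
        tsc = decode_tsc(frame["header"])
        tid = frame["priority"]
        if tsc <= self.last_tsc.get(tid, -1):   # replay check is per TID
            return "replay dropped"
        self.last_tsc[tid] = tsc
        ks = keystream(tsc, len(frame["body"]))  # keystream depends on TSC, not priority
        body = bytes(a ^ b for a, b in zip(frame["body"], ks))
        data, got = body[:-8], body[-8:]
        if hmac.compare_digest(got, mic(tid, data)):
            return "ok"
        # MIC failure: a second one within 60 s halts all traffic for 60 s
        if self.last_failure is not None and now - self.last_failure < 60:
            self.halted_until = now + 60
        self.last_failure = now
        return "mic failure"

def demo():
    """Constructed timeline: one genuine frame, then the same frame replayed twice."""
    rx = Receiver()
    f = build_frame(tsc=1000, priority=0, data=b"ping")
    r1 = rx.receive(f, now=0)                            # "ok"
    r2 = rx.receive(f, now=1)                            # same TID: "replay dropped"
    r3 = rx.receive(dict(f, priority=5), now=2)          # new TID counter: "mic failure"
    r4 = rx.receive(dict(f, priority=6), now=3)          # second failure within a minute
    r5 = rx.receive(build_frame(1001, 0, b"x"), now=30)  # genuine traffic: "halted"
    return [r1, r2, r3, r4, r5], rx.halted_until

if __name__ == "__main__":
    print(demo())
```

The timeline returns `["ok", "replay dropped", "mic failure", "mic failure", "halted"]` with traffic halted until t = 63 s: two replayed frames are enough to lose a minute of connectivity, which is the denial-of-service cost the talk refers to. From a monitoring standpoint, the same TSC arriving on two different TIDs from one transmitter is a pattern a wireless IDS can flag, since a legitimate sender never reuses a TSC.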

Page 12: Practical Verification of TKIP Vulnerabilities

Beck & Tews attack can forge 3 packets. Injecting more requires new keystreams:

[Figure: Ciphertext XOR Plaintext = Keystream]

All packets start with LLC header

We predict these with very high accuracy

Capture packets with new #IDs.

Page 13: Practical Verification of TKIP Vulnerabilities

LLC header is only 12 bytes…

Combine them using fragmentation!

[Figure: fragments #ID1 | Data1 … #ID16 | Data16 | MIC are reassembled into one packet Data1 … Data16 | MIC]

12 bytes/fragment: inject 120 bytes of data

Page 14: Practical Verification of TKIP Vulnerabilities

Port Scanner:

1. Get MIC key using Beck & Tews attack

2. Inject TCP SYN packets

3. Detect SYN/ACK based on length

Remarks:

High volume of packet injection proven!

Also: DNS poisoning, DHCP spoofing, …

Page 15: Practical Verification of TKIP Vulnerabilities

[Figure: AP, Client, Attacker. Sniffed packet: Data | MIC | Ping req.]

1. Sniff packet

2.

Page 16: Practical Verification of TKIP Vulnerabilities

[Figure: AP, Client, Attacker. Sniffed packet: Data | MIC | Ping req. | Magic]

1. Sniff packet

2.

Page 17: Practical Verification of TKIP Vulnerabilities

[Figure: AP, Client, Attacker. Sniffed packet: Data | MIC | Ping req. | Magic]

1. Sniff packet

2.

3. Reply incl. packet (to external IP)

Page 18: Practical Verification of TKIP Vulnerabilities

State1: initial state of every packet

State2: state after processing prefix

State3: equal to State1 due to magic bytes

State4: equal to MIC of sniffed packet!

[Figure: Prefix | Magic | Sniffed packet (Data | MIC), with State1 before the prefix, State2 after the prefix, State3 after the magic bytes and State4 at the end]

Page 19: Practical Verification of TKIP Vulnerabilities

Possible applications? Decrypt web responses:

Web mail

Bank details

Decrypt TCP sequence number, hijack connection and inject malware?

Page 20: Practical Verification of TKIP Vulnerabilities

Integrity (MIC) not verified when fragmented:

Alfa AWUS036h, Belkin F5D7053, Ralink U150BB

Attack time reduced from >8 min to zero.

Page 21: Practical Verification of TKIP Vulnerabilities

No replay protection:

Alfa AWUS036h, Belkin F5D7053, Tomato 1.28 (AP firmware)

No need to generate new keystreams!

Page 22: Practical Verification of TKIP Vulnerabilities

Always accepts unencrypted packets:

Alfa AWUS036h, Belkin F7D1102, Scarlet VDSL (AP of an ISP in BE)

Game over, you lose!

Page 23: Practical Verification of TKIP Vulnerabilities

[Figure: AP, Client, Attacker. "Your IP!"]

Page 24: Practical Verification of TKIP Vulnerabilities

TKIP is insecure!

Efficient Denial of Service

Forge any packet towards client

Decrypt traffic towards client


Page 25: Practical Verification of TKIP Vulnerabilities
