• Description: 802.11 Wifi Security
• Lecturer: Guillaume Jeanne
All your Wireless belongs to us
SecurIMAG
2012-03-01
WARNING: SecurIMAG is a security club at
Ensimag. Thoughts, ideas and opinions are not
related to Ensimag. The authors assume no
liability including for errors and omissions.
¡¡_ (in)security we trust _!!
Grenoble INP
Ensimag
Presentation : Guillaume Jeanne
2 SecurIMAG - Wifi Security – Guillaume J. – 2012/03/01
• Background:
• MP* preparatory class at Lycée Claude-Fauriel (Saint-Etienne, 42)
• First year at ENSIMAG
• Why SecurIMAG ? (the ultimate question)
• I've always been fascinated by computer
security and how we could divert an object from
its normal use. (hacking)
• Contact :
• guillaume.jeanne{(_a\.t_)}ensimag.fr
Outline
• 802.11b WEP
  - How it works
  - WEP Security Problems
    1/ Reuse the byte sequence
    2/ Fluhrer, Mantin and Shamir attack
  - Demo
• WPA
  - Changes
  - WPA Security Problems
    1/ Dictionary attack
  - Demo
Reminder of French Law
Art. 323-1
« Fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years' imprisonment and a fine of 30,000 euros.
Where this results in the deletion or modification of data contained in the system, or in an impairment of the functioning of that system, the penalty is three years' imprisonment and a fine of 45,000 euros. »
802.11b, Wired Equivalent Privacy (WEP)
• 802.11: a (1999), b (1999), g (2003), n (2009)
• Security (1999):
  • Data encryption: Wired Equivalent Privacy “WEP”
  • Authentication:
    o Shared Key Authentication “SKA” (WEP is used during authentication)
    o Open System Authentication (no authentication occurs)
• Beginning: 40-bit keys (U.S. law), WEP2: 104 bits
• Severely criticized for its lack of security
WEP, How it works ? Emission
• Message M (unencrypted)
• Control function: CRC32 (to check integrity): M becomes M || CRC(M) (|| denotes concatenation)
• RC4 encryption:
  Seed = IV (initialization vector, 24 bits) || WEP key (104 bits)
  RC4(IV || WEP key) = RC4(Seed)
• (M || CRC(M)) ⊕ RC4(Seed) = encrypted message C
• Transmitted: IV (24 bits) || encrypted message C
WEP, How it works ? Reception
• Exactly the same thing!
• The receiver retrieves the IV, concatenates it with the WEP key, runs RC4 on the result, and XORs the output with the encrypted message. It then calculates the checksum and checks it.
  RC4(IV || WEP key) = RC4(Seed)
  encrypted message C ⊕ RC4(Seed) = M
Shared Key Authentication “SKA”
• Four-way handshake using the WEP password (secret key)
WEP, Security problems
1/ Reuse the byte sequence
Principle:
• A = M1 ⊕ RC4(Seed)
• B = M2 ⊕ RC4(Seed)
• A ⊕ B = M1 ⊕ RC4(Seed) ⊕ M2 ⊕ RC4(Seed) = M1 ⊕ M2
• If you know M1, you can deduce M2 (and vice versa):
  M2 = (M1 ⊕ M2) ⊕ M1
• Question: how do you know M1?
  Easy: M1 is an Internet packet, with a known structure.
  Social engineering: send an email; its contents will be encrypted with the WEP key…
BUT
• The aim of the IV is to encrypt each packet differently, so the principle explained above will not work…
  except if…
• the same IV is reused! This is easy to detect because IVs are not encrypted.
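The emission and reception steps and the keystream-reuse principle above, as runnable Python added here (not code from the talk). The key, IVs and messages are constructed sample values and the function names are illustrative.

```python
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key schedule over `seed`, then `length` keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """Emission: IV || ((M || CRC32(M)) xor RC4(IV || key))."""
    plain = msg + zlib.crc32(msg).to_bytes(4, "little")
    return iv + xor(plain, rc4_keystream(iv + key, len(plain)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reception: rebuild the keystream, xor, then verify the checksum."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    msg, icv = plain[:-4], plain[-4:]
    if zlib.crc32(msg).to_bytes(4, "little") != icv:
        raise ValueError("integrity check failed")
    return msg

def reused_ivs(frames) -> set:
    """IVs are sent unencrypted, so repeats are visible without the key."""
    ivs = [frame[:3] for frame in frames]
    return {iv for iv in ivs if ivs.count(iv) > 1}

# Constructed sample data: a 104-bit key and two 16-byte messages.
KEY = bytes(range(1, 14))
M1, M2 = b"known plaintext!", b"secret plaintext"
A = wep_encrypt(b"\x01\x02\x03", KEY, M1)
B = wep_encrypt(b"\x01\x02\x03", KEY, M2)  # same IV, same keystream
C = wep_encrypt(b"\x01\x02\x04", KEY, M2)  # fresh IV, different keystream

def m2_from_known_m1() -> bytes:
    """A xor B = M1 xor M2, so a known M1 yields M2."""
    return xor(xor(A[3:], B[3:]), M1)
```

With the fresh IV used for `C`, the same XOR no longer cancels the keystream, which is the whole purpose of the IV.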
• You shall not reuse the same IV!
• But… IVs are only 24 bits, so IVs are necessarily reused.
• There is a 50% chance that an IV will be reused after 4823 packets!
Annex : Birthday Paradox
• Problem: how many people are needed for the probability that 2 of them were born on the same day to be 1/2?
• …
• Only 23
• Explanations:
  (23*22)/2 = 253 pairs
  failure rate for each pair: 1 − 1/365 = 99.726%
  (1 − 1/365)^253 = 49.9%
  => 50.1% success
(this is not a lie!)
Annex : Birthday Paradox table
n     p(n)
10    11.7%
20    41.1%
23    50.1%
30    70.6%
50    97.0%
57    99.0%
100   99.99997%
200   99.9999999999999999999999999998%
300   (100 − 6×10^−80)%
350   (100 − 3×10^−129)%
365   (100 − 1.45×10^−155)%
366   100%
WEP, Security problems
1/ Reuse the byte sequence
Application here
• ½ (4823 × 4822) = 11 628 253 pairs
• failure rate for each pair: 1 − ½^24
• [1 − (½^24)]^11 628 253 = 50.00%
• => 50% success
• 4.823 s (8 Mbit/s, 1 kB)
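The same calculation as code, added here as an illustration (not part of the original slides): it computes the exact collision probability next to the pair-counting estimate used above, for any value space, and finds the 50% threshold by search. Function names are illustrative and IVs are assumed to be drawn uniformly at random.

```python
import math

def collision_probability(n: int, space: int) -> float:
    """Exact chance that n uniform random values from `space` contain a repeat."""
    if n > space:
        return 1.0
    # log of P(no repeat) = sum of log(1 - k/space) for k = 0 .. n-1
    log_no_repeat = sum(math.log1p(-k / space) for k in range(n))
    return -math.expm1(log_no_repeat)

def pair_estimate(n: int, space: int) -> float:
    """Estimate used on the slides: treat the n(n-1)/2 pairs as independent."""
    pairs = n * (n - 1) // 2
    return 1.0 - (1.0 - 1.0 / space) ** pairs

def packets_for(target: float, space: int) -> int:
    """Smallest n whose exact collision probability reaches `target`."""
    log_no_repeat, n = 0.0, 0
    while -math.expm1(log_no_repeat) < target:
        log_no_repeat += math.log1p(-n / space)
        n += 1
    return n

def seconds_to_send(n: int, bits_per_second: float, packet_bytes: int) -> float:
    """Time needed to put n packets of the given size on the air."""
    return n * packet_bytes * 8 / bits_per_second

if __name__ == "__main__":
    for label, space in (("birthdays", 365), ("24-bit IVs", 2 ** 24)):
        n = packets_for(0.5, space)
        print(label, n, round(collision_probability(n, space), 5),
              round(pair_estimate(n, space), 5))
    print(seconds_to_send(4823, 8e6, 1000), "s at 8 Mbit/s with 1 kB packets")
```

The threshold grows with the square root of the value space, so each extra IV bit multiplies the number of packets before a likely repeat by only about 1.41.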
WEP, Security problems
2/ Fluhrer, Mantin and Shamir attack
• The most famous WEP attack.
• Published in a 2001 paper titled “Weaknesses in the Key Scheduling Algorithm of RC4” (1)
• Implemented in AirSnort and Aircrack.
• Exploits the weaknesses of the RC4 key generation algorithm and IVs.
RC4 key generation algorithm
• Generate two tables S and K of a size of 256 bytes
• Initialize the table S with the integers from 0 to 255 (state table)
• Fill in the table K with the secret key
• Pseudo-randomly permute the table S using the secret key
• Pseudo-randomly permute the table S with itself
• XOR the sequence obtained from the table S with the flow of data
The attack
• Some IVs provide information about the secret key via the first byte of the keystream they produce. These IVs are called low IVs and are of the form (A+3, N-1, X) (3 bytes), where:
  • A is the index of the key byte to attack
  • N = 256 because RC4 is modulo 256
  • X is between 0 and 255
For each byte of the key, there are 256 low IVs.
• The first byte of an 802.11b packet matches the SNAP header and it is almost always 0xAA.
  output = 0xAA ⊕ FirstByte
• Now you can attack, here is the algorithm (KSA):
  begin ksa(with int keylength, with byte K[keylength])
      for i from 0 to 255
          S[i] := i
      endfor
      j := 0
      for i from 0 to 255
          j := (j + S[i] + K[i mod keylength]) mod 256
          swap(S[i],S[j])
      endfor
  end
Explanation:
• First key byte: low IVs (A=0) [3,15,2,1,2,3,4,5] (mod 16)
• K[] = 3 15 2 X X X X X 3 15 2 X X X X X
• S[] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
• KSA:
  1) i=0, j=0+0+3=3, S[] = 3 1 2 0 …
  2) i=1, j=3+1+15=3, S[] = 3 0 2 1 4 5 …
  3) i=2, j=3+2+2=7, S[] = 3 0 7 1 4 5 6 2 8 9 10 11 12 13 14 15
First byte = output − j − S[i] = 9 − 7 − 1 = 1
• Second byte, [4,15,9,1,2,3,4,5]
• K[] = 4 15 9 1 X X X X 4 15 9 1 X X X X
• S[] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
• KSA:
  1) j=4
  2) j=4
  3) j=15
  4) j=3
  [slide figure: S[] after each step]
Second byte = 6 − 3 − 1 = 2
• But in reality there is only a 5% chance that the byte is correct (for 1 IV)
• => repeat this for several IVs (X varies)
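The two traces above can be replayed in a few lines of Python. This is an added example, not code from the talk: it uses the slides' toy modulus 16 and toy key [1,2,3,4,5], runs the full toy cipher to obtain the first output byte, then applies the slide's formula to the partial key schedule (function names are illustrative).

```python
N = 16  # toy modulus used on the slides (real RC4 uses 256)
SECRET = [1, 2, 3, 4, 5]  # toy key from the slides

def ksa(seed, steps=N, n=N):
    """Run the first `steps` rounds of the RC4 key schedule modulo n."""
    s, j = list(range(n)), 0
    for i in range(steps):
        j = (j + s[i] + seed[i % len(seed)]) % n
        s[i], s[j] = s[j], s[i]
    return s, j

def first_keystream_byte(seed, n=N):
    """Full key schedule, then one round of the output generator."""
    s, _ = ksa(seed, n, n)
    i, j = 1, s[1]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) % n]

def is_low_iv(iv, a, n=N):
    """True when the IV has the (A+3, N-1, X) form described above."""
    return iv[0] == (a + 3) % n and iv[1] == n - 1

def key_byte_guess(iv, known_key, out, n=N):
    """Slide formula: key byte = output - j - S[i], evaluated at i = A+3."""
    a = len(known_key)
    s, j = ksa(list(iv) + list(known_key), a + 3, n)
    # s.index(out) is the position of `out` in S; in both slide traces
    # that position equals `out` itself, hence the shorter slide formula.
    return (s.index(out) - j - s[a + 3]) % n

def check_slide(iv, known_key):
    """Return (first output byte, key byte given by the slide formula)."""
    out = first_keystream_byte(list(iv) + SECRET)
    return out, key_byte_guess(iv, known_key, out)

if __name__ == "__main__":
    for iv, known in (((3, 15, 2), []), ((4, 15, 9), [1])):
        state, j = ksa(list(iv) + known, len(known) + 3)
        print(iv, "S =", state, "j =", j, "->", check_slide(iv, known))
```

Filtering on `is_low_iv` is also how a sender can recognise IVs of this form before using them.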
• Consequences
  • Ability to modify the packets (integrity loss)
  • Ability to authenticate
• « Solutions »
  • Increasing the size of the WEP key (and/or the possible space of the IV) is not enough (birthday paradox)
  • We should rely on another kind of cipher (e.g. block cipher, see WPA)
Furthermore
• Breaking 104 bit WEP in less than 60 seconds (2)
• In 2007, Erik Tews, Andrei Pyshkin, and Ralf-Philipp Weinmann were able to extend Klein's 2005 attack and optimize it for usage against WEP. With the new attack it is possible to recover a 104-bit WEP key with probability 50% using only 40,000 captured packets.
DEMO
802.11i, Wi-Fi Protected Access (WPA & WPA2)
• WPA became available around 1999.
• WPA2 around 2004
• Following serious weaknesses researchers had found in the previous system (WEP).
• Changes:
  • Temporal Key Integrity Protocol (TKIP)
    o still RC4 but: 128-bit key per packet
    o rekeying mechanism (keys change frequently, avoiding collisions)
    o the ICV field is replaced by
      – a MICHAEL integrity check (64 bits)
      – a sequence number for each packet (replay protection)
  • AES (block cipher), optional in WPA
    o Mandatory in WPA2
WPA, Security problems
dictionary attack
• Test all the words in a dictionary
• It is the only WPA attack in aircrack that allows the key to be recovered
• Concretely, you disconnect a station from the network and then capture the packets it sends to reconnect (handshake)
• Then you can launch the attack
Problem 1 : Storage
• Dictionaries are very heavy to store
  • 5-character key (uppercase, lowercase, numbers): 458 MB
  • 10-character key: 8392993 TB
  • 63-character key: 5.25e+99 PB
Problem 1 : Solution
• Generate the dictionary on the fly!
• Crunch (3.2)
  http://sourceforge.net/projects/crunch-wordlist/
• Pipe « | » on aircrack
/pentest/passwords/crunch/./crunch 10 10 0123456789abc[…]xyz -o wordlist.txt
Problem 2 : Time
• Dictionary attack is very long
• Time = O(n²)
• double the length => time will be squared
• Question: how to speed up the attack?
Accelerate the attack
ElcomSoft Distributed Password Recovery (3)
• Support for NVIDIA CUDA cards, ATI Radeon and Tableau TACC1441 hardware accelerators.
• Allows up to 64 CPUs or CPU cores and up to 32 GPUs per processing node
• Distributed password recovery over LAN, Internet or both.
Application family | Applications | Extensions | Type of recovery | Password types | Hardware acceleration
Microsoft Office 2007 | Word, Excel, PowerPoint, Project | .DOCX, .XLSX, .PPTX | password | file opening password | NVIDIA, ATI, Tableau
Microsoft Office 2007 | Access | .ACCDB | password | file opening password | -
Microsoft Office 2010 | Word, Excel, Access, PowerPoint | .DOCX, .XLSX, .PPTX | password | file opening password | NVIDIA, ATI, Tableau
Microsoft Office XP/2003 | Word, Excel, PowerPoint | .DOC, .XLS, .PPT | password | "open" password only | -
Microsoft Office 97/2000 | Word, Excel | .DOC, .XLS | password | "open" password only | -
Microsoft Office 97/2000 | Word, Excel | .DOC, .XLS | key | "open" password only - guaranteed decryption | -
OpenDoc | word processing (text) documents | .ODT, .OTT, .SXW, .STW | password | - | NVIDIA
OpenDoc | spreadsheets | .ODS, .OTS, .SXC, .STC | password | - | NVIDIA
OpenDoc | presentations | .ODP, .OTP, .SXI, .STI | password | - | NVIDIA
OpenDoc | graphics/drawing | .ODG, .OTG, .SXD, .STD | password | - | NVIDIA
OpenDoc | formulae, mathematical equations | .ODF, .SXM | password | - | NVIDIA
Microsoft Money | - | .MNY | password | - | -
Intuit Quicken¹ | - | .QDF | password | - | -
PGP and Open-Key Passwords | PGP zip archives¹ | .PGP | password | - | -
PGP and Open-Key Passwords | PGP secret key rings | .SKR | password | - | -
Adobe Acrobat | PDF with 256-bit encryption | .PDF | password | "user" and "owner" password | -
Adobe Acrobat | PDF with 128-bit encryption | .PDF | password | "user" and "owner" password | -
Adobe Acrobat | PDF with 40-bit encryption | .PDF | password | "user" and "owner" password | -
Adobe Acrobat | PDF with 40-bit encryption | .PDF | key | "user" password - guaranteed decryption | -
System Passwords | Microsoft Windows NT, 2000, XP, 2003, Vista | - | password | logon passwords (LM/NTLM) | NVIDIA²
System Passwords | Microsoft Windows | - | password | SYSKEY startup passwords | -
System Passwords | Microsoft Windows | - | password | DCC (Domain Cached Credentials) passwords | NVIDIA²
System Passwords | UNIX | - | password | users’ passwords | -
System Passwords | Wireless networks | - | password | WPA and WPA2 passwords | NVIDIA, ATI, Tableau
iPhone/iPod/iPad backup | iTunes | - | password | - | NVIDIA, ATI, Tableau
BlackBerry backup | BlackBerry Desktop Software (old) | .IPD, .BBB | password | - | AES-NI³
Mozilla, FireFox, Thunderbird | - | - | password | master passwords | -
BlackBerry backup | BlackBerry Desktop Software (6.0+ for Windows, 2.0+ for Mac) | - | password | - | NVIDIA, ATI, Tableau
Apple iWork | Pages, Numbers, Keynote | .pages, .numbers, .key | password | password to open | -
Performance comparison
• 10x faster on an Nvidia 8800GT than on a Core2Duo 3.3 GHz
But … it is relative
• 5-character WPA key brute-force attack:
  1 day and 18 hours vs 16 days and 4 hours
• 10-character WPA key brute-force attack:
  1 551 683 291 days (4251 millennia)
…a WPA2 key can have 63 characters
Full CUDA on Backtrack
• CUDA natively used by Backtrack (and more particularly crunch and aircrack)
  http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf
WPA & WPA2 Conclusion
• How to improve the attack:
  • Use rainbow tables
  • here, 120 GB of Windows LanManager hashes:
    http://www.korben.info/UserFiles/File/hak5_rtables_lm_all_1-7.torrent
• How to protect yourselves:
  • Use key > 10 characters
  • Use special characters
  • Change the default password
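Why these recommendations matter, as an added Python example (not from the original slides): WPA/WPA2-PSK derives its master key from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), so every guess is expensive and precomputed tables only apply to one SSID. The guess rates are the ones implied by the 5-character timings quoted earlier; the SSID, passphrases and default-password list are constructed placeholders.

```python
import hashlib
import string

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def guesses_per_second(length: int, alphabet: int, days: int, hours: int) -> float:
    """Rate implied by a 'whole keyspace in D days H hours' figure."""
    return alphabet ** length / ((days * 24 + hours) * 3600)

def days_to_exhaust(length: int, alphabet: int, rate: float) -> float:
    """Days needed to try every key of this length at `rate` guesses/s."""
    return alphabet ** length / rate / 86400

def policy_findings(passphrase: str, defaults=("password", "admin1234")) -> list:
    """Apply the three recommendations above to one passphrase.

    `defaults` is a constructed placeholder list, not a real vendor list.
    """
    findings = []
    if len(passphrase) <= 10:
        findings.append("10 characters or fewer")
    if not any(c in string.punctuation for c in passphrase):
        findings.append("no special character")
    if passphrase.lower() in defaults:
        findings.append("default password")
    return findings

# Rates implied by the 5-character figures (62-symbol alphabet).
GPU_RATE = guesses_per_second(5, 62, days=1, hours=18)
CPU_RATE = guesses_per_second(5, 62, days=16, hours=4)

if __name__ == "__main__":
    print(wpa_pmk("correct horse battery!", "ExampleNet").hex())
    for length in (5, 8, 10, 12):
        print(length, f"{days_to_exhaust(length, 62, GPU_RATE):.3g} days at GPU rate")
    print(policy_findings("admin1234"))
```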
Annex : Rainbow table
DEMO
References
• (1) http://aboba.drizzlehosting.com/IEEE/rc4_ksaproc.pdf
• http://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack
• http://en.wikipedia.org/wiki/RC4
• http://en.wikipedia.org/wiki/Birthday_problem
• Jon Erickson, “Hacking: The Art of Exploitation”
• (2) Breaking 104 bit WEP in less than 60 seconds: http://eprint.iacr.org/2007/120.pdf
• http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA
• (3) http://www.elcomsoft.com/edpr.html
• http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf
• http://sourceforge.net/projects/crunch-wordlist/
Questions ?