Date post: | 17-Dec-2015 |
Upload: | hector-julio |
WPA / WPA2 & GPU attack
Héctor Julio
INFO-F514 - Protocols, cryptanalysis and mathematical cryptology ULB
WHAT IS WPA?
Security protocol
Authentication
Encryption
WEP / WPA / WPA2
|                  | WEP                             | WPA                             | WPA2                            |
| ENCRYPTION       | RC4                             | RC4 (TKIP)                      | AES                             |
| KEY ROTATION     | NONE                            | Dynamic session keys            | Dynamic session keys            |
| KEY DISTRIBUTION | Manually typed into each device | Manually/Automatic distribution | Manually/Automatic distribution |
| AUTHENTICATION   | WEP Key                         | 802.1X                          | 802.1X                          |
RC4
RC4 is deprecated (but is not considered totally broken)
RC4
WEP: concatenates root key + IV
TKIP: implements key mixing function before RC4
TKIP
MIC: Message Integrity Check
MSDU: MAC service data unit
IS WPA VULNERABLE?
2 kinds of vulnerabilities:
Read the data (decrypt the packets)
Get the authentication key - PSK (domestic networks)
IS WPA VULNERABLE?
Decrypting packets
You need the PSK in order to decrypt packets
You can choose strong protocols
You can use WPA2 with AES
IS WPA VULNERABLE?
Getting the PSK
The handshake is the most critical point, because it uses the PSK
If you have the 4-way handshake, you can brute-force the PSK
This doesn't mean that WPA/WPA2 is broken
4-WAY HANDSHAKE
PMK = PSK + SSID + SSID length
Combinations (always use symbols!)
| Available characters (English language) | Possible passwords, two characters | Possible passwords, four characters | Possible passwords, six characters |
| Lower-case                              | 676                                | 456.976                             | 308.915.776                        |
| Lower- and upper-case                   | 2.704                              | 7.311.616                           | 19.770.609.664                     |
| Lower-case, upper-case, and numbers     | 3.844                              | 14.776.336                          | 56.800.235.584                     |
| All (printable) ASCII characters        | 8.836                              | 78.074.896                          | 689.869.781.056                    |
Total search time, assuming 5000 WPA passwords/second
(Intel i5-2500K w/ 4 cores, 3.3 GHz)
| SEARCH TIME                         | Passwords between 1 and 4 characters | Passwords between 1 and 6 characters | Passwords between 1 and 8 characters | Passwords between 1 and 12 characters |
| Numbers                             | Instant                              | 4 minutes                            | 6.5 hours                            | 7.5 years                             |
| Lower-case                          | 2 minutes                            | 18 hours                             | 1.5 years                            | 662263 years                          |
| Alphanumeric (including upper-case) | 52 minutes                           | 140 days                             | 1481 years                           | Age of the universe*                  |
| All (printable) ASCII characters    | 5 hours                              | 5 years                              | 48644 years                          | Age of the universe*                  |
* 13 billion years
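The PMK derivation behind the 4-way handshake slide and the arithmetic behind the search-time tables, as an added example that is not part of the original slides. It assumes the IEEE 802.11i definition of the PSK-mode PMK (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt); the function names and the `ExampleNet` SSID are made up for illustration, and the two guess rates are the ones the slides quote.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK as IEEE 802.11i defines it for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passphrases with length min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def exhaustive_years(charset_size: int, min_len: int, max_len: int,
                     rate: float) -> float:
    """Worst-case years to try every candidate at `rate` guesses/second."""
    return keyspace(charset_size, min_len, max_len) / rate / SECONDS_PER_YEAR

def min_length(charset_size: int, rate: float, target_years: float) -> int:
    """Smallest L such that searching lengths 8..L (8 is WPA's minimum) takes
    at least target_years, assuming a uniformly random passphrase."""
    for length in range(8, 64):
        if exhaustive_years(charset_size, 8, length, rate) >= target_years:
            return length
    raise ValueError("target not reachable within 63 characters")

if __name__ == "__main__":
    # Constructed inputs: "password"/"IEEE" is the IEEE 802.11i test vector.
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: the SSID salts the PMK, so a
    # precomputed table only applies to one network name.
    print(wpa_pmk("password", "ExampleNet").hex())
    # Character-set sizes as used in the slides' combinations table.
    charsets = {"numbers": 10, "lower-case": 26,
                "alphanumeric": 62, "printable ASCII": 94}
    for name, size in charsets.items():
        for label, rate in (("CPU 5000/s", 5_000), ("cloud 1M/s", 1_000_000)):
            print(f"{name:16} {label:11} "
                  f"8 chars: {exhaustive_years(size, 8, 8, rate):16.1f} years, "
                  f"length for 100 years: {min_length(size, rate, 100)}")
```

The estimates are for exhaustive search only; a passphrase built from dictionary words is not uniformly random, so it is found sooner than these figures suggest.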
GPU ATTACKS
Why GPUs?
A GPU has a lot of cores (hundreds).
Each core can compute one 32-bit arithmetic operation per clock cycle.
GPUs work well with extreme parallelism (the same instructions applied to different data), and that is the GPU's advantage for hashing.
Total search time using GPU (Pyrit in GNU/Linux, WSA in Windows)
| SEARCH TIME                 | Passwords between 1 and 6 characters (alphanumeric) | Passwords between 1 and 8 characters (alphanumeric) |
| Nvidia GeForce GTX 460 1 GB | 35 days (Pyrit w/ CoWPAtty)                         | 368.9 years (Pyrit w/ CoWPAtty)                     |
| Nvidia GeForce GTX 590      | 11.6 days (Pyrit w/ CoWPAtty)                       | 122.5 years (Pyrit w/ CoWPAtty)                     |
| 2 x Nvidia GeForce GTX 590  | 6.5 days (WSA)                                      | 68.66 years (WSA)                                   |
| AMD Radeon HD 6850          | 20.4 days (WSA)                                     | 214.75 years (WSA)                                  |
| AMD Radeon HD 6990          | 5.88 days (WSA)                                     | 62.24 years (WSA)                                   |
| 2 x AMD Radeon HD 6990      | 3.08 days (Pyrit w/ CoWPAtty)                       | 32.97 years (Pyrit w/ CoWPAtty)                     |
GPU CLOUD SERVICES
Amazon Web Services
NIMBIX
Peer1 Hosting
Penguin Computing
RapidSwitch
SoftLayer
Time & cost using GPU EC2 instances (Amazon)
| Total time at 1 million WPA passwords/second | Passwords between 1 and 4 characters | Passwords between 1 and 6 characters | Passwords between 1 and 8 characters | Passwords between 1 and 12 characters |
| Numbers                                      | Instant (estimated cost: $0.74)      | Instant (estimated cost: $0.74)      | 2 minutes (estimated cost: $0.74)    | 12.75 days (estimated cost: $226)     |
| Lower-case                                   | Instant (estimated cost: $0.74)      | 5 minutes (estimated cost: $0.74)    | 2.5 days (estimated cost: $44.40)    | 3147 years                            |
| Alphanumeric (including upper-case)          | Instant (estimated cost: $0.74)      | 16 hours (estimated cost: $11.84)    | 7 years                              | 103 981 388 years                     |
| All (printable) ASCII characters             | 2 minutes (estimated cost: $0.74)    | 9 days (estimated cost: $159.84)     | 231 years                            | Age of the universe                   |
CONCLUSIONS
Don't use RC4
WPA is not broken, but WPA2 is much better
Use enterprise / RADIUS networks if you can
Use a long PSK with alphanumeric characters (as we saw a few slides ago)
SOURCES
On the Security of RC4 in TLS and WPA: http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
4 way handshake flow: http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-psk_4-way_handshake/flow_wpa-psk_4-way_handshake.png
GPU cloud services: http://www.nvidia.com/object/gpu-cloud-computing-services.html
Wi-Fi security WEP, WPA and WPA2: http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf
Wi-Fi Security: Cracking WPA With CPUs, GPUs, And The Cloud: http://www.tomshardware.com/reviews/wireless-security-hack,2981-7.html
TKIP: https://msdn.microsoft.com/en-us/library/windows/hardware/ff570952%28v=vs.85%29.aspx