A Security Analysis of the WPA-TKIP and TLS Security Protocols

Publication date: 2016-07-04

Authors:

Vanhoef, Mathy
Piessens, Frank

Abstract:

This dissertation analyzes the security of popular network protocols. First we investigate the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and then we study the security of the RC4 stream cipher in both WPA-TKIP and the Transport Layer Security (TLS) protocol. We focus on these protocols because of their popularity. In particular, around November 2012, WPA-TKIP was used by two-thirds of encrypted Wi-Fi networks, and it is currently still used by more than half of all encrypted networks. Similarly, around 2013, RC4 was used in half of all TLS connections. Finally, with the goal of implementing reliable proofs of concept for some of our attacks against WPA-TKIP, we also study physical layer security aspects of Wi-Fi.

In the first part of this dissertation we focus on WPA-TKIP when used to protect unicast Wi-Fi traffic. Here we demonstrate how fragmentation of Wi-Fi frames can be used to inject an arbitrary number of packets, and we show how this attack can be applied in practice by performing a portscan on any client connected to the network. Then we propose a technique to decrypt arbitrary packets sent towards a client. Our technique first resets the internal state of the Michael algorithm, and abuses this to make victims forward packets to a server under control of the adversary, effectively decrypting the packets. We also present a novel Denial of Service (DoS) attack that requires the injection of only two frames every minute. Additionally, we discover that several network cards use flawed and insecure implementations of WPA-TKIP.

In the second part of the dissertation, our goal is to attack WPA-TKIP when used to protect broadcast and multicast traffic, i.e., group traffic. This is important since, even in 2016, more than half of all encrypted Wi-Fi networks still protect group traffic using WPA-TKIP. To carry out our attack in a general setting, we must be able to reliably block certain packets from arriving at their destination, preferably using cheap commodity Wi-Fi devices. Hence we first study low-layer aspects of the Wi-Fi protocol. Surprisingly, we found that commodity devices allow us to violate several assumptions made by the Wi-Fi protocol. We show that this enables us to implement a constant and a selective jammer using commodity Wi-Fi devices. Although the selective jammer can block a large percentage of packets from arriving at their destination, we found that an even more effective method is to block packets by obtaining a channel-based man-in-the-middle (MitM) position. In such a position, packets are blocked simply by not forwarding them. Finally, we demonstrate that our MitM position allows us to attack WPA-TKIP, when used as a group cipher, within only 7 minutes.

In the last part of the dissertation we attack RC4 in both WPA-TKIP and TLS. First we search for new biases in the RC4 keystream, in the hope that they might be useful to improve our attacks. We empirically search for them using statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new long-term biases. Then we design algorithms that are capable of using multiple types of biases in order to recover a repeatedly encrypted secret. These algorithms return a list of plaintext candidates in decreasing likelihood, and are applied to attack WPA-TKIP and TLS. For the WPA-TKIP scenario we first introduce a method to generate a large number of identical packets. We decrypt such a packet by generating its plaintext candidate list, and use the redundant packet structure to prune bad candidates. From the decrypted packet we derive the WPA-TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. In the attack against TLS, we show how to decrypt a secure HTTP cookie with a high success rate, by capturing roughly one billion ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack, and decrypt the cookie, within merely 75 hours.
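The two steps sketched in the last part of the abstract, an empirical bias search with a statistical test and a likelihood-ranked list of plaintext candidates for a repeatedly encrypted secret, are illustrated below in Python. This is an added example and not code from the dissertation: it uses a textbook RC4, a two-sided z-test against the uniform hypothesis on the first eight keystream bytes, and a single-byte candidate list built only from the biases the test flags. All keys, the secret byte 0x41 at keystream position 2 and the random seeds are constructed test data, and the sample sizes are kept small enough to run in seconds, whereas the dissertation's search used far larger samples and its recovery algorithms also combine long-term biases such as Mantin's ABSAB bias, which this example does not implement.

```python
import math
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm, then n bytes of PRGA output."""
    S = list(range(256))
    klen = len(key)
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def random_key(rng: random.Random, key_len: int = 16) -> bytes:
    """Uniformly random key from a seeded generator (constructed test data)."""
    return bytes(rng.getrandbits(8) for _ in range(key_len))


def keystream_counts(num_keys: int, positions: int, seed: int = 1) -> list:
    """Tally the values of Z_1 .. Z_positions over num_keys random 128-bit keys.
    counts[r-1][v] is how often keystream byte Z_r equalled v."""
    rng = random.Random(seed)
    counts = [[0] * 256 for _ in range(positions)]
    for _ in range(num_keys):
        for pos, z in enumerate(rc4_keystream(random_key(rng), positions)):
            counts[pos][z] += 1
    return counts


def find_biases(counts: list, num_keys: int, z_threshold: float = 5.0) -> list:
    """Two-sided z-test of every (position, value) cell against the null
    hypothesis Pr[Z_r = v] = 1/256. Returns (r, v, z) triples whose |z| reaches
    the threshold, strongest first. The threshold is high because
    256 * positions cells are tested at once (multiple-comparison control)."""
    expected = num_keys / 256
    sd = math.sqrt(num_keys * (1 / 256) * (255 / 256))
    found = [(r, v, (c - expected) / sd)
             for r, row in enumerate(counts, start=1)
             for v, c in enumerate(row)
             if abs((c - expected) / sd) >= z_threshold]
    return sorted(found, key=lambda t: -abs(t[2]))


def bias_model(row: list, num_keys: int, biases: list) -> list:
    """Keystream distribution for one position: empirical probability for the
    cells flagged as biased, a uniform share of the remaining mass elsewhere.
    Treating unflagged cells as uniform keeps estimation noise out of the scores."""
    flagged = {v for _, v, _ in biases}
    mass = sum(row[v] for v in flagged) / num_keys
    rest = (1.0 - mass) / (256 - len(flagged)) if len(flagged) < 256 else 0.0
    return [row[v] / num_keys if v in flagged else rest for v in range(256)]


def rank_candidates(cipher_counts: list, model: list) -> list:
    """Candidates for one repeatedly encrypted plaintext byte, most likely first.
    score(p) = sum_c N_c * log Pr[Z = c xor p], with N_c the number of times
    ciphertext value c was observed at that keystream position."""
    logp = [math.log(max(q, 1e-12)) for q in model]
    scores = [(sum(n * logp[c ^ p] for c, n in enumerate(cipher_counts) if n), p)
              for p in range(256)]
    return [p for _, p in sorted(scores, reverse=True)]


def demo(num_keys: int = 32768, num_ciphertexts: int = 16384,
         secret: int = 0x41, position: int = 2):
    """Phase 1: search Z_1..Z_8 for biases. Phase 2: a simulated victim encrypts
    the same secret byte at keystream position `position` under fresh random
    keys; recover it from the ciphertext histogram. All data is constructed."""
    counts = keystream_counts(num_keys, 8, seed=1)
    biases = find_biases(counts, num_keys)
    model = bias_model(counts[position - 1], num_keys,
                       [b for b in biases if b[0] == position])
    rng = random.Random(2)
    cipher_counts = [0] * 256
    for _ in range(num_ciphertexts):
        z = rc4_keystream(random_key(rng), position)[position - 1]
        cipher_counts[secret ^ z] += 1
    return biases, rank_candidates(cipher_counts, model)


if __name__ == "__main__":
    biases, ranked = demo()
    for r, v, z in biases:
        print(f"Z_{r} = {v:#04x}: z = {z:+.1f}")
    print("top candidates:", [f"{p:#04x}" for p in ranked[:5]])
```

With these sample sizes the only cell that survives the z-test is Z_2 = 0, the classic doubled probability in the second keystream byte, and the candidate list puts the secret first because the ciphertext value equal to the plaintext shows up about twice as often as any other. Lowering `z_threshold` or raising `num_keys` brings weaker biases into view, which is exactly the trade-off between sample size and detectable bias magnitude that drives the ciphertext counts quoted in the abstract.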