Klein's and PTW Attacks on WEP


TTM4137 Wireless Security
Klein's and PTW Attacks on WEP
Anton Stolbunov, NTNU, Department of Telematics
version 1, September 7, 2009

Abstract. These notes should help for an in-depth understanding of the paper [1] by Klein and [2] by Tews, Weinmann and Pyshkin.

1 Notation

$n$: 256;
$S$: an array containing the numbers $\{0, \ldots, n-1\}$ in some order. Each number is present only once. $S$ is also called a permutation;
$S_i$: the RC4 internal permutation $S$ after the $i$-th RC4 round. $1 \le i \le n$ corresponds to the key setup algorithm, while $i > n$ is the key stream generation algorithm;
$j_i$: the RC4 internal variable $j$ after the $i$-th RC4 round;
$K$: the RC4 key;
$l$: the length of $K$ in bytes. Equals 16 for the 104-bit Wired Equivalent Privacy (WEP);
$X$: the RC4 key stream;
$Rk$: the WEP root key. 13 bytes for the 104-bit WEP;
$IV$: the WEP per-packet initialization vector. 3 bytes;
$\leftarrow$: assignment; $\leftrightarrow$: swap; $\oplus$: bitwise XOR; $\forall$: for all; iff: if and only if; $\|$: concatenation.

Indexing in arrays starts from 0, i.e. the first element of $S$ is $S[0]$. All formulas are implicitly written modulo $n$, except for the values of probabilities. In Sections 4 and 5 we present attacks on the 104-bit WEP, i.e. $l = 16$.

2 RC4 Stream Cipher

[Figure 1: RC4 stream cipher. Labels in the figure: $K$, message, RC4, $X$, ciphertext.]

Fig. 1 and Algorithms 1 and 2 illustrate the RC4 encryption.

Algorithm 1 RC4 key setup
 1: $S \leftarrow (0, 1, \ldots, 255)$
 2: $j \leftarrow 0$
 3: for $i \leftarrow 0$ to $255$ do
 4:   $j \leftarrow j + S[i] + K[i \bmod l]$
 5:   $S[i] \leftrightarrow S[j]$
 6: end for
 7: $i \leftarrow 0$
 8: $j \leftarrow 0$

Algorithm 2 RC4 key stream generation
 1: $i \leftarrow i + 1$
 2: $j \leftarrow j + S[i]$
 3: $S[i] \leftrightarrow S[j]$
 4: return $S[\, S[i] + S[j] \,]$

3 Klein's Correlation in RC4

Throughout this section $i$ is a positive integer less than $n$.

3.1 Klein's Theorem

We present a simplified version of [1, Theorem 1]. The theorem is relevant not only to RC4, as it applies to permutations in general.

Theorem 1. Let $S$ be a random permutation of the numbers $\{0, \ldots, n-1\}$ ($S$ is random means that it is picked from the $n!$ possible permutations such that the probability of picking each one is $1/n!$).

Then for all integers $i, x, c \in \{0, \ldots, n-1\}$, the following holds:
$$\Pr\big( S[\, S[i] + x \,] + x = i \big) = \frac{2}{n}, \tag{1}$$
$$\Pr\big( S[\, S[i] + x \,] + x = c \big) = \frac{n-2}{n(n-1)}, \quad \text{where } c \ne i. \tag{2}$$

Proof. To show (1) we will count the total number of different permutations $S$ that satisfy the condition under the $\Pr$ sign. Consider the following two disjoint cases.

Case 1:
$$S[i] = i - x. \tag{3}$$
It follows that $i = S[i] + x$ and, substituting the index $i$ in (3), we get $S[\, S[i] + x \,] = i - x$. This is equivalent to condition (1), so we are only left with one condition. (3) puts a restriction on one element $S[i]$. The remaining $n-1$ elements can take any of the remaining $n-1$ values. Thus the total number of permutations satisfying (3) is $(n-1)!$.

Case 2:
$$S[i] \ne i - x. \tag{4}$$
We now have two conditions that should be met simultaneously. Condition (1) leaves only one possibility for the element $S[\, S[i] + x \,]$, leaving the remaining elements unrestricted. Because of (4), we have that $S[i] + x \ne i$, so conditions (1) and (4) apply to elements with different indices. Condition (4) leaves $n-1$ possibilities for the value of $S[i]$. The remaining $n-2$ elements of $S$ can take any of the remaining $n-2$ unused values. Thus Case 2 incorporates a total of $(n-1)(n-2)! = (n-1)!$ permutations.

We have shown that Cases 1 and 2 allow a total of $2(n-1)!$ different permutations. Since $S$ is picked at random from $n!$ possibilities, the probability that we hit either of the two cases is $2(n-1)!/n! = 2/n$, which proves (1).

To show (2) we will again count possible permutations. We first show that (5) holds. Suppose the opposite is true: $S[i] = i - x$. Then $S[i] + x = i$, and, substituting the index in (2), we get that $S[i] + x = c$. But $c \ne i$, so $S[i] + x \ne i$, which contradicts our assumption. Thus
$$S[i] \ne i - x. \tag{5}$$
Since $S[i] + x \ne i$, conditions (2) and (5) apply to elements with different indices in $S$. Condition (2) leaves one possibility for the value of the element $S[\, S[i] + x \,]$. This value is $c - x$, and it is different from $i - x$, because $c \ne i$. So when it comes to the element $S[i]$, it cannot take the value $c - x$ because it is already used, and cannot take the value $i - x$ because of the condition (5). The element $S[i]$ is only left with $n-2$ possibilities. The remaining $n-2$ elements can take any of the remaining $n-2$ values. Thus the total number of permutations satisfying (2) is $(n-2)(n-2)!$. This gives us the probability $(n-2)(n-2)!/n! = (n-2)/(n(n-1))$. $\square$

3.2 Equation (10)

Observe that in Lines 4 and 5 of Algorithm 1 the current round number is $i + 1$. Thus we can write
$$j_{i+1} = j_i + S_i[i] + K[i \bmod l], \tag{6}$$
$$S_{i+1}[i] = S_i[j_{i+1}]. \tag{7}$$
After substituting $j_{i+1}$ in (7) with the value from (6) we get
$$\underbrace{S_{i+1}[i]}_{h} = S_i\big[\, \underbrace{j_i + S_i[i] + K[i \bmod l]}_{g} \,\big]. \tag{8}$$
Now denote $g$ and $h$ as pictured in (8). Since permutations are invertible, we have that
$$S[g] = h \iff S^{-1}[h] = g, \tag{9}$$
so we can rewrite (8) as
$$S_i^{-1}\big[ S_{i+1}[i] \big] = j_i + S_i[i] + K[i \bmod l],$$
or
$$K[i \bmod l] = S_i^{-1}\big[ S_{i+1}[i] \big] - \big( j_i + S_i[i] \big). \tag{10}$$

3.3 Equation (13)

Observe from Line 4 of Algorithm 2 that after a round number $i + n$ the following holds:
$$S_{i+n}\big[\, S_{i+n}[i] + S_{i+n}[j_{i+n}] \,\big] = X[i-1]. \tag{11}$$
In (1) choose $S$ to be $S_{i+n}$ and $x$ to be $S_{i+n}[j_{i+n}]$. Theorem 1 implies that
$$\Pr\big( S_{i+n}[\, S_{i+n}[i] + S_{i+n}[j_{i+n}] \,] + S_{i+n}[j_{i+n}] = i \big) = \frac{2}{n}. \tag{12}$$
Combining (11) and (12) we get
$$\Pr\big( \underbrace{S_{i+n}[j_{i+n}]}_{\beta} = \underbrace{i - X[i-1]}_{\gamma} \big) = \frac{2}{n}. \tag{13}$$
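The counting argument behind Theorem 1 (Section 3.1) can be checked by brute force for a small $n$: enumerate all $n!$ permutations and count the ones satisfying (1) and (2); the counts must equal $2(n-1)!$ and $(n-2)(n-2)!$. The following Python is an added example written for these notes, not code from Klein's paper or from the course. It also includes a Monte Carlo check at the RC4 size $n = 256$, where enumeration is out of reach. The parameter values ($n = 6$, $i = 2$, $x = 3$, $c = 5$) and the random seed are arbitrary choices for the demonstration.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial
import random


def klein_counts(n, i, x, c, perms=None):
    """Count the permutations S of {0,...,n-1} with S[S[i]+x] + x = i
    (condition (1)) and with S[S[i]+x] + x = c, c != i (condition (2)).
    All index arithmetic is modulo n, as in the notes."""
    assert c != i, "condition (2) is stated for c != i"
    if perms is None:
        perms = permutations(range(n))
    hit_i = hit_c = 0
    for S in perms:
        v = (S[(S[i] + x) % n] + x) % n
        if v == i:
            hit_i += 1
        elif v == c:
            hit_c += 1
    return hit_i, hit_c


def klein_probabilities(n, i, x, c):
    """Exact values of the probabilities in (1) and (2), by enumeration."""
    hit_i, hit_c = klein_counts(n, i, x, c)
    total = factorial(n)
    return Fraction(hit_i, total), Fraction(hit_c, total)


def theorem_holds(n):
    """Check (1) and (2) for every i, every x and every c != i at one small n,
    comparing against the counts derived in the proof."""
    perms = list(permutations(range(n)))
    want_i = 2 * factorial(n - 1)          # Case 1 + Case 2 of the proof of (1)
    want_c = (n - 2) * factorial(n - 2)    # count derived for (2)
    for i in range(n):
        for x in range(n):
            for c in range(n):
                if c == i:
                    continue
                if klein_counts(n, i, x, c, perms) != (want_i, want_c):
                    return False
    return True


def estimate_klein(n=256, i=3, x=7, trials=20000, seed=1):
    """Monte Carlo estimate of (1) at the RC4 size n = 256: draw uniformly
    random permutations and count how often S[S[i]+x] + x = i. Arguments
    and seed are arbitrary demonstration values."""
    rng = random.Random(seed)
    S = list(range(n))
    hits = 0
    for _ in range(trials):
        rng.shuffle(S)
        if (S[(S[i] + x) % n] + x) % n == i:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    p1, p2 = klein_probabilities(6, 2, 3, 5)
    print("n=6: Pr(1) =", p1, " Pr(2) =", p2)            # 1/3 and 2/15
    print("theorem holds for n=6:", theorem_holds(6))
    print("n=256 estimate of (1):", estimate_klein(), " vs 2/n =", 2 / 256)
```

For $n = 6$ the exact values are $2/6 = 1/3$ and $4/30 = 2/15$, and `theorem_holds` confirms that the counts do not depend on the choice of $i$, $x$ or $c$, which is what the proof's case analysis claims. The estimate at $n = 256$ should land near $2/256 \approx 0.0078$, well above the $1/256$ one would get if the event were unrelated to the permutation structure.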

3.4 Equation (16)

We now use (2) substituting, as before, $S$ with $S_{i+n}$ and $x$ with $S_{i+n}[j_{i+n}]$:
$$\forall c \ne i,\quad \Pr\big( S_{i+n}[\, S_{i+n}[i] + S_{i+n}[j_{i+n}] \,] + S_{i+n}[j_{i+n}] = c \big) = \frac{n-2}{n(n-1)}. \tag{14}$$
Combining (11) and (14) we get
$$\forall c \ne i,\quad \Pr\big( X[i-1] + S_{i+n}[j_{i+n}] = c \big) = \frac{n-2}{n(n-1)}.$$
Now add $i$ to each side and rearrange the terms:
$$\forall c \ne i,\quad \Pr\big( S_{i+n}[j_{i+n}] - c + i = i - X[i-1] \big) = \frac{n-2}{n(n-1)}. \tag{15}$$
After denoting $\delta = S_{i+n}[j_{i+n}] - c + i$, we notice that $c \ne i$ iff $c = S_{i+n}[j_{i+n}] - \delta + i \ne i$ iff $\delta \ne S_{i+n}[j_{i+n}]$, and thus (15) can be written as
$$\forall \delta \ne \underbrace{S_{i+n}[j_{i+n}]}_{\beta},\quad \Pr\big( \underbrace{i - X[i-1]}_{\gamma} = \delta \big) = \frac{n-2}{n(n-1)}. \tag{16}$$

3.5 Equation (20)

Consider Algorithm 1 where Line 4 is replaced with
$$j \leftarrow \mathrm{rand}(n). \tag{17}$$
This is a rude approximation of the original algorithm, but it will let us derive some important probability estimates. (If the key $K$ consisted of $n$ independent random bytes, this approximation would be precise in terms of probability distributions. But since $l < n$, we should expect some imprecision in the final results, which will show through an increased number of packets required for the WEP attack in practice.)

On each round of this modified key setup algorithm, $S[i]$ is swapped with an element $S[j]$, where $j$ is now random. In particular, during the round number $i + 2$, the probability of the event $j = i$ equals $1/n$, and so the probability that $j \ne i$ is $1 - 1/n$. Thus $S_{i+1}[i]$ stays unchanged during the $(i+2)$nd round with probability $1 - 1/n$. We write this fact as
$$\Pr\big( S_{i+1}[i] = S_{i+2}[i] \big) = 1 - \frac{1}{n}.$$
The same reasoning applies to subsequent rounds, i.e. the probability that $S_{i+1}[i]$ stays unchanged during the next $k$ rounds is $(1 - 1/n)^k$, $k < n - i$.

Moreover, if we replace Line 2 of Algorithm 2 with (17), our result generalizes to any number of rounds. Using $k = n - 2$, we can write
$$\Pr\big( S_{i+1}[i] = S_{i+n-1}[i] \big) = \Big( 1 - \frac{1}{n} \Big)^{n-2}. \tag{18}$$
Now observe from Line 3 of Algorithm 2 that
$$S_{i+n}[j_{i+n}] = S_{i+n-1}[i]. \tag{19}$$
Substituting $S_{i+n-1}[i]$ in (18) with the value from (19) we get
$$\Pr\big( \underbrace{S_{i+1}[i]}_{\alpha} = \underbrace{S_{i+n}[j_{i+n}]}_{\beta} \big) = \Big( 1 - \frac{1}{n} \Big)^{n-2}. \tag{20}$$

3.6 Equation (22)

Lemma 1. If
$$\Pr(\alpha = \beta) = p_1, \qquad \Pr(\beta = \gamma) = p_2, \qquad \forall \delta \ne \beta,\ \Pr(\gamma = \delta) = p_3,$$
then
$$\Pr(\alpha = \gamma) = p_1 p_2 + (1 - p_1)\, p_3.$$

Proof. Consider two cases. Case 1: $\alpha = \beta$. We find that $\Pr(\alpha = \gamma) = \Pr(\beta = \gamma) = p_2$. Case 2: $\alpha \ne \beta$. If we now let $\delta = \alpha$, which is allowed since $\alpha \ne \beta$, we see that $\Pr(\alpha = \gamma) = \Pr(\gamma = \delta) = p_3$. Since Case 1 happens with probability $p_1$, and Case 2 with probability $1 - p_1$, we get that $\Pr(\alpha = \gamma) = p_1 p_2 + (1 - p_1)\, p_3$. $\square$

The result of Lemma 1 applies to Equations (13), (16) and (20) with the notation for $\alpha$, $\beta$, $\gamma$ and $\delta$ introduced in these equations. It follows that
$$\Pr\big( S_{i+1}[i] = i - X[i-1] \big) = \Big( 1 - \frac{1}{n} \Big)^{n-2} \cdot \frac{2}{n} + \Big( 1 - \Big( 1 - \frac{1}{n} \Big)^{n-2} \Big) \cdot \frac{n-2}{n(n-1)}.$$
If we use $n = 256$, the last formula approximates to $0.0053 \approx 1.36/n$. Thus we have that
$$\Pr\big( S_{i+1}[i] = i - X[i-1] \big) \approx \frac{1.36}{n}. \tag{21}$$
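Algorithms 1 and 2 (Section 2), the identity (10) and the estimate (21) can be exercised together in a few dozen lines. The following Python is an added example for these notes, not code from Klein's paper, the PTW paper or the course. It implements the key setup with optional snapshots of $(S_r, j_r)$, the key stream generator and Fig. 1, checks that (10) holds exactly for an arbitrary key, and estimates the left-hand side of (21) for $i = 3$ over random 16-byte keys, next to a control event ($S_{i+1}[i] = i - X[i-1] + 1$) that carries no Klein correlation. The key "Key" with plaintext "Plaintext" is the standard public RC4 test vector; the sample key bytes, trial count and seed are arbitrary choices for the demonstration.

```python
import random

N = 256  # n in the notes


def rc4_key_setup(key, snapshot_rounds=()):
    """Algorithm 1 (RC4 key setup) for a key given as a list of bytes.
    Returns the final permutation S and a dict {r: (S_r, j_r)} with the
    state after each requested round r (S_0 is the identity, j_0 = 0)."""
    l = len(key)
    S = list(range(N))
    j = 0
    snaps = {0: (S[:], 0)} if 0 in snapshot_rounds else {}
    for i in range(N):                      # this is round number i + 1
        j = (j + S[i] + key[i % l]) % N     # Line 4
        S[i], S[j] = S[j], S[i]             # Line 5
        if i + 1 in snapshot_rounds:
            snaps[i + 1] = (S[:], j)        # (S_{i+1}, j_{i+1})
    return S, snaps


def rc4_keystream(S, length):
    """Algorithm 2 (RC4 key stream generation) applied `length` times to a
    copy of S; returns X[0], ..., X[length-1]."""
    S = S[:]
    i = j = 0
    X = []
    for _ in range(length):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        X.append(S[(S[i] + S[j]) % N])
    return X


def rc4_encrypt(key, data):
    """Fig. 1: ciphertext = message XOR X (decryption is the same call)."""
    S, _ = rc4_key_setup(list(key))
    return bytes(d ^ x for d, x in zip(data, rc4_keystream(S, len(data))))


def identity_10_holds(key, i):
    """Equation (10) is an exact identity of the key setup:
    K[i mod l] = S_i^{-1}[S_{i+1}[i]] - (j_i + S_i[i])  (mod n)."""
    _, snaps = rc4_key_setup(key, snapshot_rounds=(i, i + 1))
    S_i, j_i = snaps[i]
    S_next, _ = snaps[i + 1]
    rhs = (S_i.index(S_next[i]) - (j_i + S_i[i])) % N   # list.index is S_i^{-1}
    return key[i % len(key)] == rhs


def klein_bias(i=3, key_len=16, trials=40000, seed=1):
    """Monte Carlo estimate of (21), Pr(S_{i+1}[i] = i - X[i-1]), over
    random keys, returned together with the rate of the control event
    S_{i+1}[i] = i - X[i-1] + 1, which should sit near 1/n."""
    rng = random.Random(seed)
    hits = control = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        S, snaps = rc4_key_setup(key, snapshot_rounds=(i + 1,))
        S_next = snaps[i + 1][0]            # S_{i+1}
        X = rc4_keystream(S, i)             # X[0], ..., X[i-1]
        if S_next[i] == (i - X[i - 1]) % N:
            hits += 1
        if S_next[i] == (i - X[i - 1] + 1) % N:
            control += 1
    return hits / trials, control / trials


if __name__ == "__main__":
    print(rc4_encrypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    print(all(identity_10_holds([5, 200, 17, 99], i) for i in range(16)))
    p, q = klein_bias()
    print(f"Klein event: {p:.5f} (1.36/n = {1.36 / N:.5f}); "
          f"control: {q:.5f} (1/n = {1 / N:.5f})")
```

The simulation uses the real Line 4 rather than the random-$j$ approximation (17), so the rate it reports is the bias as it occurs in RC4 itself; it should come out clearly above the control rate and close to the $0.0053$ computed from Lemma 1, which is the deviation from $1/n$ that Sections 4 and 5 build on.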

Consider (10), which holds unconditionally, and replace the term $S_{i+1}[i]$ with the value from (21). Since the equality under the $\Pr$ sign in (21) holds with the given probability, we can write
$$\Pr\Big( K[i \bmod l] = S_i^{-1}\big[ i - X[i-1] \big] - \big( S_i[i] + j_i \big) \Big) \approx \frac{1.36}{n}. \tag{22}$$
Note that, according to Algorithm 1, for $i < l$, the key bytes $K[0], K[1], \ldots, K[i-1]$ completely determine the permutation $S_i$. Therefore (22) expresses the dependency between the $i$-th key byte, the $i$ preceding key bytes and the $(i-1)$st key stream byte. We see a severe probability deviation from the mean value $1/n$. This fact will be used in our attack to obtain information about the value of the key byte $K[i]$.

4 Klein's Attack on WEP

The payload field in the 802.11 data frame's MAC protocol data unit (MPDU) consists of:
$$\underbrace{IV,\ \text{padding},\ Rk\text{'s ID}}_{\text{plaintext}},\ \underbrace{\text{data},\ ICV}_{\text{encrypted}},$$
where $IV$ is a 3-byte initialization vector, $Rk$'s ID is a 2-bit root key identifier and $ICV$ is the integrity check value. The data field carries packets from higher layers. The encryption is performed by RC4 using the key $K = IV \,\|\, Rk$. Note that the secret root key $Rk$ is prepended with an $IV$, which is transmitted over the air in clear text. The $IV$ is different for each packet (which is not always true in practice).

Assume we have captured a packet where we know the first 15 bytes of the data field in clear text. (To recover a 13-byte $Rk$ we do not actually need the first 2 bytes, but only need the following 13 bytes of the data.) We compute 15 bytes of the RC4 key stream as follows (see also Fig. 1):
$$X[i] = \text{ciphertext}[i] \oplus \text{data}[i], \quad i \in \{0, 1, \ldots, 14\}.$$
Since we know the value of $IV = (K[0], K[1], K[2])$, we can run the first three rounds of the RC4 key setup algorithm, and thus obtain $S_3$ and $j_3$. From $S_3$ it is also straightforward to compute $S_3^{-1}$ using (9). Now write (22) for $i = 3$:
$$\Pr\Big( K[3] = \underbrace{S_3^{-1}\big[ 3 - X[2] \big] - \big( S_3[3] + j_3 \big)}_{k_0} \Big) \approx \frac{1.36}{n}.$$

We compute the value $k_0$ and store it as a candidate for $Rk[0]$. Note that with a rather high probability $1 - 1.36/n$, the byte $Rk[0]$ can have a value different from $k_0$. Thus we need to collect more evidence about $Rk[0]$. Luckily, this can be done using packets that are transmitted between the same stations (thus with the same $Rk$; we assume that the root key is not changed during the attack, which is very likely to be true in practice), but have different $IV$s. Each new $IV$ provides us with a new experiment outcome, whereas an observation of the same $IV$s gives no new information whatsoever, since the same $IV$s yield identical first three rounds of the key setup Algorithm 1. When enough votes are collected, we can choose the highest rated value of $k_0$. Klein estimates the number of unique $IV$s sufficient to recover the byte $Rk[0]$ to be 25000.

After choosing the most frequent $k_0$, we let $K[3] = k_0$, which allows us to run the fourth round of the key setup algorithm for each given $IV$. Using the same collection of captured packets we now carry out similar calculations for the byte $Rk[1]$. By this approach we find all the bytes of $Rk$ and finally test it by a trial decryption of some ciphertext for which we know the plaintext, or a part of it.

In a case when too few unique $IV$s were used, the right candidate for some $Rk[i]$ might not be the most frequent one. Then we have to try the second, third and so on most frequent candidates for $Rk[i]$, recomputing the subsequent key bytes $Rk[i+1], \ldots, Rk[l-1]$ for each new $Rk[i]$. This iterative try-and-fail process is repeated until the correct root key is found. Note the high computational cost of correcting falsely guessed key bytes in this approach.

5 PTW Improved Key Calculation

Tews, Weinmann and Pyshkin extend Klein's attack such that it is possible to compute key bytes independently of each other. Consider Line 4 of Algorithm 1 during an $(i+3)$rd round, for some $i \le n - 3$:
$$j_{i+3} = j_{i+2} + S_{i+2}[i+2] + K[(i+2) \bmod l]. \tag{23}$$
Similarly the $(i+2)$nd round yields
$$j_{i+2} = j_{i+1} + S_{i+1}[i+1] + K[(i+1) \bmod l],$$
and substituting $j_{i+2}$ in (23) gives
$$j_{i+3} = j_{i+1} + \sum_{m=i+1}^{i+2} S_m[m] + \sum_{m=i+1}^{i+2} K[m \bmod l].$$

After doing this substitution $i - 2$ more times we get
$$j_{i+3} = j_3 + \sum_{m=3}^{i+2} S_m[m] + \sum_{m=3}^{i+2} K[m \bmod l]. \tag{24}$$
Now write (22) replacing $i$ with $i + 3$:
$$\Pr\Big( K[(i+3) \bmod l] = S_{i+3}^{-1}\big[ i + 3 - X[i+2] \big] - \big( S_{i+3}[i+3] + j_{i+3} \big) \Big) \approx \frac{1.36}{n},$$
and replace the rightmost term $j_{i+3}$ with the one from (24). After regrouping of terms we get
$$\Pr\Big( \underbrace{\sum_{m=3}^{i+3} K[m \bmod l]}_{\sigma_i} = S_{i+3}^{-1}\big[ i + 3 - X[i+2] \big] - \Big( j_3 + \sum_{m=3}^{i+3} S_m[m] \Big) \Big) \approx \frac{1.36}{n}.$$
After denoting $\sigma_i$ as pictured above, the last equation becomes
$$\Pr\Big( \sigma_i = S_{i+3}^{-1}\big[ i + 3 - X[i+2] \big] - \Big( j_3 + \sum_{m=3}^{i+3} S_m[m] \Big) \Big) \approx \frac{1.36}{n}. \tag{25}$$
The right side of the equality under the $\Pr$ sign depends on the first $i + 3$ key setup rounds. The authors of the PTW attack note that with a rather high probability the elements of $S$ that are used in this expression stay unchanged after the third round of the key setup algorithm. Thus we can replace them with the corresponding elements of $S_3$ and still have a significant probability deviation for small $i$'s [2, Equations 7 and 8]:
$$\Pr\Big( \sigma_i = \underbrace{S_3^{-1}\big[ i + 3 - X[i+2] \big] - \Big( j_3 + \sum_{m=3}^{i+3} S_3[m] \Big)}_{A_i} \Big) > \frac{1}{n}. \tag{26}$$

The PTW attack proceeds as follows. For each captured packet we run the first three rounds of the RC4 key setup algorithm and compute the values $A_i$ for all $i \in \{0, 1, \ldots, 12\}$. Every new $IV$ yields thirteen new (possibly repeating) values $A_i$. When a sufficient number of packets is analysed, we choose the most frequent candidates for the $A_i$'s and assign them to the variables $\sigma_i$ for all $i \in \{0, 1, \ldots, 12\}$. The root key bytes are then obtained using
$$Rk[0] = \sigma_0; \qquad Rk[i] = \sigma_i - \sigma_{i-1}, \quad i \in \{1, \ldots, 12\}.$$
The root key is then checked for correctness by a trial decryption. If it is wrong, we choose less frequent candidates for the $\sigma_i$'s and try again. As compared to Klein's attack, this approach does not require recalculation of statistics for the rightmost key bytes every time we correct a falsely guessed $\sigma_i$.

References

[1] Andreas Klein. Attacks on the RC4 stream cipher. Des. Codes Cryptography, 48(3):269–286, 2008.

[2] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188–202. Springer, 2007.