Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases
Kenny Paterson
Information Security Group
@kennyog ; www.isg.rhul.ac.uk/~kp
Overview
• RC4
• Attacking RC4 in TLS
• Big bias hunting: Attacking RC4 in WPA/TKIP
• Concluding remarks
RC4
RC4
• Designed by Ron Rivest in late 1980s, became public in 1994.
• A byte-oriented stream cipher.
• Variable-length key.
• Elegant design, fast in software, very compact description, easy to implement.
• Widely adopted in secure communications protocols:
• TLS
• WEP
• WPA/TKIP
• Kerberos
• MPPE
• …
RC4
RC4 State: byte permutation and indices i and j
[Figures: RC4 Key scheduling; RC4 Keystream generation]
Cryptanalysis of RC4 (Or: Isn’t RC4 Broken Already?)
• Given its widespread use, RC4 has been subject to a lot of cryptanalysis.
• Biases in keystreams
• Key/state recovery attacks
• Related key attacks
• Its usage in WEP was completely broken, starting with [FMS01].
• Full key-recovery attack now possible with 10k-20k packets [SVV11].
• Many short-term and long-term biases in its keystreams have been identified.
• [FM00], [MS01], [M02], [M05], [MPS11], [SMPS11],…
• Why then is it still so popular in applications?
Popularity of RC4
• It’s fast and easy to implement.
• It’s hard to displace a widely-deployed algorithm without practical, demonstrated attacks.
• The WEP disaster can be argued as a special case, where the use of the algorithm was at fault, not the algorithm itself.
• Composition of key from long-term key and public counter enabled special attacks.
• Lack of practical, demonstrated attacks on common applications.
Attacking RC4 in TLS
Joint work with Nadhem AlFardan, Daniel J. Bernstein, Bertram Poettering and Jacob C.N. Schuldt
Broadcast Attack Setting
• Introduced by Mantin-Shamir in 2001.
• Imagine a fixed but unknown plaintext P is encrypted many times under RC4 using different keys Ki.
• Attack recovers bytes of P by exploiting biases in RC4 keystreams.
• Different from usual setting: recover K from many (P,C) pairs.
Broadcast Attack – Example
• Example:
• Mantin-Shamir bias: Pr[Z2 = 0x00] ≈ 1/128
• But Cr = Pr ⊕ Zr (ciphertext byte = plaintext byte XOR keystream byte).
• So C2 = P2 with probability 1/128.
• Hence, with enough encryptions, can recover P2 directly from C2.
• Just take the most common value of C2 as estimate for P2!
• Does the attack extend to other bytes of plaintext?
• Is the attack really applicable to RC4 in TLS?
• How many ciphertexts are needed for reliable plaintext recovery?
Single-byte Biases in the RC4 Keystream
[Mantin-Shamir 2001]:
[Mironov 2002]:
Described distribution of Z1 (bias away from 0, sine-like distribution)
[Maitra-Paul-Sen Gupta 2011]: for 3 ≤ r ≤ 255
[Sen Gupta-Maitra-Paul-Sarkar 2011]:
Zi = value of i-th keystream byte
l = keylength
Complete Single-byte Keystream Distributions
Approach in [ABPPS13]:
Based on the output from 2^45 random independent 128-bit RC4 keys, estimate the keystream byte distributions for the first 256 bytes (Z1, Z2, Z3, ...).
This computation revealed many new biases in the RC4 keystream.
(Some of these were independently discovered and exploited in [IOWM13].)
[Figures: Keystream Distribution at Position r, one plot for each r = 1, ..., 32. x-axis: byte value; y-axis: probability, with marked levels 0.003878, 0.003906 and 0.003950.]
All the Biases
Broadcast Attack for RC4 in TLS
Is the attack really applicable to RC4 in TLS?
• How is the RC4 algorithm actually used in TLS?
• How much TLS traffic is actually encrypted using RC4?
• How can we ensure that the same plaintext is repeatedly encrypted under different keys?
• What is a good target for the repeated plaintext?
• Can we ensure the target plaintext aligns with the positions where the keystream biases are present?
• How can we deal with the fact that there are multiple biases in each keystream position Zr?
Use of RC4 in TLS
[Diagram: the MAC is computed over SQN || HDR || Application Data; Application Data || MAC tag is XORed with the RC4 keystream to give the Ciphertext, which is sent after HDR.]
MAC: HMAC-MD5, HMAC-SHA1, HMAC-SHA256
Encrypt: CBC-AES128, CBC-AES256, CBC-3DES, RC4-128
Use of RC4 in TLS
• Fresh 128-bit key for RC4 for each TLS connection.
• The key is derived from the TLS master secret and nonces exchanged in the TLS Handshake Protocol run between TLS Client and Server.
• Different key in each direction on secure channel.
• Think of it as a random 128-bit value.
• All bytes of RC4 keystream are used.
• But the first 36 bytes (roughly) are used to encrypt unpredictable messages.
• The TLS Handshake Finished messages.
• So the Mantin-Shamir bias is not exploitable in this application
Rate of RC4 Usage in TLS
• In the face of the BEAST and Lucky 13 attacks on CBC-based ciphersuites in TLS, switching to RC4 was a recommended mitigation.
• Use of RC4 in the wild:
• ICSI Certificate Notary, Jan. 2013 survey of 16 billion TLS connections: approx. 50% protected via RC4 ciphersuites.
How the Web Works
[Diagram: browser, goodsite.com and badsite.com; labels: TLS secure channel, Cookie for goodsite.com]
• Target plaintext is an HTTP secure cookie for goodsite.com.
• Browser Same Origin Policy prevents direct access to cookie.
• JavaScript running in the browser from badsite.com gives attacker the repeated plaintext capability.
• The cookie is added automatically to every HTTP request sent from the browser.
• JavaScript can pad requests in various ways to control exact position of the cookie.
• Attacker needs to force a new TLS connection for each HTTP request.
• Can do this by having active MITM component closing TCP connection via TCP RST or sequence of TCP FIN/ACK messages.
Plaintext Recovery for TLS-RC4
We use an optimal statistical procedure based on Bayes’ theorem.
• This automatically deals with the presence of multiple biases in the keystream bytes.
• [IOWM14] used a sub-optimal procedure relying only on the largest bias in each position (and did not consider in detail the applicability to TLS).
Details of Statistical Analysis
Let c denote the n-vector of ciphertext bytes in position r (one byte from each of the ciphertexts C1, C2, C3, ..., Cn).
We wish to maximise Pr[P=p | C=c].
Bayes’ theorem:
Pr[P=p | C=c] = Pr[C=c | P=p] · Pr[P=p] / Pr[C=c]
= Pr[Z = c ⊕ (p,p,…,p)] · Pr[P=p] / Pr[C=c]
Pr[C=c] is independent of the choice of p.
For simplicity, assume Pr[P=p] is constant.
Then to maximise Pr[P=p | C=c] over all choices of p, we simply need to maximise the expression:
Pr[Z = c ⊕ (p,p,…,p)].
Details of Statistical Analysis
To maximise Pr[P=p | C=c] over all choices of p, we simply need to maximise the expression:
Pr[Z = c ⊕ (p,p,…,p)].
Formally, this is the likelihood of the keystream bytes Z = c ⊕ (p,p,…,p).
Let q = (q00, q01,…, qFF) denote the vector of keystream byte probabilities in position r.
Let nx be the number of occurrences of byte value x in Z = c ⊕ (p,p,…,p).
Then:
Pr[Z = c ⊕ (p,p,…,p)] = q00^(n00) · q01^(n01) · … · qFF^(nFF)
Attack: compute this expression for each candidate p and output the value of p giving the maximum value.
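The two estimators discussed so far (most common ciphertext byte from the Broadcast Attack example, and the likelihood expression above), run on simulated data; this is an added example, not code from the talk or from [ABPPS13]. It works for any keystream position r and is run at position 2, where the Mantin-Shamir bias is large enough for 2^16 simulated encryptions. The PRNG, seed, function names and sample sizes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* splitmix64: deterministic source of simulated key material (not part of RC4). */
static uint64_t rng_state;
static uint64_t next_u64(void) {
    uint64_t z = (rng_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* RC4 key scheduling, then keystream generation; returns Z_r for r >= 1. */
static uint8_t rc4_byte_at(const uint8_t *key, size_t keylen, unsigned r) {
    uint8_t S[256], t, z = 0;
    unsigned i, j = 0, n;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (n = 0; n < r; n++) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
        z = S[(S[i] + S[j]) & 0xFF];
    }
    return z;
}

/* Natural log for 0 < v <= 1 (range reduction plus atanh series), written out
   so the file builds without linking libm. */
static double ln(double v) {
    int e = 0, k;
    double t, t2, term, sum = 0.0;
    while (v < 0.5) { v *= 2.0; e--; }
    t = (v - 1.0) / (v + 1.0); t2 = t * t; term = t;
    for (k = 1; k < 40; k += 2) { sum += term / k; term *= t2; }
    return 2.0 * sum + e * 0.6931471805599453;
}

/* Tally b ^ Z_r over n fresh random 128-bit keys. b = 0 samples the keystream
   distribution at position r; b = P_r simulates the broadcast setting, where
   each ciphertext byte is C_r = P_r ^ Z_r. */
static void tally_position(unsigned r, uint8_t b, unsigned long n, unsigned long tally[256]) {
    uint64_t key[2];
    unsigned long k;
    memset(tally, 0, 256 * sizeof tally[0]);
    for (k = 0; k < n; k++) {
        key[0] = next_u64(); key[1] = next_u64();
        tally[b ^ rc4_byte_at((const uint8_t *)key, 16, r)]++;
    }
}

/* Estimator that relies on one bias towards 0x00: the most common ciphertext byte. */
static int most_common_byte(const unsigned long ct[256]) {
    int c, best = 0;
    for (c = 1; c < 256; c++) if (ct[c] > ct[best]) best = c;
    return best;
}

/* Likelihood estimator. For candidate p, n_x = ct[x ^ p], so
   ln Pr[Z = c ^ (p,...,p)] = sum over x of ct[x ^ p] * ln(q_x); q_x is estimated
   from the keystream tally ks with add-one smoothing (keeps ln finite). */
static int max_likelihood_byte(const unsigned long ct[256], const unsigned long ks[256],
                               unsigned long num_keys) {
    double lq[256], score, best_score = 0.0;
    int p, x, best = 0;
    for (x = 0; x < 256; x++) lq[x] = ln((ks[x] + 1.0) / (num_keys + 256.0));
    for (p = 0; p < 256; p++) {
        for (score = 0.0, x = 0; x < 256; x++) score += (double)ct[x ^ p] * lq[x];
        if (p == 0 || score > best_score) { best_score = score; best = p; }
    }
    return best;
}

/* Whole experiment at position r on constructed data (fixed seed). Returns the
   byte recovered by the likelihood (1) or most-common (0) estimator. */
static int recover_demo(unsigned r, uint8_t secret, unsigned long num_keys,
                        unsigned long num_ct, int use_likelihood) {
    unsigned long ks[256], ct[256];
    rng_state = 2013;
    tally_position(r, 0, num_keys, ks);
    tally_position(r, secret, num_ct, ct);
    return use_likelihood ? max_likelihood_byte(ct, ks, num_keys) : most_common_byte(ct);
}

int main(void) {
    int ml = recover_demo(2, 0x41, 1UL << 18, 1UL << 16, 1);
    int mc = recover_demo(2, 0x41, 1UL << 18, 1UL << 16, 0);
    printf("position 2, secret 0x41: likelihood=0x%02X most-common=0x%02X\n", ml, mc);
    return 0;
}
```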
![Page 58: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/58.jpg)
Success Probability 220 Connections
58
![Page 59: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/59.jpg)
59
Success Probability 221 Connections
![Page 60: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/60.jpg)
60
Success Probability 222 Connections
![Page 61: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/61.jpg)
61
Success Probability 223 Connections
![Page 62: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/62.jpg)
62
Success Probability 224 Connections
![Page 63: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/63.jpg)
63
Success Probability 225 Connections
![Page 64: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/64.jpg)
64
Success Probability 226 Connections
![Page 65: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/65.jpg)
65
Success Probability 227 Connections
![Page 66: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/66.jpg)
66
Success Probability 228 Connections
![Page 67: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/67.jpg)
67
Success Probability 229 Connections
![Page 68: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/68.jpg)
68
Success Probability 230 Connections
![Page 69: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/69.jpg)
Success Probability 2^31 Connections
![Page 70: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/70.jpg)
Success Probability 2^32 Connections
![Page 71: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/71.jpg)
Current Status of RC4 in TLS
Snapshot from ICSI Certificate Notary Project:
![Page 72: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/72.jpg)
Comments
• Amount of TLS-RC4 traffic is declining, but not as quickly as we might hope.
• ICSI: from 50% to ~33%.
• SSL Pulse: 81% of 150k sites surveyed still support RC4.
• Security Pitfalls: 1% of 400k sites support only RC4!
• But attacks only get better with time…
• Double-byte bias attack in [ABPPS13] – more ciphertexts, but single connection, so faster overall.
• Exploitation of known plaintext distributions.
• Ranking of plaintext candidates – e.g. for password recovery, only need password to be in top T candidates.
• IT’S TIME TO STOP USING RC4 IN TLS!
![Page 73: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/73.jpg)
Big bias hunting in Amazonia: Attacking RC4 in WPA/TKIP
Joint work with Bertram Poettering and Jacob C.N. Schuldt
![Page 74: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/74.jpg)
Introduction to WPA/TKIP
• WEP, WPA, WPA2 are all IEEE standards for wireless LAN encryption under the 802.11 family.
• WEP (1999) is considered to be badly broken
• Beginning with [FMS01], now roughly 10k-20k packets needed for key recovery.
• Other attacks on integrity, authentication.
• WPA/TKIP was proposed by IEEE in 2003 as an intermediate solution.
• Allow reuse of same hardware, firmware-only upgrade.
• Hence only limited changes to WEP design were possible.
• Introduction of supposedly stronger per-frame keys (TKIP: Temporal Key Integrity Protocol).
![Page 75: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/75.jpg)
Introduction to WPA/TKIP
• WPA was only intended as a temporary fix.
• WPA2 (2004) introduces a strong cryptographic solution based on AES-CCM.
• But WPA is still in widespread use today.
• Vanhoef-Piessens (2013): 71% of 6803 networks surveyed still permit WPA/TKIP; 19% allowed only WPA/TKIP.
• Significant previous analysis of WPA in [TB09], [SVV11].
![Page 76: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/76.jpg)
Overview of WPA/TKIP Encryption
• TK (Temporal Key): 128 bits, used to protect many consecutive frames.
• TSC (TKIP Sequence Counter): 48 bits, incremented for each frame sent.
• TA (Transmitter Address): 48 bits, MAC address of sender.
[Diagram: TK, TA and TSC feed the mixing function; its output, a 16-byte key, is the RC4 key that produces the RC4 keystream]
![Page 77: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/77.jpg)
WPA/TKIP Key Mixing Function
[Diagram: TK, TA and TSC feed the mixing function, which outputs the 16-byte RC4 key: K0, K1, K2 and 13 further bytes]
K0 = TSC1
K1 = (TSC1 OR 0x20) AND 0x7f
K2 = TSC0
(TSC0 and TSC1 are the two least significant bytes of TSC)
![Page 78: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/78.jpg)
Exploiting TSC Information
• We can immediately apply previous statistical attacks to WPA/TKIP, with quite some success.
• Using keystream distributions for random keys having WPA/TKIP structure.
• See full version of [ABPPS13] for details.
• But recall that WPA/TKIP keys have additional structure:
K0 = TSC1
K1 = (TSC1 OR 0x20) AND 0x7f
K2 = TSC0
• Recall also that the TSC value is transmitted in clear as part of the WPA/TKIP frame.
![Page 79: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/79.jpg)
Exploiting TSC Information
• Idea: There may be even larger keystream biases that arise for specific (TSC0,TSC1) values; these could disappear when aggregating over all (TSC0,TSC1) values.
• Exploitation in plaintext recovery attack:
• Bin available ciphertexts into 2^16 bins according to (TSC0,TSC1) value.
• Carry out likelihood analysis in each bin using bin-specific keystream distribution.
• Multiply likelihoods across bins to compute plaintext likelihoods.
• Similar (but different) ideas were developed in [SMMPS14].
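The bin-and-multiply step above, written out as an added worked formula (it is not taken from the slides, and the symbols are assumptions introduced here). Fix a byte position $r$. Let $B$ be the set of bins, $N_{b,c}$ the number of ciphertexts in bin $b$ whose byte at position $r$ equals $c$, and $p_{b,k}$ the bin-specific probability that keystream byte $r$ equals $k$. Assuming the ciphertexts are independent encryptions of the same plaintext, the likelihood of a candidate plaintext byte $\mu$ is

$$L(\mu) \;=\; \prod_{b \in B} \; \prod_{c=0}^{255} p_{b,\,c \oplus \mu}^{\,N_{b,c}}, \qquad \log L(\mu) \;=\; \sum_{b \in B} \; \sum_{c=0}^{255} N_{b,c} \, \log p_{b,\,c \oplus \mu}.$$

The inner product is the likelihood analysis within one bin, the outer product is the multiplication across bins, and the recovered byte is the $\mu$ that maximises $\log L(\mu)$. With a single bin the expression reduces to the analysis that uses one aggregated keystream distribution.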
![Page 80: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/80.jpg)
Confirming Existence of Large (TSC0,TSC1)-specific Biases
[Figure: two plots of probability against byte value (0 to 256). Panels: output byte 1, (TSC0,TSC1) = (0x00,0x00); output byte 33, (TSC0,TSC1) = (0x00,0x00). Blue: TSC-specific biases. Red: fully aggregated WPA/TKIP biases.]
![Page 81: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/81.jpg)
Exploiting TSC Information
• Problem: This approach requires a large number of keystreams to get accurate estimates for each of the 2^16 different (TSC0,TSC1)-specific keystream distributions.
• At a minimum, we would like to use at least 2^32 keystreams for each (TSC0,TSC1) value, hence 2^48 in total.
• With our local computing setup, computing 2^24 keystreams for each of the 2^16 (TSC0,TSC1) values required 2^6 core days of computation.
• This computation did indicate the presence of many new biases.
• Desired computation would then need 2^14 core days.
![Page 82: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/82.jpg)
TSC0 Aggregation
• TSC1 is used in computing two key bytes; TSC0 in only one:
K0 = TSC1
K1 = (TSC1 OR 0x20) AND 0x7f
K2 = TSC0
• Hence we may expect biases to depend more strongly on TSC1 than on TSC0.
• So we could ignore TSC0 and look only at how biases depend on TSC1.
• Effectively, we would then be aggregating biases over TSC0.
• We call this TSC0 aggregation.
• In the plaintext recovery attack, we would then use only 2^8 bins instead of 2^16.
• And we’d need 2^8 times fewer keystreams for estimating distributions.
• Our first attack applied to WPA/TKIP can then be seen as the variant where we aggregate over both TSC0 and TSC1, using just 1 bin.
• We call this full aggregation.
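The key structure from the "Exploiting TSC Information" slides and the three binning strategies from the "TSC0 Aggregation" slide, as an added Python example (not code from the talk). The RC4 routine is the standard algorithm; `public_key_bytes`, `structured_key`, `bin_id`, `tally` and `constructed_frames` are hypothetical names, and the 13 key bytes that the real mixing function produces are modelled as uniformly random, matching the slides' "random keys having WPA/TKIP structure".

```python
import random
from collections import defaultdict

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def public_key_bytes(tsc0: int, tsc1: int) -> bytes:
    """K0, K1, K2 as on the slides: all three come from the cleartext TSC."""
    return bytes([tsc1, (tsc1 | 0x20) & 0x7F, tsc0])

def structured_key(tsc0: int, tsc1: int, rng: random.Random) -> bytes:
    """16-byte RC4 key with the WPA/TKIP structure.
    ASSUMPTION: the 13 bytes that the real mixing function derives from
    TK, TA and TSC are modelled here as uniformly random bytes."""
    tail = bytes(rng.randrange(256) for _ in range(13))
    return public_key_bytes(tsc0, tsc1) + tail

def bin_id(tsc0: int, tsc1: int, mode: str):
    """Bin a frame by its TSC bytes under the three strategies in the talk."""
    if mode == "none":   # no aggregation: one bin per (TSC0, TSC1), 2^16 bins
        return (tsc0, tsc1)
    if mode == "tsc0":   # TSC0 aggregation: 2^8 bins, keyed by TSC1 only
        return tsc1
    if mode == "full":   # full aggregation: a single bin
        return 0
    raise ValueError(mode)

def tally(frames, positions: int, mode: str):
    """counts[bin][position][byte value]: one counter per bin, per keystream
    position and per keystream byte value."""
    counts = defaultdict(lambda: [[0] * 256 for _ in range(positions)])
    for tsc0, tsc1, keystream in frames:
        table = counts[bin_id(tsc0, tsc1, mode)]
        for pos in range(positions):
            table[pos][keystream[pos]] += 1
    return counts

def constructed_frames(n: int, positions: int, seed: int = 1):
    """Constructed sample data: n keystreams for a TSC counting up from 0."""
    rng = random.Random(seed)
    frames = []
    for tsc in range(n):
        tsc0, tsc1 = tsc & 0xFF, (tsc >> 8) & 0xFF
        key = structured_key(tsc0, tsc1, rng)
        frames.append((tsc0, tsc1, rc4_keystream(key, positions)))
    return frames

if __name__ == "__main__":
    frames = constructed_frames(1024, 4)
    for mode in ("none", "tsc0", "full"):
        print(mode, "bins used:", len(tally(frames, 4, mode)))
    k1_values = {public_key_bytes(0, t)[1] for t in range(256)}
    print("distinct K1 values over all TSC1:", len(k1_values))
```

K1 takes only 64 distinct values across the 256 possible TSC1 bytes, because bit 5 is forced on and bit 7 is forced off.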
![Page 83: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/83.jpg)
Plaintext recovery based on TSC0 aggregation: 2^20 frames
[Figure: recovery rate (0% to 100%) against byte position (0 to 256)]
![Page 84: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/84.jpg)
Plaintext recovery based on TSC0 aggregation: 2^22 frames
[Figure: recovery rate (0% to 100%) against byte position (0 to 256)]
![Page 85: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/85.jpg)
Plaintext recovery based on TSC0 aggregation: 2^24 frames
[Figure: recovery rate (0% to 100%) against byte position (0 to 256)]
![Page 86: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/86.jpg)
Plaintext recovery based on TSC0 aggregation: 2^26 frames
[Figure: recovery rate (0% to 100%) against byte position (0 to 256)]
![Page 87: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/87.jpg)
Plaintext recovery based on TSC0 aggregation: 2^28 frames
[Figure: recovery rate (0% to 100%) against byte position (0 to 256)]
![Page 88: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/88.jpg)
Plaintext recovery with TSC0 aggregation (blue) compared to full aggregation (red): 2^24 frames
[Figure: recovery rate (0% to 100%) against byte position (0 to 256)]
![Page 89: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/89.jpg)
Performance of Single-byte Plaintext Recovery Attacks
[Figure] Red: basic attack (full aggregation); blue: TSC0 aggregation. Solid line: average over all 256 positions; dotted line: average over odd positions.
![Page 90: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/90.jpg)
Big-bias Hunting
• We then obtained a grant from the UK government enabling us to compute accurate per-(TSC0,TSC1) keystream distributions.
• We used Amazon EC2 to carry out large-scale single-byte and double-byte keystream distribution computations.
• For first 512 positions of keystreams in each case.
• Single-byte: 2^32 keystreams per (TSC0,TSC1) value, 2^48 in total.
• Double-byte: 2^30 keystreams per (TSC0,TSC1) value, 2^46 in total.
• Total computation was about 63 virtual core years.
• Approximately 5% of computation involved in RSA-768 sieving step.
• (Or just 1% of the latest EPFL computations!)
![Page 91: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/91.jpg)
Big-bias Hunting
• We exploited the inherent parallelism in the problem.
• We used, in both computations, 256 ‘c3.8xlarge’ instances in parallel.
• 8192 virtual cores, mapping onto 4096 Intel Xeon 2.8GHz processors.
• Essentially, an entire Amazon EC2 data centre.
• Boto (Python) + Ubuntu 13.10 + OpenSSL + careful cache optimisations.
• Running cost: $614 per hour (+ 20% tax).
• Make very sure your code is correct before executing it!
• Make sure to terminate instances as soon as computation is done!
![Page 92: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/92.jpg)
Big-bias Hunting: Single-Byte Computation
• Single-byte computation ran for 32 hours, or 30 virtual core years, and cost approximately $20k.
• Produced dataset consisting of 2^16 x 2^9 x 2^8 32-bit integers.
• One counter per (TSC0,TSC1), per position, and per keystream byte value.
• 32GB of distribution data in total.
![Page 93: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/93.jpg)
Big-bias Hunting: Double-Byte Computation
• Double-byte computation ran for 35 hours, or 33 virtual core years, and cost approximately $23k.
• Produced dataset consisting of 2^16 x 2^9 x 2^16 32-bit integers.
• One counter per (TSC0,TSC1), per position, and per pair of keystream byte values.
• 8TB in total, storage cost of $410 per month on EC2.
• Data transfer to our local RAID was charged at $0.12 per GB, $983 in total.
• We used the bbcp tool developed by experimental physicists; 48 hours at 50MB per second.
![Page 94: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/94.jpg)
Performance of Single-byte Plaintext Recovery Attacks
[Figure] Red: basic attack (full aggregation); blue: TSC0 aggregation. Solid line: average over all 256 positions; dotted line: average over odd positions.
![Page 95: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/95.jpg)
Performance of Single-byte Plaintext Recovery Attacks
[Figure] Red: basic attack (full aggregation); blue: TSC0 aggregation; green: no aggregation. Solid line: average over all 256 positions; dotted line: average over odd positions.
![Page 96: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/96.jpg)
WPA/TKIP Closing Remarks
• Plaintext recovery for WPA/TKIP is possible for the first 256 bytes of frames, provided sufficiently many independent encryptions of the same plaintext are available.
• Security is far below the level implied by the 128-bit key TK.
• Suitable targets for attack might include fixed but unknown fields in encapsulated protocol headers.
• Targeting HTTP traffic via client-side JavaScript is also possible, as in TLS attacks.
![Page 97: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/97.jpg)
Concluding Remarks
![Page 98: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/98.jpg)
Concluding Remarks
• RC4 is still widely used for performance and legacy reasons.
• Don’t underestimate the power of inertia.
• Broadcast attacks can be made practical.
• Interesting statistical questions arise.
• As a community, we should work more on making our attacks practical and maximising their real-world impact.
• This requires understanding of and interaction with that real world!
![Page 99: Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation ... Bias Hunting in... · 7 Popularity of RC4 •It’s fast and easy to implement. •It’s hard to displace](https://reader033.vdocuments.site/reader033/viewer/2022042023/5e7ba5e60bba855396117e4f/html5/thumbnails/99.jpg)
“Thank Yous”
My thanks to:
• The Asiacrypt 2014 program chairs and general chairs for the invitation and for their hospitality.
• My co-authors Bertram Poettering and Jacob Schuldt.
• My additional co-authors on [ABPPS13] – Nadhem AlFardan and Dan Bernstein.
• Martin Albrecht, Jon Hart and Adrian Thomas at RHUL for their assistance with sourcing, building and maintaining our local computing infrastructure and for help in managing AWS.
• EPSRC and the UK government for funding our adventures in Amazonia.