13:34 The attack on wpa details | |
In explanation of the topic compromised WPA. Attempt yet to understand what happened and what it can threaten us. Since cryptographic attack - a thing is needed to understand quite a lot of specific knowledge, the article may be considered in some ways the study of security in Wi-Fi networks. Well, for starters have a little stroll on the theory of cryptographic protocols, Wi-Fi. While the impatient and those who are not interested in all this is science-like casuistry, it is not forbidden to proceed immediately to a conclusion. WEPWEP protocol is currently considered obsolete, not recommended for use at all in favor of WPA and WPA2. You bet! Vulnerability of its serious enough that they allow to crack the key and connect to a secure network in minutes. How many of these very minute need, depends on the intensity of traffic on the network, the average loaded network breaks down for a minute or two (are interested in this question refer to the article and the homepage of the main hacker TOOLS for wi-fi aircrack-ng). WPA/WPA2 themselves are to some extent, the suspension of WEP, in the sense that the basic format of the packet and the encryption algorithm (for WPA) is not changed, thus there was no need to change the equipment, in most cases, it was enough to update the firmware (correct to speak not about WPA/WPA2, and the standard of IEEE 802.11i; WPA - it's part of it, including key management protocol and encryption, TKIP, WPA2 also fully implements the standard including protocol with AES-CCMP encryption). Since the packet formats for all protocols have much in common, starting with the WEP packet as very simple: We are in this package are most interested in the transmitted data (Network Data) Here IV - Initialization Vector is , Salt required to build per-packet key. Data - is actually transmitted data generated in the upper-layer protocol stack, OSI (for example, data can be an IP packet). IC (hereinafter called this field ICV - Integrity Check Value) - this CRC32 check-sum from the Data, which serves to verify data integrity. Data + ICV encrypted with the RC4 algorithm with a key IV + WEP_key, ie obtained by simple concatenation of IV and password WEP. Size IV - 24-bit, RC4 cipher uses a key length of 64 or 128 bits. This explains why the WEP password lengths are 5 or 13 characters (ie, 40 or 104 bits). RC4 - a stream cipher. Initialized with a key, and then issues a sequence of pseudo-random bits with uniform distribution, called the keystream. This sequence can be used to encrypt data (traditionally called plaintext) by the operation XOR, the resulting sequence is usually called the ciphertext. The WEP vulnerabilities associated with small mean IV, a primitive algorithm for obtaining a per-packet key, the vulnerabilities of the RC4 algorithm and its streaming nature. WPASo, in this picture that I had previously called the Network Data, comes after the MAC Header (check-sum of the FCS is not shown here, as in the figure for WEP; it does not interest us, unnecessarily . its processing is on the lower level model OSI). IV - it's the same 24-bit WEP Initialization Vector, only its meaning is somewhat different structure of the data packet is much more complex. To understand the meaning of the representation of the field, let us consider briefly (and fully consider the time and effort there, and I'm afraid of boring :-)) Protocol TKIP, which I have already mentioned: TKIP (Temporal Key Integrity Protocol) implements three approaches to improve the safety of radio protocols, the family of IEEE 802.11. Firstly, it is a function of mixing keys, which combines a secret master key PTK (see below) with the initialization vector, before his transfer as a key algorithm, RC4. Second, this sequence counter (TSC - TKIP Sequence Counter) 48-bit length, whose value increases with each transmitted packet. Packets received out of order will be rejected (ie, packets will be rejected with an earlier TSC), which protects against the so-called replay-attacks. Finally, a 64-bit security code messages MIC (Message Integrity Code). TKIP also implements a mechanism rekeying'a - changing session keys, and ensures that each packet will be transmitted with a unique RC4 key. The session key, PTK (Pairwise Transient Key) - a set of 4 x 128-bit keys used for TKIP encryption packages separate periods between shifts keys. Note that the PTK - it is not WEP password, and neither he nor the mechanism of its generation are not part of TKIP. The PTK includes 4 keys: one for data encryption TKIP (let's call it TK), one for calculating the MIC (and its MTK), and two so-called EAPOL key, which I will not touch. The keys are generated using the password WPA (finally appeared password!), Known to both parties during a four "handshake" (picture, there is a fairly detailed article in English about the WPA). Returning to the previous figure with the structure of the package WPA, see that everything between the MAC Header and Data in essence - the counter TSC plus some field offices that serve to protect against weak keys and saying, that uses Extended IV . TSC is set to zero at the beginning of the session, and steadily increases with each allocated to this device package, the capacity of 48 bits is enough for ~ 250 trillion package that can be considered sufficient, taking into account the periodic re-initialization of session keys (unlike the 24-bit IV in WEP). A unique key to encrypt the package is calculated from TK, TA (Transmittor Address - MAC address of the transmitter) and TSC by a certain two-phase hashing mechanism, which gives the output 104-bit string to which is added WEP IV (yes, the same 24-bit IV) for 128-bit key (actually a picture of the formation of the key visual, but inaccurate, meticulous can look at this). Whew ... What we've got left? Oh yeah, MIC. It was created mainly to fight poddlekoy (forgery) packages. Is computed from the data of the entire message (plus the address of the transmitter and receiver) before fragmentation and a possible change of order packets by using the algorithm named MICHAEL, generating a signature of length 64 bits. Algorithm, except the data using a key, namely, the aforementioned MTK. Importantly, the algorithm is in some sense, is reversible, ie knowing the data and MIC signature, we can calculate the key MTK. The fight against counterfeiting by the Access Point is, in fact, as follows: if the packet came with incorrect MIC (in this case it is valid for other attributes, ie has a valid value TSC and ICV amount has been checked), then sent to the sender notice and, if possible, this event is recorded in the log as a hacking attempt. If, within 60 seconds, comes another packet with an invalid MIC, the access point initiates rekeying of data by the sender. Thus spoofed packets with impunity (relatively) can be sent no more frequently than once per minute. Chop-Chop attackFrom an impressive list of attacks to which the vulnerable WEP, consider the so-called Chop-Chop attack (from the English. Chop, loose translation - "cut off a slice). This attack allows you to see plaintext message (ie message data before encryption), and thus RC4 keystream package (plaintext + keystream = ciphertext => keystream = ciphertext + plaintext). Attack uses the fact that the CRC32 check-sum does not pass the requirements for a cryptographic hash function. Remember that ideologically CRC is the remainder of the division of a string S, presented in the form of a polynomial (of X) with coefficients equal to the corresponding bit in its binary representation, a predefined polynomial PCRC (X), where the arithmetic operations are performed in the field GF (2) (podrobnee, for example, Wikipedia). However, in such form CRC is insensitive to the zeros at the beginning and end of a string, so in practice in the beginning and end appended to the special line (of length equal to the number of bits of CRC), which is denoted as Li (top) and Lf (end). Usually, they both consist of 32 binary units. Thus, for CRC32: CRC = (X32 * S + Li * Xn +32 + Lf) mod PCRC (1) , where n - the length of S in bits. It is noteworthy that if the original string S attributed to the right of CRC, a CRC of the resulting line will be constant and equal to the CRC empty string to denote a Pzero (proved very easy, just remember that in GF (2) addition and subtraction are one and the same operation - XOR), or as a formula (X32 * (X32 * S + CRC) + Li * Xn +64 + Lf) mod PCRC = Pzero (2) In WEP-package last byte of data (Network Data) - is an encrypted ICV, ie CRC on the message. Let's forget for a while encrypting and consider what would happen if we remove the last byte, which is denoted as R, from the package. Let Q - a package without a byte, then Q is unlikely to have the desired content (ie, CRC). But it turns out that the Q can be added to a polynomial in M ??so that the correct CRC. Substituting the first SO = Q * X8 + R, and then S1 = Q + M in (2), easy to find that M = (X32) -1 * (1 + (X8) -1) * (Pzero + Lf) + (X8) -1 * R Raise the polynomial P in-1yu degree means to find a polynomial P ' that P * P '= 1 mod PCRC, which is always possible, because PCRC is irreducible polynomials with operations modulo PCRC form field. By the way, the degree of M does not exceed 32, because M is sufficient to take modulo PCRC. If you go through all bytes of R from 0 to 255, and send them to the network access point, we finally stumble on the right. Understand that we are in bytes, in reality also is simple: packets with an invalid ICV quietly drops as sent with the error, if the CRC is correct, we can expect a response packet, for example, in the case of WPA, it will usually be the package, which informs about incorrect MIC. But more on that later. And what about encryption? It turns out that the package is encrypted, does not matter, because RC4 encryption algorithm is reduced to XOR-ivan data keystream'om, but the addition of M are the same XOR, as well as the XOR operation is commutative and associative, then it does not matter, add M to the original data and then encrypt, or is already encrypted. This process can be repeated further, "biting off" by a byte of the message, and it is theoretically possible to decrypt WEP packet of arbitrary length. The attack on WPAFinally, we in fact, the subject of the article. So, what happens if you try to use Chop-Chop attack to the network with WPA protection? TKIP has basically two means to protect against such attacks:
The first paragraph in part on the attacker's hand, because allows us to understand when he guessed the next byte. The second is more complicated: indeed, suppose we caught ARP packet sent by one of the devices in the network, it is caught and Access Point, to forward the packet to it again pointless, since TSC is incremented, plus a first device, perhaps by sending more packets increasing the count even more. The author considers the attack found an outlet in the specification of IEEE 802.11e, decisive improvements in QoS networks for Wi-Fi. The dry residue here is this: Wi-Fi devices support multiple packet queue (which is above them, I called channels; what exactly do they relate to real radio channels, I do not presume to say), according to one of the authors, Eric Tyuza, it was supposed to use 4 channel in the standard of 8, in reality, the authors found up to 16. Channels are usually not used simultaneously, saving bandwidth for important packages. In an unloaded network is often all traffic goes to one channel, thus package we are likely to catch on a channel with a high counter TSC, as it can be resent by switching to a less loaded channel. It is important that, again referring to the authors, when sending a message about an incorrect MIC counter channel is not increased, thus more channels can not switch. If the network does not support QoS extensions, the attack is, in principle, also feasible, if we can prevent selected for decrypting the package on the AP and sent him to disable the device from the network. It is clear that attempts to decrypt any packet length bytes per minute, it is fairly hopeless - a standard Wi-Fi package has a size of ~ 2300 bytes, ie it will take about one and a half days, and during this time or TSC counter increases, and keys will be replaced, or access point srebutitsya, or you "fuses". Moreover, having one device that can break only one package. Well, sniffer do not work out, see what we can give a transcript of short packets, eg, ARP, which are easily identified by their length (14 bytes). Actually, the attacker knows most of the contents of the APR package, namely the headers and MAC addresses. If you can also do, and some assumptions about the structure of the break open IP network (the network created from under Windows, for example, can be expected that the IP addresses will be of the form 192.168.0.x), then the guess will be nothing. Ie, guessing 12 bytes ICV + MIC, the rest can just pick up, using ICV amount. From this figure mentioned in the press in 12 minutes for hacking. What's next? Decode a single packet, an attacker learns RC4-keystream package (use it, however, can only, while TSC has not changed) and, more importantly, the session MTK - I mentioned that the MIC is reversible, and the data and signature you can set the key. The latter means that until the next change of keys, there is no need to guess more than MIC, and, for example, to crack the next ARP packet (with the same assumptions about the structure of the network) will take 4-5 minutes. Use the decrypted data to send forged packets can be, depending on the number of QoS channels from 7 to 15 times (less if the traffic goes on more than one channel), will continue to "chop-chopit" another package. Conclusion: degree of threat and protectionIf you recall the reports in the press to report Tyuza, for example: Erik Tews will show how he was able to crack WPA encryption ... in a relatively short amount of time : 12 to 15 minutes ... in order to read data being sent from a router to a laptop computer. To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a «mathematical breakthrough», that lets them crack WPA much more quickly than any previous attempt, Ruiu said. Www.pcworld.com it is obvious that the paint "slightly" exaggerated - read traffic from the AP to the client in fact is impossible, and somehow it is not clear that the «mathematical breakthrough» made such authors, as chop-chop attack is known already since 2004 ... Despite the fact that the statements were heard on breaking the encryption, WPA passwords themselves, and even temporary session keys (not counting the MIC key) in full security. Attack allows you to decipher some short packets being processed, spending in the best case for 4-5 minutes on the package, and using the results of decoding, to inject a very limited number of equally short packets back to the network . Yes, it seems, the first serious attack demonstrated the vulnerability of Protocol TKIP, but the great majority worry about the reasons to be seen. According Tyuza: "if you use encryption, but in order to protect their online channel is the use of random people, you're in complete safety." An attack can not be used for any connection to a home or corporate network, or to track them in traffic. Nevertheless, Petty Tricks in theory can be done, such as: "poison» ARP (perhaps DNS) cache, read a certain amount of private traffic Tyuz also indicates the possibility to cheat Some firewalls. What methods can deal with this kind of attack? Well, first, of course, you can simply switch to WPA2 with AES encryption. Also, the authors recommend reducing the regeneration key access point (up to 2-3 minutes, which will, in principle, impossible to describe the procedure above) and disable the automatic sending of messages about incorrect MIC in the packet. Unfortunately, it is unclear whether providing advanced access point settings such thin (personally, I now have no idea if someone met, it would be interesting to know). Well, you can hardly say that WPA hacked. Moreover, I think that until worry especially about. However, citing a source, "now that these two (Beck and Hughes) have opened the door, WPA sure to attract the attention of thousands of researchers: white, gray and black." Material and links Battered, but not broken (the popular and accessible article about the attack) Article Beck and Tyuza The article on WPA Prezentashka (in the article used a couple of pictures ) aircrack-ng Not a bad article about the CRC and the theory of hacking Article on how fast crack WEP and FMS attack in vikiredii Disclaimer Please do not judge strictly, not I am a specialist in information security and wireless protocols, or even an amateur, rather from interested :-) And I beg your pardon, if handled story theory and detail. | |
|
Total comments: 0 | |