[cryptography] RC4 is dangerous in ways not yet known - heads up on near injection WPA2 downgrade to TKIP RC4

nymble nymble at gmail.com
Sun Sep 21 22:49:27 PDT 2014


On Sep 15, 2014, at 1:02 AM, coderman <coderman at gmail.com> wrote:

> first and foremost:
> WPA2 does NOT prevent an adversary able to inject packets at you from
> downgrading crypto to flawed RC4. due to odd forgotten legacy protocol
> bits, every implementation of WPA2 that i have tested is vulnerable to
> an active downgrade to TKIP/RC4 while still being "WPA2" and still
> showing all signs of using strongest security settings.

TKIP is NOT the same as RC4 … while we are trying to remove it from
any usage in Wi-FI, it has yet to be fully broken (publicly).

> 
> let me re-iterate: _WPA2 only_ as a setting on router or client device
> does not prevent an active RC4 downgrade when using WPA2. AES-CCMP
… vendors create crappy UIs.  WPA2 only should mean just AES-CCMP.
Some are done correctly.

> must be explicitly checked for, and this is not straightforward in
> end-user configuration or management utilities.
> 
> RECOMMENDATION: use a wireless packet capture utility to specifically
> check for and alert on the presence of TKIP in a WPA2 session. this
> never happens under legitimate circumstances. [if you know of one,
> please tell me!]
YEs/

> 
> TKIP in WPA2 == Active injection attack by "well funded" adversary[0]
Please elaborate.  TKIP has not been identified as a ‘active attack’ vector.

> 
> ---
> 
> i missed the renewed speculation that periodically swirls around RC4, e.g.
> 
> "I feel but cannot prove that the day is coming when we learn that
> everything we ever encrypted with RC4 is very practical to decrypt"
> - https://twitter.com/marshray/status/505586082461655040
> 
> "Kind of annoyed SHA-1 is a "crypto emergency" when most of the web
> was encrypted with RC4 last year and almost no one cared"
> - https://twitter.com/bascule/status/509239990216163330
> 
> "This attack also applies directly to WPA/TKIP, with similar success
> rates, because of its use of per-packet keys for RC4. Here, the
> particular structure of WPA/TKIP keys means that a different set of
> biases are obtained in the first 256 bytes of RC4 keystream... For
> WPA/TKIP, the only reasonable countermeasure is to upgrade to WPA2."
> - http://www.isg.rhul.ac.uk/tls/
> 
> ---
> 
> i have an advisory pending to full-disclosure with details on this
> WPA2 force downgrade to TKIP attack and a rant about Kaminsky's DEF
> CON 22 talk. advisory includes timeline indicating "in the wild"
> discovery of this technique late 2013.  any earlier indications
> welcome!
> 
> to be clear, this issue is with backwards compatibility in WPA2, and
> the manner in which a local attacker (8 miles or more with power and
> directional emission) can force the WPA2 protected session to use
> TKIP/RC4 while appearing to both client and network management
> equipment to be using WPA2 and best security configuration. (not WEP,
> not WPA)
> 
> this is not about how RC4 is broken; i have no idea about the nature
> of the RC4 weaknesses enabling decryption, and this as yet unknown
> attack is certainly more effective than the attack described in
> CVE-2013-2566:
> "The attacks can only be carried out by a determined attacker who can
> generate sufficient sessions for the attacks. They recover a limited
> amount of plaintext. In this sense, the attacks do not pose a
> significant danger to ordinary users of TLS or WPA/TKIP in their
> current form. However, it is a truism that attacks only get better
> with time, and we anticipate significant further improvements to our
> attacks."
> 
> the attacks observed in the wild did not rely on any additional or
> excessive packet creation to reach effectiveness.
> 
> best regards,
> 
> 
> 
> 0. About TKIP with WPA2...
> some tools know that TKIP is backwards compatible in WPA2, having
> written to spec. E.g. airodump-ng: "Not mandatory, but TKIP is
> typically used with WPA and CCMP is typically used with WPA2."
> 
> in my testing i have never seen a device that could do WPA2 but not
> AES-CCMP.
WPA2 is supposed to mean AES-CCMP.  WPA is TKIP.  
Unclear that you know what you are saying ….


nymble


> if you find one i'd like to know about it!  if you ever see
> a device+router pair that used to speak AES-CCMP over WPA2 suddenly
> using TKIP you are under active attack.
> 
> finally, i mention "advanced attacker" because utilizing this
> downgrade also means applying an as yet unknown attack on the RC4
> cipher to decrypt.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography





More information about the cypherpunks mailing list