Exploring timing based side channel attacks against 802.11i CCMP

Suman Jana, Sneha K. Kasera
University of Utah
suman@cs.utah.edu
http://www.cs.utah.edu/~suman

Introduction

- IEEE 802.11 security is a major concern.
- Wired Equivalent Privacy (WEP) had several major vulnerabilities.
- New wireless security standard: 802.11i, with Robust Security Network Association (RSNA).
- 802.11i recommends the use of Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP).
- CCMP features: Advanced Encryption Standard (AES) as its underlying encryption algorithm.
- AES attacks: no successful publicly known algebraic cryptanalytic attack so far. Side channel attacks are known.
- A side channel attack exploits extra information (e.g., timing information, power consumption) leaked by the system to guess keys.
- A timing based side channel attack uses encryption timing information to guess keys.

[Figures: Counter mode using AES; AES-128 used by 802.11i CCMP; One AES Round]

Performance-sensitive software implementations of AES pre-compute the output of SUBBYTE, SHIFTROWS and MIXCOLUMN and put these values in large lookup tables, each mapping one byte of input to four bytes of output. Variable-time lookups in these tables, caused by cache collisions, are the source of timing attacks against AES.

Our Approach

- [1] noted that the input bytes to the first round of AES encryption are plaintext bytes XOR-ed with key material bytes. These bytes are used to index the lookup tables, so the entire encryption time is affected by each byte value of the XOR-ed output of key and plaintext.
- Bonneau [2] presents another cache access pattern based timing attack on AES, which gathers timing information on the AES final round and uses it to recover the full AES key.
- We adapt the attack presented in [1] to work against 802.11i CCMP.
- The counter value for each new packet is initialized using the packet number, the source MAC address of the packet, and the flag and priority fields. All of these are sent in cleartext, so the attacker can calculate the value of the counter.

So in our scheme an attacker will:

- Collect timing data for each possible value of the XOR-ed key material and plaintext input on a reference AP which is similar to the target AP.
- Correlate the collected data with the data collected from the target AP to guess the value of the XOR-ed key material and plaintext input.
- Derive the key by XOR-ing the known plaintext (i.e., counter value) with the guessed value.

Potential Issues

- [2] notes constant process load => higher probability of success. Access Point process load remains constant.
- Our attack is based on the time taken to encrypt a plaintext. In CCMP an attacker can only measure the time taken to encrypt a particular plaintext (i.e., counter value) directly by measuring the encryption time of packets which are smaller than the AES block size (128 bits). The encryption time of packets bigger than that will be equal to the total time of encrypting all the counter values used for the different blocks of that packet.
- Need to take care of the possibility of wireless delays outweighing the effects of cached lookups. The effect of delay can be minimized by only considering packets with delays exceeding the minimum delay by less than a certain threshold value.

[Figure: A typical wireless network]

Possible Solution

- Modify AES implementations to keep multiple copies of each lookup table in memory and randomly choose one of the copies of the appropriate lookup table to retrieve the value.
- This will increase the space overhead of AES implementations and may yield lower performance as well, because of the probable loss of spatial and temporal locality.
- Need to investigate the exact nature of the performance degradation and how it varies with the number of copies maintained for each table.

Future Directions

- Implement our attack against a real-world AP and evaluate the effect of wireless delays.
- In the Pre Shared Key (PSK) mode of CCMP, investigate whether dictionary based password guessing attacks can be used to help our attack guess the keys faster.
- Make our attack work with fewer time samples by modifying it to exploit the structured nature of the counter value as used in CCMP.

References

[1] D. Bernstein. Cache-timing Attacks on AES, April 2005. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
[2] J. Bonneau and I. Mironov. Cache-Collision Timing Attacks Against AES. In CHES, pages 201–215, 2006.
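
A sketch of the multiple-copy lookup table idea from the Possible Solution section, added here as an example and not code from the poster or its authors. The copy count, the function names and the use of rand() as the selector are assumptions, and only one of the byte-to-four-byte tables is shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define COPIES 4   /* assumed copy count; the poster leaves this open */
static uint32_t te0[COPIES][256];   /* COPIES x 1 KiB instead of 1 KiB */

/* Multiply in GF(2^8) modulo the AES polynomial (0x11b). */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
    }
    return p;
}

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* AES S-box: multiplicative inverse followed by the affine transform. */
static uint8_t sbox(uint8_t x) {
    uint8_t inv = 0;
    for (int y = 1; y < 256 && x; y++)
        if (gmul(x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63;
}

/* Fill every copy with the same byte -> 4-byte table (S-box merged with MixColumns). */
void tables_init(void) {
    for (int x = 0; x < 256; x++) {
        uint32_t s = sbox((uint8_t)x);
        uint32_t w = ((uint32_t)gmul((uint8_t)s, 2) << 24) | (s << 16) | (s << 8) | gmul((uint8_t)s, 3);
        for (int c = 0; c < COPIES; c++) te0[c][x] = w;
    }
}

/* Read from one named copy; the result must not depend on which copy is used. */
uint32_t te0_lookup_copy(unsigned copy, uint8_t idx) { return te0[copy % COPIES][idx]; }

/* Randomized lookup. rand() is a stand-in: a real build needs a selector the attacker cannot predict. */
uint32_t te0_lookup(uint8_t idx) { return te0_lookup_copy((unsigned)rand(), idx); }

size_t te0_footprint(void) { return sizeof te0; }

int main(void) {
    tables_init();
    printf("Te0[0x00]=%08x, %zu bytes for %d copies\n", (unsigned)te0_lookup(0), te0_footprint(), COPIES);
    return 0;
}
```

With COPIES at 4 this one table grows from 1 KiB to 4 KiB, which is the space overhead the poster refers to.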