Bar Mitzvah Attack Analysis

Source: Internet
Author: User

This article gives a simple analysis of the principle behind the Bar Mitzvah Attack in terms of the RC4 algorithm, and uses the WEP cracking process to illustrate the common ways RC4 is cracked. (Personally, I feel that RC4 is obsolete; to avoid the attack, a better encryption algorithm should be used, such as CCMP.)

In addition, the TLS protocol is an extension of the EAP protocol and is an authentication mechanism that is independent of the specific encryption algorithm. WEP is the RC4 implementation that the industry has cracked most often; RC4-based WEP has gradually been superseded by the optimized TKIP algorithm and by the more secure CCMP (based on AES). WEP was the first encryption algorithm introduced in the WLAN field, so this article takes WEP as the starting point for analysis and uses wireless security as an example to give a simple explanation of the Bar Mitzvah Attack.

First, the principle of the Bar Mitzvah Attack

As I understand it, the Bar Mitzvah Attack actually takes advantage of the statistical characteristics of the pseudo-random key stream that the RC4 algorithm generates during the PRGA phase. From the statistical characteristics of the PRGA key stream, plus the common plaintext and simple key lengths found in protocol data, the true secret key can be derived by means such as counting and replay.

RC4 has many security vulnerabilities; in particular, when RC4 is used in conjunction with CRC, there are more security issues.

Second, the principle of the RC4 algorithm

RC4 is designed according to the "one-time pad" principle and encrypts with a stream key. RC4 has two parts: the key scheduling algorithm (KSA) and the random sequence generation algorithm (PRGA). The key scheduling algorithm scrambles a state array according to the user's password, producing a 256B key array. The random sequence generation algorithm further scrambles the key array produced by the key scheduling algorithm, and the resulting 256B pseudo-random sequence is used to encrypt the plaintext. RC4 encrypts by cycling through the pseudo-random sequence and combining it with the plaintext in a bitwise XOR operation.

Figure: RC4 working principle diagram

Key scheduling algorithm (KSA): the KSA mainly scrambles the user's secret key to produce a 128B key array, which weakens the statistical characteristics of the original secret key. The code is as follows:

S[] is initially set to 0-255 (sequentially increasing), and key is the user password. When the code finishes executing, S[] becomes an unordered sequence.

Random sequence generation algorithm (PRGA): it turns the S[] that the KSA left in a scrambled state into a random key stream, which is used to encrypt the plaintext. The principle is still swapping the contents of S[]. The code is as follows:

RC4 uses a stream key: the plaintext is encrypted byte by byte, by a bitwise XOR of the plaintext with the random key stream.

Third, RC4 security analysis

From the code above we can see that: 1) for a given password, the S[] produced by the KSA is fixed; 2) with S[] fixed, the PRGA gives the same encryption result for the same plaintext; 3) S[] is calculated per packet, not globally, so S[] is not really random.

Based on the description of the Bar Mitzvah Attack, I personally think that this attack type and the WEP crack work on the same principle: both rely on the pseudo-random characteristics of S[] and the PRGA, use statistical analysis and replay to work out part of the password, and then iterate using that part to obtain the full password or the plaintext content.

Below, WEP is used as an example to illustrate the cracking process.

Fourth, the cracking process of WEP

WEP is cracked mainly by using the RC4 pseudo-random key stream and the weak CRC for statistics and guessing. (Almost all WEP cracking procedures work through RC4.)

The crack theory of WEP (August 01)

In collaborative research, S. Fluhrer, I. Mantin and A. Shamir found the most deadly attack on wireless LAN security: part of the data payload of WEP frames is used to calculate the WEP secret key used by those frames. The WEP encryption algorithm actually uses the RC4 stream cipher as a pseudo-random number generator: the seed formed by combining the initial vector IV with the WEP key generates the WEP key stream, and the key stream is then XORed with the WEP frame data payload to complete the encryption. The RC4 stream cipher generates the WEP key stream by performing substitution and combination operations on the input seed key. Because the first byte of the data payload in a WEP frame is the logical link control 802.2 header information, which is the same for every WEP frame, an attacker can easily guess it. XORing this first plaintext byte with the ciphertext of the WEP frame data payload yields the first byte of the key stream generated by the PRNG.

In addition, the initial vector in the seed key is transmitted in clear text, so the attacker can intercept it and save it. S. Fluhrer, I. Mantin and A. Shamir proved that, using the known initial vector IV and the first byte of the key stream output, combined with the RC4 key schedule, the attacker can determine the WEP secret key.

CRC-32 algorithm defects

The CRC-32 algorithm, used as the data integrity check algorithm, not only fails to strengthen WEP security because of its own characteristics, but makes it worse. First, the CRC checksum is a linear function of the data, where linearity is with respect to the XOR operation, i.e. $C(x \oplus y) = C(x) \oplus C(y)$. Using this property, a malicious attacker can tamper with the content of the original $P$. In particular, if the attacker knows the data being transmitted, this is all the more so. Second, the CRC-32 checksum is not an encryption function; it is only responsible for checking that the original text is intact and does not encrypt it. If the attacker knows $P$, he can work out $RC4(v,k)$ (since $RC4(v,k) = P \oplus (P \oplus RC4(v,k))$), and can then construct his own encrypted data $C' = (P', C(P')) \oplus RC4(v,k)$ and send it to the receiver together with the original IV (802.11b allows IV reuse).
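The integrity failure described above, as an added Python example (not code from the original page): a frame sealed as (P, C(P)) XOR key stream still verifies after its plaintext has been changed without the key, while a keyed tag rejects the same change. The key stream, MAC key, plaintext and all function names are constructed for illustration; HMAC-SHA256 cut to 4 bytes is a stand-in keyed MAC, not what CCMP uses. `zlib.crc32` adds a length-dependent constant to the linear part, which `patch` cancels with the CRC of an all-zero string.

```python
import hashlib, hmac, struct, zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(data: bytes) -> bytes:
    """WEP-style integrity check value: CRC-32 of the data, little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def keyed_tag(data: bytes) -> bytes:
    """Stand-in keyed MAC, cut to 4 bytes only to match the ICV size."""
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:4]

def seal(plaintext: bytes, keystream: bytes, tag) -> bytes:
    """C = (P || tag(P)) XOR key stream, the construction in the text."""
    return xor(plaintext + tag(plaintext), keystream)

def unseal(ciphertext: bytes, keystream: bytes, tag):
    """Decrypt, then verify the trailing 4-byte tag; None means rejected."""
    body = xor(ciphertext, keystream)
    data, check = body[:-4], body[-4:]
    return data if hmac.compare_digest(check, tag(data)) else None

def patch(ciphertext: bytes, delta: bytes) -> bytes:
    """XOR delta into the hidden plaintext and repair a CRC ICV, with no key.
    For equal lengths: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(00...0)."""
    fix = xor(crc_icv(delta), crc_icv(bytes(len(delta))))
    return xor(ciphertext, delta + fix)

# Constructed sample values; KEYSTREAM stands in for RC4(v, k).
MAC_KEY = b"constructed-mac-key"
KEYSTREAM = hashlib.sha256(b"constructed keystream").digest()
PLAIN = b"seq=0001 data=A"
DELTA = bytes(4) + b"\x08" + bytes(10)      # flips one bit of byte 4

def demo():
    """Return what the receiver accepts under each integrity scheme."""
    with_crc = patch(seal(PLAIN, KEYSTREAM, crc_icv), DELTA)
    with_mac = patch(seal(PLAIN, KEYSTREAM, keyed_tag), DELTA)
    return (unseal(with_crc, KEYSTREAM, crc_icv),
            unseal(with_mac, KEYSTREAM, keyed_tag))

if __name__ == "__main__":
    print(demo())
```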

How the WEP password was cracked

• Passive cracking in listen mode (there is a client and a lot of valid traffic)

Based on what is already known, the key to recovering the WEP password is to collect enough valid data frames, from which we can extract IV values and ciphertext. The first plaintext byte corresponding to this ciphertext is deterministic: it is the logical link control 802.2 header information. XORing this plaintext byte with the ciphertext gives one byte of the WEP key stream. Because the RC4 stream cipher generation algorithm just scrambles the order of the original password, the one byte we obtain is just part of IV+password. However, because of RC4's scrambling, the specific position of this byte in the order is not known. Once enough IV values and password fragments have been collected, statistical analysis can be performed: the password fragments above are paired with their IVs and reordered, and the values from the RC4 algorithm are compared with the positions of multiple stream ciphers. Finally the correct order of these password fragments is obtained, and the WEP password has been worked out. That is the WEP cracking process; it helps to understand cracking WEP as restoring a password by analysing its sub-passwords.

• Active attack (there is a client, with little or no traffic)

ARP-request attack mode: the attacker captures an ARP request packet from a legitimate client. If a legitimate client is found sending an ARP request packet to the AP, the attacker replays this packet to the AP. Because 802.11b allows IV reuse, the AP replies to the client after receiving such an ARP request, so the attacker can collect more IVs. Once enough IVs have been captured, cracking can proceed as in 2.9.1 above. If there is no way to obtain an ARP request packet, the -0 attack can be used to make the legitimate client disconnect from the AP and reconnect. The -0 Deauthenticate attack is actually wireless spoofing. This gives a chance to obtain an ARP request packet.

• Active attack (no-client mode)

First, make a fake association with the AP using the -1 Fakeauth count attack mode. This will generate data packets. Collect two WEP packets with the same IV and XOR the ciphertext in these two packets to obtain an XOR file. With this XOR file and a tool for forging ARP packets, use the characteristics of CRC-32 to forge an ARP packet and send it to the AP together with the original IV. Cracking can then proceed as in 2.9.2 above. -2 Interactive, -4 ChopChop and -5 Fragment are all attack types of the kind described above.
