[cryptography] RC4 is dangerous in ways not yet known - heads up on near injection WPA2 downgrade to TKIP RC4

coderman coderman at gmail.com
Mon Sep 15 04:02:37 EDT 2014


first and foremost:
WPA2 does NOT prevent an adversary able to inject packets at you from
downgrading crypto to flawed RC4. due to odd forgotten legacy protocol
bits, every implementation of WPA2 that i have tested is vulnerable to
an active downgrade to TKIP/RC4 while still being "WPA2" and still
showing all signs of using strongest security settings.

let me re-iterate: _WPA2 only_ as a setting on router or client device
does not prevent an active RC4 downgrade when using WPA2. AES-CCMP
must be explicitly checked for, and this is not straightforward in
end-user configuration or management utilities.

RECOMMENDATION: use a wireless packet capture utility to specifically
check for and alert on the presence of TKIP in a WPA2 session. this
never happens under legitimate circumstances. [if you know of one,
please tell me!]

TKIP in WPA2 == Active injection attack by "well funded" adversary[0]

---

i missed the renewed speculation that periodically swirls around RC4, e.g.

"I feel but cannot prove that the day is coming when we learn that
everything we ever encrypted with RC4 is very practical to decrypt"
 - https://twitter.com/marshray/status/505586082461655040

"Kind of annoyed SHA-1 is a "crypto emergency" when most of the web
was encrypted with RC4 last year and almost no one cared"
 - https://twitter.com/bascule/status/509239990216163330

"This attack also applies directly to WPA/TKIP, with similar success
rates, because of its use of per-packet keys for RC4. Here, the
particular structure of WPA/TKIP keys means that a different set of
biases are obtained in the first 256 bytes of RC4 keystream... For
WPA/TKIP, the only reasonable countermeasure is to upgrade to WPA2."
 - http://www.isg.rhul.ac.uk/tls/

---

i have an advisory pending to full-disclosure with details on this
WPA2 force downgrade to TKIP attack and a rant about Kaminsky's DEF
CON 22 talk. advisory includes timeline indicating "in the wild"
discovery of this technique late 2013.  any earlier indications
welcome!

to be clear, this issue is with backwards compatibility in WPA2, and
the manner in which a local attacker (8 miles or more with power and
directional emission) can force the WPA2 protected session to use
TKIP/RC4 while appearing to both client and network management
equipment to be using WPA2 and best security configuration. (not WEP,
not WPA)

this is not about how RC4 is broken; i have no idea about the nature
of the RC4 weaknesses enabling decryption, and this as yet unknown
attack is certainly more effective than the attack described in
CVE-2013-2566:
"The attacks can only be carried out by a determined attacker who can
generate sufficient sessions for the attacks. They recover a limited
amount of plaintext. In this sense, the attacks do not pose a
significant danger to ordinary users of TLS or WPA/TKIP in their
current form. However, it is a truism that attacks only get better
with time, and we anticipate significant further improvements to our
attacks."

the attacks observed in the wild did not rely on any additional or
excessive packet creation to reach effectiveness.

best regards,



0. About TKIP with WPA2...
some tools know that TKIP is backwards compatible in WPA2, having
written to spec. E.g. airodump-ng: "Not mandatory, but TKIP is
typically used with WPA and CCMP is typically used with WPA2."

in my testing i have never seen a device that could do WPA2 but not
AES-CCMP. if you find one i'd like to know about it!  if you ever see
a device+router pair that used to speak AES-CCMP over WPA2 suddenly
using TKIP you are under active attack.

finally, i mention "advanced attacker" because utilizing this
downgrade also means applying an as yet unknown attack on the RC4
cipher to decrypt.


More information about the cryptography mailing list