
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah


Presentation Transcript


  1. Exploring timing based side channel attacks against 802.11i CCMP
     Suman Jana, Sneha K. Kasera
     University of Utah

Introduction

• IEEE 802.11 security is a major concern.
• Wired Equivalent Privacy (WEP) had several major vulnerabilities.
• New wireless security standard: 802.11i, with Robust Security Network Association (RSNA).
• 802.11i recommends use of Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP).
• CCMP features:
  • Advanced Encryption Standard (AES) as its underlying encryption algorithm.
• AES attacks:
  • No successful publicly known algebraic cryptanalytic attack so far.
  • Known side channel attacks.
• A side channel attack exploits extra information (i.e., timing information, power consumption etc.) leaked by the system to guess keys.
• A timing based side channel attack uses encryption timing information to guess keys.

[Figure: A typical wireless network]
[Figure: AES-128 used by 802.11i CCMP]
[Figure: Counter mode using AES]

• Performance-sensitive software implementations of AES:
  • Pre-compute the output of SUBBYTE, SHIFTROWS and MIXCOLUMN and put these values in large lookup tables, each mapping one byte of input to four bytes of output.
  • Variable-time lookups in these tables, caused by cache collisions, are the source of timing attacks against AES.
• [1] noted that the input bytes to the first round of AES encryption are plaintext bytes XOR-ed with key material bytes. These bytes are used to index the lookup tables. This causes the entire encryption time to be affected by each byte value of the XOR-ed output of key and plaintext.
• Bonneau [2] presents another cache access pattern based timing attack on AES, which works by gathering timing information on the AES final round and uses it to launch an attack to recover the full AES key.

[Figure: One AES Round]

Our Approach

We adapt the attack presented in [1] to work against 802.11i CCMP. The counter value for each new packet is initialized using the packet number, the source MAC address of the packet, and the flag and priority fields. All of these are sent in cleartext, so the attacker can calculate the value of the counter. So in our scheme an attacker will:

• Collect timing data for each possible value of the XOR-ed key material and plaintext input on a reference AP which is similar to the target AP.
• Correlate the collected data with the data collected from the target AP to guess the value of the XOR-ed key material and plaintext input.
• Derive the key by XOR-ing the known plaintext (i.e., counter value) with the guessed value.

[2] notes that constant process load gives a higher probability of success. Access Point process load remains constant.

Potential Issues

• Our attack is based on the time taken to encrypt a plaintext. In CCMP an attacker can only measure the time taken to encrypt a particular plaintext (i.e., counter value) directly by measuring the encryption time of packets which are smaller than the AES block size (128 bits). The encryption time of packets bigger than that will be equal to the total time of encrypting all the counter values used for the different blocks of that packet.
• The attack needs to take care of the possibility of wireless delays outweighing the effects of cached lookups. The effect of delay can be minimized by only considering packets with delays exceeding the minimum delay by less than a certain threshold value.

Possible Solution

Modify AES implementations to keep multiple copies of each lookup table in memory and randomly choose one of the copies of the appropriate lookup table to retrieve the value. This will increase the space overhead of AES implementations and may yield lower performance as well, because of the probable loss of spatial and temporal locality. We need to investigate the exact nature of the performance degradation and how it varies with the number of copies maintained for each table.

Future Directions

• Implement our attack against a real-world AP and evaluate the effect of wireless delays.
• In the case of Pre Shared Key (PSK) mode of CCMP, investigate whether dictionary based password guessing attacks can be used to help our attack guess the keys faster.
• Make our attack work with fewer timing samples by modifying it to exploit the structured nature of the counter value as used in CCMP.

References

[1] D. Bernstein. Cache-timing Attacks on AES, April 2005. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
[2] J. Bonneau and I. Mironov. Cache-Collision Timing Attacks Against AES. In CHES, pages 201–215, 2006.

suman@cs.utah.edu
http://www.cs.utah.edu/~suman
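The counter construction described under Our Approach, and the "structured nature of the counter value" mentioned under Future Directions, shown as an added example that is not from the poster. It follows the CCMP nonce layout of IEEE 802.11i; the function names, MAC address and packet number are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AES input for keystream block i of one CCMP frame:
 * Flags(1) | Priority(1) | A2 source MAC(6) | PN5..PN0(6) | counter i(2) */
void ccmp_ctr_block(uint8_t out[16], uint8_t priority,
                    const uint8_t a2[6], uint64_t pn, uint16_t i) {
    out[0] = 0x01;                      /* flags: counter length 2, minus 1 */
    out[1] = priority;                  /* 0 for non-QoS frames */
    memcpy(&out[2], a2, 6);
    for (int k = 0; k < 6; k++)         /* 48-bit PN, most significant first */
        out[8 + k] = (uint8_t)(pn >> (8 * (5 - k)));
    out[14] = (uint8_t)(i >> 8);
    out[15] = (uint8_t)(i & 0xff);
}

/* Number of AES input bytes that differ between two counter blocks. */
int ctr_diff_bytes(const uint8_t a[16], const uint8_t b[16]) {
    int n = 0;
    for (int k = 0; k < 16; k++) n += (a[k] != b[k]);
    return n;
}

/* Input bytes that change from frame pn to frame pn+1 of one sender. */
int changed_between_frames(const uint8_t a2[6], uint64_t pn) {
    uint8_t x[16], y[16];
    ccmp_ctr_block(x, 0, a2, pn, 1);
    ccmp_ctr_block(y, 0, a2, pn + 1, 1);
    return ctr_diff_bytes(x, y);
}

int main(void) {
    const uint8_t mac[6] = {0x02, 0, 0, 0, 0, 0x01};  /* constructed address */
    uint8_t blk[16];
    ccmp_ctr_block(blk, 0, mac, 0x0102, 1);           /* constructed PN */
    for (int k = 0; k < 16; k++) printf("%02x", blk[k]);
    printf("\nbytes changed by PN 0x0102 -> 0x0103: %d\n",
           changed_between_frames(mac, 0x0102));
    return 0;
}
```

Every byte of the block comes from fields carried in the clear, and consecutive frames from one sender usually differ in a single input byte.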
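A sketch of the countermeasure under Possible Solution for one table, added here and not the authors' implementation. The copy count, the function names and the use of `rand()` as the selector in `main` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define COPIES 4  /* assumed copy count; the poster leaves the number open */
static uint32_t te0[COPIES][256];  /* each copy: 256 x 4 bytes = 1 KiB */

static uint8_t xtime(uint8_t x) {  /* multiply by 2 in GF(2^8) */
    return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0));
}
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) r ^= a;
    return r;
}
/* AES S-box: multiplicative inverse, then the affine transform. */
static uint8_t sbox(uint8_t x) {
    uint8_t inv = 0, s;
    for (int c = 1; c < 256 && x; c++)
        if (gmul(x, (uint8_t)c) == 1) { inv = (uint8_t)c; break; }
    s = inv;
    for (int i = 0; i < 4; i++) {
        inv = (uint8_t)((inv << 1) | (inv >> 7));
        s ^= inv;
    }
    return (uint8_t)(s ^ 0x63);
}
/* Fill every copy with the same T-table entry: bytes (2s, s, s, 3s). */
void tables_init(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t s = sbox((uint8_t)x), s2 = xtime(s);
        uint32_t w = ((uint32_t)s2 << 24) | ((uint32_t)s << 16) |
                     ((uint32_t)s << 8) | (uint32_t)(s2 ^ s);
        for (int c = 0; c < COPIES; c++) te0[c][x] = w;
    }
}
/* Entry used for this lookup; rnd must come from an unpredictable source. */
const uint32_t *te0_slot(uint8_t idx, uint32_t rnd) {
    return &te0[rnd % COPIES][idx];
}
size_t tables_bytes(void) { return sizeof te0; }

int main(void) {
    tables_init();
    /* rand() is a stand-in here, not a suitable generator for real use */
    const uint32_t *p = te0_slot(0x53, (uint32_t)rand());
    printf("Te0[0x53]=%08x, %zu bytes for %d copies\n",
           (unsigned)*p, tables_bytes(), COPIES);
    return 0;
}
```

The same index now resolves to one of several addresses 1 KiB apart, at a memory cost that grows linearly with the copy count. The lookups remain data-dependent, so this spreads the cache footprint without making the implementation constant-time.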
