Tweet
Tweet

Slide 1

Slide 1 text

൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIPʹର͢Δฏจճ෮߈ܸ ΩʔϫʔυɿετϦʔϜ҉߸ɼRC4ɼWPA-TKIPɼݤ૬ؔɼฏจճ෮߈ܸ ҏ౻ཽഅ ٶ஍ॆࢠ େࡕେֶ ISEC @ ࡳຈίϯϕϯγϣϯηϯλʔ 2018. 7. 26 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 1 / 36

Slide 2

Slide 2 text

͸͡Ίʹ ݚڀഎܠɿRC4 ͱ WPA-TKIP RC4 ▶ KSA ͱ PRGA ʹΑΔΩʔετϦʔϜͷੜ੒ WPA-TKIP ▶ ಛ௃ɿTKIP ʹΑΔ RC4 ൿີݤ {K[0], K[1], K[2]} ͷੜ੒खॱ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 2 / 36

Slide 3

Slide 3 text

͸͡Ίʹ ݚڀഎܠɿRC4 ͱ WPA-TKIP RC4 ▶ KSA ͱ PRGA ʹΑΔΩʔετϦʔϜͷੜ੒ WPA-TKIP ▶ ಛ௃ɿTKIP ʹΑΔ RC4 ൿີݤ {K[0], K[1], K[2]} ͷੜ੒खॱ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 2 / 36

Slide 4

Slide 4 text

͸͡Ίʹ ݚڀഎܠɿSSL/TLS, WEP. WPA-TKIP ͷݱঢ় ▶ SSL/TLS Ͱͷ RC4 ར༻ېࢭ [Pop15] ▶ શ΢Σϒϒϥ΢βʗαʔόͷ͏ͪ໿ 18.7%͕ RC4 Λະͩαϙʔτத ▶ WEP, WPA-TKIP ར༻ͷඇਪ঑ ▶ ࣗ୐ແઢ LAN (Wi-Fi) ͷ҉߸Խʹؔ͢Δݱঢ় [IPA, 2016] ▶ ແઢ LAN ʹର͢Δμ΢ϯάϨʔυΞλοΫͷݱ࣮తͳڴҖ [VP16] ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 3 / 36

Slide 5

Slide 5 text

͸͡Ίʹ ݚڀഎܠɿSSL/TLS, WEP. WPA-TKIP ͷݱঢ় ▶ SSL/TLS Ͱͷ RC4 ར༻ېࢭ [Pop15] ▶ શ΢Σϒϒϥ΢βʗαʔόͷ͏ͪ໿ 18.7%͕ RC4 Λະͩαϙʔτத ▶ WEP, WPA-TKIP ར༻ͷඇਪ঑ ▶ ࣗ୐ແઢ LAN (Wi-Fi) ͷ҉߸Խʹؔ͢Δݱঢ় [IPA, 2016] ▶ ແઢ LAN ʹର͢Δμ΢ϯάϨʔυΞλοΫͷݱ࣮తͳڴҖ [VP16] ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 3 / 36

Slide 6

Slide 6 text

͸͡Ίʹ ݚڀഎܠɿSSL/TLS, WEP. WPA-TKIP ͷݱঢ় ▶ SSL/TLS Ͱͷ RC4 ར༻ېࢭ [Pop15] ▶ શ΢Σϒϒϥ΢βʗαʔόͷ͏ͪ໿ 18.7%͕ RC4 Λະͩαϙʔτத ▶ WEP, WPA-TKIP ར༻ͷඇਪ঑ ▶ ࣗ୐ແઢ LAN (Wi-Fi) ͷ҉߸Խʹؔ͢Δݱঢ় [IPA, 2016] ▶ ແઢ LAN ʹର͢Δμ΢ϯάϨʔυΞλοΫͷݱ࣮తͳڴҖ [VP16] ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 3 / 36

Slide 7

Slide 7 text

͸͡Ίʹ ؔ࿈ݚڀɿNew Iterated RC4 Key Correlations [IM18] ൓෮ੑͷ͋Δݤ૬ؔ Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) ϖΞ͕ ℓ ϥ΢ϯυ͝ͱ൓෮͢Δݤ૬ؔʢݤ௕ɿℓ = 16ʣ Ϟνϕʔγϣϯɿ (K[0], K[1]) ϖΞͱ (K[0], K[2]) ϖΞΛ༻͍ͨฏจճ෮߈ܸ Table 1 : {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} ͷ෮ݩʹඞཁͳ҉߸จ਺ͷൺֱ [IM18] [IOWM13] λʔήοτ ݤ૬ؔ ҉߸จ਺ ࠷దͳࣄ৅ ҉߸จ਺ P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 4 / 36

Slide 8

Slide 8 text

͸͡Ίʹ ؔ࿈ݚڀɿNew Iterated RC4 Key Correlations [IM18] ൓෮ੑͷ͋Δݤ૬ؔ Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) ϖΞ͕ ℓ ϥ΢ϯυ͝ͱ൓෮͢Δݤ૬ؔʢݤ௕ɿℓ = 16ʣ Ϟνϕʔγϣϯɿ (K[0], K[1]) ϖΞͱ (K[0], K[2]) ϖΞΛ༻͍ͨฏจճ෮߈ܸ Table 1 : {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} ͷ෮ݩʹඞཁͳ҉߸จ਺ͷൺֱ [IM18] [IOWM13] λʔήοτ ݤ૬ؔ ҉߸จ਺ ࠷దͳࣄ৅ ҉߸จ਺ P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 4 / 36

Slide 9

Slide 9 text

͸͡Ίʹ ؔ࿈ݚڀɿNew Iterated RC4 Key Correlations [IM18] ൓෮ੑͷ͋Δݤ૬ؔ Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) ϖΞ͕ ℓ ϥ΢ϯυ͝ͱ൓෮͢Δݤ૬ؔʢݤ௕ɿℓ = 16ʣ Ϟνϕʔγϣϯɿ (K[0], K[1]) ϖΞͱ (K[0], K[2]) ϖΞΛ༻͍ͨฏจճ෮߈ܸ Table 1 : {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} ͷ෮ݩʹඞཁͳ҉߸จ਺ͷൺֱ [IM18] [IOWM13] λʔήοτ ݤ૬ؔ ҉߸จ਺ ࠷దͳࣄ৅ ҉߸จ਺ P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 4 / 36

Slide 10

Slide 10 text

͸͡Ίʹ ϞνϕʔγϣϯɿϕετΞλοΫ [PPS14, VP15] ͱͷൺֱ Table 2 : ฏจճ෮߈ܸ [MS01, IOWM13, ABP+13, PPS14, VP15] ؔ࿈ݚڀ ֓ཁ Z2 = 0 ͷόΠΞεɼ෼෍ͷࣝผʹඞཁͳαϯϓϧ਺ͷධՁɼ [MS01] ϒϩʔυΩϟετηοςΟϯάʹ͓͚Δ߈ܸख๏ΛॳΊͯఏҊ ઌ಄ 257 όΠτͷΩʔετϦʔϜʹؔ͢Δ࠷దͳόΠΞεηοτɼ [IOWM13] 232 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ ઌ಄ 256 όΠτͷΩʔετϦʔϜʹؔ͢Δ෼෍Λแׅతʹར༻ɼ [ABP+13] 232 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 100%ͷ֬཰Ͱ෮ݩ [ABP+13] Λ֦ுɼWPA-TKIP ʹ͓͚Δ IV ຖͷ෼෍Λར༻ɼ [PPS14] 228 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ [VP15] [ABP+13] ͱ [PPS14] + ฏจީิϦετʢ༏ઌॱҐʣ ϞνϕʔγϣϯɿϕετΞλοΫ [PPS14, VP15] ͱͷൺֱ ▶ ݤ૬ؔ [GMM+14, IM18] Λ༻͍ͨ߈ܸ͸ϕετΞλοΫΑΓ΋ޮ཰త͔ʁ ▶ όΠτ୯ҐͰ࠷దͳ߈ܸΛબ୒͢Δ͜ͱͰϕετΞλοΫΛߋ৽Ͱ͖Δ͔ʁ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 5 / 36

Slide 11

Slide 11 text

͸͡Ίʹ ϞνϕʔγϣϯɿϕετΞλοΫ [PPS14, VP15] ͱͷൺֱ Table 2 : ฏจճ෮߈ܸ [MS01, IOWM13, ABP+13, PPS14, VP15] ؔ࿈ݚڀ ֓ཁ Z2 = 0 ͷόΠΞεɼ෼෍ͷࣝผʹඞཁͳαϯϓϧ਺ͷධՁɼ [MS01] ϒϩʔυΩϟετηοςΟϯάʹ͓͚Δ߈ܸख๏ΛॳΊͯఏҊ ઌ಄ 257 όΠτͷΩʔετϦʔϜʹؔ͢Δ࠷దͳόΠΞεηοτɼ [IOWM13] 232 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ ઌ಄ 256 όΠτͷΩʔετϦʔϜʹؔ͢Δ෼෍Λแׅతʹར༻ɼ [ABP+13] 232 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 100%ͷ֬཰Ͱ෮ݩ [ABP+13] Λ֦ுɼWPA-TKIP ʹ͓͚Δ IV ຖͷ෼෍Λར༻ɼ [PPS14] 228 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ [VP15] [ABP+13] ͱ [PPS14] + ฏจީิϦετʢ༏ઌॱҐʣ ϞνϕʔγϣϯɿϕετΞλοΫ [PPS14, VP15] ͱͷൺֱ ▶ ݤ૬ؔ [GMM+14, IM18] Λ༻͍ͨ߈ܸ͸ϕετΞλοΫΑΓ΋ޮ཰త͔ʁ ▶ όΠτ୯ҐͰ࠷దͳ߈ܸΛબ୒͢Δ͜ͱͰϕετΞλοΫΛߋ৽Ͱ͖Δ͔ʁ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 5 / 36

Slide 12

Slide 12 text

͸͡Ίʹ ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 1. ࠷దͳόΠΞεηοτΛར༻ͨ͠ฏจճ෮߈ܸ ▶ ࠷దͳόΠΞεηοτͷ༗ޮੑΛ֬ೝ ▶ {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257} ͷ 12 όΠτ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 57.2% ͷ֬཰Ͱ෮ݩ ▶ [IOWM13] ͷ߈ܸΑΓ΋ 3.0% ௿͍֬཰ 2. ݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠ฏจճ෮߈ܸ ▶ ݤ૬ؔ [GMM+14, IM18] Λ [ABP+13, PPS14] ͷ߈ܸʹԠ༻ ▶ [PPS14] ͷ߈ܸΑΓ΋ {P3, P18, P34, P50, P66, P82} ͷ 6 όΠτΛޮ཰తʹ෮ݩ 3. ݤ૬ؔΛར༻ͨ͠࠷దͳฏจճ෮߈ܸ ▶ όΠτ୯ҐͰ࠷దͳฏจͷ෮ݩํ๏Λબ୒ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 90.8% ͷ֬཰Ͱ෮ݩ ▶ ैདྷͷ߈ܸΑΓ΋ 6.0% ߴ͍֬཰ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 6 / 36

Slide 13

Slide 13 text

͸͡Ίʹ ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 1. ࠷దͳόΠΞεηοτΛར༻ͨ͠ฏจճ෮߈ܸ ▶ ࠷దͳόΠΞεηοτͷ༗ޮੑΛ֬ೝ ▶ {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257} ͷ 12 όΠτ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 57.2% ͷ֬཰Ͱ෮ݩ ▶ [IOWM13] ͷ߈ܸΑΓ΋ 3.0% ௿͍֬཰ 2. ݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠ฏจճ෮߈ܸ ▶ ݤ૬ؔ [GMM+14, IM18] Λ [ABP+13, PPS14] ͷ߈ܸʹԠ༻ ▶ [PPS14] ͷ߈ܸΑΓ΋ {P3, P18, P34, P50, P66, P82} ͷ 6 όΠτΛޮ཰తʹ෮ݩ 3. ݤ૬ؔΛར༻ͨ͠࠷దͳฏจճ෮߈ܸ ▶ όΠτ୯ҐͰ࠷దͳฏจͷ෮ݩํ๏Λબ୒ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 90.8% ͷ֬཰Ͱ෮ݩ ▶ ैདྷͷ߈ܸΑΓ΋ 6.0% ߴ͍֬཰ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 6 / 36

Slide 14

Slide 14 text

͸͡Ίʹ ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 1. ࠷దͳόΠΞεηοτΛར༻ͨ͠ฏจճ෮߈ܸ ▶ ࠷దͳόΠΞεηοτͷ༗ޮੑΛ֬ೝ ▶ {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257} ͷ 12 όΠτ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 57.2% ͷ֬཰Ͱ෮ݩ ▶ [IOWM13] ͷ߈ܸΑΓ΋ 3.0% ௿͍֬཰ 2. ݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠ฏจճ෮߈ܸ ▶ ݤ૬ؔ [GMM+14, IM18] Λ [ABP+13, PPS14] ͷ߈ܸʹԠ༻ ▶ [PPS14] ͷ߈ܸΑΓ΋ {P3, P18, P34, P50, P66, P82} ͷ 6 όΠτΛޮ཰తʹ෮ݩ 3. ݤ૬ؔΛར༻ͨ͠࠷దͳฏจճ෮߈ܸ ▶ όΠτ୯ҐͰ࠷దͳฏจͷ෮ݩํ๏Λબ୒ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 90.8% ͷ֬཰Ͱ෮ݩ ▶ ैདྷͷ߈ܸΑΓ΋ 6.0% ߴ͍֬཰ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 6 / 36

Slide 15

Slide 15 text

͸͡Ίʹ ൃද಺༰ 1 ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ Mantin ͱ Shamir ͷ߈ܸ [MS01] Isobe Βͷ࠷దͳόΠΞεηοτ [IOWM13] AlFardan Βͷ߈ܸ [ABP+13] Paterson Βͷ߈ܸ [PPS14] Sen Gupta Βͷݤ૬ؔ [GMM+14] Ito ͱ Miyaji ͷ൓෮ੑͷ͋Δݤ૬ؔ [IM18] 2 ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ ݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠߈ܸ ݤ૬ؔΛར༻ͨ͠࠷దͳ߈ܸ 3 ·ͱΊ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 7 / 36

Slide 16

Slide 16 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ Table 3 : ฏจճ෮߈ܸ [MS01, IOWM13, ABP+13, PPS14, VP15] ؔ࿈ݚڀ ֓ཁ Z2 = 0 ͷόΠΞεɼ෼෍ͷࣝผʹඞཁͳαϯϓϧ਺ͷධՁɼ [MS01] ϒϩʔυΩϟετηοςΟϯάʹ͓͚Δ߈ܸख๏ΛॳΊͯఏҊ ઌ಄ 257 όΠτͷΩʔετϦʔϜʹؔ͢Δ࠷దͳόΠΞεηοτɼ [IOWM13] 232 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ ઌ಄ 256 όΠτͷΩʔετϦʔϜʹؔ͢Δ෼෍Λแׅతʹར༻ɼ [ABP+13] 232 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 100%ͷ֬཰Ͱ෮ݩ [ABP+13] Λ֦ுɼWPA-TKIP ʹ͓͚Δ IV ຖͷ෼෍Λར༻ɼ [PPS14] 228 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ [VP15] [ABP+13] ͱ [PPS14] + ฏจީิϦετʢ༏ઌॱҐʣ Table 4 : ݤ૬ؔ [GMM+14, IM18] ؔ࿈ݚڀ ֓ཁ Zr = a · K[0] + b · K[1] + c · K[2] + d ʢWPA-TKIP Ͱͷݤ૬ؔʣ ɼ [GMM+14] {P1, P3, P256, P257} Λ [IOWM13] ΑΓ΋ޮ཰తʹ෮ݩ [IM18] Zr = K[0] − K[r mod ℓ] − r ʢ൓෮ੑͷ͋Δݤ૬ؔʣ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 8 / 36

Slide 17

Slide 17 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ Table 3 : ฏจճ෮߈ܸ [MS01, IOWM13, ABP+13, PPS14, VP15] ؔ࿈ݚڀ ֓ཁ Z2 = 0 ͷόΠΞεɼ෼෍ͷࣝผʹඞཁͳαϯϓϧ਺ͷධՁɼ [MS01] ϒϩʔυΩϟετηοςΟϯάʹ͓͚Δ߈ܸख๏ΛॳΊͯఏҊ ઌ಄ 257 όΠτͷΩʔετϦʔϜʹؔ͢Δ࠷దͳόΠΞεηοτɼ [IOWM13] 232 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ ઌ಄ 256 όΠτͷΩʔετϦʔϜʹؔ͢Δ෼෍Λแׅతʹར༻ɼ [ABP+13] 232 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 100%ͷ֬཰Ͱ෮ݩ [ABP+13] Λ֦ுɼWPA-TKIP ʹ͓͚Δ IV ຖͷ෼෍Λར༻ɼ [PPS14] 228 ݸͷ҉߸จ͔Βઌ಄ 256 όΠτͷฏจΛ໿ 80%ͷ֬཰Ͱ෮ݩ [VP15] [ABP+13] ͱ [PPS14] + ฏจީิϦετʢ༏ઌॱҐʣ Table 4 : ݤ૬ؔ [GMM+14, IM18] ؔ࿈ݚڀ ֓ཁ Zr = a · K[0] + b · K[1] + c · K[2] + d ʢWPA-TKIP Ͱͷݤ૬ؔʣ ɼ [GMM+14] {P1, P3, P256, P257} Λ [IOWM13] ΑΓ΋ޮ཰తʹ෮ݩ [IM18] Zr = K[0] − K[r mod ℓ] − r ʢ൓෮ੑͷ͋Δݤ૬ؔʣ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 8 / 36

Slide 18

Slide 18 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 1ɿMantin ͱ Shamir ͷ߈ܸ [MS01] ఆཧ 1 [MS01, Theorem 1] PRGA ͷॳظ಺෦ঢ়ଶ S0 ͕ϥϯμϜͳঢ়ଶͰ͋ΔͱԾఆ͢Δɽ͜ͷ࣌ɼRC4 ʹ ͓͚Δ 2 όΠτ໨ͷΩʔετϦʔϜ͕ 0 ͱͳΔ֬཰͸ɼ 2 N ʹۙࣅ͞ΕΔɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 9 / 36

Slide 19

Slide 19 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 1ɿMantin ͱ Shamir ͷ߈ܸ [MS01] ఆཧ 1 [MS01, Theorem 1] PRGA ͷॳظ಺෦ঢ়ଶ S0 ͕ϥϯμϜͳঢ়ଶͰ͋ΔͱԾఆ͢Δɽ͜ͷ࣌ɼRC4 ʹ ͓͚Δ 2 όΠτ໨ͷΩʔετϦʔϜ͕ 0 ͱͳΔ֬཰͸ɼ 2 N ʹۙࣅ͞ΕΔɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 9 / 36

Slide 20

Slide 20 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 1ɿMantin ͱ Shamir ͷ߈ܸ [MS01] ϒϩʔυΩϟετηοςΟϯά ▶ ಉҰͷฏจ P ΛҟͳΔෳ਺ͷൿີݤ K Λ༻͍ͯ҉߸Խͨ͠৘ใ C Λૹ৴ ఆཧ 3 [MS01, Theorem 3] P2 Λ 2 όΠτ໨ͷฏจͱ͠ɼC(1) 2 , . . . , C(k) 2 ΛҰ༷ϥϯμϜʹબΜͩ k ݸͷൿີ ݤͰ RC4 ʹΑΓ҉߸Խ͞Εͨ҉߸จͱ͢Δɽ͜ͷ࣌ɼk = Ω(N) ͳΒ͹ɼk ݸͷ ҉߸จ͔Β P2 Λಋग़ՄೳͰ͋Δɽ P2 ͷ෮ݩํ๏ ▶ RC4 ͷ҉߸ԽɿC2 = P2 ⊕ Z2 ▶ ʢఆཧ 1ʣ 2 N ͷ֬཰Ͱ C2 = Z2 ͕੒ཱ ▶ ࠷΋ස౓ͷߴ͍ C2 ͷ஋Λ P2 ͱͯ͠෮ݩ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 10 / 36

Slide 21

Slide 21 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 1ɿMantin ͱ Shamir ͷ߈ܸ [MS01] ϒϩʔυΩϟετηοςΟϯά ▶ ಉҰͷฏจ P ΛҟͳΔෳ਺ͷൿີݤ K Λ༻͍ͯ҉߸Խͨ͠৘ใ C Λૹ৴ ఆཧ 3 [MS01, Theorem 3] P2 Λ 2 όΠτ໨ͷฏจͱ͠ɼC(1) 2 , . . . , C(k) 2 ΛҰ༷ϥϯμϜʹબΜͩ k ݸͷൿີ ݤͰ RC4 ʹΑΓ҉߸Խ͞Εͨ҉߸จͱ͢Δɽ͜ͷ࣌ɼk = Ω(N) ͳΒ͹ɼk ݸͷ ҉߸จ͔Β P2 Λಋग़ՄೳͰ͋Δɽ P2 ͷ෮ݩํ๏ ▶ RC4 ͷ҉߸ԽɿC2 = P2 ⊕ Z2 ▶ ʢఆཧ 1ʣ 2 N ͷ֬཰Ͱ C2 = Z2 ͕੒ཱ ▶ ࠷΋ස౓ͷߴ͍ C2 ͷ஋Λ P2 ͱͯ͠෮ݩ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 10 / 36

Slide 22

Slide 22 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 1ɿMantin ͱ Shamir ͷ߈ܸ [MS01] ϒϩʔυΩϟετηοςΟϯά ▶ ಉҰͷฏจ P ΛҟͳΔෳ਺ͷൿີݤ K Λ༻͍ͯ҉߸Խͨ͠৘ใ C Λૹ৴ ఆཧ 3 [MS01, Theorem 3] P2 Λ 2 όΠτ໨ͷฏจͱ͠ɼC(1) 2 , . . . , C(k) 2 ΛҰ༷ϥϯμϜʹબΜͩ k ݸͷൿີ ݤͰ RC4 ʹΑΓ҉߸Խ͞Εͨ҉߸จͱ͢Δɽ͜ͷ࣌ɼk = Ω(N) ͳΒ͹ɼk ݸͷ ҉߸จ͔Β P2 Λಋग़ՄೳͰ͋Δɽ P2 ͷ෮ݩํ๏ ▶ RC4 ͷ҉߸ԽɿC2 = P2 ⊕ Z2 ▶ ʢఆཧ 1ʣ 2 N ͷ֬཰Ͱ C2 = Z2 ͕੒ཱ ▶ ࠷΋ස౓ͷߴ͍ C2 ͷ஋Λ P2 ͱͯ͠෮ݩ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 10 / 36

Slide 23

Slide 23 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 2ɿIsobe Βͷ࠷దͳόΠΞεηοτ [IOWM13] ϥ΢ϯυ r ࠷దͳࣄ৅ Zr ֬཰ʢཧ࿦஋ʣ 1 Z1 = 0 | Z2 = 0 2−8 · (1 + 2−1.009) 2 Z2 = 0 2−8 · (1 + 20) 3 Z3 = 131 2−8 · (1 + 2−8.089) 4 Z4 = 0 2−8 · (1 + 2−7.581) 5-15 Zr = r max: 2−8 · (1 + 2−7.627), min: 2−8 · (1 + 2−7.737) 16 Z16 = 240 2−8 · (1 + 2−4.671) 17-31 Zr = r max: 2−8 · (1 + 2−7.759), min: 2−8 · (1 + 2−7.912) 32 Z32 = 224 2−8 · (1 + 2−5.176) 33-47 Zr = 0 max: 2−8 · (1 + 2−7.897), min: 2−8 · (1 + 2−8.050) 48 Z48 = 208 2−8 · (1 + 2−5.651) 49-63 Zr = 0 max: 2−8 · (1 + 2−8.072), min: 2−8 · (1 + 2−8.224) 64 Z64 = 192 2−8 · (1 + 2−6.085) 65-79 Zr = 0 max: 2−8 · (1 + 2−8.246), min: 2−8 · (1 + 2−8.398) 80 Z80 = 176 2−8 · (1 + 2−6.574) 81-95 Zr = 0 max: 2−8 · (1 + 2−8.420), min: 2−8 · (1 + 2−8.571) 96 Z96 = 160 2−8 · (1 + 2−6.970) 97-111 Zr = 0 max: 2−8 · (1 + 2−8.592), min: 2−8 · (1 + 2−8.741) 112 Z112 = 144 2−8 · (1 + 2−7.300) 113-255 Zr = 0 max: 2−8 · (1 + 2−8.763), min: 2−8 · (1 + 2−10.052) 256 Z256 = 0 2−8 · (1 − 2−9.474) 257 Z257 = 0 2−8 · (1 + 2−9.474) ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 11 / 36

Slide 24

Slide 24 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 3ɿAlFardan Βͷ߈ܸ [ABP+13] ϒϩʔυΩϟετηοςΟϯά ▶ ಉҰͷฏจ P ΛҟͳΔෳ਺ͷൿີݤ K Λ༻͍ͯ҉߸Խͨ͠৘ใ C Λૹ৴ ࠷໬ਪఆ๏ɿΩʔετϦʔϜͷ෼෍Λแׅతʹར༻ 1. ϒϩʔυΩϟετηοςΟϯάͷঢ়گԼͰ҉߸จ {C(1), . . . , C(S)} Λऩू 2. ฏจީิ஋ µ Λਪଌ ▶ ީิ஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍දΛ࡞੒ 3. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍දͱൺֱ ▶ ฏจͷ࠷໬ਪఆ஋ P∗ Λग़ྗ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 12 / 36

Slide 25

Slide 25 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 3ɿAlFardan Βͷ߈ܸ [ABP+13] 1. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍Λ࡞੒ pr,k := Pr(Zr = k), k = 0x00, ..., 0xFF 2. ฏจީิ஋ µ ʹ͓͚ΔΩʔετϦʔϜͷ෼෍ (N(µ) 0x00 , . . . , N(µ) 0xFF ) Λ࡞੒ N(µ) k = |{j | Cj,r = k ⊕ µ}1≤j≤S |, k = 0x00, ..., 0xFF 3. ฏจ͕ µ ͱͳΔ֬཰ λµ Λಋग़ 1 λµ = S! N(µ) 0x00 ! · · · N(µ) 0xFF ! ∏ k∈{0x00, . . . , 0xFF} pN(µ) k r,k 4. λµ ͕࠷େͱͳΔฏจީิ஋ µ Λग़ྗ 1N = (N(µ) 0x00 , . . . , N(µ) 0xFF ) ͸ɼp = (pr,0x00, . . . , pr,0xFF) ͱ S Λύϥϝʔλͱ͢Δଟ߲෼෍ʹै͏ɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 13 / 36

Slide 26

Slide 26 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 3ɿAlFardan Βͷ߈ܸ [ABP+13] 1. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍Λ࡞੒ pr,k := Pr(Zr = k), k = 0x00, ..., 0xFF 2. ฏจީิ஋ µ ʹ͓͚ΔΩʔετϦʔϜͷ෼෍ (N(µ) 0x00 , . . . , N(µ) 0xFF ) Λ࡞੒ N(µ) k = |{j | Cj,r = k ⊕ µ}1≤j≤S |, k = 0x00, ..., 0xFF 3. ฏจ͕ µ ͱͳΔ֬཰ λµ Λಋग़ 1 λµ = S! N(µ) 0x00 ! · · · N(µ) 0xFF ! ∏ k∈{0x00, . . . , 0xFF} pN(µ) k r,k 4. λµ ͕࠷େͱͳΔฏจީิ஋ µ Λग़ྗ 1N = (N(µ) 0x00 , . . . , N(µ) 0xFF ) ͸ɼp = (pr,0x00, . . . , pr,0xFF) ͱ S Λύϥϝʔλͱ͢Δଟ߲෼෍ʹै͏ɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 13 / 36

Slide 27

Slide 27 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 3ɿAlFardan Βͷ߈ܸ [ABP+13] 1. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍Λ࡞੒ pr,k := Pr(Zr = k), k = 0x00, ..., 0xFF 2. ฏจީิ஋ µ ʹ͓͚ΔΩʔετϦʔϜͷ෼෍ (N(µ) 0x00 , . . . , N(µ) 0xFF ) Λ࡞੒ N(µ) k = |{j | Cj,r = k ⊕ µ}1≤j≤S |, k = 0x00, ..., 0xFF 3. ฏจ͕ µ ͱͳΔ֬཰ λµ Λಋग़ 1 λµ = S! N(µ) 0x00 ! · · · N(µ) 0xFF ! ∏ k∈{0x00, . . . , 0xFF} pN(µ) k r,k 4. λµ ͕࠷େͱͳΔฏจީิ஋ µ Λग़ྗ 1N = (N(µ) 0x00 , . . . , N(µ) 0xFF ) ͸ɼp = (pr,0x00, . . . , pr,0xFF) ͱ S Λύϥϝʔλͱ͢Δଟ߲෼෍ʹै͏ɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 13 / 36

Slide 28

Slide 28 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 3ɿAlFardan Βͷ߈ܸ [ABP+13] 1. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍Λ࡞੒ pr,k := Pr(Zr = k), k = 0x00, ..., 0xFF 2. ฏจީิ஋ µ ʹ͓͚ΔΩʔετϦʔϜͷ෼෍ (N(µ) 0x00 , . . . , N(µ) 0xFF ) Λ࡞੒ N(µ) k = |{j | Cj,r = k ⊕ µ}1≤j≤S |, k = 0x00, ..., 0xFF 3. ฏจ͕ µ ͱͳΔ֬཰ λµ Λಋग़ 1 λµ = S! N(µ) 0x00 ! · · · N(µ) 0xFF ! ∏ k∈{0x00, . . . , 0xFF} pN(µ) k r,k 4. λµ ͕࠷େͱͳΔฏจީิ஋ µ Λग़ྗ 1N = (N(µ) 0x00 , . . . , N(µ) 0xFF ) ͸ɼp = (pr,0x00, . . . , pr,0xFF) ͱ S Λύϥϝʔλͱ͢Δଟ߲෼෍ʹै͏ɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 13 / 36

Slide 29

Slide 29 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 4ɿPaterson Βͷ߈ܸ [PPS14] ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 14 / 36

Slide 30

Slide 30 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 4ɿPaterson Βͷ߈ܸ [PPS14] 1. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍Λ IV = (IV0, IV1 ) ͝ͱʹ࡞੒ p IV,r,k := Pr(Zr = k), IV = (0x00, 0x00), . . . , (0xFF, 0xFF), k = 0x00, ..., 0xFF 2. ฏจީิ஋ µ ʹ͓͚ΔΩʔετϦʔϜͷ෼෍ (N(µ) 0x00 , . . . , N(µ) 0xFF ) Λ࡞੒ N(µ) IV,k = |{j | C IV,j,r = k ⊕ µ}1≤j≤S |, k = 0x00, ..., 0xFF 3. IV ͝ͱʹฏจ͕ µ ͱͳΔ֬཰ λ IV,µ Λಋग़ λ IV,µ = S! N(µ) IV,0x00 ! · · · N(µ) IV,0xFF ! ∏ k∈{0x00, . . . , 0xFF} p N(µ) IV,k IV,r,k 4. ฏจ͕ µ ͱͳΔ֬཰ λµ Λಋग़ λµ = ∏ (0x00, 0x00)≤IV≤(0xFF, 0xFF) λ IV,µ 5. λµ ͕࠷େͱͳΔฏจީิ஋ µ Λग़ྗ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 15 / 36

Slide 31

Slide 31 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 5ɿSen Gupta Βͷݤ૬ؔ [GMM+14] Ϟνϕʔγϣϯɿ WPA-TKIP ʹର͢Δฏจճ෮߈ܸΛޮ཰Խ ެ։৘ใ {K[0], K[1], K[2]} Λ༻͍ͨΩʔετϦʔϜʹؔ͢Δݤ૬ؔ Zr = a · K[0] + b · K[1] + c · K[2] + d r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3} Table 5 : {P1, P3, P256, P257} ͷ෮ݩʹඞཁͳ҉߸จ਺ͷൺֱ [GMM+14] [IOWM13] λʔήοτ ݤ૬ؔ ҉߸จ਺ ࠷దͳࣄ৅ ҉߸จ਺ P1 Z1 = −K[0] − K[1] 210.896 Z1 = 0 | Z2 = 0 218.072 P3 Z3 = K[0] + K[1] + K[2] + 3 213.939 Z3 = 131 224.218 P256 Z256 = −K[0] 213.803 Z256 = 0 226.814 P257 Z257 = −K[0] − K[1] 216.758 Z257 = 0 227.062 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 16 / 36

Slide 32

Slide 32 text

ؔ࿈ݚڀɿฏจճ෮߈ܸͱݤ૬ؔ ؔ࿈ݚڀ 6ɿIto ͱ Miyaji ͷ൓෮ੑͷ͋Δݤ૬ؔ [IM18] ൓෮ੑͷ͋Δݤ૬ؔ Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) ϖΞ͕ ℓ ϥ΢ϯυ͝ͱ൓෮͢Δݤ૬ؔʢݤ௕ɿℓ = 16ʣ Ϟνϕʔγϣϯɿ (K[0], K[1]) ϖΞͱ (K[0], K[2]) ϖΞΛ༻͍ͨฏจճ෮߈ܸ Table 6 : {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} ͷ෮ݩʹඞཁͳ҉߸จ਺ͷൺֱ [IM18] [IOWM13] λʔήοτ ݤ૬ؔ ҉߸จ਺ ࠷దͳࣄ৅ ҉߸จ਺ P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 17 / 36

Slide 33

Slide 33 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 1. ࠷దͳόΠΞεηοτΛར༻ͨ͠ฏจճ෮߈ܸ ▶ ࠷దͳόΠΞεηοτͷ༗ޮੑΛ֬ೝ ▶ {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257} ͷ 12 όΠτ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 57.2% ͷ֬཰Ͱ෮ݩ ▶ [IOWM13] ͷ߈ܸΑΓ΋ 3.0% ௿͍֬཰ 2. ݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠ฏจճ෮߈ܸ ▶ ݤ૬ؔ [GMM+14, IM18] Λ [ABP+13, PPS14] ͷ߈ܸʹԠ༻ ▶ [PPS14] ͷ߈ܸΑΓ΋ {P3, P18, P34, P50, P66, P82} ͷ 6 όΠτΛޮ཰తʹ෮ݩ 3. ݤ૬ؔΛར༻ͨ͠࠷దͳฏจճ෮߈ܸ ▶ όΠτ୯ҐͰ࠷దͳฏจͷ෮ݩํ๏Λબ୒ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 90.8% ͷ֬཰Ͱ෮ݩ ▶ ैདྷͷ߈ܸΑΓ΋ 6.0% ߴ͍֬཰ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 18 / 36

Slide 34

Slide 34 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Table 7 : WPA-TKIP ʹ͓͚Δ࠷దͳόΠΞεηοτ [GMM+14, IM18] [IOWM13] λʔήοτ ݤ૬ؔ ҉߸จ਺ ࠷దͳࣄ৅ ҉߸จ਺ P1 Z1 = −K[0] − K[1] 210.896 Z1 = 0 | Z2 = 0 218.072 P3 Z3 = K[0] + K[1] + K[2] + 3 213.939 Z3 = 131 224.218 P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 P256 Z256 = −K[0] 213.803 Z256 = 0 226.814 P257 Z257 = −K[0] − K[1] 216.758 Z257 = 0 227.062 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 19 / 36

Slide 35

Slide 35 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ ࣮ݧํ๏ 1. ઌ಄ 257 όΠτͷฏจ P ΛҰ༷ϥϯμϜʹੜ੒͢Δɽ 2. Ұ༷ϥϯμϜʹੜ੒ͨ͠ k ∈ {26, 27, . . . , 230} ݸͷൿີݤΛ༻͍ͯ P Λ҉߸ Խ͠ɼk ݸͷ҉߸จ C(1), . . . , C(k) Λੜ੒͢Δɽ 3. ҉߸จ Cr Λूܭ͠ɼ෼෍දΛ࡞੒͢Δɽ 4. ࠷΋ස౓ͷߴ͍ Cr ͷ஋ͱΩʔετϦʔϜ Zr ͷ࠷దͳόΠΞεηοτ͔Β Pr = Cr ⊕ Zr ʹΑΓฏจΛ෮ݩ͢Δɽ 5. 1. ͔Β 4. Λ 256 ճࢼߦ͠ɼฏจͷ෮ݩ੒ޭ֬཰Λಋग़͢Δɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 20 / 36

Slide 36

Slide 36 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ ࣮ݧํ๏ 1. ઌ಄ 257 όΠτͷฏจ P ΛҰ༷ϥϯμϜʹੜ੒͢Δɽ 2. Ұ༷ϥϯμϜʹੜ੒ͨ͠ k ∈ {26, 27, . . . , 230} ݸͷൿີݤΛ༻͍ͯ P Λ҉߸ Խ͠ɼk ݸͷ҉߸จ C(1), . . . , C(k) Λੜ੒͢Δɽ 3. ҉߸จ Cr Λूܭ͠ɼ෼෍දΛ࡞੒͢Δɽ 4. ࠷΋ස౓ͷߴ͍ Cr ͷ஋ͱΩʔετϦʔϜ Zr ͷ࠷దͳόΠΞεηοτ͔Β Pr = Cr ⊕ Zr ʹΑΓฏจΛ෮ݩ͢Δɽ 5. 1. ͔Β 4. Λ 256 ճࢼߦ͠ɼฏจͷ෮ݩ੒ޭ֬཰Λಋग़͢Δɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 20 / 36

Slide 37

Slide 37 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ ࣮ݧํ๏ 1. ઌ಄ 257 όΠτͷฏจ P ΛҰ༷ϥϯμϜʹੜ੒͢Δɽ 2. Ұ༷ϥϯμϜʹੜ੒ͨ͠ k ∈ {26, 27, . . . , 230} ݸͷൿີݤΛ༻͍ͯ P Λ҉߸ Խ͠ɼk ݸͷ҉߸จ C(1), . . . , C(k) Λੜ੒͢Δɽ 3. ҉߸จ Cr Λूܭ͠ɼ෼෍දΛ࡞੒͢Δɽ 4. ࠷΋ස౓ͷߴ͍ Cr ͷ஋ͱΩʔετϦʔϜ Zr ͷ࠷దͳόΠΞεηοτ͔Β Pr = Cr ⊕ Zr ʹΑΓฏจΛ෮ݩ͢Δɽ 5. 1. ͔Β 4. Λ 256 ճࢼߦ͠ɼฏจͷ෮ݩ੒ޭ֬཰Λಋग़͢Δɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 20 / 36

Slide 38

Slide 38 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ ࣮ݧํ๏ 1. ઌ಄ 257 όΠτͷฏจ P ΛҰ༷ϥϯμϜʹੜ੒͢Δɽ 2. Ұ༷ϥϯμϜʹੜ੒ͨ͠ k ∈ {26, 27, . . . , 230} ݸͷൿີݤΛ༻͍ͯ P Λ҉߸ Խ͠ɼk ݸͷ҉߸จ C(1), . . . , C(k) Λੜ੒͢Δɽ 3. ҉߸จ Cr Λूܭ͠ɼ෼෍දΛ࡞੒͢Δɽ 4. ࠷΋ස౓ͷߴ͍ Cr ͷ஋ͱΩʔετϦʔϜ Zr ͷ࠷దͳόΠΞεηοτ͔Β Pr = Cr ⊕ Zr ʹΑΓฏจΛ෮ݩ͢Δɽ 5. 1. ͔Β 4. Λ 256 ճࢼߦ͠ɼฏจͷ෮ݩ੒ޭ֬཰Λಋग़͢Δɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 20 / 36

Slide 39

Slide 39 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ ࣮ݧํ๏ 1. ઌ಄ 257 όΠτͷฏจ P ΛҰ༷ϥϯμϜʹੜ੒͢Δɽ 2. Ұ༷ϥϯμϜʹੜ੒ͨ͠ k ∈ {26, 27, . . . , 230} ݸͷൿີݤΛ༻͍ͯ P Λ҉߸ Խ͠ɼk ݸͷ҉߸จ C(1), . . . , C(k) Λੜ੒͢Δɽ 3. ҉߸จ Cr Λूܭ͠ɼ෼෍දΛ࡞੒͢Δɽ 4. ࠷΋ස౓ͷߴ͍ Cr ͷ஋ͱΩʔετϦʔϜ Zr ͷ࠷దͳόΠΞεηοτ͔Β Pr = Cr ⊕ Zr ʹΑΓฏจΛ෮ݩ͢Δɽ 5. 1. ͔Β 4. Λ 256 ճࢼߦ͠ɼฏจͷ෮ݩ੒ޭ֬཰Λಋग़͢Δɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 20 / 36

Slide 40

Slide 40 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Table 8 : ߈ܸʹඞཁͳ҉߸จ਺ͱ੒ޭ֬཰ͷൺֱ λʔήοτ [GMM+14, IM18] [IOWM13] ҉߸จ਺ ੒ޭ֬཰ (%) ੒ޭ֬཰ (%) P1 217 100 3.91 P3 220 100 1.17 P17 223 100 5.47 P18 224 100 8.59 P33 225 100 7.03 P34 225 100 8.98 P49 227 100 28.1 P50 226 100 18.8 P66 228 100 53.5 P82 229 100 69.9 P256 219 100 0.39 P257 222 100 0.78 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 21 / 36

Slide 41

Slide 41 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Figure 1 : ੒ޭ֬཰ͷൺֱɿ224 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 22 / 36

Slide 42

Slide 42 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Figure 2 : ੒ޭ֬཰ͷൺֱɿ226 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 23 / 36

Slide 43

Slide 43 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Figure 3 : ੒ޭ֬཰ͷൺֱɿ228 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 24 / 36

Slide 44

Slide 44 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Figure 4 : ੒ޭ֬཰ͷൺֱɿ230 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 25 / 36

Slide 45

Slide 45 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 1ɿ࠷దͳόΠΞεηοτΛར༻ͨ͠߈ܸ Figure 5 : ੒ޭ֬཰ͷൺֱɿ222 − 230 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 26 / 36

Slide 46

Slide 46 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ؔ࿈ݚڀ 2ɿAlFardan Βͷ߈ܸ [ABP+13]ʢ࠶ܝʣ 1. ཧ࿦஋ʹ͓͚ΔΩʔετϦʔϜͷ෼෍Λ࡞੒ pr,k := Pr(Zr = k), k = 0x00, ..., 0xFF 2. ฏจީิ஋ µ ʹ͓͚ΔΩʔετϦʔϜͷ෼෍ (N(µ) 0x00 , . . . , N(µ) 0xFF ) Λ࡞੒ N(µ) k = |{j | Cj,r = k ⊕ µ}1≤j≤S |, k = 0x00, ..., 0xFF 3. ฏจ͕ µ ͱͳΔ֬཰ λµ Λಋग़ 2 λµ = S! N(µ) 0x00 ! · · · N(µ) 0xFF ! ∏ k∈{0x00, . . . , 0xFF} pN(µ) k r,k 4. λµ ͕࠷େͱͳΔฏจީิ஋ µ Λग़ྗ 2N = (N(µ) 0x00 , . . . , N(µ) 0xFF ) ͸ɼp = (pr,0x00, . . . , pr,0xFF) ͱ S Λύϥϝʔλͱ͢Δଟ߲෼෍ʹै͏ɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 27 / 36

Slide 47

Slide 47 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 2ɿݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠߈ܸ p1,k := Pr(Z1 = −K[0] − K[1] + k), p3,k := Pr(Z3 = K[0] + K[1] + K[2] + k), p17,k := Pr(Z17 = K[0] − K[1] + k), p18,k := Pr(Z18 = K[0] − K[2] + k), p33,k := Pr(Z33 = K[0] − K[1] + k), p34,k := Pr(Z34 = K[0] − K[2] + k), p49,k := Pr(Z49 = K[0] − K[1] + k), p50,k := Pr(Z50 = K[0] − K[2] + k), p66,k := Pr(Z66 = K[0] − K[2] + k), p82,k := Pr(Z82 = K[0] − K[2] + k), p256,k := Pr(Z256 = −K[0] + k), p257,k := Pr(Z257 = −K[0] − K[1] + k). 3ଟ߲෼෍ͷύϥϝʔλ p = (pr,0x00, . . . , pr,0xFF) ͷ૯࿨͕ 1 Ͱͳ͚Ε͹ͳΒͳ͍ɽ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 28 / 36

Slide 48

Slide 48 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 2ɿݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠߈ܸ Table 9 : ߈ܸʹඞཁͳ҉߸จ਺ͱ੒ޭ֬཰ͷൺֱ ఏҊํ๏ [PPS14] λʔήοτ ҉߸จ਺ ੒ޭ֬཰ (%) ੒ޭ֬཰ (%) P1 216 99.6 100 P3 220 100 3.52 P17 223 100 100 P18 224 100 32.4 P33 223 92.2 100 P34 225 100 98.0 P49 224 50.0 100 P50 226 100 61.3 P66 228 100 94.1 P82 229 100 97.3 P256 219 100 100 P257 222 99.6 100 ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 29 / 36

Slide 49

Slide 49 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 3ɿݤ૬ؔΛར༻ͨ͠࠷దͳ߈ܸ Figure 6 : ੒ޭ֬཰ͷൺֱɿ224 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 30 / 36

Slide 50

Slide 50 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 3ɿݤ૬ؔΛར༻ͨ͠࠷దͳ߈ܸ Figure 7 : ੒ޭ֬཰ͷൺֱɿ226 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 31 / 36

Slide 51

Slide 51 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 3ɿݤ૬ؔΛར༻ͨ͠࠷దͳ߈ܸ Figure 8 : ੒ޭ֬཰ͷൺֱɿ228 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 32 / 36

Slide 52

Slide 52 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 3ɿݤ૬ؔΛར༻ͨ͠࠷దͳ߈ܸ Figure 9 : ੒ޭ֬཰ͷൺֱɿ230 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 33 / 36

Slide 53

Slide 53 text

ݚڀ੒Ռɿݤ૬ؔΛ༻͍ͨฏจճ෮߈ܸ ݚڀ੒Ռ 3ɿݤ૬ؔΛར༻ͨ͠࠷దͳ߈ܸ Figure 10 : ੒ޭ֬཰ͷൺֱɿ222 − 230 ݸͷ҉߸จʹΑΔฏจճ෮߈ܸ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 34 / 36

Slide 54

Slide 54 text

·ͱΊ ·ͱΊ 1. ࠷దͳόΠΞεηοτΛར༻ͨ͠ฏจճ෮߈ܸ ▶ ࠷దͳόΠΞεηοτͷ༗ޮੑΛ֬ೝ ▶ {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257} ͷ 12 όΠτ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 57.2% ͷ֬཰Ͱ෮ݩ ▶ [IOWM13] ͷ߈ܸΑΓ΋ 3.0% ௿͍֬཰ 2. ݤ૬ؔʹ͓͚Δ෼෍Λแׅతʹར༻ͨ͠ฏจճ෮߈ܸ ▶ ݤ૬ؔ [GMM+14, IM18] Λ [ABP+13, PPS14] ͷ߈ܸʹԠ༻ ▶ [PPS14] ͷ߈ܸΑΓ΋ {P3, P18, P34, P50, P66, P82} ͷ 6 όΠτΛޮ཰తʹ෮ݩ 3. ݤ૬ؔΛར༻ͨ͠࠷దͳฏจճ෮߈ܸ ▶ όΠτ୯ҐͰ࠷దͳฏจͷ෮ݩํ๏Λબ୒ ▶ 230 ݸͷ҉߸จ͔Βઌ಄ 257 όΠτͷฏจΛ໿ 90.8% ͷ֬཰Ͱ෮ݩ ▶ ैདྷͷ߈ܸΑΓ΋ 6.0% ߴ͍֬཰ ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 35 / 36

Slide 55

Slide 55 text

References I [ABP+13] Nadhem J. AlFardan, Daniel J. Bernstein, Keneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the Security of RC4 in TLS. In USENIX Security Symposium 2013, 2013. [GMM+14] Sourav Sen Gupta, Subhamoy Maitra, Willi Meier, Goutam Paul, and Santanu Sarkar. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 350–369. Springer Berlin Heidelberg, 2014. [IM18] Ryoma Ito and Atsuko Miyaji. New Iterated RC4 Key Correlations. In Willy Susilo and Guomin Yang, editors, Information Security and Privacy - ACISP 2018, volume 10946 of Lecture Notes in Computer Science, pages 154–171. Springer International Publishing, 2018. [IOWM13] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full Plaintext Recovery Attack on Broadcast RC4. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2013. [MS01] Itsik Mantin and Adi Shamir. Practical Attack on Broadcast RC4. In Mitsuru Matsui, editor, Fast Software Encryption - FSE 2001, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer Berlin Heidelberg, 2001. [PPS14] Kenneth G. Paterson, Bertram Poettering, and Jacob C.N. Schuldt. Plaintext Recovery Attacks Against WPA/TKIP. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 325–349. Springer Berlin Heidelberg, 2014. [VP15] Mathy Vanhoef and Frank Piessens. All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS. In USENIX Security Symposium 2015, pages 97–112, 2015. [VP16] Mathy Vanhoef and Frank Piessens. Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys. In USENIX Security Symposium 2016, 2016. ҏ౻ཽഅ (େࡕେֶ) ൓෮ੑͷ͋Δݤ૬ؔΛ༻͍ͨ WPA-TKIP ʹର͢Δฏจճ෮߈ܸ 2018. 7. 26 36 / 36