Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Similar documents
KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Table of Contents 1 WLAN Security Configuration Commands 1-1

WPA-GPG: Wireless authentication using GPG Key

Chapter 24 Wireless Network Security

Physical and Link Layer Attacks

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Troubleshooting WLANs (Part 2)

05 - WLAN Encryption and Data Integrity Protocols

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

IEEE i and wireless security

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

1 FIVE STAGES OF I.

Secure Initial Access Authentication in WLAN

Wireless Network Security Spring 2015

KRACK & ROCA 吳忠憲 陳君明 1,3 1,2,3. J.-S. Wu Jimmy Chen. 1. NTU, National Taiwan University 2. IKV, InfoKeyVault Technology 3.

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Wireless Network Security Spring 2016

Wireless Network Security

Advanced WiFi Attacks Using Commodity Hardware

WPA Passive Dictionary Attack Overview

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Network Encryption 3 4/20/17

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Plaintext Recovery Attacks Against WPA/TKIP

WiFuzz: detecting and exploiting logical flaws in the Wi-Fi cryptographic handshake

Wireless LAN Security. Gabriel Clothier

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Securing a Wireless LAN

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

FAQ on Cisco Aironet Wireless Security

Summary on Crypto Primitives and Protocols

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Misuse-resistant crypto for JOSE/JWT

Wireless Networked Systems

Chapter 17. Wireless Network Security

Wireless Security i. Lars Strand lars (at) unik no June 2004

Wireless KRACK attack client side workaround and detection

Exam Advanced Network Security

Link Security A Tutorial

Wireless Network Security

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

The Final Nail in WEP s Coffin

Configuring a VAP on the WAP351, WAP131, and WAP371

Cryptographic Knowledge Base

Securing Your Wireless LAN

The security of existing wireless networks

TLS1.2 IS DEAD BE READY FOR TLS1.3

What you will learn. Summary Question and Answer

Configuring WEP and WEP Features

Securing Wireless Communication Against Dictionary Attacks Without Using PKI

Configuring Cipher Suites and WEP

Appendix E Wireless Networking Basics

Cisco Systems 5760 Wireless LAN Controller

Configuring Authentication Types

Lab Configure Enterprise Security on AP

Secure Wireless LAN Design and Deployment

Pass, No Record: An Android Password Manager

Real-time protocol. Chapter 16: Real-Time Communication Security

Advanced WiFi Attacks Using Commodity Hardware

Security Setup CHAPTER

SSL/TLS. How to send your credit card number securely over the internet

Crypto: Passwords and RNGs. CS 642 Guest Lecturer: Adam Everspaugh

Authentication Handshakes

LESSON 12: WI FI NETWORKS SECURITY

CSC 474/574 Information Systems Security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, and AP1522 Wireless LAN Access Points

Security Enhanced IEEE 802.1x Authentication Method for WLAN Mobile Router

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Configuring a WLAN for Static WEP

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Security in IEEE Networks

Plaintext-Recovery Attacks Against Datagram TLS

CS 494/594 Computer and Network Security

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Security and Authentication for Wireless Networks

Wireless Security K. Raghunandan and Geoff Smith. Technology September 21, 2013

Block Cipher Modes of Operation

Solutions to exam in Cryptography December 17, 2013

Stream Ciphers. Stream Ciphers 1

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

The Secure Shell (SSH) Protocol

Security Handshake Pitfalls

Numerics INDEX. 2.4-GHz WMIC, contrasted with 4.9-GHz WMIC g 3-6, x authentication 4-13

What is Eavedropping?

WLAN The Wireless Local Area Network Consortium

Transcription:

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018

Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2

Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 3

The 4-way handshake Used to connect to any protected Wi-Fi network Provides mutual authentication Negotiates fresh PTK: pairwise transient key Appeared to be secure: No attacks in over a decade (apart from password guessing) Proven that negotiated key (PTK) is secret 1 And encryption protocol proven secure 5 4

4-way handshake (simplified) 5

4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 6

4-way handshake (simplified) Attack isn t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 7

4-way handshake (simplified) 8

4-way handshake (simplified) 9

4-way handshake (simplified) PTK is installed 10

4-way handshake (simplified) 11

Frame encryption (simplified) Nonce (packet number) Plaintext data PTK (session key) Mix Packet key Nonce Nonce reuse implies keystream reuse (in all WPA2 ciphers) 12

4-way handshake (simplified) Installing PTK initializes nonce to zero 13

Reinstallation Attack Channel 1 Channel 6 14

Reinstallation Attack 15

Reinstallation Attack Block Msg4 16

Reinstallation Attack 17

Reinstallation Attack In practice Msg4 is sent encrypted 18

Reinstallation Attack Key reinstallation! Nonce is reset 19

Reinstallation Attack Same nonce is used! 20

Reinstallation Attack Keystream 21

Reinstallation Attack Keystream Decrypted! 22

Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 23

General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 24

Cipher suite specific AES-CCMP: No practical frame forging attacks WPA-TKIP: Recover Message Integrity Check key from plaintext 2,3 Forge/inject frames sent by the device under attack 25

Handshake specific Group key handshake: Client is attacked, but only AP sends real broadcast frames Can only replay broadcast frames to client 4-way handshake: Client is attacked replay/decrypt/forge 26

Implementation specific ios 10 and Windows: 4-way handshake not affected Cannot decrypt unicast traffic (nor replay/decrypt) But group key handshake is affected (replay broadcast) Note: ios 11 does have vulnerable 4-way handshake 6 wpa_supplicant 2.4+ Client used on Linux and Android 6.0+ On retransmitted msg3 will install all-zero key 27

Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 28

Idea 1: replay other handshake messages? 29

Idea 1: replay other handshake messages? What if we replay Msg4? 30

MediaTek drivers vulnerable! Certain MediaTek Drivers accept replayed Msg4 s Used in 100+ devices many vulnerable products 9 ASUS RT-AC51U TP-Link RE370K 31

Idea 2: A/SNonce renewed during rekey? AP can start new handshake to refresh the PTK Same messages exchanged as initial handshake New ANonce and SNonce must be used macos: Patched default KRACK attack But reuses the SNonce during a rekey SNonce reuse patched in macos 10.13.3 32

Exploiting SNonce reuse No problem if ANonce does change But Linux s hostapd reused ANonce Previous key was renegotiated and reinstalled Can decrypt old captured traffic! Adversary can replay old handshake Tricky because messages must now be encrypted But feasible under specific circumstances 33

Idea 3: further audit patches Several users reported: Patched client still vulnerable to group key reinstallations Either our patches are flawed or device always accepts replayed broadcast frames?! 34

No broadcast replay checks! Netis WF-2120 AWUS036NH Nexus 5X 8 of out 16 tested devices vulnerable Likely caused by faulty hardware/firmware decryption 35

Related issue: group key improperly installed 36

Related issue: group key improperly installed Contains key & current replay counter 37

Related issue: group key improperly installed Contains key & current replay counter Some install key using zero replay counter 38

Related issue: group key improperly installed Affected devices: Samsung S3 LTE $POPULAR_CLIENT How to abuse this? 39

GTK Install Attack 40

GTK Install Attack 41

GTK Install Attack Replay counter is reset to zero 42

GTK Install Attack 43

Idea 4: Impact of replaying broadcast frames? Kankun smart power plug Android app to control it Commands are broadcast UDP Destination MAC in payload (?!) Challenge/response protocol 44

Command Replay 45

Command Replay 46

Command Replay 47

Command Replay 48

Command Replay Command again executed: E.g. switch on/off 49

Is your device affected? github.com/vanhoefm/krackattacks-scripts Tests clients and APs Works on Kali Linux Remember to: Disable hardware encryption Use a proper Wi-Fi dongle! 50

Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 51

Limitations of formal proofs 4-way handshake proven secure Encryption protocol proven secure The combination was not proven secure! 52

Multi-party vulnerability coordination Widespread issue! How to disclose? Guidelines and Practices for Multi-Party Vulnerability Coordination (Draft) 7 Remember: Goal is to protect users There are various opinions 53

Conclusion Flaw is in WPA2 standard Proven correct but is insecure! Attack has practical impact Update all clients & check APs 54

Thank you! Questions? krackattacks.com

References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009. 3. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013. 4. A. Joux. Authentication failures in NIST version of GCM. 2016. 5. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002. 6. Apple. About the security content of ios 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en-us/ht208222 7. Multi-party vuln coordination 8. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017. 9. WikiDevi. MediaTek MT7620. Retrieved 2 April from https://wikidevi.com/wiki/mediatek_mt7620a 10. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/nod%20cryptographic%20requirements%20v1.1%20top%20secret.p df 56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback