Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Similar documents
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

WPA-GPG: Wireless authentication using GPG Key

Physical and Link Layer Attacks

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Wireless Network Security Spring 2016

KRACK & ROCA 吳忠憲 陳君明 1,3 1,2,3. J.-S. Wu Jimmy Chen. 1. NTU, National Taiwan University 2. IKV, InfoKeyVault Technology 3.

Chapter 24 Wireless Network Security

Wireless Network Security

Wireless LAN Security. Gabriel Clothier

Wireless Network Security Spring 2015

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Troubleshooting WLANs (Part 2)

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Secure Initial Access Authentication in WLAN

05 - WLAN Encryption and Data Integrity Protocols

Table of Contents 1 WLAN Security Configuration Commands 1-1

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Exam Advanced Network Security

WPA Passive Dictionary Attack Overview

Network Encryption 3 4/20/17

1 FIVE STAGES OF I.

Advanced WiFi Attacks Using Commodity Hardware

FAQ on Cisco Aironet Wireless Security

WarDriving. related fixed line attacks war dialing port scanning

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

IEEE i and wireless security

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Appendix E Wireless Networking Basics

Real-time protocol. Chapter 16: Real-Time Communication Security

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CS 494/594 Computer and Network Security


CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Secure Wireless LAN Design and Deployment

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Computer Networks & Security 2016/2017

WiFuzz: detecting and exploiting logical flaws in the Wi-Fi cryptographic handshake

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Chapter 17. Wireless Network Security

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Cisco Desktop Collaboration Experience DX650 Security Overview

Advanced WiFi Attacks Using Commodity Hardware

Cisco Systems 5760 Wireless LAN Controller

Mobile Security Fall 2013

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Security Enhanced IEEE 802.1x Authentication Method for WLAN Mobile Router

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Security Handshake Pitfalls

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

SSL/TLS. How to send your credit card number securely over the internet

White Paper for Wacom: Cryptography in the STU-541 Tablet

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

Security Handshake Pitfalls

Family Structural Overview

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Crypto: Passwords and RNGs. CS 642 Guest Lecturer: Adam Everspaugh

COSC4377. Chapter 8 roadmap

Encryption. INST 346, Section 0201 April 3, 2018

Modeling and Verification of IEEE i Security Protocol for Internet of Things

CS Computer Networks 1: Authentication

Security in IEEE Networks

Configuring Wireless Security Settings on the RV130W

Authentication and Security: IEEE 802.1x and protocols EAP based

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

Network Security: WLAN Mobility. Tuomas Aura CS-E4300 Network security Aalto University, Autumn 2017

Authentication Handshakes

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Configuring r BSS Fast Transition

Configuring the Client Adapter through Windows CE.NET

Key Management in Ad-Hoc Networks

An Executable Model for JFKr

Crypto meets Web Security: Certificates and SSL/TLS

Crypto Background & Concepts SGX Software Attestation

CPSC 467b: Cryptography and Computer Security

CSC 474/574 Information Systems Security

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

CPSC 467: Cryptography and Computer Security

FIPS SECURITY POLICY FOR

Wireless Network Security

Wireless Communications and Mobile Computing

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

SSL/TLS. Pehr Söderman Natsak08/DD2495

Transcription:

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi security?

The 4-way handshake Two main purposes: Mutual authentication Negotiate fresh PTK: pairwise temporal key Appeared to be secure: No attacks in more than a decade Proven as secure in 2005 1 That is: negotiated key (PTK) is secret

Wi-Fi handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 4

Wi-Fi handshake (simplified) Attack isn t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 5

Wi-Fi handshake (simplified) 6

Wi-Fi handshake (simplified) PTK is installed 7

Wi-Fi handshake (simplified) 8

Encrypting data frames (simplified) Nonce = Packet Number Plaintext data Nonce Keystream should never be reused Each nonce results in a unique keystream 9

Wi-Fi handshake (simplified) Installing PTK resets nonce to zero 10

Key Reinstallation Attack 11

12

Block Msg4 13

14

In practice Msg4 is sent encrypted 15

16

Key reinstallation! nonce is reset 17

18

Same nonce is used! 19

keystream 20

keystream Decrypted! 21

Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi security?

Misconceptions I No useful data is transmitted after handshake Trigger handshakes during TCP connection Difficult to derive keystream Already have 82 bytes from encrypted Msg4 Need high signal strength to get MitM Use channel switch announcements, BSS Transition Requests, jammers,

Misconceptions II Need to be close to network Can use special antenna 2,3 Using (AES-)CCMP mitigates the attack No, still allows decryption & replay of frames Enterprise networks (802.1x) are not vulnerable Also use 4-way handshake and are affected

Misconceptions III You need the password to perform attacks Nope. Then you could decrypt all already Updating only client or AP is sufficient Both vulnerable clients and vulnerable APs need to apply patches Attack complexity is hard Script only needs to be written once

Attacks only get better, they never get worse. Bruce Schneier

Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi security?

Countermeasures Problem: many clients will not get updated Solution: AP can prevent attacks on clients! Don t retransmit message 3/4 Don t retransmit group message 1/2 However: Impact on reliability currently unclear Clients still vulnerable when connected to other unmodified APs 28

Fuzzing Basic fuzzing as part of device certification Test against key reinstallations Fuzzing length fields: avoid well-known bugs Plaintext frames rejected if encryption enabled? Advanced fuzzing of widely used tools: Can do more costly fuzzing on specific tools Make these fuzzing tools open source

Millions of dollars saved (for Microsoft and the world). Patrice Godefroid, Microsoft Research

Other recommendations Not Wi-Fi Alliance task, but Make standards easier to access. Just a download link, nothing on top. Anyone should be able to easily follow discussions. Mailing list?

Need open source firmware Code is getting more closed: Functionality is offloaded to closed firmware E.g. 4-way handshake is being offloaded We cannot trust this code! At least open source security critical parts? Catch problems earlier & get help

Long-term: formal verification Programming is hard. Are patches correct? Missed attack against wpa_supplicant 2.6 Collaboration with academia: Create formal and precise state machines Formal verification of core code E.g. prove correctness of open source tools

Thank you! Questions? krackattacks.com

References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008. 3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designercantenna/ 3

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback