Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Similar documents
KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Physical and Link Layer Attacks

Table of Contents 1 WLAN Security Configuration Commands 1-1

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

Chapter 24 Wireless Network Security

WPA-GPG: Wireless authentication using GPG Key

Advanced WiFi Attacks Using Commodity Hardware

Wireless Network Security Spring 2016

Secure Initial Access Authentication in WLAN

Troubleshooting WLANs (Part 2)

Wireless Network Security Spring 2015

KRACK & ROCA 吳忠憲 陳君明 1,3 1,2,3. J.-S. Wu Jimmy Chen. 1. NTU, National Taiwan University 2. IKV, InfoKeyVault Technology 3.

05 - WLAN Encryption and Data Integrity Protocols

Wireless Network Security

WPA Passive Dictionary Attack Overview

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

IEEE i and wireless security

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Wireless LAN Security. Gabriel Clothier

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

What is Eavedropping?

Misuse-resistant crypto for JOSE/JWT

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

FAQ on Cisco Aironet Wireless Security

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Network Encryption 3 4/20/17

Plaintext Recovery Attacks Against WPA/TKIP

1 FIVE STAGES OF I.

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Securing Your Wireless LAN

Wireless Security i. Lars Strand lars (at) unik no June 2004

Advanced WiFi Attacks Using Commodity Hardware

Chapter 17. Wireless Network Security

Configuring Cipher Suites and WEP

Link Security A Tutorial

Summary on Crypto Primitives and Protocols

Authentication Handshakes

Exam Advanced Network Security

Wireless Networked Systems

Secure Wireless LAN Design and Deployment

CSC 474/574 Information Systems Security

Configuring a VAP on the WAP351, WAP131, and WAP371

Appendix E Wireless Networking Basics

Wireless Network Security

Mobile Security Fall 2013

Configuring Authentication Types

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

SSL/TLS. How to send your credit card number securely over the internet

L13. Reviews. Rocky K. C. Chang, April 10, 2015

ECE 646 Lecture 8. Modes of operation of block ciphers

WarDriving. related fixed line attacks war dialing port scanning

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Wireless KRACK attack client side workaround and detection

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Security in IEEE Networks

WiFuzz: detecting and exploiting logical flaws in the Wi-Fi cryptographic handshake

Securing a Wireless LAN

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

What you will learn. Summary Question and Answer

Crypto: Passwords and RNGs. CS 642 Guest Lecturer: Adam Everspaugh

Security Handshake Pitfalls

Configuring a WLAN for Static WEP

Real-time protocol. Chapter 16: Real-Time Communication Security

CIS 4360 Secure Computer Systems Applied Cryptography

LESSON 12: WI FI NETWORKS SECURITY

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Section 4 Cracking Encryption and Authentication

CS 494/594 Computer and Network Security

Lab Configure Enterprise Security on AP

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Cryptographic Knowledge Base

Configuring Wireless Security Settings on the RV130W

Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Stream Ciphers. Stream Ciphers 1

Security Setup CHAPTER

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

The security of existing wireless networks

Configuring WEP and WEP Features

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Configuring the Client Adapter

Securing Wireless Communication Against Dictionary Attacks Without Using PKI

The Salsa20 Family of Stream Ciphers

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Configuring the Client Adapter through Windows CE.NET

Transcription:

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 3

The 4-way handshake Used to connect to any protected Wi-Fi network Two main purposes: Mutual authentication Negotiate fresh PTK: pairwise temporal key Appeared to be secure: No attacks in over a decade (apart from password guessing) Proven that negotiated key (PTK) is secret 1 And encryption protocol proven secure 7 4

4-way handshake (simplified) 5

4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 6

4-way handshake (simplified) Attack isn t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 7

4-way handshake (simplified) 8

4-way handshake (simplified) 9

4-way handshake (simplified) PTK is installed 10

4-way handshake (simplified) 11

Frame encryption (simplified) Nonce (packet number) Plaintext data PTK (session key) Mix Packet key Nonce Nonce reuse implies keystream reuse (in all WPA2 ciphers) 12

4-way handshake (simplified) Installing PTK initializes nonce to zero 13

Reinstallation Attack Channel 1 Channel 6 14

Reinstallation Attack 15

Reinstallation Attack 16

Reinstallation Attack Block Msg4 17

Reinstallation Attack 18

Reinstallation Attack In practice Msg4 is sent encrypted 19

Reinstallation Attack Key reinstallation! nonce is reset 20

Reinstallation Attack Same nonce is used! 21

Reinstallation Attack keystream Decrypted! 22

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 23

General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 24

Cipher suite specific AES-CCMP: No practical frame forging attacks WPA-TKIP: Recover Message Integrity Check key from plaintext 4,5 Forge/inject frames sent by the device under attack GCMP (WiGig): Recover GHASH authentication key from nonce reuse 6 Forge/inject frames in both directions 25

Handshake specific Group key handshake: Client is attacked, but only AP sends real broadcast frames Can only replay broadcast frames to client 4-way handshake: Client is attacked replay/decrypt/forge FT handshake (fast roaming = 802.11r): Access Point is attacked replay/decrypt/forge No MitM required, can keep causing nonce resets 26

Implementation specific Windows and ios: 4-way handshake not affected Cannot decrypt unicast traffic (nor replay/decrypt) But group key handshake is affected (replay broadcast) wpa_supplicant 2.4+ Client used on Linux and Android 6.0+ On retransmitted msg3 will install all-zero key 27

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 28

Misconceptions I Updating only the client or AP is sufficient Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim Can use special antenna from afar No useful data is transmitted after handshake Trigger new handshakes during TCP connection 29

Misconceptions II Obtaining channel-based MitM is hard Nope, can use channel switch announcements Attack complexity is hard Script only needs to be written once and some are already doing this! 30

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 31

Limitations of formal proofs 4-way handshake proven secure Encryption protocol proven secure The combination was not proven secure! 32

Model vs. implementation Abstract model real code Must assure code matches specification The wpa_supplicant 2.6 case Complex state machine & turned out to still be vulnerable Need formal verification of implementations 33

On a related note Workshop on: Security Protocol Implementations: Development and Analysis (SPIDA) Co-located with EuroS&P 2018 focuses on improving development & analysis of security protocols implementations 34

Thank you! Questions? krackattacks.com

References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008. 3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/ 4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009. 5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013. 6. A. Joux. Authentication failures in NIST version of GCM. 2016. 7. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002. 36

Countermeasures Problem: many clients won t get updates Solution: AP can prevent (most) attacks on clients! Don t retransmit message 3/4 Don t retransmit group message 1/2 However: Impact on reliability unclear Clients still vulnerable when connected to unmodified APs 37

Handshake specific Group key handshake: Client is attacked replay broadcast frames to client Because client never sends real broadcast frames! Unicast 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback