KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Similar documents
KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Physical and Link Layer Attacks

Troubleshooting WLANs (Part 2)

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

Advanced WiFi Attacks Using Commodity Hardware

Chapter 24 Wireless Network Security

KRACK & ROCA 吳忠憲 陳君明 1,3 1,2,3. J.-S. Wu Jimmy Chen. 1. NTU, National Taiwan University 2. IKV, InfoKeyVault Technology 3.

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Wireless Network Security Spring 2016

Wireless Network Security Spring 2015

WPA-GPG: Wireless authentication using GPG Key

Table of Contents 1 WLAN Security Configuration Commands 1-1

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

05 - WLAN Encryption and Data Integrity Protocols

WPA Passive Dictionary Attack Overview

Secure Initial Access Authentication in WLAN

Exam Advanced Network Security

FAQ on Cisco Aironet Wireless Security

Wireless Network Security

IEEE i and wireless security

Advanced WiFi Attacks Using Commodity Hardware

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Summary on Crypto Primitives and Protocols

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Wireless LAN Security. Gabriel Clothier

1 FIVE STAGES OF I.

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Network Encryption 3 4/20/17

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Misuse-resistant crypto for JOSE/JWT

Wireless KRACK attack client side workaround and detection

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Authentication Handshakes

CSC 474/574 Information Systems Security

Wireless Networked Systems

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

WarDriving. related fixed line attacks war dialing port scanning

Configuring Cipher Suites and WEP

Plaintext Recovery Attacks Against WPA/TKIP

Mobile Security Fall 2013

Overview of Security

What is Eavedropping?

Stream Ciphers. Stream Ciphers 1

Configuring a VAP on the WAP351, WAP131, and WAP371

Wireless Security i. Lars Strand lars (at) unik no June 2004

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

Chapter 17. Wireless Network Security

Link Security A Tutorial

Security Setup CHAPTER

Appendix E Wireless Networking Basics

Configuring Authentication Types

Wireless technology Principles of Security

Configuring WEP and WEP Features

Securing a Wireless LAN

WiFuzz: detecting and exploiting logical flaws in the Wi-Fi cryptographic handshake

The security of existing wireless networks

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

GETTING THE MOST OUT OF EVIL TWIN

ECE 646 Lecture 8. Modes of operation of block ciphers

Wireless Network Security

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

CIS 4360 Secure Computer Systems Applied Cryptography

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

CS 161 Computer Security

Defeating All Man-in-the-Middle Attacks

Secure Wireless LAN Design and Deployment

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Cisco Systems 5760 Wireless LAN Controller

1 Achieving IND-CPA security

TLS1.2 IS DEAD BE READY FOR TLS1.3

Pass, No Record: An Android Password Manager

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Wireless Network Security

Real-time protocol. Chapter 16: Real-Time Communication Security

Cryptographic Knowledge Base

CS 494/594 Computer and Network Security

Securing Your Wireless LAN

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

SSL/TLS. How to send your credit card number securely over the internet

Section 4 Cracking Encryption and Authentication

LESSON 12: WI FI NETWORKS SECURITY

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Lab Configure Enterprise Security on AP

Transcription:

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that s secure? Seems so! No attacks in 14 years & proven secure. 2

Introduction Key reinstallation when ic_set_key is called again? 4

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 5

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 6

The 4-way handshake Used to connect to any protected Wi-Fi network Provides mutual authentication Negotiates fresh PTK: pairwise transient key Appeared to be secure: No attacks in over a decade (apart from password guessing) Proven that negotiated key (PTK) is secret 1 And encryption protocol proven secure 7 7

4-way handshake (simplified) 8

4-way handshake (simplified) 9

4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 10

4-way handshake (simplified) Attack isn t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 11

4-way handshake (simplified) 12

4-way handshake (simplified) 13

4-way handshake (simplified) 14

4-way handshake (simplified) PTK is installed 15

4-way handshake (simplified) 16

Frame encryption (simplified) Nonce (packet number) Plaintext data PTK (session key) Mix Packet key Nonce Nonce reuse implies keystream reuse (in all WPA2 ciphers) 17

4-way handshake (simplified) Installing PTK initializes nonce to zero 18

Reinstallation Attack Channel 1 Channel 6 19

Reinstallation Attack 20

Reinstallation Attack 21

Reinstallation Attack Block Msg4 22

Reinstallation Attack 23

Reinstallation Attack 24

Reinstallation Attack In practice Msg4 is sent encrypted 25

Reinstallation Attack Key reinstallation! nonce is reset 26

Reinstallation Attack 27

Reinstallation Attack Same nonce is used! 28

Reinstallation Attack Keystream Decrypted! 29

Key Reinstallation Attack Other Wi-Fi handshakes also vulnerable: Group key handshake FT handshake TDLS PeerKey handshake For details see our CCS 17 paper 12 : Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 30

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 31

General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 32

Cipher suite specific AES-CCMP: No practical frame forging attacks WPA-TKIP: Recover Message Integrity Check key from plaintext 4,5 Forge/inject frames sent by the device under attack GCMP (WiGig): Recover GHASH authentication key from nonce reuse 6 Forge/inject frames in both directions 33

Handshake specific Group key handshake: Client is attacked, but only AP sends real broadcast frames Unicast 34

Handshake specific Group key handshake: Client is attacked, but only AP sends real broadcast frames Can only replay broadcast frames to client 4-way handshake: client is attacked replay/decrypt/forge FT handshake (fast roaming = 802.11r): Access Point is attacked replay/decrypt/forge No MitM required, can keep causing nonce resets 35

FT Handshake 36

FT Handshake 37

FT Handshake 38

FT Handshake 39

FT Handshake 40

FT Handshake 41

FT Handshake 42

FT Handshake 43

FT Handshake Nonce reuse! Use to decrypt frames 44

Implementation specific ios 10 and Windows: 4-way handshake not affected Cannot decrypt unicast traffic (nor replay/decrypt) But group key handshake is affected (replay broadcast) Note: ios 11 does have vulnerable 4-way handshake 8 wpa_supplicant 2.4+ Client used on Linux and Android 6.0+ On retransmitted msg3 will install all-zero key 45

46

Android (victim) 47

48

49

50

51

52

Now trivial to intercept and manipulate client traffic 53

Is your devices affected? github.com/vanhoefm/krackattacks-scripts Tests clients and APs Works on Kali Linux Remember to: Disable hardware encryption Use a supported Wi-Fi dongle! 54

Countermeasures Many clients won t get updates AP can prevent (most) attacks on clients! Don t retransmit message 3/4 Don t retransmit group message 1/2 However: Impact on reliability unclear Clients still vulnerable when connected to unmodified APs 55

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 56

Misconceptions I Updating only the client or AP is sufficient Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim Can use special antenna from afar Must be connected to network as attacker (i.e. have password) Only need to be nearby victim and network 57

Misconceptions II No useful data is transmitted after handshake Trigger new handshakes during TCP connection Obtaining channel-based MitM is hard Nope, can use channel switch announcements Attack complexity is hard Script only needs to be written once and some are (privately) doing this! 58

Misconceptions III Using (AES-)CCMP mitigates the attack Still allows decryption & replay of frames Enterprise networks (802.1x) aren t affected Also use 4-way handshake & are affected It s the end of the world! Let s not get carried away Image from KRACK: Your Wi-Fi is no longer secure by Kaspersky 59

Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 60

Limitations of formal proofs 4-way handshake proven secure Encryption protocol proven secure The combination was not proven secure! 61

Keep protocols simple The wpa_supplicant 2.6 case: Complex state machine & turned out to still be vulnerable Need formal verification of implementations Re-keying introduces unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return. 9 62

Disclosure coordination: preparation Flawed standard! How to disclose? Is it truly a widespread issue? Contacted vendors we didn t test ourselves They re vulnerable + feedback on report Determining who to inform? Notifying more vendors higher chance of leaks We relied on CERT/CC to contact vendors 63

Disclosure coordination: planning Duration of embargo: Long: risk of details leaking Short: not enough time to patch Avoid uncertainty: set clear deadline Open source patches? Developed and tested in private Shared 1 week in advance over private mailing lists 64

Multi-party vulnerability coordination For more advice see: Guidelines and Practices for Multi-Party Vulnerability Coordination (Draft) 11 Remember: Goal is to protect users There are various opinions 65

Conclusion Flaw is in WPA2 standard Proven correct but is insecure! Attack has practical impact Update all clients & check APs 66

Thank you! Questions? krackattacks.com

References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008. 3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/ 4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009. 5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013. 6. A. Joux. Authentication failures in NIST version of GCM. 2016. 7. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002. 8. Apple. About the security content of ios 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/enus/ht208222 9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/nod%20cryptographic%20requirements%20v1.1%20top%20secret.pdf 10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from https://www.ietf.org/proceedings/76/slides/tls-7.pdf 11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014. 12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017. 68

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback