
Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm - PowerPoint PPT Presentation



  1. Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm

  2. Observation
      General Wi-Fi crypto is widely studied:
      - Predictable pre-shared key(s) protecting all WEP traffic
      - Recover pre-shared key & dictionary attack against handshake
      - Rogue AP against enterprise networks to steal credentials
      - Tornado Attack: recover WPA-TKIP session keys (theoretic)
      - Mainly targets pre-shared and session keys

  3. What about group keys?
      Group keys protect broadcast and multicast frames:
      - All clients possess a copy of the group key
      Security of group keys not yet properly studied!
      - In contrast with pre-shared & session (=pairwise) keys …
      We analyze security of group key during its full lifetime!

  4. Background: group key lifetime

  5. Background: group key lifetime
      Three important stages:
      1. Generation (flawed RNG)
      [Diagram label: Group Key]

  6. Background: group key lifetime
      Three important stages:
      1. Generation (flawed RNG)
      2. Session key agreement and group key transport (force usage of RC4)
      [Diagram labels: Group Key, Session Key; "Encrypted group key sent to client"]

  7. Background: group key lifetime
      Three important stages:
      1. Generation (flawed RNG)
      2. Session key agreement and group key transport (force usage of RC4)
      3. Usage (abuse to decrypt all traffic)
      Addressing some of these issues:
      - New RNG for Wi-Fi platforms?
      [Diagram labels: Group Key, Session Key]

  8. Background: sending group frames
      [Diagram labels: Client A (Group Key, Session Key); Group Key, Session Key A, Session Key B; Client B (Group Key, Session Key)]

  9. Background: sending group frames
      1. Client uses pairwise key to send group frame to AP
      [Diagram: frame with Recv: AP, Dest: FF:⋯:FF, Src: Client A; labels: Client A, Session Key, Session Key A, Client B]

  10. Background: sending group frames
      1. Client uses pairwise key to send group frame to AP
      2. AP broadcasts group frame using group key
      - Only AP sends real group frames
      [Diagram: frame with Recv: FF:⋯:FF, Dest: FF:⋯:FF, Src: Client A; labels: Client A, Group Key, Client B]

  11. Agenda: security of group keys
      - Flawed generation
      - Inject & decrypt all traffic
      - Force RC4 in handshake
      - New Wi-Fi tailored RNG

  12. Agenda: security of group keys
      - Flawed generation
      - Inject & decrypt all traffic
      - Force RC4 in handshake
      - New Wi-Fi tailored RNG

  13. How are group keys generated?
      Based on a key hierarchy:
      - AP randomly generates public counter and secret master key
      - Derives group temporal key (GTK) from these values every hour
      - Entropy only introduced at boot
      - Bad design: if master key is leaked, all group keys become known!
      [Diagram: public counter (+1) and private master key, sampled only at boot, feed SHA-1 to produce the Group Temporal Key (GTK)]

  14. How are random numbers generated?
      802.11 standard has example Random Number Generator
      - §11.1.6a: the RNG outputs cryptographic-quality randomness
      “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”

  15. How are random numbers generated?
      802.11 standard has example Random Number Generator
      - §11.1.6a: the RNG outputs cryptographic-quality randomness
      - Annex M.5: proposed RNG is expository only
      “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..]; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”

  16. How are random numbers generated?
      802.11 standard has example Random Number Generator
      - §11.1.6a: the RNG outputs cryptographic-quality randomness
      - Annex M.5: proposed RNG is expository only
      Inconsistent description of RNG’s security guarantees!
      - How secure is the 802.11 RNG?
      - How many platforms implement this RNG?

  17. 802.11 RNG: main design
      The 802.11 RNG is a stateless function returning 32 bytes
      - Vague description, even if only expository solution

  18. 802.11 RNG: main design
      The 802.11 RNG is a stateless function returning 32 bytes
      - Vague description, even if only expository solution
      - Collects entropy on demand
      Deviates from traditional RNG design:
      - No entropy pools being maintained
      - Entropy is only collected when the RNG is being invoked

  19. 802.11 RNG: main design
      The 802.11 RNG is a stateless function returning 32 bytes
      - Vague description, even if only expository solution
      - Collects entropy on demand
      - Based on frame arrival timestamps and clock jitter

  20. 802.11 RNG: entropy sources
      Frame arrival times:
      - Collected by starting & aborting handshakes
      - Problem: AP will be blacklisted by clients
      Clock jitter and drift:
      - No minimum time resolution → small clock jitter
      - Hence contains only low amount of randomness
      ¯\_(ツ)_/¯

  21. Surely no one implemented this…?
      - Weakened 802.11 RNG
      - Depends on OS
      - Estimated ~22% of Wi-Fi networks
      - Open Firmware: Custom RNG
      - Hostapd: /dev/random

  22. Surely no one implemented this…?
      - Weakened 802.11 RNG
      - Depends on OS
      - Estimated ~22% of Wi-Fi networks
      - Open Firmware: Custom RNG
      - Hostapd: /dev/random

  23. MediaTek RNG: overview
      Uses custom Linux drivers:
      - Implements 802.11’s group key hierarchy
      - But GNONCE “counter” is randomly refreshed on GTK rekey
      - Based on the 802.11 RNG using only clock jitter
      - Uses jiffies for current time: equals uptime of the AP
      - Predict both GMK and GNONCE to determine group key!
      [Diagram: RNG produces the Group master key (GMK) at boot and the Counter (GNONCE); both feed SHA-1 to produce the Group Temporal Key (GTK)]

  24. MediaTek RNG: key search
      - Jiffies have at best millisecond accuracy
      - GMK: generated at boot → limited set of possible values
      - GNONCE: depends on uptime of router (and clock skew)
      - Uptime is leaked in beacons
      - Capture encrypted broadcast packet and search for key
      [Diagram: RT-AC51U → OpenCL, ~3 mins → GMK & GTK]

  25. MediaTek: predicting the GTK (DEMO)

  26. Surely no one implemented this…?
      - Weakened 802.11 RNG
      - Depends on OS
      - Estimated ~22% of Wi-Fi networks
      - Open Firmware: Custom RNG
      - Hostapd: /dev/random

  27. Broadcom: Linux
      When running on a Linux kernel:
      - Implements 802.11’s group key hierarchy
      - Randomness from /dev/urandom
      “Mining your Ps and Qs” by Heninger et al.:
      - /dev/urandom might be predictable at boot
      - All group keys might be predictable on old kernels

  28. Broadcom: VxWorks and eCos
      [Slide labels: Proprietary, Open Source]

  29. Broadcom: VxWorks and eCos
      - Implements 802.11’s group key hierarchy
      - Random numbers: MD5(time in microseconds)
      [Diagram: RNG produces the Group master key (GMK) and the Counter (GNONCE); both feed SHA-1 to produce the Group Temporal Key (GTK)]

  30. Broadcom: VxWorks and eCos
      - Implements 802.11’s group key hierarchy
      - Random numbers: MD5(time in microseconds)
      - GNONCE counter is leaked during handshake
      - Attacker only has to predict master group key (GMK)
      [Diagram: RNG produces the Group master key (GMK) at boot and the Counter (GNONCE); both feed SHA-1 to produce the Group Temporal Key (GTK)]

  31. Broadcom: VxWorks and eCos
      - Implements 802.11’s group key hierarchy
      - Random numbers: MD5(time in microseconds)
      - GNONCE counter is leaked during handshake
      - Attacker only has to predict master group key (GMK)
      [Diagram: WRT54Gv5 → OpenCL, ~4 mins → GMK & GTK]

  32. Surely no one implemented this…?
      - Weakened 802.11 RNG
      - Depends on OS
      - Estimated ~22% of Wi-Fi networks
      - Open Firmware: Custom RNG
      - Hostapd: /dev/random

  33. Open Firmware
      Open Firmware:
      - An open source BIOS
      - Supports client Wi-Fi functionality in BIOS (!)
      - Randomness from boot time & linear congruential generator
      Hostapd:
      - Based on 802.11 group key hierarchy
      - Also injects new entropy on group rekeys!
      - Reads from /dev/random on boot & when clients join
      - If not enough entropy available, connections are rejected

  34. Agenda: security of group keys
      - Flawed generation
      - Inject & decrypt all traffic
      - Force RC4 in handshake
      - New Wi-Fi tailored RNG

  35. Injecting unicast packets?
      - Put unicast IP packet in a broadcast frame?
      [Frame layout: 802.11-specific fields Flags (to client) and Receiver (FF:⋯:FF), followed by Source IP, Destination IP, Data]
      - Detected by “Hole 196” check
      Hole 196 check done at network-layer … but an AP works at link-layer!

  36. Forging unicast frames using group key
      Abuse AP to bypass Hole 196 check:
      [Diagram labels: Victim, Attacker, AP; frame fields: Sender, Destination, Data]

  37. Forging unicast frames using group key
      Abuse AP to bypass Hole 196 check:
      1. Inject as group frame to AP
      [Diagram labels: Victim, Attacker, AP; frame layout: 802.11-specific fields Flags (To AP), Receiver (FF:⋯:FF), Final dest. (Victim), followed by Sender, Destination, Data; encrypted using group key]

  38. Forging unicast frames using group key
      Abuse AP to bypass Hole 196 check:
      1. Inject as group frame to AP
      2. AP processes and routes frame
      [Diagram labels: Victim, Attacker, AP; frame layout: 802.11-specific fields Flags (To AP), Receiver (FF:⋯:FF), Final dest. (Victim), followed by Sender, Destination, Data; decrypted using group key]
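
The design point from slide 13 (entropy only introduced at boot, so a leaked master key exposes every later group key) next to the hostapd behaviour from slide 33 (new entropy on each group rekey), as an added sketch that is not code from the presentation or from any vendor. The HMAC-SHA1 expansion, its label, the constructed MAC address and the reseed mixing step are assumptions of this example.

```python
import hashlib
import hmac
import os

LABEL = b"Group key expansion"          # label assumed for this sketch
AP_MAC = bytes.fromhex("020000000001")  # constructed, locally administered address

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """HMAC-SHA1 in counter mode, in the style of the 802.11 PRF (assumed form)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

class BootOnlyHierarchy:
    """Slide 13: master key and counter are sampled once; a rekey is counter + 1."""
    def __init__(self, gmk: bytes, counter: int):
        self.gmk, self.counter = gmk, counter

    def rekey(self) -> bytes:
        self.counter = (self.counter + 1) % 2**256
        nonce = self.counter.to_bytes(32, "big")
        return prf(self.gmk, LABEL, AP_MAC + nonce, 16)  # 16-byte GTK

class ReseedingHierarchy(BootOnlyHierarchy):
    """Slide 33: fresh entropy is injected on every group rekey (mixing step assumed)."""
    def rekey(self) -> bytes:
        self.gmk = prf(self.gmk, b"GMK reseed", os.urandom(32), 32)
        return super().rekey()

def leak_exposes_future_keys(hierarchy_cls, rekeys: int = 3) -> bool:
    """Snapshot the state once, then check whether later GTKs can be recomputed from it."""
    gmk, counter = os.urandom(32), int.from_bytes(os.urandom(32), "big")
    live = hierarchy_cls(gmk, counter)
    replay = BootOnlyHierarchy(gmk, counter)  # what a one-time state leak allows
    return all(live.rekey() == replay.rekey() for _ in range(rekeys))

if __name__ == "__main__":
    print("boot-only entropy, leak exposes later GTKs:",
          leak_exposes_future_keys(BootOnlyHierarchy))
    print("reseed on rekey,   leak exposes later GTKs:",
          leak_exposes_future_keys(ReseedingHierarchy))
```

With boot-only entropy every later GTK is a deterministic function of the snapshot; with per-rekey reseeding the snapshot stops being useful after the first rekey.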
