improved krack attacks against
play

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef - PowerPoint PPT Presentation

Feb 02, 2023 •423 likes •991 views

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

  1. Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef — @vanhoefm OPCDE, Dubai, 7 April 2018

  2. Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2

  3. Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 3

  4. The 4-way handshake Used to connect to any protected Wi-Fi network › Provides mutual authentication › Negotiates fresh PTK: pairwise transient key Appeared to be secure: › No attacks in over a decade (apart from password guessing) › Proven that negotiated key (PTK) is secret 1 › And encryption protocol proven secure 5 4

  5. 4-way handshake (simplified) 5

  6. 4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 6

  7. 4-way handshake (simplified) Attack isn’t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 7

  8. 4-way handshake (simplified) 8

  9. 4-way handshake (simplified) 9

  10. 4-way handshake (simplified) PTK is installed 10

  11. 4-way handshake (simplified) 11

  12. Frame encryption (simplified) Nonce Plaintext data (packet number) Packet key PTK Mix (session key) Nonce  Nonce reuse implies keystream reuse (in all WPA2 ciphers) 12

  13. 4-way handshake (simplified) Installing PTK initializes nonce to zero 13

  14. Reinstallation Attack Channel 1 Channel 6 14

  15. Reinstallation Attack 15

  16. Reinstallation Attack Block Msg4 16

  17. Reinstallation Attack 17

  18. Reinstallation Attack In practice Msg4 is sent encrypted 18

  19. Reinstallation Attack Key reinstallation! Nonce is reset 19

  20. Reinstallation Attack Same nonce is used! 20

  21. Reinstallation Attack Keystream 21

  22. Reinstallation Attack Keystream Decrypted! 22

  23. Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 23

  24. General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 24

  25. Cipher suite specific AES-CCMP: › No practical frame forging attacks WPA-TKIP: › Recover Message Integrity Check key from plaintext 2,3 › Forge/inject frames sent by the device under attack 25

  26. Handshake specific Group key handshake: › Client is attacked, but only AP sends real broadcast frames › Can only replay broadcast frames to client 4-way handshake: › Client is attacked  replay/decrypt/forge 26

  27. Implementation specific iOS 10 and Windows: 4-way handshake not affected › Cannot decrypt unicast traffic (nor replay/decrypt) › But group key handshake is affected (replay broadcast) › Note: iOS 11 does have vulnerable 4-way handshake 6 wpa_supplicant 2.4+ › Client used on Linux and Android 6.0+ › On retransmitted msg3 will install all-zero key 27

  28. Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 28

  29. Idea 1: replay other handshake messages? 29

  30. Idea 1: replay other handshake messages? What if we replay Msg4? 30

  31. MediaTek drivers vulnerable! › Certain MediaTek Drivers accept replayed Msg4’s › Used in 100+ devices  many vulnerable products 9 ASUS RT-AC51U TP-Link RE370K 31

  32. Idea 2: A/SNonce renewed during rekey? AP can start new handshake to refresh the PTK › Same messages exchanged as initial handshake › New ANonce and SNonce must be used macOS: › Patched default KRACK attack › But reuses the SNonce during a rekey › SNonce reuse patched in macOS 10.13.3 32

  33. Exploiting SNonce reuse No problem if ANonce does change › But Linux’s hostapd reused ANonce … › Previous key was renegotiated and reinstalled › Can decrypt old captured traffic ! Adversary can replay old handshake › Tricky because messages must now be encrypted › But feasible under specific circumstances 33

  34. Idea 3: further audit patches Several users reported: “ Patched client still vulnerable to group key reinstallations” › Either our patches are flawed … › … or device always accepts replayed broadcast frames?! 34

  35. No broadcast replay checks! Netis WF-2120 AWUS036NH Nexus 5X › 8 of out 16 tested devices vulnerable › Likely caused by faulty hardware/firmware decryption 35

  36. Related issue: group key improperly installed 36

  37. Related issue: group key improperly installed Contains key & current replay counter 37

  38. Related issue: group key improperly installed Contains key & current replay counter Some install key using zero replay counter 38

  39. Related issue: group key improperly installed Affected devices: › Samsung S3 LTE › $POPULAR_CLIENT How to abuse this? 39

  40. GTK Install Attack 40

  41. GTK Install Attack 41

  42. GTK Install Attack Replay counter is reset to zero 42

  43. GTK Install Attack 43

  44. Idea 4: Impact of replaying broadcast frames? Kankun smart power plug › Android app to control it Commands are broadcast UDP › Destination MAC in payload (?!) › Challenge/response protocol 44

  45. Command Replay 45

  46. Command Replay 46

  47. Command Replay 47

  48. Command Replay 48

  49. Command Replay Command again executed: E.g. switch on/off 49

  50. Is your device affected? github.com/vanhoefm/krackattacks-scripts › Tests clients and APs › Works on Kali Linux Remember to: › Disable hardware encryption › Use a proper Wi-Fi dongle! 50

  51. Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 51

  52. Limitations of formal proofs › 4-way handshake proven secure › Encryption protocol proven secure The combination was not proven secure! 52

  53. Multi-party vulnerability coordination Widespread issue! How to disclose? Guidelines and Practices for Multi-Party Vulnerability Coordination (Draft) 7 Remember: › Goal is to protect users › There are various opinions 53

  54. Conclusion › Flaw is in WPA2 standard › Proven correct but is insecure! › Attack has practical impact › Update all clients & check APs 54

  55. Thank you! Questions? krackattacks.com

  56. References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009. 3. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013. 4. A. Joux. Authentication failures in NIST version of GCM. 2016. 5. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002. 6. Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en-us/HT208222 7. Multi-party vuln coordination 8. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017. 9. WikiDevi. MediaTek MT7620. Retrieved 2 April from https://wikidevi.com/wiki/MediaTek_MT7620A 10. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.p df 56

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128

365 views • 35 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks Giovanni

Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks Giovanni

Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks Giovanni Camurati*, Aurlien Francillon*, Franois-Xavier Standaert** *EURECOM, **Universit catholique de Louvain Who am I? Giovanni Camurati Ph.D. Student at

1.27k views • 94 slides
KRACK Attack Team 05 Duncan Yee Eric Kwok Derrick Lee 1 Content Introduction Overview

KRACK Attack Team 05 Duncan Yee Eric Kwok Derrick Lee 1 Content Introduction Overview

KRACK Attack Team 05 Duncan Yee Eric Kwok Derrick Lee 1 Content Introduction Overview Problem Implementation Discussion References 2 Introduction The IEEE 802.11 wireless network protocol is the most common protocol used to connect

1k views • 30 slides
Improved Attacks on Full GOST Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann

Improved Attacks on Full GOST Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann

Improved Attacks on Full GOST Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel GOST Designed by Soviet cryptographers in the 1980 s Motivated by the desire to construct an

995 views • 34 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

654 views • 62 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud Kenny Paterson Information Security Group Application Setting Storing Records in the Cloud value of record ( N possible values) record identifier

615 views • 59 slides
Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2

Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2

Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2 Deian Stefan 3 1 EPFL, Switzerland 2 FHNW, Switzerland 3 The Cooper Union, USA AFRICACRYPT 2010, Mai 03-06, Stellenbosch Abstract Follow-up of

506 views • 16 slides
Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery Ananth Raghunathan Stanford University Pseudorandom Functions (PRFs) x { 0 , 1 } R k K x k PRF PRF( k , x ) x Rand Rand(

565 views • 23 slides
Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Introduction Results ECHO Grstl Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas Peyrin CRYPTO 2010 Santa Barbara - November 19, 2010 Introduction Results ECHO Grstl Outline

382 views • 23 slides
On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

Motivation Previous Work Improved Filter Conclusion On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg Early Symmetric Crypto 2015

533 views • 37 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples Countermeasures against DoS Crypto Puzzles Stateless Protocols Avoid IP address spoofing / identifying malicious nodes Ingress filtering

937 views • 72 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Computer Communication Networks Network Security ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1

Computer Communication Networks Network Security ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1

Computer Communication Networks Network Security ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1 Network Security Goals: understand principles of network security: cryptography and its many uses beyond confidentiality

587 views • 57 slides
The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs Bluetooth Security and Cooperation in Wireless Networks Georg-August University Gttingen Security in Wireless Networks Wireless networks are

519 views • 48 slides
I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche, Kashyap Thimmaraju , Liron Schiff and Stefan Schmid IFIP Networking 2018 14-16 May, 2018, Zurich, Switzerland 1 Outline 1. Motivation 2. Covert

999 views • 95 slides
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C.

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C.

CS259: Security Analysis of Network Protocols, Winter 2008 Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic Todays Plan First half The meaning, importance and technique of

729 views • 24 slides
Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly Again, by what you know The system asks the user to provide some information If its provided correctly, the user is authenticated

233 views • 20 slides

More recommend