key reinstallation attacks
play

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef - PowerPoint PPT Presentation

Jul 05, 2023 •279 likes •857 views

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat Europe, 7 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

  1. Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef — @vanhoefm Black Hat Europe, 7 December 2017

  2. Introduction PhD Defense, July 2016: “You recommend WPA2 with AES, but are you sure that’s secure?” Seems so! No attacks in 14 years & proven secure. 2

  4. Introduction Key reinstallation when ic_set_key is called again? 4

  5. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 5

  6. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 6

  7. The 4-way handshake Used to connect to any protected Wi-Fi network › Provides mutual authentication › Negotiates fresh PTK: pairwise temporal key Appeared to be secure: › No attacks in over a decade (apart from password guessing) › Proven that negotiated key (PTK) is secret 1 › And encryption protocol proven secure 7 7

  8. 4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 8

  9. 4-way handshake (simplified) Attack isn’t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 9

  10. 4-way handshake (simplified) 10

  11. 4-way handshake (simplified) PTK is installed 11

  12. 4-way handshake (simplified) 12

  13. Frame encryption (simplified) Nonce Plaintext data (packet number) Packet key PTK Mix (session key) Nonce  Nonce reuse implies keystream reuse (in all WPA2 ciphers) 13

  14. 4-way handshake (simplified) Installing PTK initializes nonce to zero 14

  15. Reinstallation Attack Channel 1 Channel 6 15

  16. Reinstallation Attack 16

  17. Reinstallation Attack Block Msg4 17

  18. Reinstallation Attack 18

  19. Reinstallation Attack 19

  20. Reinstallation Attack In practice Msg4 is sent encrypted 20

  21. Reinstallation Attack 21

  22. Reinstallation Attack Key reinstallation! nonce is reset 22

  23. Reinstallation Attack 23

  24. Reinstallation Attack Same nonce is used! 24

  25. Reinstallation Attack Keystream 25

  26. Reinstallation Attack Keystream Decrypted! 26

  27. Key Reinstallation Attack Other Wi-Fi handshakes also vulnerable: › Group key handshake › FT handshake › TDLS PeerKey handshake For details see our CCS’17 paper 12 : › “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” 27

  28. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 28

  29. General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 29

  30. Cipher suite specific AES-CCMP: No practical frame forging attacks WPA-TKIP: › Recover Message Integrity Check key from plaintext 4,5 › Forge/inject frames sent by the device under attack GCMP (WiGig): › Recover GHASH authentication key from nonce reuse 6 › Forge/inject frames in both directions 30

  31. Handshake specific Group key handshake: › Client is attacked, but only AP sends real broadcast frames Unicast 31

  32. Handshake specific Group key handshake: › Client is attacked, but only AP sends real broadcast frames › Can only replay broadcast frames to client 4-way handshake: client is attacked  replay/decrypt/forge FT handshake (fast roaming = 802.11r): › Access Point is attacked  replay/decrypt/forge › No MitM required, can keep causing nonce resets 32

  33. Implementation specific iOS 10 and Windows: 4-way handshake not affected › Cannot decrypt unicast traffic (nor replay/decrypt) › But group key handshake is affected (replay broadcast) › Note: iOS 11 does have vulnerable 4-way handshake 8 wpa_supplicant 2.4+ › Client used on Linux and Android 6.0+ › On retransmitted msg3 will install all-zero key 33

  34. Android (victim) 34

  35. 35

  36. 36

  37. 37

  38. 38

  39. 39

  40. Now trivial to intercept and manipulate client traffic 40

  41. Is your devices affected? github.com/vanhoefm/krackattacks-scripts › Tests clients and APs › Works on Kali Linux Remember to: › Disable hardware encryption › Use a supported Wi-Fi dongle! 41

  42. Countermeasures Problem: many clients won’t get updates Solution: AP can prevent (most) attacks on clients! › Don’t retransmit message 3/4 › Don’t retransmit group message 1/2 However: › Impact on reliability unclear › Clients still vulnerable when connected to unmodified APs 42

  43. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 43

  44. Misconceptions I Updating only the client or AP is sufficient › Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim › Can use special antenna from afar Must be connected to network as attacker (i.e. have password) › Only need to be nearby victim and network 44

  45. Misconceptions II No useful data is transmitted after handshake › Trigger new handshakes during TCP connection Obtaining channel-based MitM is hard › Nope, can use channel switch announcements Attack complexity is hard › Script only needs to be written once … › … and some are (privately) doing this! 45

  46. Misconceptions III Using (AES-)CCMP mitigates the attack › Still allows decryption & replay of frames Enterprise networks (802.1x) aren’t affected › Also use 4-way handshake & are affected It’s the end of the world! › Let’s not get carried away  Image from “ KRACK: Your Wi-Fi is no longer secure” by Kaspersky 46

  47. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 47

  48. Limitations of formal proofs I › 4-way handshake proven secure › Encryption protocol proven secure The combination was not proven secure! 48

  49. Limitations of formal proofs II Were the proofs too abstract? › They did not model retransmissions › Abstract model ≠ real code “In theory, theory and practice are the same. In practice, they are not.” 49

  50. Keep protocols simple I The wpa_supplicant 2.6 case: › Complex state machine & turned out to still be vulnerable › Need formal verification of implementations Discovered other vulnerabilities: › Hostapd reuses ANonce during rekey › $POPULAR_CLIENT reuses SNonce during rekey › When combined, rekeying reinstalls the existing PTK 50

  51. Keep protocols simple II Network Operations Division Cryptographic Requirements 9 : “ Re-keying introduces unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return .”  Keep the protocol and code simple! 51

  52. Need rigorous specifications Original WPA2 standard (802.11i amendment) › State machine described in pseudo code › Doesn’t define when messages are accepted 52

  53. Need rigorous specifications Original WPA2 standard (802.11i amendment) › State machine described in pseudo code › Doesn’t define when messages are accepted 802.11r amendment (FT handshake) › Better defines how/when to handle messages › But some terms and cases still unclear S1KH state machine 53

  54. On a related note… Workshop on: Security Protocol Implementations: Development and Analysis (SPIDA) Co-located with EuroS&P 2018 “ focuses on improving development & analysis of security protocol implementations” 54

  55. Thank you! Questions? krackattacks.com

  56. References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008. 3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/ 4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009. 5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013. 6. A. Joux. Authentication failures in NIST version of GCM. 2016. 7. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002. 8. Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en- us/HT208222 9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf 10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from https://www.ietf.org/proceedings/76/slides/tls-7.pdf 11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014. 12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017. 56

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in

726 views • 47 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Application protocols David Hovemeyer 18 November 2019 David Hovemeyer Computer Systems

Application protocols David Hovemeyer 18 November 2019 David Hovemeyer Computer Systems

Application protocols David Hovemeyer 18 November 2019 David Hovemeyer Computer Systems Fundamentals: Application Protocols 18 November 2019 Application layer 1 In the network protocol stack, the application layer is at the top Consists

782 views • 46 slides
Ajith Suresh CrIS Lab, IISc * Indian Institute of Science (IISc), Bangalore

Ajith Suresh CrIS Lab, IISc * Indian Institute of Science (IISc), Bangalore

Ajith Suresh CrIS Lab, IISc * Indian Institute of Science (IISc), Bangalore https://www.csa.iisc.ac.in/~cris ^ Aarhus University, Denmark Outline q Privacy Preserving Machine Learning (PPML) q Secure Multi-party Computation (MPC) q Overview of

715 views • 52 slides
1 The purpose of the Quality Improvement Protocol is to engage prekindergarten programs in

1 The purpose of the Quality Improvement Protocol is to engage prekindergarten programs in

1 The purpose of the Quality Improvement Protocol is to engage prekindergarten programs in creating and maintaining a high-quality program, and to be used as an ongoing tool by the Department for technical assistance and support. 2 I.

543 views • 32 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
ISDA IBOR Fallbacks July 2018 IBOR Fallbacks: Background Per the request of the FSB OSSG in

ISDA IBOR Fallbacks July 2018 IBOR Fallbacks: Background Per the request of the FSB OSSG in

ISDA IBOR Fallbacks July 2018 IBOR Fallbacks: Background Per the request of the FSB OSSG in 2016, ISDA will amend the 2006 ISDA Definitions to implement fallbacks for: LIBOR in USD, GBP, JPY, CHF and EUR; EURIBOR, JPY TIBOR, Euroyen TIBOR,

317 views • 6 slides
NFS-RODS: A Tool for Accessing iRODS via the NFS Protocol Presenter: Danilo Oliveira -

NFS-RODS: A Tool for Accessing iRODS via the NFS Protocol Presenter: Danilo Oliveira -

NFS-RODS: A Tool for Accessing iRODS via the NFS Protocol Presenter: Danilo Oliveira - dmo4@cin.ufpe.br D.Oliveira, I. F, A. Lobo Jr., F. Silva, G. Stephen Worth Jason Coposky Callou, V. Alves, P. Maciel EMC Corporation iRODS Consortium

645 views • 26 slides
Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of

Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of

Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of fair exchange protocols Electronic purchase of goods exchange of an electronic item against an electronic payment Digital contract signing exchange

353 views • 20 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides

More recommend