Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef - - PowerPoint PPT Presentation

key reinstallation attacks
SMART_READER_LITE
LIVE PREVIEW

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef - - PowerPoint PPT Presentation

Jul 05, 2023 279 likes •860 views

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat Europe, 7 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

slide-1
SLIDE 1

Key Reinstallation Attacks: Breaking the WPA2 Protocol

Mathy Vanhoef — @vanhoefm Black Hat Europe, 7 December 2017

slide-2
SLIDE 2

Introduction

2

PhD Defense, July 2016: “You recommend WPA2 with AES, but are you sure that’s secure?” Seems so! No attacks in 14 years & proven secure.

slide-3
SLIDE 3
slide-4
SLIDE 4

Introduction

4

Key reinstallation when ic_set_key is called again?

slide-5
SLIDE 5

Overview

5

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-6
SLIDE 6

Overview

6

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-7
SLIDE 7

The 4-way handshake

Used to connect to any protected Wi-Fi network › Provides mutual authentication › Negotiates fresh PTK: pairwise temporal key Appeared to be secure: › No attacks in over a decade (apart from password guessing) › Proven that negotiated key (PTK) is secret1 › And encryption protocol proven secure7

7

slide-8
SLIDE 8

4-way handshake (simplified)

8

PTK = Combine(shared secret, ANonce, SNonce)

slide-9
SLIDE 9

4-way handshake (simplified)

9

PTK = Combine(shared secret, ANonce, SNonce)

Attack isn’t about ANonce or SNonce reuse

slide-10
SLIDE 10

4-way handshake (simplified)

10

slide-11
SLIDE 11

4-way handshake (simplified)

11

PTK is installed

slide-12
SLIDE 12

4-way handshake (simplified)

12

slide-13
SLIDE 13

Frame encryption (simplified)

13

Plaintext data

 Nonce reuse implies keystream reuse (in all WPA2 ciphers)

Nonce Mix PTK

(session key)

Nonce

(packet number) Packet key

slide-14
SLIDE 14

4-way handshake (simplified)

14

Installing PTK initializes nonce to zero

slide-15
SLIDE 15

Channel 1

15

Reinstallation Attack

Channel 6

slide-16
SLIDE 16

16

Reinstallation Attack

slide-17
SLIDE 17

17

Reinstallation Attack

Block Msg4

slide-18
SLIDE 18

18

Reinstallation Attack

slide-19
SLIDE 19

19

Reinstallation Attack

slide-20
SLIDE 20

20

Reinstallation Attack

In practice Msg4 is sent encrypted

slide-21
SLIDE 21

21

Reinstallation Attack

slide-22
SLIDE 22

22

Reinstallation Attack

Key reinstallation! nonce is reset

slide-23
SLIDE 23

23

Reinstallation Attack

slide-24
SLIDE 24

24

Reinstallation Attack

Same nonce is used!

slide-25
SLIDE 25

25

Reinstallation Attack Keystream

slide-26
SLIDE 26

26

Reinstallation Attack Keystream Decrypted!

slide-27
SLIDE 27

Key Reinstallation Attack

Other Wi-Fi handshakes also vulnerable: › Group key handshake › FT handshake › TDLS PeerKey handshake For details see our CCS’17 paper12: › “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”

27

slide-28
SLIDE 28

Overview

28

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-29
SLIDE 29

General impact

29

Receive replay counter reset Replay frames towards victim Transmit nonce reset Decrypt frames sent by victim

slide-30
SLIDE 30

Cipher suite specific

AES-CCMP: No practical frame forging attacks WPA-TKIP: › Recover Message Integrity Check key from plaintext4,5 › Forge/inject frames sent by the device under attack GCMP (WiGig): › Recover GHASH authentication key from nonce reuse6 › Forge/inject frames in both directions

30

slide-31
SLIDE 31

Unicast

Handshake specific

Group key handshake: › Client is attacked, but only AP sends real broadcast frames

31

slide-32
SLIDE 32

Handshake specific

Group key handshake: › Client is attacked, but only AP sends real broadcast frames › Can only replay broadcast frames to client 4-way handshake: client is attacked  replay/decrypt/forge FT handshake (fast roaming = 802.11r): › Access Point is attacked  replay/decrypt/forge › No MitM required, can keep causing nonce resets

32

slide-33
SLIDE 33

Implementation specific

iOS 10 and Windows: 4-way handshake not affected › Cannot decrypt unicast traffic (nor replay/decrypt) › But group key handshake is affected (replay broadcast) › Note: iOS 11 does have vulnerable 4-way handshake8 wpa_supplicant 2.4+ › Client used on Linux and Android 6.0+ › On retransmitted msg3 will install all-zero key

33

slide-34
SLIDE 34

34

Android (victim)

slide-35
SLIDE 35

35

slide-36
SLIDE 36

36

slide-37
SLIDE 37

37

slide-38
SLIDE 38

38

slide-39
SLIDE 39

39

slide-40
SLIDE 40

40

Now trivial to intercept and manipulate client traffic

slide-41
SLIDE 41

Is your devices affected?

github.com/vanhoefm/krackattacks-scripts

41

› Tests clients and APs › Works on Kali Linux Remember to: › Disable hardware encryption › Use a supported Wi-Fi dongle!

slide-42
SLIDE 42

Countermeasures

Problem: many clients won’t get updates Solution: AP can prevent (most) attacks on clients! › Don’t retransmit message 3/4 › Don’t retransmit group message 1/2 However: › Impact on reliability unclear › Clients still vulnerable when connected to unmodified APs

42

slide-43
SLIDE 43

Overview

43

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-44
SLIDE 44

Misconceptions I

Updating only the client or AP is sufficient › Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim › Can use special antenna from afar Must be connected to network as attacker (i.e. have password) › Only need to be nearby victim and network

44

slide-45
SLIDE 45

Misconceptions II

No useful data is transmitted after handshake › Trigger new handshakes during TCP connection Obtaining channel-based MitM is hard › Nope, can use channel switch announcements Attack complexity is hard › Script only needs to be written once … › … and some are (privately) doing this!

45

slide-46
SLIDE 46

Misconceptions III

Using (AES-)CCMP mitigates the attack › Still allows decryption & replay of frames Enterprise networks (802.1x) aren’t affected › Also use 4-way handshake & are affected It’s the end of the world! › Let’s not get carried away 

46

Image from “KRACK: Your Wi-Fi is no longer secure” by Kaspersky

slide-47
SLIDE 47

Overview

47

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-48
SLIDE 48

Limitations of formal proofs I

› 4-way handshake proven secure › Encryption protocol proven secure

48

The combination was not proven secure!

slide-49
SLIDE 49

Limitations of formal proofs II

Were the proofs too abstract? › They did not model retransmissions › Abstract model ≠ real code

49

“In theory, theory and practice are the same. In practice, they are not.”

slide-50
SLIDE 50

Keep protocols simple I

The wpa_supplicant 2.6 case: › Complex state machine & turned out to still be vulnerable › Need formal verification of implementations Discovered other vulnerabilities: › Hostapd reuses ANonce during rekey › $POPULAR_CLIENT reuses SNonce during rekey › When combined, rekeying reinstalls the existing PTK

50

slide-51
SLIDE 51

Keep protocols simple II

Network Operations Division Cryptographic Requirements9: “Re-keying introduces unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return.”

51

 Keep the protocol and code simple!

slide-52
SLIDE 52

Need rigorous specifications

Original WPA2 standard (802.11i amendment) › State machine described in pseudo code › Doesn’t define when messages are accepted

52

slide-53
SLIDE 53

Need rigorous specifications

Original WPA2 standard (802.11i amendment) › State machine described in pseudo code › Doesn’t define when messages are accepted 802.11r amendment (FT handshake) › Better defines how/when to handle messages › But some terms and cases still unclear

53

S1KH state machine

slide-54
SLIDE 54

On a related note…

Workshop on:

Security Protocol Implementations: Development and Analysis (SPIDA)

Co-located with EuroS&P 2018 “focuses on improving development & analysis

  • f security protocol implementations”

54

slide-55
SLIDE 55

Questions?

krackattacks.com

Thank you!

slide-56
SLIDE 56

References

1.

  • C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005.

2.

  • S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008.

3.

  • M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/

4.

  • E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009.

5.

  • M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013.

6.

  • A. Joux. Authentication failures in NIST version of GCM. 2016.

7.

  • J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002.

8.

  • Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en-

us/HT208222 9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf

  • 10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from

https://www.ietf.org/proceedings/76/slides/tls-7.pdf

  • 11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014.
  • 12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017.

56