key reinstallation attacks
play

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy - PowerPoint PPT Presentation

Aug 14, 2023 •530 likes •894 views

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

  1. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

  2. Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi security?

  3. The 4-way handshake Two main purposes: › Mutual authentication › Negotiate fresh PTK: pairwise temporal key Appeared to be secure: › No attacks in more than a decade › Proven as secure in 2005 1 › That is: negotiated key (PTK) is secret

  4. Wi-Fi handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 4

  5. Wi-Fi handshake (simplified) A ttack isn’t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 5

  6. Wi-Fi handshake (simplified) 6

  7. Wi-Fi handshake (simplified) PTK is installed 7

  8. Wi-Fi handshake (simplified) 8

  9. Encrypting data frames (simplified) Nonce Plaintext data = Packet Number Nonce Keystream should never be reused  Each nonce results in a unique keystream 9

  10. Wi-Fi handshake (simplified) Installing PTK resets nonce to zero 10

  11. Key Reinstallation Attack 11

  12. 12

  13. Block Msg4 13

  14. 14

  15. In practice Msg4 is sent encrypted 15

  16. 16

  17. Key reinstallation! nonce is reset 17

  18. 18

  19. Same nonce is used! 19

  20. keystream 20

  21. keystream Decrypted! 21

  22. Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi security?

  23. Misconceptions I No useful data is transmitted after handshake › Trigger handshakes during TCP connection Difficult to derive keystream › Already have 82 bytes from encrypted Msg4 Need high signal strength to get MitM › Use channel switch announcements, BSS Transition Requests, jammers, …

  24. Misconceptions II Need to be close to network › Can use special antenna 2,3 Using (AES-)CCMP mitigates the attack › No, still allows decryption & replay of frames Enterprise networks (802.1x) are not vulnerable › Also use 4-way handshake and are affected

  25. Misconceptions III You need the password to perform attacks › Nope. Then you could decrypt all already … Updating only client or AP is sufficient › Both vulnerable clients and vulnerable APs need to apply patches Attack complexity is hard › Script only needs to be written once

  26. “ Attacks only get better, they never get worse. ” — Bruce Schneier

  27. Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi security?

  28. Countermeasures Problem: many clients will not get updated Solution: AP can prevent attacks on clients! › Don’t retransmit message 3/4 › Don’t retransmit group message 1/2 However: › Impact on reliability currently unclear › Clients still vulnerable when connected to other unmodified APs 28

  29. Fuzzing Basic fuzzing as part of device certification › Test against key reinstallations › Fuzzing length fields: avoid well-known bugs › Plaintext frames rejected if encryption enabled? › … Advanced fuzzing of widely used tools: › Can do more costly fuzzing on specific tools › Make these fuzzing tools open source

  30. “ Millions of dollars saved (for Microsoft and the world). ” Patrice Godefroid, Microsoft Research

  31. Other recommendations Not Wi- Fi Alliance task, but … › Make standards easier to access. Just a download link, nothing on top. › Anyone should be able to easily follow discussions. Mailing list?

  32. Need open source firmware Code is getting more closed: › Functionality is offloaded to closed firmware › E.g. 4-way handshake is being offloaded › We cannot trust this code! At least open source security critical parts? › Catch problems earlier & get help

  33. Long-term: formal verification Programming is hard. Are patches correct? › Missed attack against wpa_supplicant 2.6 Collaboration with academia: › Create formal and precise state machines › Formal verification of core code › E.g. prove correctness of open source tools

  34. Thank you! Questions? krackattacks.com

  35. References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008. 3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer- cantenna/ 3 5

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat Europe, 7 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

857 views • 56 slides
KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in

726 views • 47 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Weighted Automata Extraction from Recurrent Neural Networks via Regression on State Spaces

Weighted Automata Extraction from Recurrent Neural Networks via Regression on State Spaces

Weighted Automata Extraction from Recurrent Neural Networks via Regression on State Spaces Takamasa Okudono, Masaki Waga, Taro Sekiyama, Ichiro Hasuo SOKENDAI, the Graduate University for Advanced Studies, Japan /National Institute of

809 views • 48 slides
OpenStreetMap and Wikimedia: A quick overview State of the Map 2018 Eugene Alvin Villar

OpenStreetMap and Wikimedia: A quick overview State of the Map 2018 Eugene Alvin Villar

OpenStreetMap and Wikimedia: A quick overview State of the Map 2018 Eugene Alvin Villar [[User:seav]] OpenStreetMap is like Wikipedia for maps OpenStreetMap is like Wikidata for geographical data OpenStreetMap has nodes, ways,

833 views • 30 slides
1 Hello! Lizzie Newcombe Implementation Manager Phone: (718) 852-0105

1 Hello! Lizzie Newcombe Implementation Manager Phone: (718) 852-0105

1 Hello! Lizzie Newcombe Implementation Manager Phone: (718) 852-0105 lizzie.newcombe@flocabulary.com 2 Our Mission Flocabulary is committed to increasing achievement by bringing joy to every classroom 3 Engagement Engagement and

541 views • 15 slides
12 A Column Generation Approach for the post Enrolment Course Timetabling Problem of the ITC

12 A Column Generation Approach for the post Enrolment Course Timetabling Problem of the ITC

12 A Column Generation Approach for the post Enrolment Course Timetabling Problem of the ITC John van den Broek and Cor Hurkens June 18 2008 12 Input set E of events. set T of timeslots ( 5 days of 9 hours each). set R of rooms

726 views • 18 slides
requires a far-reaching & coherent ecosystem working at a determined pace. Mission : Driving a

requires a far-reaching & coherent ecosystem working at a determined pace. Mission : Driving a

Motivation : Delivering the benefits of ubiquitous Light Communications to serve people & technologies, requires a far-reaching & coherent ecosystem working at a determined pace. Mission : Driving a consistent, focused & concise

175 views • 6 slides
Wait-Freedom with Advice Carole Delporte Hugues Fauconnier U Paris Diderot Eli Gafni

Wait-Freedom with Advice Carole Delporte Hugues Fauconnier U Paris Diderot Eli Gafni

Wait-Freedom with Advice Carole Delporte Hugues Fauconnier U Paris Diderot Eli Gafni Petr Kuznetsov UCLA TU Berlin/Telekom InnovaDon Labs PODC 2012 Solving a task: correctness 2 Distributed tasks (I,O, ) I

578 views • 23 slides
A Burnside Approach to the Termination of Mohris Algorithm for Polynomially Ambiguous

A Burnside Approach to the Termination of Mohris Algorithm for Polynomially Ambiguous

A Burnside Approach to the Termination of Mohris Algorithm for Polynomially Ambiguous Min-Plus-Automata Daniel Kirsten Dresden University of Technology Institut for Algebra August 31, 2006 Definition: An automaton A is called polynomially

785 views • 40 slides
Investment Review & Outlook __________________ Decem ber 31, 20 11 1 Investment Review and

Investment Review & Outlook __________________ Decem ber 31, 20 11 1 Investment Review and

Investment Review & Outlook __________________ Decem ber 31, 20 11 1 Investment Review and Outlook Wed like to provide you with a perspective of the equity markets for the past year as well as common and uncommon themes for 2012. The

282 views • 10 slides

More recommend