KRACK Attack - Team 05 (Duncan Yee, Eric Kwok, Derrick Lee) - PowerPoint PPT Presentation



SLIDE 1

KRACK Attack

Team 05

Duncan Yee, Eric Kwok, Derrick Lee

SLIDE 2

Content

  • Introduction
  • Overview
  • Problem
  • Implementation
  • Discussion
  • References

SLIDE 3

Introduction

  • The IEEE 802.11 wireless network protocol is the most common protocol used to connect wirelessly to a network
  • This includes computers, laptops, network-connected home locks, and other electronic devices that connect wirelessly to the internet
  • Various authentication schemes are used to provide a secure Wireless Local Area Network (WLAN)
  • The most secure and most commonly used authentication scheme is Wi-Fi Protected Access 2 (WPA2)
  • In 2017, a method to exploit the WPA2 authentication scheme was discovered, called the Key Reinstallation Attack (KRACK)
  • WPA3, announced in 2018, is the successor to WPA2 and provides a more secure handshake, but it has yet to be deployed at large scale

SLIDE 4

Goal:

  • We will simulate the transmission of packets through a wireless network and demonstrate how the KRACK attack can be carried out
  • Numerous patches have been provided by network providers to counteract the KRACK attack
  • We will discuss what these patches do, to provide details on the measures used to protect against this attack

SLIDE 5

Content

  • Introduction
  • Overview
  • Problem
  • Implementation
  • Discussion
  • References

SLIDE 6

Overview

  • WPA2 supersedes the previous WPA and Wired Equivalent Privacy (WEP)
  • It is a security protocol that authenticates clients before they are granted access to the network
  • WPA2 supports the Temporal Key Integrity Protocol (TKIP), CCM mode Protocol (CCMP), and Advanced Encryption Standard (AES) encryption modes to securely encrypt packets in transmission

SLIDE 7

Proof of Concept attack against Android

When the attack was released in October 2017, researchers were able to demonstrate decryption of Wi-Fi packets and were able to acquire login information

SLIDE 8

SLIDE 9

SLIDE 10

4-Way Handshake

Authenticator (AP): i.e. a router; provides supplicants with access to the wireless network
Supplicant (Client): i.e. your device; laptop, desktop, tablet

  • The supplicant knows the wireless network passphrase (user entered)
  • The authenticator knows the wireless network passphrase
  • The 4-way handshake provides a means for the two devices to prove that they both know the passphrase

SLIDE 11

4-Way Handshake

1) AP generates and sends an Authenticator Number used once (ANonce) to the client
2) Client constructs the Pairwise Transient Key (PTK) from the ANonce, sends its own SNonce, and protects the frame with a Message Integrity Code (MIC) value
3) AP calculates the PTK, then constructs and sends the Group Temporal Key (GTK) and sequence number. A MIC value also protects this frame, and the client is directed to install the PTK
4) Client sends confirmation to the AP and is ready to configure its hardware

The data port is now open: data can be unicast using the PTK and multicast with the GTK.

SLIDE 12

Content

  • Introduction
  • Overview
  • Problem
  • Implementation
  • Discussion
  • References

SLIDE 13

Problem

  • The vulnerability in the WPA2 security protocol lies in the third step of the 4-way handshake, where the access point constructs and sends the GTK and sequence number
  • The attacker does not require the passphrase to carry out the attack and instead tries to degrade the shared encryption keys
  • This means that changing the passphrase used to connect to the network will not help

SLIDE 14

KRACK

  • Once a target network is selected, the attacker clones the real AP onto a separate channel, creating a Rogue Access Point
  • The attacker sends spoofed 802.11 management frames from the Rogue AP in an attempt to get clients to connect to it instead of the real AP, resulting in a man-in-the-middle position
  • Right before the 3rd step of the 4-way handshake, a forged ANonce from the Rogue AP is sent, forcing the target to re-install the shared key, essentially repeating step 1
  • As this process repeats multiple times, the key becomes predictable, allowing the attacker to decrypt packet data. It may also be possible for the attacker to inject malicious packets.

SLIDE 15

Man-In-The-Middle Position

After spoofing 802.11 management frames to trick a client into connecting to the attacker's malicious AP, packets between the client and the AP are intercepted. The attacker is free to resend message 3 of the handshake to the client and capture multiple encrypted messages.

SLIDE 16

Android and Linux

wpa_supplicant version 2.4 and above: once the encryption key has been installed on the client for the first time, it is cleared from memory for security reasons. If message 3 is received again, the client will "reinstall" the encryption key, even though it has already been cleared. An all-zero key is installed as a result, making it trivial to decrypt subsequent packets. (XOR with an all-zero key produces the exact same message)

SLIDE 17

More Details on Decryption

E1 and E2 are encrypted packets captured from the client. P1 and P2 are the plaintext contents of the packets. KS is the keystream used to encrypt the messages. By capturing multiple packets and correctly guessing P1, all subsequent packets P2 can be decrypted.
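As an added example (not part of the original deck), the recovery the slide describes written out in Python: two frames protected under the same (TK, packet counter) share one keystream KS, so E1 XOR E2 = P1 XOR P2 and a correct guess of P1 yields P2 without any key. The SHA-256-based keystream, the key and the frame contents are constructed stand-ins, not the real CCMP cipher or captured traffic.

```python
import hashlib


def keystream(tk: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for CCMP's AES-CTR keystream (constructed, not the real cipher).

    The only property that matters here: equal (TK, nonce) pairs give equal KS.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(tk: bytes, nonce: int, plaintext: bytes) -> bytes:
    """E = P xor KS, as in any stream-cipher mode."""
    return xor(plaintext, keystream(tk, nonce, len(plaintext)))


def recover_p2(e1: bytes, e2: bytes, p1_known: bytes) -> bytes:
    """Same KS for both frames: E1 xor E2 = P1 xor P2, hence P2 = E1 xor E2 xor P1.

    No key material is involved; only a correct guess of P1 is needed.
    """
    return xor(xor(e1, e2), p1_known)


# Constructed sample frames. After a key reinstallation the client's packet
# counter restarts, so both frames were protected under the same (TK, nonce).
TK = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
P1 = b"GET /login HTTP/1.1\r\n"    # P1: predictable protocol header (guessable)
P2 = b"user=alice&pw=hunter2"     # P2: the secret a defender cares about
E1 = encrypt(TK, 1, P1)
E2 = encrypt(TK, 1, P2)            # nonce 1 reused after the key was reinstalled

if __name__ == "__main__":
    print(recover_p2(E1, E2, P1))                          # b'user=alice&pw=hunter2'
    # With a fresh nonce the keystreams differ and the recovery fails:
    print(recover_p2(E1, encrypt(TK, 2, P2), P1) == P2)   # False
```

The second print is the whole point of the patches discussed later: as long as the packet counter is never reset under the same TK, captured frames never share a keystream.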

SLIDE 18

Content

  • Introduction
  • Overview
  • Problem
  • Implementation
  • Discussion
  • References

SLIDE 19

EAP Protocol Captured by Wireshark

SLIDE 20

Simulation of WiFi Network

SLIDE 21

Simulation of Man In The Middle Packets

SLIDE 22

Content

  • Introduction
  • Overview
  • Problem
  • Implementation
  • Discussion
  • References

SLIDE 23

Prevention

  • Use a wired Ethernet connection
    > not always viable
  • Make sure security patches are up to date and installed

SLIDE 24

A Closer Look On Security Patches

Linux has an open-source patch, and the DD-WRT open router firmware has a patch whose design is available to be analyzed. Its patch implements:

  • prevent TK reinstallation if the TK has already been set
  • track the current GTK and prevent further reinstallation attempts (prevents resetting of the sequence counter)
  • track whether the PTK has been installed and prevent installation of an all-zero TK (also prevents re-installation of the same PTK to the driver)
  • generate a new ANonce when starting a new 4-way handshake to rekey the PTK
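To show what the TK/PTK items in that list buy, here is an added Python model (not wpa_supplicant or DD-WRT code) of a client's message 3 handling. The unpatched path mirrors the slide 16 behaviour (TK wiped after first install, so a replayed message 3 installs an all-zero key and resets the packet counter); the patched path refuses to reinstall once a TK is set and refuses an all-zero TK. The SHA-256 key derivation and the handshake values are constructed stand-ins.

```python
import hashlib

ZERO_TK = bytes(16)
# Constructed handshake inputs; the toy KDF below only hashes them together.
PMK, ANONCE, SNONCE = b"pmk" * 11, b"A" * 32, b"S" * 32


class Supplicant:
    """Toy model of a client's key-install path around handshake message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk_buf = None        # TK held by the supplicant until installed
        self.driver_tk = None      # TK currently installed in the driver
        self.tk_installed = False  # patch: remember that a TK was already set
        self.tx_counter = 0        # per-key packet counter (nonce) in the driver

    def on_message1(self, pmk: bytes, anonce: bytes, snonce: bytes) -> None:
        # Derive the PTK (stand-in KDF) and keep its TK part for message 3.
        self.ptk_buf = hashlib.sha256(pmk + anonce + snonce).digest()[:16]

    def on_message3(self) -> bool:
        """Handle message 3 (first copy or a retransmit); True if a TK was installed."""
        if self.patched and self.tk_installed:
            return False               # "prevent TK reinstallation if TK already set"
        if self.patched and self.ptk_buf == ZERO_TK:
            return False               # "prevent installation of an all-zero TK"
        self.driver_tk = self.ptk_buf
        self.tk_installed = True
        self.tx_counter = 0            # installing a key resets the packet counter
        if not self.patched:
            self.ptk_buf = ZERO_TK     # wpa_supplicant 2.4+: TK wiped after install
        return True

    def next_nonce(self) -> int:
        self.tx_counter += 1
        return self.tx_counter


def replay_message3(patched: bool):
    """Deliver message 3 twice; return (installed TK, nonce before, nonce after)."""
    s = Supplicant(patched)
    s.on_message1(PMK, ANONCE, SNONCE)
    s.on_message3()
    first = s.next_nonce()     # first data frame after the handshake
    s.on_message3()            # retransmitted (or replayed) message 3
    return s.driver_tk, first, s.next_nonce()

if __name__ == "__main__":
    print(replay_message3(False))  # (b'\x00' * 16, 1, 1): all-zero TK, nonce reused
    print(replay_message3(True))   # (real TK, 1, 2): reinstall refused, nonce fresh
```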

SLIDE 25

Additionally:

  • WPA2 with CCMP and AES is still more secure than TKIP or WEP
  • TKIP is similar to the deprecated WEP standard and exists for backwards compatibility
  • Because WEP has been proven insecure, TKIP is also vulnerable

SLIDE 26

Future Work

  • Continue to add more nodes to the simulation
  • Implement the prevention methods
  • Improve the aforementioned prevention techniques

SLIDE 27

Questions?

SLIDE 28

Content

  • Introduction
  • Overview
  • Problem
  • Implementation
  • Discussion
  • References
