kracking wpa2 and mitigating
play

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm - PowerPoint PPT Presentation

Apr 14, 2023 •132 likes •646 views

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on Attacks (WAC), Santa Barbara, 18 August 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 2

  1. KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef — @vanhoefm CRYPTO Workshop on Attacks (WAC), Santa Barbara, 18 August 2018

  2. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 2

  3. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 3

  4. The 4-way handshake Used to connect to any protected Wi-Fi network › Provides mutual authentication › Negotiates fresh PTK: pairwise transient key Appeared to be secure: › No attacks in over a decade (apart from password guessing) › Proven that negotiated key (PTK) is secret › Encryption protocol also proven secure 4

  5. 4-way handshake (simplified) 5

  6. 4-way handshake (simplified) 6

  7. 4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 7

  8. 4-way handshake (simplified) Attack isn’t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 8

  9. 4-way handshake (simplified) 9

  10. 4-way handshake (simplified) 10

  11. 4-way handshake (simplified) PTK is installed 11

  12. 4-way handshake (simplified) 12

  13. Frame encryption (simplified) Nonce Plaintext data (packet number) Packet key PTK Mix (session key) Nonce  Nonce reuse implies keystream reuse (in all WPA2 ciphers) 13

  14. 4-way handshake (simplified) Installing PTK initializes nonce to zero 14

  15. Reinstallation Attack Channel 1 Channel 6 15

  16. Reinstallation Attack 16

  17. Reinstallation Attack 17

  18. Reinstallation Attack Block Msg4 18

  19. Reinstallation Attack 19

  20. Reinstallation Attack In practice Msg4 is sent encrypted 20

  21. Reinstallation Attack Key reinstallation! nonce is reset 21

  22. Reinstallation Attack Same nonce is used! 22

  23. Reinstallation Attack Keystream Decrypted! 23

  24. Key Reinstallation Attack Other Wi- Fi handshakes also vulnerable (CCS’17) › Group key, FT, and PeerKey handshake Lesser- known handshakes also vulnerable (CCS’18) › TDLS, FILS, and WNM handshake 24

  25. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 25

  26. General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 26

  27. Cipher suite specific AES-CCMP: No practical frame forging attacks WPA-TKIP: › Recover Message Integrity Check key from plaintext › Forge/inject frames sent by the device under attack GCMP (WiGig): › Recover GHASH authentication key from nonce reuse › Forge/inject frames in both directions 27

  28. Handshake specific Group key handshake: › Client is attacked (only AP sends real broadcast frames) › Can only replay broadcast frames to client 4-way handshake: client is attacked  replay/decrypt/forge FT handshake (fast roaming = 802.11r): › Access Point is attacked  replay/decrypt/forge › No MitM required, can keep causing nonce resets 28

  29. Implementation specific iOS 10 and Windows: 4-way handshake not affected › Cannot decrypt unicast traffic (nor replay/decrypt) › But group key handshake is affected (replay broadcast) › Note: iOS 11 does have vulnerable 4-way handshake wpa_supplicant 2.4+ › Client used on Linux and Android 6.0+ › On retransmitted msg3 will install all-zero key 29

  30. 30

  31. Android (victim) 31

  32. 32

  33. 33

  34. 34

  35. 35

  36. Now trivial to intercept and manipulate client traffic 36

  37. Is your device (still) affected? github.com/vanhoefm/krackattacks-scripts › Tests clients and APs › Works on Kali Linux Remember to: › Disable hardware encryption › Use a supported Wi-Fi dongle! 37

  38. Countermeasures M any clients won’t get updates… AP can prevent (most) attacks on clients! › Don’t retransmit message 3/4 › Don’t retransmit group message 1/2 However: › Impact on reliability unclear › Clients still vulnerable when connected to unmodified APs 38

  39. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 39

  40. Misconceptions I Updating only the client or AP is sufficient › Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim › Can use special antenna from afar No useful data is transmitted after handshake › Trigger new handshakes during TCP connection 40

  41. Misconceptions II Obtaining channel-based MitM is hard › Can use channel switch announcements Using (AES-)CCMP mitigates the attack › Still allows decryption & replay of frames Enterprise networks (802.1x) aren’t affected › Also use 4-way handshake & are affected Image from “ KRACK: Your Wi-Fi is no longer secure” by Kaspersky 41

  42. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 42

  43. Background: new attacks require MitM Traffic Analysis › Capture all encrypted frames › Block certain encrypted frames Attacking broadcast WPA-TKIP › Block MIC failures › Modify encrypted frames 43

  44. Background: new attacks require MitM Exploit implementation bugs › Block certain handshake messages › E.g. bugs in 4-way handshake Other attack scenarios › See WiSec’18 paper [VBDOP18] › E.g. modify advertised capabilities 44

  45. Observed threat model › Attacker manipulates channel and bandwidth › Exclude low-layer attacks (e.g. beamforming) › Exclude relay attacks (e.g. AP and client out of range) Want to make attacks harder, not impossible ≈ stack canaries. Solution: verify operating channel when connecting 45

  46. Verifying the current operating channel Simple, just verify channel number element? › Say hello to the 802.11 standard › HT element defines optional 40 MHz bandwidth › VHT element defines more bandwidths › And so on … › Non-trivial to unambiguously encode channel  We introduce the OCI element to encode a channel 46

  47. Problem: Channel Switch Announcements (CSAs) Unauthenticated CSAs › Need to verify securely Authenticated CSAs › May not arrive  verify reception Solution: verify CSA using SA query 47

  48. Limitations Other (partial) MitM attacks still possible: › Adversary can act as repeater › Physical-layer tricks (e.g. beamforming) So why use this defense? › Remaining attacks are harder & not always possible › Straightforward implementation 48

  49. Standardization & implementation Part of the upcoming 802.11 standard Implementation is being pushed upstream: github.com/vanhoefm/hostap-channel-validation 49

  50. Conclusion › Flaw is in WPA2 standard › Proven correct but is insecure! › Update all clients & check Aps › New defense: channel validation 50

  51. Thank you! Questions? krackattacks.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

679 views • 63 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

1.17k views • 68 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

845 views • 67 slides
KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in

726 views • 47 slides
1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino, Managing Director, Systems Engineering Dr. Kaustubh Phanse, Principal Wireless Architect Md. Sohail Ahmad, Senior Security Researcher Moderator: Della

314 views • 29 slides
Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat Europe, 7 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

857 views • 56 slides
Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer

Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer

Capturing WPA2 Enterprise credentials with a Pi Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer North Dakota State University Standard disclaimer What I say is my own opinion and not that of my

196 views • 18 slides
Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 Security of Wireless

Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 Security of Wireless

Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 Security of Wireless Protocols Contents WPA and WPA2? Common parts in WPA & WPA2 WPA Encryption and Decryption WPA2 Encryption and Decryption Attacks on WPA Attacks on

235 views • 21 slides
Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl

Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl

Mitigating Seabird Mitigating Seabird Interactions with Interactions with Trawl Nets Trawl Nets Clement & Associates Ltd FISHERIES ADVISORS & ANALYSTS Objectives Objectives Characterise the nature and extent of

730 views • 35 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the "Internet of Things" we must take a look at the

468 views • 29 slides
802.11 Security: WPA/WPA2 Cracking Constan'nos Kolias George Mason University kkolias@gmu.edu

802.11 Security: WPA/WPA2 Cracking Constan'nos Kolias George Mason University kkolias@gmu.edu

802.11 Security: WPA/WPA2 Cracking Constan'nos Kolias George Mason University kkolias@gmu.edu Wireless Communica>ons Transmission of data without the use of wires Few cm to several km Modula'on of radio waves modula'on is the

892 views • 31 slides
Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers Radboud University Nijmegen

Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers Radboud University Nijmegen

Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers Radboud University Nijmegen (The Netherlands) MSc Eduardo Novella MSc Carlo Meijer Dr. ir. Roel Verdult { ednolo@alumni.upv.es , carlo@youcontent.nl , rverdult@cs.ru.nl }

1.05k views • 57 slides
Eduroam in a box Eduroam in a box (take 3) (take 3) Rok Pape, ARNES, Barcelona, 06.09.2005

Eduroam in a box Eduroam in a box (take 3) (take 3) Rok Pape, ARNES, Barcelona, 06.09.2005

Eduroam in a box Eduroam in a box (take 3) (take 3) Rok Pape, ARNES, Barcelona, 06.09.2005 ARNES EduRoam 1/2 ARNES EduRoam 1/2 WPA/WPA2 Wireless network WPA Enterprise ( + WPA2 where available) Dynamic VLANs Support for

329 views • 17 slides
Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens, iMinds-DistriNet, KU Leuven USENIX Security 2016 Security of Wi-Fi group keys? Protect broadcast and multicast Wi-Fi frames: All clients share a

564 views • 29 slides
Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

991 views • 56 slides
d Consumers and Producers Surplus i E 2 Lectures a l l u d b Dr. Abdulla Eid A .

d Consumers and Producers Surplus i E 2 Lectures a l l u d b Dr. Abdulla Eid A .

Section 14.10 d Consumers and Producers Surplus i E 2 Lectures a l l u d b Dr. Abdulla Eid A . College of Science r D MATHS 104: Mathematics for Business II Dr. Abdulla Eid (University of Bahrain) Surplus 1 / 20

719 views • 20 slides
Tariff Metre Metre AED / Cubic Metre metre 10.55 metre kWh kWh kWh fils kWh fils

Tariff Metre Metre AED / Cubic Metre metre 10.55 metre kWh kWh kWh fils kWh fils

Water & Electricity Tariff of Expats Water & Electricity Tariff of Nationals Average Daily Average Daily Tariff Tariff Consumption Consumption AED/ Cubic Metre AED/ Cubic Metre Cubic Metre/Day Cubic Metre/Day 10.55 Average Daily

405 views • 3 slides
Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents

Types for complexity-checking Franc ois Pottier January 31, 2011 1 / 57 Contents Introduction Simple analysis Amortized analysis Amortized analysis in a lazy setting Conclusion Bibliography 2 / 57 The traditional use of types

590 views • 57 slides
0117401: Operating System Chapter 9: Virtual Memory()

0117401: Operating System Chapter 9: Virtual Memory()

0117401: Operating System Chapter 9: Virtual Memory() xlanchen@ustc.edu.cn http://staff.ustc.edu.cn/~xlanchen Computer Application Laboratory, CS, USTC @ Hefei Embedded System Laboratory, CS, USTC @

1.15k views • 111 slides
Frequency and ridge estimation using structure tensor Anna Mikaelyan and Josef Bigun October 15,

Frequency and ridge estimation using structure tensor Anna Mikaelyan and Josef Bigun October 15,

Frequency and ridge estimation using structure tensor Anna Mikaelyan and Josef Bigun October 15, 2013 Estimation of image orientation In some image processing scenarios it is necessary to use orientation image: motion estimation noise

537 views • 40 slides
EI331 Signals and Systems Lecture 9 Bo Jiang John Hopcroft Center for Computer Science Shanghai

EI331 Signals and Systems Lecture 9 Bo Jiang John Hopcroft Center for Computer Science Shanghai

EI331 Signals and Systems Lecture 9 Bo Jiang John Hopcroft Center for Computer Science Shanghai Jiao Tong University March 26, 2019 Contents 1. Eigenvalues and Eigenfunctions 2. CT Fourier Series 3. Properties of CT Fourier Series 1/31

943 views • 47 slides
workin progress The M in CoPaR From Partition Refjnement to Minimization Hans-Peter Deifel

workin progress The M in CoPaR From Partition Refjnement to Minimization Hans-Peter Deifel

workin progress The M in CoPaR From Partition Refjnement to Minimization Hans-Peter Deifel Oberseminar 09.06.2020 1 / 26 The M in CoPaR From Partition Refjnement to Minimization Hans-Peter Deifel Oberseminar 09.06.2020 1 / 26 workin

499 views • 49 slides
Language and Literacy Experiences Webinar August 20, 2014 2:00 pm 3:30 pm Welcome and

Language and Literacy Experiences Webinar August 20, 2014 2:00 pm 3:30 pm Welcome and

Language and Literacy Experiences Webinar August 20, 2014 2:00 pm 3:30 pm Welcome and Introduction Logistics Questions? Comments? USE THE CHAT BOX Press *6 to mute or unmute your phone SCRIPT-NC Supporting Change and Reform in

625 views • 48 slides

More recommend