kracking wpa2 by forcing
play

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm - PowerPoint PPT Presentation

Apr 15, 2023 •475 likes •1.17k views

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

  1. KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef — @vanhoefm Nullcon, 2 March 2018

  2. Introduction PhD Defense, July 2016: “You recommend WPA2 with AES, but are you sure that’s secure?” Seems so! No attacks in 14 years & proven secure. 2

  4. Introduction Key reinstallation when ic_set_key is called again? 4

  5. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 5

  6. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 6

  7. The 4-way handshake Used to connect to any protected Wi-Fi network › Provides mutual authentication › Negotiates fresh PTK: pairwise transient key Appeared to be secure: › No attacks in over a decade (apart from password guessing) › Proven that negotiated key (PTK) is secret 1 › And encryption protocol proven secure 7 7

  8. 4-way handshake (simplified) 8

  9. 4-way handshake (simplified) 9

  10. 4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 10

  11. 4-way handshake (simplified) Attack isn’t about ANonce or SNonce reuse PTK = Combine(shared secret, ANonce, SNonce) 11

  12. 4-way handshake (simplified) 12

  13. 4-way handshake (simplified) 13

  14. 4-way handshake (simplified) 14

  15. 4-way handshake (simplified) PTK is installed 15

  16. 4-way handshake (simplified) 16

  17. Frame encryption (simplified) Nonce Plaintext data (packet number) Packet key PTK Mix (session key) Nonce  Nonce reuse implies keystream reuse (in all WPA2 ciphers) 17

  18. 4-way handshake (simplified) Installing PTK initializes nonce to zero 18

  19. Reinstallation Attack Channel 1 Channel 6 19

  20. Reinstallation Attack 20

  21. Reinstallation Attack 21

  22. Reinstallation Attack Block Msg4 22

  23. Reinstallation Attack 23

  24. Reinstallation Attack 24

  25. Reinstallation Attack In practice Msg4 is sent encrypted 25

  26. Reinstallation Attack Key reinstallation! nonce is reset 26

  27. Reinstallation Attack 27

  28. Reinstallation Attack Same nonce is used! 28

  29. Reinstallation Attack Keystream Decrypted! 29

  30. Key Reinstallation Attack Other Wi-Fi handshakes also vulnerable: › Group key handshake › FT handshake › TDLS PeerKey handshake For details see our CCS’17 paper 12 : › “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” 30

  31. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 31

  32. General impact Transmit nonce reset Decrypt frames sent by victim Receive replay counter reset Replay frames towards victim 32

  33. Cipher suite specific AES-CCMP: No practical frame forging attacks WPA-TKIP: › Recover Message Integrity Check key from plaintext 4,5 › Forge/inject frames sent by the device under attack GCMP (WiGig): › Recover GHASH authentication key from nonce reuse 6 › Forge/inject frames in both directions 33

  34. Handshake specific Group key handshake: › Client is attacked, but only AP sends real broadcast frames Unicast 34

  35. Handshake specific Group key handshake: › Client is attacked, but only AP sends real broadcast frames › Can only replay broadcast frames to client 4-way handshake: client is attacked  replay/decrypt/forge FT handshake (fast roaming = 802.11r): › Access Point is attacked  replay/decrypt/forge › No MitM required, can keep causing nonce resets 35

  36. FT Handshake 36

  37. FT Handshake 37

  38. FT Handshake 38

  39. FT Handshake 39

  40. FT Handshake 40

  41. FT Handshake 41

  42. FT Handshake 42

  43. FT Handshake 43

  44. FT Handshake Nonce reuse! Use to decrypt frames 44

  45. Implementation specific iOS 10 and Windows: 4-way handshake not affected › Cannot decrypt unicast traffic (nor replay/decrypt) › But group key handshake is affected (replay broadcast) › Note: iOS 11 does have vulnerable 4-way handshake 8 wpa_supplicant 2.4+ › Client used on Linux and Android 6.0+ › On retransmitted msg3 will install all-zero key 45

  46. 46

  47. Android (victim) 47

  48. 48

  49. 49

  50. 50

  51. 51

  52. 52

  53. Now trivial to intercept and manipulate client traffic 53

  54. Is your devices affected? github.com/vanhoefm/krackattacks-scripts › Tests clients and APs › Works on Kali Linux Remember to: › Disable hardware encryption › Use a supported Wi-Fi dongle! 54

  55. Countermeasures M any clients won’t get updates… AP can prevent (most) attacks on clients! › Don’t retransmit message 3/4 › Don’t retransmit group message 1/2 However: › Impact on reliability unclear › Clients still vulnerable when connected to unmodified APs 55

  56. Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 56

  57. Misconceptions I Updating only the client or AP is sufficient › Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim › Can use special antenna from afar Must be connected to network as attacker (i.e. have password) › Only need to be nearby victim and network 57

  58. Misconceptions II No useful data is transmitted after handshake › Trigger new handshakes during TCP connection Obtaining channel-based MitM is hard › Nope, can use channel switch announcements Attack complexity is hard › Script only needs to be written once … › … and some are (privately) doing this! 58

  59. Misconceptions III Using (AES-)CCMP mitigates the attack › Still allows decryption & replay of frames Enterprise networks (802.1x) aren’t affected › Also use 4-way handshake & are affected It’s the end of the world! › Let’s not get carried away  Image from “ KRACK: Your Wi-Fi is no longer secure” by Kaspersky 59

  60. Overview Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact 60

  61. Limitations of formal proofs › 4-way handshake proven secure › Encryption protocol proven secure The combination was not proven secure! 61

  62. Keep protocols simple The wpa_supplicant 2.6 case: › Complex state machine & turned out to still be vulnerable › Need formal verification of implementations “ Re-keying introduces unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return.” 9 62

  63. Disclosure coordination: preparation Flawed standard! How to disclose? Is it truly a widespread issue? › Contacted vendors we didn’t test ourselves › They’re vulnerable + feedback on report Determining who to inform? › Notifying more vendors  higher chance of leaks › We relied on CERT/CC to contact vendors 63

  64. Disclosure coordination: planning Duration of embargo: › Long: risk of details leaking › Short: not enough time to patch › Avoid uncertainty: set clear deadline Open source patches? › Developed and tested in private › Shared 1 week in advance over private mailing lists 64

  65. Multi-party vulnerability coordination For more advice see: Guidelines and Practices for Multi-Party Vulnerability Coordination (Draft) 11 Remember: › Goal is to protect users › There are various opinions 65

  66. Conclusion › Flaw is in WPA2 standard › Proven correct but is insecure! › Attack has practical impact › Update all clients & check APs 66

  67. Thank you! Questions? krackattacks.com

  68. References 1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005. 2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008. 3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/ 4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009. 5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013. 6. A. Joux. Authentication failures in NIST version of GCM. 2016. 7. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002. 8. Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en- us/HT208222 9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf 10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from https://www.ietf.org/proceedings/76/slides/tls-7.pdf 11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014. 12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017. 68

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

679 views • 63 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

845 views • 67 slides
KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on Attacks (WAC), Santa Barbara, 18 August 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 2

646 views • 51 slides
KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat

KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in

726 views • 47 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino, Managing Director, Systems Engineering Dr. Kaustubh Phanse, Principal Wireless Architect Md. Sohail Ahmad, Senior Security Researcher Moderator: Della

314 views • 29 slides
Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat Europe, 7 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

857 views • 56 slides
Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer

Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer

Capturing WPA2 Enterprise credentials with a Pi Capturing WPA2 Enterprise credentials with a Pi Richard Frovarp Principal Software Engineer North Dakota State University Standard disclaimer What I say is my own opinion and not that of my

196 views • 18 slides
Coherent adequate forcing and preserving CH Miguel Angel Mota Joint work with John Krueger

Coherent adequate forcing and preserving CH Miguel Angel Mota Joint work with John Krueger

Coherent adequate forcing and preserving CH Miguel Angel Mota Joint work with John Krueger Forcing and its applications retrospective workshop Introduction The method of side conditions, invented by Todorcevic, describes a style of forcing in

710 views • 54 slides
Forcing axioms in P max extensions Paul Larson Department of Mathematics Miami University

Forcing axioms in P max extensions Paul Larson Department of Mathematics Miami University

Forcing axioms in P max extensions Paul Larson Department of Mathematics Miami University Oxford, Ohio 45056 larsonpb@miamioh.edu March 12, 2014 Forcing axioms in P max extensions P.B. Larson Forcing axioms Large cardinals Martins

820 views • 39 slides
Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 Security of Wireless

Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 Security of Wireless

Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 Security of Wireless Protocols Contents WPA and WPA2? Common parts in WPA & WPA2 WPA Encryption and Decryption WPA2 Encryption and Decryption Attacks on WPA Attacks on

235 views • 21 slides
Empirical Estimates of CCN: Observations from the field Anne Jefferson Cooperative Institute for

Empirical Estimates of CCN: Observations from the field Anne Jefferson Cooperative Institute for

Empirical Estimates of CCN: Observations from the field Anne Jefferson Cooperative Institute for Environmental Research The aerosol influence on cloud radiative forcing (indirect forcing) is the largest uncertainty in current climate forcing

419 views • 11 slides
1 2 3 AB 982 (Bloom and Chiu) Forcing Landlords to Stay in Business for One Year The Ellis

1 2 3 AB 982 (Bloom and Chiu) Forcing Landlords to Stay in Business for One Year The Ellis

1 2 3 AB 982 (Bloom and Chiu) Forcing Landlords to Stay in Business for One Year The Ellis Act prohibits any public entity from forcing owners of residential rental property to continue to offer their property for rent or lease. AB 982

775 views • 28 slides
Computational interpretation of classical forcing Lionel R ieg Collge de France July 22 nd ,

Computational interpretation of classical forcing Lionel R ieg Collge de France July 22 nd ,

Formal proof system: PA + Forcing in PA + An example of computation by forcing Computational interpretation of classical forcing Lionel R ieg Collge de France July 22 nd , 2016 July 22 nd , 2016 Lionel R ieg (Collge de France)

868 views • 69 slides
WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the "Internet of Things" we must take a look at the

468 views • 29 slides
Meta-Programming in KDE The technology behind KConfig XT and friends Cornelius Schumacher The

Meta-Programming in KDE The technology behind KConfig XT and friends Cornelius Schumacher The

Meta-Programming in KDE The technology behind KConfig XT and friends Cornelius Schumacher The KDE Project KDE Developer Conference 2004 p.1 Overview What is Meta-Programmig? Flavors of Meta-Programming Code Generators in KDE libkabc

514 views • 34 slides
A Virtualization-Based Retrieval and Update API for XML-Encoded Corpora Cyril Briquet (1) (2),

A Virtualization-Based Retrieval and Update API for XML-Encoded Corpora Cyril Briquet (1) (2),

A Virtualization-Based Retrieval and Update API for XML-Encoded Corpora Cyril Briquet (1) (2), Pascale Renders (2) (3), Etienne Petitjean (2) (1) McMaster U, ON, Canada (2) CNRS, Nancy, France (3) U of Lige, Belgium Take-home message

792 views • 26 slides
Lectures 3/ 4: Requirements Analysis Statements about requirements: Brooks Source*: Brooks 87

Lectures 3/ 4: Requirements Analysis Statements about requirements: Brooks Source*: Brooks 87

Chair of Softw are Engineering Software engineering for outsourced and offshore development Peter Kolb, Bertrand Meyer Fall semester 2007 Lectures 3/ 4: Requirements Analysis Statements about requirements: Brooks Source*: Brooks 87 The

1.23k views • 111 slides
Overview of Geant4 Examples Fermilab Geant4 Tutorial 27-29 October 2003 Dennis Wright (SLAC) 1

Overview of Geant4 Examples Fermilab Geant4 Tutorial 27-29 October 2003 Dennis Wright (SLAC) 1

Overview of Geant4 Examples Fermilab Geant4 Tutorial 27-29 October 2003 Dennis Wright (SLAC) 1 Types of Examples Novice Simple: trivial detector with non-interacting particles Detailed: complex detector with full physics

628 views • 14 slides
Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato

Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato

Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ 2 nd International Workshop on Foundations for

891 views • 45 slides
T1 T in: (T1,1); (T2,3) wit: sig 1 ; sig 2 out: 1 BTC: fun(x) . e1 2 BTC: fun(y) . e2

T1 T in: (T1,1); (T2,3) wit: sig 1 ; sig 2 out: 1 BTC: fun(x) . e1 2 BTC: fun(y) . e2

T1 T in: (T1,1); (T2,3) wit: sig 1 ; sig 2 out: 1 BTC: fun(x) . e1 2 BTC: fun(y) . e2 absLock: after 2018.12.17 T2 relLock: 2 days after T1 Block n-2 Block n-1 Block n Transactions: T1 Transactions: Transactions: T2

764 views • 47 slides
ZKPs as a Solution 2nd ZKProof Workshop, 2019 Andrew Poelstra Director of Research, Blockstream

ZKPs as a Solution 2nd ZKProof Workshop, 2019 Andrew Poelstra Director of Research, Blockstream

Fragile Nonce Selection and ZKPs as a Solution 2nd ZKProof Workshop, 2019 Andrew Poelstra Director of Research, Blockstream 1 / 11 Schnorr Signatures P = xG k $ R = kG e = H ( P , R , m ) s = k + ex In practice $ is by far the most

378 views • 11 slides
Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke

Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke

Tokyo Institute of Technology Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke Nagayama, Ryohei Banno, Kazuyuki Shudo Tokyo Tech Blockchain A distributed ledger on P2P network A node generates a

439 views • 19 slides

More recommend