Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys

Mathy Vanhoef and Frank Piessens, iMinds-DistriNet, KU Leuven. USENIX Security 2016.


SLIDE 1

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys

Mathy Vanhoef and Frank Piessens, iMinds-DistriNet, KU Leuven

USENIX Security 2016

SLIDE 2

Security of Wi-Fi group keys?

Protect broadcast and multicast Wi-Fi frames:

  • All clients share a copy of the group key

Security of group keys not yet properly investigated!

  • In contrast with preshared & pairwise keys …

Analyze security of group key during its full lifetime!

SLIDE 3

Contributions: Security of Group Keys

  • Flawed generation
  • Force RC4 in handshake
  • New Wi-Fi tailored RNG
  • Inject & decrypt all traffic

SLIDE 5

How are group keys generated?

Group key hierarchy:

  • AP generates public counter and secret master key
  • Derive group temporal keys (GTKs)

Entropy only introduced at boot

  • If master key is leaked, all group keys become known

[Diagram: Public counter (+1) and private master key → PRF-X → Group Temporal Key (GTK). Annotation: Sampled only at boot!]
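
The hierarchy on this slide, written out as an added example (not code from the talk): the 802.11 PRF-X construction over HMAC-SHA1 and the GTK derivation from the group master key (GMK), the AP's MAC address and the public counter. The GMK, MAC address and counter values are constructed, and the big-endian encoding of the counter is an assumption.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11 PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        block = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, block, hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def derive_gtk(gmk: bytes, ap_mac: bytes, counter: int, nbits: int = 128) -> bytes:
    """GTK = PRF-X(GMK, "Group key expansion", AP MAC || GNonce)."""
    gnonce = counter.to_bytes(32, "big")  # assumption: big-endian counter encoding
    return prf(gmk, b"Group key expansion", ap_mac + gnonce, nbits)

def gtk_schedule(gmk: bytes, ap_mac: bytes, start_counter: int, n: int) -> list:
    """The next n GTKs. Nothing but the +1 counter changes between rekeys,
    so the whole schedule is fixed by the GMK chosen at boot."""
    return [derive_gtk(gmk, ap_mac, start_counter + k) for k in range(n)]

# Constructed sample values, not taken from any real device.
GMK = bytes.fromhex("00" * 31 + "2a")
AP_MAC = bytes.fromhex("020000000001")
START = 1000

if __name__ == "__main__":
    for k, gtk in enumerate(gtk_schedule(GMK, AP_MAC, START, 3)):
        print(f"counter={START + k} GTK={gtk.hex()}")
```

No fresh randomness enters after boot: every rekey output is a deterministic function of the GMK and public values, which is why the quality of the RNG that produced the GMK decides the security of all later group keys.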

SLIDE 6

How are random numbers generated?

802.11 standard has example Random Number Generator

  • §11.1.6a: “… can generate cryptographic-quality randomness”
  • Annex M.5: “This solution is expository only”

Inconsistent description of RNG’s security guarantees!

  • How secure is the design of the 802.11 RNG?
  • How many platforms implement this RNG?

SLIDE 7

802.11 RNG: Main Design

The 802.11 RNG is a stateless function returning 32 bytes

  • Collects entropy on-demand
  • Entropy extracted from frame arrival times and clock jitter

Deviates from traditional RNG design:

  • No entropy pools being maintained
  • Entropy only extracted from events when the RNG is being invoked

SLIDE 8

802.11 RNG: Entropy sources

Frame arrival times:

  • Collected by repeatedly starting & aborting 4-way handshake
  • Problem: AP is blacklisted after several handshake failures

Clock jitter and drift:

  • Note: Router’s current time is leaked in beacons
  • Problem: No minimum time resolution → small clock jitter

SLIDE 9

Surely no one implemented this…?

[Figure labels: Weakened 802.11 RNG; Depends on OS]

SLIDE 11

MediaTek RNG: Linux-based APs

Uses custom Linux drivers:

  • Implements 802.11’s RNG using only clock jitter
  • Uses jiffies for current time: at best millisecond accuracy

[Figure labels: OpenCL; ~3 mins; GMK & GTK; RT-AC51U]

SLIDE 12

Contributions: Security of Group Keys

  • Flawed generation
  • Force RC4 in handshake
  • New Wi-Fi tailored RNG
  • Inject & decrypt all traffic

SLIDE 15

Simplified 4-way handshake

Group key encrypted and transmitted … before downgrade attack detection!

  Pairwise Cipher    GTK encryption
  WPA-TKIP           RC4
  AES-CCMP           AES Key Wrap

SLIDE 16

Downgrade attack

  • 1. Rogue AP: Only advertise WPA-TKIP
  • 2. Client picks WPA-TKIP
  • 3. Encrypted with RC4!
  • 4. Rogue AP detected

SLIDE 17

Attacking RC4 encryption of GTK

  • RC4 Key: 16-byte IV || 16-byte secret key
  • First 256 keystream bytes are dropped

Recover repeated encryptions of GTK:

  • Requires ~2^31 handshakes: takes >50 years

Countermeasures:

  • Disable WPA-TKIP & RC4
  • Send GTK after handshake

SLIDE 18

Contributions: Security of Group Keys

  • Flawed generation
  • Force RC4 in handshake
  • New Wi-Fi tailored RNG
  • Inject & decrypt all traffic

SLIDE 19

Abusing the group key: Hole 196?

  • Inject unicast IP packet in broadcast Wi-Fi frame
  • Detected by “Hole 196” check

Hole 196 check done at network-layer … but an AP works at link-layer!

[Diagram: Victim, Attacker (has GTK), AP]

SLIDE 20

Forging unicast frames using group key

Abuse AP to bypass Hole 196 check:

[Diagram: Victim, Attacker, AP. Frame: Sender | Destination | Data]

SLIDE 21

Forging unicast frames using group key

Abuse AP to bypass Hole 196 check:

  • 1. Inject as group frame to AP

[Diagram: Victim, Attacker, AP. Frame: Flags = To AP | Receiver = FF:⋯:FF | Sender | Destination | Data. Labels: 802.11 specific; Encrypted using group key]

SLIDE 22

Forging unicast frames using group key

Abuse AP to bypass Hole 196 check:

  • 1. Inject as group frame to AP
  • 2. AP processes and routes frame

[Diagram: AP, Victim, Attacker. Frame: Flags = To AP | Receiver = FF:⋯:FF | Sender | Destination | Data. Labels: Decrypted using group key; 802.11 specific]

SLIDE 23

Forging unicast frames using group key

Abuse AP to bypass Hole 196 check:

  • 1. Inject as group frame to AP
  • 2. AP processes and routes frame
  • 3. AP transmits it to destination

[Diagram: Victim, Attacker, AP. Frame: Flags = To STA | Receiver = Destination | Sender | Destination | Data. Labels: Encrypted using pairwise key; 802.11 specific]

SLIDE 24

Forging unicast frames using group key

Abuse AP to bypass Hole 196 check:

  • 1. Inject as group frame to AP
  • 2. AP processes and routes frame
  • 3. AP transmits it to destination
  • 4. Victim sees normal unicast frame

[Diagram: Victim, Attacker, AP. Frame: Flags = To STA | Receiver = Destination | Sender | Destination | Data. Labels: Decrypted using pairwise key; 802.11 specific]

SLIDE 25

Forging unicast frames using group key

Abuse AP to bypass Hole 196 check:

  • 1. Inject as group frame to AP
  • 2. AP processes and routes frame
  • 3. AP transmits it to destination
  • 4. Victim sees normal unicast frame

[Diagram: Victim, Attacker, AP. Frame: Flags = To STA | Receiver = Destination | Sender | Destination | Payload. Labels: Decrypted using pairwise key; 802.11 specific]

SLIDE 26

Decrypting all traffic

ARP poison to broadcast MAC address

  • Poison both router and clients
  • Targets network-layer protocols: IPv4, IPv6, …

Countermeasure:

  • AP should ignore frames received on broadcast or multicast MAC address.
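
The countermeasure above, written as a receive-path check (an added example, not code from the talk or from any AP firmware). It assumes a 3-address data frame with the standard 24-byte 802.11 MAC header; the MAC addresses and frames are constructed.

```python
TO_DS = 0x01     # Frame Control flags bit: frame is sent towards the AP
TYPE_DATA = 2    # Frame Control type value for data frames

def parse_header(frame: bytes) -> dict:
    """Parse the fixed 24-byte MAC header of a 3-address 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    return {
        "type": (frame[0] >> 2) & 0x3,
        "to_ds": bool(frame[1] & TO_DS),
        "receiver": frame[4:10],       # Address 1
        "sender": frame[10:16],        # Address 2
        "destination": frame[16:22],   # Address 3 when To DS is set
    }

def is_group_addressed(mac: bytes) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of octet 0) set."""
    return bool(mac[0] & 0x01)

def ap_should_drop(frame: bytes) -> bool:
    """True if the AP must ignore the frame: a data frame sent to the AP
    whose receiver address is broadcast/multicast, or an unparsable frame."""
    try:
        h = parse_header(frame)
    except ValueError:
        return True
    return h["type"] == TYPE_DATA and h["to_ds"] and is_group_addressed(h["receiver"])

def build(receiver: bytes, sender: bytes, destination: bytes, flags: int) -> bytes:
    """Constructed test frame: data frame header plus a dummy body."""
    return bytes([0x08, flags, 0, 0]) + receiver + sender + destination + b"\x00\x00body"

# Constructed addresses (locally administered), not from any real network.
BSSID = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
VICTIM = bytes.fromhex("020000000003")
BCAST = b"\xff" * 6

FORGED = build(BCAST, CLIENT, VICTIM, TO_DS)            # group frame sent to the AP
NORMAL_UNICAST = build(BSSID, CLIENT, VICTIM, TO_DS)    # ordinary client traffic
CLIENT_BROADCAST = build(BSSID, CLIENT, BCAST, TO_DS)   # e.g. a client's ARP request
```

A legitimate client broadcast is still addressed to the AP's own MAC in Address 1 and carries the broadcast address only as its destination, so the check drops the forged frame without breaking normal broadcast traffic.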

SLIDE 27

Contributions: Security of Group Keys

  • Flawed generation
  • Force RC4 in handshake
  • New Wi-Fi tailored RNG
  • Inject & decrypt all traffic

SLIDE 28

An improved 802.11 RNG

Entropy present on all Wi-Fi chips?

  • Wi-Fi signals & background noise

Spectral scan feature in commodity chips:

  • Can generate 3 million samples / second
  • First XOR samples in firmware
  • Extract & manage resulting entropy using known approaches

Additional research needed: performance under jamming?

SLIDE 29

Conclusion: lessons learned

  1. Use a proper RNG
  2. Let AP ignore group-addressed frames
  3. Don’t put “expository” security algos in a specification
  4. Don’t transmit sensitive data before downgrade detection

Questions?