Security of Wireless Protocols Mati Vait December 15, 2010 1 / 21 - - PowerPoint PPT Presentation

Security of Wireless Protocols

Mati Vait December 15, 2010

1 / 21

Security of Wireless Protocols

Contents WPA and WPA2? Common parts in WPA & WPA2 WPA Encryption and Decryption WPA2 Encryption and Decryption Attacks on WPA Attacks on WPA and WPA2 Conclusion

2 / 21

WPA and WPA2

What is WPA?

◮ RC4, Michael MIC

What is WPA2?

◮ CCMP

3 / 21

Common parts in WPA & WPA2

◮ association ◮ authentication ◮ 4-Way Handshake ◮ Group-Key Handshake

4 / 21

WPA Encryption

5 / 21

WPA Decryption

6 / 21

WPA2 Encryption

7 / 21

WPA2 Decryption

8 / 21

Attacks on WPA

◮ Beck-Tews Attack ◮ Enhanced Message Falsification Attack ◮ TKIP Michael Reset Attack

9 / 21

Beck-Tews Attack

Retrieve RC4 keystream from short encrypted packet, which is used to encrypt custom packet and falsify the original captured packet. Attack is possible since QoS provides multiple channels and each channel has its own TCV which is incremented independently.

10 / 21

Beck-Tews Attack

• 1. capture short packet with known plaintext e.g. ARP packet
• 2. extract parts of keystream using known plaintext
• 3. use Chopchop-like technique to extract last unknown 12

bytes(MIC, ICV) of ciphertext (12-15 minutes)

◮ if ICV is incorrect, then packet is silently discarded ◮ if MIC is incorrect then MIC failure report frame is sent

(attacker has to wait 60s before sending another guess)

• 4. reverse MIC from decrypted packet to get the MIC key
• 5. assemble the new packet

◮ calculate new MIC’ over new plaintext P ◮ calculate new ICV’ over P||MIC’ ◮ encrypt new packet with old IV and keystream ◮ send the new packet on another channel that has lower TSC

If IV ≤ TSC holds, MIC’ and ICV’ are correct, then the original packet is falsified.

11 / 21

Enhanced Message Falsification Attack

Toshihiro Ohigashi and Masakatu Morii suggested not to use different channels provided by QoS but to launch a MITM attack instead in a following way:

◮ attacker acts as repeater between access point and client ◮ attacker forwards messages selectively, during the guessing

phase everything is blocked (TSC!)

12 / 21

TKIP Michael Reset Attack

◮ IEEE 802.11 allows to send packets in up to 16 fragments ◮ two different ways to get IV/keystream pairs needed to encrypt

new packet (known plaintext from APR/IP packets or using another malicious party connected to the external network)

◮ find MIC magic words! ◮ build the new packet(old headers, new content, magic words, old

packet, old MIC)

◮ requires QoS

13 / 21

Attacks on WPA and WPA2

◮ Dictionary Attack on Weak PSKs ◮ 4-Way Handshake DoS Attack ◮ Hole-196 Vulnerability

14 / 21

Dictionary Attack on Weak PSKs

Used Pre-shared keys are not strong enough and can be bruteforced using dictionary or rainbow tables

15 / 21

4-Way Handshake DoS Attack

◮ AP sends ANonce to STA, based on which STA calculates PTK ◮ Adversary X sends another ANonce’ ,packaged as message #1 ,to

STA and STA calculates PTK’

◮ STA drops every packet from AP and 4-way handshake is blocked

16 / 21

Hole-196 Vulnerability

Page 196 of IEEE 802.11-2007 standard. There it is stated that ”Group keys do not provide per packet authentication ...”. So what?

◮ Group Keys protect multicast and broadcast communication ◮ all of the connected clients share the same Group Key ◮ nothing in the standard forbids some connected client to send

multicast or broadcast messages pretending to be the AP

◮ possible attacks: ARP poisoning, DoS, MITM

17 / 21

Conclusion

◮ use WPA2 ◮ on WPA disable QoS ◮ on WPA use short rekeying intervals e.g. 120s

18 / 21

Questions?

19 / 21

Thank you!

20 / 21

21 / 21