WiFi security - Joeri de Ruiter



SLIDE 1

Advanced Network Security

WiFi security

Joeri de Ruiter

SLIDE 2

Agenda

  • WiFi security
  • WPA(2)
    • Personal
    • Enterprise
  • WPA3
  • Key reinstallation attacks
SLIDE 3

WiFi

  • IEEE 802.11 standard
  • Some terminology:
    • Station (STA) is a device with WiFi capability
    • Access Point (AP) is a station that other stations can connect to to get access to a network, also referred to as authenticator
    • Supplicant, used to indicate the client when authenticating
    • SSID (Service Set Identifier) is the name of the network
    • MIC: Message Integrity Check
      • Prevents confusion with MAC (Media Access Control) addresses

SLIDE 4

WiFi security

  • Open networks
  • Wireless Equivalent Privacy (WEP)
  • WiFi Protected Access (WPA)
    • Personal
    • Enterprise
  • Hidden networks and MAC address whitelists
    • Does not provide real security
SLIDE 5

WiFi security

SLIDE 6

Open network security

  • No encryption on the traffic
    • Also used for public hotspots with captive portal
    • Possible for an attacker to eavesdrop on all network traffic
  • Typically anyone can connect to the network
    • Possible to filter based on MAC address, but can easily be spoofed
  • Evil twin attacks: a malicious access point pretends to be a preferred network of the user
    • User will connect to the attacker's network, putting the attacker in a man-in-the-middle position
  • KARMA: special case of the evil twin attack
    • Observe probe requests by clients and pretend to be that network
SLIDE 7

WEP security

  • Cryptographic algorithm based on RC4 used to protect data traffic
  • Broken for a long time
  • Easy to crack and about as good as an open network
  • Stop using it!
SLIDE 8

WPA(2) security

  • Data confidentiality algorithms
    • Temporary Key Integrity Protocol (TKIP)
      • Uses same hardware as WEP
      • Also included in WPA2 for backwards compatibility
    • Counter Mode with CBC-MAC Protocol (CCMP)
      • Based on AES
  • Authentication methods
    • Pre-shared key (PSK)
    • IEEE 802.1x authentication
      • Uses Extensible Authentication Protocol (EAP)

|                 | Encryption | Authentication |
|-----------------|------------|----------------|
| WPA Personal    | TKIP       | PSK            |
| WPA Enterprise  | TKIP       | 802.1x         |
| WPA2 Personal   | CCMP       | PSK            |
| WPA2 Enterprise | CCMP       | 802.1x         |

SLIDE 9

TKIP security

  • Deprecated in the IEEE 802.11 standard
  • Based on the RC4 stream cipher
    • Known to have biases that can be exploited to break it
  • Possible to inject and decrypt packets¹
    • Only takes about an hour to perform the attack
    • Relies on the generation of identical packets

¹ All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS, by Mathy Vanhoef and Frank Piessens, Usenix Security 2015

SLIDE 10

Key hierarchy

  • Pairwise master key (PMK): secret key shared between the client and access point
  • Pairwise transient key (PTK): a concatenation of the following session keys
    • Key Confirmation Key (KCK): used for message authentication in 4-way handshake
    • Key Encryption Key (KEK): used for encryption of keys
    • Temporal Key (TK): key used for confidentiality and integrity of the data
  • Group master key (GMK): optional key used to derive GTK
  • Group temporal key (GTK): key shared between all connected clients and the access point
    • Used for broadcast and multicast traffic

SLIDE 11

WiFi connection phases

  • Discovery
    • Find nearby networks
    • Networks announce capabilities
  • Authentication
    • Typically “Open”
  • (Re)Association
    • Agreement on security algorithms
  • Optional: 802.1x authentication
  • Optional: 4-way handshake
  • Data exchange

Message sequence:

  • Probe request
  • Probe response (security parameters)
  • Authentication request
  • Authentication response
  • Association request (security parameters)
  • Association response
  • 802.1x authentication
  • 4-way handshake
  • Data

SLIDE 12

4-way handshake

  • Based on a shared secret PMK
    • Can be the pre-shared key or the output of the 802.1x authentication
  • Mutual authentication of user and access point
    • Verify whether both know PMK
  • Also used for negotiation of fresh keys
    • Negotiation of Pairwise Transient Key (PTK)
  • If a MIC (Message Integrity Code) is included, it is computed using the Key Confirmation Key (KCK)
  • If a key is included, it is encrypted using the Key Encryption Key (KEK)
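SLIDE 13

4-way handshake (simplified)

Between Supplicant and Authenticator:

  • Authenticator → Supplicant: ANonce
    • Supplicant: Derive PTK
  • Supplicant → Authenticator: SNonce, MIC
    • Authenticator: Derive PTK
  • Authenticator → Supplicant: ANonce, MIC, Enc_KEK(GTK)
  • Supplicant → Authenticator: MIC
    • Supplicant: Install PTK and GTK
    • Authenticator: Install PTK
  • Encrypted data frames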

SLIDE 14

Key derivation

PMK + (ANonce, MAC address A, SNonce, MAC address S) → PRF → PTK → KCK, KEK, TK

  • PRF (pseudo-random function) is typically a SHA-based HMAC
  • PTK is split into the KCK, the KEK and the TK
SLIDE 15

WPA(2) Personal

  • Uses pre-shared key (PSK) for authentication
    • Can be derived from an ASCII password using a key derivation function (KDF): PSK = KDF(password, SSID)
  • “Open” method used in the authentication phase
    • Actual authentication takes place in the 4-way handshake
  • PSK used directly as PMK in the 4-way handshake
SLIDE 16

WPA(2) Personal – Key derivation

  • Key derivation for authentication based on password: (Password, SSID) → KDF → PSK / PMK
  • 4-way handshake: PSK / PMK + (ANonce, MAC address A, SNonce, MAC address S) → PRF → PTK → KCK, KEK, TK
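
The derivation chain from the two slides above, as an added example that is not part of the original slides. It assumes WPA2 with CCMP, where IEEE 802.11 specifies PBKDF2-HMAC-SHA1 (4096 iterations) as the KDF and an HMAC-SHA1 based PRF; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def derive_psk(password: str, ssid: str) -> bytes:
    """PSK = KDF(password, SSID). The SSID acts as the salt, so a
    precomputed table only helps against networks with that exact SSID."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter,
    repeated with an increasing counter until enough bytes are produced."""
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def derive_ptk(pmk, mac_a, mac_s, anonce, snonce) -> dict:
    """PTK = PRF(PMK, MAC addresses, nonces), split into KCK | KEK | TK."""
    # Sorting the inputs makes both sides feed the PRF identical data.
    data = (min(mac_a, mac_s) + max(mac_a, mac_s)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# Constructed sample values (not from a real capture).
MAC_A = bytes.fromhex("020000000001")
MAC_S = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_psk("password", "IEEE")  # in WPA(2) Personal the PSK is the PMK
    for name, key in derive_ptk(pmk, MAC_A, MAC_S, ANONCE, SNONCE).items():
        print(name, key.hex())
```

Every input except the password (SSID, MAC addresses, nonces) is visible on the air, which is why password strength is the only thing protecting a PSK network against offline guessing.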

SLIDE 17

WPA(2) Personal - Attacks

  • Which information is available to a passive attacker that observes a successful connection including the 4-way handshake?
    • SSID, MAC addresses, nonces
    • Enough information to perform offline brute-force attacks
      • For example, dictionary attacks or rainbow table attacks
      • What is the problem with rainbow tables?
  • What can an attacker do once the PSK is known?
    • Connect to the network
    • Eavesdrop on other users
      • If 4-way handshake is observed, which might be possible to force by sending a deauthentication message to the client and access point
  • Often WPA password is shared, for example, in coffee bars or restaurants...
SLIDE 18

WPA(2) Enterprise

  • Not always convenient (or secure) to share one key/password with all users
  • Re-use existing credentials
    • Usernames and passwords
    • Certificates
  • Authentication using IEEE 802.1x
  • For example, used in eduroam
SLIDE 19

IEEE 802.1x

  • Extensible Authentication Protocol (EAP) over LAN (EAPOL)
  • Actual authentication done by authentication server
    • Typically a RADIUS server (Remote Authentication Dial-In User Service)
    • Anonymous identity used to select RADIUS server
  • Common EAP methods used
    • TLS
    • PEAP
    • TTLS
  • Key provided by the authentication server to the client and access point

SLIDE 20

EAP: TLS

  • Mutual authentication between user and authentication server via TLS using certificates
  • Key management difficult
    • All users need a public key pair and corresponding certificate
  • Important to properly check certificates
SLIDE 21

EAP: PEAP

  • Protected Extensible Authentication Protocol (PEAP)
  • Provides a protection layer for legacy EAP methods (inner authentication method)
    • In particular MS-CHAPv2
  • TLS tunnel between user and authentication server
    • Typically only server authentication
  • MS-CHAPv2 can be used to authenticate using username/password combination
  • Again, important to check certificate
SLIDE 22

EAP: TTLS

  • Tunnelled TLS (TTLS)
  • Similar to PEAP: provide a TLS tunnel to use legacy authentication methods (inner authentication method)
  • More flexible and allows for more authentication methods
    • Not only ones that have EAP support
  • Once again, important to verify certificates
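SLIDE 23

EAP-PEAP

Between Supplicant, Authenticator and Authentication server (RADIUS):

  • Supplicant ↔ Authenticator: 802.11 Association
  • Authenticator → Supplicant: EAP: request identity
  • Supplicant → Authenticator: EAP: identity
    • Anonymous identity (if configured)
  • Authenticator → Authentication server: RADIUS: Access request, identity
  • Authentication server → Authenticator: RADIUS: Start EAP-PEAP
  • Authenticator → Supplicant: EAP: Start EAP-PEAP
  • Supplicant ↔ Authentication server: Authentication and key exchange inside TLS tunnel
  • Authentication server → Authenticator: RADIUS: Access accepted, key material
  • Authenticator → Supplicant: EAP: Success
  • Supplicant ↔ Authenticator: 4-way handshake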

SLIDE 24

eduroam

  • Allows users from one institute to use the wireless network at another institute
  • Uses 802.1x authentication
  • Explained in RFC 7593
  • Federated authentication: authentication delegated to home institution
    • Routing based on domain (e.g. ru.nl in anonymous@ru.nl)
    • EAP messages forwarded to home institution’s RADIUS server
  • Similar system for governments: govroam
SLIDE 25

eduroam hierarchy

  • Confederation top-level RADIUS Server (TLR)
    • E.g. Europe or Asia and Pacific region
  • Federation-Level RADIUS servers (FLRs)
    • E.g. SURF for .nl
  • Identity provider (IdP)
    • E.g. Radboud University for ru.nl
SLIDE 26

eduroam

Source: https://www.bsc.es/marenostrum/access-to-eduroam

SLIDE 27

Issues with PEAP and TTLS

  • Who uses eduroam?
  • Who configured an anonymous identity?
  • Who configured a CA?
  • Who configured a hostname for the RADIUS server?
SLIDE 28

Issues with PEAP and TTLS

  • If no anonymous identity is configured, you are sending your real username in plaintext
  • Most inner authentication methods are broken
    • MSCHAPv2 can easily be cracked
    • PAP (Password Authentication Protocol): plaintext username/password
  • But this inner authentication is protected using a TLS tunnel, right?
    • How do you check the certificate?
SLIDE 29

Issues with PEAP and TTLS

  • Which CA certificate do you configure on the clients?
    • None → anyone can impersonate your network
    • Public CA → anyone can impersonate your network, as long as you do not configure the RADIUS hostnames
    • Dedicated/private CA → impersonation is not possible (assuming no keys are compromised)
    • Trust on first use: accept a certificate on first connection and store it
  • What happens if verification is not done properly?
    • Evil twin attacks are possible
    • Attacker gets access to the inner authentication
    • Potentially worse than no encryption!
  • All depends on the configuration by the users
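
A client-side check for the three configuration questions raised on the PEAP/TTLS slides (anonymous identity, CA, RADIUS server name), as an added example that is not part of the original slides. It assumes the client uses wpa_supplicant and audits its `network={...}` blocks; the configuration text, names and paths in it are constructed samples.

```python
import re

# Constructed wpa_supplicant.conf sample: first block weak, second hardened.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="constructed-sample"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    password="constructed-sample"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/example-private-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''
# wpa_supplicant options that pin the server name in the certificate.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text: str) -> list:
    """Return each network={...} block as a dict of key -> unquoted value."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in block.splitlines() if "=" in l)
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit(net: dict) -> list:
    """List the PEAP/TTLS client-side gaps for one network block."""
    if not {"PEAP", "TTLS"} & set(net.get("eap", "").split()):
        return []
    findings = []
    if "anonymous_identity" not in net:
        findings.append("no anonymous identity: real username sent in plaintext")
    if "ca_cert" not in net:
        findings.append("no CA configured: any server can impersonate the network")
    elif not any(k in net for k in NAME_CHECKS):
        findings.append("CA set without RADIUS server name: any certificate from that CA is accepted")
    return findings
```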
SLIDE 30

WPA3

  • Announced in January 2018 by Wi-Fi alliance
  • Several new security features
    • Individualised data encryption in open networks
      • Using Opportunistic Wireless Encryption (OWE)
    • Resilient password-based authentication
      • Use of Simultaneous Authentication of Equals (SAE)
    • Stronger cryptographic algorithm (192 bits security)
SLIDE 31

Opportunistic Wireless Encryption (OWE)

  • Specified in RFC8110
  • Intended to make eavesdropping a bit harder in public networks (open or with publicly known pre-shared key)
  • Based on Diffie-Hellman
  • Part of the association step
    • Client adds public Diffie-Hellman value to association request
    • Access point adds public Diffie-Hellman value to association response
  • PMK derived from the result of the Diffie-Hellman key exchange
    • PMK then used as input for the 4-way handshake
SLIDE 32

Simultaneous Authentication of Equals (SAE)

  • Improve security of PSK method when using a password
  • Password-authenticated key exchange method based on Diffie-Hellman
    • Based on zero-knowledge proof
  • Prevents dictionary attacks
    • One guess per session
  • Forward secrecy
  • Takes place in authentication phase
  • Originally intended to provide authentication between peers in mesh networks

SLIDE 33

Simultaneous Authentication of Equals (SAE)

  • Two message exchanges
    • Commitment exchange
    • Confirmation exchange
  • PWE (Password Element): group element derived from password and MAC addresses of both parties involved
  • The protocol results in a PMK shared between the two parties
    • Subsequently used in the 4-way handshake to establish session keys
SLIDE 34

Simultaneous Authentication of Equals (SAE)

  • S:
    • Generate random scalars randS and maskS
    • Derive PWE
    • commitScalarS = (randS + maskS) mod r
    • commitElementS = PWE^{-maskS}
  • A:
    • Generate random scalars randA and maskA
    • Derive PWE
    • commitScalarA = (randA + maskA) mod r
    • commitElementA = PWE^{-maskA}
  • S → A: commitScalarS, commitElementS
  • A → S: commitScalarA, commitElementA
  • S:
    • Compute shared secret K = (PWE^{commitScalarA} * commitElementA)^{randS}
    • Derive KCK and PMK
  • A:
    • Compute shared secret K = (PWE^{commitScalarS} * commitElementS)^{randA}
    • Derive KCK and PMK
  • S → A: HMAC_{KCK}(commitScalarS, commitElementS, commitScalarA, commitElementA)
  • A → S: HMAC_{KCK}(commitScalarA, commitElementA, commitScalarS, commitElementS)

Authentication accepted

SLIDE 35

Key Reinstallation Attacks

  • Discovered by Mathy Vanhoef in 2017
  • Force nonce reuse for the data confidentiality algorithm
    • Impact depends on algorithm
  • Independent from authentication method
    • Targets 4-way handshake
  • Problems in both the specifications and implementations
    • WiFi designed to cope with packet loss
SLIDE 36

Recap: 4-way handshake

Between S and A (r is the replay counter):

  • A → S: Msg1(r, ANonce)
    • S: Derive PTK
  • S → A: Msg2(r, SNonce, MIC)
    • A: Derive PTK
  • A → S: Msg3(r+1, ANonce, MIC, Enc_KEK(GTK))
  • S → A: Msg4(r+1, MIC)
    • S: Install PTK and GTK
    • A: Install PTK
  • Encrypted data frames

SLIDE 37

Frame encryption (simplified)

Based on slide by Mathy Vanhoef

  • Mix: PTK (session key) and Nonce (packet number) → Packet key
  • Packet key → Keystream
  • Keystream and Plaintext data → Encrypted data, sent together with the Nonce

Nonce reuse implies keystream reuse!

SLIDE 38

Recap: 4-way handshake

Between S and A:

  • A → S: Msg1(r, ANonce)
    • S: Derive PTK
  • S → A: Msg2(r, SNonce, MIC)
    • A: Derive PTK
  • A → S: Msg3(r+1, ANonce, MIC, Enc_KEK(GTK))
  • S → A: Msg4(r+1, MIC)
    • S: Install PTK and GTK
    • A: Install PTK
    • Nonce set to zero
  • Encrypted data frames

SLIDE 39

Reinstallation attack

| S side | A side |
|--------|--------|
| Msg1(r, ANonce) | Msg1(r, ANonce) |
| Msg2(r, SNonce) | Msg2(r, SNonce) |
| Msg3(r+1, ANonce, MIC, Enc_KEK(GTK)) | Msg3(r+1, ANonce, MIC, Enc_KEK(GTK)) |
| Msg4(r+1, MIC) | |
| Install PTK and GTK | |
| Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)) | Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)) |
| Enc_PTK(1, Msg4(r+2, MIC)) | |
| Install PTK and GTK | |

Key reinstalled and nonce set to zero!

SLIDE 40

Reinstallation attack

| S side | A side |
|--------|--------|
| Msg1(r, ANonce) | Msg1(r, ANonce) |
| Msg2(r, SNonce) | Msg2(r, SNonce) |
| Msg3(r+1, ANonce, MIC, Enc_KEK(GTK)) | Msg3(r+1, ANonce, MIC, Enc_KEK(GTK)) |
| Msg4(r+1, MIC) | |
| Install PTK and GTK | |
| Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)) | Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)) |
| Enc_PTK(1, Msg4(r+2, MIC)) | |
| Install PTK and GTK | |
| Enc_PTK(1, Data(...)) | Enc_PTK(1, Data(...)) |

Same nonce is used!

SLIDE 41

Reinstallation attack

| S side | A side |
|--------|--------|
| Msg4(r+1, MIC) | |
| Install PTK and GTK | |
| Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)) | Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)) |
| Enc_PTK(1, Msg4(r+2, MIC)) | |
| Install PTK and GTK | |
| Enc_PTK(1, Data(...)) | Enc_PTK(1, Data(...)) |

Keystream → Decrypted data!

SLIDE 42

Impact

  • Messages can be replayed and decrypted
    • Replay towards victim
    • Decrypted from victim
  • Access points can be attacked if IEEE 802.11r is supported
    • Used for roaming within corporate networks
  • Data confidentiality algorithm specific
    • CCMP: no practical forging attacks
    • TKIP: recover MIC key from plaintext → forge/inject frames from victim
    • GCMP: recover authentication key → forge/inject frames from and to victim
  • Particular version of Android and wpa_supplicant reinstalled all zero keys

SLIDE 43

Countermeasures

  • Do not reset nonces and replay counter when reinstalling the current key
  • Only install one key per 4-way handshake
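
The first countermeasure in a toy model, as an added example that is not part of the original slides or of any real supplicant. The `Supplicant` class and the HMAC-based keystream are hypothetical stand-ins (not CCMP or TKIP) chosen only so that the keystream depends on key and nonce; the key and frame contents are constructed.

```python
import hashlib
import hmac

def keystream(tk: bytes, nonce: int, n: int) -> bytes:
    """Toy per-packet keystream: a function of the key and the nonce only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(tk, nonce.to_bytes(6, "big") + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.nonce = 0       # transmit packet number
        self.used = []       # nonces actually put on the air

    def on_msg3(self, tk: bytes) -> None:
        """Handle message 3 of the 4-way handshake, possibly a retransmission."""
        if self.patched and tk == self.tk:
            return           # countermeasure: same key, keep the nonce as it is
        self.tk = tk
        self.nonce = 0       # installing a key resets the packet number

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.used.append(self.nonce)
        return xor(plaintext, keystream(self.tk, self.nonce, len(plaintext)))

def run(patched: bool):
    """Two frames sent around a retransmitted message 3 carrying the same key."""
    s = Supplicant(patched)
    tk = b"\x11" * 16        # constructed sample temporal key
    s.on_msg3(tk)
    c1 = s.send(b"first frame data")
    s.on_msg3(tk)            # retransmitted message 3
    c2 = s.send(b"other frame data")
    return s.used, c1, c2
```

In the unpatched run both frames use nonce 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; in the patched run the second frame uses nonce 2 and that relation no longer holds.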
SLIDE 44

WiFi risks

  • Broadcast medium → everyone can listen and send traffic
  • Client can easily be tracked → privacy risks
    • MAC address
    • Broadcasted SSIDs by client
    • 802.1x identity
  • Security relies heavily on correct configuration of clients
    • Wrong configuration can lead to compromise of network access and credentials

SLIDE 45

WiFi advantages

  • WiFi authenticates all users
    • As opposed to network sockets
  • Encrypts all traffic on link layer
  • Can control access to resources based on user identity
SLIDE 46

Further activities

  • Read the following paper:
    • Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
    • M. Vanhoef and F. Piessens
    • Proceedings of the 24th ACM Conference on Computer and Communication Security (CCS 2017)