WiFi security - Harald Vranken - PowerPoint PPT Presentation



SLIDE 1

Advanced Network Security (2019-2020)

WiFi security

Harald Vranken


SLIDE 2

Agenda

  • Introduction to WiFi
  • Open WiFi networks
  • Home WiFi network
  • IEEE 802.11
    – WEP
    – WPA/WPA2/WPA3 Personal/Enterprise
    – Eduroam
    – Attacks

SLIDE 3

Introduction to WiFi

  • IEEE 802.11 standard
    – Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications
    – Original version 1997; latest version 2016 (~3500 pages!)
  • Numerous amendments, e.g. 802.11i Medium Access Control (MAC) Security Enhancements
  • Security certification programs by WiFi Alliance, e.g. WPA2 and WPA3
    – ensure that Wi-Fi products from multiple manufacturers work well together
  • Some terminology:
    – Station (STA): device with WiFi capability
    – Access Point (AP): station that other stations can connect to in order to get access to a network (also referred to as authenticator)
    – Supplicant: the client, when it is authenticating
    – SSID (Service Set Identifier): name of the network
    – MIC (Message Integrity Check): a Message Authentication Code (MAC); called MIC to prevent confusion with Medium Access Control (MAC)

SLIDE 4

WiFi security

  • Open access
  • Protected access
    – Wired Equivalent Privacy (WEP)
    – WiFi Protected Access (WPA/WPA2/WPA3)

[Figure: Security of public WiFi hotspots across the world (2016). Source: https://securelist.com/research-on-unsecured-wi-fi-networks-across-the-world/76733/]

SLIDE 5

Open networks

  • Public hotspots for free WiFi
    – May provide captive portal
    – May use pre-shared key (PSK)
      • PSK is announced publicly (on paper/wall/…)
      • PSK is used in "4-way handshake" to derive encryption keys for bulk wireless data
  • No encryption of traffic
    – Attacker can eavesdrop on all network traffic
    – Also in case of PSK, because
      • PSK is known by everyone
      • Attacker can eavesdrop on 4-way handshake and derive encryption keys
      • In case attacker missed 4-way handshake, a forged "deauthenticate" can be issued that will cause client and AP to redo 4-way handshake

SLIDE 6

Open networks

  • New in WPA3 (2018): Opportunistic Wireless Encryption (OWE)
    – Specified in RFC 8110
    – Intended to make eavesdropping a bit harder in public networks (open or with PSK)
    – Client and AP perform Diffie-Hellman key exchange to obtain shared key (instead of PSK)
    – Provides data encryption (but no authentication)

SLIDE 7

Open networks

  • Broken access control measures
    – Hidden network (security by obscurity; access requires knowing SSID)
      • Access point continuously sends beacon packets; may hide by not including SSID
      • Easy to eavesdrop on clients that have SSID (not only when client actually connects to network; client also constantly sends connection requests to ‘saved networks’ in order to improve connectivity)
    – Filter based on whitelist of MAC addresses
      • Client can easily spoof its MAC address

SLIDE 8

Open networks

  • Evil twin attack
    – Malicious access point pretends to be a preferred network of user
    – When user connects, attacker can sniff all traffic and act as man-in-the-middle
  • KARMA: special case of evil twin attack
    – Vulnerable client devices broadcast ‘preferred network list’ (PNL) containing SSIDs of access points to which client has previously connected
    – Malicious access point receives PNL and takes an SSID from PNL

Dai Zovi, D. A., & Macaulay, S. A. (2005). Attacking Automatic Wireless Network Selection. Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop, pp. 365–372

  • OWE offers no protection against evil twin attack

SLIDE 9

Wireless home network

  • WPS (Wi-Fi Protected Setup)
    – security specification certified by WiFi Alliance to create a secure wireless home network
  • Connect wireless device to AP by entering PIN on device
    – PIN is easily retrieved by brute-force attack due to vulnerabilities in WPS protocol
  • In case attacker has physical access to AP
    – PIN is written on AP
    – Connect wireless device to AP by pushing (virtual) button on device and AP

SLIDE 10

IEEE 802.11-1999

  • WEP (Wired Equivalent Privacy)

Authentication

  • 4-step challenge–response handshake between client and access point
  • preshared WEP key

Data encryption

  – Rivest Cipher 4 (RC4) stream cipher
  – preshared WEP key

SLIDE 11

WEP security

  • Secret keys can be cracked in a few minutes using a basic laptop computer
  • Security is easy to crack and about as good as an open network
  • Stop using it!

A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP), by A. Stubblefield, J. Ioannidis, and A. D. Rubin. ACM Trans. Inf. Syst. Security, vol. 7, no. 2, pp. 319–332, May 2004

Breaking 104 bit WEP in less than 60 seconds, by E. Tews, R.-P. Weinmann, and A. Pyshkin. Information Security Applications, Lecture Notes in Computer Science, vol. 4867, pp. 188–202, 2007

SLIDE 12

IEEE 802.11-2016

  • Establishment
    – Discovery: find nearby networks by monitoring beacons or active probing
    – Authentication: typically ‘Open’ (included for WEP)
    – Association: agreement on cipher suites and security algorithms
  • Optional: 802.1x EAP authentication
    – Mutual authentication using EAP (Extensible Authentication Protocol)
    – Generation of PMK (shared secret key)
  • Optional: 4-way handshake
    – Confirmation that PMK is known
    – Exchange of session keys
  • Data exchange

[Diagram: message sequence: Probe request; Probe response (security parameters); Authentication request; Authentication response; Association request (security parameters); Association response; 802.1x EAP authentication; 4-way handshake; Data]

SLIDE 13

WPA (WiFi Protected Access)

Certified by WiFi Alliance

  • WPA (2003): based on subset of IEEE 802.11i draft
  • WPA2 (2004): based on IEEE 802.11i std.
    – Uses AES instead of RC4 and provides stronger authentication
  • WPA3 (WiFi Alliance, 2018):
    – Prevents eavesdropping and forging of unicast management action frames; prevents forging of multicast management action frames
    – Stronger cryptography (192-bit mode)
      • Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)
      • Key derivation and confirmation: HMAC-SHA384
      • Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve

SLIDE 14

WPA security: data confidentiality

  • TKIP (Temporal Key Integrity Protocol)
    – As WEP, based on RC4 stream cipher
    – Also included in WPA2 for backwards compatibility
    – Deprecated in IEEE 802.11-2016 standard
    – Known to have biases that can be exploited to break it
    – Possible to inject and decrypt packets
    – Attack only takes about an hour, relies on generation of identical packets

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS, by Mathy Vanhoef and Frank Piessens, Usenix Security 2015

  • CCMP (Counter Mode – Cipher Block Chaining Message Authentication Code Protocol)
    – Most widely-used
    – Based on AES
  • GCMP (Galois/Counter Mode Protocol)
    – Being rolled out (WiGig)

Confidentiality    Personal/Enterprise
WPA                TKIP
WPA2               CCMP
WPA3               GCMP

[Diagram: construct CCMP/GCMP header; CCMP/GCMP encryption]

SLIDE 15

WPA security: authentication

  • WPA personal
    – Personal network
    – WPA/WPA2: Pre-shared key (PSK)
    – WPA3: Simultaneous Authentication of Equals (SAE)
  • WPA Enterprise
    – Enterprise network
    – IEEE 802.1x authentication using Extensible Authentication Protocol (EAP) and Authentication server

Authentication    Personal    Enterprise
WPA               PSK         802.1x
WPA2              PSK         802.1x
WPA3              SAE         802.1x

SLIDE 16

PSK (WPA/WPA2 Personal)

[Diagram: message sequence between supplicant/station and authenticator/AP: Probe request; Probe response (security parameters); Authentication request; Authentication response; Association request (security parameters); Association response; 802.1x EAP authentication; 4-way handshake; Data. 4-way handshake messages: ANonce; SNonce, MIC; ANonce, MIC, Enc_KEK(GTK); MIC. Both sides derive PTK and install PTK; encrypted data frames follow]

‘Open’ method in authentication phase

  • Authentication takes place in 4-way handshake
  • Uses pre-shared key (PSK) for authentication
  • PSK used directly as PMK in 4-way handshake

SLIDE 17

Keys and 4-way handshake

  • Before starting 4-way handshake, client and access point share secret key PMK (Pairwise Master Key)
  • During 4-way handshake, client and access point derive a fresh session key PTK (Pairwise Transient Key)
    – Derived from PMK, ANonce, SNonce, and MAC addresses of client and access point
    – Split into
      • KCK (Key Confirmation Key): for generating MIC
      • KEK (Key Encryption Key): for encryption of keys
      • TK (Temporal Key): for data confidentiality and integrity
  • Also group keys
    – GMK (Group Master Key)
    – GTK (Group Temporal Key): shared between all connected clients and access point, used for broadcast and multicast traffic

[Diagram: 4-way handshake between supplicant/station and authenticator/AP: ANonce; SNonce, MIC; ANonce, MIC, Enc_KEK(GTK); MIC. Both sides derive PTK and install PTK; encrypted data frames follow]

SLIDE 18

PSK attack

  • PMK is derived from an ASCII password using a key derivation function (KDF):

PMK = KDF(password, SSID)

  • Passive attacker can
    1. obtain SSID, MAC addresses, nonces, MIC (HMAC using KCK)
    2. perform offline brute-force attack on password (e.g. dictionary attack or rainbow table attack)
    3. obtain PMK and PTK
  • Often password is shared, e.g. in coffee bars or restaurants...
  • What can an attacker do once the PSK is known?
    – Connect to the network
    – Eavesdrop on other users

[Diagram: key hierarchy: password and SSID → KDF → PSK/PMK; PMK with ANonce, SNonce and MAC addresses (from 4-way handshake) → PRF → PTK → KCK, KEK, TK]

SLIDE 19

Simultaneous Authentication of Equals (SAE)

  • Improve security of PSK method when using a password
  • Password-authenticated key exchange method based on Diffie-Hellman


SLIDE 20

Simultaneous Authentication of Equals (SAE)

PWE (Password Element): derived from password and MAC addresses of STA and AP

Commitment exchange

  • Side S: generate random scalars randS and maskS; derive PWE
    – $commitScalarS = (randS + maskS) \bmod r$
    – $commitElementS = PWE^{-maskS}$
  • Side A: generate random scalars randA and maskA; derive PWE
    – $commitScalarA = (randA + maskA) \bmod r$
    – $commitElementA = PWE^{-maskA}$
  • Messages exchanged: (commitScalarS, commitElementS) and (commitScalarA, commitElementA)
  • Side S: compute shared secret $K = (PWE^{commitScalarA} \cdot commitElementA)^{randS}$; derive KCK and PMK
  • Side A: compute shared secret $K = (PWE^{commitScalarS} \cdot commitElementS)^{randA}$; derive KCK and PMK

Confirmation exchange

  • Messages exchanged: $HMAC_{KCK}(commitScalarS, commitElementS, commitScalarA, commitElementA)$ and $HMAC_{KCK}(commitScalarA, commitElementA, commitScalarS, commitElementS)$
  • Authentication accepted

Shared PMK subsequently used in the 4-way handshake to establish session keys
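Why both sides end up with the same K, as a derivation added here (not part of the original slide). It assumes that r is the order of PWE, so exponents can be reduced mod r; the labels $K_S$ and $K_A$ for the value computed on each side are introduced for this derivation only.

$$
\begin{aligned}
K_S &= \left(PWE^{commitScalarA} \cdot commitElementA\right)^{randS}
     = \left(PWE^{randA + maskA} \cdot PWE^{-maskA}\right)^{randS}
     = PWE^{randA \cdot randS} \\
K_A &= \left(PWE^{commitScalarS} \cdot commitElementS\right)^{randA}
     = \left(PWE^{randS + maskS} \cdot PWE^{-maskS}\right)^{randA}
     = PWE^{randS \cdot randA}
\end{aligned}
$$

The masks cancel, so $K_S = K_A$. An eavesdropper sees only the masked values $(rand + mask) \bmod r$ and $PWE^{-mask}$, and computing K additionally requires PWE, which depends on the password.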

SLIDE 21

WPA Enterprise

[Diagram: message sequence between supplicant/station, authenticator/AP and authentication server: Probe request; Probe response (security parameters); Authentication request; Authentication response; Association request (security parameters); Association response; 802.1x EAP authentication (EAP request; EAP response; authentication exchange; key material; EAP success); 4-way handshake (ANonce; SNonce, MIC; ANonce, MIC, Enc_KEK(GTK); MIC; derive PTK; install PTK and GTK); encrypted data frames]

  • Inconvenient/insecure to share one key/password with all users; re-use existing credentials (usernames and passwords; certificates)
  • Authentication using IEEE 802.1x (e.g. eduroam)

SLIDE 22

IEEE 802.1x

  • Extensible Authentication Protocol (EAP) over LAN (EAPOL)
  • Actual authentication done by authentication server
    – Typically a RADIUS server (Remote Authentication Dial-In User Service)
    – Authentication server provides PMK to client and access point

[Diagram: supplicant/station and authenticator/AP communicate over EAPOL; authenticator/AP and authentication server communicate over RADIUS. Messages: EAP request identity; EAP response identity; authentication exchange; key material; EAP success]

Any authentication exchange protocol may be used here (not fixed in 802.1x), e.g. applying

  • certificates
  • username-password
  • challenge-response with security token

SLIDE 23

EAP-TLS (Transport Layer Security)

  • Mutual authentication between client and authentication server via TLS using certificates
  • Key management difficult: all users need a public key pair and corresponding certificate
  • Important to properly check certificates

[Diagram: EAP message sequence between supplicant/station, authenticator/AP and authentication server: EAP request identity; EAP response identity; authentication exchange; key material; EAP success]

RFC 5216

SLIDE 24

EAP-TTLS (Tunnelled TLS)

  • Handshake phase (outer authentication)
    – Server is authenticated to client by server certificate (or mutual authentication)
  • Data phase (inner authentication)
    – Client is authenticated to the server (or mutual authentication) using an arbitrary authentication mechanism encapsulated within the secure tunnel
    – E.g. PAP (Password Authentication Protocol) and MS-CHAPv2
  • Important to verify certificate!

[Diagram: EAP message sequence between supplicant/station, authenticator/AP and authentication server: EAP request identity; EAP response identity; authentication exchange; key material; EAP success]

RFC 5281

SLIDE 25

EAP-PEAP (Protected Extensible Authentication Protocol)

  • Similar to EAP-TTLS
  • TLS tunnel between client and authentication server
    – Typically only server authentication
  • Provides a protection layer for legacy EAP methods (inner authentication method)
    – In particular MS-CHAPv2 (Microsoft Challenge-Handshake Authentication Protocol v2) (mutual authentication using username/password combination)
  • Again, important to check certificate

[Diagram: EAP message sequence between supplicant/station, authenticator/AP and authentication server: EAP request identity; EAP response identity; authentication exchange; key material; EAP success]

SLIDE 26

Example of EAP-PEAP: eduroam

  • Enables users to roam between participating institutes
    – RFC 7593 ‘The eduroam Architecture for Network Roaming’
  • Authentication
    – 802.1x authentication
    – Users authenticate with the login data of their home institutes
  • Federated authentication: authentication delegated to home institute
  • Routing based on domain (e.g. ru.nl in anonymous@ru.nl)
  • Similar system for governments: govroam

SLIDE 27

EAP-PEAP (Protected Extensible Authentication Protocol)

[Diagram: message sequence: 802.11 Association; EAP request: Identity; EAP response: Identity (anonymous identity, if configured); RADIUS Access request: identity; RADIUS Start: EAP-PEAP; EAP Start: EAP-PEAP; authentication and key exchange inside TLS tunnel; RADIUS Access accepted: key material; EAP Success; 4-way handshake]

SLIDE 28

Federated authentication in eduroam (1/2)

Outer authentication

1. User requests network access (e.g. anonymous@ru.nl)
2. AP forwards user identity to home AS of network
    – Proxied, based on user's identity, until user's home AS (RU) is found
    – Top-level RADIUS Server (e.g. Europe or Asia and Pacific region)
    – Federation-Level RADIUS servers (e.g. SURF for .nl)
3. Check identity, tunnel establishment, server sends certificate, user validates server certificate

SLIDE 29

Federated authentication in eduroam (1/2)

Inner authentication

4. Authentication inside tunnel between client and user’s home AS, using user’s credentials of home institution
5. User's home AS validates login data and passes result to the AP, which grants or refuses access

SLIDE 30

Issues with eduroam

  • Client without anonymous identity configured
    – Sending real username in plaintext
  • Client without CA configured
    – May accept any server certificate
  • Client may accept certificates signed by intermediate CAs (and such certificate can easily be obtained)
  • Client that trusts certificate on first use, stores it (has to be removed)

A Practical Investigation of Identity Theft Vulnerabilities in Eduroam, by S. Brenza, A. Pawlowski, and C. Pöpper. Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 2015

SLIDE 31

Issues with eduroam

  • Outer authentication depends on CA certificate checking on client
    – With TLS in HTTPS, certificate should be bound to domain (CN, common name); with WPA(2) Enterprise, CN should contain hostname of RADIUS server
    – None (no CA configured): anyone can impersonate your network (evil twin attack)
    – Public CA: anyone can impersonate your network, as long as you do not configure the RADIUS hostnames
    – Dedicated/private CA: → impersonation is not possible (assuming no keys are compromised)
  • If outer authentication is cracked, there still is inner authentication, right?
    – Client using PAP → username/password are sent in plaintext
    – Client using MSCHAPv2 → may still be cracked (depends on password strength)
    – Potentially worse than no encryption!
  • All depends on the configuration by the users
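The client-side issues from the two "Issues with eduroam" slides, as a check over wpa_supplicant network blocks (an added example, not part of the original slides or of any eduroam tooling). The three profiles, the example.org names and the certificate paths are constructed; the second profile stands for the "public CA without RADIUS hostname" case.

```python
import re

# wpa_supplicant options that pin the expected RADIUS server name.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf_text: str) -> list:
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, flags=re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(net: dict) -> list:
    """Map one 802.1x network block to the issues listed on the slides.
    A public and a private CA look the same in the file, so a missing
    server-name check is reported whenever a CA is set without one."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []
    findings, outer_weak = [], False
    if not net.get("anonymous_identity"):
        findings.append("no anonymous identity: real username sent in plaintext")
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no CA configured: any server certificate may be accepted")
        outer_weak = True
    elif not any(net.get(k) for k in SERVER_NAME_KEYS):
        findings.append("CA set but RADIUS server name not checked")
        outer_weak = True
    inner = re.search(r"\bauth=(\w+)", net.get("phase2", ""))
    method = inner.group(1).upper() if inner else ""
    if outer_weak and method == "PAP":
        findings.append("inner PAP: password readable by an impersonating server")
    elif outer_weak and method == "MSCHAPV2":
        findings.append("inner MSCHAPv2: protection depends on password strength")
    return findings

# Constructed sample profiles (weak, public CA without name check, hardened).
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="alice@example.org"
    phase2="auth=PAP"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
'''

if __name__ == "__main__":
    for i, net in enumerate(parse_networks(SAMPLE_CONF), 1):
        print(i, audit(net) or "ok")
```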

SLIDE 32

Key Reinstallation Attack

  • Discovered by Mathy Vanhoef in 2017
  • Known as ‘KRACK’
  • Targets 4-way handshake
  • Problems in both specifications and implementations
  • Attack
    – Relies on WPA2 using a stream cipher for encryption
    – Forces nonce reuse (not ANonce/SNonce, but in encrypted data frames)

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, by M. Vanhoef and F. Piessens. Proceedings of the 24th ACM Conference on Computer and Communication Security (CCS 2017)

[Diagram: 4-way handshake: ANonce; SNonce, MIC; ANonce, MIC, Enc_KEK(GTK); MIC. Both sides derive PTK; install PTK and GTK / install PTK; encrypted data frames follow]

SLIDE 33

Recap: 4-way handshake (simplified)

[Diagram: message sequence: Msg1(ANonce); Msg2(SNonce, MIC); Msg3(ANonce, MIC, Enc_KEK(GTK)); Msg4(MIC). Both sides derive PTK; install PTK and GTK / install PTK; installing resets nonce (and replay counter); encrypted data frames follow]

SLIDE 34

Reinstallation attack

Establish MITM between supplicant and authenticator (AP clone with same MAC address on different channel)

[Diagram: Msg1(ANonce), Msg2(SNonce, MIC) and Msg3(ANonce, MIC, Enc_KEK(GTK)) pass through the MITM; supplicant sends Msg4(MIC) and installs PTK and GTK; Msg4(MIC) is blocked]

SLIDE 35

Reinstallation attack

Establish MITM between supplicant and authenticator (AP clone with same MAC address on different channel)

[Diagram: as on the previous slide, Msg4(MIC) is blocked after the supplicant has installed PTK and GTK; Msg3(ANonce, MIC, Enc_KEK(GTK)) is retransmitted; supplicant answers with Enc_PTK(1, Msg4(MIC))]

SLIDE 36

Reinstallation attack

Establish MITM between supplicant and authenticator (AP clone with same MAC address on different channel)

[Diagram: as on the previous slide: Msg4(MIC) blocked; Msg3 retransmitted; supplicant answers with Enc_PTK(1, Msg4(MIC))]

Same message in plaintext and ciphertext!

SLIDE 37

Reinstallation attack

Establish MITM between supplicant and authenticator (AP clone with same MAC address on different channel)

[Diagram: as on the previous slide, followed by: supplicant installs PTK and GTK again; supplicant sends Enc_PTK(1, Data(…))]

Same nonce is used! Key reinstall and nonce reset

SLIDE 38

Frame encryption (simplified)

  • Nonce reuse implies keystream reuse (in all WPA2 ciphers)

[Diagram: PTK (session key) and nonce (packet number) → Mix → packet key → keystream; plaintext data combined with keystream → encrypted data]

SLIDE 39

Reinstallation attack

[Diagram: as on slide 37; Msg4(MIC) and Enc_PTK(1, Msg4(MIC)) together give the keystream]

SLIDE 40

Reinstallation attack

[Diagram: as on slide 37; the keystream applied to Enc_PTK(1, Data(…)) gives the decrypted data]

Keystream → decrypted data!

SLIDE 41

Reinstallation attack: impact

  • Messages can be replayed and decrypted
    – Replay towards victim
    – Decrypted from victim
  • Impact depends on the data confidentiality algorithm
    – TKIP: recover MIC key from plaintext → forge/inject frames from victim
    – CCMP: no practical forging attacks
    – GCMP: recover authentication key → forge/inject frames from and to victim
  • A particular version of Android and wpa_supplicant reinstalled all-zero keys

SLIDE 42

Reinstallation attack: countermeasures

  • Do not reset nonces and replay counter when reinstalling the current key
  • Only install one key per 4-way handshake
    – Do not allow resending Msg3
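The first countermeasure as a small model, next to the behaviour it replaces (an added example, not part of the original slides and not wpa_supplicant code). It assumes a toy HMAC-based keystream in place of the real cipher and does not model the replay counter; the frames and the key are constructed.

```python
import hashlib
import hmac

def keystream(tk: bytes, nonce: int, length: int) -> bytes:
    """Toy per-packet keystream from (TK, nonce); stands in for AES-CTR in CCMP."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(tk, nonce.to_bytes(6, "big") + bytes([block]),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Simplified client: only key installation and the transmit nonce are modelled."""

    def __init__(self, tk: bytes, hardened: bool):
        self.handshake_tk = tk        # TK derived in the current 4-way handshake
        self.hardened = hardened
        self.installed_tk = None
        self.nonce = 0

    def on_msg3(self) -> None:
        """Handle Msg3, including retransmissions within the same handshake."""
        if self.hardened and self.installed_tk == self.handshake_tk:
            return                    # current key already installed: keep the nonce
        self.installed_tk = self.handshake_tk
        self.nonce = 0                # (re)installation resets the packet number

    def send(self, plaintext: bytes):
        self.nonce += 1
        ks = keystream(self.installed_tk, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

# Constructed sample frames of equal length, and a constructed key.
KNOWN = b"handshake frame with known bytes"
SECRET = b"user data the client sends later"
TK = hashlib.sha256(b"constructed temporal key").digest()[:16]

def run(hardened: bool):
    sta = Supplicant(TK, hardened)
    sta.on_msg3()                     # first Msg3: key installed, nonce = 0
    n1, c1 = sta.send(KNOWN)          # sent with nonce 1
    sta.on_msg3()                     # retransmitted Msg3 arrives
    n2, c2 = sta.send(SECRET)         # vulnerable client uses nonce 1 again
    return n1, c1, n2, c2

def nonce_reused(hardened: bool) -> bool:
    n1, _, n2, _ = run(hardened)
    return n1 == n2

def ciphertexts_leak_plaintext_xor(hardened: bool) -> bool:
    """With a repeated keystream, c1 XOR c2 equals p1 XOR p2."""
    _, c1, _, c2 = run(hardened)
    return xor(c1, c2) == xor(KNOWN, SECRET)

if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable",
              nonce_reused(mode), ciphertexts_leak_plaintext_xor(mode))
```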

SLIDE 43

Disassociation/reassociation attack

  • Known as ‘Kr∅∅k’ (RSA 2020)
  • Disassociation: connection between client and AP is terminated (e.g. when user turns off Wi-Fi, or due to signal interference)
  • Reassociation: reconnection after disassociation (e.g. when client roams from one Wi-Fi AP to another)
  • Association/disassociation governed by management frames (unauthenticated and unencrypted in WPA2)
    – Attacker can forge a management frame to trigger disassociation
    – Some WiFi chips set TK (key for data confidentiality and integrity) to all zero
    – Data frames still left in transmit buffer in chips are encrypted with all-zero key and transmitted, which can easily be decrypted by attacker

[Diagram: message sequence: Probe request; Probe response (security parameters); Authentication request; Authentication response; Association request (security parameters); Association response; 802.1x EAP authentication; 4-way handshake; Data]

https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/

SLIDE 44

WiFi pro and con

  • Pro
    – WiFi authenticates all users
    – Encrypts all traffic on link layer
    – Can control access to resources based on user identity
  • Con
    – Broadcast medium → everyone can listen and send traffic
    – Client can easily be tracked → privacy risks
      • MAC address
      • SSIDs broadcast by client
      • 802.1x identity
    – Security relies heavily on correct configuration of clients
      • Wrong configuration can lead to compromise of network access and credentials
  • In general good idea to use VPN when using WiFi networks

SLIDE 45

Further reading

Read the following papers (mandatory):

  • A Practical Investigation of Identity Theft Vulnerabilities in Eduroam
    S. Brenza, A. Pawlowski, and C. Pöpper
    Proceedings 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 2015
  • Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
    M. Vanhoef and F. Piessens
    Proceedings 24th ACM Conference on Computer and Communication Security, 2017 (Note: you may skip sections 4, 5, and 7)