WiFi security - Harald Vranken - PowerPoint PPT Presentation

SLIDE 1

Advanced Network Security

WiFi security

Harald Vranken

SLIDE 2

Agenda

  • WiFi security
  • WEP
  • WPA(2)
  • WPA3

SLIDE 3

WiFi

  • IEEE 802.11 standard

– Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications
– original version 1997; latest version 2016
– ~3500 pages!

  • Some terminology:

– Station (STA) is a device with WiFi capability
– Access Point (AP) is a station that other stations can connect to in order to get access to a network, also referred to as authenticator
– Supplicant is used to indicate the client when authenticating
– SSID (Service Set Identifier) is the name of the network
– MIC: Message Integrity Check (is in fact a Message Authentication Code (MAC), but the name MIC prevents confusion with MAC addresses)

SLIDE 4

WiFi security

  • Open networks
  • Security

– Wireless Equivalent Privacy (WEP, 1999)
– WiFi Protected Access (WPA, 2003)

  • Hidden networks and MAC address whitelists

– Does not provide real security

  • WPA certification by the WiFi Alliance

SLIDE 5

WiFi security

  • Security of public WiFi hotspots across the world (2016)

Source: https://securelist.com/research-on-unsecured-wi-fi-networks-across-the-world/76733/

SLIDE 6

Open network security

  • No encryption of traffic

– Also used for public hotspots with captive portal
– Attacker can eavesdrop on all network traffic

  • Typically anyone can connect to the network

– Possible to filter based on MAC address, but can easily be spoofed

SLIDE 7

Open network security

  • Evil twin attack

– Malicious access point pretends to be a preferred network of user
– When user connects, attacker can sniff all traffic and act as man-in-the-middle

  • KARMA: special case of evil twin attack

– Vulnerable client devices broadcast ‘preferred network list’ (PNL), containing SSIDs of access points to which client has previously connected
– Malicious access point receives PNL and takes an SSID from PNL

Dai Zovi, D. A., & Macaulay, S. A. (2005). Attacking Automatic Wireless Network Selection. Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop, p. 365–372

SLIDE 8

WEP security

Authentication

  • 4-step challenge–response handshake between client and access point
  • preshared WEP key

Data encryption

  • Rivest Cipher 4 (RC4) stream cipher
  • preshared WEP key
SLIDE 9

WEP security

  • Secret keys can be cracked in a few minutes using a basic laptop computer
  • Security is easy to crack and about as good as an open network
  • Stop using it!

A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP) by A. Stubblefield, J. Ioannidis, and A. D. Rubin, ACM Trans. Inf. Syst. Security, vol. 7, no. 2, pp. 319–332, May 2004

Breaking 104 bit WEP in less than 60 seconds by E. Tews, R.-P. Weinmann, and A. Pyshkin, Information Security Applications, Lecture Notes in Computer Science, vol. 4867, pp. 188–202, 2007

SLIDE 10

WPA(2) security: authentication

  • WPA(2) personal

– Personal network
– Pre-shared key (PSK)

  • WPA(2) Enterprise

– Enterprise network
– Authentication server
– IEEE 802.1x authentication using Extensible Authentication Protocol (EAP)

                 | Authentication
WPA Personal     | PSK
WPA Enterprise   | 802.1x
WPA2 Personal    | PSK
WPA2 Enterprise  | 802.1x
SLIDE 11

WPA(2) security: data confidentiality

  • Temporary Key Integrity Protocol (TKIP)

– As WEP, based on RC4 stream cipher
– Also included in WPA2 for backwards compatibility
– Deprecated in IEEE 802.11 standard
– Known to have biases that can be exploited to break it
– Possible to inject and decrypt packets
– Attack only takes about an hour, relies on generation of identical packets

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS by Mathy Vanhoef and Frank Piessens, Usenix Security 2015

  • Counter Mode Cipher-Block Chaining Message Authentication Code Protocol (CCMP)

– Most widely-used
– Based on AES

  • Galois/Counter Mode Protocol (GCMP)

– Being rolled out (WiGig)

                 | Confidentiality
WPA Personal     | TKIP
WPA Enterprise   | TKIP
WPA2 Personal    | CCMP
WPA2 Enterprise  | CCMP

[Figure: CCMP/GCMP encryption; construct CCMP/GCMP header]
SLIDE 12

WPA(2)

                 | Authentication | Confidentiality
WPA Personal     | PSK            | TKIP
WPA Enterprise   | 802.1x         | TKIP
WPA2 Personal    | PSK            | CCMP
WPA2 Enterprise  | 802.1x         | CCMP
SLIDE 13

WiFi connection phases

  • Discovery

– Find nearby networks
– Networks announce capabilities

  • Authentication

– Typically ‘Open’ (designed for WEP)

  • (Re)Association

– Cipher suites
– Agreement on security algorithms

  • Optional: 802.1x authentication
  • Optional: 4-way handshake

– Mutual authentication

  • Data exchange

[Figure: connection message sequence. Labels: Probe request; Probe response (security parameters); Authentication request; Authentication response; Association request (security parameters); Association response; 802.1x authentication; 4-way handshake; Data]
SLIDE 14

Keys

  • PMK (Pairwise Master Key): secret key shared between client and access point
  • PTK (Pairwise Transient Key): concatenation of the following session keys

– KCK (Key Confirmation Key): used for message authentication in 4-way handshake
– KEK (Key Encryption Key): used for encryption of keys
– TK (Temporal Key): key used for confidentiality and integrity of the data

  • GMK (Group Master Key): optional key used to derive GTK
  • GTK (Group Temporal Key): key shared between all connected clients and access point, used for broadcast and multicast traffic

SLIDE 15

WPA(2) Personal

  • Uses pre-shared key (PSK) for authentication
  • Can be derived from an ASCII password using a key derivation function (KDF)

– PSK = KDF(password, SSID)

  • ‘Open’ method used in authentication phase
  • Actual authentication takes place in the 4-way handshake
  • PSK used directly as PMK in the 4-way handshake

[Figure: key derivation for WPA(2) Personal. Password and SSID enter the KDF, giving the PSK/PMK; PSK/PMK, ANonce, MAC address A, SNonce and MAC address S enter the PRF in the 4-way handshake, giving the PTK (KCK, KEK, TK)]

SLIDE 16

WPA(2) Personal: Attacks

  • Passive attacker can

1. obtain SSID, MAC addresses, nonces
2. perform offline brute-force attack on password (eg. dictionary attack or rainbow table attack)
3. obtain PSK

  • Often WPA(2) password is shared, eg. in coffee bars or restaurants...
  • What can an attacker do once the PSK is known?

– Connect to the network
– Eavesdrop on other users, if 4-way handshake is observed (can be enforced by sending a deauthentication message to the client and access point)

SLIDE 17

WPA(2) Enterprise

  • Not always convenient (or secure) to share one key/password with all users
  • Re-use existing credentials

– Usernames and passwords
– Certificates

  • Authentication using IEEE 802.1x

– Eg. used in eduroam

SLIDE 18

IEEE 802.1x

  • Extensible Authentication Protocol (EAP) over LAN (EAPOL)
  • Actual authentication done by authentication server

– Typically a RADIUS server (Remote Authentication Dial-In User Service)

  • PMK provided by authentication server to client and access point
  • Common EAP (inner authentication) methods used

– TLS (Transport Layer Security)
– PEAP (Protected Extensible Authentication Protocol)
– TTLS (Tunnelled TLS)

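[Figure: 802.1x entities and protocols. Supplicant (client), Authenticator (AP) and Authentication server (Identity provider); EAPOL between supplicant and authenticator, RADIUS between authenticator and authentication server; layers: EAPOL/RADIUS, EAP, TLS, EAP inner authentication method]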
SLIDE 19

EAP-TLS (Transport Layer Security)

  • Mutual authentication between client and authentication server via TLS using certificates
  • Key management difficult

– All users need a public key pair and corresponding certificate

  • Important to properly check certificates

[Figure: Supplicant (client), Authenticator (AP) and Authentication server (Identity provider), connected by EAPOL and RADIUS]
SLIDE 20

EAP-PEAP (Protected Extensible Authentication Protocol)

[Figure: EAP-PEAP message sequence. Labels: 802.11 Association; EAP request: Identity; EAP response: Identity, with anonymous identity (if configured); RADIUS Access request: identity; RADIUS Start: EAP-PEAP; EAP Start: EAP-PEAP; Authentication and key exchange inside TLS tunnel; RADIUS Access accepted: key material; EAP Success; 4-way handshake]
SLIDE 21

EAP-PEAP (Protected Extensible Authentication Protocol)

  • TLS tunnel between client and authentication server

– Typically only server authentication

  • Provides a protection layer for legacy EAP methods (inner authentication method)

– In particular MS-CHAPv2 (Microsoft Challenge-Handshake Authentication Protocol v2) (mutual authentication using username/password combination)

  • Again, important to check certificate

SLIDE 22

EAP-TTLS (Tunnelled TLS)

  • Similar to PEAP

– provide a TLS tunnel to use legacy authentication methods (inner authentication method)

  • More flexible and allows for more authentication methods

– Not only ones that have EAP support
– Eg. PAP (Password Authentication Protocol) and MS-CHAPv2

  • Once again, important to verify certificates

SLIDE 23

eduroam

  • Enables users to roam between participating institutes

– RFC 7593 ‘The eduroam Architecture for Network Roaming’

  • Authentication

– 802.1x authentication
– Users authenticate with the login data of their home institutes
– Federated authentication: authentication delegated to home institute
– Routing based on domain (eg. ru.nl in anonymous@ru.nl)

  • EAP messages forwarded to home institution’s RADIUS server
  • Similar system for governments: govroam

SLIDE 24

eduroam Federated authentication (1/2)

Outer authentication

1. User requests network access (eg. anonymous@ru.nl)
2. AP forwards user identity to home AS of network (identity is proxied, based on user's identity, until user's home AS (RU) is found)

– Top-level RADIUS Server (eg. Europe or Asia and Pacific region)
– Federation-Level RADIUS servers (eg. SURF for .nl)

3. Check identity, tunnel establishment, server sends certificate, user validates server certificate

SLIDE 25

eduroam Federated authentication (2/2)

Inner authentication

4. Authentication inside tunnel between client and user’s home AS, using user’s credentials of home institution
5. User's home AS validates login data and passes result to the AP, which grants or refuses access

SLIDE 26

Issues with eduroam

  • Who uses eduroam?
  • Who configured an anonymous identity?
  • Who configured a CA?
  • Who configured a hostname for the RADIUS server?

A Practical Investigation of Identity Theft Vulnerabilities in Eduroam, by S. Brenza, A. Pawlowski, and C. Pöpper, Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 2015

SLIDE 27

Issues with eduroam

  • Client without anonymous identity configured → sending real username in plaintext
  • Client without CA configured → may accept any server certificate
  • Client with CA configured will check certificate, right?

– With TLS in HTTPS, certificate should be bound to domain (CN-common name); with WPA(2) Enterprise, CN should contain hostname of RADIUS server
– Client may accept certificates signed by intermediate CAs (and such certificate can easily be obtained)
– Client that trusts certificate on first use, stores it (has to be removed)

SLIDE 28

Issues with eduroam

  • Outer authentication depends on CA certificate configured on client

– None → anyone can impersonate your network (evil twin attack)
– Public CA → anyone can impersonate your network, as long as you do not configure the RADIUS hostnames
– Dedicated/private CA → impersonation is not possible (assuming no keys are compromised)

  • If outer authentication is cracked, there still is inner authentication, right?

– Client using PAP → username/password are sent in plaintext
– Client using MSCHAPv2 → may still be cracked (depends on password strength)
– Potentially worse than no encryption!

  • All depends on the configuration by the users
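
One way to check a client profile for the issues listed on the last two slides, as an added example that is not part of the original slides: it audits a wpa_supplicant network block. The two profiles, the finding names and the example.org values are constructed.

```python
import re

def parse_network(block: str) -> dict:
    """Parse the key=value lines of one wpa_supplicant network block."""
    fields = {}
    for line in block.splitlines():
        m = re.match(r'\s*(\w+)=(.*?)\s*$', line)
        if m and m.group(1) != "network":
            fields[m.group(1)] = m.group(2).strip('"')
    return fields

def audit(block: str) -> list:
    """Return findings (hypothetical names) for the client-side issues on the slides."""
    f = parse_network(block)
    findings = []
    if not f.get("anonymous_identity"):
        findings.append("NO_ANONYMOUS_IDENTITY")    # real username sent in plaintext
    has_ca = bool(f.get("ca_cert") or f.get("ca_path"))
    names = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
    has_name = any(f.get(k) for k in names)
    if not has_ca:
        findings.append("NO_CA")                    # may accept any server certificate
    elif not has_name:
        findings.append("NO_SERVER_NAME")           # matters when the CA is a public one
    if not (has_ca and has_name):
        # Outer authentication can be impersonated, so the inner method is exposed.
        inner = f.get("phase2", "").upper()
        if "=PAP" in inner:
            findings.append("INNER_PAP_PLAINTEXT_PASSWORD")
        elif "MSCHAPV2" in inner:
            findings.append("INNER_MSCHAPV2_CRACKABLE")
    return findings

# Constructed profiles; identities, path and domain are placeholders.
WEAK = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.org"
    password="placeholder"
    phase2="auth=PAP"
}
'''
HARDENED = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-org-private-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
'''

if __name__ == "__main__":
    print("weak    :", audit(WEAK))
    print("hardened:", audit(HARDENED))
```
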

SLIDE 29

Recap

                 | Authentication
WPA Personal     | PSK
WPA Enterprise   | 802.1x
WPA2 Personal    | PSK
WPA2 Enterprise  | 802.1x

[Figure: connection message sequence. Labels: Probe request; Probe response (security parameters); Authentication request; Authentication response; Association request (security parameters); Association response; 802.1x authentication; 4-way handshake; Data]

[Figure: 4-way handshake. Labels: ANonce; SNonce, MIC; ANonce, MIC, Enc_KEK(GTK); MIC; Derive PTK (both sides); Install PTK and GTK; Install PTK; Encrypted data frames]
SLIDE 30

4-way handshake

  • Provides mutual authentication of user and access point

– Based on a shared secret (PMK, Pairwise Master Key)
– Can be pre-shared key (in personal network) or output of 802.1x authentication (in enterprise network)
– Verify whether both know PMK

  • Negotiates fresh session key (PTK-Pairwise Transient Key)

– Derived from PMK, nonces of user (supplicant) and access point (authenticator), and their MAC addresses
– Split into KCK, KEK, and TK

SLIDE 31

4-way handshake (simplified)

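[Figure: 4-way handshake between supplicant and authenticator]

1: ANonce
2: SNonce, MIC
3: ANonce, MIC, Enc_KEK(GTK)
4: MIC

Both sides derive the PTK. Supplicant: Install PTK and GTK; authenticator: Install PTK. Encrypted data frames follow.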
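
The key derivation from the WPA(2) Personal slide and the PTK and MIC steps of the 4-way handshake above, as an added Python example (not part of the original slides). The SSID, MAC addresses, nonces, passwords and the simplified Msg2 body are constructed; the 48-byte PTK layout assumes CCMP.

```python
import hashlib
import hmac

def derive_psk(password: str, ssid: str) -> bytes:
    """PSK = KDF(password, SSID): PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, mac_a, mac_s, anonce, snonce) -> dict:
    """PTK from PMK, both MAC addresses and both nonces, split into KCK/KEK/TK."""
    # Sorting makes both sides feed identical input regardless of their role.
    data = (min(mac_a, mac_s) + max(mac_a, mac_s)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)   # 384 bits (CCMP)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over a handshake frame: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not from a real capture).
SSID = "ExampleCafe"
MAC_A = bytes.fromhex("020000000001")    # authenticator (AP)
MAC_S = bytes.fromhex("020000000002")    # supplicant (client)
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

def handshake_ok(ap_password: str, client_password: str) -> bool:
    """Msg2 of the 4-way handshake: does the AP accept the client's MIC?"""
    client_keys = derive_ptk(derive_psk(client_password, SSID),
                             MAC_A, MAC_S, ANONCE, SNONCE)
    msg2 = b"Msg2|" + SNONCE                  # simplified frame body
    client_mic = mic(client_keys["KCK"], msg2)
    ap_keys = derive_ptk(derive_psk(ap_password, SSID),
                         MAC_A, MAC_S, ANONCE, SNONCE)
    return hmac.compare_digest(client_mic, mic(ap_keys["KCK"], msg2))

if __name__ == "__main__":
    print("same password :", handshake_ok("correct horse", "correct horse"))
    print("wrong password:", handshake_ok("correct horse", "battery staple"))
```

Every input to the PTK except the password is sent in the clear, and the SSID acts only as a salt, so the strength of a WPA(2) Personal network rests on the password.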

SLIDE 32

Key Reinstallation Attacks

  • Discovered by Mathy Vanhoef in 2017
  • Known as ‘KRACK’
  • Targets 4-way handshake
  • Problems in both specifications and implementations

  • Independent from authentication method
  • Attacks data encryption algorithm

– WiFi designed to cope with packet loss (replay counters)
– Forces nonce reuse (of encrypted data frames)
– All WPA(2) methods use stream ciphers for encryption

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 by M. Vanhoef and F. Piessens Proceedings of the 24th ACM Conference on Computer and Communication Security (CCS 2017)

SLIDE 33

Recap: 4-way handshake (simplified)

[Figure: 4-way handshake with replay counter r]

Msg1(r, ANonce)
Msg2(r, SNonce, MIC)
Msg3(r+1, ANonce, MIC, Enc_KEK(GTK))
Msg4(r+1, MIC)

Both sides derive the PTK. Supplicant: Install PTK and GTK; authenticator: Install PTK. Encrypted data frames follow.
SLIDE 34

Recap: 4-way handshake (simplified)

[Figure: 4-way handshake with replay counter r: Msg1(r, ANonce); Msg2(r, SNonce, MIC); Msg3(r+1, ANonce, MIC, Enc_KEK(GTK)); Msg4(r+1, MIC); Derive PTK (both sides); Install PTK and GTK; Install PTK; Encrypted data frames. Annotation: "Reset nonce and replay counter"]
SLIDE 35

Reinstallation attack

[Figure: message sequence of the reinstallation attack. Annotations: "Establish MITM between supplicant and authenticator (AP clone with same MAC address on different channel)", "block", "Retransmit Msg3". Messages shown: Msg1(r, ANonce); Msg2(r, SNonce, MIC); Msg3(r+1, ANonce, MIC, Enc_KEK(GTK)); Msg4(r+1, MIC); Install PTK and GTK; Msg3(r+2, ANonce, MIC, Enc_KEK(GTK)); Enc_PTK(1, Msg4(r+2, MIC)); Install PTK and GTK]

Key reinstalled and nonce reset
SLIDE 36

Reinstallation attack

[Figure: message sequence of the reinstallation attack as on the previous slide, continued with the data frame Enc_PTK(1, Data(…))]

Same nonce is used!
SLIDE 37

Frame encryption (simplified)

  • Nonce reuse implies keystream reuse (in all WPA2 ciphers)

[Figure: frame encryption. PTK (session key) and nonce (packet number) are mixed into a packet key, which generates the keystream; plaintext data combined with the keystream gives the encrypted data]
SLIDE 38

Reinstallation attack

[Figure: message sequence of the reinstallation attack, ending with the data frames Enc_PTK(1, Data(…)). Labels: "Keystream", "Decrypted data!"]
SLIDE 39

Reinstallation attack: impact

  • Messages can be replayed and decrypted

– Replay towards victim
– Decrypted from victim

  • Access points can be attacked if IEEE 802.11r is supported

– Used for fast roaming within corporate networks

  • Data confidentiality algorithm specific

– TKIP: recover MIC key from plaintext → forge/inject frames from victim
– CCMP: no practical forging attacks
– GCMP: recover authentication key → forge/inject frames from and to victim

  • Particular version of Android and wpa_supplicant reinstalled all zero keys

SLIDE 40

Reinstallation attack: countermeasures

  • Do not reset nonces and replay counter when reinstalling the current key
  • Only install one key per 4-way handshake

– Do not allow resending Msg3
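
The first countermeasure, as an added example that is not part of the original slides: a hypothetical supplicant model that resets its nonce on every Msg3, next to one that ignores reinstallation of the current key. The keystream generator is a stand-in built from HMAC-SHA256 (an assumption, not the real WPA2 cipher); the key and frames are constructed.

```python
import hashlib
import hmac

def keystream(tk: bytes, nonce: int, n: int) -> bytes:
    """Stand-in keystream generator (assumption: HMAC-SHA256 in counter mode).
    Like the real cipher, its output depends only on (TK, nonce)."""
    out, block = b"", 0
    while len(out) < n:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Hypothetical client model: key installation and frame encryption only."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.nonce = 0             # packet number of the last frame sent

    def on_msg3(self, tk: bytes) -> None:
        """Install the key from the handshake; Msg3 may arrive more than once."""
        if self.patched and tk == self.tk:
            return                 # countermeasure: current key stays, nonce is kept
        self.tk = tk
        self.nonce = 0             # (re)installation resets the nonce

    def send(self, plaintext: bytes):
        self.nonce += 1
        ks = keystream(self.tk, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

def retransmitted_msg3(patched: bool) -> dict:
    """One frame after Msg3(r+1), one frame after the retransmitted Msg3(r+2)."""
    tk = hashlib.sha256(b"constructed TK").digest()[:16]
    p1, p2 = b"first data frame", b"other data frame"   # constructed plaintexts
    sta = Supplicant(patched)
    sta.on_msg3(tk)                # Msg3(r+1): key installed
    n1, c1 = sta.send(p1)
    sta.on_msg3(tk)                # Msg3(r+2): same key arrives again
    n2, c2 = sta.send(p2)
    # With a reused keystream the XOR of the ciphertexts equals the XOR of the plaintexts.
    return {"nonce_reused": n1 == n2,
            "keystream_reused": xor(c1, c2) == xor(p1, p2)}

if __name__ == "__main__":
    print("unpatched:", retransmitted_msg3(False))
    print("patched  :", retransmitted_msg3(True))
```
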

SLIDE 41

WiFi risks

  • Broadcast medium → everyone can listen and send traffic
  • Client can easily be tracked → privacy risks

– MAC address
– Broadcasted SSIDs by client
– 802.1x identity

  • Security relies heavily on correct configuration of clients

– Wrong configuration can lead to compromise of network access and credentials

  • In general good idea to use VPN when using WiFi networks → 802.1x

SLIDE 42

WiFi advantages

  • WiFi authenticates all users
  • Encrypts all traffic on link layer
  • Can control access to resources based on user identity

SLIDE 43

WPA3

  • Announced in January 2018 by Wi-Fi alliance
  • Several new security features
  • Individualised data encryption in open networks

– Opportunistic Wireless Encryption (OWE)

  • Resilient password-based authentication

– Simultaneous Authentication of Equals (SAE)

  • Stronger cryptographic algorithm (192 bits security)

SLIDE 44

Opportunistic Wireless Encryption (OWE)

  • Specified in RFC8110
  • Intended to make eavesdropping a bit harder in public networks (open or with publicly known pre-shared key)

  • Based on Diffie-Hellman
  • Part of the association step

– Client adds public Diffie-Hellman value to association request
– Access point adds public Diffie-Hellman value to association response

  • PMK derived from the result of the Diffie-Hellman key exchange
  • PMK then used as input for the 4-way handshake
  • Does not protect against evil twin attacks

SLIDE 45

Simultaneous Authentication of Equals (SAE)

  • Improve security of PSK method when using a password
  • Password-authenticated key exchange method based on Diffie-Hellman

– Based on zero-knowledge proof
– Prevents dictionary attacks
– One guess per session
– Forward secrecy

  • Takes place in authentication phase
  • Originally intended to provide authentication between peers in mesh networks

SLIDE 46

Simultaneous Authentication of Equals (SAE)

  • Two message exchanges

– Commitment exchange
– Confirmation exchange

  • PWE (Password Element)

– group element derived from password and MAC addresses of both parties involved

  • Protocol results in a PMK shared between the two parties

– Subsequently used in the 4-way handshake to establish session keys

SLIDE 47

Simultaneous Authentication of Equals (SAE)

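[Figure: SAE exchange between the two parties S and A]

Party S:

– Generate random scalars $\text{rand}_S$ and $\text{mask}_S$
– Derive PWE
– $\text{commitScalar}_S = (\text{rand}_S + \text{mask}_S) \bmod r$
– $\text{commitElement}_S = \text{PWE}^{-\text{mask}_S}$

Party A:

– Generate random scalars $\text{rand}_A$ and $\text{mask}_A$
– Derive PWE
– $\text{commitScalar}_A = (\text{rand}_A + \text{mask}_A) \bmod r$
– $\text{commitElement}_A = \text{PWE}^{-\text{mask}_A}$

Commitment exchange:

– $\text{commitScalar}_S$, $\text{commitElement}_S$
– $\text{commitScalar}_A$, $\text{commitElement}_A$

Compute shared secret, then derive KCK and PMK:

– Party S: $K = (\text{PWE}^{\text{commitScalar}_A} \cdot \text{commitElement}_A)^{\text{rand}_S}$
– Party A: $K = (\text{PWE}^{\text{commitScalar}_S} \cdot \text{commitElement}_S)^{\text{rand}_A}$

Confirmation exchange:

– $\text{HMAC}_{KCK}(\text{commitScalar}_S, \text{commitElement}_S, \text{commitScalar}_A, \text{commitElement}_A)$
– $\text{HMAC}_{KCK}(\text{commitScalar}_A, \text{commitElement}_A, \text{commitScalar}_S, \text{commitElement}_S)$

Authentication accepted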
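
Why both parties compute the same K, carried through with the symbols of the figure (an added derivation, not part of the original slides; it assumes multiplicative notation and that $r$ is the order of the group element PWE):

$$\text{PWE}^{\text{commitScalar}_A} \cdot \text{commitElement}_A = \text{PWE}^{(\text{rand}_A + \text{mask}_A) \bmod r} \cdot \text{PWE}^{-\text{mask}_A} = \text{PWE}^{\text{rand}_A}$$

$$K_S = \left(\text{PWE}^{\text{rand}_A}\right)^{\text{rand}_S} = \text{PWE}^{\text{rand}_A \cdot \text{rand}_S} = \left(\text{PWE}^{\text{rand}_S}\right)^{\text{rand}_A} = K_A$$

The masks cancel. A party that derived a different PWE from a wrong password computes a different K, and therefore a different KCK, so the confirmation exchange fails.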

SLIDE 48

Further reading

Read the following paper (mandatory):

  • A Practical Investigation of Identity Theft Vulnerabilities in Eduroam, by S. Brenza, A. Pawlowski, and C. Pöpper, Proceedings 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 2015
  • Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, by M. Vanhoef and F. Piessens, Proceedings 24th ACM Conference on Computer and Communication Security, 2017 (Note: you may skip sections 4, 5, and 7)