KRACKing WPA2 by Forcing Nonce Reuse

Speech transcript
We're happy to be able to introduce our next speaker. Mathy is a postdoc in network security and applied cryptography. He takes pride in discovering and implementing quite some attacks in this field, especially in the wireless sector, and today he will show us that all our Wi-Fi devices are vulnerable, especially the ones with Linux and Android. I won't go into the technical details, because he will do this, and I think if you're interested in learning even more about it, he has also linked to the research paper as well as the scripts and a website for this attack in the Fahrplan. Please give a big round of applause for Mathy Vanhoef.

Thank you for the introduction, and thank you all for attending the talk even though it's already a bit later in the evening, and thank you CCC for allowing me to speak here. So today I'm going to talk about my research on WPA2, which you have probably already heard about under the name of KRACK attacks. Now the history of this research is quite interesting, because during my PhD I was already researching the security of wireless networks. So during my PhD defence last year, when I was finishing up writing my thesis, one of the jury members asked: hey, you're recommending WPA2 with AES in your thesis, but are you sure it's really a secure solution? Last year my answer was yes: I mean, it seems secure and has been around for more than a decade. If we ignore some brute-force attacks against the password, if you select a secure password then there are no real weaknesses that are known. On top of that, there are also mathematical proofs that state that the four-way handshake and the encryption algorithm are supposed to be secure. Unfortunately, a year later I was staring at some OpenBSD code, and in particular I was looking at a function that installs the encryption key for use by the driver, so that frames get encrypted. The details aren't important here yet, but I was wondering what would happen if this function is called twice. I was thinking: would it reinstall the key, and what will happen when you reinstall the key? It turns out that answering this question led to the attack I found, and as you know by now, this uncovered a flaw in WPA2. So in a sense this talk is all about how I gave the wrong answer during my PhD defence. So to explain the attack,
I will first illustrate it against the four-way handshake. After that I will discuss the impact of the attack in practice, then I will go over some common misconceptions that are floating around the Internet, and finally I will discuss some lessons that we can learn from this research and from our findings.

So let's get started with explaining the attack against the four-way handshake. The first question I have to answer here is: what exactly is this four-way handshake? The four-way handshake is executed whenever you connect to a protected Wi-Fi network. So it's used when you connect to your home Wi-Fi network, where you just have a pre-shared key, a password, and it's also used in enterprise networks, where you for example have a username and a password to log in. The purpose of this handshake is to verify that you possess the correct credentials in order to connect to the network, and at the same time this four-way handshake negotiates a fresh session key that will be used to encrypt data frames. This session key is called the PTK, the pairwise temporal key. As I mentioned, this handshake seemed to be really secure, because for over a decade no attacks have been found against it, assuming that a secure password is being used. On top of that, the four-way handshake was formally proven to be secure, and the encryption algorithm that is used after the four-way handshake, which generally is AES-CCMP, was also formally proven to be secure. Yet somehow we did find an attack, even though we have all these formal proofs and even though this protocol has been around for that long. So what went wrong?

To explain this, I'm going to explain how the four-way handshake works using this specific example. Let's say we have the client on the right here that wants to connect to the access point on the left. Now in order to start the four-way handshake, there first needs to be some shared secret between the client and the access point. If you have a network at home, this pre-shared secret is basically the password of the network. But if you have an enterprise or a more professional network, where you for example have to log in using a username and a password, then first an 802.1X authentication algorithm is executed, which in practice is commonly some form of RADIUS authentication. The details of that are unimportant; what's important here is the result, namely that after this authentication phase there is a shared secret between the client and the access point. Once we have this shared secret we can execute the four-way handshake. What the first two messages in the four-way handshake do is transport a random number between both devices. In particular, the access point will generate a random number called the access point nonce, the ANonce, and it will transport it to the client. In reaction to that, the client will generate its own random number called the supplicant nonce, the SNonce (supplicant is basically a synonym for client), and it will send that random number, the SNonce, to the access point in the second message of the handshake. Once both devices have each other's random number, we can derive this unique per-session key. How it is derived is very simple: we take the pre-shared key that is known between these two devices, we combine that with both of these random numbers, and the result is the PTK, this fresh encryption key that will later be used to encrypt data frames.

Now I want to clarify one thing. You might have heard about this research under the name of Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. I want to highlight here that the nonce reuse does not refer to reuse of the ANonce or the SNonce during the four-way handshake. So here we're going to assume that the ANonce and the SNonce are truly random and not predictable. The nonce reuse refers to nonce reuse that will happen during the encryption algorithm, which I will explain in a bit. OK, so that's it
for the first stage of the four-way handshake. The second stage of the four-way handshake, a bit simplified, basically confirms that both parties negotiated the same PTK, the same encryption key. In particular, the access point will send message 3 to the client, the client will verify the authenticity of that frame, and if everything looks OK the client will reply using message 4 to the access point. Once these four messages have been exchanged, both the client and the access point will install the PTK for use by the driver, so now data frames can be exchanged, and these data frames will be encrypted.

OK, so now we have covered the four-way handshake; we know the highlights of how it works. Now the final thing I need to explain before we can get into the details of the attack is how encryption works in a Wi-Fi network. To explain this, let's take the example where we want to send some plaintext data, for example from the client to the access point. Then the first thing that will happen is that we will take the PTK, the fresh session key that the four-way handshake just negotiated, and we will combine that with a packet number. This packet number is called the nonce. The packet number is incremented by one for every frame that is transmitted, and the idea is that by combining the session key with the packet number we get a unique per-packet key for every packet that we want to transmit. The way encryption now works is very simple: we use this per-packet key as input to a stream cipher, we get out some keystream, and we simply XOR that keystream with the plaintext; the result is the encrypted data, the ciphertext. Now we prepend a plaintext header, which contains some metadata and also the packet number, the nonce value that we used, so the receiver will be able to decrypt the packet. So essentially this is just a stream cipher where a nonce is used to always derive a unique per-packet key. So there's one essential requirement in this encryption scheme, and that is that under a particular session key, a nonce value should only be used once. Because if you ever reuse a nonce value, you will generate the same per-packet key, you will generate the same keystream, and this will allow you to decrypt packets that are sent and, depending on the specific stream cipher that is being used, it may also allow you to forge frames. So the question here is: is the nonce value indeed only used once? We already know it's incremented by one for every packet that is transmitted, so the only question that remains is to what value this packet number is initialized. The answer is quite simple: when the PTK is installed, this transmit nonce is initialized to 0. At first sight this makes a lot of sense: I mean, you initialize the packet number to 0, you increment it by one for every packet, so surely a specific nonce value is only used once. Unfortunately this is not the case. The reason a particular nonce value is sometimes used more than once is because we can force reinstallations of the PTK, and those reinstallations will again reset the nonce to 0, and then nonce values will be reused. So how can we force these key reinstallations as an attacker? Let's again take the example where we have
a client on the left that wants to connect to the access point on the right. In this case we also have an attacker that sits in the middle, and this attacker will assume a so-called channel-based man-in-the-middle position. In this man-in-the-middle position the adversary is not able to decrypt any packets; this man-in-the-middle position is purely there so we can reliably block packets from arriving and so we can reorder packets. So for now we are not breaking encryption yet. The way we obtain this man-in-the-middle position is that we simply take all the frames that the access point, which for example is on channel 6, is broadcasting; as an attacker we capture them and we rebroadcast them, we transmit them on a different channel, for example channel 1. So we are effectively cloning the real access point on a rogue channel, and then we force the victim into connecting to this rogue access point on this different channel.

So let's assume now that the attacker obtains this man-in-the-middle position. In the first stage of the four-way handshake we don't modify any frames at all. So for example, if the client is using 802.1X authentication, we simply forward all the frames between these two different channels, and we do the same thing with the first three messages of the four-way handshake: we simply forward them unmodified. Where the attack starts is when the client sends message 4 of the four-way handshake. Instead of forwarding this message to the access point, we don't forward it, and our situation is equivalent to blocking the message from arriving at the access point. Now what's interesting in this situation is that from the perspective of the client, the handshake has now successfully completed: after all, it received message 3 and replied using message 4, and so it thinks that the handshake is done, and it will now install the encryption key; it installs the PTK for use. So let's make some space here. The client thinks the handshake was completed and has installed the key, but the access point hasn't received message 4. Now the access point will try to recover from this situation, and it will do that by retransmitting a new message 3. As the attacker we will forward this message to the client, the client will accept this retransmitted message 3, and then the Wi-Fi standard says that if you receive a retransmitted message 3 you will reply using a new message 4, and after that you will also install the encryption key again.

Now one remark that I want to make here is that when we receive the retransmitted message 3 we reply using a new message 4, but this message 4 will already be encrypted at the link layer. The reason it's already encrypted is because these handshake messages are normal data frames, and we already installed the encryption key to encrypt the frames. So nearly all implementations we tested will send the retransmitted message 4 in an encrypted fashion. Now I want to remark here that the Wi-Fi standard actually demands that message 4, if it is retransmitted, should be sent in plaintext. So according to the specification this shouldn't happen, but nearly all implementations we tested send a retransmitted message 4 using encryption, and we will abuse this observation later.

So as I mentioned, after the client receives this retransmitted message 3 and replies using message 4, it will again install the encryption key, and as a result of that the transmit nonce will be reset, which means that if the client now sends another data frame it will again use the nonce value of 1 to encrypt the frame. Meaning we have nonce reuse, we have keystream reuse, meaning we can now try to abuse this to decrypt the data frame. Now how are we precisely going to abuse this? Because we first need some way to recover keystream that was used, we go back to our observation that we have a message 4 here that was initially sent in plaintext, and a retransmission of message 4 that is later sent in an encrypted fashion. There is a small difference between these two messages, but essentially we have a message sent in plaintext and we have a message sent encrypted, and all we need to do is XOR these two messages and we have the keystream corresponding to the nonce value of 1. This data frame here at the bottom also uses the nonce value of 1, meaning it uses the exact same keystream, so we XOR this packet with the keystream and there you go: we have decrypted the packet, and we have now defeated WPA2. Thank you.

So that describes the attack against the four-way handshake, but the four-way handshake is not the only Wi-Fi handshake that is vulnerable. There are also other handshakes which can be attacked in a similar manner, but I'm not going to explain all of them in detail; if you want all the nitty-gritty details I'm going to refer you to our academic paper. Here I'm just going to discuss more the high-level concepts and the ideas behind the attack. So for example, one handshake that is also vulnerable is the group key handshake. That handshake is used to transport the group key from the access point to the clients, and that key is used to encrypt broadcast and multicast traffic. We also have the FT handshake: the FT handshake is used when you roam from one access point to another access point of the same Wi-Fi network, so you can quickly switch from one access point to another without a long delay. And finally, another handshake that's also vulnerable is the PeerKey handshake; this is used when two clients want to communicate directly with one another. So I'm now
going to discuss in a bit more detail what the practical impact of our attacks is. I'm first going to start with the general impact that a key reinstallation attack has. So let's assume we have a device that's vulnerable. This device can either be a client device, for example a smartphone or a laptop, or these days it can even be a toaster, they have Wi-Fi as well, or it can also be an access point. If a client or access point is vulnerable to our key reinstallation attack, the first thing that generally always happens is that if this device ever sends encrypted data frames, we can force it to reuse the nonce, which in turn we can use to decrypt frames. But that's not the only thing we can do when the device is vulnerable. Another thing we can do is replay encrypted frames sent towards this device. Now why is that the case? That's because if a key is reinstalled, not only is this transmit nonce reset to 0, but another parameter, which is called the replay counter, is also reset to 0. This replay counter, as the name implies, is used to detect retransmissions, or it's used to detect malicious replays, and if this counter is reset, we can also replay frames towards the vulnerable device. So that's the general impact of the key reinstallation attack, but there are a lot of other factors which also influence the exact impact of the attack.

One of the things that probably has the biggest influence is the encryption cipher that is being used. So for example, these days it is quite common that Wi-Fi networks use AES-CCMP; it is the most widely used encryption algorithm in Wi-Fi networks. Against this algorithm the impact in a sense stays limited to only decrypting or replaying frames. It's not possible to abuse our key reinstallation attack in order to forge frames. Really, we got lucky here, because this is the most widely used cipher and against this cipher we cannot start to forge frames. Because if we would have been using the older encryption algorithm, which is WPA-TKIP, against that algorithm we would be able to recover the message integrity check key, which is basically just a fancy word for the authentication key. Once we have that authentication key, you would be able to forge frames that appear to be sent by the device under attack. Interestingly, lately there's also been a new encryption algorithm that is being introduced, and that algorithm is called GCMP. It's fairly new, so only a few devices currently support it, and it's currently being rolled out under the name of WiGig. Against this algorithm the impact of the key reinstallation attack is really the worst, because here we can again recover the authentication key, and when we use GCMP the same authentication key is used in both communication directions. So against GCMP you would be able to forge frames that are sent from the client to the access point and also forge frames that appear to be sent from the access point to the client, while for WPA-TKIP we would only be able to forge frames that appear to be sent by the device that is under attack. So in my opinion this is a bit surprising, because GCMP is the latest encryption algorithm that is defined in the Wi-Fi standard, yet the impact against it would be the highest. So this is also why I think we got lucky here, because if we had found the attack say maybe 5 or 10 years later, when everyone would be using this algorithm, the impact would have been a lot worse.

Another thing that influences the impact of the attack is which specific handshake we are attacking. For example, if we attack the group key handshake, then the only thing we can do is replay broadcast or multicast frames. Now why is that the case? Why can't we decrypt broadcast or multicast frames if a key reinstallation occurs? Well, the reason is that if we attack the group key handshake we are attacking the client, and the client is never sending actual encrypted broadcast frames, so it will never reuse the transmit nonce of the group key, because it's never encrypting frames with it. So why is it that the client never sends real encrypted broadcast frames? Well, the reason is quite simple. Let's say we have the network layout shown here, and the client on the left wants to send a broadcast frame to all the other clients. Now what happens here is that this client will send the data it wants to broadcast as a unicast frame to the access point only, meaning it won't encrypt it yet under the group key. It's the access point that will broadcast this frame to all connected clients, and only the access point will then encrypt it using the group key. This is to assure that all clients within range of the access point will receive this broadcast message. Now for us this means that only the access point is transmitting real encrypted broadcast frames, but with the group key handshake we cannot attack the access point, we're only attacking the client, meaning in practice we can only replay broadcast frames to the client, at least if you're targeting the group key handshake. So really the impact is limited in practice if we attack this handshake, because generally replaying broadcast data doesn't have a high impact. But I do want to note that some home automation systems use broadcast traffic to for example send commands to turn a device on or off, for example to turn on your fridge or to turn the lights on or off. So although the impact of replaying broadcast frames is lower, there are situations in practice where it does have some impact, but it really depends on your network setup and the devices that you use.

Another handshake that is vulnerable is the four-way handshake, but we already discussed that. Against the four-way handshake we can attack the client, and the impact is that we can replay and decrypt frames, and depending on the encryption algorithm being used we can possibly forge frames as well. The situation is a lot more interesting for the FT handshake. Remember, it's essentially used when you roam from one access point to another of the same network. Against the FT handshake it's not the client we can attack, but here we can attack the access point, and on top of that, when attacking the FT handshake we no longer need this man-in-the-middle position. Now why is that the case? Well, let's again explain this
using a common example where a client wants to connect and is executing the FT handshake. At a higher level the FT handshake is the same as the four-way handshake, meaning you also have four frames that are transmitted, but the big difference here is that with the FT handshake it's the client that sends the first message in the handshake, while for the four-way handshake it was the access point that sent the first message. The handshake is practically the same as the four-way handshake, meaning initially we have two messages that transport the random numbers, these nonces, between both devices. Then both of these endpoints can generate the fresh encryption key, and then the last two frames are again used to confirm that both parties negotiated the same encryption key. Now I want to go into a bit more detail on this last phase. What happens here is that the first frame of this phase is sent from the client to the access point, and that is the reassociation request. Once the access point has received this frame, it will reply using a reassociation response frame and it will install the encryption key. Once it has installed the encryption key it can of course start sending encrypted data frames. So let's again make some room here. What we can now do as an attacker is take this reassociation request that the client previously transmitted, and we can simply replay it. That's because in the FT handshake there's no replay protection against messages of the handshake, so we can just take that frame and send it again to the access point. The access point will receive it, it will accept it, and it will reply using a reassociation response. So far this is not a problem. The problem here is that again the access point will reinstall the encryption key, and this goes wrong because we are reinstalling this encryption key, so the transmit nonce is again reset to 0, meaning if it now sends a data frame, again the nonce value of 1 is used to encrypt the data frame, meaning the same keystream is used, meaning we can start applying the same tricks to first derive some known keystream and then abuse it to attack the handshake.

So I want to highlight a few things here. The first is that the reason why we don't need a man-in-the-middle position is because handshake messages in the FT handshake are not protected against replays, while in the four-way handshake every handshake message contains a sequence counter, and the receiver uses this sequence counter to detect replays. But for the FT handshake that's not the case, so we can just take these messages and replay them; we don't need a man-in-the-middle position to block packets and trigger retransmissions. OK, so that's the explanation for the FT handshake.

Another factor that can influence the impact of our attack in practice is which operating system and which device precisely we are attacking. In particular we see that iOS and Windows are not vulnerable against attacks against the four-way handshake. Why is that the case? Well, that's because these two devices don't really follow the standard: they don't accept retransmissions of message 3, meaning we cannot abuse these retransmissions of message 3 to trigger these key reinstallations. Now I want to make two remarks here. The first one is that against these devices we can still attack the group key handshake. And particularly when looking at iOS: if you look at iOS version 11, it does implement the standard properly, so it does accept retransmissions of message 3, meaning that one is vulnerable to attacks against the four-way handshake. Now Linux is not much better, because if we look at the Wi-Fi client that is used on Linux and for example on Android, it's called wpa_supplicant, and against wpa_supplicant 2.4 or higher we noticed that if we try to perform a key reinstallation attack, it won't install the secret key that was negotiated, but instead it will install an all-zero encryption key, and then of course it becomes very trivial to start decrypting data that this device is transmitting. Now why does this happen? It's interesting to understand why this went wrong, so I'm going to explain what the implementation does wrong and why it installs an all-zero key.

To explain this, I'm going to assume that we have an Android device that is connecting to an access point, and we're going to zoom in a bit on the implementation of the Android device. We're going to look at two entities: we're first going to look at wpa_supplicant, which is represented by the handshake icon here, and we're also going to look at another entity, namely the Linux kernel. It's the Linux kernel that will be responsible for encrypting data frames, and wpa_supplicant basically will be responsible for executing the four-way handshake. Of course we assume that we as an attacker are nearby, and we again have this man-in-the-middle position. So what does the attacker have to do to cause this installation of an all-zero encryption key? Well, again we simply let the first phase of the four-way handshake execute normally. When the access point sends message 3 of the four-way handshake, we forward it to the Android device, Android will reply using message 4, and we will again block message 4 from arriving at the access point. Now, completely similar to the case with the four-way handshake, the client thinks that the handshake has now successfully completed, meaning it will install the encryption key. How it will install the encryption key is as follows: it commands the Linux kernel into installing the encryption key in the driver, the driver itself will make a copy of the encryption key and store it locally, and the driver can then encrypt frames. This means that wpa_supplicant, which is just a userland program, no longer needs to store the encryption key, meaning it will clear it from memory. What will happen now if we continue with the attack is that the access point will retransmit message 3, because it did not receive message 4. The client will again happily accept this retransmitted message 3, it will reply using message 4, and again it will instruct the Linux kernel, saying: hey, please install this encryption key that is located at this address in memory. Of course that memory is now all zeros, because the key has just been cleared from memory, so now it's basically commanding the Linux kernel into installing an all-zero encryption key, and the Linux kernel and driver will happily obey this command: they will install an all-zero encryption key. Meaning at this point all the data that the client is sending is encrypted using a known key, so we can easily decrypt all the traffic. Of course we can also send any traffic we want to the client; basically we are now a rogue access point and we can manipulate the traffic of the client as we wish. Thank you. So after this you might be
wondering: well, is my device vulnerable? You can test your own devices using the following script; it's on GitHub. I've tested the script on Arch Linux and also on Ubuntu, so I recommend using one of these distributions. I also recommend using a Wi-Fi dongle that we or someone else have tested, because we noticed that if you use our testing scripts with some older Wi-Fi devices, there are some bugs in these Wi-Fi devices which cause our scripts to fail. One way to also prevent our scripts from failing is to disable hardware encryption, and how you should do this is also explained on this page. Using the scripts you can test both your client devices (you can test against attacks against the four-way handshake and the group key handshake) and there's also a script to test whether an access point is vulnerable against attacks against the FT handshake.

Now if you're going to try to see which devices are vulnerable, you are most likely going to see that quite some clients are still vulnerable to our attacks. Luckily we can modify the access point to prevent attacks against the client. In particular, we can make additional modifications to the access point such that the access point never retransmits message 3 of the four-way handshake and also never retransmits the first message of the group key handshake. If we do that, then clients that are connected to such a modified access point are no longer vulnerable against most attacks; there are still some edge cases where the device is vulnerable, but these have a very low impact. So if we modify an access point in this way, then connected clients are no longer vulnerable. One downside here is that because we are no longer retransmitting certain messages, it could be that, especially in a noisy environment, the handshake may fail because its reliability is now less. Now one thing I also want to remark here is that if you have a router which is vulnerable against the attack, and the vendor says: we patched our router, we patched our access point to defend against attacks, then this does not mean that this access point implements these countermeasures, because these countermeasures are additional modifications on top of the normal patches to defend against attacks. So only if a vendor explicitly says that the patches of the access point also prevent attacks against clients, only then are attacks against clients also prevented.

OK, so now I want to cover some misconceptions that have been floating around the Internet. The first one is that some people claim that if you only patch the client or if you only patch the access point then you're fine, but that's not the case. Because if you only patch the client and the access point is vulnerable, then we can still attack the access point, and if the access point only contains the normal patches, the normal patch to defend against attacks, then connected clients are also still vulnerable. As I mentioned, connected clients are only defended if the access point contains the extra modifications on top of the default patch.

Now another common misconception is that some people might say: yeah, it's a cool attack, but you have to be close to the network in order to pull off these attacks. Unfortunately that's not the case, because we can use a special antenna, and the special antenna can be made really cheaply, for example just out of a can. With this special antenna we can manipulate Wi-Fi traffic from up to say two miles, and there's even an NSA document where the NSA is able to exploit a Wi-Fi network using other attacks from up to eight miles away. Now that's of course with a clear line of sight, but still, this shows that you don't have to be physically close to the network; you can still be relatively far away. Another strange remark that I sometimes hear is that you need to be connected to the network in order to pull off these attacks, which would basically mean you need to know the password of the network to carry out the attacks. But that's not the case: as I mentioned during the talk, you only need to be close enough, you need to be able to manipulate some encrypted packets, and you don't need to know anything about the network. You simply need to know the network is there and that there is a vulnerable client or access point, and then you can start attacking them.

One remark that I can understand is that some people say: OK, you can attack these handshakes and you can decrypt data that is sent right after these handshakes, but generally, right after you connect to a Wi-Fi network you're not really sending interesting data, because at that point your device is sending for example ARP requests or DHCP requests, or it is just creating TCP connections, but no useful information is transmitted at this time. Unfortunately, at least for the defender, this is again not true, because what we can do as an attacker is first let the client connect without manipulating any traffic. The client will then for example start browsing the Internet, start opening TCP connections, and in the middle of that, while the victim is for example surfing the Internet, we can deauthenticate the client from the network. All operating systems will then immediately execute a new four-way handshake, and once that four-way handshake is completed it will send all the buffered TCP packets again to the access point, and also in the reverse direction. So basically what we as an attacker can do is wait until we expect the victim to send interesting information, then we deauthenticate the victim, it will execute a new handshake, and then we can decrypt the data that will be transmitted right after that handshake.

Another thing that makes the attack possibly hard is that obtaining this channel-based man-in-the-middle is difficult. For example, you might be thinking that in order to force a client to connect to the rogue access point you need a stronger signal strength than the real access point, but again that's not the case. The reason this is not the case is because we can use special Wi-Fi packets, so-called channel switch announcements, which command the client into switching to a different Wi-Fi channel, and effectively into the rogue access point. So we don't need a high signal strength; we can simply command the victim, saying: hey, switch to this channel and connect to our access point. These frames are not authenticated, so we can just forge them as an attacker. Then you might say that the complexity of the attack is high, meaning it requires some expertise to implement this, and this is true: you do need to know a bit about Wi-Fi in order to make a proof of concept reliable. But as usual, you only need to write this attack once and then people can use your scripts in order to attack others. This is similar to for example memory corruption attacks such as buffer overflows or stack overflows: writing the proof of concept may be hard, but if you then give it to someone else, or if you put it in Metasploit or some other tool, all a user has to do is basically start a script and they can start attacking people. One
over a misconception that I sometimes and encountered is that people say uh if you use a CIA ASC simply this mitigates the effect uh again unfortunately this is not true because the only advantage of using a CMB is that the attacker can no longer for traits the decorous still able to dig grips on the replay frames and finally the last misconception is that some people say that enterprise networks are and vulnerable because they for example don't execute before we handshake uh but again unfortunately that's wrong because even these networks use the before we handshake of they can be attacked as well the so then you have some people that say OK WKT was now
completely broken it's the end of the world on the world don't um let's not get carried away there um we can patch decipher abilities in a backwards compatible way onto as a illustrated here in my talk the impact also really depends on the devices that you're using on your own network set up so sometimes impact is actually really low but of course sometimes that can be very high for example if you have a Linux device than attacker can do what your xi which is essentially Over the last part of the talk
i'm going to discuss some lessons that we can learn from this attack on also at the research on I think 1 of the most
important some interesting observations on it's also the reason why I really like this attack myself is that the 4 way handshake was proven to be secure the encryption protocol in particular areas has also been proven as secure however if we
combine these 2 things then suddenly we use all security yeah and this is quite unfortunate um the of what this teaches us is that even though individual parts of a system where really investigated on perhaps formerly analyzed we also need to analyze the combination of these different entities on models and we also need to prove that these combinations are secure as well on another way to look at this is that in the proof of the 4 we handshake the alters they modeled the handshake and a rather abstract way in their proofs specifically they did not mobile retransmissions of handshake messages on that's 1 of the things we've used so on 1 hand we need to assure that the we also look at the combinations of combinations of these different entities but we also need to assure that the abstract models that we use reflect reality another thing that
we can learn is that we should keep the particles of also the implementations simple for example if you look at w w case implicants to 6 when we were studying this version of ourselves we thought it wasn't the vulnerable to peer insulation effect however when we where uh modifying companies of the abilities another as a researcher found an attack against this versions with which the work of the reason we missed this attack against version 2 . 6 is because WPA simply can't use the very complex implementation of the 4 we handshake on the state machine is very complex to reason about aren't there are 2 ways to combat this the 1st is to keep the protocol simple the 2nd way to combat this is to formally verify implementations of course we cannot formally verify all the codes um but what we can do is really these uh cryptographic protocols which play a very important role at least we should pay enough attention to that arms what's also interesting is that I encountered document of the CIA which also
agrees that complex implementations or protocols are bad specifically they have a document it's CIA advises people are how to properly implement backdoors essentially on there saying that yeah if you want to send data back to us um but of course use encryption but in that encryption algorithm don't enabled we keep functionality because that enables an additional features of the encryption algorithm algorithm on these additional features that cause unnecessary GE Complexity on that generally each 2 bucks another thing that we can learn is that
the standard needs to be specified rigorously arms as precisely as possible because the original W standard it was a bit fake it didn't really defined state machine while state machine that define says what an implementation are in
1 implementations you should do if it receives a message let's go back decide
but a doesn't define what an implementation uh should do when it receives an unexpected message so it doesn't define the order in its in which messages should be accepted now there is a member
of the amendment of the Wi-Fi standard with which better defines how and when to handle messages but even that standard is a bit fake I wanna remark here that because the original WP 2 standard was a bit fake I can forgive I was on the windows for deviating a bit from the standard because the standard was difficult to interpret correctly not on a bit of a related nodes I wanna briefly mention a
workshop that's where we are organizing which is exactly about how to implement these security protocols properly how to for example for security protocols how to prove that they are correct how to make sure that we specify them rigorously so if you are working in this field you consider submitting to this um now the last thing that I
want to mention of what we can learn from this research is how we can coordinates the disclosure of a vulnerability like exists because this is not an ordinary vulnerability there's just effects 1 vendor it's really affects possibly every Wi-Fi devices that is around so how on earth are you going to start not defined companies who are you going to notify what would be the debt lies on so long as well going to discuss a bit about their strategy that we used on the what we used 1st is we 1st wanted to determine
you know is this really a widespread issue we wanted to be sure of that before we started to modify a lot of companies on the old the way we tackle the problem is we 1st contacted a few selected and the Sandra we told them that OK possibly followed this uh floor and the W P 2 protocol but we weren't able to test your devices but you should check this out on quite quickly we got a few responsible re responses from vendor saying that yes we looked at your attacked on or indeed some of our devices are available on this really confirmed to us that a device that we didn't test or self was vulnerable to detect that we found as we confirmed that the issue is widespread on 3 also got a bit of feedback on the reports that we sent towards them all description of our attack so at this point we were convinced ourselves that this really was a floor and standards on that a lot of companies will be affected then the next question we we had this OK who are we know all going to notify you of course not the fight the big names on the big companies but who else do we have to
modify at this point our tactic was to rely on asserting um specific research from the US on day that's all the coordination for us but 1 other thing that you can do is that if you're not sure who always effect this or what's who all the vendor spots then you can just ask offended at you contacted already for other vendors that also might be affected by the book that you find for example now 1 thing that is more difficult here is that on 1 hand you want to notify as much vendors as possibly on the other hand you also can't multiply everyone because if you are going to notify everyone the chance of the details of the king they become close to 1 on a difficult thing to
decide is how long should you give them time to companies in order to patch test on against here your a mix between 2 decisions um on 1 and you can do you give them a long period to patch everything but then again the risk of this details these things at leaking increase on the other hand if the embargo period is too short people won't have time to patch it so this is quite a hard decision and the and what we did is constant which I will begin with a future it's it's hard to pick at that line but still do bickered that line to avoid any uncertainty on so that people know what to expect and finally I want
to uh thank uh certainty Ghazi for helping with the coordination on I also want to have uh I think yeah Cisco for some of the advice that they give so with
that I can conclude the talk so what we discussed as a floor and the WPA to standard itself of the most surprising thing about his research is that WPA 2 was proven to be correct yet we still found is attack after more than a decade on more than that not only is just a theoretic attack it that DEC has actual uh impact in practice and finally in order to defend against is you should of did all your clients of also check if your access points are affected
So with that, thank you for your attention, and if there are any questions, feel free to ask.

Moderator: Do we have any questions? Please come to the front. I think we already have a question directly in front, at mic number 1.

Question: Do you know if there is any standardization going on for nonce-misuse-resistant encryption, which would be useful in a case like this, for example synthetic initialization vectors?

Answer: Yes, so there have been some proposals in order to make the encryption algorithm defend against nonce reuse. I have the impression that this is still a bit of ongoing research, so there are proposals where you have an algorithm that you can use, but I'm not aware of actual encryption protocols, for example TLS or Wi-Fi, that are using them. So they exist, but they're not yet really being used.

Question: This is going on in the Crypto Forum Research Group [unintelligible]; what I was asking was whether the Wi-Fi standardization body is still planning to do this. And a related question would be: if you would use AES-GCM instead, with a non-deterministic initialization vector made from a random source, would that be possible, if you use 96 bits? Then the attack would [unintelligible].

Answer: To answer the first question, I'm not aware of the Wi-Fi standards bodies really modifying the standard to use nonce-misuse-resistant encryption. They are modifying the standard to defend against key reinstallation attacks, but I think they're not yet going to incorporate a nonce-misuse-resistant encryption cipher, because they still have the impression that they're going to wait, probably a while, and once the technology is more mature they're going to use that. If I understood your second question, you also have encryption algorithms where you don't have a deterministic nonce but a nonce which for every encryption operation is, for example, random. Actually, in the GCM standard there are two possibilities, if I'm not mistaken here, and the thing is, the risk of using a random initialization vector is that you may have a bad random generator; that can go wrong, and then you still have nonce reuse. So even with randomly generated nonces it can also go bad, but then there are different attacks. I think there's been a paper that analyzes certain TLS libraries where they do find attacks, where in that case the GCM algorithm can still be attacked, not through key reinstallation attacks, but basically because the nonce isn't really random; for example, sometimes bad implementations always use the same random nonce, and then they can attack it. Does that answer your question?

Question (mic 1): Yes, because I asked whether there's right now an approach to modify the standard for nonce misuse resistance against this attack.

Answer: Right now there is no... the IEEE task group working on the amendment which will fix this, well, they are working to prevent the key reinstallation attack, but there is no official task group for that right now. There are still people working on that, but not as an official task group.

Moderator: Thank you. Next question.

Question (mic 2): Thanks, it's a great finding really, and also a great talk. So just for my personal understanding, could you briefly go back to the slide with the 4-way handshake, right in the beginning, to the attack on the handshake itself, to get an idea of the attack?

Answer: So let's go to this slide, yeah.

Question: So all you get from this is the keystream that is used to encrypt message 4, right? That's all you get?

Answer: Yes, and you can already use that to start decrypting frames. What you can do as the attacker, you have several options. The first thing you can do is keep triggering new handshakes by deauthenticating the client, so you can always decrypt one packet at a time. What you can also do is wait with sending this retransmitted message 3 to the client, because sometimes you know the encrypted data that is sent; so you know that a packet is an ARP request, or a DNS request; you can capture quite some packets where you know the content, to derive some known keystream. Once you have that, you can forward message 3 to trigger a key reinstallation, and then you have collected quite some keystream to be able to decrypt several packets at a time. So you can use tactics like that; you can rely on the packet length to basically determine what the type of packet is, where you have a known plaintext, and you can use that to derive new keystream. There are a lot of ways to play around with that. The only thing here is that the key that you get is already being used immediately, because it's used to encrypt message 4. Well, we noted that message 4 is encrypted, and we abuse that message 4 is encrypted to derive known keystream, and we can then use that to decode data frames which we do not know. We should discuss this offline; I can demonstrate it.

Moderator: Next question, mic number 2.

Question: Yeah, thanks, it's a great finding really, and also a great talk. Could you maybe elaborate a bit on how you still use formal verification in this sense, because as you said, it gives a very false sense of security in a sense. How can we still benefit from formal verification?

Answer: Well, I think the attitude we should adopt is that formal verification of protocols or of algorithms increases the amount of trust we can put into a program or into a protocol, but it's not because it's formally verified that it's secure. Perhaps one of the attitudes that people had was: oh, it's formally verified, it must be fine. We should abandon that attitude and instead we should say, OK, it's formally verified, but let's check if the model they used reflects reality, let's see if the proof is correct, and so on. So we should still employ formal verification, but we should just treat it as additional evidence that something looks secure.

Moderator: OK, there's another question at mic number 3.

Question: The first part is on the slide you're currently on. As far as I understood the talk, the retransmission of message 4 is not supposed to be encrypted by the standard.

Answer: Correct, if you follow the standard you shouldn't have a problem here, but then you still have a problem, because what you can then do is just wait for a data packet where you know the contents. For example it can be an ARP request, where you can derive most fields; it can be a DHCP request; again, TCP SYN packets; or take for example these same frames: there's been work to fingerprint the lengths of HTTP requests to be able to determine which site you're visiting, so purely based on the length we can determine the contents of the website you are looking at, and we can then derive known plaintext. Basically, there are a lot of ways to predict the content of a frame, to then derive known keystream, to then trigger a key reinstallation attack and abuse this.

Moderator: I think we have time for one last question.

Question: So as far as I understood your research, if we have 802.11w deployed in the network, we are still vulnerable to the attack, because, as 802.11w specifies, the encryption that's supposed to be done by this amendment is also done by the same encryption used on the network as before. So 802.11w is not really a way to secure the network?

Answer: If I got it right, 802.11w is, well, one of the things it does is protected management frames, correct?

Question: Yes.

Answer: Yes, and so using that does not defend against these attacks.

Question: I think this is still quite a case where people are curious, because it's cited everywhere.

Moderator: I think this was a really nice, comprehensive talk. I want to thank you, and everybody who has more questions can find you here and ask you more, or have a look into the paper and perhaps read everything in detail there. So please, another big round of applause for Mathy. That was amazing.

Mathy Vanhoef: Thank you.
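The mechanics behind the access-point countermeasure from the talk (never retransmit message 3) and the keystream discussion from the Q&A, as an added example that is not the speaker's or the KRACK project's code: a hypothetical supplicant installs the PTK on message 3, a retransmitted message 3 resets its packet number unless the client is patched, and a monitor function flags the repeated packet number the way a receiver or wireless IDS could. The cipher is a SHA-256 counter-mode stand-in for CCMP's AES-CTR (the one property that matters, keystream being a pure function of key and nonce, is the same), and the two frames are constructed samples.

```python
"""Toy model of CCMP-style nonce handling under a retransmitted handshake message 3.

Added illustration, not code from the talk, the KRACK paper or any Wi-Fi driver.
The 'Supplicant' is a hypothetical client that tracks one pairwise key (PTK) and
its packet number (PN), the counter CCMP uses to build the per-frame nonce.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream for (key, pn). Same key and same PN give the
    same bytes; that is exactly the property nonce reuse breaks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Minimal model of a client's key state after message 3 of the 4-way handshake."""
    patched: bool               # True: do not reinstall a key that is already in use
    ptk: Optional[bytes] = None
    pn: int = 0                 # packet number; must never repeat under one key
    installs: int = 0

    def handle_msg3(self, ptk: bytes) -> bool:
        """Process message 3 (carries the PTK to install). Returns True on (re)install.

        Unpatched: every message 3, including a retransmission, installs the key
        again and resets the PN to 0, so the next frame reuses a nonce.
        Patched: a key that is already installed is left alone; the running PN
        is kept (the client would still answer with message 4)."""
        if self.patched and self.ptk == ptk:
            return False
        self.ptk = ptk
        self.pn = 0
        self.installs += 1
        return True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame; returns (pn, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def nonce_reuse_monitor(frames: List[Tuple[int, bytes]]) -> List[int]:
    """Defender-side check: report every PN that appears more than once under
    one key. A receiver or WIDS seeing this has evidence of a key reinstallation."""
    seen, reused = set(), []
    for pn, _ in frames:
        if pn in seen:
            reused.append(pn)
        seen.add(pn)
    return reused


def run_scenario(patched: bool, ap_retransmits_msg3: bool = True) -> Dict[str, object]:
    """Client installs the PTK, sends a frame with predictable content (think ARP
    or DHCP), receives message 3 a second time, then sends a sensitive frame.

    ap_retransmits_msg3=False models the access-point countermeasure from the
    talk: message 3 is simply never sent twice. Frames are constructed samples;
    the known frame must be at least as long as the frame to recover."""
    ptk = hashlib.sha256(b"constructed PTK for this demo").digest()
    known = b"ARP who-has 10.0.0.1 tell 10.0.0.2"    # constructed, 34 bytes
    secret = b"POST /login user=alice&pw=hunter2"    # constructed, 33 bytes
    client = Supplicant(patched=patched)
    client.handle_msg3(ptk)
    frames = [client.send(known)]
    if ap_retransmits_msg3:
        client.handle_msg3(ptk)      # AP did not see message 4 and resends message 3
    frames.append(client.send(secret))
    (_, ct1), (_, ct2) = frames
    # With equal PNs the keystreams are equal, so ct1 XOR known XOR ct2 == secret.
    # With distinct PNs the same computation yields noise.
    recovered = xor(xor(ct1, known), ct2)
    return {
        "installs": client.installs,
        "reused_pns": nonce_reuse_monitor(frames),
        "secret_recovered": recovered == secret,
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", run_scenario(patched))
    print("unpatched client, AP never retransmits", run_scenario(False, False))
```

Only the unpatched client with a retransmitting access point yields a reused packet number and a recoverable second frame; either fix alone (client ignores the duplicate install, or the AP never retransmits) removes both.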
Metadata

Formal metadata

Title: KRACKing WPA2 by Forcing Nonce Reuse
Series title: 34th Chaos Communication Congress
Author: Vanhoef, Mathy
License: CC Attribution 4.0 International:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/34911
Publisher: Chaos Computer Club e.V.
Year of publication: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: We introduce key reinstallation attacks (KRACKs). These attacks abuse features of a protocol to reinstall an already in-use key, thereby resetting nonces and/or replay counters associated to this key. We show that our novel attack technique breaks several handshakes that are used in a WPA2-protected network.
Keywords: Security
