Uploaded byvanhoefm
PDF, PPTX3,280 views

Predicting and Abusing WPA2/802.11 Group Keys

The document discusses vulnerabilities in the WPA2/802.11 group key security, highlighting flaws in key generation, transport, and usage stages which can be exploited by attackers. It examines the shortcomings of the 802.11 random number generator, revealing that predictable group keys can compromise network security. The author suggests several countermeasures to enhance the security of group keys during their full lifecycle.

Embed presentation

Download as PDF, PPTX
Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm
Observation General Wi-Fi crypto is widely studied 2 Recover pre-shared key(s) protecting all WEP traffic Tornado Attack: Recover WPA-TKIP session keys (theoretic) Rogue AP against enterprise networks to steal credentials Predictable pre-shared key & dictionary attack against handshake  Mainly targets pre-shared and session keys
What about group keys? Group keys protect broadcast and multicast frames:  All clients posses a copy of the group key Security of group keys not yet properly studied!  In contrast with pre-shared & session (=pairwise) keys … 3 We analyze security of group key during its full lifetime!
Background: group key lifetime 4
Background: group key lifetime 5 Group Key Three important stages: 1. Generation (flawed RNG)
Background: group key lifetime 6 Group Key Session Key 1 Encrypted group key sent to client Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) Group Key Session Key
Background: group key lifetime 7 Group Key Session Key 1 Group Key Session Key Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) 3. Usage (abuse to decrypt all traffic) Addressing some of these issues:  New RNG for Wi-Fi platforms?
Background: sending group frames 8 Group Key Session Key Group Key Session Key Group Key Session Key A Session Key B Client A Client B
Background: sending group frames 9 1. Client uses pairwise key to send group frame to AP Session Key Session Key A Client A Client B Recv: AP Dest: FF:⋯:FF Src: Client A
Background: sending group frames 10 1. Client uses pairwise key to send group frame to AP 2. AP broadcasts group frame using group key  Only AP sends real group frames Group Key Group Key Group Key Client B Client A Recv: FF:⋯:FF Dest: FF:⋯:FF Src: Client A
Agenda: security of group keys 11 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
Agenda: security of group keys 12 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
How are group keys generated? Based on a key hierarchy:  AP randomly generates public counter and secret master key  Derives group temporal key (GTK) from these values every hour Entropy only introduced at boot  Bad design: if master key is leaked, all group keys become known! 13 Public counter Private master key +1 SHA-1 Group Temporal Key (GTK) Sampled only at boot!
How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness 14 “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”
How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 15 “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..] ; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”
How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 16 Inconsistent description of RNG’s security guarantees!  How secure is the 802.11 RNG?  How many platforms implement this RNG?
802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution 17
802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand 18 Deviates from traditional RNG design:  No entropy pools being maintained  Entropy is only collected when the RNG is being invoked
802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand  Based on frame arrival timestamps and clock jitter 19
802.11 RNG: entropy sources Frame arrival times:  Collected by starting & aborting handshakes  Problem: AP will be blacklisted by clients Clock jitter and drift:  No minimum time resolution  small clock jitter  Hence contains only low amount of randomness 20 ¯_(ツ)_/¯
Surely no one implemented this…? 21 Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks Weakened 802.11 RNG
Surely no one implemented this…? 22 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks
MediaTek RNG: overview Uses custom Linux drivers:  Implements 802.11’s group key hierarchy  But GNONCE “counter” is randomly refreshed on GTK rekey  Based on the 802.11 RNG using only clock jitter  Uses jiffies for current time: equals uptime of the AP  Predict both GMK and GNONCE to determine group key! 23 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1 RNG At boot
MediaTek RNG: key search  Jiffies have at best millisecond accuracy  GMK: generated at boot  limited set of possible values  GNONCE: depends on uptime of router (and clock skew)  Uptime is leaked in beacons  Capture encrypted broadcast packet and search for key  24 OpenCL ~3 mins GMK & GTKRT-AC51U
MediaTek: predicting the GTK DEMO 25
Surely no one implemented this…? 26 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
Broadcom: Linux When running on a Linux kernel:  Implements 802.11’s group key hierarchy  Randomness from /dev/urandom “Mining your Ps and Qs” by Heninger et al.:  /dev/urandom might be predictable at boot  All group keys might be predictable on old kernels 27
Broadcom: VxWorks and eCos 28 Open SourceProprietary
Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds) 29 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG
Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) 30 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG At boot
Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) OpenCL ~4 mins GMK & GTKWRT54Gv5 31
Surely no one implemented this…? 32 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
Open Firmware Open Firmware:  An open source BIOS  Supports client Wi-Fi functionality in BIOS (!)  Randomness from boot time & linear congruential generator Hostapd:  Based on 802.11 group key hierarchy  Also injects new entropy on group rekeys!  Reads from /dev/random on boot & when clients join  If not enough entropy available, connections are rejected 33
Agenda: security of group keys 34 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
Injecting unicast packets?  Put unicast IP packet in a broadcast frame? 35 Hole 196 check done at network-layer … … but an AP works at link-layer! Flags Receiver to client FF:⋯:FF Source IP Destination IP Data 802.11 specific  Detected by “Hole 196” check
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 36 AP Victim Attacker Sender Destination Data
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 37 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Encrypted using group key
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 38 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Decrypted using group key
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 39 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Encrypted using session (pairwise) key
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 4. Victim sees normal unicast frame 40 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Decrypted using session (pairwise) key
Decrypting all traffic ARP poison to broadcast MAC address  Poison both router and clients  Can decrypt network-layer protocols: IPv4, IPv6, … Countermeasure:  Don’t forward broadcast frames to a unicast destination  Even better: AP should simply ignore frames received on broadcast or multicast MAC address. 41
Agenda: security of group keys 42 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
The 4-way handshake 43
The 4-way handshake 44 Group key encrypted and transmitted … … before downgrade attack detection!
The 4-way handshake 45 Group key encrypted and transmitted … … before downgrade attack detection! Session cipher GTK encryption WPA-TKIP RC4 AES-CCMP AES key wrap
Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped 46
Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped Recover repeated encryptions of GTK:  Similar in spirit to RC4 NOMORE attack  Requires ~231 handshakes: takes >50 years Countermeasures:  Disable WPA-TKIP & RC4  Send GTK after handshake 47
Agenda: security of group keys 48 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
An improved 802.11 RNG Entropy present on al Wi-Fi chips?  Wi-Fi signals & background noise Spectral scan feature in commodity chips:  Can generate 3 million samples / second  First XOR samples in firmware  Extract & manage resulting entropy using known approaches Additional research needed: performance under jamming? 49
Conclusion Lessons learned: 1. Always check quality of RNG 2. Let AP ignore group-addressed frames 3. Don’t put “expository” security algo’s in a specification 4. Don’t transmit sensitive data before downgrade detection 50
Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - @vanhoefm Questions?

More Related Content

PDF
Aircrack
byNithin Sathees
 
PDF
Ceh v5 module 20 buffer overflow
byVi Tính Hoàng Nam
 
PPTX
ShinoBOT Suite
byShota Shinogi
 
PDF
Lucas apa pacsec slides
byPacSecJP
 
PDF
IDS & Passive Network Defense
bySalvatore Lentini
 
PPTX
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
PPT
Dynamic Port Scanning
byamiable_indian
 
PDF
Hardening Three - IDS/IPS Technologies
bySalvatore Lentini
 
Aircrack
byNithin Sathees
 
Ceh v5 module 20 buffer overflow
byVi Tính Hoàng Nam
 
ShinoBOT Suite
byShota Shinogi
 
Lucas apa pacsec slides
byPacSecJP
 
IDS & Passive Network Defense
bySalvatore Lentini
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
Dynamic Port Scanning
byamiable_indian
 
Hardening Three - IDS/IPS Technologies
bySalvatore Lentini
 

What's hot

PDF
Ch 5: Port Scanning
bySam Bowne
 
PPTX
1300 david oswald id and ip theft with side-channel attacks
byPositive Hack Days
 
PPT
Port Scanning
byamiable_indian
 
PPTX
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
byCODE BLUE
 
PDF
Wireless Hacking Fast Track
byNovizul Evendi
 
PDF
Side Channel Attacks on AES
byRavi Prakash Giri
 
PDF
NMAP by Shrikant Antre & Shobhit Gautam
byn|u - The Open Security Community
 
PPT
Best!
bygofortution
 
PDF
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
byCanSecWest
 
PPT
Nmap(network mapping)
bySSASIT
 
PDF
Pertemuan 9 intrusion detection system
bynewbie2019
 
PDF
Reverse Engineering the TomTom Runner pt. 2
byLuis Grangeia
 
PPTX
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
byEric Vanderburg
 
PPT
Port scanning
byHemanth Pasumarthi
 
PDF
Infecting the Embedded Supply Chain
byPriyanka Aash
 
PDF
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
PDF
Media Files : Android's New Nightmare
byOguzhan Topgul
 
PDF
Placing backdoors-through-firewalls
byAkapo Damilola
 
PDF
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
byFFRI, Inc.
 
PDF
Farewell, Stagefright bugs!
byTsukasa Oi
 
Ch 5: Port Scanning
bySam Bowne
 
1300 david oswald id and ip theft with side-channel attacks
byPositive Hack Days
 
Port Scanning
byamiable_indian
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
byCODE BLUE
 
Wireless Hacking Fast Track
byNovizul Evendi
 
Side Channel Attacks on AES
byRavi Prakash Giri
 
NMAP by Shrikant Antre & Shobhit Gautam
byn|u - The Open Security Community
 
Best!
bygofortution
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
byCanSecWest
 
Nmap(network mapping)
bySSASIT
 
Pertemuan 9 intrusion detection system
bynewbie2019
 
Reverse Engineering the TomTom Runner pt. 2
byLuis Grangeia
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
byEric Vanderburg
 
Port scanning
byHemanth Pasumarthi
 
Infecting the Embedded Supply Chain
byPriyanka Aash
 
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
Media Files : Android's New Nightmare
byOguzhan Topgul
 
Placing backdoors-through-firewalls
byAkapo Damilola
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
byFFRI, Inc.
 
Farewell, Stagefright bugs!
byTsukasa Oi
 

Viewers also liked

PPTX
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
bybarcamp.my
 
PPTX
Unl intro presentation fin
byeucariot
 
PPT
Free Download Powerpoint Slides
byGeorge
 
PPT
Slideshare Powerpoint presentation
byelliehood
 
PPTX
Slideshare ppt
byMandy Suzanne
 
PDF
State of the Word 2011
byphotomatt
 
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
bybarcamp.my
 
Unl intro presentation fin
byeucariot
 
Free Download Powerpoint Slides
byGeorge
 
Slideshare Powerpoint presentation
byelliehood
 
Slideshare ppt
byMandy Suzanne
 
State of the Word 2011
byphotomatt
 

Similar to Predicting and Abusing WPA2/802.11 Group Keys

PPT
Wireless security837
bymark scott
 
PPTX
WLAN Security-2new.pptxmmmmmmmmmmmmmmmmmmmmmmmmmmm
byiit2022057
 
PPTX
Wireless Security null seminar
byNilesh Sapariya
 
PPT
Security Issues of IEEE 802.11b
bySreekanth GS
 
PPS
Sheetal - Wirelesss Hacking - ClubHack2008
byClubHack
 
PPTX
DevLink - WiFu: You think your wireless is secure?
byRob Gillen
 
PPT
chapter 8.ppt
byKidaneKenenisa1
 
PPT
Security Issues of 802.11b
byguestd7b627
 
PPT
wireless security ppt by david wagner UCB
byHimaniP19CSE013
 
PDF
KRACK attack
byVadimDavydov3
 
PDF
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
byYuChianWu
 
PPT
5169 wireless network_security_amine_k
byRama Krishna M
 
PPS
Workshop on Wireless Security
byamiable_indian
 
PDF
Informal Presentation on WPA-TKIP
byvanhoefm
 
PPT
4 wifi security
byal-sari7
 
PPT
Wireless hacking septafiansyah
bySeptafiansyah P
 
PPT
Wireless and WLAN Secuirty, Presented by Vijay
bythevijayps
 
PDF
Y36146148
byIJERA Editor
 
PDF
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
byIDES Editor
 
PDF
Wireless Security Needs For Enterprises
byshrutisreddy
 
Wireless security837
bymark scott
 
WLAN Security-2new.pptxmmmmmmmmmmmmmmmmmmmmmmmmmmm
byiit2022057
 
Wireless Security null seminar
byNilesh Sapariya
 
Security Issues of IEEE 802.11b
bySreekanth GS
 
Sheetal - Wirelesss Hacking - ClubHack2008
byClubHack
 
DevLink - WiFu: You think your wireless is secure?
byRob Gillen
 
chapter 8.ppt
byKidaneKenenisa1
 
Security Issues of 802.11b
byguestd7b627
 
wireless security ppt by david wagner UCB
byHimaniP19CSE013
 
KRACK attack
byVadimDavydov3
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
byYuChianWu
 
5169 wireless network_security_amine_k
byRama Krishna M
 
Workshop on Wireless Security
byamiable_indian
 
Informal Presentation on WPA-TKIP
byvanhoefm
 
4 wifi security
byal-sari7
 
Wireless hacking septafiansyah
bySeptafiansyah P
 
Wireless and WLAN Secuirty, Presented by Vijay
bythevijayps
 
Y36146148
byIJERA Editor
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
byIDES Editor
 
Wireless Security Needs For Enterprises
byshrutisreddy
 

More from vanhoefm

PDF
New flaws in WPA-TKIP
byvanhoefm
 
PDF
Practical Verification of TKIP Vulnerabilities
byvanhoefm
 
PDF
HacknamStyle Plaid CTF write-up
byvanhoefm
 
PDF
Advanced WiFi Attacks Using Commodity Hardware
byvanhoefm
 
PDF
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
byvanhoefm
 
PDF
Advanced WiFi Attacks Using Commodity Hardware
byvanhoefm
 
PDF
Stateful Declassification Policies for Event-Driven Programs
byvanhoefm
 
PDF
TEDxUHasselt Salon: How you can be hacked
byvanhoefm
 
New flaws in WPA-TKIP
byvanhoefm
 
Practical Verification of TKIP Vulnerabilities
byvanhoefm
 
HacknamStyle Plaid CTF write-up
byvanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
byvanhoefm
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
byvanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
byvanhoefm
 
Stateful Declassification Policies for Event-Driven Programs
byvanhoefm
 
TEDxUHasselt Salon: How you can be hacked
byvanhoefm
 

Recently uploaded

PDF
The Moon-forming impactor Theia originated from the inner Solar System
bySérgio Sacani
 
PDF
Qualitative Analysis BSc 5th Sem.pdf World of Wisdom
byWorld of Wisdom
 
PDF
Cognitive Reserve Can Be Induced Through Environmental Enrichment in Aged Org...
byedvaldosoares15
 
PDF
Sharing complex research through effective communication techniques
byZachary Labe
 
PPTX
Uses of Metal in drugs:unique properties
byaditiraghav25
 
PDF
What is UN CBD Reporting? Definitions, Key UN CBD Decisions, Timeframe
bypensoftservices
 
PPTX
Ontologies for Semantic Interoperability in the Age of AI
byMichel Dumontier
 
PDF
A Rastogi Correctness of LLM Chatbot.pdf
byAyushi Rastogi
 
PDF
Supporting Countries to Implement the Monitoring Framework​
bypensoftservices
 
PDF
ESUD_CIESUD25AI_Leadership_Conf_Presentation_Proactive_final.pdf
byEbba Ossiannilsson
 
PDF
Target 2 and Headline Indicator: Area Under Restoration
bypensoftservices
 
PDF
Latest Updates from SBSTTA-27 and the IAG-TSC and Reminder of KM GBF Steps an...
bypensoftservices
 
PDF
Glyoxylate Cycle- Basic idea and biochemical cycle with importane
byNistarini College, Purulia (W.B) India
 
PPTX
carbohydrates food molecules in our body.pptx
byThelleTalosig
 
PPTX
ANATOMY OF MUSCULOSKELETAL.pptx The muscle
by24mscfn002
 
PPTX
Chloroplast Photosynthesis PowerPoint Presentation
byHaniaAbdul2
 
PPTX
Chapter 1 Environmental Psychology History and Methods.pptx
byAminaJaved26
 
PPTX
Lec.3. ROCKS-DEFINITION-FORMATION, CLASSIFICATION – IGNEOUS, SEDIMENTARY AND....
byPingaleswaran Sudhakaran
 
PPTX
Variability and its measures mean mode and median standard deviation and coe...
byDr Showkat Ahmad Wani
 
PPTX
Transgenic plants Types, benefits, public concerns and future.pptx
byBrijesh Kushwaha
 
The Moon-forming impactor Theia originated from the inner Solar System
bySérgio Sacani
 
Qualitative Analysis BSc 5th Sem.pdf World of Wisdom
byWorld of Wisdom
 
Cognitive Reserve Can Be Induced Through Environmental Enrichment in Aged Org...
byedvaldosoares15
 
Sharing complex research through effective communication techniques
byZachary Labe
 
Uses of Metal in drugs:unique properties
byaditiraghav25
 
What is UN CBD Reporting? Definitions, Key UN CBD Decisions, Timeframe
bypensoftservices
 
Ontologies for Semantic Interoperability in the Age of AI
byMichel Dumontier
 
A Rastogi Correctness of LLM Chatbot.pdf
byAyushi Rastogi
 
Supporting Countries to Implement the Monitoring Framework​
bypensoftservices
 
ESUD_CIESUD25AI_Leadership_Conf_Presentation_Proactive_final.pdf
byEbba Ossiannilsson
 
Target 2 and Headline Indicator: Area Under Restoration
bypensoftservices
 
Latest Updates from SBSTTA-27 and the IAG-TSC and Reminder of KM GBF Steps an...
bypensoftservices
 
Glyoxylate Cycle- Basic idea and biochemical cycle with importane
byNistarini College, Purulia (W.B) India
 
carbohydrates food molecules in our body.pptx
byThelleTalosig
 
ANATOMY OF MUSCULOSKELETAL.pptx The muscle
by24mscfn002
 
Chloroplast Photosynthesis PowerPoint Presentation
byHaniaAbdul2
 
Chapter 1 Environmental Psychology History and Methods.pptx
byAminaJaved26
 
Lec.3. ROCKS-DEFINITION-FORMATION, CLASSIFICATION – IGNEOUS, SEDIMENTARY AND....
byPingaleswaran Sudhakaran
 
Variability and its measures mean mode and median standard deviation and coe...
byDr Showkat Ahmad Wani
 
Transgenic plants Types, benefits, public concerns and future.pptx
byBrijesh Kushwaha
 

Predicting and Abusing WPA2/802.11 Group Keys

  • 1.
    Predicting and AbusingWPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm
  • 2.
    Observation General Wi-Fi cryptois widely studied 2 Recover pre-shared key(s) protecting all WEP traffic Tornado Attack: Recover WPA-TKIP session keys (theoretic) Rogue AP against enterprise networks to steal credentials Predictable pre-shared key & dictionary attack against handshake  Mainly targets pre-shared and session keys
  • 3.
    What about groupkeys? Group keys protect broadcast and multicast frames:  All clients posses a copy of the group key Security of group keys not yet properly studied!  In contrast with pre-shared & session (=pairwise) keys … 3 We analyze security of group key during its full lifetime!
  • 4.
  • 5.
    Background: group keylifetime 5 Group Key Three important stages: 1. Generation (flawed RNG)
  • 6.
    Background: group keylifetime 6 Group Key Session Key 1 Encrypted group key sent to client Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) Group Key Session Key
  • 7.
    Background: group keylifetime 7 Group Key Session Key 1 Group Key Session Key Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) 3. Usage (abuse to decrypt all traffic) Addressing some of these issues:  New RNG for Wi-Fi platforms?
  • 8.
    Background: sending groupframes 8 Group Key Session Key Group Key Session Key Group Key Session Key A Session Key B Client A Client B
  • 9.
    Background: sending groupframes 9 1. Client uses pairwise key to send group frame to AP Session Key Session Key A Client A Client B Recv: AP Dest: FF:⋯:FF Src: Client A
  • 10.
    Background: sending groupframes 10 1. Client uses pairwise key to send group frame to AP 2. AP broadcasts group frame using group key  Only AP sends real group frames Group Key Group Key Group Key Client B Client A Recv: FF:⋯:FF Dest: FF:⋯:FF Src: Client A
  • 11.
    Agenda: security ofgroup keys 11 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 12.
    Agenda: security ofgroup keys 12 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 13.
    How are groupkeys generated? Based on a key hierarchy:  AP randomly generates public counter and secret master key  Derives group temporal key (GTK) from these values every hour Entropy only introduced at boot  Bad design: if master key is leaked, all group keys become known! 13 Public counter Private master key +1 SHA-1 Group Temporal Key (GTK) Sampled only at boot!
  • 14.
    How are randomnumbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness 14 “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”
  • 15.
    How are randomnumbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 15 “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..] ; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”
  • 16.
    How are randomnumbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 16 Inconsistent description of RNG’s security guarantees!  How secure is the 802.11 RNG?  How many platforms implement this RNG?
  • 17.
    802.11 RNG: maindesign The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution 17
  • 18.
    802.11 RNG: maindesign The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand 18 Deviates from traditional RNG design:  No entropy pools being maintained  Entropy is only collected when the RNG is being invoked
  • 19.
    802.11 RNG: maindesign The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand  Based on frame arrival timestamps and clock jitter 19
  • 20.
    802.11 RNG: entropysources Frame arrival times:  Collected by starting & aborting handshakes  Problem: AP will be blacklisted by clients Clock jitter and drift:  No minimum time resolution  small clock jitter  Hence contains only low amount of randomness 20 ¯_(ツ)_/¯
  • 21.
    Surely no oneimplemented this…? 21 Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks Weakened 802.11 RNG
  • 22.
    Surely no oneimplemented this…? 22 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks
  • 23.
    MediaTek RNG: overview Usescustom Linux drivers:  Implements 802.11’s group key hierarchy  But GNONCE “counter” is randomly refreshed on GTK rekey  Based on the 802.11 RNG using only clock jitter  Uses jiffies for current time: equals uptime of the AP  Predict both GMK and GNONCE to determine group key! 23 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1 RNG At boot
  • 24.
    MediaTek RNG: keysearch  Jiffies have at best millisecond accuracy  GMK: generated at boot  limited set of possible values  GNONCE: depends on uptime of router (and clock skew)  Uptime is leaked in beacons  Capture encrypted broadcast packet and search for key  24 OpenCL ~3 mins GMK & GTKRT-AC51U
  • 25.
  • 26.
    Surely no oneimplemented this…? 26 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
  • 27.
    Broadcom: Linux When runningon a Linux kernel:  Implements 802.11’s group key hierarchy  Randomness from /dev/urandom “Mining your Ps and Qs” by Heninger et al.:  /dev/urandom might be predictable at boot  All group keys might be predictable on old kernels 27
  • 28.
    Broadcom: VxWorks andeCos 28 Open SourceProprietary
  • 29.
    Broadcom: VxWorks andeCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds) 29 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG
  • 30.
    Broadcom: VxWorks andeCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) 30 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG At boot
  • 31.
    Broadcom: VxWorks andeCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) OpenCL ~4 mins GMK & GTKWRT54Gv5 31
  • 32.
    Surely no oneimplemented this…? 32 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
  • 33.
    Open Firmware Open Firmware: An open source BIOS  Supports client Wi-Fi functionality in BIOS (!)  Randomness from boot time & linear congruential generator Hostapd:  Based on 802.11 group key hierarchy  Also injects new entropy on group rekeys!  Reads from /dev/random on boot & when clients join  If not enough entropy available, connections are rejected 33
  • 34.
    Agenda: security ofgroup keys 34 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 35.
    Injecting unicast packets? Put unicast IP packet in a broadcast frame? 35 Hole 196 check done at network-layer … … but an AP works at link-layer! Flags Receiver to client FF:⋯:FF Source IP Destination IP Data 802.11 specific  Detected by “Hole 196” check
  • 36.
    Forging unicast framesusing group key Abuse AP to bypass Hole 196 check: 36 AP Victim Attacker Sender Destination Data
  • 37.
    Forging unicast framesusing group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 37 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Encrypted using group key
  • 38.
    Forging unicast framesusing group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 38 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Decrypted using group key
  • 39.
    Forging unicast framesusing group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 39 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Encrypted using session (pairwise) key
  • 40.
    Forging unicast framesusing group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 4. Victim sees normal unicast frame 40 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Decrypted using session (pairwise) key
  • 41.
    Decrypting all traffic ARPpoison to broadcast MAC address  Poison both router and clients  Can decrypt network-layer protocols: IPv4, IPv6, … Countermeasure:  Don’t forward broadcast frames to a unicast destination  Even better: AP should simply ignore frames received on broadcast or multicast MAC address. 41
  • 42.
    Agenda: security ofgroup keys 42 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 43.
  • 44.
    The 4-way handshake 44 Groupkey encrypted and transmitted … … before downgrade attack detection!
  • 45.
    The 4-way handshake 45 Groupkey encrypted and transmitted … … before downgrade attack detection! Session cipher GTK encryption WPA-TKIP RC4 AES-CCMP AES key wrap
  • 46.
    Attacking RC4 encryptionof GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped 46
  • 47.
    Attacking RC4 encryptionof GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped Recover repeated encryptions of GTK:  Similar in spirit to RC4 NOMORE attack  Requires ~231 handshakes: takes >50 years Countermeasures:  Disable WPA-TKIP & RC4  Send GTK after handshake 47
  • 48.
    Agenda: security ofgroup keys 48 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 49.
    An improved 802.11RNG Entropy present on al Wi-Fi chips?  Wi-Fi signals & background noise Spectral scan feature in commodity chips:  Can generate 3 million samples / second  First XOR samples in firmware  Extract & manage resulting entropy using known approaches Additional research needed: performance under jamming? 49
  • 50.
    Conclusion Lessons learned: 1. Alwayscheck quality of RNG 2. Let AP ignore group-addressed frames 3. Don’t put “expository” security algo’s in a specification 4. Don’t transmit sensitive data before downgrade detection 50
  • 51.
    Predicting and Abusing WPA2/802.11Group Keys Mathy Vanhoef - @vanhoefm Questions?