Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm - PowerPoint PPT Presentation


  1. Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm

  2. Observation: general Wi-Fi crypto is widely studied
     - [Diagram of known attacks: predictable pre-shared key(s) & dictionary attack against handshake; recover pre-shared key protecting all WEP traffic; rogue AP against enterprise networks to steal credentials; Tornado Attack: recover WPA-TKIP session keys (theoretic)]
     - Mainly targets pre-shared and session keys

  3. What about group keys?
     - Group keys protect broadcast and multicast frames: all clients possess a copy of the group key
     - Security of group keys not yet properly studied, in contrast with pre-shared & session (= pairwise) keys
     - We analyze the security of the group key during its full lifetime!

  4. Background: group key lifetime

  5. Background: group key lifetime
     - Three important stages: (1) generation (flawed RNG)

  6. Background: group key lifetime
     - Three important stages: (1) generation (flawed RNG); (2) session key agreement and group key transport (force usage of RC4)
     - [Diagram: group key and session key; encrypted group key sent to client]

  7. Background: group key lifetime
     - Three important stages: (1) generation (flawed RNG); (2) session key agreement and group key transport (force usage of RC4); (3) usage (abuse to decrypt all traffic)
     - Addressing some of these issues: new RNG for Wi-Fi platforms?

  8. Background: sending group frames
     - [Diagram: Client A and Client B each hold the group key and a session key; the AP holds the group key, Session Key A and Session Key B]

  9. Background: sending group frames
     - Step 1: client uses pairwise key to send group frame to AP
     - [Diagram: frame from Client A with Recv: AP, Dest: FF:⋯:FF, Src: Client A, protected with Session Key A]

  10. Background: sending group frames
      - Step 1: client uses pairwise key to send group frame to AP
      - Step 2: AP broadcasts group frame using group key
      - Only the AP sends real group frames
      - [Diagram: frame with Recv: FF:⋯:FF, Dest: FF:⋯:FF, Src: Client A, protected with the group key]

  11. Agenda: security of group keys
      - Flawed generation; inject & decrypt all traffic; force RC4 in handshake; new Wi-Fi tailored RNG

  12. Agenda: security of group keys
      - Flawed generation; inject & decrypt all traffic; force RC4 in handshake; new Wi-Fi tailored RNG

  13. How are group keys generated?
      - Based on a key hierarchy:
        - AP randomly generates a public counter and a secret master key
        - Derives the group temporal key (GTK) from these values every hour
      - Entropy is only introduced at boot
      - Bad design: if the master key is leaked, all group keys become known!
      - [Diagram: public counter and private master key, sampled only at boot; counter +1; SHA-1; Group Temporal Key (GTK)]

  14. How are random numbers generated?
      - The 802.11 standard has an example Random Number Generator
      - §11.1.6a: the RNG outputs cryptographic-quality randomness
      - “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”

  15. How are random numbers generated?
      - The 802.11 standard has an example Random Number Generator
      - §11.1.6a: the RNG outputs cryptographic-quality randomness
      - Annex M.5: proposed RNG is expository only
      - “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..]; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”

  16. How are random numbers generated?
      - The 802.11 standard has an example Random Number Generator
      - §11.1.6a: the RNG outputs cryptographic-quality randomness
      - Annex M.5: proposed RNG is expository only
      - Inconsistent description of the RNG’s security guarantees!
      - How secure is the 802.11 RNG?
      - How many platforms implement this RNG?

  17. 802.11 RNG: main design
      - The 802.11 RNG is a stateless function returning 32 bytes
      - Vague description, even if only an expository solution

  18. 802.11 RNG: main design
      - The 802.11 RNG is a stateless function returning 32 bytes
      - Vague description, even if only an expository solution
      - Collects entropy on demand
      - Deviates from traditional RNG design:
        - No entropy pools being maintained
        - Entropy is only collected when the RNG is being invoked

  19. 802.11 RNG: main design
      - The 802.11 RNG is a stateless function returning 32 bytes
      - Vague description, even if only an expository solution
      - Collects entropy on demand
      - Based on frame arrival timestamps and clock jitter

  20. 802.11 RNG: entropy sources
      - Frame arrival times:
        - Collected by starting & aborting handshakes
        - Problem: AP will be blacklisted by clients
      - Clock jitter and drift:
        - No minimum time resolution → small clock jitter
        - Hence contains only a low amount of randomness
      - ¯\_(ツ)_/¯

  21. Surely no one implemented this…?
      - [Diagram labels: Weakened 802.11 RNG; Depends on OS; Estimated ~22% of Wi-Fi networks; Open Firmware; Custom RNG; Hostapd: /dev/random]

  22. Surely no one implemented this…?
      - [Diagram labels: Weakened 802.11 RNG; Depends on OS; Estimated ~22% of Wi-Fi networks; Open Firmware; Custom RNG; Hostapd: /dev/random]

  23. MediaTek RNG: overview
      - Uses custom Linux drivers:
        - Implements 802.11’s group key hierarchy
        - But the GNONCE “counter” is randomly refreshed on GTK rekey
        - Based on the 802.11 RNG using only clock jitter
        - Uses jiffies for current time: equals uptime of the AP
      - Predict both GMK and GNONCE to determine the group key!
      - [Diagram: at boot, RNG, group master key (GMK), counter (GNONCE), SHA-1, Group Temporal Key (GTK)]

  24. MediaTek RNG: key search
      - Jiffies have at best millisecond accuracy
      - GMK: generated at boot → limited set of possible values
      - GNONCE: depends on uptime of router (and clock skew)
      - Uptime is leaked in beacons
      - Capture encrypted broadcast packet and search for key
      - [Diagram: RT-AC51U; OpenCL, ~3 mins; GMK & GTK]

  25. MediaTek: predicting the GTK (demo)

  26. Surely no one implemented this…?
      - [Diagram labels: Weakened 802.11 RNG; Depends on OS; Estimated ~22% of Wi-Fi networks; Open Firmware; Custom RNG; Hostapd: /dev/random]

  27. Broadcom: Linux
      - When running on a Linux kernel:
        - Implements 802.11’s group key hierarchy
        - Randomness from /dev/urandom
      - “Mining your Ps and Qs” by Heninger et al.:
        - /dev/urandom might be predictable at boot
        - All group keys might be predictable on old kernels

  28. Broadcom: VxWorks and eCos
      - [Diagram labels: Proprietary; Open Source]

  29. Broadcom: VxWorks and eCos
      - Implements 802.11’s group key hierarchy
      - Random numbers: MD5(time in microseconds)
      - [Diagram: RNG, group master key (GMK), counter (GNONCE), SHA-1, Group Temporal Key (GTK)]

  30. Broadcom: VxWorks and eCos
      - Implements 802.11’s group key hierarchy
      - Random numbers: MD5(time in microseconds)
      - GNONCE counter is leaked during handshake
      - Attacker only has to predict the group master key (GMK)
      - [Diagram: at boot, RNG, group master key (GMK), counter (GNONCE), SHA-1, Group Temporal Key (GTK)]

  31. Broadcom: VxWorks and eCos
      - Implements 802.11’s group key hierarchy
      - Random numbers: MD5(time in microseconds)
      - GNONCE counter is leaked during handshake
      - Attacker only has to predict the group master key (GMK)
      - [Diagram: WRT54Gv5; OpenCL, ~4 mins; GMK & GTK]

  32. Surely no one implemented this…?
      - [Diagram labels: Weakened 802.11 RNG; Depends on OS; Estimated ~22% of Wi-Fi networks; Open Firmware; Custom RNG; Hostapd: /dev/random]

  33. Open Firmware
      - Open Firmware:
        - An open source BIOS
        - Supports client Wi-Fi functionality in BIOS (!)
        - Randomness from boot time & linear congruential generator
      - Hostapd:
        - Based on 802.11 group key hierarchy
        - Also injects new entropy on group rekeys!
        - Reads from /dev/random on boot & when clients join
        - If not enough entropy is available, connections are rejected

  34. Agenda: security of group keys
      - Flawed generation; inject & decrypt all traffic; force RC4 in handshake; new Wi-Fi tailored RNG

  35. Injecting unicast packets?
      - Put unicast IP packet in a broadcast frame?
      - [Diagram: frame with 802.11-specific fields (Flags: to client; Receiver: FF:⋯:FF) followed by Source IP, Destination IP, Data]
      - Detected by “Hole 196” check
      - Hole 196 check is done at the network layer … but an AP works at the link layer!

  36. Forging unicast frames using group key
      - Abuse AP to bypass Hole 196 check
      - [Diagram: Victim, Attacker, AP; frame fields: Sender, Destination, Data]

  37. Forging unicast frames using group key
      - Abuse AP to bypass Hole 196 check:
        - Step 1: inject as group frame to AP
      - [Diagram: Victim, Attacker, AP; frame with 802.11-specific fields (Flags: To AP; Receiver: FF:⋯:FF; Final dest.: Victim) followed by Sender, Destination, Data; encrypted using group key]

  38. Forging unicast frames using group key
      - Abuse AP to bypass Hole 196 check:
        - Step 1: inject as group frame to AP
        - Step 2: AP processes and routes frame
      - [Diagram: Victim, Attacker, AP; frame with 802.11-specific fields (Flags: To AP; Receiver: FF:⋯:FF; Final dest.: Victim) followed by Sender, Destination, Data; decrypted using group key]
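
Added example (not from the slides and not any vendor's or hostapd's code): a minimal model of the hierarchy on the "How are group keys generated?" slide, next to a rekey that injects fresh entropy as the Hostapd slide describes, to show why a one-time master key leak exposes every later GTK only in the first design. It uses the 802.11 PRF (HMAC-SHA1) with the "Group key expansion" label; the class and function names, the big-endian counter encoding, the HMAC-SHA256 reseed step and the MAC address are assumptions made for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"Group key expansion"  # label of the 802.11 GTK derivation

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11-style PRF: concatenation of HMAC-SHA1(key, label || 0 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def gtk(gmk: bytes, aa: bytes, gnonce: int) -> bytes:
    # Counter encoded as 32 big-endian bytes (assumption); 16-byte key as used by CCMP.
    return prf(gmk, LABEL, aa + (gnonce % (1 << 256)).to_bytes(32, "big"), 16)

class BootOnlyAP:
    """Hierarchy from the slides: GMK and counter are sampled once, at boot."""
    def __init__(self, aa: bytes):
        self.aa = aa
        self.gmk = os.urandom(32)
        self.gnonce = int.from_bytes(os.urandom(32), "big")

    def rekey(self) -> bytes:
        self.gnonce += 1                      # counter +1, no new entropy
        return gtk(self.gmk, self.aa, self.gnonce)

class ReseedingAP(BootOnlyAP):
    """Sketch of the mitigation: fold fresh entropy into the GMK on every rekey."""
    def rekey(self) -> bytes:
        self.gmk = hmac.new(self.gmk, os.urandom(32), hashlib.sha256).digest()
        return super().rekey()

def leak_exposes_future(ap_cls, n: int = 3) -> bool:
    """True if a snapshot of (GMK, counter) determines the next n group keys."""
    aa = bytes.fromhex("020000000001")        # constructed AP MAC address
    ap = ap_cls(aa)
    leaked_gmk, leaked_gnonce = ap.gmk, ap.gnonce   # state before any rekey
    actual = [ap.rekey() for _ in range(n)]
    derived = [gtk(leaked_gmk, aa, leaked_gnonce + k) for k in range(1, n + 1)]
    return actual == derived

if __name__ == "__main__":
    print("boot-only entropy :", leak_exposes_future(BootOnlyAP))
    print("reseed on rekey   :", leak_exposes_future(ReseedingAP))
```

Reseeding on rekey limits what a past leak reveals, but it only helps if the entropy source used at rekey time is itself unpredictable.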
