Security of Wireless Protocols
Mati Vait
December 15, 2010

Contents
◮ WPA and WPA2?
◮ Common parts in WPA & WPA2
◮ WPA Encryption and Decryption
◮ WPA2 Encryption and Decryption
◮ Attacks on WPA
◮ Attacks on WPA and WPA2
◮ Conclusion

WPA and WPA2
What is WPA?
◮ RC4, Michael MIC
What is WPA2?
◮ CCMP

Common parts in WPA & WPA2
◮ association
◮ authentication
◮ 4-Way Handshake
◮ Group-Key Handshake

WPA Encryption

WPA Decryption

WPA2 Encryption

WPA2 Decryption

Attacks on WPA
◮ Beck-Tews Attack
◮ Enhanced Message Falsification Attack
◮ TKIP Michael Reset Attack

Beck-Tews Attack
Retrieve the RC4 keystream from a short encrypted packet; the keystream is then used to encrypt a custom packet and falsify the original captured packet. The attack is possible because QoS provides multiple channels and each channel has its own TSC, which is incremented independently.

Beck-Tews Attack
1. capture a short packet with known plaintext, e.g. an ARP packet
2. extract parts of the keystream using the known plaintext
3. use a Chopchop-like technique to extract the last unknown 12 bytes (MIC, ICV) of the ciphertext (12-15 minutes)
   ◮ if the ICV is incorrect, the packet is silently discarded
   ◮ if the MIC is incorrect, a MIC failure report frame is sent (the attacker has to wait 60s before sending another guess)
4. reverse the MIC from the decrypted packet to get the MIC key
5. assemble the new packet
   ◮ calculate new MIC' over new plaintext P
   ◮ calculate new ICV' over P || MIC'
   ◮ encrypt the new packet with the old IV and keystream
   ◮ send the new packet on another channel that has a lower TSC
If IV ≤ TSC holds and MIC' and ICV' are correct, then the original packet is falsified.

Enhanced Message Falsification Attack
Toshihiro Ohigashi and Masakatu Morii suggested not using the different channels provided by QoS but launching a MITM attack instead, in the following way:
◮ the attacker acts as a repeater between the access point and the client
◮ the attacker forwards messages selectively; during the guessing phase everything is blocked (TSC!)

TKIP Michael Reset Attack
◮ IEEE 802.11 allows packets to be sent in up to 16 fragments
◮ two different ways to get the IV/keystream pairs needed to encrypt the new packet (known plaintext from ARP/IP packets, or using another malicious party connected to the external network)
◮ find MIC magic words!
◮ build the new packet (old headers, new content, magic words, old packet, old MIC)
◮ requires QoS

Attacks on WPA and WPA2
◮ Dictionary Attack on Weak PSKs
◮ 4-Way Handshake DoS Attack
◮ Hole-196 Vulnerability

Dictionary Attack on Weak PSKs
Pre-shared keys in use are not strong enough and can be brute-forced using a dictionary or rainbow tables.

4-Way Handshake DoS Attack
◮ AP sends ANonce to STA, based on which STA calculates PTK
◮ Adversary X sends another ANonce', packaged as message #1, to STA, and STA calculates PTK'
◮ STA drops every packet from AP and the 4-way handshake is blocked
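
The handshake failure described on this slide, simulated offline as an added example (not code from the slides). The PMK, MAC addresses and message-3 frame are constructed sample values, the Station class and run_handshake are hypothetical names, and the hardened mode (re-derive the PTK from the ANonce carried in message 3) is a mitigation assumed for this example, not stated on the slides.

```python
import hashlib, hmac, os

def prf(key, label, data, nbytes):
    # 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # 384-bit PTK (CCMP)

def mic(ptk, frame):
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]  # KCK = PTK[0:16]

class Station:
    def __init__(self, pmk, aa, spa, hardened):
        self.pmk, self.aa, self.spa, self.hardened = pmk, aa, spa, hardened
        self.snonce = os.urandom(32)   # simplification: one SNonce per handshake
        self.ptk = None

    def on_msg1(self, anonce):
        # Message 1 carries no MIC, so the STA cannot tell the AP from adversary X.
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return self.snonce             # sent back in message 2

    def on_msg3(self, anonce, frame, tag):
        ptk = self.ptk
        if self.hardened:              # assumed mitigation: trust only message 3's ANonce
            ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return hmac.compare_digest(mic(ptk, frame), tag)

def run_handshake(hardened, forged_msg1):
    pmk = hashlib.sha256(b"constructed PMK").digest()      # constructed sample values
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sta = Station(pmk, aa, spa, hardened)
    anonce = os.urandom(32)
    snonce = sta.on_msg1(anonce)                           # genuine message 1
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)      # AP derives PTK from message 2
    if forged_msg1:
        sta.on_msg1(os.urandom(32))                        # ANonce' overwrites PTK with PTK'
    frame = b"EAPOL-Key msg3 (constructed)" + anonce
    return sta.on_msg3(anonce, frame, mic(ap_ptk, frame))  # True = handshake proceeds

if __name__ == "__main__":
    for h in (False, True):
        for f in (False, True):
            print(f"hardened={h} forged_msg1={f} -> msg3 accepted: {run_handshake(h, f)}")
```

Only the unhardened station that received the forged message #1 rejects the AP's message 3, which is the blocked handshake the slide describes.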

Hole-196 Vulnerability
Page 196 of the IEEE 802.11-2007 standard. There it is stated that "Group keys do not provide per packet authentication ...". So what?
◮ Group Keys protect multicast and broadcast communication
◮ all of the connected clients share the same Group Key
◮ nothing in the standard forbids a connected client from sending multicast or broadcast messages pretending to be the AP
◮ possible attacks: ARP poisoning, DoS, MITM

Conclusion
◮ use WPA2
◮ on WPA disable QoS
◮ on WPA use short rekeying intervals, e.g. 120s

Questions?

Thank you!