Wireless
Security
Supervisor: Prof. Alfredo De Santis
Students: Lino Sarto, Giorgio Vitiello
Contents
1. Security Overview
2. IEEE 802.11i Security
3. Challenges
4. “KRACKing” WPA2
1.
Security Overview
Let’s introduce the main wireless
network security solutions
CIA
Confidentiality
Integrity
Availability
WLAN Family of Technologies
◎IEEE 802.11 Open System Authentication
◎WEP
◎802.11 Shared Key Authentication
◎Wi-Fi Protected Access (WPA), WPA2, WPA3
◎WPA/WPA2/WPA3 Personal Mode
◎WPA/WPA2/WPA3 Enterprise
Encryption type used in public Wi-Fi hotspots
Share of Wi-Fi hotspots that use WPA/WPA2
Industry Organizations
IEEE
The IEEE is a
nonprofit
organization
responsible for
generating a variety
of technology
standards. Most
important of these
to us is the 802.11
standard.
Wi-Fi Alliance
The Wi-Fi Alliance is
responsible for
many WLAN
interoperability
certifications, such as
WPA, WPA2 and
WPA3.
IETF
The IETF is
responsible for
creating Internet
standards and
promoting Internet
technology and
usage through the
adoption of Request
for Comment (RFC)
documents.
Wi-Fi Alliance Certification Process
Proprietary
Protocols and
Features Sets
WLAN
Manufacturers
IEEE 2012 Specs
Products From Wireless
Industry
Bypass
Compliance
Testing
Wi-Fi Alliance
Compliance
Assurance
Programs
Consumer
Market
Example Certification
Home Office Security
◎Typically consist of one wireless AP and a
limited number of devices that associate to
the network
◎WPA2/WPA3 passphrase is adequate
◎As a best practice, reconfigure the WLAN AP
or router to use a strong passphrase
Small Business Security
◎Small business Wi-Fi may be controller-
based or cloud-based, which provide the
opportunity to use stronger security
mechanisms such as 802.1X/EAP
◎Small business security should consider
using only WPA2/WPA3 for CCMP/AES and
not TKIP/RC4
Large Enterprise Security
◎At this scale, security needs are much more
policy-driven and granular than in small
networks
◎ May use port-based access control
○ Virtual ports used within the AP
◎Should not rely on the WPA2/WPA3
authentication and encryption provided by
the WLAN as your only security
○ Security should be properly implemented
throughout the network (layered security)
OSI Model Security
Security techniques
work at various levels
of the OSI model from
the lowest, the
Physical layer, to the
highest, the
Application layer.
OSI Model Security Application Layer
Use of secure
applications assists in
network security
Network (IP) Layer
Use of secure infrastructures
and protocols. One common
way is to use VPN
Data Link (MAC) Layer
Data encryption and
authentication should be used.
Encryption must occur within
the data payload of the data
frames that traverse the air.
Layer 2 security types include
WEP, TKIP/RC4, CCMP/AES, and
802.1X/EAP
The Physical Layer
Monitoring and alert systems
should be used. Potential
vulnerabilities include
eavesdropping on unsecured
communications and intentional
RF interference (jamming)
Attack Surface
“
If you do not need a particular
technology or capability for some
beneficial business purpose, do not
use it or leave it in place for others
to use.
Attack Wireless Reduction: Points of Entry
One Simple Attack Scenario
Imagine an
individual posing as a
copy machine repair
person. He pulls out a
small-footprint tablet
or laptop PC and
connects it to the
Ethernet port in the
office.
One Simple Attack Scenario
◎ He notices that the port is active, so he
opens a command prompt and types the
command ipconfig /renew to see if a
DHCP server is available on the network
◎ The attacker now has an IP address on
your network, along with additional
information like gateway (router), subnet
mask, and DNS servers in use
One Simple Attack Scenario
◎ The next step might be to begin looking
for devices to access on the network,
using a scanning tool such as nmap
One Simple Attack Scenario
One Simple Attack Scenario
◎ The attacker runs a script that tries to
connect to port 80 using HTTP on all the
discovered devices
◎ The attacker can reasonably assume
that these might be infrastructure
devices like switches or APs, which could
potentially be configured through a web
interface on printers
One Simple Attack Scenario
◎ Even if he did not know the default
credentials, he could easily look them up
online, where many lists of network
default information are openly shared
◎ Attack surface reduction, applied to this
scenario, demands that the Ethernet
port in the spare office be disabled until
it is needed
Wireless Traversal Points
Wireless Traversal Points
◎ After the data has traveled the network to
its final destination, it is processed in
some way
◎ In many cases, the data is stored in live
storage. It has two points of access
○ Network
○ Storage device
◎ Attacker may breach the network access
portion of your security
○ You should use secure authorization at
the point of live storage (permissions)
2.
IEEE 802.11i
Security
Preview the IEEE 802 protocol
architecture and describe general
network attacks common to wired
and wireless networks
IEEE 802 vs OSI
Physical
Data Link
Network
Physical
IEEE 802 Reference
Model
Logical Link
Control
Medium Access
Control
Transport
Session
Presentation
Application
802.11 Frame with WPA2 Header (Simplified)
Frame fields, in order: Frame Control | Addr 1 | Addr 2 | Addr 3 | Key ID, Packet Number | MSDU | FCS
◎Frame Control: specifies frame type and further details
◎Addr 1: MAC address of wireless host or AP to receive this frame
◎Addr 2: MAC address of wireless host or AP transmitting this frame
◎Addr 3: MAC address of router interface to which AP is attached
◎Key ID, Packet Number: Packet Number stores the replay counter, Key ID identifies which key is used
◎FCS: used to detect errors
802.11 Frame Aggregation
IEEE 802.11 Network Components and
Architectural Model
Distribution System (DS)
IEEE 802.11 Services
Service | Provider | Used to Support
Association | Distribution system | MSDU delivery
Authentication | Station | LAN access and security
Deauthentication | Station | LAN access and security
Disassociation | Distribution system | MSDU delivery
Distribution | Distribution system | MSDU delivery
Integration | Distribution system | MSDU delivery
MSDU delivery | Station | MSDU delivery
Privacy | Station | LAN access and security
Reassociation | Distribution system | MSDU delivery
Distribution of Messages Within a DS
◎Distribution service
○ Used to exchange MAC frames from station in one
BSS to station in another BSS
◎Integration service
○ Transfer of data between station on IEEE 802.11
LAN and station on integrated IEEE 802.x LAN
Transition Types Based On Mobility
◎No transition
○ Stationary or moves only within BSS
◎BSS transition
○ Station moving from one BSS to another BSS in
same ESS
◎ESS transition
○ Station moving from BSS in one ESS to BSS within
another ESS
Association-Related Services
◎Association
○ Establishes initial association between station and
AP
◎Reassociation
○ Enables transfer of association from one AP to
another, allowing station to move from one BSS to
another
◎Disassociation
○ Association termination notice from station or AP
IEEE 802.11i Wireless LAN Security
The significant
differences between
wired and wireless
LANs suggest the
increased need for
robust security
services and
mechanisms for
wireless LANs
Access and Privacy Services
◎Authentication
○ Establishes identity of stations to each other
◎Deauthentication
○ Invoked when existing authentication is
terminated
Access and Privacy Services
◎Access control
○ Enforces the use of the authentication function,
routes the messages properly, and facilitates key
exchange
◎Privacy
○ Prevents message contents from being read by
unintended recipient
IEEE 802.11i Phases of Operation
STA AP AS End
Station
Discovery
Phase
Security Capabilities
◎STA and AP decide on specific techniques
in the following areas
○ Confidentiality and MPDU integrity protocols for
protecting unicast traffic
○ Authentication method
○ Cryptography key management approach
◎Confidentiality and integrity protocols for
protecting multicast/broadcast traffic are
dictated by the AP
Security Capabilities
◎The options for the confidentiality and
integrity cipher suite are
○ WEP, with either a 40-bit or 104-bit key, which
allows backward compatibility with older IEEE
802.11 implementations
○ TKIP
○ CCMP
○ Vendor-specific methods
Security Capabilities
◎Authentication and key management
(AKM)
○ IEEE 802.1X
○ Pre-shared key
○ Vendor-specific methods
Network and Security Capability Discovery
Station sends a
request to join
network
AP periodically
broadcast its security
capabilities in a specific
channel through the
Beacon frame
STA AP
Probe request
Probe response
Open System Authentication
Station sends a
request to join
network
Probe request
Probe response
Station sends a
request to perform
null authentication
Open system
authentication request
Open system
authentication response
Provides no security, is
simply to maintain
backward compatibility
with the IEEE 802.11
state machine
STA AP
Association
Station sends a
request to join
network
AP sends the associated
security parameters
Station sends a
request to perform
null authentication
Station sends a
request to associate
with AP with security
parameters
Association request
Association response
Station sets
selected
security
parameters
If there is no match in
capabilities between the
AP and the STA, the AP
refuses the Association
Request and STA blocks
controlled ports
STA AP
Probe request
Probe response
Open system
authentication request
Open system
authentication response
Authentication
Phase
“
If your
authentication is weak, little else
matters in your security
Tom Carpenter (Wireless Expert)
AAA
Authentication
Authentication can
be accomplished in a
variety of ways
including
username/password
pair and user
certificates.
Authorization
Authentication
confirms a user’s
identity, and
authorization
provides access to
network resources
according to policy.
Accounting
Accounting includes
monitoring, analysis,
and reporting of
network events.
◎IETF requires support for mutual
authentication in the creation of a robust
security network association (RSNA)
◎If the server is authenticating the client, but
the client is not authenticating the server,
evil twin attacks and other impersonation
attacks are much easier
Mutual Authentication
Role-based Access Control
IEEE 802.1X: Architecture
WPA2-Enterprise
IEEE 802.1X Access Control Approach
MPDU Exchange
Connect to AS
The STA sends a
request to its AP for
connection to the
AS. The AP
acknowledges this
request and sends
an access request to
the AS.
EAP exchange
This exchange
authenticates the
STA and AS to each
other.
Secure key delivery
Once authentication
is established, the AS
generates a master
session key (MSK)
and sends it to the
STA.
Typical 802.1X Exchange on 802.11
STA AP Radius
1: Eapol-Start
3: Response Identity
5: EAP-Response/Method
2: Request/Identity
7: EAPOL-Key
EAP-Response/Method
EAP-Request/Method
EAP-Success
EAP-Request/Method
Radius-Access-Request
8: Data
......
9: EAPOL- Logoff
4: Radius-Access-Challenge
Radius-Access-Request
Radius-Access-Challenge
Radius-Access-Request
6: Radius-Access-Accept
...
embeddedauth.protocol
Common EAP Authentication Methods
Type Code Authentication Protocol
4 MD5 Challenge
6 GTC
13 EAP-TLS
21 TTLS
25 PEAP
18 EAP-SIM
29 MS-CHAP-V2
EAP Cryptographic Methods
Code 25:
EAP-PEAP
Code 13:
EAP-TLS
Code 21:
EAP-TTLS
LEAP
EAP Non-Cryptographic Methods
Code 18:
EAP-SIM
Code 4:
MD5-Challenge
Code 23:
EAP-AKA
Code 29:
EAP-MSCHAP-V2
Code 6:
Generic Token Card
EAP Other Inner Authentication Methods
Challenge Handshake
Authentication Protocol
(CHAP)
Password
Authentication Protocol
(PAP)
MS-CHAP-V1
Key
Management
Phase
Wired Equivalent Privacy (WEP)
WEP is a security
algorithm for IEEE 802.11
wireless networks.
Introduced as part of the
original 802.11 standard
ratified in 1997. WEP was
at one time widely in use
and was often the first
security choice presented
to users by router
configuration tools
WEP Cryptographic Operations
User Data
CRC32
Initialization
Vector (IV)
WEP Key
WEP Key
+
Initialization
Vector (IV)
RC4
IV
Encrypted
Data
User Data +
ICV
WEP weaknesses
◎802.11 allows for using a different IV for
each frame, but it is not required
◎WEP uses CRC that is not cryptographically
secure
○ It is easy to predict how changing a single bit will
affect the result of the CRC calculation
◎In 2001, Fluhrer, Mantin and Shamir
published the paper “Weaknesses in the
key Scheduling Algorithm of RC4”
○ FMS attack assumes the ability to recover the first
byte of the encrypted payload
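The CRC weakness listed above, worked through as an added example (not part of the original slides): because CRC-32 is linear and unkeyed, a frame sealed WEP-style can be modified and its ICV patched without the key, while a keyed tag rejects the same change. The IV, keys and payload are constructed sample values, and HMAC-SHA256 is a stand-in for a keyed MIC.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample values (not from the slides).
IV = bytes.fromhex("a1b2c3")            # 24-bit IV
KEY = bytes.fromhex("0102030405")       # 40-bit WEP key
MIC_KEY = b"constructed-mic-key"
DATA = b"PAY 0100 EUR"
TARGET = b"PAY 9100 EUR"


def rc4(key: bytes, n: int) -> bytes:
    """Textbook RC4: key schedule, then n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def wep_seal(iv: bytes, key: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return xor(body, rc4(iv + key, len(body)))   # RC4 seeded with IV || key


def wep_open(iv: bytes, key: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    data, got = body[:-4], body[-4:]
    return got == icv(data), data


def patch_without_key(ct: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0),
    so the ICV correction depends only on the chosen bit flips."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + fix)


def mic_seal(iv: bytes, key: bytes, mic_key: bytes, data: bytes) -> bytes:
    tag = hmac.new(mic_key, data, hashlib.sha256).digest()[:8]
    body = data + tag
    return xor(body, rc4(iv + key, len(body)))


def mic_open(iv: bytes, key: bytes, mic_key: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    data, got = body[:-8], body[-8:]
    want = hmac.new(mic_key, data, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(got, want), data


def demo():
    delta = xor(DATA, TARGET)                     # bits to flip
    crc_ok, crc_data = wep_open(IV, KEY, patch_without_key(wep_seal(IV, KEY, DATA), delta))
    tampered = xor(mic_seal(IV, KEY, MIC_KEY, DATA), delta + bytes(8))
    mic_ok, _ = mic_open(IV, KEY, MIC_KEY, tampered)
    return crc_ok, crc_data, mic_ok


if __name__ == "__main__":
    print(demo())
```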
The Temporal Key Integrity Protocol (TKIP)
The major motivation for
the development of TKIP
was to upgrade the
security of WEP-based
hardware. TKIP retains
the basic architecture
and operations of WEP
because it was designed
to be a software upgrade
to WEP-based solutions
TKIP, IV Use and Key Mixing
◎To mitigate the attacks against IV, TKIP
doubles the length of the IV from 24 to 48
bits
○ Increase the size of IV space from 16 million to 281
trillion
◎TKIP performs key mixing to mitigate
attacks against WEP
○ Every frame is encrypted with an RC4 key unique
to that frame
○ Extends IV (incorporating sending MAC address)
TKIP Sequence Number and Replay Protection
◎TKIP IV serves as a sequence counter
○ When a new master key is installed the
IV/sequence counter is set to 1
◎TKIP maintains the most recent sequence
counter value received from each station
○ It defends against replay attacks
The Michael Integrity Check
◎WEP’s integrity check is a linear hash value
○ Unsuitable for cryptographic operations
◎Michael is stronger than a simple linear
hash
◎Michael is implemented entirely with
bitwise operations
○ It is better than CRC but it does not offer security
against a determined attack
TKIP Frame Processing Encryption
Michael
User
Data
MIC Key
Transmitted
Address (TA)
Destination
Address (DA)
Priority
Field
MIC +
User Data
Message
Transmitted
Address (TA)
Temporal Key
(TK)
Phase 1
Key Mixing
Phase 2
Key Mixing
48-bit IV
Key RC4
Counter Mode with CBC-MAC (CCMP)
CCMP is an encryption
protocol designed for
Wireless LAN products
that implements the
standards of the IEEE
802.11i amendment. It is
based upon the Counter
Mode with CBC-MAC
(CCM mode) of the
Advanced Encryption
Standard (AES) standard
CCMP Frame Processing Encryption
Plaintext MPDU
MAC Header
Construct
Additional
Authentication Data
CCM
Enc
||Data Encrypted
MPDU
Construct
CCMP
Header
TK
PN
Key ID
Increment
Packet
Number
Construct
Nonce
MAC_send,
Priority
CCM Encryption and Integrity
[Figure: integrity check (chain of AES blocks over the IV, the Header and the 128-bit Data blocks under the Data Integrity Key, producing the MIC) and CTR-mode encryption under the Data Encryption Key; frame layout: Header | Data | MIC | FCS]
CCMP Encryption and Integrity
IV = Flag1 || Flag || MAC_send || Nonce || Length(Data + Plaintext)_16
CTR = Flag2 || Flag || MAC_send || Nonce || 0_16
Nonce = PRF (Random Number, “InitCounter”, MAC_send || Time, 256)
RSN: Cryptographic Algorithms
Confidentiality
● TKIP (RC4)
● CCM (AES-CTR)
● NIST Key Wrap
Integrity and Data
Origin Authentication
● HMAC-SHA1
● HMAC-MD5
● TKIP (Michael MIC)
● CCM (AES-CBC-MAC)
Key Generation
● HMAC-SHA1
● RFC 1750
Pairwise Keys
Pairwise keys are used for
communication between
STA and AP. There are two
possibilities:
◎ pre-shared key (PSK)
◎ master session key
(MSK)
A pairwise master key
(PMK) is derived from the
master key.
Key Management Phase
Group Keys
Group keys are used for
multicast communication.
At the top level of the
group key hierarchy is the
group master key (GMK).
The GMK is a key-
generating key used with
other inputs to derive the
group temporal key (GTK).
Pairwise Key Hierarchy
Derive the PTK (for CCMP)
PTK =
PRF (PMK, “Pairwise key expansion”,
min (AMAC, SMAC) ||
max (AMAC, SMAC) ||
min (Anonce, Snonce) ||
max (Anonce, Snonce),
384)
IEEE 802.11i Pseudorandom Function
[Figure: HMAC-SHA1 keyed with K over A || 0 || B || i, with i incremented each round]
PRF (K, A, B, Len):
    R = null
    for i = 0 to ((Len + 159)/160 − 1)
        R = R || HMAC-SHA1 (K, A || 0 || B || i)
    return Truncate-to-Len (R, Len)
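The PRF and the PTK derivation from the two slides above, as an added Python example (not part of the original slides). It also shows the AP-side MIC check on message 2 of the 4-way handshake. The PMK, MAC addresses, nonces and frame body are constructed sample values; the KCK/KEK/TK split of the 384-bit PTK and the HMAC-SHA1-128 handshake MIC are the WPA2/CCMP conventions.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

# Constructed sample values (not from the slides).
PMK = hashlib.sha256(b"constructed PMK").digest()            # 256-bit PMK
AMAC = bytes.fromhex("020000000001")                         # AP MAC
SMAC = bytes.fromhex("020000000002")                         # station MAC
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
MSG2_BODY = b"constructed EAPOL-Key message 2 body"


def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """PRF(K, A, B, Len): concatenate HMAC-SHA1(K, A || 0 || B || i)
    for i = 0 .. (Len + 159)/160 - 1, then truncate to Len bits."""
    out = b""
    for i in range((bits + 159) // 160):
        block = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, block, hashlib.sha1).digest()
    return out[: bits // 8]


def ptk_input(amac: bytes, smac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """min/max ordering makes both sides build the same string."""
    return (min(amac, smac) + max(amac, smac)
            + min(anonce, snonce) + max(anonce, snonce))


def derive_ptk(pmk, amac, smac, anonce, snonce) -> dict:
    """384-bit PTK for CCMP, split into KCK, KEK and TK (128 bits each)."""
    ptk = prf(pmk, LABEL, ptk_input(amac, smac, anonce, snonce), 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def handshake_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over a handshake frame keyed with the KCK (HMAC-SHA1-128)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def ap_verifies_msg2(ap_pmk: bytes, frame: bytes, mic: bytes) -> bool:
    """AP side after message 2: derive the PTK from its own PMK and
    the received SNonce, then check the MIC the station attached."""
    kck = derive_ptk(ap_pmk, AMAC, SMAC, ANONCE, SNONCE)["KCK"]
    return hmac.compare_digest(handshake_mic(kck, frame), mic)


def station_builds_msg2(sta_pmk: bytes):
    """Station side after message 1: derive the PTK and MIC message 2."""
    kck = derive_ptk(sta_pmk, AMAC, SMAC, ANONCE, SNONCE)["KCK"]
    return MSG2_BODY, handshake_mic(kck, MSG2_BODY)


if __name__ == "__main__":
    frame, mic = station_builds_msg2(PMK)
    print("same PMK on both sides:", ap_verifies_msg2(PMK, frame, mic))
    wrong = hashlib.sha256(b"a different PMK").digest()
    frame, mic = station_builds_msg2(wrong)
    print("station holds wrong PMK:", ap_verifies_msg2(PMK, frame, mic))
```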
4-way handshake
(optional 802.1X authentication)
AP → STA: AMAC, ANonce, sn, Msg1
STA: Derive PTK
STA → AP: SMAC, SNonce, sn, Msg2, MIC_KCK(SNonce, sn, Msg2)
AP: Derive PTK, Verify MIC
PTK =
PRF (PMK, “Pairwise key expansion”,
min (AMAC, SMAC) ||
max (AMAC, SMAC) ||
min (Anonce, Snonce) ||
max (Anonce, Snonce),
384 [key length])
4-way handshake
(optional 802.1X authentication)
AP → STA: AMAC, ANonce, sn, Msg1
STA: Derive PTK
STA → AP: SMAC, SNonce, sn, Msg2, MIC_KCK(SNonce, sn, Msg2)
AP: Derive PTK, Verify MIC
AP → STA: AMAC, ANonce, sn+1, Msg3, Enc_KEK(GTK), MIC_KCK(ANonce, sn+1, Msg3)
STA: Verify MIC, Install PTK & GTK, Update sn
STA → AP: SMAC, SNonce, sn+1, Msg4, MIC_KCK(sn+1, Msg4)
AP: Install PTK, Update sn
Encrypted data frames can now be exchanged
3.
Challenges
We’ll use Aircrack-ng to recover
WEP and WPA2 personal wireless
keys by eavesdropping on and
injecting traffic into a wireless
network, and we’ll use Bully to
brute-force a WPS PIN
Weak Key
Web application security,
firewalls, security-
awareness training, and so
on can do nothing to
protect an internal
network if there’s an
attacker sitting on a bench
in front of the target
organization’s building and
the organization provides
wireless access with weak
encryption to the internal
network
Viewing Available Wireless Interfaces
Scan for Access Points
Monitor Mode
Monitor Mode
Monitor Mode
Capturing Packets
Open Wireless
Open wireless networks
are a real disaster from a
security perspective
because anyone within
antenna range of the
access point can connect
to that network. Also, the
wireless packets traveling
through an open network
are not encrypted, and
anyone listening can see
any data in plaintext
Wired
Equivalent
Privacy
Wired Equivalent Privacy
◎The bitwise XOR operation has four
possibilities:
○ 0 XOR 0 = 0
○ 1 XOR 0 = 1
○ 0 XOR 1 = 1
○ 1 XOR 1 = 0
Wired Equivalent Privacy
Encryption
Decryption
Wired Equivalent Privacy
The shared WEP key can be
either 64 or 148 bits.
An initialization vector (IV)
makes up the first 24 bits of
the key to add
randomness, making the
effective key length really
only 40 or 104 bits
Wired Equivalent Privacy
Encryption
Wired Equivalent Privacy
Decryption
WEP
Weakness
Cracking WEP Keys with Aircrack-ng
◎ Base Station MAC Address: 00:23:69:F5:B4:2B
◎ SSID: linksys
◎ Channel: 6
Injecting Packets
◎ -1 tells Aireplay-ng to fake authentication
◎ 0 is the retransmission time
◎ -e is the SSID; in my case linksys
◎ -a is the MAC address of the access point
◎ -h is the MAC address of our card
◎ mon0 is the interface to use for the fake authentication
Generating IVs with the ARP Request Replay attack
◎ -3 performs the ARP request replay attack
◎ -b is the base station MAC address
◎ -h is our Alfa card MAC address
◎ mon0 is the interface
Generating an ARP Request
◎ #Data (IV) increases rapidly
◎ Aireplay-ng continues to retransmit the ARP packet
Cracking the Key
Challenges with WEP Cracking
Access points could use
MAC filtering to allow only
wireless cards with certain
MAC addresses to connect,
and if your Alfa card isn’t
on the list, your fake
authentication attempt will
fail
Wi-Fi
Protected
Access
WPA2
It implements an
encryption protocol built
specifically for wireless
security called Counter
Mode with Cipher Block
Chaining Message
Authentication Code
Protocol (CCMP). CCMP is
built on the Advanced
Encryption Standard (AES)
The Enterprise Connection Process
◎ First the client and AP agree on mutually supported security protocols
◎ AP and the RADIUS server exchange messages to generate a master key
◎ A message that authentication was successful is sent to the AP and
passed on to the client, and the master key is sent to the AP
◎ The AP and the client exchange and verify keys for mutual
authentication, message encryption, and message integrity via a 4-way
handshake
The Personal Connection Process
◎ No RADIUS server is required
◎ WPA/WPA2 personal use pre-shared keys, which are
generated using pre-shared passphrases
◎ The WPA/WPA2 personal passphrase that you enter when
you connect to a secured network is static
Cracking WPA/WPA2 Keys
The cryptographic algorithms
used in WPA and WPA2 are
robust enough to stop
attackers from recovering the
key simply by capturing
enough traffic and
performing cryptanalysis. The
Achilles’ heel in WPA / WPA2
personal networks lies in the
quality of the pre-shared key
(passphrase) used
Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ Airodump-ng -c 6 for the channel
◎ --bssid with the base station MAC address
◎ -w to specify the filename for output
◎ mon0 for the monitor interface
Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ -0 means deauthentication
◎ 1 is the number of deauthentication requests to send
◎ -a 00:14:6C:7E:40:80 is the MAC address of the base station
◎ -c 00:0F:B5:FD:FB:C2 is the MAC address of the client to deauthenticate
Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ If the Airodump-ng capture sees a four-way handshake with a client, it
records it in the first line of the captured output
Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ Open the .cap file in Wireshark with File → Open → filename.cap. Once in
Wireshark, filter for the eapol protocol to see the four packets that
make up the handshake
Using Aircrack-ng to Crack WPA/WPA2 Keys
◎ Aircrack-ng to test the keys in the wordlist
◎ -w option to specify a list
Wi-Fi
Protected
Setup
Cracking WPS with Bully
◎ -b flag to specify the MAC address
◎ -e flag for the SSID
◎ -c flag for the channel
◎ Kali provides tools that you can use to implement a
brute-force attack against WPS. One such tool is Bully
4.
Key Reinstallation
Attacks: Forcing
Nonce Reuse in
WPA2
https://papers.mathyvanhoef.com/ccs2017.pdf
KRACK Overview
Concretely, attackers can
use this novel attack
technique to read
information that was
previously assumed to be
safely encrypted. This can
be abused to steal sensitive
information such as credit
card numbers, passwords,
chat messages, emails,
photos, and so on
About Authors
Frank Piessens is a professor in the
research group DistriNet (Distributed
Systems and Computer Networks) at the
Computer Science department of the
Katholieke Universiteit Leuven (BE).
Mathy Vanhoef is a postdoctoral researcher at
Katholieke Universiteit Leuven (BE), where he currently
performs research on automatically discovering
logical vulnerabilities in network protocol
implementations.
Assigned CVEs Identifiers
◎ CVE-2017-13077
◎ CVE-2017-13078
◎ CVE-2017-13079
◎ CVE-2017-13080
◎ CVE-2017-13081
◎ CVE-2017-13082
◎ CVE-2017-13084
◎ CVE-2017-13086
◎ CVE-2017-13087
◎ CVE-2017-13088
KRACK: historical impact
Frame Encryption (Simplified)
Enc
Nonce (packet number)
PTK (TK)
Encrypted Data
Keystream
Nonce
Plaintext Data
Packet Key
Nonce reuse implies keystream
reuse (in all WPA2 ciphers)
Frame Encryption: CCMP Example
AES AES AES
CTR CTR + 1 CTR + N
. . .
PTK (TK) PTK (TK) PTK (TK)
Plaintext 1 Plaintext 2 Plaintext N
Encrypted Data
Keystream
Nonce
. . .
Frame Encryption: CCMP Example
AES AES AES. . .
PTK (TK)
Plaintext 1 Plaintext 2 Plaintext N
Encrypted Data
Keystream
Nonce
CTR = Flag2 || Flag || MAC_send || Nonce || 0_16
CTR CTR + 1 CTR + N
PTK (TK)PTK (TK)
. . .
4-way handshake
(optional 802.1X authentication)
AP → STA: AMAC, ANonce, sn, Msg1
STA: Derive PTK
STA → AP: SMAC, SNonce, sn, Msg2, MIC_KCK(SNonce, sn, Msg2)
AP: Derive PTK, Verify MIC
AP → STA: AMAC, ANonce, sn+1, Msg3, Enc_KEK(GTK), MIC_KCK(ANonce, sn+1, Msg3)
STA: Verify MIC, Install PTK & GTK, Update sn
STA → AP: SMAC, SNonce, sn+1, Msg4, MIC_KCK(sn+1, Msg4)
AP: Install PTK, Update sn
Encrypted data frames can now be exchanged
Installing PTK initializes Nonce to 0
Client State Machine
Key Reinstallation Attack - Complications
◎Not all Wi-Fi clients properly implement the
state machine
○ Still vulnerable against the group key handshake
and FT handshake
◎We must obtain a MitM position between
the client and AP
○ It is difficult due to 4-way handshake
○ The solution is to employ a channel-based MitM
attack
Key Reinstallation Attack
Msg1(r, Anonce)
Msg2(r,
Snonce)
Msg3(r+1, GTK)
optional 802.1X authentication
Msg1(r, Anonce)
Msg2(r,
Snonce)
Msg3(r+1, GTK)
Msg4(r+1)
Install PTK
& GTK
Block Msg4
Channel 3 Channel 5
Key Reinstallation Attack
Msg4(r+1)Install PTK
& GTK
Msg3(r+2, GTK)Msg3(r+2, GTK)
Enc1
PTK(Msg4(r+2))
Reinstall
PTK & GTK
Key Reinstallation!
Nonce is reset
Key Reinstallation Attack
Msg4(r+1)Install PTK
& GTK
Msg3(r+2, GTK)Msg3(r+2, GTK)
Enc1
PTK(Msg4(r+2))
Reinstall
PTK & GTK
Enc1
PTK(Data(...)) Enc1
PTK(Data(...))
Key Reinstallation Attack
Msg4(r+1)Install PTK
& GTK
Msg3(r+2, GTK)Msg3(r+2, GTK)
Enc1
PTK(Msg4(r+2))
Reinstall
PTK & GTK
Enc1
PTK(Data(...)) Enc1
PTK(Data(...))
Same Nonce
is used
Key Reinstallation Attack
Msg4(r+1)Install PTK
& GTK
Msg3(r+2, GTK)Msg3(r+2, GTK)
Enc1
PTK(Msg4(r+2))
Reinstall
PTK & GTK
Enc1
PTK(Data(...)) Enc1
PTK(Data(...))
Keystream
Key Reinstallation Attack
Msg4(r+1)Install PTK
& GTK
Msg3(r+2, GTK)Msg3(r+2, GTK)
Enc1
PTK(Msg4(r+2))
Reinstall
PTK & GTK
Enc1
PTK(Data(...)) Enc1
PTK(Data(...))
Keystream
Decrypted!
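Why reinstalling the key matters, and what a patched client does differently, as an added Python example (not part of the original slides). A station that resets its packet number when message 3 is retransmitted encrypts two frames under the same nonce, so the XOR of the ciphertexts equals the XOR of the plaintexts; a station that refuses to reinstall a key already in use keeps counting. The keystream is an HMAC-SHA256 stand-in for AES-CTR, and the key, MAC address and payloads are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the slides).
TK = hashlib.sha256(b"constructed temporal key").digest()[:16]
MAC = bytes.fromhex("020000000002")
P1 = b"first frame after install  "
P2 = b"frame after retransmission "   # same length as P1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(tk: bytes, mac: bytes, pn: int, n: int) -> bytes:
    """Stand-in for AES-CTR. As in CCMP, the nonce is built from the
    sender MAC and the packet number, so (TK, PN) fixes the keystream."""
    nonce = mac + pn.to_bytes(6, "big")
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(tk, nonce + ctr.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class Station:
    """Transmit side of a client after the 4-way handshake."""

    def __init__(self, mac: bytes, hardened: bool):
        self.mac = mac
        self.hardened = hardened
        self.tk = None
        self.pn = 0

    def install_key(self, tk: bytes) -> bool:
        """Called each time a valid message 3 is processed."""
        if (self.hardened and self.tk is not None
                and hmac.compare_digest(tk, self.tk)):
            return False              # key already in use: keep the PN
        self.tk = tk
        self.pn = 0                   # installing the PTK resets the nonce
        return True

    def send(self, data: bytes):
        self.pn += 1                  # first frame after install uses PN 1
        ks = keystream(self.tk, self.mac, self.pn, len(data))
        return self.pn, xor(data, ks)


def retransmitted_msg3(hardened: bool):
    """One frame, a retransmitted message 3 with the same key, one frame."""
    sta = Station(MAC, hardened)
    sta.install_key(TK)               # original message 3
    pn1, c1 = sta.send(P1)
    sta.install_key(TK)               # retransmitted message 3
    pn2, c2 = sta.send(P2)
    return pn1, c1, pn2, c2


def keystream_reused(c1: bytes, c2: bytes) -> bool:
    """True when both frames were encrypted with the same keystream."""
    return xor(c1, c2) == xor(P1, P2)


if __name__ == "__main__":
    for mode in (False, True):
        pn1, c1, pn2, c2 = retransmitted_msg3(mode)
        print("hardened" if mode else "vulnerable",
              "PNs:", pn1, pn2, "keystream reused:", keystream_reused(c1, c2))
```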
Encrypted Retransmission of frame 3
◎Some clients, once they have
installed the PTK, accept only
encrypted retransmissions of message 3
◎To attack them, we exploit an inherent race
condition between the entity executing the
4-way handshake, and the entity
implementing the data-confidentiality
protocol
Warm-up: Android Attack
Msg1(r, Anonce)Msg1(r, Anonce)
Msg2(r, Snonce) Msg2(r, Snonce)
Msg3(r+1, GTK)
Msg3(r+2, GTK)
Msg3(r+1, GTK)
Msg3(r+2, GTK)
Warm-up: Android Attack
Msg4(r+1) Msg4(r+1)
Install keys command
Install PTK
& GTK
Msg4(r+2) Enc1
PTK(Msg4(r+2))
Install keys command
Reinstall
PTK & GTK
next transmitted frame will reuse Nonce 1
Attack macOS: encrypted message 3 retransmissions
initial 4-way handshake
Install PTK
& GTK
pairwise rekey in progress
Encx
PTK(Msg3(r+1, GTK))
Encx+1
PTK(Msg3(r+2, GTK))
Msg3(r+1, GTK)
Msg3(r+2, GTK)
Attack macOS: encrypted message 3 retransmissions
Msg4(r+1)
Install keys command
Ency
PTK(Msg4(r+1))
Install
PTK’ &
GTK
Msg4(r+2)
Install keys command
Enc1
PTK’(Msg4(r+2))
Reinstall
PTK’ &
GTK
next transmitted frame will reuse Nonce 1
Breaking the Group Key Handshake
Prerequisites:
◎ Clients will reinitialize the replay counter when
installing an already-in-use group key
○ All Wi-Fi clients are vulnerable
◎ We must be able to collect a group message 1 that the
client (still) accepts, and that contains a group key
that is already in use by the AP
○ According to the standard, the new group key should be installed
after all stations replied with a group message 2
Breaking the Group Key Handshake
◎ Client is attacked, but only AP sends real broadcast
frames
◎ Can only replay broadcast frames to client
Unicast Broadcast
Group Key Handshake
Initial 4-way handshake
Encx
PTK(Group1(r+2, GTK))
Refresh
GTK
Ency
PTK(Group2(r+2))
Install
GTK?
Install
GTK
Install
GTK?
GK Handshake: Immediate Key Installation Attack
Encx
PTK(Group1(r, GTK))
Initial 4-way handshake
Encx
PTK(Group1(r, GTK))
Ency
PTK(Group2(r))
Encx+1
PTK(Group1(r+1, GTK))
Refresh
GTK
Install
GTK
Install
GTK
GK Handshake: Immediate Key Installation Attack
Enc1
GTK(GroupData(...))
Encx+1
PTK(Group1(r+1, GTK))
Enc1
GTK(GroupData(...))
Reinstall
GTK
Reinitialize
replay counter
Enc1
GTK(GroupData(...))
Replay Broadcast
Data Frame!
GK Handshake: Delay Key Installation Attack
Encx
PTK(Group1(r, GTK))
Initial 4-way handshake
Encx
PTK(Group1(r, GTK))
Ency
PTK(Group2(r))
Encx+1
PTK(Group1(r+1, GTK))
Refresh
GTK
Install
GTK
NOT Install
GTK again
GK Handshake: Delay Key Installation Attack
Ency
PTK(Group2(r))
Enc1
GTK(GroupData(...))
Encx+1
PTK(Group1(r+1, GTK))
Enc1
GTK(GroupData(...))
Reinstall
GTK
Reinitialize
replay counter
Install
GTK
Enc1
GTK(GroupData(...))
Replay Broadcast
Data Frame!
The Fast BSS Transition (FT) Handshake
◎Fast Roaming = 802.11r
◎Its goal is to reduce the roaming time when
a client moves from one AP to another of
the same Basic Service Set
◎A new 802.1x handshake is not required
◎It embeds the 4-way handshake stage in
the authentication and reassociation
frames
FT Handshake
AuthReq(Snonce)
ReassReq(ANonce, SNonce, MIC)
Install
PTK?
Install
PTK & GTK
AuthResp(Anonce, Snonce)
Install
PTK?
Install
PTK
ReassResp(ANonce, SNonce, MIC, GTK)
802.11r FT Handshake Attack
◎Access Point is attacked
○ Replay, Decrypt, Forge
◎No MitM required
◎Can keep causing Nonce resets
◎If the reassociation response is lost due to
background noise, the client will retransmit
the reassociation request
○ APs may already be reusing Nonces
802.11r FT Handshake Attack
AuthReq(Snonce)
ReassReq(ANonce, SNonce, MIC)
Install
PTK & GTK
AuthResp(Anonce, Snonce)
Install
PTK
ReassResp(ANonce, SNonce, MIC, GTK)
ReassReq(ANonce, SNonce, MIC)
Enc1
PTK(Data(...))
ReassResp(ANonce, SNonce, MIC, GTK)
next transmitted frames will reuse Nonces
Reinstall
PTK
802.11r FT Handshake Attack
AuthReq(Snonce)
ReassReq(ANonce, SNonce, MIC)
Install
PTK & GTK
AuthResp(Anonce, Snonce)
Install
PTK
ReassResp(ANonce, SNonce, MIC, GTK)
ReassReq(ANonce, SNonce, MIC)
Enc1
PTK(Data(...))
ReassResp(ANonce, SNonce, MIC, GTK)
next transmitted frames will reuse Nonces
Reinstall
PTK
Do NOT contain
Replay Counter!
Cipher suite specific
◎ AES-CCMP
○ No practical frame forging attacks
◎ WPA-TKIP
○ Recover Message Integrity Check key from
plaintext
○ Forge/inject frames sent by the device under
attack
◎ GCMP (WiGig)
○ Recover GHASH authentication key from nonce
reuse
○ Forge/inject frames in both directions
Implementation specific
◎ iOS 10 and Windows: 4-way handshake not affected
○ Cannot decrypt unicast traffic (nor replay/decrypt)
○ But group key handshake is affected (replay
broadcast)
○ Note: iOS 11 does have vulnerable 4-way
handshake
◎wpa_supplicant 2.4+
○ Client used on Linux and Android 6.0+
○ On retransmitted msg3 will install all-zero key
Android all-zero key Attack
Msg3(r+1, GTK)Msg3(r+1, GTK)
Initial stage 4-way handshake
Derive PTK
Msg4(r+1) Msg4(r+1)
Install-key(PTK)
Clear PTK Install PTK
Msg3(r+2, GTK)
Enc1
PTK(Msg4(r+2))
Msg3(r+2, GTK)
Msg4(r+2)
Install-key(0…0) Install all-
zero PTK
Limitation of
the Security
Proofs
Both encryption protocols
and 4-way handshake have
been proven secure...
Limitation of
the Security
Proofs
...but not their
combination!
“
In theory, theory and practice are
the same. In practice, they are not.
Thanks!
Any questions?
Contacts:
l.sarto1@studenti.unisa.it
g.vitiello24@studenti.unisa.it
References
◎ W. Stallings - Cryptography and Network Security, 7-th
edition
◎ CWSP ®Certified Wireless Security Professional Official
Study Guide: Second Edition (CWSP-205)
◎ M. Vanhoef, Frank Piessens - Key Reinstallation
Attacks: Forcing Nonce Reuse in WPA2
◎ G. Weidman - Penetration Testing: A Hands-On
Introduction to Hacking

Wireless Security

  • 1. Wireless Security Supervisor: Prof. Alfredo De Santis Students: Lino Sarto, Giorgio Vitiello
  • 2. Contents 1. Security Overview 2. IEEE 802.11i Security 3. Challenges 4. “KRACKing” WPA2
  • 3. 1. Security Overview Let’s introduce the main wireless network security solutions
  • 5. WLAN Family of Technologies ◎IEEE 802.11 Open System Authentication ◎WEP ◎802.11 Shared Key Authentication ◎Wi-Fi Protected Access (WPA), WPA2, WPA3 ◎WPA/WPA2/WPA3 Personal Mode ◎WPA/WPA2/WPA3 Enterprise
  • 6. Encryption type used in public Wi-Fi hotspots
  • 7. Share of Wi-Fi hotspots that use WPA/WPA2
  • 9. Industry Organizations IEEE The IEEE is a nonprofit organization responsible for generating a variety of technology standards. Most important of these to us is the 802.11 standard. Wi-Fi Alliance The Wi-Fi Alliance is responsible for many WLAN interoperability certifications, such as WPA, WPA2 and WPA3. IETF The IETF is responsible for creating Internet standards and promoting Internet technology and usage through the adoption of Request for Comment (RFC) documents.
  • 10. Wi-Fi Alliance Certification Process Proprietary Protocols and Feature Sets WLAN Manufacturers IEEE 2012 Specs Products From Wireless Industry Bypass Compliance Testing Wi-Fi Alliance Compliance Assurance Programs Consumer Market
  • 12. Home Office Security ◎Typically consist of one wireless AP and a limited number of devices that associate to the network ◎WPA2/WPA3 passphrase is adequate ◎As a best practice, reconfigure the WLAN AP or router to use a strong passphrase
  • 13. Small Business Security ◎Small business Wi-Fi may be controller-based or cloud-based, which provides the opportunity to use stronger security mechanisms such as 802.1X/EAP ◎Small business security should consider using only WPA2/WPA3 for CCMP/AES and not TKIP/RC4
  • 14. Large Enterprise Security ◎At this scale, security needs are much more policy-driven and granular than in small networks ◎ May use port-based access control ○ Virtual ports used within the AP ◎Should not rely on the WPA2/WPA3 authentication and encryption provided by the WLAN as your only security ○ Security should be properly implemented throughout the network (layered security)
  • 15. OSI Model Security Security techniques work at various levels of the OSI model from the lowest, the Physical layer, to the highest, the Application layer.
  • 16. OSI Model Security Application Layer Use of secure applications assists in network security Network (IP) Layer Use of secure infrastructures and protocols. One common way is to use VPN Data Link (MAC) Layer Data encryption and authentication should be used. Encryption must occur within the data payload of the data frames that traverse the air. Layer 2 security types include WEP, TKIP/RC4, CCMP/AES, and 802.1X/EAP The Physical Layer Monitoring and alert systems should be used. Potential vulnerabilities include eavesdropping on unsecured communications and intentional RF interference (jamming)
  • 18. “If you do not need a particular technology or capability for some beneficial business purpose, do not use it or leave it in place for others to use.”
  • 19. Attack Wireless Reduction: Points of Entry
  • 20. One Simple Attack Scenario Imagine an individual posing as a copy machine repair person. He pulls out a small-footprint tablet or laptop PC and connects it to the Ethernet port in the office.
  • 21. One Simple Attack Scenario ◎ He notices that the port is active, so he opens a command prompt and types the command ipconfig /renew to see if a DHCP server is available on the network ◎ The attacker now has an IP address on your network, along with additional information like gateway (router), subnet mask, and DNS servers in use
  • 22. One Simple Attack Scenario ◎ The next step might be to begin looking for devices to access on the network, using a scanning tool such as nmap
  • 23. One Simple Attack Scenario
  • 24. One Simple Attack Scenario ◎ The attacker runs a script that tries to connect to port 80 using HTTP on all the discovered devices ◎ The attacker can reasonably assume that these might be infrastructure devices like switches or APs, which could potentially be configured through a web interface on printers
  • 25. One Simple Attack Scenario ◎ Even if he did not know the default credentials, he could easily look them up online, where many lists of network default information are openly shared ◎ Attack surface reduction, applied to this scenario, demands that the Ethernet port in the spare office be disabled until it is needed
  • 27. Wireless Traversal Points ◎ After the data has traveled the network to its final destination, it is processed in some way ◎ In many cases, the data is stored in live storage. It has two points of access ○ Network ○ Storage device ◎ Attacker may breach the network access portion of your security ○ You should use secure authorization at the point of live storage (permissions)
  • 28. 2. IEEE 802.11i Security Preview the IEEE 802 protocol architecture and describe general network attacks common to wired and wireless networks
  • 29. IEEE 802 vs OSI Physical Data Link Network Physical IEEE 802 Reference Model Logical Link Control Medium Access Control Transport Session Presentation Application
  • 30. 802.11 Frame with WPA2 Header (Simplified)
    Frame Control: Specifies frame type and further details
    Addr 1: MAC address of wireless host or AP to receive this frame
    Addr 2: MAC address of wireless host or AP transmitting this frame
    Addr 3: MAC address of router interface to which AP is attached
    Key ID, Packet Number: Packet Number stores the replay counter, KeyID identifies which key is used
    MSDU
    FCS: Used to detect errors
  • 32. IEEE 802.11 Network Components and Architectural Model Distribution System (DS)
  • 33. IEEE 802.11 Services
    Service / Provider / Used to Support
    Association / Distribution system / MSDU delivery
    Authentication / Station / LAN access and security
    Deauthentication / Station / LAN access and security
    Disassociation / Distribution system / MSDU delivery
    Distribution / Distribution system / MSDU delivery
    Integration / Distribution system / MSDU delivery
    MSDU delivery / Station / MSDU delivery
    Privacy / Station / LAN access and security
    Reassociation / Distribution system / MSDU delivery
  • 34. Distribution of Messages Within a DS ◎Distribution service ○ Used to exchange MAC frames from station in one BSS to station in another BSS ◎Integration service ○ Transfer of data between station on IEEE 802.11 LAN and station on integrated IEEE 802.x LAN
  • 35. Transition Types Based On Mobility ◎No transition ○ Stationary or moves only within BSS ◎BSS transition ○ Station moving from one BSS to another BSS in same ESS ◎ESS transition ○ Station moving from BSS in one ESS to BSS within another ESS
  • 36. Association-Related Services ◎Association ○ Establishes initial association between station and AP ◎Reassociation ○ Enables transfer of association from one AP to another, allowing station to move from one BSS to another ◎Disassociation ○ Association termination notice from station or AP
  • 37. IEEE 802.11i Wireless LAN Security The significant differences between wired and wireless LANs suggest the increased need for robust security services and mechanisms for wireless LANs
  • 39. Access and Privacy Services ◎Authentication ○ Establishes identity of stations to each other ◎Deauthentication ○ Invoked when existing authentication is terminated
  • 40. Access and Privacy Services ◎Access control ○ Enforces the use of the authentication function, routes the messages properly, and facilitates key exchange ◎Privacy ○ Prevents message contents from being read by unintended recipient
  • 41. IEEE 802.11i Phases of Operation STA AP AS End Station
  • 43. Security Capabilities ◎STA and AP decide on specific techniques in the following areas ○ Confidentiality and MPDU integrity protocols for protecting unicast traffic ○ Authentication method ○ Cryptography key management approach ◎Confidentiality and integrity protocols for protecting multicast/broadcast traffic are dictated by the AP
  • 44. Security Capabilities ◎The options for the confidentiality and integrity cipher suite are ○ WEP, with either a 40-bit or 104-bit key, which allows backward compatibility with older IEEE 802.11 implementations ○ TKIP ○ CCMP ○ Vendor-specific methods
  • 45. Security Capabilities ◎Authentication and key management (AKM) ○ IEEE 802.1X ○ Pre-shared key ○ Vendor-specific methods
  • 46. Network and Security Capability Discovery Station sends a request to join network AP periodically broadcasts its security capabilities in a specific channel through the Beacon frame STA AP Probe request Probe response
  • 47. Open System Authentication Station sends a request to join network Probe request Probe response Station sends a request to perform null authentication Open system authentication request Open system authentication response Provides no security, is simply to maintain backward compatibility with the IEEE 802.11 state machine STA AP
  • 48. Association Station sends a request to join network AP sends the associated security parameters Station sends a request to perform null authentication Station sends a request to associate with AP with security parameters Association request Association response Station sets selected security parameters If there is no match in capabilities between the AP and the STA, the AP refuses the Association Request and STA blocks controlled ports STA AP Probe request Probe response Open system authentication request Open system authentication response
  • 50. “If your authentication is weak, little else matters in your security.” Tom Carpenter (Wireless Expert)
  • 51. AAA Authentication Authentication can be accomplished in a variety of ways including username/password pair and user certificates. Authorization Authentication confirms a user’s identity, and authorization provides access to network resources according to policy. Accounting Accounting includes monitoring, analysis, and reporting of network events.
  • 52. Mutual Authentication ◎IETF requires support for mutual authentication in the creation of a robust security network association (RSNA) ◎If the server is authenticating the client, but the client is not authenticating the server, evil twin attacks and other impersonation attacks are much easier
  • 56. IEEE 802.1X Access Control Approach
  • 57. MPDU Exchange Connect to AS The STA sends a request to its AP for connection to the AS. The AP acknowledges this request and sends an access request to the AS. EAP exchange This exchange authenticates the STA and AS to each other. Secure key delivery Once authentication is established, the AS generates a master session key (MSK) and sends it to the STA.
  • 58. Typical 802.1X Exchange on 802.11 STA AP Radius 1: EAPOL-Start 3: Response Identity 5: EAP-Response/Method 2: Request/Identity 7: EAPOL-Key EAP-Response/Method EAP-Request/Method EAP-Success EAP-Request/Method Radius-Access-Request 8: Data ...... 9: EAPOL-Logoff 4: Radius-Access-Challenge Radius-Access-Request Radius-Access-Challenge Radius-Access-Request 6: Radius-Access-Accept ... embedded auth. protocol
  • 59. Common EAP Authentication Methods
    Type Code / Authentication Protocol
    4 / MD5 Challenge
    6 / GTC
    13 / EAP-TLS
    21 / TTLS
    25 / PEAP
    18 / EAP-SIM
    29 / MS-CHAP-V2
  • 60. EAP Cryptographic Methods Code 25: EAP-PEAP Code 13: EAP-TLS Code 21: EAP-TTLS LEAP
  • 61. EAP Non-Cryptographic Methods Code 18: EAP-SIM Code 4: MD5-Challenge Code 23: EAP-AKA Code 29: EAP-MSCHAP-V2 Code 6: Generic Token Card
  • 62. EAP Other Inner Authentication Methods Challenge Handshake Authentication Protocol (CHAP) Password Authentication Protocol (PAP) MS-CHAP-V1
  • 64. Wired Equivalent Privacy (WEP) WEP is a security algorithm for IEEE 802.11 wireless networks. It was introduced as part of the original 802.11 standard ratified in 1997. WEP was at one time widely in use and was often the first security choice presented to users by router configuration tools.
  • 65. WEP Cryptographic Operations User Data CRC32 Initialization Vector (IV) WEP Key WEP Key + Initialization Vector (IV) RC4 IV Encrypted Data User Data + ICV
  • 66. WEP weaknesses ◎802.11 allows for using a different IV for each frame, but it is not required ◎WEP uses CRC that is not cryptographically secure ○ It is easy to predict how changing a single bit will affect the result of the CRC calculation ◎In 2001, Fluhrer, Mantin and Shamir published the paper “Weaknesses in the Key Scheduling Algorithm of RC4” ○ FMS attack assumes the ability to recover the first byte of the encrypted payload
  • 67. The Temporal Key Integrity Protocol (TKIP) The major motivation for the development of TKIP was to upgrade the security of WEP-based hardware. TKIP retains the basic architecture and operations of WEP because it was designed to be a software upgrade to WEP-based solutions
  • 68. TKIP, IV Use and Key Mixing ◎To mitigate the attacks against IV, TKIP doubles the length of the IV from 24 to 48 bits ○ Increases the size of IV space from 16 million to 281 trillion ◎TKIP performs key mixing to mitigate attacks against WEP ○ Every frame is encrypted with an RC4 key unique to that frame ○ Extends IV (incorporating sending MAC address)
  • 69. TKIP Sequence Number and Replay Protection ◎TKIP IV serves as a sequence counter ○ When a new master key is installed the IV/sequence counter is set to 1 ◎TKIP maintains the most recent sequence counter value received from each station ○ It defends against replay attacks
  • 70. The Michael Integrity Check ◎WEP’s integrity check is a linear hash value ○ Unsuitable for cryptographic operations ◎Michael is stronger than a simple linear hash ◎Michael is implemented entirely with bitwise operations ○ It is better than CRC but it does not offer security against a determined attack
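Why the CRC-32 ICV named on the WEP weaknesses and Michael slides fails as an integrity check, as an added example (not from the original deck): a WEP-style RC4 + CRC-32 encapsulation next to a keyed check. The IV, keys and payload are constructed sample values, and HMAC-SHA1 is an assumed stand-in for a keyed MIC (it is not Michael).

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, data: bytes) -> bytes:
    """RC4(IV || key) XOR (data || ICV), as on the WEP operations slide."""
    body = data + icv(data)
    return xor(body, rc4(iv + key, len(body)))

def wep_open(iv: bytes, key: bytes, ct: bytes):
    """Decrypt and return (data, whether the ICV check passed)."""
    body = xor(ct, rc4(iv + key, len(ct)))
    data, got = body[:-4], body[-4:]
    return data, got == icv(data)

def icv_shift(delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(a ^ d) = crc(a) ^ crc(d) ^ crc(00..0)."""
    return xor(icv(delta), icv(bytes(len(delta))))

def modify_in_transit(ct: bytes, delta: bytes) -> bytes:
    """XOR delta into the data and the matching shift into the ICV; no key used."""
    return xor(ct, delta + icv_shift(delta))

def keyed_tag(mic_key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 stands in for a keyed integrity check.
    return hmac.new(mic_key, data, hashlib.sha1).digest()

# Constructed sample values, not taken from any capture.
IV, KEY, MIC_KEY = b"\x01\x02\x03", b"\xaa" * 13, b"\xbb" * 16
DATA = b"amount=0100"
DELTA = xor(b"amount=0100", b"amount=9100")

def demo():
    ct = wep_seal(IV, KEY, DATA)
    data2, icv_ok = wep_open(IV, KEY, modify_in_transit(ct, DELTA))
    tag_ok = hmac.compare_digest(keyed_tag(MIC_KEY, DATA), keyed_tag(MIC_KEY, data2))
    return data2, icv_ok, tag_ok
```

The modified frame still passes the CRC-32 check, while a tag that depends on a secret key no longer matches.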
  • 71. TKIP Frame Processing Encryption Michael User Data MIC Key Transmitted Address (TA) Destination Address (DA) Priority Field MIC + User Data Message Transmitted Address (TA) Temporal Key (TK) Phase 1 Key Mixing Phase 2 Key Mixing 48-bit IV Key RC4
  • 72. Counter Mode with CBC-MAC (CCMP) CCMP is an encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment. It is based upon the Counter Mode with CBC-MAC (CCM mode) of the Advanced Encryption Standard (AES)
  • 73. CCMP Frame Processing Encryption Plaintext MPDU MAC Header Construct Additional Authentication Data CCM Enc ||Data Encrypted MPDU Construct CCMP Header TK PN Key ID Increment Packet Number Construct Nonce MAC_send, Priority
  • 74. CCM Encryption and Integrity [Diagram: chained AES blocks. Integrity check: IV, Header and Data in 128-bit blocks under the Data Integrity Key, producing the MIC. Encryption: CTR under the Data Encryption Key. Frame: Header, Data, MIC, FCS.]
  • 75. CCMP Encryption and Integrity [Diagram: chained AES blocks. Integrity check: IV, Header and Data in 128-bit blocks under the Data Integrity Key, producing the MIC. Encryption: CTR under the Data Encryption Key. Frame: Header, Data, MIC, FCS.] IV = Flag1 || Flag || MAC_send || Nonce || Length(Data + Plaintext)_16; CTR = Flag2 || Flag || MAC_send || Nonce || 0_16; Nonce = PRF (Random Number, “InitCounter”, MAC_send || Time, 256)
  • 76. RSN: Cryptographic Algorithms. Confidentiality: ● TKIP (RC4) ● CCM (AES-CTR) ● NIST Key Wrap. Integrity and Data Origin Authentication: ● HMAC-SHA1 ● HMAC-MD5 ● TKIP (Michael MIC) ● CCM (AES-CBC-MAC). Key Generation: ● HMAC-SHA1 ● RFC 1750
  • 77. Key Management Phase. Pairwise Keys: pairwise keys are used for communication between STA and AP. There are two possibilities: ◎ pre-shared key (PSK) ◎ master session key (MSK) A pairwise master key (PMK) is derived from the master key. Group Keys: group keys are used for multicast communication. At the top level of the group key hierarchy is the group master key (GMK). The GMK is a key-generating key used with other inputs to derive the group temporal key (GTK).
  • 79. Derive the PTK (for CCMP) PTK = PRF (PMK, “Pairwise key expansion”, min (AMAC, SMAC) || max (AMAC, SMAC) || min (Anonce, Snonce) || max (Anonce, Snonce), 384)
  • 80. IEEE 802.11i Pseudorandom Function (HMAC-SHA1) PRF (K, A, B, Len): R = null; for i = 0 to ((Len + 159)/160 − 1): R = R || HMAC-SHA1 (K, A || 0 || B || i); return Truncate-to-Len (R, Len)
  • 81. 4-way handshake AMAC, ANonce, sn, Msg1 SMAC, SNonce, sn, Msg2 MIC_KCK(SNonce, sn, Msg2) Derive PTK Derive PTK, Verify MIC optional 802.1X authentication
  • 82. 4-way handshake AMAC, ANonce, sn, Msg1 SMAC, SNonce, sn, Msg2 MIC_KCK(SNonce, sn, Msg2) Derive PTK Derive PTK, Verify MIC optional 802.1X authentication PTK = PRF (PMK, “Pairwise key expansion”, min (AMAC, SMAC) || max (AMAC, SMAC) || min (Anonce, Snonce) || max (Anonce, Snonce), 384 [key length])
  • 83. 4-way handshake AMAC, ANonce, sn, Msg1 SMAC, SNonce, sn, Msg2 MIC_KCK(SNonce, sn, Msg2) AMAC, ANonce, sn+1, Msg3, Enc_KEK(GTK), MIC_KCK(ANonce, sn+1, Msg3) SMAC, SNonce, sn+1, Msg4 MIC_KCK(sn+1, Msg4) Derive PTK Derive PTK, Verify MIC Verify MIC, Install PTK & GTK, Update sn Install PTK Update sn optional 802.1X authentication encrypted data frame can now be exchanged
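The PRF and PTK derivation from the slides above, carried through to the "Derive PTK, Verify MIC" step of message 2, as an added example (not from the original deck). The MAC addresses, nonces and passphrases are constructed; the passphrase-to-PMK step (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) is the standard personal-mode mapping, and the MIC input here is a simplified field list, not a real EAPOL-Key frame.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, length_bits: int) -> bytes:
    """802.11i PRF from the slide: R = R || HMAC-SHA1(K, A || 0 || B || i)."""
    out = b""
    for i in range((length_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: length_bits // 8]

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # Personal mode: the 256-bit PMK is derived from the passphrase and the SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, amac: bytes, smac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """384-bit PTK for CCMP, split into KCK | KEK | TK (128 bits each)."""
    data = min(amac, smac) + max(amac, smac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def mic(kck: bytes, fields: bytes) -> bytes:
    # Simplified: HMAC-SHA1 truncated to 128 bits over the listed fields only.
    return hmac.new(kck, fields, hashlib.sha1).digest()[:16]

def supplicant_msg2(pmk, amac, smac, anonce, snonce, sn: int):
    """STA side: derive the PTK after Msg1, then send SNonce, sn and the MIC."""
    kck = derive_ptk(pmk, amac, smac, anonce, snonce)["KCK"]
    fields = snonce + sn.to_bytes(8, "big") + b"Msg2"
    return fields, mic(kck, fields)

def authenticator_accepts(pmk, amac, smac, anonce, snonce, fields, tag) -> bool:
    """AP side: derive the PTK from its own PMK and verify the MIC."""
    kck = derive_ptk(pmk, amac, smac, anonce, snonce)["KCK"]
    return hmac.compare_digest(mic(kck, fields), tag)

# Constructed sample values (locally administered MACs, hash-derived nonces).
AMAC = bytes.fromhex("020000000001")
SMAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

def demo():
    ap_pmk = pmk_from_passphrase("correct horse battery staple", "linksys")
    wrong_pmk = pmk_from_passphrase("not the passphrase", "linksys")
    results = []
    for sta_pmk in (ap_pmk, wrong_pmk):
        fields, tag = supplicant_msg2(sta_pmk, AMAC, SMAC, ANONCE, SNONCE, 1)
        results.append(authenticator_accepts(ap_pmk, AMAC, SMAC, ANONCE, SNONCE, fields, tag))
    return tuple(results)
```

Because every input except the PMK travels in the clear, the strength of a personal-mode network rests on the passphrase behind that PMK.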
  • 84. 3. Challenges We’ll use Aircrack-ng to recover WEP and WPA2 personal wireless keys by eavesdropping on and injecting traffic into a wireless network, and we’ll use Bully to brute-force a WPS PIN
  • 85. Weak Key Web application security, firewalls, security-awareness training, and so on can do nothing to protect an internal network if there’s an attacker sitting on a bench in front of the target organization’s building and the organization provides wireless access with weak encryption to the internal network
  • 87. Scan for Access Points
  • 92. Open Wireless Open wireless networks are a real disaster from a security perspective because anyone within antenna range of the access point can connect to that network. Also, the wireless packets traveling through an open network are not encrypted, and anyone listening can see any data in plaintext
  • 94. Wired Equivalent Privacy ◎The bitwise XOR operation has four possible cases: ○ 0 XOR 0 = 0 ○ 1 XOR 0 = 1 ○ 0 XOR 1 = 1 ○ 1 XOR 1 = 0
  • 96. Wired Equivalent Privacy The shared WEP key can be either 64 or 148 bits. An initialization vector (IV) makes up the first 24 bits of the key to add randomness, making the effective key length really only 40 or 104 bits
  • 100. Cracking WEP Keys with Aircrack-ng ◎ Base Station MAC Address: 00:23:69:F5:B4:2B ◎ SSID: linksys ◎ Channel: 6
  • 101. Injecting Packets ◎ -1 tells Aireplay-ng to fake authentication ◎ 0 is the retransmission time ◎ -e is the SSID; in my case linksys ◎ -a is the MAC address of the access point ◎ -h is the MAC address of our card ◎ mon0 is the interface to use for the fake authentication
  • 102. Generating IVs with the ARP Request Replay attack ◎ -3 performs the ARP request replay attack ◎ -b is the base station MAC address ◎ -h is our Alfa card MAC address ◎ mon0 is the interface
  • 103. Generating an ARP Request ◎ #Data (IV) increases rapidly ◎ Aireplay-ng continues to retransmit the ARP packet
  • 105. Challenges with WEP Cracking Access points could use MAC filtering to allow only wireless cards with certain MAC addresses to connect, and if your Alfa card isn’t on the list, your fake authentication attempt will fail
  • 107. WPA2 It implements an encryption protocol built specifically for wireless security called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP is built on the Advanced Encryption Standard (AES)
  • 108. The Enterprise Connection Process ◎ First the client and AP agree on mutually supported security protocols ◎ AP and the RADIUS server exchange messages to generate a master key ◎ A message that authentication was successful is sent to the AP and passed on to the client, and the master key is sent to the AP ◎ The AP and the client exchange and verify keys for mutual authentication, message encryption, and message integrity via a 4-way handshake
  • 109. The Personal Connection Process ◎ No RADIUS server is required ◎ WPA/WPA2 personal uses pre-shared keys, which are generated using pre-shared passphrases ◎ The WPA/WPA2 personal passphrase that you enter when you connect to a secured network is static
  • 110. Cracking WPA/WPA2 Keys The cryptographic algorithms used in WPA and WPA2 are robust enough to stop attackers from recovering the key simply by capturing enough traffic and performing cryptanalysis. The Achilles’ heel in WPA / WPA2 personal networks lies in the quality of the pre-shared key (passphrase) used
  • 111. Using Aircrack-ng to Crack WPA/WPA2 Keys ◎ Airodump-ng -c 6 for the channel ◎ --bssid with the base station MAC address ◎ -w to specify the filename for output ◎ mon0 for the monitor interface
  • 112. Using Aircrack-ng to Crack WPA/WPA2 Keys ◎ -0 means deauthentication ◎ 1 is the number of deauthentication requests to send ◎ -a 00:14:6C:7E:40:80 is the MAC address of the base station ◎ -c 00:0F:B5:FD:FB:C2 is the MAC address of the client to deauthenticate
  • 113. Using Aircrack-ng to Crack WPA/WPA2 Keys ◎ If the Airodump-ng capture sees a four-way handshake with a client, it records it in the first line of the captured output
  • 114. Using Aircrack-ng to Crack WPA/WPA2 Keys ◎ Open the .cap file in Wireshark with File → Open → filename.cap. Once in Wireshark, filter for the eapol protocol to see the four packets that make up the handshake
  • 115. Using Aircrack-ng to Crack WPA/WPA2 Keys ◎ Aircrack-ng to test the keys in the wordlist ◎ -w option to specify a list
  • 117. Cracking WPS with Bully ◎ -b flag to specify the MAC address ◎ -e flag for the SSID ◎ -c flag for the channel ◎ Kali provides tools that you can use to implement a brute-force attack against WPS. One such tool is Bully
  • 118. 4. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 https://papers.mathyvanhoef.com/ccs2017.pdf
  • 119. KRACK Overview Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on
  • 120. About Authors Frank Piessens is a professor in the research group DistriNet (Distributed Systems and Computer Networks) at the Computer Science department of the Katholieke Universiteit Leuven (BE). Mathy Vanhoef is a postdoctoral researcher at Katholieke Universiteit Leuven (BE), where he currently performs research on automatically discovering logical vulnerabilities in network protocol implementations.
  • 121. Assigned CVE Identifiers ◎ CVE-2017-13077 ◎ CVE-2017-13078 ◎ CVE-2017-13079 ◎ CVE-2017-13080 ◎ CVE-2017-13081 ◎ CVE-2017-13082 ◎ CVE-2017-13084 ◎ CVE-2017-13086 ◎ CVE-2017-13087 ◎ CVE-2017-13088
  • 123. 4-way handshake AMAC, ANonce, sn, Msg1 SMAC, SNonce, sn, Msg2 MIC_KCK(SNonce, sn, Msg2) AMAC, ANonce, sn+1, Msg3, Enc_KEK(GTK), MIC_KCK(ANonce, sn+1, Msg3) SMAC, SNonce, sn+1, Msg4 MIC_KCK(sn+1, Msg4) Derive PTK Derive PTK, Verify MIC Verify MIC, Install PTK & GTK, Update sn Install PTK Update sn optional 802.1X authentication encrypted data frame can now be exchanged
  • 124. 4-way handshake AMAC, ANonce, sn, Msg1 SMAC, SNonce, sn, Msg2 MIC_KCK(SNonce, sn, Msg2) Derive PTK Derive PTK, Verify MIC optional 802.1X authentication PTK = PRF (PMK, “Pairwise key expansion”, min (AMAC, SMAC) || max (AMAC, SMAC) || min (Anonce, Snonce) || max (Anonce, Snonce), 384 [key length])
  • 125. Frame Encryption (Simplified) Enc Nonce (packet number) PTK (TK) Encrypted Data Keystream Nonce Plaintext Data Packet Key Nonce reuse implies keystream reuse (in all WPA2 ciphers)
  • 126. Frame Encryption: CCMP Example AES AES AES CTR CTR + 1 CTR + N . . . PTK (TK) PTK (TK) PTK (TK) Plaintext 1 Plaintext 2 Plaintext N Encrypted Data Keystream Nonce . . .
  • 127. Frame Encryption: CCMP Example AES AES AES . . . PTK (TK) PTK (TK) PTK (TK) Plaintext 1 Plaintext 2 Plaintext N Encrypted Data Keystream Nonce CTR = Flag2 || Flag || MAC_send || Nonce || 0_16 CTR CTR + 1 . . . CTR + N
  • 128. 4-way handshake AMAC, ANonce, sn, Msg1 SMAC, SNonce, sn, Msg2 MIC_KCK(SNonce, sn, Msg2) AMAC, ANonce, sn+1, Msg3, Enc_KEK(GTK), MIC_KCK(ANonce, sn+1, Msg3) SMAC, SNonce, sn+1, Msg4 MIC_KCK(sn+1, Msg4) Derive PTK Derive PTK, Verify MIC Verify MIC, Install PTK & GTK, Update sn Install PTK Update sn optional 802.1X authentication encrypted data frame can now be exchanged Installing PTK initializes Nonce to 0
  • 130. Key Reinstallation Attack - Complications ◎Not all Wi-Fi clients properly implement the state machine ○ Still vulnerable against the group key handshake and FT handshake ◎We must obtain a MitM position between the client and AP ○ It is difficult due to 4-way handshake ○ The solution is to employ a channel-based MitM attack
  • 131. Key Reinstallation Attack Msg1(r, Anonce) Msg2(r, Snonce) Msg3(r+1, GTK) optional 802.1X authentication Msg1(r, Anonce) Msg2(r, Snonce) Msg3(r+1, GTK) Msg4(r+1) Install PTK & GTK Block Msg4 Channel 3 Channel 5
  • 132. Key Reinstallation Attack Msg4(r+1) Install PTK & GTK Msg3(r+2, GTK) Msg3(r+2, GTK) Enc^1_PTK(Msg4(r+2)) Reinstall PTK & GTK Key Reinstallation! Nonce is reset
  • 133. Key Reinstallation Attack Msg4(r+1) Install PTK & GTK Msg3(r+2, GTK) Msg3(r+2, GTK) Enc^1_PTK(Msg4(r+2)) Reinstall PTK & GTK Enc^1_PTK(Data(...)) Enc^1_PTK(Data(...))
  • 134. Key Reinstallation Attack Msg4(r+1) Install PTK & GTK Msg3(r+2, GTK) Msg3(r+2, GTK) Enc^1_PTK(Msg4(r+2)) Reinstall PTK & GTK Enc^1_PTK(Data(...)) Enc^1_PTK(Data(...)) Same Nonce is used
  • 135. Key Reinstallation Attack Msg4(r+1) Install PTK & GTK Msg3(r+2, GTK) Msg3(r+2, GTK) Enc^1_PTK(Msg4(r+2)) Reinstall PTK & GTK Enc^1_PTK(Data(...)) Enc^1_PTK(Data(...)) Keystream
  • 136. Key Reinstallation Attack Msg4(r+1) Install PTK & GTK Msg3(r+2, GTK) Msg3(r+2, GTK) Enc^1_PTK(Msg4(r+2)) Reinstall PTK & GTK Enc^1_PTK(Data(...)) Enc^1_PTK(Data(...)) Keystream Decrypted!
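The effect of the reinstallation shown on the slides above, as an added example (not from the original deck or the KRACK authors' code): a sender whose key installation resets the packet number, next to one that ignores reinstallation of a key already in use, which is the countermeasure the KRACK paper recommends. HMAC-SHA256 in counter mode is an assumed stand-in for AES-CTR, and the TK and plaintexts are constructed.

```python
import hashlib
import hmac

def keystream(tk: bytes, pn: int, n: int) -> bytes:
    """Stand-in for AES-CTR: the keystream depends only on (TK, packet number)."""
    out, block = b"", 0
    while len(out) < n:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Data-confidentiality side of a station: one key and one packet number."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.tk = None
        self.pn = 0

    def install_key(self, tk: bytes) -> None:
        # Hardened behaviour: a key that is already in use is not installed
        # again, so the packet number (nonce) is never reset for that key.
        if self.hardened and tk == self.tk:
            return
        self.tk = tk
        self.pn = 0  # "Installing PTK initializes Nonce to 0"

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

# Constructed sample values.
TK = hashlib.sha256(b"constructed temporal key").digest()[:16]
KNOWN = b"EAPOL Msg4 (known)"   # frame whose content an observer can predict
SECRET = b"user data: secret!"  # later data frame

def retransmitted_msg3(hardened: bool):
    s = Sender(hardened)
    s.install_key(TK)      # first Msg3 accepted: install PTK
    f1 = s.send(KNOWN)     # encrypted Msg4 answering the retransmitted Msg3
    s.install_key(TK)      # retransmitted Msg3 offers the same PTK again
    f2 = s.send(SECRET)    # next data frame
    return f1, f2

def nonce_reused(f1, f2) -> bool:
    return f1[0] == f2[0]

def xor_of_ciphertexts(f1, f2) -> bytes:
    # Under a reused nonce this equals KNOWN xor SECRET: the keystream cancels.
    return xor(f1[1], f2[1])
```

In the vulnerable model both frames carry packet number 1 and their XOR exposes the second plaintext to anyone who knows the first; in the hardened model the packet numbers are 1 and 2 and the keystreams differ.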
  • 137. Encrypted Retransmission of frame 3 ◎Some clients, once they have installed the PTK, only accept encrypted retransmissions of message 3 ◎To attack them, we exploit an inherent race condition between the entity executing the 4-way handshake, and the entity implementing the data-confidentiality protocol
  • 138. Warm-up: Android Attack Msg1(r, Anonce) Msg1(r, Anonce) Msg2(r, Snonce) Msg2(r, Snonce) Msg3(r+1, GTK) Msg3(r+2, GTK) Msg3(r+1, GTK) Msg3(r+2, GTK)
  • 139. Warm-up: Android Attack Msg4(r+1) Msg4(r+1) Install keys command Install PTK & GTK Msg4(r+2) Enc^1_PTK(Msg4(r+2)) Install keys command Reinstall PTK & GTK next transmitted frame will reuse Nonce 1
  • 140. Attack macOS: encrypted message 3 retransmissions initial 4-way handshake Install PTK & GTK pairwise rekey in progress Enc^x_PTK(Msg3(r+1, GTK)) Enc^{x+1}_PTK(Msg3(r+2, GTK)) Msg3(r+1, GTK) Msg3(r+2, GTK)
  • 141. Attack macOS: encrypted message 3 retransmissions Msg4(r+1) Install keys command Enc^y_PTK(Msg4(r+1)) Install PTK’ & GTK Msg4(r+2) Install keys command Enc^1_PTK’(Msg4(r+2)) Reinstall PTK’ & GTK next transmitted frame will reuse Nonce 1
  • 142. Breaking the Group Key Handshake Prerequisites: ◎ Clients will reinitialize the replay counter when installing an already-in-use group key ○ All Wi-Fi clients are vulnerable ◎ We must be able to collect a group message 1 that the client (still) accepts, and that contains a group key that is already in use by the AP ○ According to the standard, the new group key should be installed after all stations replied with a group message 2
  • 143. Breaking the Group Key Handshake ◎ Client is attacked, but only AP sends real broadcast frames ◎ Can only replay broadcast frames to client Unicast Broadcast
  • 144. Group Key Handshake Initial 4-way handshake Enc^x_PTK(Group1(r+2, GTK)) Refresh GTK Enc^y_PTK(Group2(r+2)) Install GTK? Install GTK Install GTK?
  • 145. GK Handshake: Immediate Key Installation Attack Enc^x_PTK(Group1(r, GTK)) Initial 4-way handshake Enc^x_PTK(Group1(r, GTK)) Enc^y_PTK(Group2(r)) Enc^{x+1}_PTK(Group1(r+1, GTK)) Refresh GTK Install GTK Install GTK
  • 146. GK Handshake: Immediate Key Installation Attack Enc^1_GTK(GroupData(...)) Enc^{x+1}_PTK(Group1(r+1, GTK)) Enc^1_GTK(GroupData(...)) Reinstall GTK Reinitialize replay counter Enc^1_GTK(GroupData(...)) Replay Broadcast Data Frame!
  • 147. GK Handshake: Delay Key Installation Attack Enc^x_PTK(Group1(r, GTK)) Initial 4-way handshake Enc^x_PTK(Group1(r, GTK)) Enc^y_PTK(Group2(r)) Enc^{x+1}_PTK(Group1(r+1, GTK)) Refresh GTK Install GTK NOT Install GTK again
  • 148. GK Handshake: Delay Key Installation Attack Enc^y_PTK(Group2(r)) Enc^1_GTK(GroupData(...)) Enc^{x+1}_PTK(Group1(r+1, GTK)) Enc^1_GTK(GroupData(...)) Reinstall GTK Reinitialize replay counter Install GTK Enc^1_GTK(GroupData(...)) Replay Broadcast Data Frame!
  • 149. The Fast BSS Transition (FT) Handshake ◎Fast Roaming = 802.11r ◎Its goal is to reduce the roaming time when a client moves from one AP to another of the same Basic Service Set ◎A new 802.1x handshake is not required ◎It embeds the 4-way handshake stage in the authentication and reassociation frames
  • 150. FT Handshake AuthReq(Snonce) ReassReq(ANonce, SNonce, MIC) Install PTK? Install PTK & GTK AuthResp(Anonce, Snonce) Install PTK? Install PTK ReassResp(ANonce, SNonce, MIC, GTK)
  • 151. 802.11r FT Handshake Attack ◎Access Point is attacked ○ Replay, Decrypt, Forge ◎No MitM required ◎Can keep causing Nonce resets ◎If the reassociation response is lost due to background noise, the client will retransmit the reassociation request ○ APs may already be reusing Nonces
  • 152. 802.11r FT Handshake Attack AuthReq(Snonce) ReassReq(ANonce, SNonce, MIC) Install PTK & GTK AuthResp(Anonce, Snonce) Install PTK ReassResp(ANonce, SNonce, MIC, GTK) ReassReq(ANonce, SNonce, MIC) Enc^1_PTK(Data(...)) ReassResp(ANonce, SNonce, MIC, GTK) next transmitted frames will reuse Nonces Reinstall PTK
  • 153. 802.11r FT Handshake Attack AuthReq(Snonce) ReassReq(ANonce, SNonce, MIC) Install PTK & GTK AuthResp(Anonce, Snonce) Install PTK ReassResp(ANonce, SNonce, MIC, GTK) ReassReq(ANonce, SNonce, MIC) Enc^1_PTK(Data(...)) ReassResp(ANonce, SNonce, MIC, GTK) next transmitted frames will reuse Nonces Reinstall PTK Do NOT contain Replay Counter!
  • 154. Cipher suite specific ◎ AES-CCMP ○ No practical frame forging attacks ◎ WPA-TKIP ○ Recover Message Integrity Check key from plaintext ○ Forge/inject frames sent by the device under attack ◎ GCMP (WiGig) ○ Recover GHASH authentication key from nonce reuse ○ Forge/inject frames in both directions
  • 155. Implementation specific ◎ iOS 10 and Windows: 4-way handshake not affected ○ Cannot decrypt unicast traffic (nor replay/decrypt) ○ But group key handshake is affected (replay broadcast) ○ Note: iOS 11 does have vulnerable 4-way handshake ◎wpa_supplicant 2.4+ ○ Client used on Linux and Android 6.0+ ○ On retransmitted msg3 will install all-zero key
  • 156. Android all-zero key Attack Msg3(r+1, GTK) Msg3(r+1, GTK) Initial stage 4-way handshake Derive PTK Msg4(r+1) Msg4(r+1) Install-key(PTK) Clear PTK Install PTK Msg3(r+2, GTK) Enc^1_PTK(Msg4(r+2)) Msg3(r+2, GTK) Msg4(r+2) Install-key(0…0) Install all-zero PTK
  • 157. Limitation of the Security Proofs Both encryption protocols and 4-way handshake have been proven secure...
  • 158. Limitation of the Security Proofs ...but not their combination!
  • 159. “In theory, theory and practice are the same. In practice, they are not.”
  • 161. References ◎ W. Stallings - Cryptography and Network Security, 7th edition ◎ CWSP® Certified Wireless Security Professional Official Study Guide: Second Edition (CWSP-205) ◎ M. Vanhoef, F. Piessens - Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 ◎ G. Weidman - Penetration Testing: A Hands-On Introduction to Hacking