SlideShare a Scribd company logo

Predicting and Abusing WPA2/802.11 Group Keys

V
V

We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network. First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.

Predicting and Abusing WPA2/802.11 Group Keys

1 of 51
Download to read offline
Predicting and Abusing WPA2/802.11
Group Keys
Mathy Vanhoef - imec-DistriNet, KU Leuven
@vanhoefm
Observation
General Wi-Fi crypto is widely studied
2
Recover pre-shared
key(s) protecting all
WEP traffic
Tornado Attack:
Recover WPA-TKIP
session keys (theoretic)
Rogue AP against
enterprise networks
to steal credentials
Predictable pre-shared
key & dictionary attack
against handshake
 Mainly targets pre-shared and session keys
What about group keys?
Group keys protect broadcast and multicast frames:
 All clients posses a copy of the group key
Security of group keys not yet properly studied!
 In contrast with pre-shared & session (=pairwise) keys …
3
We analyze security of group
key during its full lifetime!
Background: group key lifetime
4
Background: group key lifetime
5
Group Key Three important stages:
1. Generation (flawed RNG)
Background: group key lifetime
6
Group Key
Session Key 1
Encrypted group
key sent to client
Three important stages:
1. Generation (flawed RNG)
2. Session key agreement and group
key transport (force usage of RC4)
Group Key
Session Key
Ad

Recommended

Hardening Three - IDS/IPS Technologies
Hardening Three - IDS/IPS TechnologiesHardening Three - IDS/IPS Technologies
Hardening Three - IDS/IPS TechnologiesSalvatore Lentini
 
IDS & Passive Network Defense
IDS & Passive Network DefenseIDS & Passive Network Defense
IDS & Passive Network DefenseSalvatore Lentini
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 

More Related Content

What's hot

Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast TrackNovizul Evendi
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemnewbie2019
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking   Chapter 6 - Port Scanning - Eric VanderburgEthical hacking   Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEric Vanderburg
 
Media Files : Android's New Nightmare
Media Files :  Android's New NightmareMedia Files :  Android's New Nightmare
Media Files : Android's New NightmareOguzhan Topgul
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald   id and ip theft with side-channel attacks1300 david oswald   id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)SSASIT
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 

What's hot (20)

Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast Track
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection system
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking   Chapter 6 - Port Scanning - Eric VanderburgEthical hacking   Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
 
Media Files : Android's New Nightmare
Media Files :  Android's New NightmareMedia Files :  Android's New Nightmare
Media Files : Android's New Nightmare
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Best!
Best!Best!
Best!
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
 
Port scanning
Port scanningPort scanning
Port scanning
 
Side Channel Attacks on AES
Side Channel Attacks on AESSide Channel Attacks on AES
Side Channel Attacks on AES
 
NMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit GautamNMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit Gautam
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald   id and ip theft with side-channel attacks1300 david oswald   id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 

Viewers also liked

Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitationbarcamp.my
 
Unl intro presentation fin
Unl intro presentation finUnl intro presentation fin
Unl intro presentation fineucariot
 
Free Download Powerpoint Slides
Free Download Powerpoint SlidesFree Download Powerpoint Slides
Free Download Powerpoint SlidesGeorge
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentationelliehood
 
State of the Word 2011
State of the Word 2011State of the Word 2011
State of the Word 2011photomatt
 

Viewers also liked (6)

Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
 
Unl intro presentation fin
Unl intro presentation finUnl intro presentation fin
Unl intro presentation fin
 
Free Download Powerpoint Slides
Free Download Powerpoint SlidesFree Download Powerpoint Slides
Free Download Powerpoint Slides
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentation
 
State of the Word 2011
State of the Word 2011State of the Word 2011
State of the Word 2011
 
Slideshare ppt
Slideshare pptSlideshare ppt
Slideshare ppt
 

Similar to Predicting and Abusing WPA2/802.11 Group Keys

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfYuChianWu
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linuxmariuszantal
 
Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
Information and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipherInformation and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipherMazin Alwaaly
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita
03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita
03 Dissecting WPA3 Sharkfest '22 US Megumi TakeshitaMegumi Takeshita
 
Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Rimba Ari
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavthc2cat
 

Similar to Predicting and Abusing WPA2/802.11 Group Keys (20)

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
 
amrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdf
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Martin Novotny and Timo Kasper
Martin Novotny and Timo KasperMartin Novotny and Timo Kasper
Martin Novotny and Timo Kasper
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
Information and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipherInformation and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipher
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Day2
Day2Day2
Day2
 
03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita
03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita
03 Dissecting WPA3 Sharkfest '22 US Megumi Takeshita
 
Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamav
 

More from vanhoefm

Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
Stateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven ProgramsStateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven Programsvanhoefm
 
HacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-upHacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-upvanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
TEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hackedTEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hackedvanhoefm
 

More from vanhoefm (9)

Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
 
Stateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven ProgramsStateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven Programs
 
HacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-upHacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-up
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
TEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hackedTEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hacked
 

Recently uploaded

CW 2 - Frustrated Lewis Pair - Molly winterbottom.pdf
CW 2 - Frustrated Lewis Pair - Molly winterbottom.pdfCW 2 - Frustrated Lewis Pair - Molly winterbottom.pdf
CW 2 - Frustrated Lewis Pair - Molly winterbottom.pdfMollyWinterbottom
 
Geological evidence of extensive N-fixation by volcanic lightning during very...
Geological evidence of extensive N-fixation by volcanic lightning during very...Geological evidence of extensive N-fixation by volcanic lightning during very...
Geological evidence of extensive N-fixation by volcanic lightning during very...Sérgio Sacani
 
PROSTHETIC FEET description and its types
PROSTHETIC FEET description and its typesPROSTHETIC FEET description and its types
PROSTHETIC FEET description and its typeseshasmalik27
 
Pineal region.pptx
Pineal region.pptxPineal region.pptx
Pineal region.pptxRunBalaB
 
Advancing CAM Assay Image Analysis Using Deep Learning Software
Advancing CAM Assay Image Analysis Using Deep Learning SoftwareAdvancing CAM Assay Image Analysis Using Deep Learning Software
Advancing CAM Assay Image Analysis Using Deep Learning SoftwareKML Vision
 
Quality safety and legislations of cosmetics.pptx
Quality safety and legislations of cosmetics.pptxQuality safety and legislations of cosmetics.pptx
Quality safety and legislations of cosmetics.pptxDeviSky1
 
dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...
dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...
dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...dkNET
 
Fair and just food systems enabling local midstream businesses? What does it ...
Fair and just food systems enabling local midstream businesses? What does it ...Fair and just food systems enabling local midstream businesses? What does it ...
Fair and just food systems enabling local midstream businesses? What does it ...SIANI
 
Physics Chapter Three - Electric Fields and Charges
Physics Chapter Three - Electric Fields and ChargesPhysics Chapter Three - Electric Fields and Charges
Physics Chapter Three - Electric Fields and Chargesalinford
 
From Leaf to Lab: Uncovering the Molecular Mysteries of Cannabis
From Leaf to Lab: Uncovering the Molecular Mysteries of CannabisFrom Leaf to Lab: Uncovering the Molecular Mysteries of Cannabis
From Leaf to Lab: Uncovering the Molecular Mysteries of CannabisMarkus Roggen
 
IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1
IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1
IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1Sérgio Sacani
 
Duchenne Muscular Dystrophy or DMD .pptx
Duchenne Muscular Dystrophy or DMD .pptxDuchenne Muscular Dystrophy or DMD .pptx
Duchenne Muscular Dystrophy or DMD .pptxNavanidhan.M
 
transgenics_17b.pptx
transgenics_17b.pptxtransgenics_17b.pptx
transgenics_17b.pptxridhi124788
 
Analytical Coursework - Molly Winterbottom.pdf
Analytical Coursework - Molly Winterbottom.pdfAnalytical Coursework - Molly Winterbottom.pdf
Analytical Coursework - Molly Winterbottom.pdfMollyWinterbottom
 
Thornyissue testing of slideshow for website
Thornyissue testing of slideshow for websiteThornyissue testing of slideshow for website
Thornyissue testing of slideshow for websitesuelcarter1
 
Kavita Punekar: Illuminating Minds and Igniting Passion in Science Education
Kavita Punekar: Illuminating Minds and Igniting Passion in Science EducationKavita Punekar: Illuminating Minds and Igniting Passion in Science Education
Kavita Punekar: Illuminating Minds and Igniting Passion in Science Educationdsnow9802
 
FINAL Shehnaz and Thane Interview PowerPoint ;-).pdf
FINAL Shehnaz and Thane Interview PowerPoint ;-).pdfFINAL Shehnaz and Thane Interview PowerPoint ;-).pdf
FINAL Shehnaz and Thane Interview PowerPoint ;-).pdfThane Heins
 
Agroecology as an approach to design sustainable Food Systems
Agroecology as an approach to design sustainable Food SystemsAgroecology as an approach to design sustainable Food Systems
Agroecology as an approach to design sustainable Food SystemsSIANI
 

Recently uploaded (20)

CW 2 - Frustrated Lewis Pair - Molly winterbottom.pdf
CW 2 - Frustrated Lewis Pair - Molly winterbottom.pdfCW 2 - Frustrated Lewis Pair - Molly winterbottom.pdf
CW 2 - Frustrated Lewis Pair - Molly winterbottom.pdf
 
Geological evidence of extensive N-fixation by volcanic lightning during very...
Geological evidence of extensive N-fixation by volcanic lightning during very...Geological evidence of extensive N-fixation by volcanic lightning during very...
Geological evidence of extensive N-fixation by volcanic lightning during very...
 
PROSTHETIC FEET description and its types
PROSTHETIC FEET description and its typesPROSTHETIC FEET description and its types
PROSTHETIC FEET description and its types
 
Pineal region.pptx
Pineal region.pptxPineal region.pptx
Pineal region.pptx
 
Advancing CAM Assay Image Analysis Using Deep Learning Software
Advancing CAM Assay Image Analysis Using Deep Learning SoftwareAdvancing CAM Assay Image Analysis Using Deep Learning Software
Advancing CAM Assay Image Analysis Using Deep Learning Software
 
Quality safety and legislations of cosmetics.pptx
Quality safety and legislations of cosmetics.pptxQuality safety and legislations of cosmetics.pptx
Quality safety and legislations of cosmetics.pptx
 
dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...
dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...
dkNET Webinar: An Encyclopedia of the Adipose Tissue Secretome to Identify Me...
 
Fair and just food systems enabling local midstream businesses? What does it ...
Fair and just food systems enabling local midstream businesses? What does it ...Fair and just food systems enabling local midstream businesses? What does it ...
Fair and just food systems enabling local midstream businesses? What does it ...
 
Physics Chapter Three - Electric Fields and Charges
Physics Chapter Three - Electric Fields and ChargesPhysics Chapter Three - Electric Fields and Charges
Physics Chapter Three - Electric Fields and Charges
 
From Leaf to Lab: Uncovering the Molecular Mysteries of Cannabis
From Leaf to Lab: Uncovering the Molecular Mysteries of CannabisFrom Leaf to Lab: Uncovering the Molecular Mysteries of Cannabis
From Leaf to Lab: Uncovering the Molecular Mysteries of Cannabis
 
VEM 023- LESSON 1.pdf
VEM 023- LESSON 1.pdfVEM 023- LESSON 1.pdf
VEM 023- LESSON 1.pdf
 
IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1
IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1
IM-1 Press Kit - Kit de Imprensa do Lançmento da Missão IM-1
 
Duchenne Muscular Dystrophy or DMD .pptx
Duchenne Muscular Dystrophy or DMD .pptxDuchenne Muscular Dystrophy or DMD .pptx
Duchenne Muscular Dystrophy or DMD .pptx
 
transgenics_17b.pptx
transgenics_17b.pptxtransgenics_17b.pptx
transgenics_17b.pptx
 
Analytical Coursework - Molly Winterbottom.pdf
Analytical Coursework - Molly Winterbottom.pdfAnalytical Coursework - Molly Winterbottom.pdf
Analytical Coursework - Molly Winterbottom.pdf
 
Thornyissue testing of slideshow for website
Thornyissue testing of slideshow for websiteThornyissue testing of slideshow for website
Thornyissue testing of slideshow for website
 
ALL the evidence webinar: Appraising and using evidence about community conte...
ALL the evidence webinar: Appraising and using evidence about community conte...ALL the evidence webinar: Appraising and using evidence about community conte...
ALL the evidence webinar: Appraising and using evidence about community conte...
 
Kavita Punekar: Illuminating Minds and Igniting Passion in Science Education
Kavita Punekar: Illuminating Minds and Igniting Passion in Science EducationKavita Punekar: Illuminating Minds and Igniting Passion in Science Education
Kavita Punekar: Illuminating Minds and Igniting Passion in Science Education
 
FINAL Shehnaz and Thane Interview PowerPoint ;-).pdf
FINAL Shehnaz and Thane Interview PowerPoint ;-).pdfFINAL Shehnaz and Thane Interview PowerPoint ;-).pdf
FINAL Shehnaz and Thane Interview PowerPoint ;-).pdf
 
Agroecology as an approach to design sustainable Food Systems
Agroecology as an approach to design sustainable Food SystemsAgroecology as an approach to design sustainable Food Systems
Agroecology as an approach to design sustainable Food Systems
 

Predicting and Abusing WPA2/802.11 Group Keys

  • 1. Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm
  • 2. Observation General Wi-Fi crypto is widely studied 2 Recover pre-shared key(s) protecting all WEP traffic Tornado Attack: Recover WPA-TKIP session keys (theoretic) Rogue AP against enterprise networks to steal credentials Predictable pre-shared key & dictionary attack against handshake  Mainly targets pre-shared and session keys
  • 3. What about group keys? Group keys protect broadcast and multicast frames:  All clients posses a copy of the group key Security of group keys not yet properly studied!  In contrast with pre-shared & session (=pairwise) keys … 3 We analyze security of group key during its full lifetime!
  • 5. Background: group key lifetime 5 Group Key Three important stages: 1. Generation (flawed RNG)
  • 6. Background: group key lifetime 6 Group Key Session Key 1 Encrypted group key sent to client Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) Group Key Session Key
  • 7. Background: group key lifetime 7 Group Key Session Key 1 Group Key Session Key Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) 3. Usage (abuse to decrypt all traffic) Addressing some of these issues:  New RNG for Wi-Fi platforms?
  • 8. Background: sending group frames 8 Group Key Session Key Group Key Session Key Group Key Session Key A Session Key B Client A Client B
  • 9. Background: sending group frames 9 1. Client uses pairwise key to send group frame to AP Session Key Session Key A Client A Client B Recv: AP Dest: FF:⋯:FF Src: Client A
  • 10. Background: sending group frames 10 1. Client uses pairwise key to send group frame to AP 2. AP broadcasts group frame using group key  Only AP sends real group frames Group Key Group Key Group Key Client B Client A Recv: FF:⋯:FF Dest: FF:⋯:FF Src: Client A
  • 11. Agenda: security of group keys 11 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 12. Agenda: security of group keys 12 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 13. How are group keys generated? Based on a key hierarchy:  AP randomly generates public counter and secret master key  Derives group temporal key (GTK) from these values every hour Entropy only introduced at boot  Bad design: if master key is leaked, all group keys become known! 13 Public counter Private master key +1 SHA-1 Group Temporal Key (GTK) Sampled only at boot!
  • 14. How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness 14 “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”
  • 15. How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 15 “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..] ; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”
  • 16. How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 16 Inconsistent description of RNG’s security guarantees!  How secure is the 802.11 RNG?  How many platforms implement this RNG?
  • 17. 802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution 17
  • 18. 802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand 18 Deviates from traditional RNG design:  No entropy pools being maintained  Entropy is only collected when the RNG is being invoked
  • 19. 802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand  Based on frame arrival timestamps and clock jitter 19
  • 20. 802.11 RNG: entropy sources Frame arrival times:  Collected by starting & aborting handshakes  Problem: AP will be blacklisted by clients Clock jitter and drift:  No minimum time resolution  small clock jitter  Hence contains only low amount of randomness 20 ¯_(ツ)_/¯
  • 21. Surely no one implemented this…? 21 Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks Weakened 802.11 RNG
  • 22. Surely no one implemented this…? 22 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks
  • 23. MediaTek RNG: overview Uses custom Linux drivers:  Implements 802.11’s group key hierarchy  But GNONCE “counter” is randomly refreshed on GTK rekey  Based on the 802.11 RNG using only clock jitter  Uses jiffies for current time: equals uptime of the AP  Predict both GMK and GNONCE to determine group key! 23 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1 RNG At boot
  • 24. MediaTek RNG: key search  Jiffies have at best millisecond accuracy  GMK: generated at boot  limited set of possible values  GNONCE: depends on uptime of router (and clock skew)  Uptime is leaked in beacons  Capture encrypted broadcast packet and search for key  24 OpenCL ~3 mins GMK & GTKRT-AC51U
  • 26. Surely no one implemented this…? 26 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
  • 27. Broadcom: Linux When running on a Linux kernel:  Implements 802.11’s group key hierarchy  Randomness from /dev/urandom “Mining your Ps and Qs” by Heninger et al.:  /dev/urandom might be predictable at boot  All group keys might be predictable on old kernels 27
  • 28. Broadcom: VxWorks and eCos 28 Open SourceProprietary
  • 29. Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds) 29 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG
  • 30. Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) 30 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG At boot
  • 31. Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) OpenCL ~4 mins GMK & GTKWRT54Gv5 31
  • 32. Surely no one implemented this…? 32 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
  • 33. Open Firmware Open Firmware:  An open source BIOS  Supports client Wi-Fi functionality in BIOS (!)  Randomness from boot time & linear congruential generator Hostapd:  Based on 802.11 group key hierarchy  Also injects new entropy on group rekeys!  Reads from /dev/random on boot & when clients join  If not enough entropy available, connections are rejected 33
  • 34. Agenda: security of group keys 34 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 35. Injecting unicast packets?  Put unicast IP packet in a broadcast frame? 35 Hole 196 check done at network-layer … … but an AP works at link-layer! Flags Receiver to client FF:⋯:FF Source IP Destination IP Data 802.11 specific  Detected by “Hole 196” check
  • 36. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 36 AP Victim Attacker Sender Destination Data
  • 37. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 37 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Encrypted using group key
  • 38. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 38 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Decrypted using group key
  • 39. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 39 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Encrypted using session (pairwise) key
  • 40. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 4. Victim sees normal unicast frame 40 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Decrypted using session (pairwise) key
  • 41. Decrypting all traffic ARP poison to broadcast MAC address  Poison both router and clients  Can decrypt network-layer protocols: IPv4, IPv6, … Countermeasure:  Don’t forward broadcast frames to a unicast destination  Even better: AP should simply ignore frames received on broadcast or multicast MAC address. 41
  • 42. Agenda: security of group keys 42 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 44. The 4-way handshake 44 Group key encrypted and transmitted … … before downgrade attack detection!
  • 45. The 4-way handshake 45 Group key encrypted and transmitted … … before downgrade attack detection! Session cipher GTK encryption WPA-TKIP RC4 AES-CCMP AES key wrap
  • 46. Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped 46
  • 47. Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped Recover repeated encryptions of GTK:  Similar in spirit to RC4 NOMORE attack  Requires ~231 handshakes: takes >50 years Countermeasures:  Disable WPA-TKIP & RC4  Send GTK after handshake 47
  • 48. Agenda: security of group keys 48 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 49. An improved 802.11 RNG Entropy present on al Wi-Fi chips?  Wi-Fi signals & background noise Spectral scan feature in commodity chips:  Can generate 3 million samples / second  First XOR samples in firmware  Extract & manage resulting entropy using known approaches Additional research needed: performance under jamming? 49
  • 50. Conclusion Lessons learned: 1. Always check quality of RNG 2. Let AP ignore group-addressed frames 3. Don’t put “expository” security algo’s in a specification 4. Don’t transmit sensitive data before downgrade detection 50
  • 51. Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - @vanhoefm Questions?