Chaotic Channel

Transcript

1. CHAOTIC CHANNEL OWASP SAITAMA MTG #20, TALK #1 Image by

   Denkrahm on flickr, CC-BY-ND 2.0

2. TEXT SESSION FLAGS ▸ ࿥ըɾ࿥Իɾެ։: OK Image by Nico Kaiser

   on flickr, CC-BY 2.0

3. TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸

   Monolith Works Inc. Co-founder, CTO Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ ٬һݚڀһ

4. TEXT WHAT I DO ▸ Security research and development ▸

   iOS/Android Apps →Financial, Games, IoT related, etc. (>200) →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps →POS, RAD tools etc. ▸ Network/Web penetration testing →PCI-DSS etc. ▸ Search engine reconnaissance (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

5. TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

   METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017) DEF CON 27 AI Village (2019) CODE BLUE (2017, 2019) CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

6. TEXT BACKGROUND ▸ What is Wi-Fi? ▸ ϫΠϠϨεωοτϫʔΫ ▸ IEEE

   802.11ܥͰنఆ Image by erikadotnet on flickr, CC-BY-NC 2.0

7. TEXT SNIFFING ▸ ৴߸๣डʹΑΔ௨৴๣ड ▸ WEP: ҉߸Խ (RC4/CRC32)

8. TEXT WEAK CRYPTOGRAPHY ▸ ҉߸ܥͷڧ౓ෆ଍ʹΑΔ౪ௌվ᜵ ▸ WEP: ൵ࢂͳ΄Ͳͷແཧղ RC4 ..

   伴௚઀ࢦఆ, IVෆ଍, ༌ग़ن੍etc. CRC32 .. ࿦֎; Compensation attack (sshnuke..!) ▸ WPA: 伴؅ཧڧԽʴೝূ͕ೖ͕ͬͨ… RC4 .. PBKDF2-MD5, statistical bias Michael .. invertible (※), related-keys, birthday ※C = Michael(K, M)ʹ͓͍ͯC,M͔ΒKΛܾఆՄೳ ▸ WPA2: ೝূ҉߸Խ (AES-CCMP) બ୒Մ Image by Steve Bowbrick on flickr, CC-BY 2.0

9. TEXT WIFI PROTECTED SETUP ▸ PINͷਪଌ →Personal Identi fi cation

   Number…ͩͱʁ →ͨͬͨ7ܻͷ਺஋͔ͭΦϑϥΠϯ߈ܸՄೳʂ ▸ Pixie dust attack (Bongard 2014) ▸ WPS: PBCͷΈͷӡ༻ Image by alvinchanphotography on flickr, CC-BY 2.0

10. TEXT DOWNGRADE ATTACKS ▸ KRACK attacks (Vanhoef, 2017) ▸ 4-way

    handshakeΛҰ෦վ᜵ɾϦϓϨΠ͠… ɾnonceΛ࠶ར༻ͤ͞Δ Image by Archetype Fotografie on flickr, CC-BY-SA 2.0

11. TEXT DOWNGRADE ATTACKS ▸ KRACK attacks (Vanhoef, 2017) ▸ 4-way

    handshakeΛҰ෦վ᜵ɾϦϓϨΠ͠… ɾnonceΛ࠶ར༻ͤ͞Δ → RC4/AES-CCMPʹର ͠յ໓తͳӨڹ (key/nonce reuse) ▸ ύονͷద༻͋Δ͍͸WPA3 Image by Archetype Fotografie on flickr, CC-BY-SA 2.0

12. TEXT DOWNGRADE ATTACKS ▸ Dragonblood (Vanhoef, 2019) ͷҰͭ ▸ WPA3-TransitionϞʔυωοτϫʔΫʹ͓͍ͯ

    WPA2Λબ୒͠ɺMICΛୣऔ ▸ WPA3ͷڧ੍: ޓ׵Ϟʔυͷ໋॓ Image by Archetype Fotografie on flickr, CC-BY-SA 2.0

13. TEXT DENIAL OF SERVICE 1 ▸ ͍ΘΏΔdeauth߈ܸ ؅ཧϑϨʔϜͷૹ෇ʹΑΔDoS ▸ ؅ཧϑϨʔϜ͕ೝূΛཁٻ͠ͳ͍͜ͱ͕ݪҼ

    ▸ WPA3: Protected Management Frames (802.11w) Image by jyri on flickr, CC-BY 2.0

14. TEXT DENIAL OF SERVICE 2 ▸ Dragonblood (Vanhoef, 2019) ͷҰͭ

    ▸ ϥϯμϜͳMACΞυϨε͔ΒSAE Commitϑ ϨʔϜΛେྔʹૹ෇͠ɺDragonFlyॲཧίετΛ ૿෯ →ପԁۂઢܥͷ఺Λ൓෮తʢHunting-and- PeckingʣʹٻΊ͍ͯΔ͜ͱͳͲ͕ݪҼ →΋ͱ΋ͱ͸λΠϛϯά߈ܸରࡦ͕ͩ… Image by jyri on flickr, CC-BY 2.0

15. TEXT DENIAL OF SERVICE 2 ▸ WPA3: SAE-H2E (Hash-to-Element) αΠυνϟωϧ߈ܸճආͱܭࢉྔܰݮͷͨΊʹ

    ପԁۂઢܥͷ఺Λϋογϡؔ਺ܦ༝ͰٻΊΔΑ ͏ʹվྑͨ͠΋ͷ ※WPA3ݻ༗ͷ໰୊ Image by jyri on flickr, CC-BY 2.0

16. TEXT COVERT CHANNELS ▸ Dragonblood (Vanhoef, 2019) ͷҰͭ ▸ ପԁۂઢܥͷ఺Λ൓෮తʹٻΊΔࡍͷॲཧ͕

    ɾKDFͷग़ྗ஋ҬͰ෼ذ͍ͯ͠Δ ɾBrainpoolۂઢܥͷಛ௃͔Β෼ذʹภΓ →ύεϫʔυͷ಺༰ʹΑΓॲཧ͕࣌ؒόϥͭ͘ →ύεϫʔυ͕ޮ཰ྑ͘ਪఆՄೳ Image by Neil. Moralee on flickr, CC-BY-NC-ND 2.0

17. TEXT COVERT CHANNELS ▸ WPA3: SAE-H2E ※WPA3ݻ༗ͷ໰୊ ▸ ͳΜͱͳ͘: ҉߸ܥ΁ͷཧղ͕ෆ଍͍ͯ͠Δʁ

    ʢʹ͍ͩͿ͓ૈ຤͡Όͳ͍͔ʁʣ Image by Neil. Moralee on flickr, CC-BY-NC-ND 2.0

18. TEXT INTER-FRAME INTEGRITY FAILURE ▸ FragAttack (Vanhoef, 2021) ▸ ϑϨʔϜؒͷೝূ͕؁͍໰୊

    ɾis aggregatedϑϥά͕ະೝূ ɾPairwise session keyߋ৽ΛڬΜͰϑϨʔϜ͕ assemble͞ΕΔ ɾΫϥΠΞϯτ੾அ࣌ʹ΋fragment cache͕Ϋ ϦΞ͞Εͳ͍ ɾTKIPʹ͓͍ͯfragmentsͷMICΛݕূ͠ͳ͍ ɾetc .. Image by James Marvin Phelps on flickr, CC-BY-NC 2.0

19. TEXT INTER-FRAME INTEGRITY FAILURE ▸ FragAttack (Vanhoef, 2021) ▸ ϑϨʔϜؒͷೝূ͕؁͍໰୊

    ɾis aggregatedϑϥά͕ະೝূ → ϑϨʔϜૠೖՄೳ ɾPairwise session keyߋ৽ΛڬΜͰϑϨʔϜ͕assemble ͞ΕΔ → લͷkeyͰ҉߸Խͯ͋ͬͨ͠৘ใ͕࿙ΕΔՄೳ ੑ ɾΫϥΠΞϯτ੾அ࣌ʹ΋fragment cache͕ΫϦΞ͞Ε ͳ͍ → ϑϨʔϜૠೖՄೳ ɾTKIPʹ͓͍ͯfragmentͷMICΛݕূ͠ͳ͍ → վ᜵Մೳ ɾetc .. Image by James Marvin Phelps on flickr, CC-BY-NC 2.0

20. TEXT INTER-FRAME INTEGRITY FAILURE ▸ WPA3: Ұ෦ରࡦ Image by James

    Marvin Phelps on flickr, CC-BY-NC 2.0

21. TEXT OFFLINE CRACKING ▸ 4-way handshakeͷMIC͔ΒύεϫʔυΛਪଌ (802.11i-2004) ▸ ύεϫʔυ͔ΒPMKΛPBKDF2Ͱ೿ੜ͢Δ ▸

    PMK͔ΒPTKΛɺ·ͨPTK͔ΒMICΛٻΊΔ ▸ ͭ·Γ: ύεϫʔυ͔ΒMIC͕Ұҙʹܾ·Δ →ΦϑϥΠϯ߈ܸՄೳʂGPU΋࢖༻Մೳʂ Image by massdistraction on flickr, CC-BY-NC-ND 2.0

22. TEXT OFFLINE CRACKING ▸ ࢀߟ: WPA-TKIPͷ৔߹: PMK = PBKDF2(HMAC-SHA1, passphrase,

    ssid, 4096, 256) PTK = PRF512(PMK, "Pairwise key expansion", min(CL_MAC, AP_MAC) || max(CL_MAC, AP_MAC) || min(SNONCE, ANONCE) || max(SNONCE, ANONCE)) MKr, MKs = PTK[48:56], PTK[56:64] MICs = Michael(MKs, payload) ← ͜Ε Image by massdistraction on flickr, CC-BY-NC-ND 2.0

23. TEXT OFFLINE CRACKING ▸ ࢀߟ: WPA-AESͷ৔߹: PMK = PBKDF2(HMAC-SHA1, passphrase,

    ssid, 4096, 256) PTK = PRF384(PMK, "Pairwise key expansion", min(CL_MAC, AP_MAC) || max(CL_MAC, AP_MAC) || min(SNONCE, ANONCE) || max(SNONCE, ANONCE)) KCK = PTK[:16] MIC = HMAC-MD5(KCK, payload) ← ͜Ε Image by massdistraction on flickr, CC-BY-NC-ND 2.0

24. TEXT OFFLINE CRACKING ▸ ࢀߟ: WPA2-AESͷ৔߹: PMK = PBKDF2(HMAC-SHA1, passphrase,

    ssid, 4096, 256) PTK = PRF384(PMK, "Pairwise key expansion", min(CL_MAC, AP_MAC) || max(CL_MAC, AP_MAC) || min(SNONCE, ANONCE) || max(SNONCE, ANONCE)) KCK = PTK[:16] MIC = HMAC-SHA1(KCK, payload) ← ͜Ε Image by massdistraction on flickr, CC-BY-NC-ND 2.0

25. TEXT OFFLINE CRACKING ▸ WPA3: Password authenticated key exchange ▸

    ύεϫʔυͷࣄલ߹ҙͷΈΛར༻ͨ͠伴ަ׵ ʢECC: Brainpoolʣ Image by massdistraction on flickr, CC-BY-NC-ND 2.0

26. TEXT EVIL TWIN ▸ ෆਖ਼ͳAP΁઀ଓͤ͞Δ߈ܸ ▸ ߈ܸऀ͕APΛ༻ҙ SSID/BSSIDΛিಥͤͯ͞઀ଓΛୣऔ Image by

    surfzone™ on flickr, CC-BY-NC-ND 2.0

27. TEXT EVIL TWIN ▸ ͦ΋ͦ΋઀ଓ৘ใΛ͍࣋ͬͯͳ͘ͱ΋… ▸ ϑΟογϯά →captive portalͱͯ͠ৼ෣ͬͯ΋ྑ͍ ▸

    MICͷୣऔ →ύεϫʔυͷਪଌ΁ ▸ ߈ܸର৅͔ΒPreferred Network ListΛ๣डͯ͠ ೳಈతʹ࢓ֻ͚ͯ΍Δͱ͞Βʹָ͍͠ (KARMA attack) Image by surfzone™ on flickr, CC-BY-NC-ND 2.0

28. TEXT EVIL TWIN ▸ WPA3: SAE-PK (December 2020 update) APʹެ։伴Λ෇༩ɺSAE࠷ऴஈ֊Ͱॺ໊͠؃ഁ

    Image by surfzone™ on flickr, CC-BY-NC-ND 2.0

29. TEXT WHAT IS SAE ▸ Simultaneous Authentication of Equals ▸

    DragonFly (RFC7447) ͷมछ ▸ Password authenticated key exchange ▸ Dif fi e-Hellman key agreementʹ͓͚Δೝূ ͷ໰୊Λ૬ޓͷMACΞυϨεͱPSKͰղܾ Image by Just_hobby on flickr, CC-BY-NC 2.0

30. TEXT WHAT IS SAE ▸ Simultaneous Authentication of Equals ▸

    DragonFly (RFC7447) ͷมछ ▸ Password authenticated key exchange ▸ Dif fi e-Hellman key agreementʹ͓͚Δೝূ ͷ໰୊Λ૬ޓͷMACΞυϨεͱPSKͰղܾ ▸ SSIDʹ͸ґଘ͠ͳ͍: ύεϫʔυͱ౰ࣄऀ͕ ಉ͡Ͱ͋Ε͹ೝূ͕੒ཱ͢Δ Image by Just_hobby on flickr, CC-BY-NC 2.0

31. TEXT EVIL TWIN RETURNS ▸ SSID Confusion attack (Vanhoef, 2023)

    ▸ ෆਖ਼ͳAPͷΤΫεςϯμͱͯ͠ػೳͰ͖Δ߈ ܸऀ͕ਖ਼౰ͳAPͷSSIDΛِ૷ɺ઀ଓΛ༠Ҿ ʢِ૷=தܧ࣌ʹϑϨʔϜΛॻ͖׵͑ʣ ▸ ΋ͪΖΜύεϫʔυΛ஌͍ͬͯΔ͜ͱ͕৚݅ ▸ SAE͕SSIDΛೝূ͠ͳ͍ͨΊ Image by bearexposed on flickr, CC-BY-NC-ND 2.0

32. TEXT EVIL TWIN RETURNS ▸ WPA3 Personal: SAE-H2E ※WPA3 EnterpriseͰ͸ରࡦͰ͖ͳ͍

    ※WPA3ݻ༗ͷ໰୊ (WPA2ҎલͰ͸PMK derive࣌ʹSSIDΛߟྀ) ▸ SAE-H2E: ຊདྷ͜Ε΁ͷରࡦͱͯ͠ߟ͑ΒΕͨ΋ ͷͰ͸ͳͦ͞͏͕ͩSSID͕ೖྗཁૉʹೖΔͨΊ ※Vanhoef 2023ʹ΋S-loopʹର͢ΔS-constͱͷ ΈදهͳͷͰ͜Εͷ͜ͱͳͷ͔͸एׯඍົ Image by bearexposed on flickr, CC-BY-NC-ND 2.0

33. TEXT TAKEAWAYS ▸ ௕Β͘ΨλΨλͩͬͨ… ͕WPA3Ͱରࡦ͞Ε͖ͯͨ ▸ SAE͸ͳ͔ͳ͔ͷΫηϞϊΒ͍͠ ▸ Evil twinରࡦʹ͸ҎԼΛ༗ޮʹ

    ▸ SAE-PK ▸ SAE-H2Eʢ˞Wi-Fi 7/6GHzͰ͸ඞਢʣ ▸ WPA3-Enterpriseͷ৔߹͸ରࡦࠔ೉ →ଓใΛ଴ͯ Image by letmebeyourswearword on flickr, CC-BY 2.0

34. FIN. 25.6.2024 TAKAHIRO YOSHIMURA (@ALTERAKEY) Image by MarwanYoussef on flickr,

    CC-BY 2.0