NZISIG - WPA3, what is it good for?

Presented at NZISIG on Tuesday 26th February 2019.

"WPA3: What is it good for? (With a little bit of Bluetooth and a soupçon of GPS)"
I offered this talk to Purplecon but they didn't want it so you're getting it instead. Since it's been a few months I've added some other stuff on the end.

Overview of existing issues in WEP, WPA, WPA2 and WPS
Skateboarding dog story
WPA3 improvements:
- Password protection
- Preshared keys (Simultaneous Authentication of Equals - SAE)
- Opportunistic Wireless Encryption (OWE)
- Wifi Easy Connect
- Direction finding
- End to end security
- 6th April could get interesting.


Tom Isaacson

February 26, 2019


  1. WPA3: What is it good for? (With a little bit of Bluetooth and a soupçon of GPS)
    Tom Isaacson @parsley72
  2. Wired Equivalent Privacy (WEP), 1999-2004
    • Used stream cipher RC4 for confidentiality.
    • US restrictions on export of cryptographic technology limited key length to 64 bits.
    • Once restrictions were lifted manufacturers moved to 128 bits.
  3. WEP hacks
    • Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 key.
    • Because RC4 is a stream cipher the same traffic key must never be used twice, but the 24-bit IV isn’t long enough to prevent repetition on a busy network. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
  4. Wi-Fi Protected Access (WPA), 2003 - Draft IEEE 802.11i
    • Intended as an intermediate measure.
    • Could be implemented on HW that was built for WEP by still using RC4.
    • Added Temporal Key Integrity Protocol (TKIP)
    • Per-packet 128-bit key, generated for each packet.
  5. Wi-Fi Protected Access II (WPA2), since 2004 – Full IEEE 802.11i / 802.11i-2004
    • Mandatory support for CCMP, an AES-based encryption mode.
    • Replaced TKIP (although this is still supported).
    • WPA2 Personal – Pre-Shared Key (PSK).
    • WPA2 Enterprise – Requires Remote Authentication Dial-In User Service (RADIUS) server for authentication (802.1x)
  6. WPA/WPA2 hacks
    • WPA2 Personal – Pre-Shared Key (PSK) dictionary attack.
    • Too complicated to explain
    • Hacking Your Neighbour's Wifi by the hacker known as “Alex”.
    • WPA2 Enterprise
    • Involves capturing handshakes as devices join the network.
    • Couldn’t find a picture explaining this.
  7. WPA2 Key Reinstallation AttaCK (KRACK), October 2017
    • 4-way handshake is executed when a client wants to join a protected Wi-Fi network.
    • Used to confirm that both the client and access point possess the pre-shared password.
    • Negotiates a fresh encryption key that will be used to encrypt all subsequent traffic.
    • Client will install this key after receiving message 3 of the 4-way handshake. However, because messages may be lost or dropped, AP will retransmit message 3 if it did not receive an appropriate response as acknowledgment.
    • As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.
  8. WPA2 Key Reinstallation AttaCK (KRACK), October 2017 (cont)
    • https://www.krackattacks.com/
    • “Breaking WPA2 by forcing nonce reuse” - Mathy Vanhoef
    • Attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake.
    • Decryption of packets is possible because the transmit nonces (initialization vectors) are reset to their initial value. As a result, the same encryption key is used with nonce values that have already been used in the past.
    • Especially bad against Android and Linux because client will install an all-zero encryption key instead of reinstalling the provided key.
  9. KRACK part 2, 2018
    • Most vendors properly updated their products, but in certain cases attacks were still possible.
    • Also discovered techniques to bypass Wi-Fi's official defense against KRACK, allowing an adversary to replay broadcast and multicast frames.
    • Good news is that the impact of replaying broadcast and multicast frames is low in practice. New paper and results are not as serious as the original key reinstallation attacks.
    • Release the Kraken: New KRACKs in the 802.11 Standard
  10. WiFi Protected Setup (WPS), 2006
    • Help non-technical users set up WPA2.
    • Make it easier to add new devices to an existing network.
    • Methods:
      • PIN (mandatory)
        • PIN is read from sticker or display on new device.
        • PIN is entered on access point of existing network.
      • Push-button (mandatory)
        • User has to push a button on the access point of the existing network.
      • Near-field communication (optional)
        • User has to bring the new device close to the access point to allow NFC.
      • USB (optional, deprecated)
        • USB drive is used to transfer data between new device and existing network access point.
    • Obviously Push-button, NFC and USB methods are vulnerable with physical access.
  11. WPS hacks
    • Online - PIN Brute force attack, 2011
      • 8 digit number used to add new devices.
      • Last digit is checksum so 10^7 = 10,000,000 possible combinations.
      • Validity of PIN for first and second halves reported separately:
        • First half is 10^4 = 10,000 combinations.
        • Second half is 10^3 = 1000 combinations.
    • Offline - Pixie Dust attack, 2014
      • Default implementation of several manufacturers, including Ralink, MediaTek, Realtek and Broadcom.
      • Lack of randomization when generating the E-S1 and E-S2 "secret" nonces. Knowing these two nonces, the PIN can be recovered within a couple of minutes.
  12. Hotel Bastardos
    • Marriott fined $600,000 after a complaint in 2003 that it wasn’t allowing guests at a convention to use their mobile hotspots.
    • Using Wi-Fi Deauthentication Attack
    • 802.11 protocol includes deauthentication frame for telling a device it’s been disconnected.
    • Frame does not require encryption even when the network is using WEP/WPA/WPA2.
    • Attacker only needs to know device’s MAC address which can be sniffed.
    • Others have been fined; it does appear to still be happening.
  13. Skateboarding dog story
    Standard problem:
    • Have a device (e.g. mobile phone) on a protected Wi-Fi network
    • Want to add another device (e.g. IoT lightbulb) – need SSID and keyphrase.
    TI CC3000 Smart Config by George Hawkins
    • Someone who cannot decrypt the wifi traffic can still see:
      • Source and receiver MAC addresses of every packet sent.
      • Length of the data portion of the packets. Encryption affects the size of the packets sent but in a consistent manner.
      • Basic type of packet, e.g. QoS can be ignored.
    • Solution is to run an app that encodes the data (keyphrase) in the size of UDP packets being transmitted.
  14. WPA3, June 2018
    • Improved testing of certificate chains
    • Simultaneous Authentication of Equals (SAE)
    • Improved encryption?
    • Protected Management Frames (PMF)
    • Commercial National Security Algorithm (CNSA) Suite
    • Wi-Fi Enhanced Open
    • Wi-Fi Easy Connect
  15. WPA3: Improved testing of certificate chains
    • In WPA2 authenticating a server based on a certificate often did not check the certificate chain all the way to the root.
    • WPA3 requires this and adds a specific test for it.
  16. WPA3: Simultaneous Authentication of Equals (SAE)
    • Replaces WPA2 Personal - Pre-Shared Key (PSK).
    • Variant of the Dragonfly Key Exchange, defined in RFC 7664.
    • The SAE handshake negotiates a fresh Pairwise Master Key (PMK) using Diffie-Hellman (DH) key exchange which is then used in a traditional 4-way handshake to generate session keys.
    • Resistant to dictionary attack.
  17. WPA3: Improved encryption?

    | Standard | WEP | WPA | WPA2 | WPA3 |
    | --- | --- | --- | --- | --- |
    | Release | 1997 | 2003 | 2004 | 2018 |
    | Encryption | RC4 | TKIP with RC4 | AES-CCMP | AES-CCMP & AES-GCMP |
    | Key Size(s) | 64 and 128-bit | 128-bit | 128-bit | 128 and 256-bit |
    | Cipher Type | Stream | Stream | Block | Block |
    | Authentication | Open System & Shared Key | Pre-Shared Key (PSK) & 802.1x with EAP variant | Pre-Shared Key (PSK) & 802.1x with EAP variant | Simultaneous Authentication of Equals (SAE) & 802.1x with EAP variant |

  18. WPA3: Commercial National Security Algorithm (CNSA) Suite
    • Based on NSA’s Suite B for Top Secret classification.
    • Intended for WPA3 Enterprise.
    • Optional on top of WPA3 Enterprise.
    • Doesn’t work alongside WPA2 Enterprise.
  19. WPA3: Commercial National Security Algorithm (CNSA) Suite (cont)

    | Algorithm | Function | Specification | Parameters |
    | --- | --- | --- | --- |
    | Advanced Encryption Standard (AES) | Block cipher used for information protection | FIPS Pub 197 | Use 256-bit keys |
    | Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm used for key establishment | NIST SP 800-56A | Use Curve P-384 |
    | Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm used for digital signatures | FIPS Pub 186-4 | Use Curve P-384 |
    | Secure Hash Algorithm (SHA) | Used for computing a condensed representation of information | FIPS Pub 180-4 | Use SHA-384 |
    | Diffie-Hellman (DH) Key Exchange | Algorithm used for key establishment | IETF RFC 3526 | Min. 3073-bit modulus |
    | RSA | Algorithm used for key establishment | NIST SP 800-56B rev 1 | Min. 3072-bit modulus |
    | RSA | Asymmetric algorithm used for digital signatures | FIPS PUB 186-4 | Min. 3072-bit modulus |

  20. WPA2/WPA3: Protected Management Frames (PMF)
    • IEEE 802.11w-2009
    • Mandatory in WPA2 enhanced and WPA3.
    • Management frames are used for initiating and terminating Wi-Fi connections. Without PMF, management frames are transmitted unencrypted and their integrity is not verified. PMF ensures integrity of network management traffic. It provides protection against eavesdropping, replay and forging of management action frames. This protects against traffic-based DoS attacks that use forged deauthentication/disassociation frames to kick clients from a network and force them to authenticate again, a tactic which is used at the initial stage of some wireless attacks.
  21. WPA3: Wi-Fi Enhanced Open - Opportunistic Wireless Encryption (OWE)
    • RFC 8110
    • Not mandatory for WPA3
    • Replaces unencrypted open networks.
    • Uses an unauthenticated Diffie-Hellman key exchange during association, resulting in a Pairwise Master Key (PMK) used to derive the session keys.
    • Better than WPA3 Personal / PSK because the password isn’t public (e.g. in a café).
    • Legacy support – transition mode creates a hidden SSID for OWE. OWE-capable devices will see information from legacy SSID telling them to connect to the hidden SSID.
  22. WPA2/WPA3: Wi-Fi Easy Connect
    • Device Provisioning Protocol (DPP)
    • The configurator is typically a smart phone or tablet that is already part of the trusted network and can provision new devices.
    • The enrollee will be authenticated and provisioned into the network through an initial bootstrapping process done through the following methods:
      • Scanning a QR code
      • Negotiation of a trusted public key using a passphrase/code (PKEX)
      • NFC
      • Bluetooth
    • DPP will allow for mutual authentication.
  23. WPA2/WPA3: Wifi Easy Connect (cont)

  24. WPA3 Vulns?
    • “WPA3: A Missed Opportunity” by Mathy Vanhoef
      • Complains only Simultaneous Authentication of Equals (SAE) is mandatory.
    • Schneier on Security - WPA3
    • SAE password protection uses Dragonfly which caused some controversy
    • Question regarding Crypto Forum Research Group (CFRG) process
    • Response
    • Opportunistic Wireless Encryption (OWE) is still susceptible to MITM
  25. WPA3 Implementation
    • Linux – Already added to hostap on master, not yet had an official release.
    • OpenWRT supports it
    • Trying to deploy WPA3 on my home network
    • Microsoft – Expected to add support in Windows 10 19H1 (Spring 2019)
    • Apple – Wi-Fi Alliance has nothing yet
    • Android/Other – Wi-Fi Alliance has:
      • 34 phones, all Samsung.
      • 1 Intel internal adapter.
      • 1 Marvell eval kit.
      • 141 routers from Dell, Aruba (HP), Marvell, Netgear, Qualcomm, Ruckus, Ruijie and Synology.
      • 2 Qualcomm reference designs.
  26. Bluetooth
    Bluetooth 5.1 presented on 21st January 2019
    • Angle of Arrival (AoA) and Angle of Departure (AoD)
  27. Bluetooth deprecation and withdrawal
    Specifications to be withdrawn on 28 January 2019:
    • Bluetooth Specification Version 2.0 + EDR
    Specifications to be deprecated on 28 January 2019:
    • Bluetooth Specification Version 2.1 + EDR
    • Bluetooth Core Specification Addendum 1
    • Bluetooth Specification Version 3.0 + HS
    • Bluetooth Specification Version 4.0
    • Bluetooth Core Specification Addendum 2
    • Bluetooth Core Specification Addendum 3 revision 2
    • Bluetooth Core Specification Addendum 4
    • Bluetooth Specification Version 4.1
  28. Bluetooth security
    BlueBorne
    • Affected implementations in Android, iOS, Linux and Windows
    https://armis.com/blueborne/
    Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange
    https://www.kb.cert.org/vuls/id/304725/
    A Story About Three Bluetooth Vulnerabilities in Android
    • Issue 74882215: Bluetooth L2CAP L2CAP_CMD_CONN_REQ Remote Memory Disclosure
    • Issue 74889513: Bluetooth L2CAP L2CAP_CMD_DISC_REQ Remote Memory Disclosure
    • Issue 74917004: Bluetooth SMP smp_sm_event() OOB Array Indexing
    https://blog.quarkslab.com/a-story-about-three-bluetooth-vulnerabilities-in-android.html
  29. New Work Proposal: “End-to-End Security”
    Submitted by Ravishankar Srinivasan at Apt-e-Security. Not exactly fast – first draft submitted 15th Feb 2016, now on revision 9.
    1. Strong and varied encryption mechanisms.
      • Make encryption simultaneously dynamic and user customizable.
    2. Centrally controlled security management element.
      • Acting as a gatekeeper for all access, data transfers, and controls.
      • Act as a gateway that monitors, manages, and marks up all transfers in a targeted fashion.
      • Provide a platform for ensuring direct exchange in an obfuscated manner for specific devices as targeted.
      • Assists in linking, controlling, validating, and isolating device types, as well as routing-handling and ensuring all device types communicate securely.
    3. Unpredictable use of radio spectrum to prevent eavesdropping and man-in-the-middle attacks.
      • Uses control packets to check the RF environment and incorporates random sequencer logic for packet sequencing, filtering, and validating.
      • Also uses other methods of regenerating the packet in a noisy RF environment, which helps the system deliver quality, safety, and interoperability.
  30. GPS
    Uses a 10-bit field to encode the week number in each GPS time message, which means that a maximum of 1,024 weeks (19.7 years) can be handled. Each of these periods is known in GPS terms as an “epoch”. At the end of each epoch the receiver resets the week number to zero and starts counting again.
  31. GPS History
    First GPS satellites went live on 6th January 1980.
    • Robert Muldoon was PM.
    • Sinclair ZX80 would be released in February.
    • Apple III would be released on 19th May.
    • IBM PC wasn’t released until 1981.
    • Windows 1.0 wasn’t released until 1985.
    • Linus Torvalds was 11.
    First epoch of GPS time lasted until 21st August 1999. Second epoch ends on the 6th April 2019 (Saturday next week).
  32. GPS Lost?
    • Feedback From GPS Timing Users: Relayed Observations From 2 SOPS (1999)
    • Prior to the actual GPS week rollover of 21-22 August 1999, the Master Control Station (MCS), on several occasions, set vehicles unhealthy to permit testing and validation of various rollover events. During these tests, the MCS simulated:
      • GPS Week rollover
      • 1999-2000 rollover
      • Leap Day 2000 rollover
      • 2000-2001 rollover
    • These tests served the primary purpose of validating the MCS’s ability to control and interface with GPS satellites during and after these respective rollovers. The MCS experienced no major problems during these tests and successfully demonstrated its preparedness for these rollovers.
    • However, communication with several users, during and after the above activities, gave clear indication that not all GPS user equipment works as one would desire.
  33. It depends…
    Manufacturers use a “pivot date” from when products were actually released. So if a product was released in 2010 it might add a value of ~520 to the week number, which means its epoch will end in ~2029. So basically a GPS device could fail at any time.
  34. End on a happy note
    “The GPS modernization program is an ongoing, multibillion-dollar effort to upgrade the features and overall performance of the Global Positioning System. The upgraded features include new civilian and military GPS signals. To improve the situation regarding Week Number Roll Over, message types (CNAV and MNAV) use a 13-bit field to represent the GPS week number and newer GPS receivers that utilise that 13-bit field will not have a problem with 1,024-week epochs.”
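
The key reinstallation described in slides 7 and 8, as a toy model added here (not code from the talk): a retransmitted message 3 resets the transmit packet number, so two frames are encrypted under the same nonce, while a client that refuses to reinstall a key it already holds keeps counting. SHA-256 in counter mode stands in for CCMP's keystream; the `Client` class, its `patched` flag and the sample frames are constructed for illustration.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Stand-in for CCMP's counter mode: output depends only on (key, nonce).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_pn = 0      # transmit packet number, used as the nonce
        self.sent = []      # (nonce, ciphertext) pairs put on the air

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour: a key that is already in use is not reinstalled,
        # so the packet number is not reset.
        if self.patched and key == self.key:
            return
        self.key, self.tx_pn = key, 0

    def send(self, plaintext: bytes) -> None:
        self.tx_pn += 1
        ct = xor(plaintext, keystream(self.key, self.tx_pn, len(plaintext)))
        self.sent.append((self.tx_pn, ct))

FRAME_A = b"frame A: hello  "   # constructed sample plaintexts
FRAME_B = b"frame B: secret "

def run(patched: bool):
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_message3(key)
    client.send(FRAME_A)
    client.on_message3(key)     # retransmitted message 3 arrives
    client.send(FRAME_B)
    return client.sent

def reused_nonces(sent):
    seen, dup = set(), set()
    for nonce, _ in sent:
        (dup if nonce in seen else seen).add(nonce)
    return sorted(dup)

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", "reused nonces:", reused_nonces(run(patched)))
```

With the unpatched client the XOR of the two ciphertexts equals the XOR of the two plaintexts, which is why nonce reuse makes decryption possible without the key.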
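
The 10-bit week field and the "pivot date" from slides 30 and 33, worked through as an added example (not code from the talk): a receiver maps the broadcast week into a 1,024-week window starting at its pivot, and reports a date 1,024 weeks in the past once real time leaves that window. The function names are hypothetical, and pivot week 1544 (1024 + 520) is an assumed reading of the slide's "~520".

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)   # start of GPS week 0
ROLLOVER = 1 << 10             # 10-bit week field: 1,024 weeks per epoch

def broadcast_week(d: date) -> int:
    """Week number as transmitted: only the low 10 bits survive."""
    return ((d - GPS_EPOCH).days // 7) % ROLLOVER

def resolve(wn10: int, pivot_week: int) -> int:
    """Pick the one full week in [pivot_week, pivot_week + 1023] matching wn10."""
    return pivot_week + (wn10 - pivot_week) % ROLLOVER

def receiver_date(true_date: date, pivot_week: int) -> date:
    """Date a receiver with this pivot reports when the real date is true_date."""
    week = resolve(broadcast_week(true_date), pivot_week)
    day_of_week = (true_date - GPS_EPOCH).days % 7
    return GPS_EPOCH + timedelta(weeks=week, days=day_of_week)

def first_wrong_date(pivot_week: int) -> date:
    """First day that falls outside the receiver's 1,024-week window."""
    return GPS_EPOCH + timedelta(weeks=pivot_week + ROLLOVER)

if __name__ == "__main__":
    rollover_day = date(2019, 4, 7)   # day after the second epoch ends
    for label, pivot in (("pivot at 1999 epoch start", 1024),
                         ("pivot ~520 weeks later", 1544)):
        print(label, "reports", receiver_date(rollover_day, pivot),
              "and is correct until", first_wrong_date(pivot))
```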