Slide 1

Slide 1 text

What’s new in Wifi - Wi-Fi 6 and WPA3
Tom Isaacson @parsley72

Slide 2

Slide 2 text

| Wi-Fi Alliance Version | IEEE | Year |
|---|---|---|
| Wi-Fi 1 | 802.11b | 1999 |
| Wi-Fi 2 | 802.11a | 1999 |
| Wi-Fi 3 | 802.11g | 2003 |
| Wi-Fi 4 | 802.11n | 2009 |
| Wi-Fi 5 | 802.11ac | 2014 |
| Wi-Fi 6 | 802.11ax | 2018 |

Slide 3

Slide 3 text

Wi-Fi 6
• Orthogonal Frequency Division Multiple Access (OFDMA)
  • Improves speed and multiple device support.
• 1024 quadrature amplitude modulation mode (1024-QAM)
  • Improves speed.
• Target Wake Time (TWT)
  • Improves battery life.
• Multiple Users Multiple Input Multiple Output (MU-MIMO)
  • Improves multiple device support.
• Basic Service Set (BSS) Coloring
  • Improves speed and battery life.
• 6 GHz band
• WPA3

Slide 4

Slide 4 text

Basic Service Set (BSS) Coloring
• Enables each AP to add a unique color to each transmitting channel. With 63 different colors available, coloring ensures that neighboring APs can all be assigned unique colors.
• With each AP transmitting a locally-unique color, a device can easily distinguish transmissions coming from its AP from that of a neighboring AP. This distinction enables a device to ignore a neighboring AP’s transmissions when attempting to transmit. Coloring leads to increased capacity by enabling simultaneous transmissions between APs on the same channel.
• Improves battery life for IoT and mobile devices. A device can ignore all transmissions with colors different than the color of the connected AP thereby increasing battery life.

Slide 5

Slide 5 text

6 GHz band
• September 24th 2019 - FCC Chairman Ajit Pai:
  • “This past October, the FCC began to explore opening up 1,200 megahertz of spectrum in the 6 GHz band for different types of unlicensed uses. This band is currently populated by microwave services that are used to support utilities, public safety, and wireless backhaul. But studies have shown that sharing this band with unlicensed operations is feasible—and can put massive amounts of new spectrum into the hands of consumers.”
• Expectation is that this will be approved in 2020.
• Will only be used by Wi-Fi 6.

Slide 6

Slide 6 text

Wi-Fi 6 Implementation
• Wi-Fi Alliance certified database has:
  • 5 Computers and accessories from Broadcom, Intel, Qualcomm.
  • 28 Phones from Samsung.
  • 7 Routers from Buffalo, Ruckus, Intel, Marvell, Qualcomm, Broadcom.
  • 8 Other (adapters, reference designs) from Marvell, Cypress, Broadcom, Qualcomm, Intel.

Slide 7

Slide 7 text

WPA3

Slide 8

Slide 8 text

Live Demo
SSID: OpenWrt-WPA3
Passphrase: password

Slide 9

Slide 9 text

Wired Equivalent Privacy (WEP), 1999-2004
• Used stream cipher RC4 for confidentiality.
• US restrictions on export of cryptographic technology limited key length to 64 bits.
• Once restrictions were lifted manufacturers moved to 128 bits.

Slide 10

Slide 10 text

WEP hacks
• Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 key.
• Because RC4 is a stream cipher the same traffic key must never be used twice, but a 24-bit IV isn’t long enough to prevent repetition on a busy network. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
• Café Latte attack (2007, Vivek Ramachandran)
  • A WEP key could be obtained from a café Wi-Fi in the time it takes to drink your café latte.

Slide 11

Slide 11 text

Wi-Fi Protected Access (WPA), 2003 - Draft IEEE 802.11i
• Intended as an intermediate measure.
• Could be implemented on HW that was built for WEP by still using RC4.
• Added Temporal Key Integrity Protocol (TKIP)
  • Per-packet 128-bit key, generated for each packet.

Slide 12

Slide 12 text

Wi-Fi Protected Access II (WPA2), since 2004 – Full IEEE 802.11i / 802.11i-2004
• Mandatory support for CCMP, an AES-based encryption mode.
  • Replaced TKIP (although this is still supported).
• WPA2 Personal – Pre-Shared Key (PSK).
  • WPA2 with no password is unencrypted.
    • Firesheep, 2010.
  • WPA2 security is dependent on the length of the password.
• WPA2 Enterprise – Requires Remote Authentication Dial-In User Service (RADIUS) server for authentication (802.1x)
  • Hard to set up correctly.

Slide 13

Slide 13 text

WPA/WPA2 hacks
• WPA2 Personal – Pre-Shared Key (PSK) dictionary attack.
  • Too complicated to explain
  • Hacking Your Neighbour's Wifi by the hacker known as “Alex”.
• WPA2 Enterprise
  • Involves capturing handshakes as devices join the network.
  • Couldn’t find a picture explaining this.

Slide 14

Slide 14 text

WPA2 Key Reinstallation AttaCK (KRACK), Mathy Vanhoef, October 2017
• 4-way handshake is executed when a client wants to join a protected Wi-Fi network.
  • Used to confirm that both the client and access point possess the pre-shared password.
  • Negotiates a fresh encryption key that will be used to encrypt all subsequent traffic.
• Client will install this key after receiving message 3 of the 4-way handshake. However, because messages may be lost or dropped, AP will retransmit message 3 if it did not receive an appropriate response as acknowledgment.
• As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.

Slide 15

Slide 15 text

WPA2 Key Reinstallation AttaCK (KRACK), October 2017 (cont)
• https://www.krackattacks.com/
• “Breaking WPA2 by forcing nonce reuse” - Mathy Vanhoef
• Attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake.
• Decryption of packets is possible because the transmit nonces (initialization vectors) are reset to their initial value. As a result, the same encryption key is used with nonce values that have already been used in the past.
• Especially bad against Android and Linux because client will install an all-zero encryption key instead of reinstalling the provided key.
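
Added example (not from the original slides): a simplified model of the client behaviour described on slides 14 and 15, next to the hardened behaviour of ignoring a message 3 that carries the key already in use. The Client class, the SHA-256 keystream (a stand-in for CCMP's AES counter mode) and the key and frame contents are assumptions made for illustration.

```python
import hashlib

def keystream(key, nonce, n):
    """Toy stand-in for a counter-mode keystream: depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < n:
        seed = key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical supplicant model; `patched` selects the hardened behaviour."""
    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.tx_pn = 0        # transmit packet number, used as the nonce
        self.used = set()     # (key, nonce) pairs already used, for auditing

    def on_message3(self, key):
        # Hardened: a retransmitted message 3 carrying the key already in
        # use is ignored, so the packet number keeps counting upward.
        if self.patched and key == self.key:
            return
        self.key, self.tx_pn = key, 0   # (re)install key, nonce restarts

    def send(self, plaintext):
        self.tx_pn += 1
        pair = (self.key, self.tx_pn)
        reused = pair in self.used
        self.used.add(pair)
        ct = xor(plaintext, keystream(self.key, self.tx_pn, len(plaintext)))
        return self.tx_pn, ct, reused

def run(patched):
    """Send a frame, receive a retransmitted message 3, send another frame."""
    key = b"constructed-session-key"      # constructed sample value
    c = Client(patched)
    c.on_message3(key)
    pn1, ct1, _ = c.send(b"first frame data")
    c.on_message3(key)                    # retransmission of message 3
    pn2, ct2, reused = c.send(b"other frame data")
    return pn1, pn2, reused, xor(ct1, ct2)
```

With patched=False both frames go out under nonce 1 and the XOR of the two ciphertexts equals the XOR of the two plaintexts; with patched=True the nonces are 1 and 2 and no pair repeats.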

Slide 16

Slide 16 text

KRACK part 2, 2018
• Most vendors properly updated their products, but in certain cases attacks were still possible.
• Also discovered techniques to bypass Wi-Fi's official defence against KRACK, allowing an adversary to replay broadcast and multicast frames.
• Good news is that the impact of replaying broadcast and multicast frames is low in practice. New paper and results are not as serious as the original key reinstallation attacks.
• Release the Kraken: New KRACKs in the 802.11 Standard – Mathy Vanhoef and Frank Piessens, CCS, October 2018.

Slide 17

Slide 17 text

Wi-Fi Protected Setup (WPS), 2006
• Help non-technical users set up WPA2.
• Make it easier to add new devices to an existing network.
• Methods:
  • PIN (mandatory)
    • PIN is read from sticker or display on new device.
    • PIN is entered on access point of existing network.
  • Push-button (mandatory)
    • User has to push a button on the access point of the existing network.
  • Near-field communication (NFC) (optional)
    • User has to bring the new device close to the access point to allow NFC.
  • USB (optional, deprecated)
    • USB drive is used to transfer data between new device and existing network access point.
• Obviously Push-button, NFC and USB methods are vulnerable with physical access.

Slide 18

Slide 18 text

WPS hacks
• Online - PIN Brute force attack, 2011
  • 8 digit number used to add new devices.
  • Last digit is checksum so 10^7 = 10,000,000 possible combinations.
  • Validity of PIN for first and second halves reported separately:
    • First half is 10^4 = 10,000 combinations.
    • Second half is 10^3 = 1000 combinations.
• Offline - Pixie Dust attack, 2014
  • Default implementation of several manufacturers, including Ralink, MediaTek, Realtek and Broadcom.
  • Lack of randomization when generating the E-S1 and E-S2 "secret" nonces. Knowing these two nonces, the PIN can be recovered within a couple of minutes.

Slide 19

Slide 19 text

Hotel Bastardos
• Marriott fined $600,000 after a complaint in 2003 that it wasn’t allowing guests at a convention to use their mobile hotspots.
• Using Wi-Fi Deauthentication Attack
  • 802.11 protocol includes deauthentication frame for telling a device it’s been disconnected.
  • Frame does not require encryption even when the network is using WEP/WPA/WPA2.
  • Attacker only needs to know device’s MAC address which can be sniffed.
• Others have been fined, and it does appear to still be happening.

Slide 20

Slide 20 text

Skateboarding dog story
Standard problem:
• Have a device (e.g. mobile phone) on a protected Wi-Fi network
• Want to add another device (e.g. IoT lightbulb) – need SSID and keyphrase.
TI CC3000 Smart Config by George Hawkins
• Someone who cannot decrypt the wifi traffic can still see:
  • Source and receiver MAC addresses of every packet sent.
  • Length of the data portion of the packets. Encryption affects the size of the packets sent but in a consistent manner.
  • Basic type of packet, e.g. QoS can be ignored.
• Solution is to run an app that encodes the data (keyphrase) in the size of UDP packets being transmitted.
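
Added example (not from the original slides and not TI's actual Smart Config encoding): a simplified sketch of carrying a keyphrase in UDP payload sizes and recovering it from frame metadata alone. The sync packet, the OFFSET value, the 52-byte overhead, the MAC addresses and the frame records are all constructed assumptions.

```python
SYNC_LEN = 1    # assumed payload size of the calibration (sync) packet
OFFSET = 16     # assumed: data byte b is sent as a payload of b + OFFSET bytes

def encode(secret):
    """Sender side: UDP payload sizes that carry `secret`."""
    return [SYNC_LEN] + [b + OFFSET for b in secret]

def on_air(payload_sizes, src, overhead):
    """What an observer sees: encryption adds a constant number of bytes."""
    return [{"src": src, "type": "data", "len": n + overhead}
            for n in payload_sizes]

def decode(frames, sender_mac):
    """Receiver side: recover the secret from MAC, frame type and length only."""
    lens = [f["len"] for f in frames
            if f["src"] == sender_mac and f["type"] == "data"]
    if not lens:
        return b""
    overhead = lens[0] - SYNC_LEN       # calibrate from the sync packet
    out = bytearray()
    for n in lens[1:]:
        value = n - overhead - OFFSET
        if 0 <= value <= 255:           # skip lengths that cannot be a data byte
            out.append(value)
    return bytes(out)

def demo():
    phone = "02:00:00:00:00:01"         # constructed sender MAC
    frames = on_air(encode(b"password"), phone, overhead=52)
    # Constructed unrelated traffic: another station, and a non-data frame.
    noise = [{"src": "02:00:00:00:00:02", "type": "data", "len": 120},
             {"src": phone, "type": "qos-null", "len": 30}]
    mixed = frames[:3] + noise + frames[3:]
    return decode(mixed, phone)
```

demo() returns the keyphrase without any decryption, which is exactly the property the joining device relies on.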

Slide 21

Slide 21 text

WPA3, June 2018
• Improved testing of certificate chains
• Simultaneous Authentication of Equals (SAE)
• Protected Management Frames (PMF)
Optional rather than mandatory:
• Improved encryption?
• Commercial National Security Algorithm (CNSA) Suite
• Wi-Fi Enhanced Open
• Wi-Fi Easy Connect
WPA3: A Missed Opportunity, Mathy Vanhoef, June 2018

Slide 22

Slide 22 text

WPA3: Improved testing of certificate chains
• In WPA2 authenticating a server based on a certificate often did not check the certificate chain all the way to the root.
• WPA3 requires this and adds a specific test for it.

Slide 23

Slide 23 text

WPA3: Simultaneous Authentication of Equals (SAE)
• Replaces WPA2 Personal - Pre-Shared Key (PSK).
• Variant of the Dragonfly Key Exchange, defined in RFC 7664.
• The SAE handshake negotiates a fresh Pairwise Master Key (PMK) using Diffie-Hellman (DH) key exchange which is then used in a traditional 4-way handshake to generate session keys.
• Resistant to dictionary attack.
• Provides perfect forward secrecy.
  • Can’t decrypt past (recorded) traffic when you get decryption key in present.

Slide 24

Slide 24 text

WPA3: Improved encryption?

| Standard | WEP | WPA | WPA2 | WPA3 |
|---|---|---|---|---|
| Release | 1997 | 2003 | 2004 | 2018 |
| Encryption | RC4 | TKIP with RC4 | AES-CCMP | AES-CCMP & AES-GCMP |
| Key Size(s) | 64 and 128-bit | 128-bit | 128-bit | 128 and 256-bit |
| Cipher Type | Stream | Stream | Block | Block |
| Authentication | Open System & Shared Key | Pre-Shared Key (PSK) & 802.1x with EAP variant | Pre-Shared Key (PSK) & 802.1x with EAP variant | Simultaneous Authentication of Equals (SAE) & 802.1x with EAP variant |

Support for the increased key length, for enterprise networks, will require an upgrade to the current devices' hardware encryption engines.

Slide 25

Slide 25 text

WPA3: Commercial National Security Algorithm (CNSA) Suite
• Based on NSA’s Suite B for Top Secret classification.
• Intended for WPA3 Enterprise.
• Optional on top of WPA3 Enterprise.
• Doesn’t work alongside WPA2 Enterprise.

Slide 26

Slide 26 text

WPA3: Commercial National Security Algorithm (CNSA) Suite (cont)

| Algorithm | Function | Specification | Parameters |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Block cipher used for information protection | FIPS Pub 197 | Use 256-bit keys |
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm used for key establishment | NIST SP 800-56A | Use Curve P-384 |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm used for digital signatures | FIPS Pub 186-4 | Use Curve P-384 |
| Secure Hash Algorithm (SHA) | Used for computing a condensed representation of information | FIPS Pub 180-4 | Use SHA-384 |
| Diffie-Hellman (DH) Key Exchange | Algorithm used for key establishment | IETF RFC 3526 | Min. 3073-bit modulus |
| RSA | Algorithm used for key establishment | NIST SP 800-56B rev 1 | Min. 3072-bit modulus |
| RSA | Asymmetric algorithm used for digital signatures | FIPS PUB 186-4 | Min. 3072-bit modulus |

Slide 27

Slide 27 text

WPA2/WPA3: Protected Management Frames (PMF)
• IEEE 802.11w-2009
• Mandatory in WPA2 enhanced and WPA3.
• Management frames are used for initiating and terminating Wi-Fi connections. Without PMF, management frames are transmitted unencrypted and their integrity is not verified. PMF ensures integrity of network management traffic. It provides protection against eavesdropping, replay and forging of management action frames. This protects against traffic-based DoS attacks that use forged deauthentication/disassociation frames to kick clients from a network and force them to authenticate again, a tactic which is used at the initial stage of some wireless attacks.

Slide 28

Slide 28 text

WPA3: Wi-Fi Enhanced Open - Opportunistic Wireless Encryption (OWE)
• RFC 8110
• Not mandatory for WPA3
• Replaces unencrypted open networks.
• Uses an unauthenticated Diffie-Hellman key exchange during association, resulting in a Pairwise Master Key (PMK) used to derive the session keys.
• Better than WPA3 Personal / PSK because the password isn’t public (e.g. in a café).
• Legacy support – transition mode creates a hidden SSID for OWE. OWE-capable devices will see information from legacy SSID telling them to connect to the hidden SSID.

Slide 29

Slide 29 text

WPA2/WPA3: Wi-Fi Easy Connect
• Device Provisioning Protocol (DPP)
• The configurator is typically a smart phone or tablet that is already part of the trusted network and can provision new devices.
• The enrollee will be authenticated and provisioned into the network through an initial bootstrapping process done through the following methods:
  • Scanning a QR code
  • Negotiation of a trusted public key using a passphrase/code (PKEX)
  • Near Field Communication (NFC)
  • Bluetooth
• DPP will allow for mutual authentication.

Slide 30

Slide 30 text

WPA2/WPA3: Wi-Fi Easy Connect (cont)

Slide 31

Slide 31 text

WPA3 Implementation
• Linux – Already added to hostap on master, not yet had an official release added in v2.7.
  • OpenWRT supports it: Trying to deploy WPA3 on my home network
• Microsoft – Added support in Windows 10 1903 (May 2019)
  • “A warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3.”
• Apple – Wi-Fi Alliance has nothing yet
• Android/Other – Wi-Fi Alliance has:
  • 127 34 phones, all Samsung, LG.
  • 1 Intel internal adapter.
  • 1 Marvell eval kit.
  • 234 141 routers from Dell, Aruba (HP), Marvell, Netgear, Qualcomm, Ruckus, Ruijie, Synology, Buffalo, FortiAP, Allied Telesis, Marvell, Huawei, Panasonic, Yamaha, Linksys, Kaon, D-Link, Broadcom, Intel, SoftBank and EnGenius.
  • 2 Qualcomm reference designs.
  • 4 media – Braun speakers and StreamVienna.
  • 9 tablets – all Samsung.

Slide 32

Slide 32 text

Live Demo
SSID: OpenWrt-WPA3
Passphrase: password
Can’t connect from:
• iPhone running iOS 13.1.2
• Laptop running Ubuntu 18.04 LTS

Slide 33

Slide 33 text

WPA3 Vulns?
• Schneier on Security - WPA3
• SAE password protection uses Dragonfly which caused some controversy
  • Question regarding Crypto Forum Research Group (CFRG) process
  • Response
• Opportunistic Wireless Encryption (OWE) is still susceptible to MITM
  • “Evil Twin”
  • Wi-Bear: Intelligent Autonomous Wi-Fi Honeypot Detection - Vivek Ramachandran, BSides Canberra 2019

Slide 34

Slide 34 text

Dragonblood, Mathy Vanhoef and Eyal Ronen
• April 2019 – Vulnerabilities in DragonFly handshake:
  • CERT ID #VU871675: Downgrade attack against WPA3-Transition mode leading to dictionary attacks.
  • CERT ID #VU871675: Security group downgrade attack against WPA3's Dragonfly handshake.
  • CVE-2019-9494: Timing-based side-channel attack against WPA3's Dragonfly handshake.
  • CVE-2019-9494: Cache-based side-channel attack against WPA3's Dragonfly handshake.
  • CERT ID #VU871675: Resource consumption attack (i.e. denial of service) against WPA3's Dragonfly handshake.

Slide 35

Slide 35 text

Dragonblood (cont)
• August 2019 – Vulnerabilities in fixes:
  • CVE-2019-13377: Timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves.
  • CVE-2019-13456: Information leak in FreeRADIUS' EAP-pwd due to aborting when needing more than 10 iterations.

Slide 36

Slide 36 text

Final takes
• Wi-Fi 6 includes WPA3 but for best security you need:
  • Wi-Fi Enhanced Open
  • Wi-Fi Easy Connect
  • Use best encryption
• Standards need to do a better job at checking security before the first release.
  • If a researcher finds a vulnerability in a pre-release beta build that is reported to Apple ahead of its public release, they stand to earn a bonus of up to 50% on top.
  • Better to find security issues before new standards become widely adopted.
• Cisco: By 2022, 51 percent of total IP traffic will be Wi-Fi.

Slide 37

Slide 37 text

Pie-Fi