SlideShare una empresa de Scribd logo

Predicting and Abusing WPA2/802.11 Group Keys

V
vanhoefm

We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network. First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.

Ciencias
1 de 51
Descargar para leer sin conexión
Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm
Observation General Wi-Fi crypto is widely studied 2 Recover pre-shared key(s) protecting all WEP traffic Tornado Attack: Recover WPA-TKIP session keys (theoretic) Rogue AP against enterprise networks to steal credentials Predictable pre-shared key & dictionary attack against handshake  Mainly targets pre-shared and session keys
What about group keys? Group keys protect broadcast and multicast frames:  All clients posses a copy of the group key Security of group keys not yet properly studied!  In contrast with pre-shared & session (=pairwise) keys … 3 We analyze security of group key during its full lifetime!
Background: group key lifetime 4
Background: group key lifetime 5 Group Key Three important stages: 1. Generation (flawed RNG)
Background: group key lifetime 6 Group Key Session Key 1 Encrypted group key sent to client Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) Group Key Session Key
Background: group key lifetime 7 Group Key Session Key 1 Group Key Session Key Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) 3. Usage (abuse to decrypt all traffic) Addressing some of these issues:  New RNG for Wi-Fi platforms?
Background: sending group frames 8 Group Key Session Key Group Key Session Key Group Key Session Key A Session Key B Client A Client B
Background: sending group frames 9 1. Client uses pairwise key to send group frame to AP Session Key Session Key A Client A Client B Recv: AP Dest: FF:⋯:FF Src: Client A
Background: sending group frames 10 1. Client uses pairwise key to send group frame to AP 2. AP broadcasts group frame using group key  Only AP sends real group frames Group Key Group Key Group Key Client B Client A Recv: FF:⋯:FF Dest: FF:⋯:FF Src: Client A
Agenda: security of group keys 11 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
Agenda: security of group keys 12 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
How are group keys generated? Based on a key hierarchy:  AP randomly generates public counter and secret master key  Derives group temporal key (GTK) from these values every hour Entropy only introduced at boot  Bad design: if master key is leaked, all group keys become known! 13 Public counter Private master key +1 SHA-1 Group Temporal Key (GTK) Sampled only at boot!
How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness 14 “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”
How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 15 “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..] ; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”
How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 16 Inconsistent description of RNG’s security guarantees!  How secure is the 802.11 RNG?  How many platforms implement this RNG?
802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution 17
802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand 18 Deviates from traditional RNG design:  No entropy pools being maintained  Entropy is only collected when the RNG is being invoked
802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand  Based on frame arrival timestamps and clock jitter 19
802.11 RNG: entropy sources Frame arrival times:  Collected by starting & aborting handshakes  Problem: AP will be blacklisted by clients Clock jitter and drift:  No minimum time resolution  small clock jitter  Hence contains only low amount of randomness 20 ¯_(ツ)_/¯
Surely no one implemented this…? 21 Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks Weakened 802.11 RNG
Surely no one implemented this…? 22 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks
MediaTek RNG: overview Uses custom Linux drivers:  Implements 802.11’s group key hierarchy  But GNONCE “counter” is randomly refreshed on GTK rekey  Based on the 802.11 RNG using only clock jitter  Uses jiffies for current time: equals uptime of the AP  Predict both GMK and GNONCE to determine group key! 23 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1 RNG At boot
MediaTek RNG: key search  Jiffies have at best millisecond accuracy  GMK: generated at boot  limited set of possible values  GNONCE: depends on uptime of router (and clock skew)  Uptime is leaked in beacons  Capture encrypted broadcast packet and search for key  24 OpenCL ~3 mins GMK & GTKRT-AC51U
MediaTek: predicting the GTK DEMO 25
Surely no one implemented this…? 26 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
Broadcom: Linux When running on a Linux kernel:  Implements 802.11’s group key hierarchy  Randomness from /dev/urandom “Mining your Ps and Qs” by Heninger et al.:  /dev/urandom might be predictable at boot  All group keys might be predictable on old kernels 27
Broadcom: VxWorks and eCos 28 Open SourceProprietary
Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds) 29 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG
Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) 30 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG At boot
Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) OpenCL ~4 mins GMK & GTKWRT54Gv5 31
Surely no one implemented this…? 32 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
Open Firmware Open Firmware:  An open source BIOS  Supports client Wi-Fi functionality in BIOS (!)  Randomness from boot time & linear congruential generator Hostapd:  Based on 802.11 group key hierarchy  Also injects new entropy on group rekeys!  Reads from /dev/random on boot & when clients join  If not enough entropy available, connections are rejected 33
Agenda: security of group keys 34 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
Injecting unicast packets?  Put unicast IP packet in a broadcast frame? 35 Hole 196 check done at network-layer … … but an AP works at link-layer! Flags Receiver to client FF:⋯:FF Source IP Destination IP Data 802.11 specific  Detected by “Hole 196” check
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 36 AP Victim Attacker Sender Destination Data
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 37 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Encrypted using group key
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 38 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Decrypted using group key
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 39 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Encrypted using session (pairwise) key
Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 4. Victim sees normal unicast frame 40 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Decrypted using session (pairwise) key
Decrypting all traffic ARP poison to broadcast MAC address  Poison both router and clients  Can decrypt network-layer protocols: IPv4, IPv6, … Countermeasure:  Don’t forward broadcast frames to a unicast destination  Even better: AP should simply ignore frames received on broadcast or multicast MAC address. 41
Agenda: security of group keys 42 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
The 4-way handshake 43
The 4-way handshake 44 Group key encrypted and transmitted … … before downgrade attack detection!
The 4-way handshake 45 Group key encrypted and transmitted … … before downgrade attack detection! Session cipher GTK encryption WPA-TKIP RC4 AES-CCMP AES key wrap
Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped 46
Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped Recover repeated encryptions of GTK:  Similar in spirit to RC4 NOMORE attack  Requires ~231 handshakes: takes >50 years Countermeasures:  Disable WPA-TKIP & RC4  Send GTK after handshake 47
Agenda: security of group keys 48 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
An improved 802.11 RNG Entropy present on al Wi-Fi chips?  Wi-Fi signals & background noise Spectral scan feature in commodity chips:  Can generate 3 million samples / second  First XOR samples in firmware  Extract & manage resulting entropy using known approaches Additional research needed: performance under jamming? 49
Conclusion Lessons learned: 1. Always check quality of RNG 2. Let AP ignore group-addressed frames 3. Don’t put “expository” security algo’s in a specification 4. Don’t transmit sensitive data before downgrade detection 50
Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - @vanhoefm Questions?

Recomendados

ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Hardening Three - IDS/IPS Technologies
Hardening Three - IDS/IPS TechnologiesHardening Three - IDS/IPS Technologies
Hardening Three - IDS/IPS TechnologiesSalvatore Lentini
 
IDS & Passive Network Defense
IDS & Passive Network DefenseIDS & Passive Network Defense
IDS & Passive Network DefenseSalvatore Lentini
 
Aircrack
AircrackAircrack
AircrackNithin Sathees
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanningamiable_indian
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 

Recomendados

ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Hardening Three - IDS/IPS Technologies
Hardening Three - IDS/IPS TechnologiesHardening Three - IDS/IPS Technologies
Hardening Three - IDS/IPS TechnologiesSalvatore Lentini
 
IDS & Passive Network Defense
IDS & Passive Network DefenseIDS & Passive Network Defense
IDS & Passive Network DefenseSalvatore Lentini
 
Aircrack
AircrackAircrack
AircrackNithin Sathees
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanningamiable_indian
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 
Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast TrackNovizul Evendi
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemnewbie2019
 
Port Scanning
Port ScanningPort Scanning
Port Scanningamiable_indian
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEric Vanderburg
 
Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New NightmareOguzhan Topgul
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Best!
Best!Best!
Best!gofortution
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
Port scanning
Port scanningPort scanning
Port scanningHemanth Pasumarthi
 
Side Channel Attacks on AES
Side Channel Attacks on AESSide Channel Attacks on AES
Side Channel Attacks on AESRavi Prakash Giri
 
NMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit GautamNMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit Gautamn|u - The Open Security Community
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)SSASIT
 
Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitationbarcamp.my
 
Unl intro presentation fin
Unl intro presentation finUnl intro presentation fin
Unl intro presentation fineucariot
 

Más contenido relacionado

La actualidad más candente

Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast TrackNovizul Evendi
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemnewbie2019
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEric Vanderburg
 
Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New NightmareOguzhan Topgul
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)SSASIT
 
Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 

La actualidad más candente (20)

Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast Track
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection system
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
 
Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New Nightmare
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Best!
Best!Best!
Best!
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
 
Port scanning
Port scanningPort scanning
Port scanning
 
Side Channel Attacks on AES
Side Channel Attacks on AESSide Channel Attacks on AES
Side Channel Attacks on AES
 
NMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit GautamNMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit Gautam
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 

Destacado

Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitationbarcamp.my
 
Unl intro presentation fin
Unl intro presentation finUnl intro presentation fin
Unl intro presentation fineucariot
 
Free Download Powerpoint Slides
Free Download Powerpoint SlidesFree Download Powerpoint Slides
Free Download Powerpoint SlidesGeorge
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentationelliehood
 
State of the Word 2011
State of the Word 2011State of the Word 2011
State of the Word 2011photomatt
 

Destacado (6)

Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
 
Unl intro presentation fin
Unl intro presentation finUnl intro presentation fin
Unl intro presentation fin
 
Free Download Powerpoint Slides
Free Download Powerpoint SlidesFree Download Powerpoint Slides
Free Download Powerpoint Slides
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentation
 
State of the Word 2011
State of the Word 2011State of the Word 2011
State of the Word 2011
 
Slideshare ppt
Slideshare pptSlideshare ppt
Slideshare ppt
 

Similar a Predicting and Abusing WPA2/802.11 Group Keys

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfYuChianWu
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linuxmariuszantal
 
Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
ChapterTwoCryptoTheStreamCipherFHSU.pptx
ChapterTwoCryptoTheStreamCipherFHSU.pptxChapterTwoCryptoTheStreamCipherFHSU.pptx
ChapterTwoCryptoTheStreamCipherFHSU.pptxssuser0a47f0
 
Information and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipherInformation and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipherMazin Alwaaly
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Rimba Ari
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavthc2cat
 

Similar a Predicting and Abusing WPA2/802.11 Group Keys (20)

Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
 
amrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdf
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Martin Novotny and Timo Kasper
Martin Novotny and Timo KasperMartin Novotny and Timo Kasper
Martin Novotny and Timo Kasper
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
ChapterTwoCryptoTheStreamCipherFHSU.pptx
ChapterTwoCryptoTheStreamCipherFHSU.pptxChapterTwoCryptoTheStreamCipherFHSU.pptx
ChapterTwoCryptoTheStreamCipherFHSU.pptx
 
Information and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipherInformation and data security pseudorandom number generation and stream cipher
Information and data security pseudorandom number generation and stream cipher
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Day2
Day2Day2
Day2
 
Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamav
 

Más de vanhoefm

Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...vanhoefm
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
 
Stateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven ProgramsStateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven Programsvanhoefm
 
HacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-upHacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-upvanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
TEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hackedTEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hackedvanhoefm
 

Más de vanhoefm (9)

Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
 
Advanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity HardwareAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware
 
Stateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven ProgramsStateful Declassification Policies for Event-Driven Programs
Stateful Declassification Policies for Event-Driven Programs
 
HacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-upHacknamStyle Plaid CTF write-up
HacknamStyle Plaid CTF write-up
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
TEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hackedTEDxUHasselt Salon: How you can be hacked
TEDxUHasselt Salon: How you can be hacked
 

Último

Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfSumit Kumar yadav
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTSérgio Sacani
 
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPirithiRaju
 
Zoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdfZoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdfSumit Kumar yadav
 
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxCOST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxFarihaAbdulRasheed
 
Seismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptxSeismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptxAlMamun560346
 
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...Monika Rani
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfrohankumarsinghrore1
 
High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...
High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...
High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...chandars293
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Sérgio Sacani
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bSérgio Sacani
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)Areesha Ahmad
 
Bacterial Identification and Classifications
Bacterial Identification and ClassificationsBacterial Identification and Classifications
Bacterial Identification and ClassificationsAreesha Ahmad
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPirithiRaju
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfSumit Kumar yadav
 
Green chemistry and Sustainable development.pptx
Green chemistry and Sustainable development.pptxGreen chemistry and Sustainable development.pptx
Green chemistry and Sustainable development.pptxRajatChauhan518211
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxgindu3009
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...Sérgio Sacani
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 

Último (20)

Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
 
Zoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdfZoology 4th semester series (krishna).pdf
Zoology 4th semester series (krishna).pdf
 
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxCOST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
 
Seismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptxSeismic Method Estimate velocity from seismic data.pptx
Seismic Method Estimate velocity from seismic data.pptx
 
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdf
 
High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...
High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...
High Class Escorts in Hyderabad ₹7.5k Pick Up & Drop With Cash Payment 969456...
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
 
GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)GBSN - Biochemistry (Unit 1)
GBSN - Biochemistry (Unit 1)
 
Bacterial Identification and Classifications
Bacterial Identification and ClassificationsBacterial Identification and Classifications
Bacterial Identification and Classifications
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdf
 
Green chemistry and Sustainable development.pptx
Green chemistry and Sustainable development.pptxGreen chemistry and Sustainable development.pptx
Green chemistry and Sustainable development.pptx
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 

Predicting and Abusing WPA2/802.11 Group Keys

  • 1. Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm
  • 2. Observation General Wi-Fi crypto is widely studied 2 Recover pre-shared key(s) protecting all WEP traffic Tornado Attack: Recover WPA-TKIP session keys (theoretic) Rogue AP against enterprise networks to steal credentials Predictable pre-shared key & dictionary attack against handshake  Mainly targets pre-shared and session keys
  • 3. What about group keys? Group keys protect broadcast and multicast frames:  All clients posses a copy of the group key Security of group keys not yet properly studied!  In contrast with pre-shared & session (=pairwise) keys … 3 We analyze security of group key during its full lifetime!
  • 5. Background: group key lifetime 5 Group Key Three important stages: 1. Generation (flawed RNG)
  • 6. Background: group key lifetime 6 Group Key Session Key 1 Encrypted group key sent to client Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) Group Key Session Key
  • 7. Background: group key lifetime 7 Group Key Session Key 1 Group Key Session Key Three important stages: 1. Generation (flawed RNG) 2. Session key agreement and group key transport (force usage of RC4) 3. Usage (abuse to decrypt all traffic) Addressing some of these issues:  New RNG for Wi-Fi platforms?
  • 8. Background: sending group frames 8 Group Key Session Key Group Key Session Key Group Key Session Key A Session Key B Client A Client B
  • 9. Background: sending group frames 9 1. Client uses pairwise key to send group frame to AP Session Key Session Key A Client A Client B Recv: AP Dest: FF:⋯:FF Src: Client A
  • 10. Background: sending group frames 10 1. Client uses pairwise key to send group frame to AP 2. AP broadcasts group frame using group key  Only AP sends real group frames Group Key Group Key Group Key Client B Client A Recv: FF:⋯:FF Dest: FF:⋯:FF Src: Client A
  • 11. Agenda: security of group keys 11 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 12. Agenda: security of group keys 12 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 13. How are group keys generated? Based on a key hierarchy:  AP randomly generates public counter and secret master key  Derives group temporal key (GTK) from these values every hour Entropy only introduced at boot  Bad design: if master key is leaked, all group keys become known! 13 Public counter Private master key +1 SHA-1 Group Temporal Key (GTK) Sampled only at boot!
  • 14. How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness 14 “Each STA can generate cryptographic-quality random numbers. This assumption is fundamental, as cryptographic methods require a source of randomness. See M.5 for suggested hardware and software methods to achieve randomness suitable for this purpose.”
  • 15. How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 15 “This clause suggests two sample techniques that can be combined with the other recommendations of IETF RFC 4086 to harvest randomness. [..] These solutions are expository only, to demonstrate that it is feasible to harvest randomness on any IEEE 802.11 platform. [..] they do not preclude the use of other sources of randomness when available [..] ; in this case, the more the merrier. As many sources of randomness as possible should be gathered into a buffer, and then hashed, to obtain a seed for the PRNG.”
  • 16. How are random numbers generated? 802.11 standard has example Random Number Generator  §11.1.6a: the RNG outputs cryptographic-quality randomness  Annex M.5: proposed RNG is expository only 16 Inconsistent description of RNG’s security guarantees!  How secure is the 802.11 RNG?  How many platforms implement this RNG?
  • 17. 802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution 17
  • 18. 802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand 18 Deviates from traditional RNG design:  No entropy pools being maintained  Entropy is only collected when the RNG is being invoked
  • 19. 802.11 RNG: main design The 802.11 RNG is a stateless function returning 32 bytes  Vague description, even if only expository solution  Collects entropy on demand  Based on frame arrival timestamps and clock jitter 19
  • 20. 802.11 RNG: entropy sources Frame arrival times:  Collected by starting & aborting handshakes  Problem: AP will be blacklisted by clients Clock jitter and drift:  No minimum time resolution  small clock jitter  Hence contains only low amount of randomness 20 ¯_(ツ)_/¯
  • 21. Surely no one implemented this…? 21 Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks Weakened 802.11 RNG
  • 22. Surely no one implemented this…? 22 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Hostapd: /dev/random Estimated ~22% of Wi-Fi networks
  • 23. MediaTek RNG: overview Uses custom Linux drivers:  Implements 802.11’s group key hierarchy  But GNONCE “counter” is randomly refreshed on GTK rekey  Based on the 802.11 RNG using only clock jitter  Uses jiffies for current time: equals uptime of the AP  Predict both GMK and GNONCE to determine group key! 23 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1 RNG At boot
  • 24. MediaTek RNG: key search  Jiffies have at best millisecond accuracy  GMK: generated at boot  limited set of possible values  GNONCE: depends on uptime of router (and clock skew)  Uptime is leaked in beacons  Capture encrypted broadcast packet and search for key  24 OpenCL ~3 mins GMK & GTKRT-AC51U
  • 26. Surely no one implemented this…? 26 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
  • 27. Broadcom: Linux When running on a Linux kernel:  Implements 802.11’s group key hierarchy  Randomness from /dev/urandom “Mining your Ps and Qs” by Heninger et al.:  /dev/urandom might be predictable at boot  All group keys might be predictable on old kernels 27
  • 28. Broadcom: VxWorks and eCos 28 Open SourceProprietary
  • 29. Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds) 29 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG
  • 30. Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) 30 Counter (GNONCE) Group master key (GMK) Group Temporal Key (GTK) SHA-1RNG At boot
  • 31. Broadcom: VxWorks and eCos  Implements 802.11’s group key hierarchy  Random numbers: MD5(time in microseconds)  GNONCE counter is leaked during handshake  Attacker only has to predict master group key (GMK) OpenCL ~4 mins GMK & GTKWRT54Gv5 31
  • 32. Surely no one implemented this…? 32 Weakened 802.11 RNG Depends on OS Custom RNG Open Firmware Estimated ~22% of Wi-Fi networks Hostapd: /dev/random
  • 33. Open Firmware Open Firmware:  An open source BIOS  Supports client Wi-Fi functionality in BIOS (!)  Randomness from boot time & linear congruential generator Hostapd:  Based on 802.11 group key hierarchy  Also injects new entropy on group rekeys!  Reads from /dev/random on boot & when clients join  If not enough entropy available, connections are rejected 33
  • 34. Agenda: security of group keys 34 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 35. Injecting unicast packets?  Put unicast IP packet in a broadcast frame? 35 Hole 196 check done at network-layer … … but an AP works at link-layer! Flags Receiver to client FF:⋯:FF Source IP Destination IP Data 802.11 specific  Detected by “Hole 196” check
  • 36. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 36 AP Victim Attacker Sender Destination Data
  • 37. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 37 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Encrypted using group key
  • 38. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 38 AP Victim Attacker Flags Receiver Final dest. To AP FF:⋯:FF Victim Sender Destination Data 802.11 specific Decrypted using group key
  • 39. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 39 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Encrypted using session (pairwise) key
  • 40. Forging unicast frames using group key Abuse AP to bypass Hole 196 check: 1. Inject as group frame to AP 2. AP processes and routes frame 3. AP transmits it to destination 4. Victim sees normal unicast frame 40 Victim Attacker AP Flags Receiver Final dest. To STA Victim Victim Sender Destination Data 802.11 specific Decrypted using session (pairwise) key
  • 41. Decrypting all traffic ARP poison to broadcast MAC address  Poison both router and clients  Can decrypt network-layer protocols: IPv4, IPv6, … Countermeasure:  Don’t forward broadcast frames to a unicast destination  Even better: AP should simply ignore frames received on broadcast or multicast MAC address. 41
  • 42. Agenda: security of group keys 42 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 44. The 4-way handshake 44 Group key encrypted and transmitted … … before downgrade attack detection!
  • 45. The 4-way handshake 45 Group key encrypted and transmitted … … before downgrade attack detection! Session cipher GTK encryption WPA-TKIP RC4 AES-CCMP AES key wrap
  • 46. Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped 46
  • 47. Attacking RC4 encryption of GTK  RC4 Key: 16-byte IV ||16-byte secret key  First 256 keystream bytes are dropped Recover repeated encryptions of GTK:  Similar in spirit to RC4 NOMORE attack  Requires ~231 handshakes: takes >50 years Countermeasures:  Disable WPA-TKIP & RC4  Send GTK after handshake 47
  • 48. Agenda: security of group keys 48 Flawed generation New Wi-Fi tailored RNGForce RC4 in handshake Inject & decrypt all traffic
  • 49. An improved 802.11 RNG Entropy present on al Wi-Fi chips?  Wi-Fi signals & background noise Spectral scan feature in commodity chips:  Can generate 3 million samples / second  First XOR samples in firmware  Extract & manage resulting entropy using known approaches Additional research needed: performance under jamming? 49
  • 50. Conclusion Lessons learned: 1. Always check quality of RNG 2. Let AP ignore group-addressed frames 3. Don’t put “expository” security algo’s in a specification 4. Don’t transmit sensitive data before downgrade detection 50
  • 51. Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - @vanhoefm Questions?