WiFi Security

From Embedded Lab Vienna for IoT & Security
Revision as of 18:26, 8 January 2023 by LPutz (talk | contribs)
Jump to navigation Jump to search

Summary

This documentation explains the basics of WiFi Security, specifically the protocols WPA2 and WPA3 and their respective handshakes. It also explains the possibility of frame aggregation and fragmentation, as well as some attacks on these concepts.

Basics

WPA2

4 Way Handshake

WPA2 (WiFi Protected Access 2) is specified in the IEEE 802.11i standard. It is the successor of WPA, which was based on an unfinished version of the IEEE 802.11i standard. This was done because the previously used WEP (Wired Equivalent Privacy) protocol was found to be insecure. WPA2 (and also WPA) uses the 4-Way-Handshake when a client connects to a network to create multiple keys, which are used to encrypt the communication between client (supplicant) and access point (authenticator). The handshake is based on a "Pairwise Master Key" (PMK), which is based on the Pre-Shared Key (PSK), the password you enter on a client to connect to a WiFi network. The 4-Way-Handshake consists of the following steps:

  1. The access point generates a random number (ANonce - Authenticator Nonce), and sends it to the client.
  2. The client also generates a random number (SNonce - Supplicant Nonce), and sends it to the access point, using the same value for the replay counter as the first message.
  3. The AP sends the group temporal key (GTK) to the client.
  4. The client confirms that the GTK was received.

After the 2. message, both, AP and client, have the needed information to calculate the Pairwise Transient Key (PTK), which is used to encrypt unicast messages between them. This PTK is based on the PMK, ANonce, SNonce and MAC adresses of both devices, and is therefore unique for each AP/client-combination. The GTK is used to encrypt multicast messages and therefore the same for every client in the network. This GTK is renewed regularly by sending the messages 3 and 4 again.

After sending message 4, the client installs the PTK and GTK, meaning they are being used now. The AP also installs the PTK (the GTK was already installed).

For the encryption WPA2 allows TKIP, CCMP (counter mode with CBC-MAC protocol) and GCMP (galois counter mode protocol). The support of CCMP is mandatory in the WPA2 standard. CCMP is based on AES and is secure, if no IV (initialization vector) is repeated. The IV contains the MAC-address of the sender, a Nonce, which is increased with every message, and some other information transmitted in the WiFi frame. GCMP, also based on AES, is also considered secure, if no IV is used again. Here the IV only contains the sender-MAC-address and the nonce. In both protocols, the nonce is also used as a replay counter and initialized with 0, when the PTK gets installed.

WPA3

Dragonfly Handshake (Source: https://wpa3.mathyvanhoef.com/)

The publication of the KRACK attacks lead to the release of WPA3. This uses the Dragonfly Handshake to provide forward secrecy and prevent dictionary attacks. It is possible to use WPA2 and WPA3 simultaneously in a network, however WPA3 clients are required to use WPA3 when it's available. If the messages, that the network supports WPA3 are manipulated and the client wants to use WPA2 instead, this is recognized during the 4-Way-Handshake, therefore preventing downgrade attacks. The Dragonfly variant used in WPA3 is also called Simultaneous Authentication of Equals (SAE). It uses elliptic curve cryptography to generate a key based on a password. This key is then used for the 4-Way-Handshake. Due to it's much higher entropy (compared to a password), it prevents dictionary attacks. Before the handshake starts, the password is converted to a group element P, by generating hashes of the password, IDs of Client and AP, and an increasing value. This is repeated until the result is a group element (in elliptic curve cryptography a point on the curve), but at least 40 times.

The dragonfly handshake consists of two phases: Commit Phase and Confirm Phase. In the Commit Phase both (Client and AP) pick two random numbers r and m in the range [2, q[ with q being the order of the used group, and calculate s = (r+m) mod q and E = -m * P (P is the previously calculated group element). The next step is to send s and E to the communcation partner (Client->AP and AP->client) and to confirm that the received values are in a valid range, aborting the handshake otherwise. In the Confirm Phase a secret point K on the curve is calculated: K = r1 * (s2 * P + E2). r1 is the own chosen value r, while s2 and E2 are the received values s and E. The hash of this point K leads to the key k. Finally, an HMAC consisting of k, s1, E1, s2 and E2 is calculated and sent between the devices. If the value is correct, k is successfully chosen as key, which is then used for the 4-Way-Handshake.

Frame Aggregation and Fragmentation

WiFi Frame Structure (Source: https://www.fragattacks.com/)

In WiFi the data is transmitted in so called Frames. To increase the efficiency of the transmission, it is possible to send multiple packets in one frame (aggreation), or to separate a (too) large packet into multiple frames (fragmentation). To to this, a frame contains a Frame Control Field, which specifies the type of the frame with multiple flags. The frame also contains MAC-adresses to specify the receiver and sender of the frame, as well as the source or destination. Furthermore, fields to specify the fragment- and sequence-number, and the QoS (Quality of Service) field are included. At the end, the actual transmitted data, called payload, is located. If the payload is small, multiple packets are aggregated into a large frame called A-MSDU (Aggregate MAC Service Data Units). This is marked by a flag in the QoS field, however this flag is not authenticated and can be changed by an attacker. The multiple payloads are called subframes, containing source- and destination-MAC-Address, packet-length and the actual data. The second possibility (fragmentation) is used, when the payload is too large for a single frame, but also in noisy environments. In the latter case this leads to an increased performance, because in the case of transmission errors, only a part of the data has to be transmitted again. It is possible to use up to 16 fragments, which have an incremental fragment-number and the same sequence-number.

Attacks

KRACK

Key Reinstallation Attacks are based on repeated installation of keys (see explanation of the 4-Way-Handshake), which leads to the Nonce resetting to 0, and therefore reusing an IV.

When the messages 2 and 4 of the 4-Way-Handhake are not received, the messages 1 and 3 are sent again. The IEEE 802.11i standard also states, that client should immediately install the keys after receiving message 3. In KRACK, the message 4 is intercepted, so the AP doesn't receive it. The client doesn't know about this and starts sending encrypted messages. When the access point sends the message 3 again, the client reinstalls the keys, resets the Nonce, and starts sending encrypted messages again. Since the IVs are reused now, the encryption is no longer considered secure.

FragAttacks

Example for a Mixed Key Attack

Fragmentation and Aggregation Attacks affect the above mentioned possibilites of fragmenting and aggregating frames.

To attack the aggregation, the frame has to be intercepted and the A-MSDU flag modified, to make normal frames look like aggregated frames. The payload has to contain specific values, so the subframe contains the desired values. This is done by making the client perform a POST-request with specific data (e.g. on a malicious website of the attacker). If chosen correctly, the data will be interpreted as correct subframe, leading to it being forwarded like an authentic frame. With this attack it's possible to e.g. perform portscans, or to get clients to use specific (malicious) DNS servers.

The other type of FragAttacks targets the fragmentation. One variant of this is the Mixed Key Attack, which exploits flaws in the 802.11 standard, since it's not required, that multiple fragments of a frame are encrypted using the same key. This attack requires, that the keys are renewed regularly, be performing a full 4-Way-Handshake. The victim has to access data on the server of an attacker (e.g. through social engineering), which is hosted on a long URL. This leads to the frame being fragmented. The attacker intercepts these fragments and only forwards the first (with packet number n) to the access point, which encrypts it, recognizes it needs to wait for the other fragments, and stores it. At a later time, the keys are renewed and the package number is reset. When the client then sends a fragment with the packet number n+1, the attacker forwards this fragment to the AP, which then combines the previous stored fragment with the new fragment, and forwards it. This could lead to sending login data (meant for a normal website) to the server of the attacker. See the picture on the right for a simplified example.

Dragonblood

Dragonblood is a set of attacks targeting the Dragonfly Handshake of WPA3. All of them require that the attacker is in close range of the Client or the Access Point. Depending on which of these devices is attacked, the attacker has to pretend to be the other.

As mentioned above, downgrade attacks to force WPA2 instead of WPA3 are recognized during the 4-Way-Handshake. However, at this point the client has already sent enough encrypted data, to allow an attacker to perform a dictionary attack based on this data. This leads to one of the advantages of WPA3 being bypassed. To do this, a fake WPA2-network with the same SSID as the original network has to be created. Depending on the specific implementation, clients even try to connect to the fake network, although the original network doesn't support WPA2.

Another type of a Dragonblood attack targets the possibility, that Client and AP negotiate which elliptic curve is used for the handshake. The client sends the access point their desired curve. If the AP doesn't support this curve, it responds with a message stating so, leading to the client select another curve from it's list. This is repeated until a curve supported by both devices is found. The message that the AP doesn't support a curve is not verified, therefore it can be forged to force them to use a weaker curve (downgrade attack). This can also be used to perform an upgrade attack, leading to a denial of service on devices with low computational power.

Tools

A description of how aircrack-ng (a popular program suite for WiFi network security) can be used to crack the Pre Shared Key after capturing the 4-Way-Handshake can be found in the article: WiFi Sniffing

References