Cracking Wireless Networks
Hoang Thao Phi
Thesis submitted for the degree of Master of Engineering: Electrical Engineering
Promotors: Prof. dr. ir. Bart Preneel
           Prof. dr. ir. Vincent Rijmen
Assessors: Prof. dr. ir. Patrick Wambacq
           Dr. ir. Dave Singelee
Counsellors: Dr. ir. Sebastiaan Indesteege
             Ir. Roel Peeters
Academic year 2010 – 2011
© Copyright K.U.Leuven
Without written permission of the promotors and the authors it is forbidden to reproduce or adapt in any form or by any means any part of this publication. Requests for obtaining the right to reproduce or utilize parts of this publication should be addressed to Departement Elektrotechniek, Kasteelpark Arenberg 10 postbus 2440, B-3001 Heverlee, +32-16-321130 or by email [email protected].
A written permission of the promotor is also required to use the methods, products, schematics and programs described in this work for industrial or commercial use, and for submitting this publication in scientific contests.
K.U.Leuven Faculty of Engineering 2010 – 2011
Master thesis filing card
Student: Hoang Thao Phi
Title: Cracking Wireless Networks
Dutch title: Draadloze netwerken kraken
UDC: 621.3
Abstract: This thesis presents an approach to analyzing the security of Wi-Fi Protected Access by verifying the randomness of the initialization values (IVs) of nonces, the numbers exchanged in the 4-way handshake messages to derive session keys. It was undertaken by means of a self-developed C program and an automatic access point reboot solution, in order to capture many nonce IV values. Afterwards, it was shown that there were repetitions among the collected data. The thesis concludes that nonce IV randomness was not carefully implemented by some product vendors, resulting in security risks for session keys and 4-way handshake messages. As proof of concept, two popular access points, the D-LINK DIR615 and the Linksys WAG160N, were used for the experiments.
Thesis submitted for the degree of Master of Engineering: Electrical Engineering
Promotors: Prof. dr. ir. Bart Preneel, Prof. dr. ir. Vincent Rijmen
Assessors: Prof. dr. ir. Patrick Wambacq, Dr. ir. Dave Singelee
Counsellors: Dr. ir. Sebastiaan Indesteege, Ir. Roel Peeters
Foreword
This writing is the final result of the thesis undertaken during the 2nd year of the Master program in Electrical Engineering (ICT) at Katholieke Universiteit Leuven (KUL), Belgium.
Doing research in wireless network security, a cutting-edge technology, has been demanding on the one hand, but also motivating and full of inspiration on the other hand. I strongly believe that after finishing this thesis project, I have gained much knowledge in different topics.
I would like to wholeheartedly thank my supervisors Sebastiaan Indesteege and Roel Peeters for their full support, detailed explanations, as well as their patience. I would also like to thank Professors Bart Preneel and Vincent Rijmen, and the department of Electrical Engineering (ESAT), for giving me the opportunity to write this thesis.
The final words I would like to devote to my Mother, for all her love and sacrifice.
Phi Hoang Thao
Table of Contents
Foreword
Table of Contents
Abstract
List of figures and tables
List of abbreviations and symbols
Chapter 1: Introduction
1.1 Motivation
1.2 Objectives and Structure
1.3 Limitation
Chapter 2: Wireless network security
2.1 Security principles
2.1.1 Adversaries and their techniques
2.1.2 Entity authentication
2.1.3 Confidentiality
2.1.4 Message integrity
2.1.5 Key establishment
2.2 IEEE 802.11 wireless networks
2.2.1 IEEE 802.11 standards
2.2.2 IEEE 802.11 network structure
2.2.3 IEEE 802.11 layers model
2.2.4 IEEE 802.11 security problem
2.3 Wired Equivalent Privacy (WEP)
2.3.1 WEP basics
2.3.2 WEP weaknesses
2.3.3 WEP chop-chop attack scheme
2.4 Wi-Fi Protected Access
2.4.1 Wi-Fi Protected Access basic concepts
2.4.2 Temporal Key Integrity Protocol
2.4.3 Counter mode with Cipher block chaining Message authentication code Protocol
2.4.4 WPA Entity authentication
2.4.5 4-way handshake and Group Key handshake for keys establishment
2.5 Conclusion
Chapter 3: Attacks on Wi-Fi Protected Access
3.1 Dictionary attack on WPA-Personal
3.2 WPA TKIP chop-chop attack
3.3 WPA TKIP Enhanced chop-chop attack
3.4 WPA TKIP Message Falsification attack
3.5 Conclusion
Chapter 4: Randomness in Wi-Fi Protected Access
4.1 Randomness overview
4.1.1 Definition and Examples
4.1.2 General requirements
4.1.3 Random numbers generation
4.2 Randomness in Wi-Fi Protected Access
4.2.1 Nonce and Nonce IV values
4.2.2 The impacts of weak randomness
4.3 Conclusion
Chapter 5: Nonce Initialization Value’s randomness analysis
5.1 NonceCap program
5.1.1 Network monitor mode & Linux Backtrack
5.1.2 Nonce capturing program’s basic blocks
5.1.3 libpcap functions library
5.1.4 NonceCap programming implementation
5.1.5 Nonce capturing result
5.2 Software reboot
5.2.1 Reboot HTTP requests
5.2.2 Software Reboot implementation
5.3 Hardware reboot
5.3.1 Relay
5.3.2 Relay control by timer
5.3.3 Relay control by computer
5.4 Nonce Initialization Values randomness analysis
5.4.1 Initialization Values repetitions
5.4.2 Maximum Likelihood Estimator
5.4.3 Schnabel estimation
5.4.4 Bias elimination
5.5 Conclusion
Chapter 6: Conclusion
6.1 Summary
6.2 Application
6.3 Further work
Appendix A: NonceCap source code
Appendix B: FINDER 49.31-50SPA relay specifications
Bibliography
Abstract
Security is an important problem for wireless networks. After the first security protocol, Wired Equivalent Privacy (WEP), was broken, the IEEE 802.11 working group standardized a replacement, the 802.11i security amendment, known commercially as Wi-Fi Protected Access (WPA) [1]. However, since 2008 different attacks on WPA have been published in succession. Most of them exploit flaws in the Temporal Key Integrity Protocol (TKIP), one of the two modes for data confidentiality and message integrity. Efforts to find other weaknesses of WPA continue.
This thesis presents another approach to analyzing the security of Wi-Fi Protected Access: verifying the randomness of the initialization values (IVs) of nonces, the numbers exchanged in the 4-way handshake messages to derive session keys. It was undertaken by means of a self-developed C program and an automatic access point reboot solution, in order to capture many nonce IV values. The collected data were then shown to contain repetitions. The thesis concludes that nonce IV randomness was not carefully implemented by some product vendors, resulting in security risks for session keys and 4-way handshake messages. As proof of concept, two popular access points, the D-LINK DIR615 and the Linksys WAG160N, were used for the experiments.
List of figures and tables
Figure 2.1: Wireless Local Area Network structure
Figure 2.2: Open System Interconnection model
Figure 2.3: TKIP encapsulation
Figure 2.4: CCMP encapsulation
Figure 2.5: Pairwise keys hierarchy
Figure 2.6: Group keys hierarchy
Figure 2.7: 4-way handshake
Figure 2.8: Group key handshake
Figure 3.1: Enhanced TKIP attack – Local TCP scan
Figure 3.2: Enhanced TKIP attack – Remote TCP scan
Figure 3.3: Message falsification man-in-the-middle attack
Figure 5.1: NonceCap program flowchart
Figure 5.2: Web interface log in data, captured by Wireshark
Figure 5.3: 555 Timer IC
Figure 5.4: Relay control circuit
Figure 5.5: D-LINK DIR615 Nonce IVs histogram
Table 2.1: WPA classification
Table 5.1: Estimated space sizes of ANonce IVs
List of abbreviations and symbols
ANonce: Access Point’s Nonce
AP: Access Point
ARP: Address Resolution Protocol
CCMP: Counter mode with Cipher block Chaining Message authentication code Protocol
GEK: Group Encryption Key
GIK: Group Integrity Key
GMK: Group Master Key
GTK: Group Transient Key
IEEE: Institute of Electrical and Electronics Engineers
IP: Internet Protocol
IV: Initialization Value
KCK: Key Confirmation Key
KEK: Key Encryption Key
MAC: Media Access Control
MPDU: Media Access Control Protocol Data Unit
MSDU: Media Access Control Service Data Unit
PMK: Pairwise Master Key
PRF: Pseudo Random Function
PTK: Pairwise Transient Key
SNonce: Station’s Nonce
STA: Station
TCP: Transmission Control Protocol
TEK: Temporal Encryption Key
TKIP: Temporal Key Integrity Protocol
WEP: Wired Equivalent Privacy
WPA: Wi-Fi Protected Access
Chapter 1: Introduction
In recent years wireless communication has become increasingly popular. Because a wireless network can be installed without running cables, it is more and more often preferred to the traditional wired one. However, sending messages over the open air inherently exposes them to security risks, since anyone within radio range can receive them. After the first security standard, Wired Equivalent Privacy (WEP), was broken, Wi-Fi Protected Access (WPA) was standardized to secure wireless communication. Since then, there have been numerous efforts to analyze the weaknesses of WPA.
1.1 Motivation
The first attack on Wi-Fi Protected Access was published in November 2008 [6], and several other scenarios appeared afterwards. Although most of them exploit the same weakness of WPA, which lies in the Temporal Key Integrity Protocol (TKIP), such results were a strong encouragement for cryptographers to look for other flaws in WPA.
This thesis project is motivated by the fact that Wi-Fi Protected Access is a complex standard consisting of various protocols, some of which might contain weaknesses. Previous attacks mostly focused on TKIP, while other important components of the standard have not been analyzed as carefully, e.g. the key establishment handshakes and their critical elements.
1.2 Objectives and Structure
The first goal of this thesis is to obtain a clear and systematic overview of wireless security concepts, as well as of the weaknesses uncovered so far in its newest standard, WPA. Secondly, it aims to find possible new weaknesses in current wireless networks, either in the standard itself or in its practical implementation. As clarified later in the text, this project took the approach of analyzing how device vendors implement randomness. In brief, this thesis is an attempt to contribute to current research on WPA security.
Following these objectives, this document is organized as follows:
- An overview of wireless network security is given in Chapter 2.
- Chapter 3 summarizes the existing attack scenarios on Wi-Fi Protected Access.
- Chapter 4 analyzes the role of nonces and their initialization values, which are important components for session key establishment in the 4-way handshake.
- The practical implementation to collect those nonce initialization values and the verification of their randomness are described in Chapter 5.
- Final conclusions are drawn in Chapter 6.
- Appendix A contains the source code of the NonceCap program used to capture nonce and nonce IV values. Appendix B lists the technical specifications of the FINDER 49.31-50SPA relay used to reboot the access points.
1.3 Limitation
During this project, the underlying cryptographic algorithms were not studied in detail; the focus was on protocol and implementation aspects. Experiments were carried out on two popular off-the-shelf access points produced by Linksys and D-LINK. The outcome is therefore verified only for those two devices; different access points and other vendors may give different results.
Chapter 2: Wireless network security
This chapter discusses the basic concepts of wireless network security protocols. Section 2.1 first covers the principles of communication security. Next, section 2.2 gives a short overview of IEEE 802.11 wireless networks. In section 2.3, the first wireless security protocol, Wired Equivalent Privacy (WEP), is introduced together with its weaknesses. Its successor, Wi-Fi Protected Access (WPA), is presented in section 2.4. Sub-section 2.4.5 analyzes in detail the 4-way handshake, an essential component of WPA.
2.1 Security principles
Communication security is becoming increasingly important. Networks need to authenticate which users are allowed to log in. Data need to be protected against modification, and their content must not be exposed to unauthorized parties. This section first describes adversaries and their attack techniques against communication protocols, and then introduces the cryptographic solutions that preclude them.
2.1.1 Adversaries and their techniques
Communication data are valuable. A single telegraph could carry important defense information of a whole country; an online bank transaction nowadays may carry millions of euros. As a consequence, there are adversaries trying to extract the valuable information carried over communication links.
One of the most basic techniques available to an adversary is eavesdropping. Wired communication can be eavesdropped by tapping into the wires, for example, and wireless packets can simply be sniffed from the open air. For data transmitted without any protection scheme, eavesdropping alone gives the adversary all the information in plain form.
Even when the transmitted data are protected, eavesdroppers can capture messages for later use in other attack techniques. One of the simplest scenarios is resending the messages without any modification. This trick is called a replay attack [2], and it has proved to be effective. Suppose a dishonest party receives a banking transfer of €1000 in an insecure system; he could replay the transaction to collect that amount multiple times.
A more active adversary can even inject messages to impersonate both parties, making each believe it is communicating directly with the other. This type of attack is known as a man-in-the-middle attack; one example is the attack against Diffie-Hellman key agreement explained in [2], section 12.6.1.
Specifically in network authentication, brute-force [4], dictionary [2] and pre-computation [5] attacks are very popular. Secret authentication data such as passwords can be guessed by trial and error when the search space is small. If the search space is large, such a brute-force attack takes a very long time and a great deal of computation, and is therefore infeasible. However, inexperienced users usually choose meaningful information or a frequently used sequence of characters as their secret. This allows attackers to try only the candidates in a "dictionary", which is much smaller than the whole search space. Attackers can also speed up the attack in real time by pre-computing the authentication messages for each candidate in advance.
Other, more sophisticated techniques include the chop-chop attack, clarified later in section 2.3, and the fragmentation attack described in section 3.3. The variety of attack schemes leads to different network protection mechanisms, classified into the following categories: entity authentication, data confidentiality and message integrity. The session keys used for data confidentiality and message integrity are derived by key establishment protocols.
2.1.2 Entity authentication
Each communicating party needs to verify that the identity of the other party is as declared, in order to prevent impersonation. Such a mechanism is called entity authentication [2].
There are different methods for entity authentication. The first approach is to verify usernames and passwords (a.k.a. passphrases). The system keeps a lookup table pairing each username with a password. This method is simple but weak. One of its disadvantages is that the system stores passwords in plain text, which is harmful if adversaries (or even a user with legitimate access) manage to break into the system's database and obtain all the stored passwords. Therefore the username-password scheme is improved by storing a hash value of the password, derived with a one-way function [2], which cannot be inverted. Information stolen from the server database then exposes only the hash values instead of the passwords. (The one-way function alone does not stop an attacker from hashing guesses and comparing them with the stolen table; that is the dictionary attack of sub-section 2.1.1.)
A further improvement is to use a user-specific salt value together with the password as input to the one-way function [2]. For a salt of n bits, an attacker who wants to carry out a brute-force or dictionary attack has to pre-compute 2^n possible hash values for each candidate password. This requires an enormous amount of memory for the pre-computed table, and it removes the attacker's ability to attack many passwords simultaneously with a single table. Later, sub-section 2.4.4 gives a typical example of such a scheme: the generation of the pairwise master key from the passphrase.
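The salted one-way function described above, worked out as an added example that is not code from this thesis: a generic salted hash shows why one precomputed table no longer cracks several users at once, and the same idea is then applied as IEEE 802.11i applies it for WPA-Personal, deriving the pairwise master key with PBKDF2-HMAC-SHA1, the SSID as salt and 4096 iterations. Those PBKDF2 parameters are taken from the standard and are not stated on this page; the user names, passwords and SSIDs are constructed sample data, and the final check compares against the standard's published test vector for passphrase "password" and SSID "IEEE".

```python
"""Salted one-way password hashing, and WPA's concrete instance of it.

Added example for sub-section 2.1.2, not code from the thesis. The generic
part hashes salt || password with SHA-256; the WPA part derives the Pairwise
Master Key as IEEE 802.11i does for WPA-Personal: PBKDF2-HMAC-SHA1 with the
SSID as salt and 4096 iterations (standard facts, not stated on this page).
User names, passwords and SSIDs are constructed sample data.
"""
import hashlib
import os
from typing import Dict, Iterable, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way function H(salt || password); the salt is stored next to the hash."""
    return hashlib.sha256(salt + password.encode()).digest()


def precompute_table(dictionary: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """Attacker's table hash -> password, valid for one salt value only.
    Covering every value of an n-bit salt multiplies its size by 2**n."""
    return {hash_password(pw, salt): pw for pw in dictionary}


def crack(stored: Dict[str, Tuple[bytes, bytes]], table: Dict[bytes, str]) -> Dict[str, str]:
    """Look each stored (salt, hash) pair up in the table; returns user -> recovered password."""
    return {user: table[h] for user, (_salt, h) in stored.items() if h in table}


def demo_salt(salt_len: int) -> Dict[str, str]:
    """Three users share the password "qwerty"; salt_len = 0 means unsalted.
    The attacker's single table was built for the empty salt."""
    stored = {}
    for user in ("alice", "bob", "carol"):
        salt = os.urandom(salt_len)
        stored[user] = (salt, hash_password("qwerty", salt))
    table = precompute_table(["123456", "password", "qwerty", "letmein"], b"")
    return crack(stored, table)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so a table of PMKs is only useful against one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    print("unsalted, cracked:    ", sorted(demo_salt(0)))    # all three users
    print("16-byte salt, cracked:", sorted(demo_salt(16)))   # none
    print("PMK('password', 'IEEE') =", wpa_pmk("password", "IEEE").hex())
```

Without a salt, one table built offline recovers every user who chose the same weak password; with a 16-byte salt the same table finds nobody, and the attacker must rebuild it per salt. In WPA-Personal the SSID plays the salt role, which is why pre-computed PMK tables are only built for common network names.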
The second approach is challenge-response: the network sends a challenge, and the user responds with either a hash value or a digital signature computed over it [2]. With this approach it is no longer possible to derive the password by simply eavesdropping. The challenge is also called a nonce, i.e. a number used only once. A nonce is often a random number, a timestamp or a sequence counter, and it helps the protocol prevent replay attacks.
There are also schemes that combine the two approaches. For example, as clarified later in section 2.4, challenges sent by both parties, together with a common passphrase, are used in a complex handshake to authenticate.
2.1.3 Confidentiality
After being authenticated, users can start to exchange messages. Messages must be accessible only to the intended users, and their contents must not be disclosed to any other entity. Thus plaintext messages need to be encrypted into ciphertexts before transmission, which are unreadable to eavesdroppers. Upon reception, ciphertexts are decrypted back to plaintexts.
There are two main categories of techniques for data confidentiality: public key encryption and symmetric key encryption [2]. Symmetric encryption uses the same key for both encryption and decryption, whereas public key (asymmetric) encryption uses two different keys: a public key for encryption and a private key for decryption.
Symmetric key encryption comes in stream cipher and block cipher schemes. Stream ciphers work on one digit (bit or byte) at a time. They originate from the Vernam cipher, a.k.a. the one-time pad, which encrypts by bitwise adding (XORing) the plaintext with a key and decrypts by bitwise adding the ciphertext with that same key. The one-time pad needs truly random keys as long as the plaintexts to be encrypted, and each key may be used only once. Since plaintexts are often very long, these conditions make the one-time pad infeasible in practice. Practical stream ciphers instead generate a pseudorandom keystream from a fixed-length long-term secret key; like a one-time pad, that keystream must never be reused for two messages. Typical examples of stream ciphers are RC4 [17] [6] and A5/1 [8], both commonly used in communication networks.
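To make the keystream-reuse condition concrete, the following added example (not code from this thesis) implements RC4 from its published key-scheduling and generation algorithms and encrypts two frames with a per-packet key IV || K, the construction WEP uses (a standard fact, not stated in this section). Because the IV is repeated, both frames get the same keystream, and XORing the two ciphertexts cancels it; with one plaintext known, the other falls out without the key. The key, IV and payloads are constructed sample data; the RC4 self-check uses the widely published vector for key "Key" and plaintext "Plaintext".

```python
"""Keystream reuse in a stream cipher, with RC4 as the concrete cipher.

Added example for sub-section 2.1.3, not code from the thesis. RC4 follows its
published KSA/PRGA description; the per-packet key IV || K is WEP's
construction (standard fact, not stated in this section). Key, IV and frame
payloads are constructed sample data.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 key-scheduling algorithm (KSA) followed by the generation loop (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, long_term_key: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = IV || K; the IV is sent in clear with the frame."""
    return rc4(iv + long_term_key, plaintext)


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Same IV and same K give the same keystream ks, so
    c1 XOR c2 = (p1 XOR ks) XOR (p2 XOR ks) = p1 XOR p2.
    Knowing p1 (e.g. a predictable ARP frame) yields p2 without K."""
    return xor(xor(c1, c2), p1)


K = bytes.fromhex("0f1e2d3c4b")                            # constructed 40-bit key
IV = b"\x01\x02\x03"                                       # constructed 24-bit IV
P1 = b"ARP request from 192.168.1.2".ljust(32)             # constructed, known to the attacker
P2 = b"GET /admin HTTP/1.1 user=phi".ljust(32)             # constructed, the secret payload


def demo() -> bytes:
    """Two frames encrypted under a repeated IV; returns what an eavesdropper recovers."""
    c1 = wep_style_encrypt(IV, K, P1)
    c2 = wep_style_encrypt(IV, K, P2)   # IV repeated: identical keystream
    return recover_second_plaintext(c1, c2, P1)


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())   # published RC4 vector: bbf316e8d940af0ad3
    print(demo() == P2)
```

The recovery needs neither K nor any weakness in RC4 itself; it follows purely from the XOR structure once a keystream repeats. A 24-bit IV space makes such repeats inevitable on a busy network, which is the starting point of the WEP weaknesses discussed in section 2.3.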
While stream ciphers work on one digit at a time, block ciphers process a block of data at a time. Instead of using a long keystream to encrypt a long plaintext, block ciphers use a fixed-length key to encrypt fixed-length data blocks. Typical block sizes are 64 or 128 bits, and typical key sizes 128, 192 or 256 bits. A typical example is AES [24], which is still considered secure and is already widely used in commercial applications, especially in wireless security products.
Naive use of a block cipher does not give adequate message security. If each block is encrypted independently, as in Electronic Code Book (ECB) mode, identical plaintext blocks produce identical ciphertext blocks, so an attacker can recognize repeated content, replay or rearrange blocks, or build a lookup table from chosen plaintexts. Therefore more advanced modes of operation that take an Initialization Vector (IV) are applied to block ciphers, so that encrypting the same message twice yields different ciphertexts. Details of these modes of operation are given in section 7.2.2 of [2].
2.1.4 Message integrity
Exchanged messages must be protected not only from exposure but also from alteration. Therefore a code is often used as a fingerprint of each message; the receiver verifies this code to detect any modification of the original message. Depending on whether or not a key is involved in computing the code, it is classified as a Message Authentication Code (MAC) or a Modification Detection Code (MDC), respectively, as described in chapter 9 of [2]. In network security the former is often called a Message Integrity Code (MIC), to avoid confusion with the term Media Access Control. Besides message integrity, MIC algorithms provide message authentication as well: only parties who possess the key can produce or verify a valid code.
Techniques for computing a message integrity code vary. Modern algorithms are built either on a one-way hash function, as in the Hash-based Message Authentication Code (HMAC) [9], or on a block cipher mode of operation, such as the CBC-MAC used by CCMP.
2.1.5 Key establishment
Data confidentiality and message integrity both need a key. If these algorithms used one single secret key for all messages, the compromise of that key at any moment would harm the security of all messages, past and future. Therefore it is better to generate one key per session, restricted to a certain period of time. This offers another advantage in communication networks, where one entity (e.g. the access point) often has to communicate with many other parties. Storing a distinct long-term key for each of them in the access point would cost a large amount of memory. It is thus a better idea for all entities in the network to share one long-term secret, from which they derive distinct pairwise session keys when they communicate with the access point. These motivations lead to key establishment protocols, which derive and distribute session keys from the original long-term secret key.
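The derivation of pairwise session keys from one shared long-term secret, and the use of challenges from both parties together with a common secret described in sub-section 2.1.2, can be seen in one added example (not code from this thesis) that follows the IEEE 802.11i Pairwise Transient Key derivation: PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)), with the PRF built from HMAC-SHA1, and a MIC over a handshake message computed under the resulting KCK as key confirmation. The PRF construction, the label and the ordering are standard facts not stated on this page; the PMK, MAC addresses and nonces are constructed sample data, and the EAPOL frame is a stand-in byte string rather than a real frame.

```python
"""Pairwise session keys from one long-term key plus two nonces (IEEE 802.11i PTK).

Added example for sub-sections 2.1.2 and 2.1.5, not code from the thesis.
The PRF construction, the label and the min/max ordering follow 802.11i;
the PMK, addresses and nonces are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to n_bytes."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK for CCMP (384 bits): KCK | KEK | TK, 128 bits each.
    Sorting addresses and nonces lets both sides build the same input
    regardless of which value each of them generated."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key confirmation: HMAC-SHA1 over the EAPOL-Key frame truncated to 128 bits
    (CCMP descriptor variant); only a holder of the same KCK can produce it."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame), mic)


AA = bytes.fromhex("001122334455")                        # constructed AP MAC address
SPA = bytes.fromhex("66778899aabb")                       # constructed STA MAC address
PMK = hashlib.sha256(b"constructed PMK seed").digest()   # constructed 256-bit PMK


def handshake(anonce: bytes, snonce: bytes, sta_pmk: bytes = PMK) -> Tuple[bool, Dict[str, bytes]]:
    """Msg1: AP -> STA carries ANonce. Msg2: STA -> AP carries SNonce and a MIC under
    the STA's KCK. The AP derives its own PTK and checks the MIC; success proves the
    STA holds the same PMK (key confirmation). Returns (accepted, AP's PTK)."""
    sta_ptk = derive_ptk(sta_pmk, AA, SPA, anonce, snonce)
    msg2 = b"EAPOL-Key msg2 " + snonce                    # constructed stand-in for the frame
    mic = eapol_mic(sta_ptk["KCK"], msg2)
    ap_ptk = derive_ptk(PMK, AA, SPA, anonce, snonce)
    return verify_mic(ap_ptk["KCK"], msg2, mic), ap_ptk


def fresh_session() -> Dict[str, bytes]:
    """Both sides draw fresh random nonces: a new PTK for every association."""
    ok, ptk = handshake(os.urandom(32), os.urandom(32))
    assert ok
    return ptk


def impostor_rejected() -> bool:
    """A station without the right PMK cannot produce a MIC the AP accepts."""
    ok, _ = handshake(os.urandom(32), os.urandom(32), sta_pmk=b"\x00" * 32)
    return not ok


def nonce_reuse_repeats_ptk() -> bool:
    """The PTK depends only on PMK, addresses and nonces. If the AP's nonce repeats
    (e.g. the same IV after every reboot) and the peer nonce is replayed, the earlier
    session's keys come back; this is the risk the thesis investigates."""
    fixed_anonce = bytes(31) + b"\x01"                    # constructed, non-random ANonce
    replayed_snonce = os.urandom(32)                      # captured once, replayed later
    _, first = handshake(fixed_anonce, replayed_snonce)
    _, again = handshake(fixed_anonce, replayed_snonce)
    return first == again


if __name__ == "__main__":
    print("fresh sessions differ:", fresh_session()["TK"] != fresh_session()["TK"])
    print("impostor rejected:", impostor_rejected())
    print("nonce reuse repeats PTK:", nonce_reuse_repeats_ptk())
```

Nothing in the derivation is secret except the PMK: the addresses and both nonces travel in clear. Session freshness therefore rests entirely on the two nonces being unpredictable and never repeating, which is exactly the property Chapter 5 measures on real access points.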
Key establishment protocols need certain properties to be sufficiently secure: key authentication, key confirmation, forward secrecy, resistance to known-key attacks, etc. Key authentication is the property whereby one party is assured that no party other than the identified second party can obtain the established key. It is also referred to as implicit key authentication. If the assurance holds for both parties, the key authentication is mutual.
Key confirmation is obtained when one party is assured that a second (possibly unidentified) party actually possesses the established key. If a key establishment protocol provides both (implicit) key authentication and key confirmation, it is said to provide explicit key authentication.
In a key establishment protocol with forward secrecy, compromise of the long-term secret key does not affect the security of past session keys. Likewise, a key establishment protocol is resistant to known-key attacks if the compromise of past session keys does not affect future sessions.
2.2 IEEE 802.11 wireless networks
Communication data can be transferred over wired or wireless networks. Wired networks have been widely used for a long time, whereas wireless ones were standardized for civilian use only recently.
2.2.1 IEEE 802.11 standards
The Institute of Electrical and Electronics Engineers (IEEE) released the first Wireless Local Area Network (WLAN) standard, 802.11, in 1997 [10]. It specified net bit rates of 1 and 2 megabits per second (Mbit/s) in the 2.4 GHz frequency band. Subsequently, the standards 802.11a [11], b [12] and g [13] were released; 802.11a works in the 5 GHz band, b and g in the 2.4 GHz band. The current version is 802.11-2007 [1], a single document that merges the different amendments (a, b, d, e, g, h, i, j), among which 802.11i-2004 [15] is the security amendment.
The latest version, 802.11n [14], adds multiple-input multiple-output (MIMO) antennas to reduce fading and extend the coverage, and is expected to be widely deployed in the forthcoming years.
2.2.2 IEEE 802.11 network structure
Basically, as defined in section 5 of the standard IEEE 802.11-2007 [1], a Wireless Local Area Network (WLAN) consists of an access point (AP) and other, non-AP stations (STAs). The access point provides access to external networks, i.e. it is the interface between the WLAN and the outside. Non-AP stations communicate with each other and with the outside world via their wireless connection to the access point. Figure 2.1 gives an overview of a WLAN.
Figure 2.1: Wireless Local Area Network structure (non-AP stations STA connected through one access point AP)
The standard also defines the roles of Authenticator and Supplicant in the
authentication process. The Supplicant is the entity that needs to be authenticated
to the network; the Authenticator is the entity that facilitates authentication for
Supplicants. In a WLAN, all non-AP stations are Supplicants, while access points
are Authenticators.
2.2.3 IEEE 802.11 layers model
The International Organization for Standardization (ISO) defined a layered model
for communication systems: the Open Systems Interconnection (OSI) model. The IEEE
802.11-2007 standard also follows this model, which consists of seven layers:
Application, Presentation, Session, Transport, Network, Data Link, and Physical, as
illustrated in Figure 2.2. Details of OSI are given in section 1.4 of [3].
The Data Link layer is further sub-divided into two sub-layers: Logical Link
Control (LLC) and Media Access Control (MAC). In particular, MAC provides a
mechanism to control which network entities may access the medium (the Physical
layer) and how they are addressed. This sub-layer, together with LLC, is
responsible for the local delivery of frames within a local area network (a wired
LAN or a WLAN). IEEE 802.11 frames are identical to wired-network frames from
the LLC sub-layer upwards and differ only from the MAC sub-layer downwards, so
that communication between the two kinds of network remains transparent.
Figure 2.2: Open Systems Interconnection model (seven layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical)
A network entity discovers the MAC addresses (hardware addresses) of other entities
in the same local network using the Address Resolution Protocol (ARP) [3]. It
broadcasts an ARP request to all other entities asking for the MAC address(es) it
needs, and receives the response from the corresponding entity (or entities). It can
then store the addresses in an ARP table for later use. ARP requests are mentioned
here because of their role in section 3.2 of chapter 3.
The standard IEEE 802.11-2007 also distinguishes two types of data unit with respect
to LLC and MAC: the MAC Service Data Unit (MSDU) and the MAC Protocol Data Unit
(MPDU). An MSDU can be thought of as a packet produced at the LLC sub-layer and
passed down to the MAC sub-layer, while an MPDU is a packet produced at the MAC
sub-layer. These concepts are introduced here because they are referred to in later
sections, e.g. in sections 2.3 and 2.4.
2.2.4 IEEE 802.11 security problem
Wireless network messages are transmitted over the open air, so they are at high
risk of being captured without being noticed. Given that wireless networks have
expanded their usage to nearly the popularity of their wired counterparts, the
impact of security flaws can be serious. For instance, it is nowadays common for
people to carry out banking transactions over a wireless connection to the
Internet. If attacked, the revealed data could cost a large amount of money. As a
consequence, there are many concerns regarding the security of wireless networks.
Being aware of these security impacts, the Institute of Electrical and Electronics
Engineers (IEEE) has already put much effort into establishing security protocols
for its WLAN standards. From the original, broken Wired Equivalent Privacy, the
802.11 standards moved to its successor Wi-Fi Protected Access, with better security
algorithms.¹
2.3 Wired Equivalent Privacy (WEP)
The first security protocol for wireless networks was Wired Equivalent Privacy
(WEP) [16], introduced as part of the IEEE 802.11 standard in 1999. WEP was once
widely used in most wireless devices. However, over the years, more and more
attacks on WEP were developed, owing to the different security problems underlying it.
2.3.1 WEP basics
For data confidentiality, WEP uses the RC4 [17] [6] stream cipher. RC4 generates a
pseudo-random bit stream (the so-called key stream) using two algorithms: the RC4
Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm
(PRGA). The encryption procedure starts with a fixed root key of 40 or 104 bits,
concatenated with a 24-bit initialization vector (IV) to form a per-packet key; each
key corresponds to one MAC Protocol Data Unit, as described in sub-section 2.2.3.
The IV selection algorithm is unspecified and therefore vendor-specific. The
per-packet key is repeated until it fills 256 bytes, forming a temporary vector. The
256 bytes of this temporary vector are iteratively swapped in the RC4 KSA to
produce the initial permutation of the state vector S. Then, in the Pseudo-Random
Generation Algorithm, a key stream of the same length as the MPDU is generated
one byte at a time by swapping bytes of S. This key stream is added bitwise
(XORed) to the plaintext to obtain the ciphertext. Finally, the ciphertext is
transmitted together with the IV to the receiver, so that the receiver can use the
same IV to derive its key stream.
WEP uses a simple mechanism, which involves no key, to protect the integrity of
packets. It computes a 4-byte integrity check value (ICV) with an algorithm called
cyclic redundancy check (CRC-32) [18] over the whole MPDU. CRC-32 has two
elements: an input and a 33-bit polynomial (the 32 in the name is the degree, i.e.
the power of the most significant bit). The IEEE 802.11 standard defines this
polynomial as follows:
$G(x) = x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1$ (2.1)
The CRC checksum is calculated by repeatedly dividing the input by the
polynomial [19]. It starts by appending W zeroes (W = 32 for CRC-32) to the input
packet. The polynomial is then placed under the leftmost side of the input. If the
input bit above the leftmost polynomial bit is 1, the input and the polynomial are
added bitwise (XORed), and then the polynomial is shifted one bit to the right. If
the input bit above the leftmost polynomial bit is 0, no bitwise addition is
performed, but the polynomial is still shifted one bit to the right. This process is
repeated until the polynomial has been shifted all the way to the rightmost bit of
the input. Finally, a W-bit remainder, called the ICV (or CRC-32 checksum), is
obtained. The ICV is appended to the MPDU and the two are encrypted together
using the RC4 key stream. If the ICV calculated over the received packet differs
from the received ICV, a modification is detected and the packet is discarded.
However, this algorithm has a weakness, as will be clarified in the next section.
¹ In order to obtain transparent communication with wired networks, the standard
IEEE 802.11-2007 also states that the wireless security mechanism must not apply to
layers higher than the Data Link layer.
For entity authentication, WEP applies Shared Key authentication in a
challenge-response manner. The access point sends a challenge, and the station
responds by sending back the RC4-encrypted version of that challenge. Upon
verifying the correctness of the response ciphertext, the access point authenticates
the station.
2.3.2 WEP weaknesses
A serious problem of WEP lies in its authentication protocol. By eavesdropping on
both the plaintext challenge and its response ciphertext, adversaries can simply
add the two together (XOR) to obtain the key stream. At that point, they can inject
arbitrary encrypted packets into the network without knowing the WEP root key.
Another WEP weakness is its Initialization Vector. Because WEP uses the RC4 stream
cipher, the same per-packet key must never be used twice. The WEP IV is meant to
avoid such repetition. Nevertheless, at only 24 bits in length, it is not enough to
guarantee this requirement. Because of the birthday paradox [2], there is a
probability of about 50% that after 4096 packets, two packets share the same IV
and hence the same RC4 key.
It is also a flaw that the 3-byte Initialization Vector is transmitted in clear text
while at the same time being part of the per-packet key, so it reveals the first three
bytes of every per-packet key. In addition, the first few bytes of the packet itself
are often predictable¹. By bitwise addition (XOR) of these predictable plaintext bytes
with their corresponding ciphertext bytes, attackers obtain the first bytes of the key
stream. To sum up, attackers know the first n bytes of the key stream and the first
three bytes of the per-packet key. Some attacks exploit this property in a
trial-and-error approach to guess the remaining bytes of the per-packet key. The
mathematical details of this approach are given in [20], [21], and [22].
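The RC4 key scheduling, key stream generation and per-packet key construction described in 2.3.1, together with the IV-reuse weakness discussed above, as an added Python example that is not part of the thesis. The root key, IV and plaintexts are constructed values; the ICV is computed with zlib's CRC-32, which is the same CRC-32 WEP uses.

```python
import zlib
from typing import Optional


def rc4_ksa(key: bytes) -> list:
    """RC4 Key Scheduling Algorithm. Indexing key[i % len(key)] is the same as
    repeating the per-packet key until it fills 256 bytes, as the text describes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-Random Generation Algorithm: one key stream byte per step,
    swapping bytes of S as it goes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation of one MPDU body: IV || RC4(IV || root_key)(plaintext || ICV).
    The ICV is the CRC-32 of the plaintext, carried little-endian as in WEP frames."""
    assert len(iv) == 3 and len(root_key) in (5, 13), "24-bit IV, 40- or 104-bit root key"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor_bytes(rc4_keystream(iv + root_key, len(body)), body)


def wep_decrypt(root_key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: rebuild the per-packet key from the clear-text IV, decrypt,
    and recompute the ICV. Returns None (silent discard) on an ICV mismatch."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor_bytes(rc4_keystream(iv + root_key, len(ciphertext)), ciphertext)
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What an eavesdropper learns from two frames under the same IV (hence the
    same per-packet key): C1 xor C2 = (P1||ICV1) xor (P2||ICV2); the key stream
    cancels out. Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2)) - 3
    return xor_bytes(frame1[3:3 + n], frame2[3:3 + n])


# Constructed demo values (not taken from any real network)
ROOT_KEY = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit root key
IV = bytes.fromhex("a1b2c3")                             # 24-bit IV
P1 = b"ARP request body one"
P2 = b"ARP request body two"

if __name__ == "__main__":
    f1 = wep_encrypt(ROOT_KEY, IV, P1)
    f2 = wep_encrypt(ROOT_KEY, IV, P2)          # same IV reused: the WEP weakness
    print("decrypts:", wep_decrypt(ROOT_KEY, f1) == P1)
    print("P1 xor P2 leaked:", keystream_reuse_leak(f1, f2)[:len(P1)] == xor_bytes(P1, P2))
```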
Apart from the weaknesses of the RC4 stream cipher, WEP carries another flaw in
its CRC-32 integrity check. This flaw, together with the lack of a replay protection
mechanism, exposed WEP to a special kind of attack: the chop-chop attack [23].
This is so far the most successful attack, and it is still used against WPA, as will
be described in chapter 3. It is therefore necessary to give an overview of the WEP
chop-chop attack here.
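The CRC-32 division of 2.3.1 and the linearity flaw of 2.3.2, as an added Python example that is not from the thesis: it implements the bit-by-bit division with the polynomial of (2.1), checks the linear (and, for the deployed ICV, affine) relation that makes the checksum of a modified packet predictable without any key, and contrasts it with a keyed MAC. The sample payloads and the MAC key are constructed.

```python
import hashlib
import hmac
import zlib

# The generator polynomial G(x) of equation (2.1), all 33 bits (x^32 term included)
CRC32_POLY = (1 << 32) | 0x04C11DB7


def crc32_longhand(data: bytes) -> int:
    """CRC-32 computed exactly as 2.3.1 describes it: append W = 32 zero bits,
    then slide the polynomial from the leftmost input bit to the rightmost,
    XORing it in whenever the input bit above its leading bit is 1. The
    32-bit remainder is the checksum."""
    reg = int.from_bytes(data, "big") << 32        # input with 32 zeroes appended
    for shift in range(len(data) * 8 - 1, -1, -1):
        if (reg >> (shift + 32)) & 1:              # bit above the polynomial's MSB
            reg ^= CRC32_POLY << shift             # bitwise addition, then shift right
    return reg & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def longhand_is_linear(a: bytes, b: bytes) -> bool:
    """Polynomial division is linear over GF(2): for equal-length inputs,
    crc(a xor b) == crc(a) xor crc(b). This is the property the checksum
    correction of 2.3.3 relies on."""
    return crc32_longhand(xor_bytes(a, b)) == crc32_longhand(a) ^ crc32_longhand(b)


def ieee_icv_is_affine(a: bytes, b: bytes) -> bool:
    """The ICV actually used by WEP is CRC-32/IEEE (zlib.crc32: same G(x), bit-
    reflected, initial value 0xFFFFFFFF, final XOR). The initial value makes it
    affine rather than linear: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).
    Either way, the checksum of a modified packet is predictable without a key."""
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def keyed_mac_breaks_relation(key: bytes, a: bytes, b: bytes) -> bool:
    """The hardened form: a keyed MAC (HMAC-SHA-1 here) satisfies no such
    relation, so a modification cannot be repaired without knowing the key.
    (False only with negligible probability, about 2^-160.)"""
    zeros = bytes(len(a))
    rhs = xor_bytes(xor_bytes(hmac_sha1(key, a), hmac_sha1(key, b)), hmac_sha1(key, zeros))
    return hmac_sha1(key, xor_bytes(a, b)) != rhs


# Constructed sample MPDU payloads of equal length, as the identities require
SAMPLE_A = b"\x00\x01\x08\x00\x06\x04\x00\x01 sample ARP body A"
SAMPLE_B = b"\x00\x01\x08\x00\x06\x04\x00\x01 sample ARP body B"

if __name__ == "__main__":
    print(hex(crc32_longhand(b"\x01")))           # x^32 mod G(x) -> 0x4c11db7
    print(longhand_is_linear(SAMPLE_A, SAMPLE_B),
          ieee_icv_is_affine(SAMPLE_A, SAMPLE_B),
          keyed_mac_breaks_relation(b"constructed-key", SAMPLE_A, SAMPLE_B))
```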
2.3.3 WEP chop-chop attack scheme
The plaintext is decomposed as follows:
$P = Q \cdot 2^{8} + R$, where R is the last byte. (2.2)
Upon receiving and decrypting the ciphertext into the plaintext, the CRC-32 check
verifies whether $P \bmod P_{\mathrm{CRC}} = P_{\mathrm{ONE}}$, with $P_{\mathrm{CRC}}$ the polynomial
defined in 2.3.1 and $P_{\mathrm{ONE}}$ the polynomial whose coefficients are all 1.
If we truncate (chop) the last byte from the ciphertext and send only the truncated
packet, the CRC-32 check at the receiver will fail and the packet is silently
discarded. The linearity of CRC-32, however, allows adding the following
polynomial to the chopped ciphertext to obtain a correct checksum, as explained in
[6] and [19]:
$P_{\mathrm{ONE}} + (2^{8})^{-1} \cdot (P_{\mathrm{ONE}} + R)$ (2.3)
Assume an attacker captures a packet from a station, chops bytes off and corrects
the checksum, then replays the packet to the access point. Upon receiving the
packet and verifying that the checksum is correct, the access point sends out a
message informing about an unidentified user, because the attacker has not been
authenticated to the network. If, however, the packet has an incorrect checksum,
the access point silently discards it without any notification.
¹ For example, the first two bytes of every ARP packet are often 0x00 and 0x01,
which indicate that the hardware type is Ethernet; the next two bytes are 0x08 and
0x00, which indicate that the network layer uses the IP version 4 protocol; the next
two bytes are 0x06 and 0x04, indicating that MAC and IP addresses have six and
four bytes in length, respectively.
The attackers exploit this behaviour and the CRC-32 flaw mentioned in 2.3.2 to
implement the so-called chop-chop attack on WEP. They chop the last byte off the
ciphertext, guess its corresponding plaintext byte R, add the corrected checksum
bitwise to the chopped ciphertext, and send it to the access point to see whether an
unauthenticated-user message comes back, i.e. whether the guess of R is correct.
With at most 256 guesses, 128 on average, the attackers derive the last byte of the
plaintext. Repeating this iteratively, they can recover every byte of the plaintext.
2.4 Wi-Fi Protected Access
Because of the flaws of Wired Equivalent Privacy, the new security protocols Wi-Fi
Protected Access (WPA) and its successor WPA2 were introduced by the Wi-Fi
Alliance, and later standardized in IEEE 802.11-2007 [1]. WPA includes several
algorithms that aim to be strongly secure. However, one of its most critical parts,
TKIP, has been proven vulnerable.
Sub-section 2.4.1 first gives an overview of WPA. Sub-sections 2.4.2 to 2.4.5 discuss
the WPA mechanisms for confidentiality, message integrity and entity
authentication. The 4-way handshake and the Group Key handshake, two special
algorithms for WPA session key derivation, are presented in sub-section 2.4.5.
2.4.1 Wi-Fi Protected Access basic concepts
Since the vulnerability of Wired Equivalent Privacy lies in both its naive use of the
RC4 stream cipher and its CRC-32 integrity check, Wi-Fi Protected Access
introduces better techniques for data confidentiality and message integrity. Firstly,
the Temporal Key Integrity Protocol (TKIP) was developed with the aim of being
compatible with existing WEP hardware while still offering better security. Counter
mode with CBC-MAC Protocol (CCMP) evolved afterwards and has remained secure
so far.
Wi-Fi Protected Access has two versions: WPA was standardized first, then WPA2.
In WPA the use of TKIP is mandatory for backward compatibility, while CCMP is
supported but optional. In WPA2 it is the other way around: CCMP is mandatory
and TKIP is supported. The distinction between the two is sometimes blurred in
papers and on websites. For convenience, from here onward in this document the
common name WPA will be used; the distinction will manifest itself in the
underlying algorithms, TKIP or CCMP.
Algorithms                    | Versions                     | Application classification
                              | WPA          | WPA2          | WPA-Personal | WPA-Enterprise
------------------------------+--------------+---------------+--------------+-----------------------
Confidentiality and integrity | TKIP         | CCMP          | CCMP or TKIP | CCMP or TKIP
Authentication                | PSK or Authentication Server | PSK          | Authentication Server
Table 2.1: Wi-Fi Protected Access classification
WPA is further classified into two categories: WPA-Personal for home networks and
WPA-Enterprise for enterprise networks. The difference between the two lies in the
entity authentication algorithms: WPA-Personal uses pre-shared key (PSK)
authentication, whereas WPA-Enterprise additionally uses an Authentication Server
and can choose among a number of protocol options. Table 2.1 gives an overview of
this classification.
2.4.2 Temporal Key Integrity Protocol
In order to run on existing WEP-compatible network cards without major hardware
changes, the Temporal Key Integrity Protocol (TKIP) also uses the RC4 stream
cipher, but with a more sophisticated mechanism to generate the per-packet key.
While WEP simply concatenates an Initialization Vector with the root key, TKIP
applies two phases of a key mixing function to produce the IV and the RC4
per-packet key. Figure 2.3 shows that the inputs to the two key mixing phases are
the 128-bit Temporal Key (TK), which will be defined in sub-section 2.4.5; the
transmitter address (TA), i.e. the MAC address of the transmitter; and a TKIP
sequence counter (TSC). According to [1], mixing the key in two phases makes the
key computation less intensive, easing the burden on older WEP hardware.
Figure 2.3: TKIP encapsulation
As already clarified in sub-section 2.3.1, the WEP IV is transmitted in clear text and
is thus exposed to attackers, whereas the TKIP IV is encrypted together with the
plaintext. The attacks in [20] [21] [22], which rely on knowledge of the IV, are
therefore prevented.
For message integrity, apart from the CRC-32 used in WEP, TKIP additionally uses a
64-bit Message Integrity Code (MIC) algorithm named MICHAEL [1]. With respect to
the MAC service data unit (MSDU) and MAC protocol data unit (MPDU), TKIP uses
the two integrity algorithms differently: the CRC-32 integrity check value (ICV) is
computed per MPDU, while the MICHAEL MIC is computed per MSDU. The MIC value
is appended to the plaintext MSDU before it is segmented into MPDUs and encrypted.
It is appended to the MSDU rather than to the MPDUs in order to stay compatible
with WEP hardware.
TKIP implements two countermeasures to prevent attacks:
- When a station receives a packet with an incorrect ICV, it silently discards the
packet. If the ICV is correct but the MIC check fails, it detects an attack and sends
a MIC failure report to the access point. In case there are more than two MIC
failures within 60 seconds, the communication is shut down and the two parties
start the authentication all over again.
- Replay attacks are prevented in TKIP by means of a 6-byte TKIP sequence counter
(TSC), updated after each MPDU. If a packet is received with a TSC value out of
order, it is discarded to eliminate replay.
It will be clarified later in chapter 3 that, despite those countermeasures, TKIP is
still vulnerable to chop-chop-like schemes.
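A receive-side model of the two TKIP countermeasures just listed, as an added Python example that is neither the thesis's code nor the standard's text. It applies the rule as stated in section 3.2 (two MIC failures within 60 seconds shut the link down); the order of the checks, the report strings and the trace of frames are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

MIC_FAILURE_WINDOW_S = 60.0   # a second MIC failure inside this window triggers countermeasures


@dataclass
class TkipReceiver:
    """One station's view of incoming MPDUs. The TSC replay check is done first
    (assumption: the TSC is carried in clear, so it needs no decryption), then
    the ICV, then the MICHAEL MIC."""
    last_tsc: int = -1                                   # highest accepted 48-bit TSC
    mic_failure_times: List[float] = field(default_factory=list)
    shut_down: bool = False

    def receive(self, tsc: int, icv_ok: bool, mic_ok: bool, now: float) -> str:
        if self.shut_down:
            return "dropped: countermeasures active, must re-authenticate"
        if tsc <= self.last_tsc:                          # countermeasure 2: replay
            return "discarded: TSC out of order (replay)"
        if not icv_ok:                                   # countermeasure 1: silent discard
            return "discarded: ICV failure (silent)"
        if not mic_ok:                                   # countermeasure 1: report failure
            self.mic_failure_times = [t for t in self.mic_failure_times
                                      if now - t <= MIC_FAILURE_WINDOW_S]
            self.mic_failure_times.append(now)
            if len(self.mic_failure_times) >= 2:
                self.shut_down = True
                return "MIC failure reported; second within 60 s: link shut down"
            return "MIC failure reported to the access point"
        self.last_tsc = tsc                              # only accepted frames advance the counter
        return "accepted"


def run_trace(events: List[Tuple[int, bool, bool, float]]) -> List[str]:
    """Feed (tsc, icv_ok, mic_ok, time_in_seconds) tuples through one receiver."""
    rx = TkipReceiver()
    return [rx.receive(*e) for e in events]


# Constructed trace: a replayed frame, a corrupted frame, a forged frame that
# passes the ICV but not the MIC, then a second forgery 20 s later.
SAMPLE_TRACE = [
    (1, True, True, 0.0),
    (2, True, True, 0.5),
    (2, True, True, 0.6),      # same TSC again: replay
    (3, False, False, 1.0),    # ICV wrong: dropped without a report
    (3, True, False, 2.0),     # ICV right, MIC wrong: first failure report
    (4, True, False, 22.0),    # second MIC failure within 60 s: shutdown
    (5, True, True, 23.0),     # nothing accepted until re-authentication
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(event, "->", verdict)
```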
2.4.3 Counter mode with Cipher block chaining Message authentication code Protocol
Unlike TKIP, which was designed not only for security but also for backward
compatibility with WEP, Counter mode with Cipher block chaining Message
authentication code Protocol (CCMP) was developed to achieve strong security only.
Its core component is the Advanced Encryption Standard (AES) [24], currently the
strongest block cipher. AES was adopted from the Rijndael algorithm and
standardized by the U.S. National Institute of Standards and Technology (NIST) in
2001. This block cipher is based on a design technique called a
substitution-permutation network, which transforms the plaintext in a number of
rounds before producing the final ciphertext. While the original Rijndael
algorithm's block and key sizes can be any multiple of 32 bits, AES uses a fixed
block size of 128 bits and a key size of 128, 192 or 256 bits. CCMP in IEEE
802.11-2007 uses AES-128, i.e. it fixes both the block and the key size at 128 bits.
More details on the AES algorithm are given in [24].
Figure 2.4: CCMP encapsulation
As emphasized in sub-section 2.1.3, any block cipher must be used in a suitable
mode of operation to be secure. The standard IEEE 802.11-2007 uses AES in a mode
called CCM (Counter mode with Cipher block chaining Message authentication
code), which combines two well-known modes, Counter Mode (CTR) and Cipher
Block Chaining (CBC). This mode has the advantage that, with a single encryption
key, it provides not only data confidentiality but also message integrity. Regarding
message integrity, the MIC check is done over each MAC protocol data unit, instead
of over the MAC service data unit as in TKIP. There is no ICV check in CCMP,
because CCMP does not aim to be compatible with WEP hardware.
To prevent replay attacks, a 6-byte packet number (PN) is incremented so that it is
fresh for each MPDU. This PN value is included in the CCMP header and thus
transmitted in clear text. The receiver extracts the PN value from the unencrypted
CCMP header and compares it with the PN value derived from the ciphertext to
detect replay.
CCMP assures a high level of security. So far, there has not been a single attack on
CCMP, and it is believed to remain secure for a long time to come.
2.4.4 WPA Entity authentication
Regarding entity authentication, the WPA-Personal and WPA-Enterprise variants
take different approaches. In WPA-Personal there is no separate authentication
process; instead, it is integrated into the so-called 4-way handshake, which is a key
establishment process. Before authentication, the Supplicant (i.e. the station) and
the Authenticator (i.e. the access point) share a common passphrase of 8 to 63
ASCII characters. Through a pseudo-random function consisting of 4096 iterations
of HMAC-SHA-1 [9], the passphrase is used to generate a Pairwise Master Key (PMK)
as follows:
PMK = PBKDF2(passphrase, ssid, 4096, 256) (2.4)
where the Service Set Identifier (SSID), the name of the network, is used as the salt
of this pseudo-random function. The PMK is in turn used for entity authentication
and session key derivation in the 4-way handshake. Details of the 4-way handshake
are given in the next sub-section, 2.4.5.
In WPA-Enterprise, authentication is carried out in a process separate from key
derivation. A dedicated Authentication Server (AS) is responsible for
authenticating Supplicants. The Authenticator, i.e. the access point, only acts as a
transport for authentication packets between the Authentication Server and the
Supplicants. Authentication algorithms in WPA-Enterprise vary greatly; examples
are the Pre-Shared Key Extensible Authentication Protocol (EAP-PSK) [25] and
Internet Key Exchange version 2 (IKEv2) [26]. The result of this process is a 256-bit
Pairwise Master Key, which is later used as input to the 4-way handshake for
session key derivation.
2.4.5 4-way handshake and Group Key handshake for keys establishment
As explained in sub-section 2.1.5, different communication sessions need different
session keys. Each session key is restricted to a certain period of time, after which
it is discarded and a new session key needs to be derived. To derive session keys,
Wi-Fi Protected Access performs two processes, called the 4-way handshake and
the Group Key handshake. The 4-way handshake establishes session keys both for
pair-wise communication, i.e. communication between the access point and one
station, and for broadcast messages, i.e. messages that involve all communicating
entities within the WLAN. The Group Key handshake, by contrast, is only used to
update the session keys for broadcast messages at specific moments. As clarified
above, the 4-way handshake also takes care of entity authentication in the case of
WPA-Personal.
a. 4-way handshake:
The 4-way handshake derives a Pairwise Transient Key (PTK) for pair-wise
communication and a Group Temporal Key (GTK) for broadcast messages. The PTK
consists of a Temporal Encryption Key (TEK), a MIC Key Confirmation Key (KCK)
and a Key Encryption Key (KEK). The TEK is used in TKIP for data confidentiality
and in CCMP for both data confidentiality and message integrity. Since the
messages of the 4-way handshake and the Group Key handshake also need their
own confidentiality and integrity, the KEK and KCK serve these requirements. In
the case of TKIP, the PTK has two extra Temporal MIC keys, one for packets from
the station to the access point and the other for packets in the opposite direction.
The GTK contains a Group Encryption Key (GEK) and, in the case of TKIP, an extra
Group Integrity Key (GIK). GEK and GIK take the same responsibilities as the
pair-wise TEK and Temporal MI keys, but for broadcast packets. The key
hierarchies generated by the 4-way handshake are described in Figures 2.5 and 2.6.
Figure 2.5: Pairwise keys hierarchy
The first message:
In the first message of the 4-way handshake, the access point basically sends, in
clear text, the ANonce, which is a nonce (i.e. number-used-once) value. Upon
receiving the ANonce, the station generates another nonce value, the SNonce, and
computes the PTK with a pseudo-random function:
PTK = PRF-X(PMK, "Pairwise key expansion", Min(AP_MAC, STA_MAC) || Max(AP_MAC, STA_MAC) || Min(ANonce, SNonce) || Max(ANonce, SNonce)) (2.5)
where "Pairwise key expansion" is a text string.
The second message:
Upon completing the PTK derivation, the station sends its SNonce back to the
access point, also in clear text, in the second message. A MIC value over the second
message itself is computed with the KCK just derived. The access point in turn
applies the two nonces to derive the pair-wise keys itself. At this point, the access
point uses its KCK to check the MIC value of the second message sent by the
station. The check only succeeds if the two parties derive the same pair-wise keys
from the same master key PMK; otherwise a failure is detected and the protocol
aborts.
Figure 2.6: Group keys hierarchy
The third message:
After a successful MIC check of the second message, the access point chooses a
random Group Master Key (GMK) and another nonce value, the GNonce, to
compute the Group Temporal Key (GTK) with another pseudo-random function:
GTK = PRF-X(GMK, "Group key expansion", AP_MAC || GNonce) (2.6)
where "Group key expansion" is a text string. The access point then sends the GTK,
encrypted with the KEK just derived, together with a MIC value to the station in
the third message.
The fourth message:
Finally, the station confirms the arrival of the GTK and the correct MIC check of
the third message with a fourth, confirmation message containing a MIC value.
All 4-way handshake messages are illustrated in Figure 2.7.
During the 4-way handshake, three nonce values are chosen to derive the PTK and
GTK. To avoid repetition of the output session keys, which would result in
security risks, it is mandatory that those nonce values are used only once. This
condition is analyzed further in chapters 4 and 5.
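Equations (2.4), (2.5) and (2.6) carried through in Python, as an added example that is not code from the thesis. PRF-X is the IEEE 802.11 construction (HMAC-SHA-1 over label || 0x00 || data || counter, truncated to X bits) and the KCK || KEK || TEK split follows the standard; the passphrase, SSID, MAC addresses and nonces are constructed values. The last function shows the nonce-repetition risk the paragraph above names.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Equation (2.4): PMK = PBKDF2(passphrase, ssid, 4096, 256), i.e. PBKDF2 with
    HMAC-SHA-1, the SSID as salt, 4096 iterations and a 256-bit (32-byte) output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_x(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-X: concatenate HMAC-SHA-1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and keep the first X = 8 * nbytes bits."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, mac1: bytes, mac2: bytes, nonce1: bytes, nonce2: bytes) -> dict:
    """Equation (2.5). The Min/Max ordering lets either side call this with its own
    view of 'my address, their address' and still derive the same PTK. 48 bytes
    is the CCMP PTK, split as KCK || KEK || TEK (16 bytes each)."""
    data = (min(mac1, mac2) + max(mac1, mac2)
            + min(nonce1, nonce2) + max(nonce1, nonce2))
    ptk = prf_x(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TEK": ptk[32:48]}


def derive_gtk(gmk: bytes, ap_mac: bytes, gnonce: bytes) -> bytes:
    """Equation (2.6): 16-byte GTK, the CCMP group encryption key length."""
    return prf_x(gmk, b"Group key expansion", ap_mac + gnonce, 16)


# Constructed demo values (no real network, passphrase or nonce source)
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))            # 32-byte nonces as carried in messages 1 and 2
SNONCE = bytes(range(32, 64))
PMK = pmk_from_passphrase("correct horse battery staple", "ExampleNet")


def both_sides_agree() -> bool:
    """The station computes after message 1, the access point after message 2;
    with the same PMK and nonces both obtain an identical PTK."""
    ap_view = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)
    sta_view = derive_ptk(PMK, STA_MAC, AP_MAC, SNONCE, ANONCE)
    return ap_view == sta_view


def sessions_share_key(anonce_1: bytes, snonce_1: bytes,
                       anonce_2: bytes, snonce_2: bytes) -> bool:
    """The risk the text names: two handshakes under the same PMK whose nonces
    repeat yield the same session keys, so the second session is not fresh."""
    k1 = derive_ptk(PMK, AP_MAC, STA_MAC, anonce_1, snonce_1)
    k2 = derive_ptk(PMK, AP_MAC, STA_MAC, anonce_2, snonce_2)
    return k1 == k2


if __name__ == "__main__":
    fresh_anonce = bytes(range(64, 96))
    print("both sides agree:", both_sides_agree())
    print("repeated nonces -> same PTK:", sessions_share_key(ANONCE, SNONCE, ANONCE, SNONCE))
    print("fresh ANonce -> new PTK:", not sessions_share_key(ANONCE, SNONCE, fresh_anonce, SNONCE))
```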
Figure 2.7: 4-way handshake
b. Group key handshake:
Normally the Group Temporal Key, generated in the third message of the 4-way
handshake, is shared between the access point and all stations in the same network.
It is updated in the Group Key handshake either after a defined interval or when a
station is de-authenticated because of a certain kind of failure, e.g. a MIC failure.
Figure 2.8: Group key handshake
The two messages of the Group Key handshake are mostly identical to the third and
fourth messages of the 4-way handshake, except for the additional Key Replay
Counter used to prevent replay attacks.
2.5 Conclusion
This chapter presented several fundamental concepts of wireless network security
and its protocols: Wired Equivalent Privacy and Wi-Fi Protected Access. The former
is broken, while the latter is more secure. The next chapter discusses the
discovered weaknesses of WPA and some existing attack schemes on this standard.
Chapter 3: Attacks on Wi-Fi Protected Access
When Wi-Fi Protected Access was designed to replace the weak Wired Equivalent
Privacy, it was hoped to secure wireless communication perfectly. However, there
are still vulnerabilities that adversaries can exploit, either through naive
configuration by end-users or through WPA's own flaws in TKIP mode. This chapter
discusses some typical attacks on WPA to date.
3.1 Dictionary attack on WPA-Personal
As indicated in sub-section 2.4.4, the pair-wise master key PMK used for the 4-way
handshake is generated by the pseudo-random function Password-Based Key
Derivation Function 2 (PBKDF2) [28], which applies 4096 iterations of HMAC-SHA-1
[30]. The complexity of 4096 HMAC-SHA-1 iterations [1] makes the PMK
computation intensive. Typically, a computer can only try 50 to 300 possible keys
per second, depending on CPU speed. Consequently, given the use of a salt value
and a passphrase length of at least 8 characters, pre-computation or brute force on
the PMK in WPA-Personal is impossible if the whole space of passphrases is used.
In practice, however, passphrases rarely cover the whole space they are supposed
to use. Novice network administrators, especially home users who set up their own
WPA-Personal networks, usually set predictable passphrases that are either
sequences of numbers or meaningful phrases that can be found in a "dictionary".
This leaves the PMK with a weak random space. In such cases, attackers can exploit
an available passphrase dictionary to brute-force it.
The full dictionary attack on the WPA-Personal PMK is included in the aircrack-ng
suite by the Aircrack group [30] and is also carefully described in its online tutorial
[31]. The attacker can choose any password dictionary he can find on the Internet.
To perform such an attack, the attacker needs a wireless network card with a
patched driver to capture and inject packets. The attacker intentionally injects
de-authentication requests to force a client (station) to re-authenticate, starting the
4-way handshake all over again. At this point, the aircrack-ng tool captures and
stores the handshake messages to a file, then runs a password dictionary to
brute-force the password. Depending on the speed of the attacker's computer and
the size of the dictionary, the whole process can take a long time, even days [31]. If
the password is randomly chosen and is not included in any password dictionary,
the attack fails.
This dictionary attack works on both TKIP and CCMP in WPA-Personal, because it
exploits the naive configuration by network users rather than the cryptographic
algorithms.
3.2 WPA TKIP chop-chop attack
In 2008, M. Beck and E. Tews developed a chop-chop variant on TKIP [6]. This
attack can succeed when the following conditions are satisfied: 1) the attacked
network uses TKIP; 2) it is configured to support IEEE 802.11e Quality of Service
(QoS) [1]; and 3) most of the address bytes in its IP range [32] are known to the
attacker, e.g. 192.168.1.x.
As stated in sub-section 2.4.2, WPA TKIP deploys two countermeasures against
attacks. With the first one, a packet failing the ICV check is silently discarded, while
a failed MIC check is reported by the station; two MIC failures within 60 seconds
cause both parties to de-authenticate each other. The second countermeasure
eliminates replay attacks by means of a sequence counter. The following are the
techniques that Beck and Tews used to overcome these countermeasures in their
chop-chop scheme.
Similar to the original WEP chop-chop attack, adversaries iteratively guess each last
byte by chopping one byte from the ciphertext and then adding a polynomial to the
truncated version. If the guess is wrong, the ICV check fails and the message is
simply discarded. If it is correct, the ICV check passes but a MIC failure is detected,
since the message was indeed modified. In other words, adversaries receive a MIC
failure notification only when the guess of the last byte is correct; otherwise
everything stays silent. Adversaries exploit this property to use the chop-chop
attack, as in WEP, on messages from access points to stations. As soon as the
station reports a MIC failure, the attackers know that their guess is correct and then
wait at least 60 seconds before continuing with the chop-chop on the next byte.
According to the authors, within around 12 minutes, the last 12 bytes (8 bytes of
MIC and 4 bytes of ICV) can be decrypted.
The remaining unknown bytes can be guessed and checked against the ICV. This is
only feasible if the number of unknown bytes is very limited. Therefore attackers
often apply such an attack to an Address Resolution Protocol (ARP) [33] request
message, in which normally only the last bytes of the two IP addresses are
unpredictable¹.
Once all bytes of the plaintext are known, the key stream can be obtained by
bitwise adding (XORing) the plaintext to the ciphertext. As for the MIC key, the
MICHAEL [1] message integrity algorithm was not designed to be a one-way
function; it only consists of rather simple operations: shift, XOR and AND.
According to [6], an attacker can simply invert all of its steps to uncover the MIC
key from the MIC value and the plaintext. Subsequently, attackers are able to send
a custom packet to the station using the key stream and MIC key just derived. At
this point, to overcome the second countermeasure, which prevents replay attacks,
attackers can send their chosen packets on other QoS channels, where the TKIP
sequence counters are still lower than the one of the broken packet. In practice,
access points often send packets on only one channel, leaving the other channels
free to be exploited.
Despite its success, the TKIP chop-chop attack described above still has some
limitations. First, it is applied mostly to ARP request packets, meaning that each
attack only yields a 28-byte key stream, which is rather short. Second, the number
of ARP packets is also limited, so the number of key streams that attackers can gain
is limited too. Third, because only the station triggers MIC failure reports, the
attack can only be applied to packets sent from the access point to stations. Last but
not least, this TKIP chop-chop attack is only possible when the access point enables
the QoS feature, which is not always the case.
3.3 WPA TKIP Enhanced chop-chop attack
Beck, one of the two authors of the TKIP chop-chop attack, published a further
developed variant in [7]. It makes use of the fact that each IP packet has 12
guessable bytes at the beginning of its header, giving the attacker a 12-byte key
stream. Considering the huge number of IP packets in traffic, the number of 12-byte
key streams that can be derived is almost unlimited.
¹ As explained in sub-section 2.3.2, the first six bytes of every ARP packet are often
0x00, 0x01, 0x08, 0x00, 0x06 and 0x04. The next two bytes are 0x00 and 0x01,
indicating that the type of this ARP packet is Request. The following bytes are the
MAC addresses of the sender and the receiver, which are also included in the
unencrypted MAC header, and the IP addresses of the two parties, which are for
example 192.168.1.x, i.e. only the last byte of each address is unknown.
Another concept is exploited within the scope of this attack approach:
fragmentation, as described in 9.4 of [1]. In general, an MSDU can be fragmented
into multiple MPDUs (i.e. fragments) before being transmitted. On the receiver
side, all fragments are reassembled into the single original data unit. Each fragment
should be of equal length and have an even number of bytes, except for the last
fragment, which can be shorter than the others and have either an odd or an even
number of bytes.
Based on that, a technique called fragmentation attack is deployed: each 12-byte
key stream derived from the previous step is used to encrypt a fragment (8 data
bytes, 4 ICV bytes) of a Transmission Control Protocol synchronize (TCP-SYN)
MSDU packet [3]. It requires 7 key streams in total for the whole TCP-SYN packet.
Up to that point, the attacker can spoof a client (Station B in Figure 3.1) to send a
TCP-SYN to Station A. Station A then responds a TCP SYN/ACK packet to the
spoofed Station B. Because Station B in fact did not originate the TCP-SYN but
received the TCP-SYN/ACK, it sends back TCP Reset (TCP-RST) [3] to Station A,
which is finally captured by the waiting attacker. The attacker then exploits a
feature in many stations running Linux operating system that all the bytes of TCP-
RST can be guessed completely [7]. As a consequence, a new key stream of 60 bytes
is obtained. The attacker can then encrypt another TCP-SYN packet (without
fragmentation) and send it to 7 other QoS channels where TKIP sequence counters
are still lower, and gain 7 other 60-byte key streams from TCP-RST in return.
Figure 3.1: Enhanced TKIP attack – Local TCP scan (figure not reproduced; it shows the TCP SYN, TCP SYN/ACK and TCP RST exchange between the stations)
In case the system in use (Station B in Figure 2.15) is not Linux, the attacker can
implement another scenario with a minor change: the TCP-SYN packet is sent toward a
remote system controlled by the attacker. The process also starts with the attacker
sending a TCP-SYN to Station A under the spoofed address of the attacker's remote
system. Station A responds with a TCP-SYN/ACK to the spoofed remote system. At that
point, the remote system intentionally sends back a TCP-ACK, which is known to the
attacker. This TCP-ACK is finally encrypted with the key of the local system being
attacked. Thereby, the unknown key stream of the current system is disclosed.
Figure 3.2: Enhanced TKIP attack – Remote TCP scan
3.4 WPA TKIP Message Falsification attack
Based on Beck and Tews’ TKIP chop-chop attack, Ohigashi and Morii developed
another attack scenario [34] [35], called Message Falsification attack. One big
disadvantage of the original Beck-Tews attack is that it only works on networks
which enable the Quality of Service extension feature. The Message Falsification
attack overcomes that limit by deploying a man-in-the-middle scenario to extend
its application to any WPA network.
Firstly, the attackers place their computer in between the access point and the
station, acting like a repeater between the two. It is mandatory that the access point
and the station cannot communicate directly: either they are out of each other's
wireless coverage, or the attacker overpowers both of them. All communications
between the access point and the station are relayed by the attacker, i.e. the man-in-
the-middle. Such a scenario has an initial drawback: when the attacker relays a
packet from one side to the other, because normal antennas in wireless cards are
omni-directional, the original sender will also receive a copy of the packet it just
sent. The sender can therefore detect the relay scenario. To blind the sender, this
attack proposes to use a directional antenna.
The attacker's computer then works in three different modes: Repeater mode, MIC
key recovery mode, and Message falsification mode. In Repeater mode, the attacker
does nothing but relay the packets between the two parties. Its only purpose is
to avoid a blackout in the communication session.
At certain moments, the attacker switches to MIC key recovery mode, performing
the original Beck-Tews chop-chop scenario to obtain the MIC key and ICV
checksum. An example of a suitable moment to run this mode is when most packets
are Address Resolution Protocol (ARP) packets, which both satisfy the condition
for the chop-chop scenario and minimize the impact of the communication blackout. In
case an important packet arrives in the middle of MIC key recovery mode, this
mode is interrupted and the attacker switches back to Repeater mode, in order to
avoid being detected.
When the keys are successfully retrieved, the attacker enters Message falsification
mode, falsifying an encrypted packet with the keys just derived.
In addition to the man-in-the-middle setup, the authors also present a probabilistic
approach to reduce the attack time. While in the original Beck-Tews attack all four
bytes of the ICV checksum are recovered by chop-chop, in this scenario only the last
byte of the ICV is derived. In the case of an 8-byte MIC value and with the assumption
that the MIC key is uniformly distributed, the success rate is 37% [34]. It is lower than
the 100% of the original attack, but it greatly reduces the time from four minutes to
one minute in the best case.
Figure 3.3: Message falsification man-in-the-middle attack
3.5 Conclusion
Over the years, several attack scenarios on WPA were developed. Except for the
dictionary attack, the others are all based on chop-chop and focus only on TKIP. No
attack scheme on CCMP has been found. There is so far not much interest in
breaking other aspects of the IEEE 802.11 WPA standard, e.g. the 4-way handshake or
Group Key handshake messages. There are important components in these
handshake processes: the nonce values, which are supposed to be used only once.
Chapter 4: Randomness in Wi-Fi Protected Access
In chapter 2, we already saw that Temporal Key Integrity Protocol (TKIP), Counter
Mode with CBC-MAC Protocol (CCMP), and 4-way handshake messages are
critical components of WPA security. There have been different efforts to analyze
the weaknesses of WPA. Breaking CCMP is most likely infeasible, whereas
cryptographers have studied TKIP for years and already found different attack
schemes, some of which were presented in chapter 3. The 4-way handshake is
important for session key establishment, but there has not been much
investigation of its security. It will be clarified in this chapter that the security of 4-
way handshake messages depends heavily on their nonces; in particular, the nonce
initialization values (IV) must be random.
4.1 Randomness overview
Random numbers are frequently used in cryptography and network protocols,
playing a vital role in their security. This section gives the definition of randomness
and some of its applications. Afterwards, general requirements on random
numbers and their generation are investigated.
4.1.1 Definition and Examples
According to [2] and [36], randomness of a sequence of values means that the probability
of any particular value in the sequence being selected must be sufficiently small,
given that all the values are uniformly distributed and independent of each other.
Randomness has a wide range of applications. Regarding entity authentication,
random numbers are sometimes used as the challenge in a challenge – response
scenario, precluding the risk of replay attacks.
For various Public Key Cryptography algorithms, random numbers are critical to
the generation of both public and private keys. For instance, in the RSA algorithm
[37], two random numbers p and q are used to generate both the public and the private
key.
4.1.2 General requirements
One important property of randomness is forward unpredictability, i.e. the next
element in the sequence cannot be predicted regardless of any knowledge of
previous elements. The sequence should also assure backward unpredictability:
knowledge of generated values cannot expose information about the seed value
used to generate the sequence. Because the mathematical algorithms for random
number generation are often publicly known [36], if the seed is predictable or
exposed by accident, adversaries can easily calculate the output sequence.
Since adversaries often try brute force, their success rate should be minimized
by sizing the search space large enough. For example, when the key space of a
cryptographic algorithm is 2^128, attackers have to try 2^127 possibilities on average
before obtaining the correct key [2]. Replay and pre-computation risks should also
be eliminated by avoiding the repetition of numbers in the sequence.
The realization of random number generation also plays an important role. For
example, some generation algorithms can output strong randomness, but they are
hard or expensive to implement in hardware. Hardware realization has been a big
challenge for random number generation, and it is indeed one of the main reasons
behind the flawed commercial hardware products in wireless security, making them
attractive to attackers.
4.1.3 Random numbers generation
A random number sequence can be generated in two ways: by a Random Number
Generator (RNG) or by a Pseudo Random Number Generator (PRNG).
A Random Number Generator [36] utilizes a non-deterministic source (i.e. a high
entropy source), and optionally a function for further processing, to produce random
numbers. The entropy source typically stems from physical phenomena, e.g. noise
in electrical circuits, mouse movement, quantum effects in semiconductors, etc. For
cryptographic applications, the RNG's output should be unpredictable. However, some
physical sources are somewhat predictable, such as time. In such a case, a
combination of different physical sources is used as Random Number Generator
input.
In practice, the generation of high quality random sequences from entropy sources
is difficult and time consuming. Therefore, a Pseudo Random Number Generator
(PRNG) [36] is preferred to generate large quantities of random numbers. A PRNG
feeds a seed into a pseudo random function. The seeds in turn must also be random
and unpredictable; hence they are often generated by a Random Number Generator.
In other words, one uses an RNG to generate a random seed, which in turn is used in
a PRNG to generate a pseudo-random number sequence.
In general, the pseudo random function in PRNG is a deterministic function, i.e.
true randomness totally depends on the seed. If a PRNG initializes with the same
seed twice, and there is no other input, it always produces two identical sequences.
The deterministic nature of the generation function leads to the prefix “pseudo
random”.
Sometimes pseudo random functions are not used in their strictest sense. For
example, in communication protocols session keys are derived with a pre-shared key
as input, which is (hopefully) unpredictable but not random. In such a case, the
function would produce the same key for all sessions if the pre-shared key is unchanged.
For those protocols, an additional salt input is added to the pseudo random
function to pseudo-randomize the output session keys. The salt value must be used
only once; such a value is known as a nonce.
In practice, to assure backward unpredictability, a PRNG also often applies a one-
way function as the pseudo random function [2]. It guarantees that, regardless of
which output numbers are obtained, the function cannot be inverted to get the seed
value. As stated in 5.3 of [2], examples of suitable one-way functions are
cryptographic hash functions such as HMAC-SHA-1 [9], or block ciphers such as AES
[24].
4.2 Randomness in Wi-Fi Protected Access
WPA, like many other security protocols, needs random numbers. It is already
clarified in chapter 2 that WPA generates pair-wise and group session keys for
different communication sessions, instead of using one single secret pre-shared key
every time. Those session keys are randomized by a pseudo random function, with
the secret key and some nonce values as inputs.
4.2.1 Nonce and Nonce IV values
The pair-wise and group session keys are generated in 4-way handshake and
Group Key handshake by two pseudo random functions, which are defined in
section 8.5.1.1 of [1]:
PTK = PRF-X(PMK, "Pairwise key expansion", Min(AP_MAC, STA_MAC) || Max(AP_MAC, STA_MAC) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
GTK = PRF-X(GMK, "Group key expansion", AP_MAC || GNonce)
(4.1)
Here X is the number of bits of each session key, "Pairwise key expansion"
and "Group key expansion" are two text strings, and ANonce, SNonce and GNonce are
32-byte nonce values. ANonce and SNonce are transmitted in clear text, allowing attackers to
capture them. SNonce is generated by the station, while the other two are generated by
the access point. SNonce is not of interest in this thesis, because normally the
attackers can choose SNonce themselves. GNonce is chosen locally at the access
point and is not transmitted. Instead the access point derives the GTK, which is transmitted
in ciphertext to the station. Therefore capturing and investigating GNonce is
impossible. This thesis project focuses on analyzing ANonce, which is frequently
generated to authenticate network stations.
The inputs of those pseudo random functions are two components: the secret
master keys and the nonce values. Master keys are not random at all, but secret,
whereas the nonce values must be used only once, otherwise output session keys
could be reused. For each nonce to be used only once, the IEEE 802.11 working
group recommends that the nonce sequence be initialized to a random
initialization value (IV) during each system boot-up, and that succeeding values be
incremented. In section 8.5.7 of the standard [1], the recommended algorithm to
generate nonce IVs is described as follows:
Nonce = PRF-256(Random number, "Init Counter", Local MAC address || Time)
(4.2)
"Init Counter" is a string. Time is the current Network or Local time, depending on
which is available. Random number is a highly random seed value, which is often
generated from a physical high entropy source, but hidden and not easy to discover.
The resulting nonce IVs should be sufficiently random and also be separated sufficiently
far from each other to avoid overlap between nonce sequences. In brief, the
randomness of the nonce IVs determines the quality of the nonce sequences and hence
guarantees that output session keys are never reused.
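As an added worked example of equations (4.1) and (4.2), and of the HMAC-SHA-1 based one-way function mentioned in section 4.1.3, the following Python code (written for this page; it is not the thesis's own C program) implements PRF-X as specified in IEEE 802.11i and uses it to derive a PTK and a nonce IV. The PMK, MAC addresses, nonce values and time field in the demo are constructed placeholders. Two properties are worth observing: the byte-wise Min/Max ordering makes the access point and the station compute the same PTK whichever side's values are listed first, and feeding the same ANonce and SNonce twice reproduces the same PTK exactly, which is the session key reuse that section 4.2.2 is concerned with.

```python
import hashlib
import hmac


def prf_x(key: bytes, label: str, data: bytes, bits: int) -> bytes:
    """IEEE 802.11i PRF-X built on HMAC-SHA-1.

    Output block i is HMAC-SHA-1(key, label || 0x00 || data || i). Blocks are
    concatenated until at least `bits` bits are available, then truncated.
    """
    if bits % 8 != 0:
        raise ValueError("bits must be a multiple of 8")
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        msg = label.encode("ascii") + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, bits: int = 512) -> bytes:
    """Equation (4.1): PTK from the PMK, both MAC addresses and both nonces.

    Min/Max are byte-wise (lexicographic) comparisons, so both parties obtain
    the same PTK regardless of which address or nonce is passed first.
    X = 512 bits for TKIP, 384 bits for CCMP.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_x(pmk, "Pairwise key expansion", data, bits)


def split_ptk(ptk: bytes):
    """First 48 bytes of a PTK: KCK (EAPOL MIC key), KEK, and the temporal key TK."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


def nonce_iv(random_seed: bytes, mac: bytes, time_bytes: bytes) -> bytes:
    """Equation (4.2): the recommended 32-byte nonce initialization value."""
    return prf_x(random_seed, "Init Counter", mac + time_bytes, 256)


def next_nonce(nonce: bytes) -> bytes:
    """Successor of a 32-byte nonce treated as a big-endian counter (wraps at 2^256)."""
    value = (int.from_bytes(nonce, "big") + 1) % (1 << 256)
    return value.to_bytes(32, "big")


if __name__ == "__main__":
    # Constructed demo inputs (not real key material).
    pmk = hashlib.sha256(b"constructed PMK for the demo").digest()
    ap_mac = bytes.fromhex("02000000aa01")      # constructed locally administered MAC
    sta_mac = bytes.fromhex("02000000bb02")     # constructed locally administered MAC
    seed = hashlib.sha256(b"constructed boot-time seed").digest()
    anonce = nonce_iv(seed, ap_mac, b"\x00" * 8)  # time field is a placeholder
    snonce = bytes(range(32, 64))               # constructed station nonce
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    kck, kek, tk = split_ptk(ptk)
    print("ANonce IV :", anonce.hex())
    print("next nonce:", next_nonce(anonce).hex())
    print("TK        :", tk.hex())
    # Same ANonce/SNonce pair again -> identical PTK (the reuse risk of 4.2.2).
    print("same PTK on repeat:", derive_ptk(pmk, sta_mac, ap_mac, snonce, anonce) == ptk)
```

The demo derives the ANonce IV with equation (4.2) and then the PTK with equation (4.1); swapping the order of the two MACs and the two nonces in the second call shows the Min/Max symmetry.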
4.2.2 The impacts of weak randomness
If the nonce IVs are not sufficiently random, i.e. they simply repeat one single value or
they are limited in range, repetition will occur after a relatively short time. Repetition
of either the nonce values or their IVs results in repetition of the output session keys,
leading to security risks.
Firstly, repetition facilitates replay attack. Session keys in the past will be identical
in the future sessions if the corresponding nonces are repeated. Attackers therefore
can replay messages in future sessions.
Secondly, in case a compromised session key in the past is repeated in a later
session, attackers can encrypt any chosen packets to send to the network. They can
decrypt valuable information in the packets being exchanged between the station
and the access point as well.
Thirdly, attackers may also replay handshake messages of previous sessions to
successfully get through the 4-way handshake without knowing the keys. This
consequence violates the requirement of key confirmation in the 4-way handshake.
Successfully passing the 4-way handshake gets attackers authenticated and associated
to the network. However, further investigation shows that there is no real problem
for the network security in such a case. Even when authenticated, attackers still do
not have the session keys PTK and GTK, and hence are unable to decrypt anything
useful. This situation has the same consequence as the man-in-the-middle attack on
4-way handshake messages.
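To make the repetition argument of this section concrete, here is an added Python audit routine (not from the thesis) of the kind one would run over ANonce values captured across access point reboots. It reports duplicate IVs, the byte positions that ever change in the sample (a constant prefix means the IV is limited in range), and the birthday-bound probability of a repeat one would expect if the IVs were uniformly random, both over the full 256 bits and over only the bytes observed to vary. The sample list is constructed for illustration and is not capture data.

```python
import math
from collections import Counter

# Constructed sample of six ANonce IVs (hex), as if captured after six reboots:
# a constant 30-byte prefix, only the last two bytes vary, and one value repeats.
PREFIX = bytes(range(30)).hex()
CAPTURED_ANONCES = [
    PREFIX + "0a1b",
    PREFIX + "3c4d",
    PREFIX + "0a1b",   # repeat of the first value
    PREFIX + "5e6f",
    PREFIX + "7a8b",
    PREFIX + "9c0d",
]


def find_repeats(nonces):
    """Map each repeated nonce (hex string) to the number of times it was seen."""
    return {n: c for n, c in Counter(nonces).items() if c > 1}


def varying_positions(nonces):
    """Byte positions at which more than one distinct value occurs in the sample."""
    rows = [bytes.fromhex(n) for n in nonces]
    if not rows:
        return []
    length = len(rows[0])
    return [i for i in range(length) if len({r[i] for r in rows}) > 1]


def collision_probability(samples, bits):
    """Birthday bound: probability of at least one repeat among `samples` values
    drawn uniformly from a space of 2**bits, i.e. 1 - exp(-n(n-1) / (2N))."""
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * 2 ** bits))


def audit_nonce_ivs(nonces):
    """Summarize the evidence of weak nonce IV randomness in a set of captured IVs."""
    positions = varying_positions(nonces)
    effective_bits = 8 * len(positions)
    n = len(nonces)
    return {
        "samples": n,
        "repeats": find_repeats(nonces),
        "varying_positions": positions,
        "effective_bits": effective_bits,
        # Expected if the IVs were uniformly random over all 256 bits (about 0
        # for any realistic sample size): a single repeat is strong evidence
        # that the generator is not behaving as section 4.2.1 recommends.
        "expected_collision_probability_full": collision_probability(n, 256),
        # Expected over only the bytes that were actually observed to vary.
        "expected_collision_probability_observed": collision_probability(n, effective_bits),
    }


if __name__ == "__main__":
    report = audit_nonce_ivs(CAPTURED_ANONCES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed sample the audit reports one duplicate, only positions 30 and 31 varying (16 effective bits), and a full-space collision probability of zero, so the observed repeat cannot be attributed to chance. The same routine applied to a few hundred IVs from a 16-bit effective space predicts roughly a 50% chance of a repeat, which is the regime in which the pre-computation scenario below becomes practical to the attacker and worth detecting for the defender.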
Another scenario would be the following: attackers collect all the possible values of the nonce IVs
and pre-compute relevant data, e.g. 4-way handshake messages, to store in a
database. Afterwards they intentionally interrupt the access point's power supply to
force it to reboot. When the new handshake starts with a nonce IV, attackers look
up the database and use the corresponding pre-computed data. This pre-
computation scenario might speed up attacks on 4-way handshake messages in the
future. In order for this scenario to be effective, attackers must be able to interfere
with the power supply of the access point, otherwise the database for