
FELK 19: Security of Wireless Networks*
Mario Čagalj
University of Split
2013/2014.

WiFi (In)Security, 2nd part: Vulnerabilities of WPA and WPA2
Assembled from different sources: Walker, Lehembre, Buttyan, ...
Produced by Mario Čagalj

Introduction: IEEE 802.11i

We have seen that WEP is critically flawed
IEEE 802.11i defined to properly secure wireless LANs (2004)
  Specifies robust security mechanisms for WLANs
  Defines Transition Security Network (TSN)
    Called WiFi-Protected Access (WPA) by WiFi-Alliance
    Based on new TKIP (that uses old RC4 like WEP)
    Backward compatibility (with old RC4-only hardware)
    IEEE 802.1X authentication framework
  More importantly defines a Robust Security Network (RSN)
    Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance
    Based on AES and optionally TKIP
    Also uses IEEE 802.1X authentication framework

Transition towards IEEE 802.11i

                                     IEEE 802.11b (WEP)          WPA                  IEEE 802.11i (WPA2)
Data confidentiality (encryption)    WEP (RC4)                   TKIP (RC4)           AES (optionally TKIP)
Data integrity                       WEP (RC4) + CRC             TKIP-MIC             AES-MAC (optionally TKIP-MIC)
Authentication and access control    Shared Key Authentication   IEEE 802.1X/EAP      IEEE 802.1X/EAP
                                                                 (+ EAP-TLS, LEAP)    (+ EAP-TLS, LEAP)

TKIP: Temporal Key Integrity Protocol
AES: Advanced Encryption Standard
MIC: Message Integrity Code
MAC: Message Authentication Code
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
LEAP: Light EAP (Cisco)

IEEE 802.1X authentication model in WiFi

[Figure: mobile client, AP with a controlled port and a free (open) port, LAN (Internet), authentication server]

Port-based Network Access Control
  The mobile client requests access to services (wants to connect to the network)
  The AP controls access to services (controlled port)
  Authentication server (AS)
    The mobile client and the AS authenticate each other
    The AS informs the AP that it may open the controlled port for the mobile

Vulnerabilities of home networks

Operational phases of IEEE 802.11i: home and ad hoc networks

Authentication server is not present
  Authentication based on a shared key (Pre-Shared Key, PSK)

[Figure: phases between the mobile client (M) and the access point (AP), with PSK used instead of PMK]
  Security capabilities discovery
  IEEE 802.1X key management (PSK/PTK check, 4-way handshake)
  Data protection (TKIP, CCMP/AES)

Key derivation and distribution

PTK (Pairwise Transient Key) unique for this M and this AP

[Figure: key derivation and distribution. Source: Guillaume Lehembre, hakin9 6/2005]

IEEE 802.11i: Pre-Shared Key (PSK)

No explicit authentication!
  The IEEE 802.1X authentication exchange absent
  Usually a single pre-shared key for entire network
Password-to-Key Mapping
  Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password
  PMK = PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)
  Salt = SSID, so PSK different for different SSIDs
  4096 is the number of hashes used in this process

4-Way Handshake (over a radio channel)

PTK = EAPoL-PRF(PSK, ANonce | SNonce | AP MAC Addr | M's MAC Addr)

[Figure: 4-way handshake producing the PTK. Source: Guillaume Lehembre, hakin9 6]

Vulnerabilities of 4-way handshake (1/3)

Affects both WPA and WPA2
Password-to-Key Mapping
  Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password
  PMK = PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)
  Salt = SSID, so PSK different for different SSIDs
  4096 is the number of hashes used in this process
  Password length between 8 and 63 printable ASCII characters
Vulnerability
  The PTK used in 4-way handshake derived from PSK and PSK=f(PWD)
  4-way handshake protected with PTK
  4-way handshake messages transmitted over a public radio channel

Vulnerabilities of 4-way handshake (2/3)

The strength of PTK relies on the PSK
  which effectively means on the strength of the password PWD
Offline brute-force and dictionary attacks possible
  1. attacker captures (records) 4-way handshake (only first 2 messages; why?)
  2. attacker performs brute-force or dictionary attacks (at home)
     1. guesses or reads from the dictionary the candidate PWDtest
     2. calculates
        PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256)
        PTKtest = EAPoL-PRF(PSKtest, ANonce | SNonce | AP MAC Addr | M's MAC Addr)
        PTKtest gives KCKtest (used for message authentication in 4-way handshake)
        MICtest = MAC(KCKtest, public info)
     3. if (MICtest==MICcaptured) output PWDtest as the password guess
        else go to 1.
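
Why the recorded handshake acts as a password verifier, as an added example that is not part of the original slides: the MIC of message 2 is recomputed the way the AP checks it. It follows the IEEE 802.11i PRF (label "Pairwise key expansion", addresses and nonces ordered min/max, KCK = first 16 bytes of the PTK, HMAC-SHA1-128 MIC as in WPA2); the SSID, passphrases, MAC addresses, nonces and frame bytes are constructed.

```python
import hashlib
import hmac

def derive_psk(passphrase: str, ssid: str) -> bytes:
    # PSK = PBKDF2(Password, SSID, SSIDlength, 4096, 256), HMAC-SHA1 inside
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label | 0x00 | data | counter)
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_kck(psk, anonce, snonce, ap_mac, sta_mac) -> bytes:
    # PTK = PRF(PSK, "Pairwise key expansion", MACs | nonces); KCK = PTK[0:16]
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(psk, b"Pairwise key expansion", data, 48)[:16]

def message2_mic(passphrase, ssid, anonce, snonce, ap_mac, sta_mac, frame) -> bytes:
    # MIC = first 16 bytes of HMAC-SHA1(KCK, EAPOL-Key frame with zeroed MIC field)
    kck = derive_kck(derive_psk(passphrase, ssid), anonce, snonce, ap_mac, sta_mac)
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def ap_accepts(passphrase, ssid, anonce, snonce, ap_mac, sta_mac, frame, mic) -> bool:
    # The AP recomputes the MIC from its own copy of the passphrase and compares.
    expected = message2_mic(passphrase, ssid, anonce, snonce, ap_mac, sta_mac, frame)
    return hmac.compare_digest(expected, mic)

# Constructed values. ANonce travels in message 1, SNonce and the MIC in message 2.
SSID = "example-net"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
FRAME2 = b"constructed EAPOL-Key message 2, MIC field zeroed" + SNONCE
MIC_SENT = message2_mic("correct horse 42", SSID, ANONCE, SNONCE, AP_MAC, STA_MAC, FRAME2)

if __name__ == "__main__":
    on_air = (SSID, ANONCE, SNONCE, AP_MAC, STA_MAC, FRAME2, MIC_SENT)
    print(ap_accepts("correct horse 42", *on_air))
    print(ap_accepts("wrong password", *on_air))
```

Every argument of ap_accepts except the passphrase is transmitted in the clear, so the entropy of the passphrase is the only thing protecting the PSK once a handshake has been recorded.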

Vulnerabilities of 4-way handshake (3/3)

How to capture the 4-way handshake?
  1. Enter the monitoring mode
  2. Discover nearby networks and associated clients
     MAC addresses, WPA or WPA2, SSID
  3. Disassociate clients to force them to run the 4-way handshake again
     Use fake disassociation control packets (not protected by IEEE 802.11i)
  4. Record the new 4-way handshake
     e.g., using Aireplay
  5. Go home and launch a dictionary attack
     Aircrack

Attack complexity

Depends on the entropy of passwords
  Weak passwords easy to crack
  Strong passwords
    E.g., a random passphrase of 13 characters (selected from the set of 95 permitted characters) gives 95^13 ≈ 2^85
Slow hashing algorithm (PBKDF2 involves many iterations of HMAC-SHA1)
  PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)
  In practice PBKDF2 forces the attacker to iterate SHA1 16,000 times
  Increases the attacker's cost (the time to test a single pwd)
  E.g., slowing down the attacker by a factor of 3650 implies that the effort of 1 day increases to 3650 days (10 years)
Unfortunately, people do not select 13 random characters!

Speeding up the dictionary attack

Recall the dictionary attack
  1. attacker captures (records) 4-way handshake
  2. attacker performs dictionary attacks (at home)
     1. reads from the dictionary the candidate PWDtest
     2. calculates
        PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256)   <-- This part is slow
        PTKtest = EAPoL-PRF(PSKtest, ANonce | SNonce | AP MAC Addr | M's MAC Addr)
        PTKtest gives KCKtest (used for message authentication in 4-way handshake)
        MICtest = MAC(KCKtest, public info)
     3. if (MICtest==MICcaptured) output PWDtest as the password guess
        else go to 1.

Speeding up the dictionary attack

Pre-compute the slow part (before attacking) and re-use against many networks
  PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256)
  Observe, nothing specific about the current session
Where can the attacker re-use the pre-computed data?
  With networks sharing the same SSID
How much data does the attacker have to store?
  It depends on the concrete attack implementation and targeted success probability
  E.g. 100,000,000 passwords of average length 10 chars (letters and numbers) -> 2^32 B, i.e. about 4 GB

Securing against the dictionary attacks

To secure your network against these pre-computed dictionaries make sure that
  Your SSID is unique (does not appear in the existing tables)
  Your PWD is strong enough (sufficiently long and random :-)
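
The two conditions above, checked for one's own network, as an added example that is not part of the original slides: because the SSID is the PBKDF2 salt, a table pre-computed for one SSID yields nothing for another. The wordlist, SSIDs and passphrases are constructed, and the 13-character threshold is an assumption taken from the "Attack complexity" slide.

```python
import hashlib
import math

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(Password, SSID, SSIDlength, 4096, 256), HMAC-SHA1 inside."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)

def build_table(ssid, wordlist):
    """The pre-computed slow part: PSK -> password, valid for this SSID only."""
    return {derive_psk(word, ssid): word for word in wordlist}

def entropy_bits(length: int, alphabet: int = 95) -> float:
    """Search space, in bits, of a uniformly random passphrase."""
    return length * math.log2(alphabet)

def audit(ssid, passphrase, tables):
    """Check one network against the two conditions on the slide."""
    findings = []
    if ssid in tables:
        findings.append("SSID has a pre-computed table")
        if derive_psk(passphrase, ssid) in tables[ssid]:
            findings.append("PSK found by table lookup")
    if len(passphrase) < 13:  # assumption: threshold from the 13-character example
        findings.append("at most %.0f bits even if random" % entropy_bits(len(passphrase)))
    return findings

# Constructed sample data: a tiny wordlist and one table for a common SSID.
WORDLIST = ["password1", "12345678", "qwertyuiop"]
TABLES = {"linksys": build_table("linksys", WORDLIST)}

if __name__ == "__main__":
    print(audit("linksys", "password1", TABLES))
    print(audit("lab-7f3a", "password1", TABLES))
    print(audit("lab-7f3a", "v9#Lq2!xR7^mZ", TABLES))
```

A unique SSID only removes the pre-computation shortcut; a dictionary word on a unique SSID is still exposed to the per-network dictionary attack.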

Vulnerabilities of enterprise networks

IEEE 802.1X authentication model in WiFi

[Figure: mobile client, AP with a controlled port and a free (open) port, LAN (Internet), authentication server]

Port-based Network Access Control
  The mobile client requests access to services (wants to connect to the network)
  The AP controls access to services (controlled port)
  Authentication server (AS)
    The mobile client and the AS authenticate each other
    The AS informs the AP that it may open the controlled port for the mobile

Operational phases of IEEE 802.11i

[Figure: phases between the mobile client (M), the access point (AP) and the authentication server (AS)]
  Security capabilities discovery
  802.1X authentication
    Result: M and AS
    - generate the Master Key (MK)
    - derive the Pairwise MK (PMK)
  802.1X key management
    Result: M and AP
    - verify the PMK
    - derive the Pairwise Transient Key (PTK)
    - PTK bound to this M and this AP
  Distribution of the PMK key (e.g. via RADIUS)
  Data protection (TKIP, CCMP/AES)
CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol based on

Example: FESB WiFi (EAP-TTLS and PAP)

Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS)
  Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB)

[Figure: mobile client (M) <--no trust--> access point (AP) <--trust--> TTLS server <--trust--> authentication server (AS), with a <--certificate--> arrow; message flow:]
  Establishing an authentication TLS tunnel
  TLS protected authentication
  Authentication
  WLAN master session key
  Data traffic on secured link

Example: FESB WiFi (EAP-TTLS and PAP)

Validation of the authentication server based on certificate validation
  Trusted issuing authority, matching certificate owner's Common Name (CN)
  Many PEAP (EAP-TTLS) deployments fail to properly deploy
Malicious authentication server gains access to inner authentication methods
  PEAP: MS-CHAPv2
  TTLS: MS-CHAPv2, CHAP, PAP, etc.

[Figure: mobile client (M) <--no trust--> access point (AP) <--trust--> TTLS server <--trust-->, labelled "controlled by the attacker (Rogue AP)"; message flow:]
  Establishing an authentication TLS tunnel with the rogue AuthSrv
  TLS protected inner authentication
  Record session

How to properly set up PEAP-like authentication methods

PEAP: Pwned Extensible Authentication Protocol
by Joshua Wright and Brad Antoniewicz, ShmooCon 2008
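
One way to check supplicant profiles for the server-validation gap described on the previous slides, as an added example (not from the original slides or from the Wright and Antoniewicz talk): it assumes wpa_supplicant-style network blocks, and the sample configuration, file path and host name are constructed.

```python
import re

NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf_text):
    """Return every network={...} block of a wpa_supplicant.conf as a dict."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit_network(net):
    """List the server-validation gaps of one PEAP/EAP-TTLS profile."""
    findings = []
    if not {"PEAP", "TTLS"} & set(net.get("eap", "").split()):
        return findings
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no trusted issuing authority (ca_cert) configured")
    if not any(key in net for key in NAME_CHECKS):
        findings.append("server certificate name is not checked")
    if findings and net.get("phase2", "").upper() == "AUTH=PAP":
        findings.append("inner PAP would hand the plaintext password to a rogue server")
    return findings

# Constructed sample configuration: the same network, weak and corrected.
SAMPLE_CONF = """
network={
    ssid="campus"
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="campus"
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
"""

def audit_conf(conf_text):
    return [audit_network(net) for net in parse_networks(conf_text)]
```

The first block reports all three findings and the second none, although both use the same inner method.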

Wi-Fi Protected Setup (WPS) Insecurities (home nets again)

A standard that attempts to allow easy establishment of a secure wireless home network
The standard allows four usage modes aimed at a home network user adding a new device to the network:
  PIN Method (e.g., enter the PIN on AP into the client)
  Push-Button-Method (a user simultaneously pushes a button on the AP and the client)
  Near-Field-Communication Method (bring the client close to the AP)
  USB Method
In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks
  A successful attack on WPS allows unauthorized parties to gain access to the network
  The only effective workaround is to disable WPS
    Impossible on some APs
