WIFI SECURITY · jamik/dm557-19/material/Lecture-13a.pdf

ENCRYPTION REVISITED
We have covered encryption of characters and of blocks.
But what about security if two identical k-bit blocks are encrypted to the same ciphertext?
We need some randomness, so that identical blocks encrypt differently.

CIPHER BLOCK CHAINING
To keep two identical k-bit blocks from being encrypted the same, we need some randomness, so that identical blocks encrypt differently.
Let m(i) denote the ith plaintext block
Let c(i) denote the ith ciphertext block
Let a ⊕ b denote the XOR of a and b
Let KS denote the encryption algorithm with key S

CIPHER BLOCK CHAINING
Basic idea: The sender creates a random k-bit number r(i) for the ith block and calculates: c(i) = KS(m(i) ⊕ r(i))
The sender then sends: c(1), r(1), c(2), r(2), c(3), r(3), …
The receiver can now calculate: m(i) = KS(c(i)) ⊕ r(i)
Although r(i) is sent in the clear, Trudy cannot obtain m(i), as she does not know KS
Problem: Must transmit twice the number of bits.

CIPHER BLOCK CHAINING
Basic idea: Cipher Block Chaining
Send only one random value along with the very first message, and then have the sender and receiver use the computed code blocks in place of the subsequent random number.

CIPHER BLOCK CHAINING
CBC operates as follows:
Before encrypting the message, the sender generates a random k-bit string, the Initialization Vector (IV). The sender sends the IV in cleartext. Let c(0) denote the IV.
For the first block, the sender calculates m(1) ⊕ c(0) and encrypts it with the key: c(1) = KS(m(1) ⊕ c(0))
For the ith block, the sender generates the ith ciphertext block from c(i) = KS(m(i) ⊕ c(i-1))

CIPHER BLOCK CHAINING
Consequences:
The receiver can still decrypt the original message: m(i) = KS(c(i)) ⊕ c(i-1)
Even if two cleartext blocks are identical, the corresponding ciphertexts will (almost always) be different.
Only one overhead block
Issue: If one block is missing, the blocks following it cannot be decrypted.
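
Added example (not from the lecture): CBC as defined on the slides above, next to unchained block-by-block encryption, showing that identical plaintext blocks stop producing identical ciphertext once each block is XORed with the previous ciphertext block. KS is stood in for by a toy 64-bit Feistel cipher built on SHA-256, an assumption made only so the example runs with the Python standard library; all function names are illustrative.

```python
import hashlib
import os

BLOCK = 8  # k = 64 bits per block; toy size chosen for this example


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of a toy Feistel cipher standing in for KS (not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def ks_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def ks_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> list:
    # No chaining: c(i) = KS(m(i)), so equal plaintext blocks give equal ciphertext.
    return [ks_encrypt(key, plaintext[o : o + BLOCK])
            for o in range(0, len(plaintext), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    # c(0) = IV, c(i) = KS(m(i) XOR c(i-1)); returns [c(0), c(1), ...].
    if len(iv) != BLOCK or len(plaintext) % BLOCK:
        raise ValueError("example handles whole blocks only (no padding)")
    blocks = [iv]
    for o in range(0, len(plaintext), BLOCK):
        blocks.append(ks_encrypt(key, _xor(plaintext[o : o + BLOCK], blocks[-1])))
    return blocks


def cbc_decrypt(key: bytes, blocks: list) -> bytes:
    # m(i) = KS^-1(c(i)) XOR c(i-1): needs only the key and the previous ciphertext block.
    return b"".join(_xor(ks_decrypt(key, c), prev)
                    for prev, c in zip(blocks, blocks[1:]))


if __name__ == "__main__":
    key = b"constructed demo key"
    message = b"HTTP/1.1" * 3  # three identical 8-byte blocks (constructed)
    print("ECB:", [c.hex() for c in ecb_encrypt(key, message)])
    sent = cbc_encrypt(key, os.urandom(BLOCK), message)
    print("CBC:", [c.hex() for c in sent[1:]], "IV:", sent[0].hex())
    print("decrypted:", cbc_decrypt(key, sent))
```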

SECURING WIRELESS LANS

WEP DESIGN GOALS
Symmetric key crypto
Confidentiality
End host authorization
Data integrity
Self-synchronizing: each packet separately encrypted
  given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers)
Efficient
  implementable in hardware or software

SYMMETRIC STREAM CIPHERS

RC4 - RIVEST CIPHER 4
RC4 generates a pseudorandom stream of bits (a keystream).
RC4 was designed by Ron Rivest of RSA Security in 1987. Initially a trade secret.
RC4 (also known as ARC4 or ARCFOUR, meaning Alleged RC4) is the most widely used software stream cipher
Simple and fast
Vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used

RC4 - RIVEST CIPHER 4
Makes use of a secret internal state which consists of two parts:
  A permutation of all 256 possible bytes.
  Two 8-bit index-pointers
The permutation is initialized with a variable-length key, typically between 40 and 256 bits, using the key-scheduling algorithm (KSA).
The stream of bits is generated using the pseudo-random generation algorithm (PRGA).

RC4 - RIVEST CIPHER 4
Notes:
Variations exist
Does suffer from some vulnerabilities

RC4 - RIVEST CIPHER 4
Key-scheduling algorithm (KSA)
for i from 0 to 255
    S[i] := i
endfor
j := 0
for i from 0 to 255
    j := (j + S[i] + key[i mod keylength]) mod 256
    swap values of S[i] and S[j]
endfor

RC4 - RIVEST CIPHER 4
Pseudo-random generation algorithm (PRGA)
i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap values of S[i] and S[j]
    K := S[(S[i] + S[j]) mod 256]
    output K
endwhile

STREAM CIPHER AND PACKET INDEPENDENCE
Recall design goal: each packet separately encrypted
If, for frame n+1, we use the keystream from where we left off for frame n, then each frame is not separately encrypted
  need to know where we left off for packet n
WEP approach: initialize keystream with key + new IV for each packet:

WEP ENCRYPTION

WEP ENCRYPTION
sender calculates Integrity Check Value (ICV) over data
  four-byte hash/CRC for data integrity
each side has 104-bit shared key
sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key
sender also appends keyID (in 8-bit field)
128-bit key inputted into pseudo random number generator to get keystream

WEP ENCRYPTION
data in frame + ICV is encrypted with RC4:
B bytes of keystream are XORed with bytes of data and ICV
IV and keyID are appended to encrypted data to create payload
payload inserted into 802.11 frame

WEP ENCRYPTION

WEP DECRYPTION OVERVIEW
receiver extracts IV
inputs IV, shared secret key into pseudo random generator, gets keystream
XORs keystream with encrypted data to decrypt data + ICV
verifies integrity of data with ICV
note: message integrity approach used here is different from MAC (message authentication code) and signatures (using PKI).

END-POINT AUTHENTICATION W/ NONCE
Nonce: number R used only once-in-a-lifetime
How to prove Alice “live”: Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key

WEP AUTHENTICATION
Notes:
not all APs do it, even if WEP is being used
AP indicates if authentication is necessary in beacon frame
done before association

BREAKING 802.11 WEP ENCRYPTION

SECURITY HOLE
24-bit IV, one IV per frame → IVs eventually reused
IV transmitted in plaintext → IV reuse detected

ATTACK
Trudy causes Alice to encrypt known plaintext d_1 d_2 d_3 d_4 …
Trudy sees: c_i = d_i XOR k_i^IV
Trudy knows c_i and d_i, so can compute k_i^IV
Trudy knows encrypting key sequence k_1^IV k_2^IV k_3^IV …
Next time IV is used, Trudy can decrypt!
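
Added example (not from the lecture): WEP encapsulation as described on the WEP ENCRYPTION slides, built on the RC4 pseudocode above, together with the keystream recovery from the ATTACK slide, to show why a repeated IV voids confidentiality and how reuse shows up in the cleartext IV field. The key, IVs and frame contents are constructed, the payload layout (IV, keyID, ciphertext) is simplified, and all function names are illustrative.

```python
import struct
import zlib


def rc4_keystream(seed: bytes, n: int) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + S[i] + seed[i % len(seed)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))  # four-byte CRC-32


def wep_encrypt(key: bytes, iv: bytes, key_id: int, data: bytes) -> bytes:
    # Per-packet RC4 seed is IV || key (the IV comes first in 802.11 WEP).
    body = data + icv(data)
    return iv + bytes([key_id]) + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, payload: bytes) -> bytes:
    iv, body = payload[:3], payload[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, got = plain[:-4], plain[-4:]
    if icv(data) != got:
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(payload: bytes, known: bytes) -> bytes:
    # k_i^IV = c_i XOR d_i, for as many bytes as the known data plus its ICV covers.
    return xor(payload[4:], known + icv(known))


def reused_ivs(payloads: list) -> set:
    # IVs travel in cleartext, so reuse is visible to anyone who keeps count.
    seen, dup = set(), set()
    for p in payloads:
        (dup if p[:3] in seen else seen).add(p[:3])
    return dup


def demo():
    key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit key
    iv = b"\x00\x00\x2a"                                # constructed, used twice
    f1 = wep_encrypt(key, iv, 0, b"known plaintext d1 d2 d3 d4 ....")
    f2 = wep_encrypt(key, iv, 0, b"secret: meet at noon")
    f3 = wep_encrypt(key, b"\x00\x00\x2b", 0, b"secret: meet at noon")
    ks = keystream_from_known_plaintext(f1, b"known plaintext d1 d2 d3 d4 ....")
    # Same IV: the keystream lifted from f1 opens f2 without the key; f3 stays garbled.
    return xor(f2[4:], ks)[:-4], xor(f3[4:], ks)[:-4], reused_ivs([f1, f2, f3])


if __name__ == "__main__":
    print(demo())
```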

WPA2 - 802.11I

WPA2 802.11I: IMPROVED SECURITY
Numerous (stronger) forms of encryption possible
Provides key distribution
Can use authentication server separate from access point

WPA2 - NOTES
WPA implemented a subset of a draft of 802.11i.
The full 802.11i is referred to as WPA2
Also called RSN (Robust Security Network).
Advanced Encryption Standard (AES) block cipher
WEP and WPA use the RC4 stream cipher.

WPA2 - FOUR PHASES OF OPERATION

WPA2 - 4 WAY HANDSHAKE AND KEY GENERATION
AP Sends nonce, ANonce - random 128 bit

WPA2 - 4 WAY HANDSHAKE AND KEY GENERATION
Client makes random nonce SNonce
Client uses ANonce, SNonce, AP MAC, Client MAC, WPA2 Password (PMK) to generate PTK (Pairwise Transient Key)
MIC (Message Integrity Code) also includes ANonce

WPA2 - 4 WAY HANDSHAKE AND KEY GENERATION
AP uses ANonce, SNonce, AP MAC, Client MAC, WPA2 Password (PMK) to generate PTK.
Send Group Temporal Key (GTK) for broadcast, and MIC

WPA2 - 4 WAY HANDSHAKE AND KEY GENERATION
ACK of the keys
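
Added example (not from the lecture): the key derivation behind the four handshake messages above, with both sides computing the PTK from the PMK, the two MAC addresses and the two nonces, and the AP accepting the client only if the MIC on message 2 verifies. It assumes WPA2-Personal (PMK derived from the passphrase and SSID with PBKDF2) and a 48-byte CCMP PTK; the MAC addresses, nonces, SSID and message bytes are constructed stand-ins for real EAPOL-Key frames, and the function names are illustrative.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    # Inputs are sorted so that AP and client build the same string independently.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK for CCMP


def mic(ptk: bytes, message: bytes) -> bytes:
    # Keyed with the KCK (first 16 bytes of the PTK); HMAC-SHA1 truncated to 16 bytes.
    return hmac.new(ptk[:16], message, hashlib.sha1).digest()[:16]


def run_handshake(ap_passphrase: str, client_passphrase: str, ssid: str = "example-net"):
    """Return the shared PTK, or None if the AP rejects the client's MIC."""
    ap_mac = bytes.fromhex("020000000001")      # constructed addresses
    client_mac = bytes.fromhex("020000000002")
    # Fixed here for reproducibility; in a real handshake both nonces are random.
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # Message 1, AP -> client: ANonce.
    # Message 2, client -> AP: SNonce + MIC made with the client's PTK.
    client_ptk = derive_ptk(pmk_from_passphrase(client_passphrase, ssid),
                            ap_mac, client_mac, anonce, snonce)
    msg2 = b"msg2|" + snonce                    # stand-in for the EAPOL-Key frame
    msg2_mic = mic(client_ptk, msg2)
    # AP derives its own PTK from the same five inputs and checks the MIC.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid),
                        ap_mac, client_mac, anonce, snonce)
    if not hmac.compare_digest(mic(ap_ptk, msg2), msg2_mic):
        return None
    # Message 3, AP -> client: GTK + MIC; message 4: client ACKs (both omitted here).
    return ap_ptk


if __name__ == "__main__":
    print(run_handshake("correct horse battery", "correct horse battery").hex())
    print(run_handshake("correct horse battery", "wrong guess"))
```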

SECURITY PROBLEMS

KRACK ATTACK ON WPA2

KRACK ATTACK ON WPA2
Remember the 4 way Handshake

KRACK ATTACK ON WPA2
3rd message can be resent multiple times, causing a reset of transmission nonces.
As a result, the same encryption key is used with nonce values that have already been used in the past
Violates perfect forward secrecy
The reset causes all encryption protocols of WPA2 to reuse keystream when encrypting packets.
Keystream will decrypt all packets with same nonce.

KRACK ATTACK ON WPA2
https://www.krackattacks.com/
https://papers.mathyvanhoef.com/ccs2017.pdf

WIFI PROTECTED SETUP
WiFi Protected Setup (WPS)
Introduced by the Wi-Fi Alliance in 2006
Goal: Allow home users to set up Wi-Fi Protected Access easily
Make it easy to add a new device to an existing network.

WIFI PROTECTED SETUP
susceptible to a brute force attack
allows an attacker to know when the first half of the 8 digit PIN is correct
last digit of the PIN is known because it is a checksum for the PIN.
The number of attempts goes from 10^8 to 10^4 + 10^3 = 11,000 attempts in total.
The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.
Maybe not possible to turn off!

WIFI PROTECTED SETUP
http://www.kb.cert.org/vuls/id/723755
http://arstechnica.com/business/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver/

WIFI PROTECTED SETUP

OPEN HOTSPOTS
With no login
No guaranteed encryption - sniffing possible
Everyone can see
  What unencrypted web pages you’re visiting
  What you’re typing into unencrypted web forms
  Even see which encrypted websites you’re connected to
Only after the connection is established is it encrypted → Metadata
Browser plugin: HTTPS Everywhere

SUMMARY
Or more a final remark
Use WPA2, not WEP or WPA, as both of the latter are compromised

QUESTIONS