Predicting and Abusing WPA2/802.11 Group Keys

Presented at 33C3 (2016), Dec. 27, 2016, 2 p.m. (60 minutes)

We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.

First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.

Presenters:

• Mathy Vanhoef
  Mathy Vanhoef is a postdoctoral researcher at KU Leuven (Belgium). He finished his PhD on the security of WPA-TKIP, TLS, and RC4, in July 2016. His research interest is in computer security with a focus on wireless security (Wi-Fi), network protocols in general, the RC4 stream cipher, and software security (discovering and exploiting vulnerabilities). Currently he is researching how to automatically detect logical flaws in network protocol implementations. Mathy Vanhoef is a postdoctoral researcher at KU Leuven, where he performs research on streamciphers, discovered a new attack on RC4 that made it possible to exploit RC4 as used in TLS in practice (the RC4 NOMORE attack), and found the HEIST attack against TLS. He also focuses on wireless security, where he turns commodity wifi cards into state-of-the art jammers, defeats MAC address randomization, and breaks protocols like WPA-TKIP. He also did research on information flow security to assure cookies don't fall in the hands of malicious individuals. Currently he is researching how to automatically fuzz network protocols, and detect *logical* flaws in implementations (e.g. downgrade attacks). Apart from research, he also knows a thing or two about low-level security, reverse engineering, and binary exploitation. He regularly participates in CTFs with KU Leuven's Hacknamstyle CTF team.

Links:

• https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8195.html

Similar Presentations:

• VB2019 / Buhtrap metamorphosis: from cybercrime to cyber espionage (partner presentation)
• ToorCon San Diego 12 (2010) / The keys to running a successful Defcon Group by DC612
• DEF CON 18 (2010) / The Keys To Running A Successful DEF CON Group By DC612