A very short overview of Wireless Security Protocols including WEP, WPA, WPA2 and WPA3. For each of them we’ll try to point out both their strengths and weaknesses and describe some of the possible attacks.
We’ll include cryptography details of each protocol at some other post/time, including execution of individual attacks (step by step). For now, just the basics.
WEP [Wired Equivalent Privacy]
Wired Equivalent Privacy (WEP), introduced as part of the original 802.11 standard ratified in 1997, it’s probably the most used WiFi Security protocol out there. It’s pretty recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits). In 2004, both
WEP-104 were declared deprecated. There were
128-bit (most common) and
256-bit WEP variants, but with ever increasing computing power enable attackers to exploit numerous security flaws. All in all, this protocol is “dead”.
The RC4 stream cipher used by WEP is based upon two algorithms:
- The first one being RC4-Key Scheduled Algorithm (KSA), which transforms a key of length 1 to 256 bits into a initial permutation S of the numbers 0 to N. The internal state of RC4 consists of two numbers i and j used as pointers to elements of S.
- The second algorithm is RC4-Pseudo Random Generation Algorithm (PRGA). It generates a single byte of keystream from the current internal state of RC4 and then updates the internal state. Originally, N=255, but the algorithm can work with different values of N.
With CRC32 original message is XORed with a constant of 32 bits followed by as many 0 as necessary to reach the length of the message. The result becomes the new “message” and the operation is repeated until the length of the result is under the length of the constant. It is important to note that this hash function is linear and unkeyed.
- Packet Injections
- Fake Authentication
- FMS Attack, statistical, 2001
- KoreK Attack, statistical, 2004
- ChopChop Attack, fake ARP, 2004
- Fragmentation Attack, fragmentation, 2005
- PTW Attack (Pychkine, Tews, Weinmann) , statistical, 2007
This allows an outsider to generate a large amount of traffic on a network without being associated to it in any way. First, he must capture a packet of specific type. Although hidden behind encryption, packet type can be easily guessed based on packet size.
Fake Authentication attack allows an attacker to join a WEP protected network even if he doesn’t know the root key. There are two ways a client can authenticate itself in an WEP protected network:
- The first method is Open System authentication, basically unprotected.
- The second method is called Shared Key authentication. This one uses the secret root key and a challenge-response authentication. Client asks AP to connect, AP sends a frame containing a challenge (random byte string, cleartext) and the client answers with a WEP encrypted frame. If ok, AP answers back with success.
Released in 2001 by Fluhrrer, Mantin and Shamir, it’s based on
RC4 weakness combined with the awarness of IV (Initialization Vector or a nonce, 3 bytes of the per packet key).
If we know first “l” bytes of the per packet key, we can simulate “l” first steps of
RC4-KSA. Don’t want to go too deep in the math here, basically next byte of key depends (is somewhat related) on the current one and that can be used to check if we’re on the right track. With each iteration we’re getting one more byte of key, eventually testing it. If it’s wrong, byte of the key is being switched with another probable value and process is restarted.
This one is based on FMS attack (first appeared on netstumbler forum, 2004), but lets attacker finds the key faster.
Also found by “KoreK”, and opposed to exploiting a weakness in RC4, it attacks WEP protocol itself (CRC32 checksum and the lack of replay protection). It gives an attacker the ability to decryt a packet without knowing the key.
Flipping a bit in the cipher text and then calculating which bit in encrypted CRC32 value must be flipped so that the packet is still valid. Frequently mentioned is approach is to take away last byte and try to guess its value.
The ChopChop Theory.
Great attack to run if there are no clients currently connected to the access point. Similar to ChopChop attack it speeds up cracking process by injection arbitrary packets into AP. It’s going to generate enough traffic to capture large number of IVs improving your chance of cracking the key (aircrack-ng). The “aireplay-ng” & “packetforge-ng” are standard toolkit for this attack.
Released by Bittau in 2005. By sniffing the packets, attacker can find/guess first 8 bytes of clear text. By XORing these 8 bytes with 8 corresponding bytes of cipher text, he can obtain 8 bytes of keystream for a specific IV. Now, he can’t use that to send whole packet, but WEP allows him to send a single packet in up to 16 fragments. So, the attacker now uses those 8 bytes of keystream to broadcast a packet containing 64 bytes of known text in 16 fragments. AP on the receiving end takes those fragments, deciphers & combines them into a single packet, encrypting it and send it back to the network.
As C ⊕ M = K the attacker can get the keystream for other IVs and build a dictionnary, allowing him to decipher packets on the network and create traffic.
The Pyshkin Tews Winmann (PTW) attack, released in 2007.
What makes PTW powerful than all the other attacks is the fact it can make use of every packet captured. It implements a key ranking strategy which instead of trying all possible combinations of the key, picks a set number of likely keys and continues the RC4 algorithm based on those. Using different voting strategies the attacker can pick the most likely key byte at each decision in the tree to determine the correct key.
The tests showed that only 35,000 to 40,000 packets were required to get a 50% succes probability. Other sources state that we can get a probability of 95% with 85,000 frames.
The PTW attack is the default method used by Aircrack-ng to crack WEP keys.
WPA [Wi-Fi Protected Access]
Wi-Fi Protected Access (WPA), became available in 2003, and it was the Wi-Fi Alliance’s direct response and replacement to the increasingly apparent vulnerabilities of the WEP encryption standard. The most common WPA configuration is
WPA-PSK (Pre-Shared Key). The keys used by WPA are
256-bit, a significant increase over the
128-bit keys used in the WEP system.
WPA included message integrity checks (to determine if an attacker had captured/altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that was radically more secure than the fixed key system used by WEP. The TKIP encryption standard was later superseded by Advanced Encryption Standard (AES).
TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks (e.g. Chop-Chop, MIC Key Recovery attack).
Usually people don’t attack WPA protocol directly, but supplementary system that was rolled out with WPA – Wi-Fi Protected Setup (WPS).
RC4stream cipher is used with a
128-bitper-packet key, meaning that it dynamically generates a new key for each packet. Although still used, it’s considered obsolete after being replaced by CCMP in 2009.
- Back and Tews’ Improved Attack on RC4, 2008, Inject
- Ohigashi-Morii Attack (Beck and Tews’ + Man in the middle), 2009, inject
- Michael Attacks, 2010, inject
- THe Hole196 Vulnerability, 2010, inject/dos/MITM
- Dictionary Attack against the handshake,key recovery
Back and Tews’ Attack
Released in 2008, exploits weakness in TKIP, allowing an attacker to decrypt ARP packets and to inject traffic into a network, enabling a DoS or ARP poisoning.
Attack “requires” Quality of Service (QoS) to be enabled (practical aspect). That allows several channels to be used. Each channel has its own TSC (TKIP Sequence Counter). Channel 0 holds most of the traffic, other channels will have lower TSC. Attack requires Key Renewal Interval to be longer than 15 min (time needed to decrypt an ARP packet).
From 2009, an improvement of the Beck-Tews attack on WPA-TKIP, more efficient for all modes of WPA and not just those with QoS features.
In 2010, Beck found that if the internal state of Michael reaches a certain point, the Michael algorithm resets. With that, an attacker can inject some text in a packet, add a string that resets Michael algorithm. Packet is changed but the Michael’s result remains correct. Apparently, requirements of this attack are even tighter compared to “Beck and Tews”.
In 2010, Sohail Ahmad found a hole in 802.11. This is a MITM attack, not a key-recovering attack. The attacker has to be an authorized user of the network.
Two types of keys for data encryption:
- Pairwise Transient Key (PTK) – used to protect unicast data frames
- Group Temporal Key (GTK) – used to protect group addressed data frames (e.g. broadcast ARP frames)
The point of the attack is to send a message with a GTK key but directed to a target MAC instead of a broadcasting MAC address (Detectable). By doing this in a kinda “stealthy” way, only the victim will process that broadcast packet ( unless the ARP table has static resolution for the MAC of the gateway), ending up with IP poisoning, replacing the router.
- ARP Poisoning/MITM
- Buffer overflow
- Malware Injection
WPA2 [Wi-Fi Protected Access II]
Of course, WPA2 replaced WPA. Certification began in September, 2004 and from March 13, 2006 it was mandatory for all new devices to bear the Wi-Fi trademark. Most important upgrade is mandatory use of AES algorithms (instead of previous RC4) and the introduction of CCMP (AES CCMP, Counter Cipher Mode with Block Chaining Message Authentication Code Protocol, 128 Bit) as a replacement for TKIP (which is still present in WPA2, as a fallback system and WPA interoperability).
As in previous version, attack on WPS is the most frequent one.
- KRACK Attack
- PMKID Attack (PSK)
- WPS Attack
- Brute-force/Dictionary attack
- Hole 196
Discovered by Mathy Vanhoef and Frank Piessens in 2016. It’s a severe replay attack.
The attack targets the four-way handshake used to establish a nonce (a kind of “shared secret”) in the WPA2 protocol. The standard for WPA2 anticipates occasional WiFi disconnections, and allows reconnection using the same value for the third handshake (for quick reconnection and continuity). Because the standard does not require a different key to be used in this type of re-connection, which could be needed at any time, a replay attack is possible.
PMKID attack (PSK)
New exploit was anounced on August 4th, 2018, for Wi-Fi networks that use WPA/WPA2-PSK (pre-shared key). The vulnerability allows attackers to obtain the PSK being used for the particular SSID.
The attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard.
The main difference compared to other attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.
The main advantages of this attack are as follow:
- No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack).
- You wont need to wait for a complete 4-way handshake between the regular user and the AP.
- No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results) and invalid passwords sent by the regular user.
- There wont be lost EAPOL frames when the regular user or the AP is too far away from the attacker.
- No more fixing of nonce and replay counter values required (resulting in slightly higher speeds).
- No more special output format (
hccapx, etc.) – final data will appear as regular hex encoded string.
WPS was introduced in 2006, and the goal of the protocol is to allow home users who know little of wireless security to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases.
In December 2011 a flaw was revealed that affects wireless routers with the WPS feature. That flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network’s
WPA/WPA2 pre-shared key.
We have here 8 digits with 10 numbers, 108 (100.000.000). That’s too much. The 8th digit is checksum of first 7 digits, so we have 107. Furthermore, the pin number for verification goes in two halves, so we can independently verify the first 4 and the last 4 digits. It’s far easier to guess 4 digits 2x than 8 digits 1 at once. Finaly, math ends up with: 104 + 103 = 11,000 guesses.
While this tactic used to take a number of hours, the newer WPS Pixie-Dust attack can crack networks in seconds. Since 2011, many routers now have protections to detect and slow down (rate-limiting) or shut down a Reaver-type attack (lock with too many failed PIN attempts).
Routers updated some settings to prevent WPS, but flaws still existed in the way they implement encryption. It’s relatively difficult to create truly random numbers, which is required to produce strong encryption. To achieve this, there’s usually a function that takes “seed” and produces a pseudo-random number.
If there’s a use of long or varying “seed” number, you can get same result as a number that’s actually random, but if you use an easily guessed “seed”, or even worse, the same one again and again, you end up with weak encryption that’s easy to break. This is what happened with those updated routers, the thing that WPS Pixie-Dust attack exploits.
This relies on capturing a WPA handshake, and then using a wordlist or brute-force to try and crack the password. Depending on the password strength (length, charset), it can be difficult or impossible to break it in a “reasonable” amount of time.
WPA3 [Wi-Fi Protected Access III]
In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement to WPA2. The new standard uses
128-bit encryption in WPA3- Personal mode (
WPA-PSK, pre-shared key) or
192-bit in WPA3 – Enterprise (RADIUS authentication server).
WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE) or the Dragonfly Key Exchange. SAE improves security of the initial key exchange and offers better protection against offline dictionary-based attacks.
It is just as susceptible to man-in-the-middle attacks and offers no protection against evil twin attacks.
When it comes to protocols, best to worst:
- WPA2 MGT or WPA MGT
- WPA2 + CCMP/AES
- WPA + CCMP/AES
- WPA + TKIP | WPA + TKIP/AES (TKIP present as a fallback method) WEP
- Open Network (no security at all)
Hope this helps a bit on how to configure your router/wifi and set your defense. Use the highest version possible, long passwords and disable WPS. We’ll cover cryptography segments and individual attacks (steps on how to execute them) later on.