Wednesday, May 23, 2018

DinoSec's 10-Year Anniversary... and WPA3

This month, May 2018, is DinoSec's 10-year anniversary and this milestone deserves, at least, a blog post... of appreciation and technical content! ;-)
First of all, we want to say thank you to all our customers for showing their trust and confidence in us and our high quality practices, helping to make DinoSec's adventures and business a reality. We also want to thank our collaborators for their support, allowing us to accomplish more ambitious and complex projects and challenges. Thanks you all for allowing DinoSec's original essence and goals as a company remain after a decade!

We are very aware DinoSec's Blog has remained quite quiet during the last three years. Although I don't want this to sound as an excuse (as the reality is that we are quite busy), it is true that back in the early days, publishing blog articles was one of the main mechanisms we used in the security industry to spread the word about new research, tools and topics. This is what I did throughout the three RaDaJo, Taddong and DinoSec blogs over time. However nowadays, although blogs are still used and relevant, there are many other methods to distribute contents, mainly social networks, team messaging and messaging apps (super)groups (public and private), technical training, and (still) presentations and talks (like the ones you can find at DinoSec's Lab) delivered at a very long list of cybersecurity conferences, local (e.g. Spain) or worldwide.

Switching to the technical content, one of the technologies I have been passionate about during almost two decades has been Wi-Fi security. This is a good reason to focus, once again, on Wi-Fi security in this (last?) DinoSec blog post (coincidentally, I also talked about Wi-Fi security in the latest DinoSec's blog post more than three years ago).

The 2018 Wi-Fi predictions from the Wi-Fi Alliance include various attractive programs they are developing, such as bringing enterprise design practices to new home Wi-Fi networks via the Wi-Fi Home Design initiative, optimizing the Wi-Fi user experience and performance by unifying multiple key technologies in programs such as Wi-Fi Vantage, or improving the retail and shopping experience via Wi-Fi Aware by allowing Wi-Fi devices to discover their word nearby and exchange (peer-to-peer) data with other devices without a Wi-Fi infrastructure, even managing location information through Wi-Fi Location. The Wi-Fi bandwidth and speed keeps growing over the years via new technologies such as WiGig (60 GHz) and High Efficiency (HE) IEEE 802.11ax (2.4 & 5 GHz), with products expected in the market late 2018 or 2019. The predictions also mention how the ongoing Wi-Fi security evolution will introduce new WPA3 (Wi-Fi Protected Access, version 3) enhancements throughout this year.

In 2018 the WPA2 certification program will continue to evolve to meet new security requirements, such as standardizing 128-bit cryptographic suites, or making mandatory the use of Protected Management Frames (PMF), a feature defined in the IEEE 802.11w standard to avoid easy manipulation of sensitive 802.11 management frames, widely used in deauthentication attacks. KRACK mitigations are going to be mandatory too in future WPA2 certified products.

The Wi-Fi Alliance announced in January this year (2018) the upcoming release of WPA3, a new security standard focused on enhancing Wi-Fi security protections in both personal and enterprise networks. It is not clear to what extent this announcement has been influenced by the discovery and publication of KRACK (Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse) in October 2017. Last week, the announcement of a large chipset vendor integrating WPA3 in their upcoming products hit the news (really? isn't this something all manufacturers are going to do along this year..?: "According to the Wi-Fi Alliance, new devices supporting WPA3 will be released later in 2018, many of which will likely be announced at Computex in June").

The new WPA3 improvements include four specific security capabilities:

  • Robust protections even when users choose passwords that fall short of typical complexity recommendations.
  • Simplify the process of configuring security for devices that have limited or no display interface.
  • Strengthen user privacy in open networks through individualized data encryption.
  • A 192-bit (cryptographic) security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite (more suitable for government, defense, industrial, and other high security sensitive environments).

Unfortunately,  it seems we do not learn from history in the infosec (nowadays called cybersecurity) industry. The Wi-Fi Alliance (WFA) is currently working on an internal WPA3 draft. Wouldn't make sense opening the WPA3 draft specification for a global and public security review?, trying to find potential vulnerabilities beforehand, and with the goal of getting it right before it is already implemented in millions and millions of Wi-Fi products and chipsets... ("...more than three billion (Wi-Fi) devices shipping (just) in 2018 (are expected)."). The reality is that the Wi-Fi Alliance impose tight controls on the specifications confidentiality until they are finalized and published... :(

This is something we have (somehow) learned to do in the cryptographic community, requesting peer reviews and opening competitions for new standards, such as NIST did with the Advanced Encryption Standard (AES, Rijndael), the Secure Hash Algorithm-3 (SHA-3, Keccak), or with post-quantum cryptography. As most Wi-Fi security improvements in WPA3 are crypto-related, perhaps we should learn from others in the wireless and network protocols community...

In the next four sections, due to the limited details available in the initial Wi-Fi Alliance announcement, I will try to provide some additional technical details about these new security capabilities introduced by WPA3, complementing the identified needs or WPA3 analysis and interpretation already published by other researchers. Apart from these four features, WPA3 might remove the option to use WEP or TKIP (considered obsolete nowadays), and (re)define the supported list of EAP methods for WPA3-Enterprise.

Updated and More Secure WPA3 Handshake

"Robust protections even when users choose passwords that fall short of typical complexity recommendations"

The current WPA2 traditional four-way handshake does not implement specific countermeasures against hardware-based offline cracking attacks, although the original design made use of PBKDF2 (a key derivation function, in this case, using 4,096 HMAC-SHA1 iterations) and a salt (the SSID, or Wi-Fi network name) to slow down password cracking attacks (offline dictionary or brute force attacks).

The new WPA3 four-way handshake adds extra protections for the WPA3-PSK password, even when a robust passphrase is not used. WPA3 is based on the Simultaneous Authentication of Equals (SAE) handshake, a variant of an authentication and key exchange protocol (or PAKE, Password-Authenticated Key Exchange) known as Dragonfly.  Dragonfly, currently defined in RFC 7664 and in the 802.11-2016 specification (a PDF with more than 3,500 pages), has been supposedly enhanced to mitigate previously identified Dragonfly offline attacks (and/or other weaknesses), it is also the foundation for TLS-PWD and there is even a security proof for it (... like for WPA2 before KRACK? ;-). SAE was originally used for 802.11-based mesh networks under the IEEE 802.11s security umbrella, although in WPA3 infrastructure networks typically only the Wi-Fi AP (Access Point) will initiate the handshake. For compatibility reasons, both WPA2-PSK (or Personal) and SAE might coexist simultaneously in WPA3-Personal APs.

SAE employs discrete logarithm cryptography (finite fields or elliptic curve cryptography, FFC or ECC) for a mutual authentication exchange using only a password, that is used to derive an ephemeral key, similarly to a Diffie-Hellman (DH) key exchange, and it benefits from associated properties such as forward secrecy (the derived key cannot be recovered in the future even if the password is obtained). It is designed to be (probably) resistant against offline dictionary attacks, as no information about the password (or the key) is disclosed except whether a password guess is correct or incorrect.

The result of the SAE handshake is a strong shared secret (or derived key) that will become the PMK (Pairwise Master Key, 256 bits) in WPA3 (like the PMK in WPA2), therefore, it will be used in the traditional four-way handshake to derive the PTK (Pairwise Transient Key, 512 bits). Thus, the new WPA3 handshake replaces the traditional WPA2 PBKDF2 key derivation process to obtain the PMK from the PSK (Pre-shared Key), or password... or passphrase.

One potential drawback of this new WPA3 handshake is that the Wi-Fi AP might require storing the password in plaintext, as pointed out by Mathy Vanhoef (from KRACK). Although a "balanced" PAKE also allows storing a hash of the password with a random salt, as a "non-augmented" protocol, the stored values (or hashes) can be used directly to authenticate to the AP. Therefore, the stored hash is acting as a plaintext password (even if it cannot be easily read by humans), and becomes vulnerable to PtH-like (Pass-the-Hash) attacks (in which a dictionary or brute force attack to obtain the original password is not required).

Updated and More Secure WPS Alternative

"Simplify the process of configuring security for devices that have limited or no display interface"

WPA3 introduces new capabilities to configure secure Wi-Fi networks in devices without screens or input peripherals, such as IoT (Internet of Things) devices.

The simplification of the initial setup process to join a new Wi-Fi client to a Wi-Fi network in a secure way has been troublesome in the past. The WPS (Wi-Fi Protected Setup) standard has suffered serious online (Reaver) and offline (Pixie) vulnerabilities in recent years.

WPA3 tries to replace WPS with a new technical specification named Wi-Fi Device Provisioning Protocol (DPP), still in draft state (registration required). This new three-way handshake authentication or setup protocol requires the usage of public key cryptography to identify and authenticate all Wi-Fi devices. DPP employs elliptic curve cryptography (ECC), and specifically elliptic curve Diffie-Hellman (ECDH), to derive a shared secret or key. Again, upon successful validation of the peer discovery process, the Wi-Fi devices will  mutually derive a PMK (Pairwise Master Key) that will be used in the traditional four-way handshake to derive the PTK (Pairwise Transient Key). AES-SIV (Synthetic Initialization Vector, RFC 5297) is involved in the protocol for the parties to prove possession of the private keys associated to the public identity keys.

Mutual authentication is desired between the Wi-Fi devices (e.g. client and AP), but due to constraints in some clients, it is not mandatory (thus, more insecure). One of the methods promoted by the new WPA3 mechanism to identify the other device is the usage of QR codes (e.g. containing the public key with the identity of the Wi-Fi network) for client devices with a camera. Other options for bootstrapping trust involve Neighbor Aware Networking (NAN), used in Wi-Fi Aware, USB, NFC, or Bluetooth, or proof of knowledge of a shared code, key, phrase, or word.

Individualized Data Encryption

"Strengthen user privacy in open networks through individualized data encryption"

This feature tries to offer encryption (using individual encryption keys for each connecting client) for open Wi-Fi networks, where the common WPA2-PSK security based on a unique Wi-Fi network password is not even available. This feature will mainly affect open Wi-Fi networks commonly used in public Wi-Fi hotspots (hotels, airports, libraries, coffee hops, restaurants, conferences, etc.).

Long time ago, around year 2010, a few proposals to offer enterprise-level security for open or public Wi-Fi networks were already discussed, named Open Secure Wireless (OSW), promoted by Christopher Byrd, or a variant, Secure Open Wireless Networking (SOWN or SOWA, Secure Open Wireless Access), promoted by Tom Cross & Takehiro Takahashi. These proposals emphasized that open does not mean unencrypted.

OSW main goal was to make use of all the security benefits provided by WPA2-Enterprise, without the need of authenticating the user, that is, providing open access to any user. OSW only requires a slightly modified EAP-TLS type (anonymous authentication) supported by the Wi-Fi clients, and there is even a prototype implementation available. A new OSW 2.0 revision (OSW2) was released afterwards, incorporating IEEE 802.11u improvements. I have found even a related patent for something like OSW/SOWN.

SOWN, also EAP-TLS based, focused more on binding the Wi-Fi network digital certificate (associated to the RADIUS server) to the Wi-Fi network name (or SSID), enhanced as an eXclusive or eXtended SSID (or XSSID). Even before that age, in 2007, George Ou made a proposal to use a WPA2-Enterprise PEAP-based Wi-Fi network with a generic or guest account for anonymous users, to accomplish similar goals.

WPA3 "individualized data encryption" refers to Opportunistic Wireless Encryption (OWE) for Wi-Fi networks, a mechanism designed to provide encryption without authentication, encompassed under the "opportunistic security" concept (RFC 7435), and defined in RFC 8110.

OWE provides protections against passive attacks, such as traffic sniffing. Similarly to the new WPA3 handshake, OWE negotiates or derives a PMK (Pairwise Master Key) using a Diffie-Hellman (DH) key exchange (again using finite fields or elliptic curves), but with no initial password involved this time (as there is no authentication in public or open Wi-Fi networks). The PMK is used again throughout the traditional four-way handshake to derive the PTK (Pairwise Transient Key).

WPA3 APs will advertise support for OWE in their 802.11 beacons and probe responses. Once a Wi-Fi client performs a standard open authentication (request and response), additional information elements (IE) are incorporated into association requests and responses to perform the DH key exchange, allowing both the Wi-Fi AP and the client to exchange their public keys and, as a result, perform the cryptographic computations required to derive the PMK.

A 192-bit Cryptographic Security Suite

"A 192-bit (cryptographic) security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite"

WPA2 (ignoring TKIP, that should not be used anymore) implements an encryption protocol based on AES CCMP (CTR mode with CBC-MAC Protocol). CTR mode, also known as CounTeR mode, turns a block cipher into a stream cipher (as detailed in the KRACK attacks). RFC 3610 defines the Counter with CBC-MAC (CCM) protocol, and specifies that this generic authenticated encryption (AE) block cipher mode is defined for use with 128-bit block ciphers, such as AES.

Therefore, the new 192-bit crypto suite introduced by WPA3 does not simply offer an increased key size, but must use a different encryption algorithm (referred as NIST "Suite B" cryptographic algorithms), most probably, AES GCMP (Galois/Counter Mode Protocol), described in RFC 5288 for TLS. GCMP was already "silently" introduced in WPA2 for 802.11ac, even using longer 256-bit keys, and will be used by WiGig too.

Wi-Fi Hidden Networks... Still in WPA3?

Apart from these four previously detailed WPA3 security enhancements, there are pending security issues that still need to be addressed in the current Wi-Fi specification. Future Wi-Fi-related WPA3 developments might focus on protecting users privacy too (probably a lost battle globally at this point...), including MAC address randomization (using locally administered MAC addresses when the client is not associated to the Wi-Fi network yet, or even post-association...) as well as reducing other types of information leakage (SSID names in probe requests). Thus, WPA3 might introduce privacy enhancements (badly named, as they also have serious implications from a security perspective, not just privacy), such as mitigating Wi-Fi devices from sending directed probe requests until the associated SSIDs have been already discovered via passive scanning (obtaining and processing the 802.11 beacon frames in the area) or active scanning (via wildcard or generic 802.11 probe requests).

One of the main issues I have been really interested in during the last years is Wi-Fi hidden (or non-broadcasting) networks, a useless feature that facilitates attacks against Wi-Fi clients and promotes the disclosure of their PNL (Preferred Network List). In fact, the potential WPA3 privacy enhancements mentioned in the previous paragraph would be equivalent to not considering a Wi-Fi network as hidden anymore or, said otherwise, if WPA3 introduces these mitigating behaviours, Wi-Fi clients won't be capable of connecting to hidden networks anymore, which drives us to my next point.

Wi-Fi PNL disclosure is one of the topics I extensively cover in my "Practical Wireless & Radio Hacking" (PWRH) training, and I do even have a slide (see below) detailing what should be removed from the IEEE 802.11-2012 specification to eliminate support for Wi-Fi hidden networks and, as a result, mitigate the related privacy and security attacks. It is trivial for a potential attacker to fire up a fake Wi-Fi AP impersonating one of the legitimate APs the victim Wi-Fi client has connected to in the past, and is searching for. The attacker has plenty of opportunities to attack the victim Wi-Fi client, no matter what security type was used by the legitimate Wi-Fi network (open, WEP, WPA(2)-PSK or WPA(2)-Enterprise). 

In the past I tried to approach the IEEE to promote the removal of Wi-Fi hidden networks, but I was disappointed about the bureaucracy and obstacles I had to confront, at least, for a security researcher that does not belong to any of the IEEE 802.11 Working Group (WG) members. If you know someone in the 802.11 WG interested on helping with this, please, send me an e-mail. Perahps another approach is to get it out of the specification through the Wi-Fi Alliance thanks to WPA3. If we are lucky and get it removed from the next IEEE 802.11 specification, perhaps a decade from now, all Wi-Fi products in the market will not disclose their PNL for free via directed 802.11 probe requests... ;-)

Happy WPA3 security testing!

Image source:
Image source:
Image source: