Tuesday, December 18, 2018

Recognition for Spanish hackers, researchers and/or technical security professionals

NOTE: This post, as an exception, has been published in Spanish, as it is dedicated to the Spanish hacker (and technical cybersecurity) community, for a well deserved recognition.

It is a great honour for me to have been chosen as the recipient of the award for a professional career of value to cybersecurity ("premio a la trayectoria profesional en valor de la ciberseguridad") from the Centro Criptológico Nacional (CCN), especially at these XII Jornadas STIC CCN-CERT (unforgettable for many reasons), presented by His Majesty the King, Don Felipe VI:


First of all, I think the presence of His Majesty the King at this event is very significant, reflecting the importance that the security of technological environments has acquired in our daily lives. This relevance will grow even more in the future, given the technological over-dependence we currently live with, both personally and as a society, and at the professional, institutional and industrial level.

Video: Clip of the moment the award was presented.

Coincidentally, this year I could be said to come of age as a professional dedicated entirely to computer, information and technology security (nowadays called cybersecurity :-), which began back in 2000-2001 when I worked at HP (Hewlett-Packard). As it happens, 2018 has also been the tenth anniversary of my company, DinoSec, which we founded to try to make our professional dreams come true and devote ourselves to what we like the most. After an intense year of work and almost 20 years of professional career in this field, this award is the "culmination" at the start of a (hopefully) still long career in which I try to keep contributing my grain of sand to the fascinating world of security.

It is still a young award, first presented last year, even though some of us have been lucky enough to take part in all twelve editions of this benchmark event, which makes me even prouder to have received it in an early edition. I am sure that all of us can think of, or thought of at the moment of the presentation, many other professionals who equally deserve this award, and who, I am sure, will be recognised in the years to come.

I thank the CCN for its trust, reflected in this award, as well as for the message conveyed this year and for the very positive interpretation of it by the community I belong to and, on occasions like this one, represent: technical security professionals, researchers or hackers (although the term is the least of it), who are so necessary, with their highly specialised technical knowledge and dedication, to evaluate and identify the weaknesses and vulnerabilities of technology, with the goal of getting them fixed and improving it, so that we all have more secure environments.

Video: Clip from just before our talk on DNSSEC, where I could very briefly (due to time constraints) express my thanks for the award.

I want to stress that, in a way, this shows that hard work always pays off, since this is an award for talent, for the immeasurable value that technical knowledge of ever more complex technologies and infrastructures should have, for analysis and lateral thinking skills, for the motivation to solve new challenges, and for the values I have always identified with and which, in a way, are also reflected in this award: effort, passion, dedication, commitment, involvement, sacrifice, humility, professionalism, curiosity, restlessness, and a strong desire to always keep learning.

Perhaps the word most repeated in all the congratulation messages received has been "deserved", which, coming from so many valuable professionals, gives it even more value and makes me prouder and more satisfied. A message that, now more than ever, I feel we must not tire of passing on to the new generations.

Without doubt, the presentation of the award was a moving and unforgettable moment, one that you are possibly lucky enough to enjoy only once in a lifetime:


To top it off, it is not every day that one gets the chance to chat in person for a few minutes with His Majesty the King, to try to convey to him, modestly, the importance of these values, of having quality education and training in Spain, and the significance that having highly qualified technical professionals has, and will have, for our country in order to meet the growing demand of our sector. And all this after having enjoyed a live demonstration of a three-rotor Enigma machine, encrypting and decrypting a message, as a living example of the history of cryptography. I left the trophy under it for a few hours, in case something rubbed off... :-)


Although the award is given to an individual, on the one hand it is fair to thank and highlight that I could not have received this award without the unconditional support and company of my wife, Mónica Salas, who for a quarter of a century has always been there, helping me grow both as a person and professionally. This award is, without doubt, a reality thanks to her. Likewise, to my family (both those who are still with us and, especially, those who are not), for accompanying me along this path; with their effort and affection they always made sure to provide me with the best possible education and training, and to create the ideal environment for me to get where I am today. And of course, to my children, representing the future generations who will have to protect us in just a few years... :-)

Last but not least, I do not want to forget those with whom I have most closely shared my professional career over all these years (colleagues, collaborators, customers, students, security conferences, etc.), and I also want to give enormous thanks for the extensive and warm support I have received from our whole community, from so very many people who have seen themselves reflected in me and in this award. Thank you all very much!

Although the years take their toll, and one always considers oneself younger than one is, I want to make clear that it is far from time for me to retire (as some assume happens after receiving an award like this :-); rather, this award is an incentive, a chance to reflect, to value what has been done so far and to want to keep doing more and better things, always enjoying it.

So as not to go on any longer, all the anecdotes about my attire, with remarks such as "Is it a photomontage or has Raúl put on a suit?", I will leave for more private circles... ;-)

Author: Raúl Siles

Tuesday, May 22, 2018

DinoSec's 10-Year Anniversary... and WPA3

UPDATE: The WPA3 presentation by Raul Siles at Navaja Negra (#NN8ED) in October 2018 has been published, including the video (in Spanish) and an early PDF version that includes all the technical references.

This month, May 2018, is DinoSec's 10-year anniversary and this milestone deserves, at least, a blog post... of appreciation and technical content! ;-)
First of all, we want to say thank you to all our customers for showing their trust and confidence in us and our high quality practices, helping to make DinoSec's adventures and business a reality. We also want to thank our collaborators for their support, allowing us to accomplish more ambitious and complex projects and challenges. Thank you all for allowing DinoSec's original essence and goals as a company to remain after a decade!

We are very aware DinoSec's Blog has remained quite quiet during the last three years. Although I don't want this to sound like an excuse (as the reality is that we are quite busy), it is true that back in the early days, publishing blog articles was one of the main mechanisms we used in the security industry to spread the word about new research, tools and topics. This is what I did throughout the three RaDaJo, Taddong and DinoSec blogs over time. However, nowadays, although blogs are still used and relevant, there are many other methods to distribute content, mainly social networks, team messaging and messaging-app (super)groups (public and private), technical training, and (still) presentations and talks (like the ones you can find at DinoSec's Lab) delivered at a very long list of cybersecurity conferences, local (e.g. Spain) or worldwide.

Switching to the technical content, one of the technologies I have been passionate about during almost two decades has been Wi-Fi security. This is a good reason to focus, once again, on Wi-Fi security in this (last?) DinoSec blog post (coincidentally, I also talked about Wi-Fi security in the latest DinoSec's blog post more than three years ago).

The 2018 Wi-Fi predictions from the Wi-Fi Alliance include various attractive programs they are developing, such as bringing enterprise design practices to new home Wi-Fi networks via the Wi-Fi Home Design initiative, optimizing the Wi-Fi user experience and performance by unifying multiple key technologies in programs such as Wi-Fi Vantage, or improving the retail and shopping experience via Wi-Fi Aware by allowing Wi-Fi devices to discover the world nearby and exchange (peer-to-peer) data with other devices without a Wi-Fi infrastructure, even managing location information through Wi-Fi Location. Wi-Fi bandwidth and speed keep growing over the years via new technologies such as WiGig (60 GHz) and High Efficiency (HE) IEEE 802.11ax (2.4 & 5 GHz), with products expected in the market in late 2018 or 2019. The predictions also mention how the ongoing Wi-Fi security evolution will introduce new WPA3 (Wi-Fi Protected Access, version 3) enhancements throughout this year.

In 2018 the WPA2 certification program will continue to evolve to meet new security requirements, such as standardizing 128-bit cryptographic suites, or making mandatory the use of Protected Management Frames (PMF), a feature defined in the IEEE 802.11w standard to avoid easy manipulation of sensitive 802.11 management frames, widely used in deauthentication attacks. KRACK mitigations are going to be mandatory too in future WPA2 certified products.

The Wi-Fi Alliance announced in January this year (2018) the upcoming release of WPA3, a new security standard focused on enhancing Wi-Fi security protections in both personal and enterprise networks. It is not clear to what extent this announcement has been influenced by the discovery and publication of KRACK (Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse) in October 2017. Last week, the announcement of a large chipset vendor integrating WPA3 in their upcoming products hit the news (really? isn't this something all manufacturers are going to do during this year..?: "According to the Wi-Fi Alliance, new devices supporting WPA3 will be released later in 2018, many of which will likely be announced at Computex in June").


The new WPA3 improvements include four specific security capabilities:

  • Robust protections even when users choose passwords that fall short of typical complexity recommendations.
  • Simplify the process of configuring security for devices that have limited or no display interface.
  • Strengthen user privacy in open networks through individualized data encryption.
  • A 192-bit (cryptographic) security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite (more suitable for government, defense, industrial, and other high security sensitive environments).

Unfortunately, it seems we do not learn from history in the infosec (nowadays called cybersecurity) industry. The Wi-Fi Alliance (WFA) is currently working on an internal WPA3 draft. Wouldn't it make sense to open the WPA3 draft specification to a global and public security review, trying to find potential vulnerabilities beforehand, with the goal of getting it right before it is implemented in millions and millions of Wi-Fi products and chipsets? ("...more than three billion (Wi-Fi) devices shipping (just) in 2018 (are expected)."). The reality is that the Wi-Fi Alliance imposes tight controls on the confidentiality of the specifications until they are finalized and published... :(


This is something we have (somehow) learned to do in the cryptographic community, requesting peer reviews and opening competitions for new standards, such as NIST did with the Advanced Encryption Standard (AES, Rijndael), the Secure Hash Algorithm-3 (SHA-3, Keccak), or with post-quantum cryptography. As most Wi-Fi security improvements in WPA3 are crypto-related, perhaps we should learn from others in the wireless and network protocols community...

In the next four sections, due to the limited details available in the initial Wi-Fi Alliance announcement, I will try to provide some additional technical details about these new security capabilities introduced by WPA3, complementing the identified needs or WPA3 analysis and interpretation already published by other researchers. Apart from these four features, WPA3 might remove the option to use WEP or TKIP (considered obsolete nowadays), and (re)define the supported list of EAP methods for WPA3-Enterprise.

Updated and More Secure WPA3 Handshake

"Robust protections even when users choose passwords that fall short of typical complexity recommendations"

The current WPA2 traditional four-way handshake does not implement specific countermeasures against hardware-based offline cracking attacks, although the original design made use of PBKDF2 (a key derivation function, in this case, using 4,096 HMAC-SHA1 iterations) and a salt (the SSID, or Wi-Fi network name) to slow down password cracking attacks (offline dictionary or brute force attacks).

The new WPA3 four-way handshake adds extra protections for the WPA3-PSK password, even when a robust passphrase is not used. WPA3 is based on the Simultaneous Authentication of Equals (SAE) handshake, a variant of an authentication and key exchange protocol (or PAKE, Password-Authenticated Key Exchange) known as Dragonfly. Dragonfly, currently defined in RFC 7664 and in the 802.11-2016 specification (a PDF with more than 3,500 pages), has supposedly been enhanced to mitigate previously identified Dragonfly offline attacks (and/or other weaknesses); it is also the foundation for TLS-PWD, and there is even a security proof for it (... like for WPA2 before KRACK? ;-). SAE was originally used for 802.11-based mesh networks under the IEEE 802.11s security umbrella, although in WPA3 infrastructure networks typically only the Wi-Fi AP (Access Point) will initiate the handshake. For compatibility reasons, both WPA2-PSK (or Personal) and SAE might coexist simultaneously in WPA3-Personal APs.

SAE employs discrete logarithm cryptography (finite fields or elliptic curve cryptography, FFC or ECC) for a mutual authentication exchange using only a password, that is used to derive an ephemeral key, similarly to a Diffie-Hellman (DH) key exchange, and it benefits from associated properties such as forward secrecy (the derived key cannot be recovered in the future even if the password is obtained). It is designed to be (probably) resistant against offline dictionary attacks, as no information about the password (or the key) is disclosed except whether a password guess is correct or incorrect.

The result of the SAE handshake is a strong shared secret (or derived key) that will become the PMK (Pairwise Master Key, 256 bits) in WPA3 (like the PMK in WPA2), therefore, it will be used in the traditional four-way handshake to derive the PTK (Pairwise Transient Key, 512 bits). Thus, the new WPA3 handshake replaces the traditional WPA2 PBKDF2 key derivation process to obtain the PMK from the PSK (Pre-shared Key), or password... or passphrase.
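The WPA2-Personal key hierarchy described above (PBKDF2 from passphrase and SSID to the PMK, then the 802.11 PRF to the PTK), as an added example in Python that is not code from the original post or from DinoSec; the MAC addresses and nonces in `demo()` are constructed sample values, and the passphrase/SSID pair is the test vector from the IEEE 802.11 standard.

```python
import hashlib
import hmac

# WPA2-Personal key hierarchy: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits),
# then PTK = PRF-X(PMK, "Pairwise key expansion", min/max of the two MAC addresses and nonces).


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK (the PSK) from passphrase and SSID.

    The 4,096 HMAC-SHA1 iterations with the SSID as salt are the only per-guess cost
    an offline dictionary attack against a captured four-way handshake has to pay.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               bits: int = 512) -> bytes:
    """PTK from the PMK plus the public values of the four-way handshake.

    aa/spa are the AP and client MAC addresses, anonce/snonce the nonces from
    messages 1 and 2. Ordering each pair by min/max makes the result independent
    of which side computes it. bits=512 matches the post (TKIP-sized PTK);
    CCMP uses PRF-384 (KCK || KEK || TK, 128 bits each).
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, bits)


def split_ptk(ptk: bytes) -> dict:
    """First 128 bits integrity-check the handshake (KCK), next 128 wrap the GTK (KEK), the rest is the TK."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def demo() -> dict:
    """Constructed sample values (not captured traffic); returns both sides' PTKs."""
    pmk = wpa2_pmk("password", "IEEE")      # test vector from the 802.11 standard
    aa = bytes.fromhex("02000000aa01")       # constructed AP MAC
    spa = bytes.fromhex("02000000cc02")      # constructed client MAC
    anonce = bytes(range(32))                # constructed nonces
    snonce = bytes(range(32, 64))
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    ptk_client = derive_ptk(pmk, spa, aa, snonce, anonce)   # same inputs, roles swapped
    return {"pmk": pmk, "ptk_ap": ptk_ap, "ptk_client": ptk_client, "keys": split_ptk(ptk_ap)}


if __name__ == "__main__":
    r = demo()
    print("PMK:", r["pmk"].hex())
    print("PTK identical on both sides:", r["ptk_ap"] == r["ptk_client"])
```

Everything after the PMK is derived from values sent in clear in the handshake, which is why the PBKDF2 step is the whole cost of an offline guess and why SAE replaces it.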

One potential drawback of this new WPA3 handshake is that the Wi-Fi AP might require storing the password in plaintext, as pointed out by Mathy Vanhoef (from KRACK). Although a "balanced" PAKE also allows storing a hash of the password with a random salt, as a "non-augmented" protocol, the stored values (or hashes) can be used directly to authenticate to the AP. Therefore, the stored hash is acting as a plaintext password (even if it cannot be easily read by humans), and becomes vulnerable to PtH-like (Pass-the-Hash) attacks (in which a dictionary or brute force attack to obtain the original password is not required).

Updated and More Secure WPS Alternative

"Simplify the process of configuring security for devices that have limited or no display interface"

WPA3 introduces new capabilities to configure secure Wi-Fi networks in devices without screens or input peripherals, such as IoT (Internet of Things) devices.

The simplification of the initial setup process to join a new Wi-Fi client to a Wi-Fi network in a secure way has been troublesome in the past. The WPS (Wi-Fi Protected Setup) standard has suffered serious online (Reaver) and offline (Pixie) vulnerabilities in recent years.


WPA3 tries to replace WPS with a new technical specification named Wi-Fi Device Provisioning Protocol (DPP), still in draft state (registration required). This new three-way handshake authentication or setup protocol requires the usage of public key cryptography to identify and authenticate all Wi-Fi devices. DPP employs elliptic curve cryptography (ECC), and specifically elliptic curve Diffie-Hellman (ECDH), to derive a shared secret or key. Again, upon successful validation of the peer discovery process, the Wi-Fi devices will mutually derive a PMK (Pairwise Master Key) that will be used in the traditional four-way handshake to derive the PTK (Pairwise Transient Key). AES-SIV (Synthetic Initialization Vector, RFC 5297) is involved in the protocol for the parties to prove possession of the private keys associated with the public identity keys.

Mutual authentication is desired between the Wi-Fi devices (e.g. client and AP), but due to constraints in some clients, it is not mandatory (thus, more insecure). One of the methods promoted by the new WPA3 mechanism to identify the other device is the usage of QR codes (e.g. containing the public key with the identity of the Wi-Fi network) for client devices with a camera. Other options for bootstrapping trust involve Neighbor Aware Networking (NAN), used in Wi-Fi Aware, USB, NFC, or Bluetooth, or proof of knowledge of a shared code, key, phrase, or word.

Individualized Data Encryption

"Strengthen user privacy in open networks through individualized data encryption"

This feature tries to offer encryption (using individual encryption keys for each connecting client) for open Wi-Fi networks, where the common WPA2-PSK security based on a unique Wi-Fi network password is not even available. This feature will mainly affect open Wi-Fi networks commonly used in public Wi-Fi hotspots (hotels, airports, libraries, coffee shops, restaurants, conferences, etc.).

A long time ago, around 2010, a few proposals to offer enterprise-level security for open or public Wi-Fi networks were already discussed, named Open Secure Wireless (OSW), promoted by Christopher Byrd, or a variant, Secure Open Wireless Networking (SOWN or SOWA, Secure Open Wireless Access), promoted by Tom Cross & Takehiro Takahashi. These proposals emphasized that open does not mean unencrypted.

OSW's main goal was to make use of all the security benefits provided by WPA2-Enterprise, without the need to authenticate the user, that is, providing open access to any user. OSW only requires a slightly modified EAP-TLS type (anonymous authentication) supported by the Wi-Fi clients, and there is even a prototype implementation available. A new OSW 2.0 revision (OSW2) was released afterwards, incorporating IEEE 802.11u improvements. I have even found a related patent for something like OSW/SOWN.

SOWN, also EAP-TLS based, focused more on binding the Wi-Fi network digital certificate (associated to the RADIUS server) to the Wi-Fi network name (or SSID), enhanced as an eXclusive or eXtended SSID (or XSSID). Even before that age, in 2007, George Ou made a proposal to use a WPA2-Enterprise PEAP-based Wi-Fi network with a generic or guest account for anonymous users, to accomplish similar goals.


WPA3 "individualized data encryption" refers to Opportunistic Wireless Encryption (OWE) for Wi-Fi networks, a mechanism designed to provide encryption without authentication, encompassed under the "opportunistic security" concept (RFC 7435), and defined in RFC 8110.

OWE provides protections against passive attacks, such as traffic sniffing. Similarly to the new WPA3 handshake, OWE negotiates or derives a PMK (Pairwise Master Key) using a Diffie-Hellman (DH) key exchange (again using finite fields or elliptic curves), but with no initial password involved this time (as there is no authentication in public or open Wi-Fi networks). The PMK is used again throughout the traditional four-way handshake to derive the PTK (Pairwise Transient Key).

WPA3 APs will advertise support for OWE in their 802.11 beacons and probe responses. Once a Wi-Fi client performs a standard open authentication (request and response), additional information elements (IE) are incorporated into association requests and responses to perform the DH key exchange, allowing both the Wi-Fi AP and the client to exchange their public keys and, as a result, perform the cryptographic computations required to derive the PMK.
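The OWE derivation described above, as an added example in Python that is not code from the original post nor RFC 8110's own implementation: each side contributes an ephemeral Diffie-Hellman public key in the association frames and both end up with the same PMK and PMKID without any password. It assumes the RFC 3526 2048-bit MODP group (IANA id 14) instead of OWE's mandatory NIST P-256 curve (id 19), because the standard library has no elliptic-curve arithmetic; the 2-octet little-endian encoding of the group id inside the HKDF salt is also an assumption.

```python
import hashlib
import hmac
import secrets

# OWE key derivation (RFC 8110) over finite-field Diffie-Hellman.
# Assumption: RFC 3526 2048-bit MODP group (id 14); OWE's mandatory group is P-256 (id 19),
# but the HKDF structure is identical for either kind of group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
GROUP_ID = 14
ELEM_LEN = 256  # octets needed to encode one group element


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]


def owe_keypair() -> tuple:
    """Fresh ephemeral key pair; the public part travels in the Diffie-Hellman Parameter IE."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def is_valid_public_key(pub: int) -> bool:
    """Reject degenerate peer values (0, 1, p-1) that would force a trivial shared secret."""
    return 1 < pub < P - 1


def owe_pmk(priv: int, peer_pub: int, client_pub: int, ap_pub: int) -> tuple:
    """PMK and PMKID for one side of the exchange, following RFC 8110 section 4.4:
    prk = HKDF-extract(C | A | group, z); PMK = HKDF-expand(prk, "OWE Key Generation", n);
    PMKID = Truncate-128(Hash(C | A)). Group encoding as 2 octets little-endian is assumed."""
    if not is_valid_public_key(peer_pub):
        raise ValueError("degenerate peer public key")
    z = pow(peer_pub, priv, P).to_bytes(ELEM_LEN, "big")          # DH shared secret
    c_a = client_pub.to_bytes(ELEM_LEN, "big") + ap_pub.to_bytes(ELEM_LEN, "big")
    prk = hkdf_extract(c_a + GROUP_ID.to_bytes(2, "little"), z)
    pmk = hkdf_expand(prk, b"OWE Key Generation", 32)
    pmkid = hashlib.sha256(c_a).digest()[:16]
    return pmk, pmkid


def owe_exchange() -> dict:
    """Both sides of one OWE association: no password, yet the same PMK on each end."""
    c_priv, c_pub = owe_keypair()   # client key, sent in the association request
    a_priv, a_pub = owe_keypair()   # AP key, returned in the association response
    pmk_c, id_c = owe_pmk(c_priv, a_pub, c_pub, a_pub)
    pmk_a, id_a = owe_pmk(a_priv, c_pub, c_pub, a_pub)
    return {"pmk_client": pmk_c, "pmk_ap": pmk_a, "pmkid_client": id_c, "pmkid_ap": id_a}


if __name__ == "__main__":
    r = owe_exchange()
    print("PMK agrees on both sides:", r["pmk_client"] == r["pmk_ap"], r["pmk_client"].hex())
```

Because nothing authenticates either public key, the same code run by an impostor AP yields an equally valid PMK, which is exactly the passive-only protection scope stated above.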

A 192-bit Cryptographic Security Suite

"A 192-bit (cryptographic) security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite"

WPA2 (ignoring TKIP, that should not be used anymore) implements an encryption protocol based on AES CCMP (CTR mode with CBC-MAC Protocol). CTR mode, also known as CounTeR mode, turns a block cipher into a stream cipher (as detailed in the KRACK attacks). RFC 3610 defines the Counter with CBC-MAC (CCM) protocol, and specifies that this generic authenticated encryption (AE) block cipher mode is defined for use with 128-bit block ciphers, such as AES.

Therefore, the new 192-bit crypto suite introduced by WPA3 does not simply offer an increased key size, but must use a different encryption algorithm (referred to as NIST "Suite B" cryptographic algorithms), most probably AES GCMP (Galois/Counter Mode Protocol), described in RFC 5288 for TLS. GCMP was already "silently" introduced in WPA2 for 802.11ac, even using longer 256-bit keys, and will be used by WiGig too.

Wi-Fi Hidden Networks... Still in WPA3?

Apart from these four previously detailed WPA3 security enhancements, there are pending security issues that still need to be addressed in the current Wi-Fi specification. Future Wi-Fi-related WPA3 developments might focus on protecting users' privacy too (probably a lost battle globally at this point...), including MAC address randomization (using locally administered MAC addresses when the client is not associated to the Wi-Fi network yet, or even post-association...) as well as reducing other types of information leakage (SSID names in probe requests). Thus, WPA3 might introduce privacy enhancements (badly named, as they also have serious implications from a security perspective, not just privacy), such as preventing Wi-Fi devices from sending directed probe requests until the associated SSIDs have already been discovered via passive scanning (obtaining and processing the 802.11 beacon frames in the area) or active scanning (via wildcard or generic 802.11 probe requests).

One of the main issues I have been really interested in during the last years is Wi-Fi hidden (or non-broadcasting) networks, a useless feature that facilitates attacks against Wi-Fi clients and promotes the disclosure of their PNL (Preferred Network List). In fact, the potential WPA3 privacy enhancements mentioned in the previous paragraph would be equivalent to not considering a Wi-Fi network as hidden anymore or, said otherwise, if WPA3 introduces these mitigating behaviours, Wi-Fi clients won't be capable of connecting to hidden networks anymore, which drives us to my next point.

Wi-Fi PNL disclosure is one of the topics I extensively cover in my "Practical Wireless & Radio Hacking" (PWRH) training, and I even have a slide (see below) detailing what should be removed from the IEEE 802.11-2012 specification to eliminate support for Wi-Fi hidden networks and, as a result, mitigate the related privacy and security attacks. It is trivial for a potential attacker to fire up a fake Wi-Fi AP impersonating one of the legitimate APs the victim Wi-Fi client has connected to in the past, and is searching for. The attacker has plenty of opportunities to attack the victim Wi-Fi client, no matter what security type was used by the legitimate Wi-Fi network (open, WEP, WPA(2)-PSK or WPA(2)-Enterprise).


In the past I tried to approach the IEEE to promote the removal of Wi-Fi hidden networks, but I was disappointed by the bureaucracy and obstacles I had to confront, at least as a security researcher who does not belong to any of the IEEE 802.11 Working Group (WG) members. If you know someone in the 802.11 WG interested in helping with this, please send me an e-mail. Another approach would be to get it out of the specification through the Wi-Fi Alliance thanks to WPA3. If we are lucky and get it removed from the next IEEE 802.11 specification, perhaps a decade from now, all Wi-Fi products in the market will not disclose their PNL for free via directed 802.11 probe requests... ;-)

Happy WPA3 security testing!

Image source: http://www.systemandgeneration.com/uploads/images/about/logo%2010th%20anniversary.png
Image source: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsFqnl356aez9q5ixvtBRlX7hoXCv0NxS1xJVxRWMMDhWrryR42HSDtRiIpj2U-r-6ahDGy_BTGNzHPwtbIml-jAxypQREJuto3J_of0N0U4MHdTU9ziDf6NWiZWpPY2ujXMtICtfW-8pw/s728-e7/wpa3-wifi-security.png
Image source: http://dilbert.com/strip/2013-12-11