1
00:00:00,000 --> 00:00:16,620
*34c3 intro*

2
00:00:16,620 --> 00:00:23,720
Herald: I'm really happy to be able to
introduce our next speaker. Mathy is a

3
00:00:23,720 --> 00:00:30,180
postdoc in Network Security and Applied
Crypto. He took part in discovering and

4
00:00:30,180 --> 00:00:35,860
implementing quite some attacks in this
field and especially in the wireless

5
00:00:35,860 --> 00:00:43,490
sector. And today he will show us, that all
our Wi-Fi devices are vulnerable.

6
00:00:43,490 --> 00:00:49,120
Especially the ones with Linux and
Android. So, I don't want to go into the

7
00:00:49,120 --> 00:00:53,140
technical details, because he would do
this and I think if you're interested in

8
00:00:53,140 --> 00:00:57,960
even learning more about it, he even linked
the research paper as well as the scripts

9
00:00:57,960 --> 00:01:04,190
and a website for this attack in the
Fahrplan. So for now, give a big round of

10
00:01:04,190 --> 00:01:06,699
applause for Mathy Vanhoef!

11
00:01:06,699 --> 00:01:11,510
*applause*

12
00:01:11,510 --> 00:01:15,960
Mathy Vanhoef: Ok, thank you for the
introduction and thank you all for

13
00:01:15,960 --> 00:01:19,921
attending the talk, even though it's
already a bit late in the evening. Thank

14
00:01:19,921 --> 00:01:25,480
you CCC for allowing me to speak here. So
today I'm going to talk about my research

15
00:01:25,480 --> 00:01:30,750
on WPA2 and you probably have already
heard about this under the name of KRACK

16
00:01:30,750 --> 00:01:37,770
attacks. Now, the history of this research
is quite interesting, because during my PhD,

17
00:01:37,770 --> 00:01:44,490
I was already researching the security of
wireless networks and during my PhD

18
00:01:44,490 --> 00:01:50,840
defense last year, when I was finishing up
on writing my thesis, one of the jury

19
00:01:50,840 --> 00:01:57,230
members in my PhD asked: "Hey, you're
recommending WPA2 with AES in your thesis,

20
00:01:57,230 --> 00:02:03,390
but are you sure that's really a secure
solution?" And last year my answer was:

21
00:02:03,390 --> 00:02:08,229
"Yeah, I mean it seems secure. It has been
around for more than a decade and if we

22
00:02:08,229 --> 00:02:11,920
ignore some brute-force attacks against
the password, if you select a secure

23
00:02:11,920 --> 00:02:16,910
password, then there are no real weaknesses
that are known. On top of that, there are

24
00:02:16,910 --> 00:02:21,190
also mathematical proofs that state that
if you have the 4-way handshake on the

25
00:02:21,190 --> 00:02:27,490
encryption algorithm, that it's supposed to
be secure. Unfortunately, a year later I

26
00:02:27,490 --> 00:02:32,800
was staring at some OpenBSD code. In
particular, I was looking at this function

27
00:02:32,800 --> 00:02:39,440
called ic_set_key. The details aren't
important here yet, but this key installs

28
00:02:39,440 --> 00:02:44,470
the encryption key for use by the driver,
so frames get encrypted and I was

29
00:02:44,470 --> 00:02:48,240
wondering, what
would happen if this function is called

30
00:02:48,240 --> 00:02:53,459
twice. And I was thinking, like, will it
reinstall the key and what will happen

31
00:02:53,459 --> 00:02:58,380
when you reinstall the key? And it turns
out that answering this question led to

32
00:02:58,380 --> 00:03:06,540
the attack I found and as you know by now,
this uncovered the flaw in WPA2. So in a

33
00:03:06,540 --> 00:03:13,589
sense, this talk is all about how I gave
the wrong answer during my PhD defense. To

34
00:03:13,589 --> 00:03:19,590
explain the attack, I will illustrate it
against the 4-way handshake. After that I

35
00:03:19,590 --> 00:03:24,470
will discuss the impact of the attack in
practice, then I will go over some

36
00:03:24,470 --> 00:03:28,720
common misconceptions that have been
floating around the internet and finally I

37
00:03:28,720 --> 00:03:31,940
will discuss some lessons that we can
learn from this

38
00:03:31,940 --> 00:03:37,819
research and from our findings. Let's get
started with explaining the attack against

39
00:03:37,819 --> 00:03:42,290
the 4-way handshake and the first
question I have to answer here is: what

40
00:03:42,290 --> 00:03:48,740
exactly is this 4-way handshake? And the
4-way handshake is executed whenever

41
00:03:48,740 --> 00:03:53,349
you connect to a protected Wi-Fi network.
It's used when you connect to your home

42
00:03:53,349 --> 00:03:57,290
Wi-Fi network where you just have a pre-
shared password, but it's also used in

43
00:03:57,290 --> 00:04:02,489
enterprise network-networks where you for
example have a username and a password to

44
00:04:02,489 --> 00:04:06,239
log in.
The purpose of this handshake is to verify

45
00:04:06,239 --> 00:04:10,800
that you possess the correct credentials
in order to connect to the network and at

46
00:04:10,800 --> 00:04:15,250
the same time, this 4-way handshake
negotiates a fresh session key that will

47
00:04:15,250 --> 00:04:19,979
be used to encrypt data frames.
This session key is called the PTK, the

48
00:04:19,979 --> 00:04:27,610
pairwise temporal key. And as I mentioned,
this handshake seemed to be really secure

49
00:04:27,610 --> 00:04:33,769
because for over a decade, no attacks have
been found against it, assuming that a

50
00:04:33,769 --> 00:04:40,020
secure password is being used, and on top
of that, the 4-way handshake was

51
00:04:40,020 --> 00:04:43,729
formally proven to be secure and the
encryption algorithm that is used after

52
00:04:43,729 --> 00:04:48,659
the 4-way handshake, which generally
is AES CCMP, that was also formally

53
00:04:48,659 --> 00:04:53,550
proven to be secure.
Yet somehow we did find an attack even

54
00:04:53,550 --> 00:04:57,199
though we have all these formal proofs,
even though this protocol has been around

55
00:04:57,199 --> 00:05:01,230
for that long. So what went
wrong?

56
00:05:01,230 --> 00:05:08,050
To explain this, I'm going to explain how
the 4-way handshake works, using this

57
00:05:08,050 --> 00:05:12,550
specific example. So let's say, we have the
client on the right here that wants to

58
00:05:12,550 --> 00:05:17,710
connect to the access point on the left.
Now, in order to start the 4-way

59
00:05:17,710 --> 00:05:22,020
handshake, there first needs to be some
preshared secrets between the client on

60
00:05:22,020 --> 00:05:26,749
the access point and if you have a network
at home, this preshared secret is basically

61
00:05:26,749 --> 00:05:30,750
the password of the network. But if you
have an enterprise or a more professional

62
00:05:30,750 --> 00:05:35,649
network, then - where you for example have
to log in using a username and a password -

63
00:05:35,649 --> 00:05:41,789
then first 802.1x authentication algorithm
is executed, which in practice is commonly

64
00:05:41,789 --> 00:05:47,079
some form of RADIUS authentication.
The details of that are not important.

65
00:05:47,079 --> 00:05:51,180
What's important here is the result.
Namely, after this authentication phase

66
00:05:51,180 --> 00:05:55,509
there is a shared secret between the
client and the access point.

67
00:05:55,509 --> 00:06:01,460
And once we have this shared secret, we
can execute the 4-way handshake. What

68
00:06:01,460 --> 00:06:06,879
the first two messages in the 4-way
handshake do, is they transport a random

69
00:06:06,879 --> 00:06:11,099
number between both devices.
So in particular, the access point will

70
00:06:11,099 --> 00:06:15,569
generate a random number called the access
point nonce, the ANonce, and it will

71
00:06:15,569 --> 00:06:20,379
transport that to the client.
Then in reaction to that, the client will

72
00:06:20,379 --> 00:06:24,150
generate its own random number called the
supplicant nonce - and supplicant is

73
00:06:24,150 --> 00:06:29,119
basically a synonym for client - and it
will send that random number, the SNonce,

74
00:06:29,119 --> 00:06:36,550
to the access point in the second message
of the handshake. Once both devices have

75
00:06:36,550 --> 00:06:41,690
each other's random number, then we can
derive this unique per session key.

76
00:06:41,690 --> 00:06:46,860
How that key is derived, is fairly simple: we
take the preshared key, that is known

77
00:06:46,860 --> 00:06:51,669
between these two devices, we combine that
with both of these random numbers and the

78
00:06:51,669 --> 00:06:56,849
result is the PTK, this fresh encryption
key, that will later be used to encrypt

79
00:06:56,849 --> 00:07:02,930
data frames.
Now, I want to clarify one thing, and you

80
00:07:02,930 --> 00:07:07,849
might have heard about this research under
the name 'key reinstallation attacks:

81
00:07:07,849 --> 00:07:13,610
forcing nonce reuse in WPA2'.
I want to highlight here that the nonce

82
00:07:13,610 --> 00:07:17,990
reuse does not refer to the nonce reuse
about the ANonce or SNonce during the

83
00:07:17,990 --> 00:07:22,479
4-way handshake. So here we're going [to]
assume, that these ANonce and SNonce, that

84
00:07:22,479 --> 00:07:27,249
they are random and not predictable. The
nonce reuse refers to nonce reuse that

85
00:07:27,249 --> 00:07:34,000
will happen during the encryption
algorithm, which I will explain in a bit.

86
00:07:34,000 --> 00:07:40,249
That's it for the first stage of the 4-way
handshake. The second stage of the 4-way

87
00:07:40,249 --> 00:07:47,429
handshake, a bit simplified, it basically
confirms that both parties negotiate at

88
00:07:47,429 --> 00:07:51,999
the same PTK, the same encryption key. And
in particular, the access point will send

89
00:07:51,999 --> 00:07:56,909
Message 3 to the client. The client will
verify the authenticity of that frame and

90
00:07:56,909 --> 00:08:04,309
if everything looks ok, the client will
reply using Msg4 to the access point.

91
00:08:04,309 --> 00:08:08,739
Once these four messages have been
exchanged, both the client on the access

92
00:08:08,739 --> 00:08:15,569
point will install the PTK for use by the
driver, so now data frames can be exchanged

93
00:08:15,569 --> 00:08:22,139
and these data frames will be encrypted.
Ok, so now we covered the 4-way

94
00:08:22,139 --> 00:08:29,010
handshake, we know the highlight of how it
works. Now the final thing I need to

95
00:08:29,010 --> 00:08:34,639
explain, before we can get to the details
of the attack, is: How does encryption work

96
00:08:34,639 --> 00:08:40,059
in a Wi-Fi network? And to explain this,
let's take the example here, where we want

97
00:08:40,059 --> 00:08:44,510
to send some plain text data from, e.g.,
from the client to the access

98
00:08:44,510 --> 00:08:49,399
point. Then the first thing that will
happen, is that we will take the PTK and

99
00:08:49,399 --> 00:08:53,309
the fresh session key, that the 4-way
handshake just negotiated and we will

100
00:08:53,309 --> 00:08:59,940
combine that with a packet number. And here,
this packet number is called a nonce.

101
00:08:59,940 --> 00:09:04,750
The packet number is incremented by 1 for
every frame, that is transmitted and the ID

102
00:09:04,750 --> 00:09:09,579
here is, that by combining the session key
with the packet number we get a unique per

103
00:09:09,579 --> 00:09:15,930
packet key for every packet that we want
to transmit.

104
00:09:15,930 --> 00:09:20,329
The way the encryption now works is fairly
simple, we feed this per packet key as

105
00:09:20,329 --> 00:09:25,911
input to a stream cipher. We get us output
some key stream, we simply XOR that key

106
00:09:25,911 --> 00:09:31,610
stream with the plaintext and the result
is the encrypted data, the ciphertext.

107
00:09:31,610 --> 00:09:36,620
Now we prepense a plaintext header with
some metadata and also the packet number,

108
00:09:36,620 --> 00:09:40,479
the nonce value, that we used, so the
receiver will be able to decrypt the

109
00:09:40,479 --> 00:09:46,120
packet. Essentially, this is just a stream
cipher, where a nonce is used to always

110
00:09:46,120 --> 00:09:52,899
derive a unique per packet key. Now there's
one essential requirements in this

111
00:09:52,899 --> 00:09:58,000
encryption key.
That is, that under a particular session

112
00:09:58,000 --> 00:10:04,300
key, a nonce value should only be used once,
because if you ever reuse a nonce value,

113
00:10:04,300 --> 00:10:08,299
you will generate the same per packet key.
You will generate the same key stream and

114
00:10:08,299 --> 00:10:12,080
this will allow you to decrypt packets,
that are sent and depending on the

115
00:10:12,080 --> 00:10:19,359
specific stream cipher that is being used,
it will also allow you to forge frames.

116
00:10:19,359 --> 00:10:20,549
*clears his throat*

117
00:10:20,549 --> 00:10:28,040
Now the question here is: Is this nonce
value indeed only used once? And we already

118
00:10:28,040 --> 00:10:32,350
know, that it is incremented by one for
every packet that is transmitted, so the

119
00:10:32,350 --> 00:10:37,070
only question that remains is: To what
value is this packet number initialized?

120
00:10:37,070 --> 00:10:44,050
And the answer is quite simple: when the
PTK is installed, this transmit nonce is

121
00:10:44,050 --> 00:10:49,279
initialized to 0.
At first sight, this makes a lot of sense.

122
00:10:49,279 --> 00:10:53,550
I mean, you initiate that number to 0,
you increment it by one for every packet,

123
00:10:53,550 --> 00:11:00,700
so surely this nonce is a specific nonce
value, is only used once.

124
00:11:00,700 --> 00:11:06,959
Unfortunately, this is not the case. And the
reason this nonce value or a particular

125
00:11:06,959 --> 00:11:11,930
nonce value is sometimes used more than
once, is because we can force

126
00:11:11,930 --> 00:11:17,540
reinstallations of the PTK and those
reinstallations will again reset the nonce

127
00:11:17,540 --> 00:11:23,980
to 0 and then nonce value will be reused.
So, how can we force these key

128
00:11:23,980 --> 00:11:29,339
reinstallations as an attacker?
Let's again take the example where we have

129
00:11:29,339 --> 00:11:34,660
a client on the left, that wants to connect
to the access point on the right and in

130
00:11:34,660 --> 00:11:38,970
this case, we also have an attacker that
sits in the middle and this attacker will

131
00:11:38,970 --> 00:11:45,410
assume a so-called channel-based man-in-
the-middle position and in this-man-in-the-

132
00:11:45,410 --> 00:11:50,800
middle position, the adversary isn't yet
able to decrypt any packets. This man-in-

133
00:11:50,800 --> 00:11:56,020
the-middle position is purely there, so we
can reliably block packets from arriving

134
00:11:56,020 --> 00:12:01,909
and we can reorder the packet and so on. We
are not breaking encryption yet. And the

135
00:12:01,909 --> 00:12:06,690
way we obtain this man-in-the-middle
position is, we simply take all the frames

136
00:12:06,690 --> 00:12:11,250
that the access point which, e.g.,
is on Channel 6, we take all the frames

137
00:12:11,250 --> 00:12:16,250
that it is broadcasting and as an attacker,
we capture them and we rebroadcast them, we

138
00:12:16,250 --> 00:12:21,220
retransmit them on a different channel, 
e.g. Channel 1. So we are effectively

139
00:12:21,220 --> 00:12:26,829
cloning the real access point on a rogue
channel and then we force the victim into

140
00:12:26,829 --> 00:12:31,069
connecting to this rogue access point on
this different channel.

141
00:12:31,069 --> 00:12:36,020
So let's assume now that the attacker
obtains this position, this man-in-the-

142
00:12:36,020 --> 00:12:42,620
middle position and the first stage of the
4-way handshake, we don't modify any

143
00:12:42,620 --> 00:12:48,579
frames at all. So e.g. if the
client is using 802.1x authentication, we

144
00:12:48,579 --> 00:12:52,800
simply forward all the frames between
these two different channels and we do the

145
00:12:52,800 --> 00:12:56,600
same thing with the first three messages
of the 4-way handshake, we simply

146
00:12:56,600 --> 00:13:03,970
forward them unmodified. Where the attack
starts, is if the client sends Msg4

147
00:13:03,970 --> 00:13:08,990
of the 4-way handshake. Instead of
forwarding this message to the access

148
00:13:08,990 --> 00:13:14,329
point, we don't forward it, which in our
situation is equivalent to blocking the

149
00:13:14,329 --> 00:13:20,860
message from arriving at the access point.
Now what's interesting in this situation,

150
00:13:20,860 --> 00:13:26,670
is that from the perspective of the client,
the handshake now successfully completed.

151
00:13:26,670 --> 00:13:32,040
After all, it received Msg3, it
replied using Msg4 and it thinks that

152
00:13:32,040 --> 00:13:35,860
the handshake is done, meaning it now
installs the encryption key and installs

153
00:13:35,860 --> 00:13:44,439
the PTK for use. So, let's make some space
here - the client thinks, that the handshake

154
00:13:44,439 --> 00:13:48,660
was completed, it has installed the key,
but the access point hasn't received

155
00:13:48,660 --> 00:13:55,339
Msg4 yet and the access point will
try to recover from this situation and it

156
00:13:55,339 --> 00:14:02,269
will do that by retransmitting a new
Msg3. And as the - as we, as the

157
00:14:02,269 --> 00:14:06,620
attacker, will forward this message to the
client, the client will accept this

158
00:14:06,620 --> 00:14:11,579
retransmitted Msg3 and then the Wi-Fi
standard says, that if you receive a

159
00:14:11,579 --> 00:14:16,940
retransmitted Msg3, you will reply
using a new Msg4. After that you will

160
00:14:16,940 --> 00:14:23,449
also install the encryption key again. Now,
one remark that I want to make here, is

161
00:14:23,449 --> 00:14:30,519
that, when we receive the retransmitted
Msg3, we reply using a new Msg4,

162
00:14:30,519 --> 00:14:36,149
however, this Msg4 will be already
encrypted at the link layer and the reason

163
00:14:36,149 --> 00:14:40,980
it's already encrypted, is because these
handshake messages are normal data frames

164
00:14:40,980 --> 00:14:45,879
and well, we already installed the
encryption key to encrypt data frames. So

165
00:14:45,879 --> 00:14:51,610
nearly all implementations we tested, will
send Msg4, the retransmitted Msg4,

166
00:14:51,610 --> 00:14:56,709
in an encrypted fashion. Now, I want to
remark here, that the Wi-Fi standard

167
00:14:56,709 --> 00:15:02,649
actually demands that Msg4, if it is
retransmitted, should be sent in plain text,

168
00:15:02,649 --> 00:15:07,020
so according to the specification, this
shouldn't happen. But nearly all

169
00:15:07,020 --> 00:15:12,999
implementations we tested, sent a
retransmitted Msg3 using encryption,

170
00:15:12,999 --> 00:15:17,730
and we will abuse this observation later.
So as I mentioned, after the client

171
00:15:17,730 --> 00:15:22,339
receives a retransmitted Msg3, it'll
reply using Msg4, it will again

172
00:15:22,339 --> 00:15:27,499
install the encryption key, and as a
result of that, this transmit nonce will be

173
00:15:27,499 --> 00:15:34,160
reset, which means, that if the client now
sends another data frame, it will again

174
00:15:34,160 --> 00:15:41,569
use this nonce value of 1 to encrypt the
frame, meaning we have nonce reuse, and we

175
00:15:41,569 --> 00:15:46,220
have key stream reuse, meaning we can now
try to abuse this to decrypt the data

176
00:15:46,220 --> 00:15:51,879
frame.
Now, how are we precisely going to abuse

177
00:15:51,879 --> 00:15:57,740
this, because we do somehow need to
recover the key stream that was used? And

178
00:15:57,740 --> 00:16:03,309
we go back to our observation, that we have
a Msg4 here, that is initially sent in

179
00:16:03,309 --> 00:16:08,180
plain text, and a retransmission of
Msg4 is later sent in an encrypted

180
00:16:08,180 --> 00:16:12,161
fashion. Now, there is a small difference
between these two messages, but

181
00:16:12,161 --> 00:16:15,600
essentially we have a message sent in
plaintext, and we have a message sent

182
00:16:15,600 --> 00:16:20,820
encrypted, and all we need to do, is we
need to XOR these two messages and we have

183
00:16:20,820 --> 00:16:24,350
the key stream corresponding to the nonce
value of 1.

184
00:16:24,350 --> 00:16:28,680
This data frame here at the bottom, it
also uses nonce value of 1, meaning it

185
00:16:28,680 --> 00:16:33,130
uses the exact same key stream, so we XOR
this packet with the key stream and there

186
00:16:33,130 --> 00:16:41,659
you go: We decrypted the packets and we
have now defeated WPA2. So...

187
00:16:41,659 --> 00:16:50,530
*Applause*
Thank you. So, that describes the attack

188
00:16:50,530 --> 00:16:56,129
against the 4-way handshake. And the
4-way handshake is not the only Wi-Fi

189
00:16:56,129 --> 00:17:00,310
handshake that is vulnerable. There are
also other handshakes which can be

190
00:17:00,310 --> 00:17:05,140
attacked in a similar manner, but I'm not
going to explain all of them in detail. If

191
00:17:05,140 --> 00:17:09,650
you want all the nitty-gritty details, I'm
going to refer you to our academic paper.

192
00:17:09,650 --> 00:17:14,260
Here, I'm just going to discuss more the
high-level concepts and the ideas behind

193
00:17:14,260 --> 00:17:18,880
the attack. So, e.g., one handshake
that is also vulnerable, is the group key

194
00:17:18,880 --> 00:17:23,260
handshake, and that handshake is used to
transport the group key from the access

195
00:17:23,260 --> 00:17:27,398
point to the client. And that key is used
to encrypt broadcast and multicast

196
00:17:27,398 --> 00:17:33,570
traffic. Then we also have the FT
handshake. The FT handshake is used, when

197
00:17:33,570 --> 00:17:38,460
you roam from one access point to another
access point of the same Wi-Fi network.

198
00:17:38,460 --> 00:17:42,730
It's used so you can quickly switch
from one access point to another without

199
00:17:42,730 --> 00:17:47,450
a long timeout. And finally, another
handshake that's also vulnerable is the

200
00:17:47,450 --> 00:17:51,990
PeerKey handshake, and that's used when
two clients want to communicate directly

201
00:17:51,990 --> 00:17:59,510
with one another. Okay, so I'm now going
to discuss in a bit more detail, what the

202
00:17:59,510 --> 00:18:05,500
practical impact of our attacks are. And
I'm first going to start with the general

203
00:18:05,500 --> 00:18:11,770
impact that a key reinstallation attack
has. So, let's assume we have a device

204
00:18:11,770 --> 00:18:15,690
that's vulnerable. This device can either
be a client device, e.g. it can be

205
00:18:15,690 --> 00:18:20,370
a smartphone, or a laptop, or these days
it can even be a toaster. They have Wi-Fi

206
00:18:20,370 --> 00:18:26,970
as well. Or it can also be an access
point. So if a client or access point is

207
00:18:26,970 --> 00:18:32,520
vulnerable to our key reinstallation
attack, the first thing that generally

208
00:18:32,520 --> 00:18:38,930
always happens, if this device ever sends
encrypted data frames, we can force it to

209
00:18:38,930 --> 00:18:44,929
reuse the nonce, which in turn we can use
to decrypt frames. But that's not the only

210
00:18:44,929 --> 00:18:50,529
thing we can do when a device is vulnerable.
Another thing we can do, is we can replay

211
00:18:50,529 --> 00:18:57,530
encrypted frames sent towards this device.
Now, why is that the case? That's because

212
00:18:57,530 --> 00:19:02,500
if a key is reinstalled, not only is this
transmit nonce reset to 0, but another

213
00:19:02,500 --> 00:19:08,380
parameter, which is called the replay
counter, it is also reset to 0. And this

214
00:19:08,380 --> 00:19:12,490
replay counter, as the name implies,
it's used to detect retransmissions, or

215
00:19:12,490 --> 00:19:18,690
it's used to detect malicious replays. If
this counter is reset, we can also replay

216
00:19:18,690 --> 00:19:24,510
frames towards a vulnerable device. So,
that's the general impact of a key

217
00:19:24,510 --> 00:19:33,110
reinstallation attack, but there are a lot
of other factors which also influence the

218
00:19:33,110 --> 00:19:41,250
exact impact of the attack, and one of the
things that probably has the biggest

219
00:19:41,250 --> 00:19:48,100
influence, is the encryptions cipher that
is being used. So, e.g., these days

220
00:19:48,100 --> 00:19:52,350
it is quite common that Wi-Fi networks use
AES CCMP. It's the most widely used

221
00:19:52,350 --> 00:19:58,659
encryption algorithm in Wi-Fi networks.
Against this algorithm, the impact in a

222
00:19:58,659 --> 00:20:04,070
sense stays limited to only decrypting and
replaying frames. It's not possible to

223
00:20:04,070 --> 00:20:10,230
abuse our key reinstallation attack to now
forge frames. And really, we got lucky

224
00:20:10,230 --> 00:20:16,690
here, because this is the most widely used
cipher, and against this cipher we cannot

225
00:20:16,690 --> 00:20:22,260
start to forge frames. Because, if we
would have been using the older encryption

226
00:20:22,260 --> 00:20:28,130
algorithm, which is WPA TKIP, against that
algorithm, we would be able to recover the

227
00:20:28,130 --> 00:20:32,200
Message Integrity Check key, which is
basically just a fancy word for the

228
00:20:32,200 --> 00:20:37,179
authentication key. And once we have that
authentication key, we would be able to

229
00:20:37,179 --> 00:20:44,880
forge frames that appear to be sent by the
device under attack. Interestingly, lately

230
00:20:44,880 --> 00:20:50,100
there's also been a new encryption
algorithm that is being introduced, and

231
00:20:50,100 --> 00:20:53,850
that algorithm is
called GCMP. It's fairly new, so only a

232
00:20:53,850 --> 00:20:59,169
few devices currently support it, and
currently it is being rolled out under the

233
00:20:59,169 --> 00:21:06,190
name of WiGig. Against this algorithm, the
impact of a key reinstallation attack is

234
00:21:06,190 --> 00:21:14,000
really the worst, because here we can
again recover the authentication key, but

235
00:21:14,000 --> 00:21:18,520
when we use GCMP, the same authentication
key is used in both communication

236
00:21:18,520 --> 00:21:23,490
directions. So against GCMP, we would be
able to forge frames that are sent from

237
00:21:23,490 --> 00:21:27,580
the client to the access point and also
forge frames that appear to be sent

238
00:21:27,580 --> 00:21:32,630
from the access point to the client, while
for the WPA-TKIP algorithm, we would only

239
00:21:32,630 --> 00:21:37,509
be able to forge frames, that appear to be
sent by the device that is under attack.

240
00:21:37,509 --> 00:21:42,630
So, my opinion - this is a bit surprising,
because GCMP is the latest encryption

241
00:21:42,630 --> 00:21:46,880
algorithm that is defined in the Wi-Fi
standard, yet the impact against it would

242
00:21:46,880 --> 00:21:51,950
be the highest. So, this is also why I
think we got lucky here, because if we

243
00:21:51,950 --> 00:21:55,490
would have found the attack, say maybe
five or ten years later, and everyone

244
00:21:55,490 --> 00:22:01,710
would be using this algorithm, the impact
would have been a lot worse. Another thing

245
00:22:01,710 --> 00:22:06,280
that influences the impact of the attack
is, which specific handshake we are

246
00:22:06,280 --> 00:22:11,169
attacking. For example, if we attack the
group key handshake, then the only thing

247
00:22:11,169 --> 00:22:14,159
we can do is, we can 
only replay, broadcast or

248
00:22:14,159 --> 00:22:20,390
multicast frames. Now, why is that the
case? Why can't we decrypt broadcast or

249
00:22:20,390 --> 00:22:26,390
multicast frames, if a key reinstallation
occurs? And the reason is, that if we

250
00:22:26,390 --> 00:22:30,150
attack the group key handshake, we are
attacking the client, and the client is

251
00:22:30,150 --> 00:22:35,380
never sending actual encrypted broadcast
frames, so will never reuse the transmit

252
00:22:35,380 --> 00:22:40,050
nonce when it encrypts frames, because
it's never encrypting frames. Now, why is

253
00:22:40,050 --> 00:22:44,519
it, that the client never sends real
encrypted broadcast frames? Well, the

254
00:22:44,519 --> 00:22:49,100
reason is quite simple. Let's say, we have
the network layout shown here and the

255
00:22:49,100 --> 00:22:54,229
client on the left wants to send a
broadcast frames to all the other clients.

256
00:22:54,229 --> 00:22:58,419
Now, what happens here, is that this client
will send the data frame it wants to

257
00:22:58,419 --> 00:23:03,690
broadcast as a Unicast frame to the access
point only, meaning it won't encrypt it

258
00:23:03,690 --> 00:23:09,980
yet under the group key. It's the access
points that will broadcast this frame to

259
00:23:09,980 --> 00:23:14,149
all connected clients, and only the access
point will then encrypt it using the group

260
00:23:14,149 --> 00:23:16,350
key, and this is to assure that all
clients

261
00:23:16,350 --> 00:23:20,690
within range of the access point will
receive this broadcast message. Now, for

262
00:23:20,690 --> 00:23:24,659
us, this means that only the access point
is transmitting real encrypted broadcast

263
00:23:24,659 --> 00:23:28,940
frames, and in the group key handshake we
cannot attack the access point. We are

264
00:23:28,940 --> 00:23:33,059
only attacking the client, meaning in
practice, we can only replay broadcast

265
00:23:33,059 --> 00:23:37,560
frames to the client, at least if we are
targeting the group key handshake. So,

266
00:23:37,560 --> 00:23:42,980
really, the impact is limited in practice
if we attack this handshake, because

267
00:23:42,980 --> 00:23:47,769
generally, replaying broadcast data doesn't
have a high impact. Though, I do want to

268
00:23:47,769 --> 00:23:53,250
note, that some home automation systems use
broadcast traffic to, e.g., send

269
00:23:53,250 --> 00:23:59,250
commands to turn the device on or off,
e.g. to turn your fridge on, or to turn

270
00:23:59,250 --> 00:24:03,970
lights on or off, so although the
impact of replaying broadcast frame is

271
00:24:03,970 --> 00:24:08,120
low, there are situations in practice,
where it does have some impact, but it

272
00:24:08,120 --> 00:24:13,090
really depends on your network setup and
the devices that you use. So, the other

273
00:24:13,090 --> 00:24:17,129
handshake that is vulnerable, is the 4-
way handshake, but we already discussed

274
00:24:17,129 --> 00:24:21,809
that. Against a 4-way handshake we can
attack the clients and the impact, is that

275
00:24:21,809 --> 00:24:25,610
we can replay and decrypt frames, and
depending on the encryption algorithm

276
00:24:25,610 --> 00:24:31,690
being used, we can possibly forge frames
as well. The situation is a lot more

277
00:24:31,690 --> 00:24:36,080
interesting for the FT handshake, though.
And remember, this handshake is used, when

278
00:24:36,080 --> 00:24:40,959
you roam from one access point to another
of the same network. Against the FT

279
00:24:40,959 --> 00:24:45,669
handshake, it's not the clients that we
can attack, but here we can attack the

280
00:24:45,669 --> 00:24:51,450
access point. And on top of that, when
attacking the FT handshake, we no longer

281
00:24:51,450 --> 00:24:56,679
need this man-in-the-middle position. Now,
why is that the case? Well, let's again

282
00:24:56,679 --> 00:25:01,370
explain this using our common example,
where a client wants to connect and where

283
00:25:01,370 --> 00:25:08,330
it is executing the FT handshake. And at a
high level, the FT handshake is the same

284
00:25:08,330 --> 00:25:11,520
as the 4-way handshake, meaning you
also have four frames that are

285
00:25:11,520 --> 00:25:16,730
transmitted, but the big difference here
is, that with the FT handshake it's the

286
00:25:16,730 --> 00:25:21,220
client that sends the first message
in the handshake, while for the 4-way

287
00:25:21,220 --> 00:25:26,250
handshake it was the access point that
sends the first message. So, the handshake

288
00:25:26,250 --> 00:25:29,860
is practically the same as the 4-way
handshake, meaning, initially we have two

289
00:25:29,860 --> 00:25:34,190
messages that transport these random
numbers, these nonces, between both

290
00:25:34,190 --> 00:25:40,770
devices. Then, both these endpoints can
generate the fresh encryption key. Then

291
00:25:40,770 --> 00:25:46,090
the last two frames, they are again used
to confirm that both parties negotiated

292
00:25:46,090 --> 00:25:51,210
the same encryption key. Now, I want to go
in a bit more detail here on this last

293
00:25:51,210 --> 00:25:56,600
phase, and what happens here, is that the
third frame of the handshake is now sent

294
00:25:56,600 --> 00:26:01,970
from the client to the access point and
that is a reassociation request. And after

295
00:26:01,970 --> 00:26:06,779
the access point receives this frame, it
will reply using a reassociation response

296
00:26:06,779 --> 00:26:12,799
frame and it will install the encryption
key. Once it has installed the encryption

297
00:26:12,799 --> 00:26:18,590
key, it can of course start sending
encrypted data frames. So, let's again

298
00:26:18,590 --> 00:26:23,820
make some room here. What we can now do
as an attacker, is we can take this

299
00:26:23,820 --> 00:26:28,840
reassociation request that the client
previously transmitted, and we can simply

300
00:26:28,840 --> 00:26:36,450
replay it. That's because in the FT
handshake, there is no replay protection

301
00:26:36,450 --> 00:26:41,730
against messages of the handshake. So we
can just take that frame, we can send it

302
00:26:41,730 --> 00:26:45,380
again to the access point. The access
point will receive it, it will accept it,

303
00:26:45,380 --> 00:26:51,490
and it will reply using a reassociation
response. Now, so far this is not a

304
00:26:51,490 --> 00:26:57,440
problem. The problem here is, that again
the access point will reinstall the

305
00:26:57,440 --> 00:27:01,269
encryption key, and here it goes wrong
because we are reinstalling this

306
00:27:01,269 --> 00:27:05,889
encryption key. The transmit nonce is
again reset to 0, meaning if we now send

307
00:27:05,889 --> 00:27:11,930
the data frame again, the nonce value of 1
is used to encrypt these data frames,

308
00:27:11,930 --> 00:27:14,950
meaning the same key stream is used,
meaning we can start applying the same

309
00:27:14,950 --> 00:27:19,029
tricks to first derive some known key
stream and to then abuse that to attack

310
00:27:19,029 --> 00:27:24,250
the handshake. So, I want to highlight
here a few things. And the first is, the

311
00:27:24,250 --> 00:27:27,740
reason why we don't need a man-in-the-
middle position, is because handshake

312
00:27:27,740 --> 00:27:30,170
messages in
the FT handshake, they are not protected

313
00:27:30,170 --> 00:27:34,720
against replays, while in the 4-way
handshake, every handshake messages

314
00:27:34,720 --> 00:27:40,330
contains a sequence counter, where the
receiver uses the sequence counter to

315
00:27:40,330 --> 00:27:44,450
detect replays, but for the FT handshake
that's not the case, so we can just take

316
00:27:44,450 --> 00:27:48,090
these messages, we can replay them, and we
don't need a man-in-the-middle position to

317
00:27:48,090 --> 00:27:55,351
block packets and to trigger
retransmissions. Ok, so that's the

318
00:27:55,351 --> 00:28:01,630
explanation for the FT handshake. Another
factor that can influence the impacts of

319
00:28:01,630 --> 00:28:06,660
our attack in practice, is which operating
system and which device precisely we are

320
00:28:06,660 --> 00:28:12,120
attacking. And in particular, we see that
iOS and Windows, they are not vulnerable

321
00:28:12,120 --> 00:28:17,970
against attacks against a 4-way
handshake. And why is that the case? Well,

322
00:28:17,970 --> 00:28:22,360
that's because these two devices don't
really follow the standard, and they don't

323
00:28:22,360 --> 00:28:26,659
accept retransmissions of Msg3,
meaning we cannot abuse these

324
00:28:26,659 --> 00:28:33,180
retransmissions of Msg3 to trigger
these key reinstallations.

325
00:28:33,180 --> 00:28:36,380
Now, I want to make two remarks 
here. And the first one is, that

326
00:28:36,380 --> 00:28:41,550
against these devices we can still attack
the group key handshake. And particularly

327
00:28:41,550 --> 00:28:46,860
when looking at iOS, if we look at iOS
version 11, it does implement the standard

328
00:28:46,860 --> 00:28:50,679
properly and it does accept
retransmissions of Msg3, meaning that

329
00:28:50,679 --> 00:28:58,580
one is vulnerable to attacks against the
4-way handshake. Now, Linux is not much

330
00:28:58,580 --> 00:29:04,460
better, because if we look at the Wi-Fi client
that is used on Linux, and for example on

331
00:29:04,460 --> 00:29:11,750
Android, it's called wpa_supplicant, and
against wpa_supplicant 2.4 and higher, we

332
00:29:11,750 --> 00:29:17,919
notice that, if we try to perform a key
reinstallation attack, it won't reinstall

333
00:29:17,919 --> 00:29:22,990
the secret key that was negotiated, but
no, instead it will suddenly install an

334
00:29:22,990 --> 00:29:27,870
all-zero encryption key, and then it of
course becomes very trivial to start

335
00:29:27,870 --> 00:29:36,919
decrypting data that this device is
transmitting. Now, why does this happen?

336
00:29:36,919 --> 00:29:42,659
I can actually sort of understand why this
went wrong. So, I'm going to explain what

337
00:29:42,659 --> 00:29:48,990
the implementation does wrong, to... why it
installs this all-zero key. And to explain

338
00:29:48,990 --> 00:29:52,460
this, I'm going to assume that we have an
Android device that is connecting to an

339
00:29:52,460 --> 00:29:56,660
access point. And we're going to zoom in a
bit on the implementation of the Android.

340
00:29:56,660 --> 00:30:01,080
And we're going to look at two entities.
We're first going to look at wpa_supplicant,

341
00:30:01,080 --> 00:30:05,330
which is represented by the
handshake icon here, and we're also going

342
00:30:05,330 --> 00:30:10,429
to look at another entity, namely the
Linux kernel. It's the Linux kernel that

343
00:30:10,429 --> 00:30:15,239
will be responsible for encrypting data
frames, and wpa_ supplicant will be

344
00:30:15,239 --> 00:30:20,889
responsible for executing the 4-way handshake.
And of course we assume, that we as an

345
00:30:20,889 --> 00:30:27,410
attacker are nearby, and we again have
this man-in-the-middle position. So, what

346
00:30:27,410 --> 00:30:31,149
does an attacker have to do to cause this
installation of an all-zero encryption

347
00:30:31,149 --> 00:30:36,780
key? Well, again, we simply let the first
phase of the 4-way handshake execute

348
00:30:36,780 --> 00:30:42,460
normally, and when the access point sends
Msg3 of the 4-way handshake, we

349
00:30:42,460 --> 00:30:48,679
forward that to the Android. Android will
reply using Msg4. And we will

350
00:30:48,679 --> 00:30:53,510
again block Msg4 from arriving at the
access point.

351
00:30:53,510 --> 00:30:58,090
Now, completely similar to the case with
the 4-way handshake, the client thinks that

352
00:30:58,090 --> 00:31:02,019
the handshake now successfully completed,
meaning it will install the encryption

353
00:31:02,019 --> 00:31:07,600
key. How it will install the encryption
key is as follows: It commands the Linux

354
00:31:07,600 --> 00:31:15,059
kernel into installing the encryption key
in the driver. And the driver itself will

355
00:31:15,059 --> 00:31:19,080
make a copy of the encryption key. And it
will store it locally. And the driver can

356
00:31:19,080 --> 00:31:24,280
then encrypt frames. Now this means that
wpa_supplicant, which is just a user land

357
00:31:24,280 --> 00:31:28,139
program, no longer needs to store the
encryption key, meaning it will clear it

358
00:31:28,139 --> 00:31:34,270
from memory. What will happen now, if we
continue with the attack, is that the

359
00:31:34,270 --> 00:31:38,969
access point will retransmit Msg3,
because it did not receive Msg4. The

360
00:31:38,969 --> 00:31:42,790
client will again happily accept this
retransmitted Msg3 and reply using

361
00:31:42,790 --> 00:31:48,289
Msg4. And again it will instruct the
Linux kernel saying "Hey, please install

362
00:31:48,289 --> 00:31:52,389
this encryption key that is located at
this address in the memory." But of

363
00:31:52,389 --> 00:31:56,789
course, that memory is now all zeros,
because that key has just been cleared

364
00:31:56,789 --> 00:31:59,720
from memory. So,
now it's basically commanding the Linux

365
00:31:59,720 --> 00:32:04,139
kernel into installing an all-zero
encryption key. And the Linux kernel and

366
00:32:04,139 --> 00:32:09,080
driver will happily obey this command and
they will install an all-zero encryption

367
00:32:09,080 --> 00:32:13,690
key, meaning at this point, all the data
that the client is sending, is encrypted

368
00:32:13,690 --> 00:32:18,370
using a known key, so we can easily
decrypt all the traffic, and of course we

369
00:32:18,370 --> 00:32:23,470
can also send any traffic we want to the
client. Basically, we are now a rogue

370
00:32:23,470 --> 00:32:28,529
access point and we can manipulate the
traffic of the client as we wish.

371
00:32:28,529 --> 00:32:37,699
*Applause*
MV: Thank you. So, after this you might be

372
00:32:37,699 --> 00:32:42,940
wondering, "Well, gee, is my device
vulnerable?" And you can test your own

373
00:32:42,940 --> 00:32:50,039
device using the following script. It's on
github. I have tested the script on Kali

374
00:32:50,039 --> 00:32:54,870
Linux, on Arch Linux, and also on Ubuntu,
so I could recommend using one of these

375
00:32:54,870 --> 00:33:00,270
distributions, and I also recommend to use
a Wi-Fi dongle that we or someone else has

376
00:33:00,270 --> 00:33:05,409
tested ourselves, because we noticed that
if you use our testing scripts with some

377
00:33:05,409 --> 00:33:08,960
older
Wi-Fi devices, then there are some bugs in

378
00:33:08,960 --> 00:33:16,279
these Wi-Fi devices which cause our
scripts to fail. And one way to also

379
00:33:16,279 --> 00:33:20,010
prevent our scripts to fail, is to disable
hardware encryption. Now, how you should do

380
00:33:20,010 --> 00:33:25,409
that is also explained on this page. Using
these scripts, you can test both your

381
00:33:25,409 --> 00:33:29,140
client devices, you can test against
attacks against the 4-way handshake,

382
00:33:29,140 --> 00:33:33,799
the group key handshake, and there's also
a script to test the access point, whether

383
00:33:33,799 --> 00:33:40,519
it's vulnerable against attacks against
the FT handshake. Now, if you're going to

384
00:33:40,519 --> 00:33:45,500
try to see which devices are vulnerable,
you are most likely going to see that

385
00:33:45,500 --> 00:33:52,559
quite some clients are still vulnerable to
our attacks. Luckily, we can modify the

386
00:33:52,559 --> 00:33:58,129
access point to prevent attacks against
the client. In particular, we can make

387
00:33:58,129 --> 00:34:02,620
additional modifications to the access
point, such that the access points never

388
00:34:02,620 --> 00:34:07,149
retransmits Msg3 of the 4-way
handshake, and that it also never

389
00:34:07,149 --> 00:34:11,640
retransmits the first message of the group
key handshake. And if we do that, then

390
00:34:11,640 --> 00:34:17,060
clients that are connected to such a
modified access points, they are no longer

391
00:34:17,060 --> 00:34:19,130
vulnerable against most attacks. There are

392
00:34:19,130 --> 00:34:24,660
still some edge cases where the device is
vulnerable, but these have a very low

393
00:34:24,660 --> 00:34:29,909
impact. So, if we modify an access point
in this way, then connected clients are no

394
00:34:29,909 --> 00:34:34,719
longer vulnerable. One downside here is,
that because we are no longer

395
00:34:34,719 --> 00:34:40,530
retransmitting certain messages, it could
be that especially in a noisy environment,

396
00:34:40,530 --> 00:34:44,520
because we don't retransmit these messages
anymore, that the handshake may fail

397
00:34:44,520 --> 00:34:50,500
because the reliability is now less. Now,
one thing I also want to remark here,

398
00:34:50,500 --> 00:34:57,310
that... if you have a router, which is
vulnerable against our attack and a

399
00:34:57,310 --> 00:35:02,090
vendor says "Hey, we patched our router,
so we patched our access point to defend

400
00:35:02,090 --> 00:35:07,400
against attacks," then this does not mean
that this access point implements these

401
00:35:07,400 --> 00:35:10,780
countermeasures. Because these
countermeasures, they are additional

402
00:35:10,780 --> 00:35:15,920
modifications on top of the normal
patches to defend against the attack. So,

403
00:35:15,920 --> 00:35:21,130
only if a vendor explicitly says that "Our
patches of the access point also prevent

404
00:35:21,130 --> 00:35:26,320
attacks against clients," then, only if
they explicitly say that, are attacks

405
00:35:26,320 --> 00:35:32,640
against the client also prevented. Ok,
so now I want to cover some misconceptions

406
00:35:32,640 --> 00:35:39,810
that have been floating around the
internet. And the first one is, that some

407
00:35:39,810 --> 00:35:43,490
people claim, if you only patch the
clients, or if you only patch the access

408
00:35:43,490 --> 00:35:46,980
point, then you're fine. But that's not
the case. Because if you only patch the

409
00:35:46,980 --> 00:35:51,420
client and the access point is vulnerable,
then we can still attack the access point.

410
00:35:51,420 --> 00:35:54,810
If the access point only contains these
normal patches, the normal patches to

411
00:35:54,810 --> 00:36:00,021
defend against attacks, then connected
clients are also still vulnerable. So, as

412
00:36:00,021 --> 00:36:05,660
I mentioned, connected clients are only
defended, if the access point contains

413
00:36:05,660 --> 00:36:11,530
really extra modifications on top of the
default patches. Now, another common

414
00:36:11,530 --> 00:36:17,081
misconception is, that some people might
say "But, yeah, it's a cool attack, but

415
00:36:17,081 --> 00:36:22,490
you have to be close to the network in
order to pull off these attacks."

416
00:36:22,490 --> 00:36:26,920
Unfortunately, that's not the case because
we can use special antenna. And this

417
00:36:26,920 --> 00:36:30,171
special antenna, they can be made
really cheap out of, e.g. just a

418
00:36:30,171 --> 00:36:36,040
tin can, and with this special antenna, we
can manipulate Wi-Fi traffic from up to,

419
00:36:36,040 --> 00:36:41,450
say, 2 miles. And there are even leaked
NSA documents, where the NSA is able to

420
00:36:41,450 --> 00:36:47,440
exploit a Wi-Fi network using other
attacks from up to 8 miles away. Now,

421
00:36:47,440 --> 00:36:51,010
that's of course with a clear line of
sight, but still this shows that you don't

422
00:36:51,010 --> 00:36:54,620
have to be physically close to the
network. You can still be relatively far

423
00:36:54,620 --> 00:37:02,370
away. Another strange remark that I
sometimes hear, is that you need to be

424
00:37:02,370 --> 00:37:06,630
connected to the network in order to pull
off these attacks, which would basically

425
00:37:06,630 --> 00:37:10,440
mean, you need to know the password of the
network to carry out the attacks. But

426
00:37:10,440 --> 00:37:14,540
that's not the case. As I mentioned,
during the attacks, you only need to be

427
00:37:14,540 --> 00:37:19,740
close enough. You need to be able to
manipulate some encrypted packets. But you

428
00:37:19,740 --> 00:37:23,740
don't need to know anything about the
network. You simply need to know the

429
00:37:23,740 --> 00:37:27,210
network is there and there's a vulnerable
client and access point and then you can

430
00:37:27,210 --> 00:37:34,450
start attacking them. One remark that I
can understand, is that some people

431
00:37:34,450 --> 00:37:39,430
say that "Yeah, Ok, you can attack these
handshakes, and you can decrypt data that

432
00:37:39,430 --> 00:37:43,630
is sent right after these handshakes, but
generally right after you connect to an

433
00:37:43,630 --> 00:37:48,690
Wi-Fi network, you're not really sending
interesting data, because at that point

434
00:37:48,690 --> 00:37:53,520
your device is sending e.g. ARP
requests, or it's sending DHCP requests,

435
00:37:53,520 --> 00:37:59,770
or is just creating TCP connections. But
no useful information is transmitted at

436
00:37:59,770 --> 00:38:06,260
this time." Unfortunately, at least for a
defender, this is again not true. Because,

437
00:38:06,260 --> 00:38:10,090
what we can do as an attacker is, we can
first let the client connect *blackout* out

438
00:38:10,090 --> 00:38:14,041
manipulating any traffic. The client, the
victim, will then, e.g. start

439
00:38:14,041 --> 00:38:20,120
browsing the internet, start
opening TCP connections, and in the middle

440
00:38:20,120 --> 00:38:24,070
of that, while the victim is e.g.
surfing the internet, we can

441
00:38:24,070 --> 00:38:28,090
deauthenticate the client from the
network, and all operating system will

442
00:38:28,090 --> 00:38:32,020
then immediately execute a new 4-way
handshake. And once that 4-way

443
00:38:32,020 --> 00:38:37,500
handshake is then completed, it will 
send all the buffered TCP packets again

444
00:38:37,500 --> 00:38:41,280
to the access point and also in a reverse
direction. So, basically, what we as an

445
00:38:41,280 --> 00:38:45,170
attacker can do, we can wait until we
expect the victim to send interesting

446
00:38:45,170 --> 00:38:49,190
information. Then we deauthenticate the
victim. It will execute a new handshake.

447
00:38:49,190 --> 00:38:56,010
And then we can decrypt the data that will
be transmitted right after that handshake.

448
00:38:56,010 --> 00:38:59,520
Another thing that makes the attack
possibly hard, is that obtaining this

449
00:38:59,520 --> 00:39:03,500
channel based man-in-the-middle is
difficult. For example, you might be

450
00:39:03,500 --> 00:39:07,760
thinking that in order to force the
clients to connect to the rogue access

451
00:39:07,760 --> 00:39:13,150
point, you need a stronger signal strength
than a real access point. But again,

452
00:39:13,150 --> 00:39:17,870
that's not the case. And the reason this
is not the case, is because we can use

453
00:39:17,870 --> 00:39:23,350
special Wi-Fi packets and so-called
channel switch announcements, which

454
00:39:23,350 --> 00:39:28,680
command the client into switching to a
different Wi-Fi channel, and effectively

455
00:39:28,680 --> 00:39:32,400
*blackout* to a rogue access point. So we don't
need a high signal strength, we can simply

456
00:39:32,400 --> 00:39:36,520
command a victim into saying "Hey, switch
to this channel and connect to our access

457
00:39:36,520 --> 00:39:40,820
point." And these frames are not
authenticated, so we can just forge them

458
00:39:40,820 --> 00:39:47,780
as an attacker. Another thing you might
say, that the complexity of the attack is

459
00:39:47,780 --> 00:39:52,871
hard, meaning it requires some expertise
to implement this. And this is true. You

460
00:39:52,871 --> 00:39:59,110
do need to know a bit about Wi-Fi in order
to make a proof of concept reliable, but

461
00:39:59,110 --> 00:40:03,480
as usual you only need to write this
attack once, and then people can use your

462
00:40:03,480 --> 00:40:07,880
script in order to attack others. And this
is similar to, e.g., memory

463
00:40:07,880 --> 00:40:13,350
corruption attacks, such as buffer
overflows or stack overflows. Writing the

464
00:40:13,350 --> 00:40:17,040
proof of concept may be hard, but if you
then give it to someone else, or if you

465
00:40:17,040 --> 00:40:22,000
put it in Metasploit or some other tool,
all the user has to do, is basically start

466
00:40:22,000 --> 00:40:29,270
the script, and you can start attacking
people. One other misconception that I

467
00:40:29,270 --> 00:40:35,630
sometimes encounter, is that people say "If
you use AES-CCMP, this mitigates the

468
00:40:35,630 --> 00:40:41,840
attack." Again, unfortunately, this is not
true, because the only advantage of using

469
00:40:41,840 --> 00:40:47,260
AES-CCMP is that
the attacker can no longer forge frames.

470
00:40:47,260 --> 00:40:52,680
The attacker is still able to decrypt and
replay frames. And finally, the last

471
00:40:52,680 --> 00:40:57,800
misconception is, that some people say that
enterprise networks aren't vulnerable,

472
00:40:57,800 --> 00:41:02,830
because they e.g. don't execute
the 4-way handshake. But again,

473
00:41:02,830 --> 00:41:07,450
unfortunately, that's wrong, because even
these networks use the 4-way handshake

474
00:41:07,450 --> 00:41:13,610
and they can be attacked as well. So, then
you have some people that say "OK, WPA2 is

475
00:41:13,610 --> 00:41:19,880
now completely broken. It's the end of the
world and we're all doomed." Let's not get

476
00:41:19,880 --> 00:41:25,530
carried away, though. We can patch these
vulnerabilities in a backwards compatible

477
00:41:25,530 --> 00:41:30,190
way. And as I illustrated here in my talk,
the impact also really depends on the

478
00:41:30,190 --> 00:41:34,530
devices that you are using and your own
network setup. So, sometimes the impact is

479
00:41:34,530 --> 00:41:38,150
actually really low, but of course
sometimes the impact can be very high,

480
00:41:38,150 --> 00:41:43,250
e.g. if you have a Linux device, then
attacker can do what he or she wishes,

481
00:41:43,250 --> 00:41:49,660
essentially. Now, for the last part of the
talk, I'm going to discuss some lessons

482
00:41:49,660 --> 00:41:56,150
that we can learn from this attack and
also the research. I think one of the most

483
00:41:56,150 --> 00:42:01,320
important and interesting observations -
it's also the reason why I really like

484
00:42:01,320 --> 00:42:06,500
this attack myself - is that the 4-way
handshake was proven to be secure. The

485
00:42:06,500 --> 00:42:11,270
encryption protocol, and in particular
AES, has also been proven as secure.

486
00:42:11,270 --> 00:42:18,560
However, if we combine these two things,
then suddenly we lose all security. And

487
00:42:18,560 --> 00:42:27,400
this is quite unfortunate. And what this
teaches us, is that even though individual

488
00:42:27,400 --> 00:42:33,080
parts of a system were really investigated
and perhaps formally analyzed, we also

489
00:42:33,080 --> 00:42:37,560
need to analyze the combination of these
different entities and models, and we also

490
00:42:37,560 --> 00:42:43,540
need to prove that these combinations are
secure as well. And another way to look at

491
00:42:43,540 --> 00:42:50,830
this, is that in the proof of the 4-way
handshake, the authors, they modeled the

492
00:42:50,830 --> 00:42:56,780
handshake in a rather abstract way. And
their proofs, specifically, they did not

493
00:42:56,780 --> 00:43:00,780
model retransmissions of handshake
messages. And that's one of the things we

494
00:43:00,780 --> 00:43:06,310
abuse. So, on one hand we need to assure
that we also look

495
00:43:06,310 --> 00:43:11,140
at the combinations of these different
entities, but we also need to assure that

496
00:43:11,140 --> 00:43:17,080
the abstract models that we use reflect
reality. Another thing that we can learn,

497
00:43:17,080 --> 00:43:21,690
is that we should keep the protocols and
also the implementations simple.

498
00:43:21,690 --> 00:43:28,490
E.g., if we look at wpa_supplicant 2.6,
when we were studying this version

499
00:43:28,490 --> 00:43:34,600
ourself, we thought it wasn't vulnerable
to key reinstallation attacks. However,

500
00:43:34,600 --> 00:43:40,550
when we were notifying companies of the
vulnerabilities, another researcher found

501
00:43:40,550 --> 00:43:46,800
an attack against this version which did
work. The reason we missed this attack

502
00:43:46,800 --> 00:43:52,780
against version 2.6, is because
wpa_supplicant uses a fairly complex

503
00:43:52,780 --> 00:43:57,600
implementation of the 4-way handshake
and the state machine is fairly complex to

504
00:43:57,600 --> 00:44:02,690
reason about. And there are two ways to
combat this. The first is to keep the

505
00:44:02,690 --> 00:44:07,210
protocol simple. The second way to combat
this, is to formally verify

506
00:44:07,210 --> 00:44:12,630
implementations. Now of course, we cannot
formally verify all the code, but what we

507
00:44:12,630 --> 00:44:17,410
can do is, really, these cryptographic
protocols which play a very important

508
00:44:17,410 --> 00:44:23,950
role, at least we should pay enough
attention to that. What's also

509
00:44:23,950 --> 00:44:29,330
interesting, is that I encountered a
document of the CIA which also agrees, that

510
00:44:29,330 --> 00:44:34,220
complex implementations or protocols are
bad. Specifically, they have a document,

511
00:44:34,220 --> 00:44:39,770
where the CIA advises people how to
properly implement backdoors, essentially,

512
00:44:39,770 --> 00:44:44,760
and they're saying that "Yeah, if you want
to send data back to us, of course, use

513
00:44:44,760 --> 00:44:48,970
encryption, but in that encryption
algorithm, don't enable re-key

514
00:44:48,970 --> 00:44:53,451
functionality, because that enables
additional features of the encryption

515
00:44:53,451 --> 00:44:58,860
algorithm. And these additional features,
they cause unnecessary complexity and that

516
00:44:58,860 --> 00:45:05,031
generally leads to bugs." Another thing
that we can learn, is that the standard

517
00:45:05,031 --> 00:45:10,560
needs to be specified rigorously and as
precisely as possible. Because the

518
00:45:10,560 --> 00:45:17,500
original WPA2 standard, it was a bit fake.
It didn't really define a state machine.

519
00:45:17,500 --> 00:45:23,720
Well, the state machine that it defined
says, what an implementation - sorry -

520
00:45:23,720 --> 00:45:30,360
should do if it receives a message, but -
let's go back to the slides - but it

521
00:45:30,360 --> 00:45:35,270
doesn't define what an implementation
should do when it receives an unexpected

522
00:45:35,270 --> 00:45:41,550
message. So, it doesn't define the order,
in which messages should be accepted. Now,

523
00:45:41,550 --> 00:45:46,760
there is an amendment of the Wi-Fi
standard which better defines how and when

524
00:45:46,760 --> 00:45:52,820
to handle messages, but even that standard
is a bit fake. And I want to remark here

525
00:45:52,820 --> 00:45:58,430
that because the original WPA2 standard
was a bit fake, I can forgive iOS and

526
00:45:58,430 --> 00:46:02,250
Windows for deviating a bit from the
standard. Because the standard was

527
00:46:02,250 --> 00:46:08,750
difficult to interpret correctly. Now, on
a bit of a related note, I want to briefly

528
00:46:08,750 --> 00:46:13,760
mention a workshop that we are organizing,
which is exactly about how to implement

529
00:46:13,760 --> 00:46:18,951
these security protocols properly, how to
e.g. fuzz security protocols, how

530
00:46:18,951 --> 00:46:23,620
to prove that they are correct, how to
make sure that we specify them rigorously.

531
00:46:23,620 --> 00:46:30,070
So, if you are working in this field, do
consider submitting to this. Now, the last

532
00:46:30,070 --> 00:46:35,500
thing that I want to mention on what we
can learn from this research, is how we

533
00:46:35,500 --> 00:46:42,520
can coordinate the disclosure of a
vulnerability like this. Because this is

534
00:46:42,520 --> 00:46:45,730
not an ordinary vulnerability,
that is, just affects one

535
00:46:45,730 --> 00:46:52,450
vendor, it really affects possibly every
Wi-Fi device that is around. So, how on

536
00:46:52,450 --> 00:46:56,880
earth are you going to start notifying
companies? Who are you going to notify?

537
00:46:56,880 --> 00:47:02,360
What would be the deadlines, and so on?
Well, I'm going to discuss a bit about the

538
00:47:02,360 --> 00:47:07,750
strategy that we used, and what we used
first is... we first wanted to determine,

539
00:47:07,750 --> 00:47:12,470
you know, is this really a widespread
issue? We wanted to be sure of that before

540
00:47:12,470 --> 00:47:18,620
we started to notify a lot of companies.
And the way we tackled that problem is, we

541
00:47:18,620 --> 00:47:25,040
first contacted a few selected vendors and
we told them that "Hey, we possibly found

542
00:47:25,040 --> 00:47:30,630
this flaw in the WPA2 protocol, but we
weren't able to test your devices, but you

543
00:47:30,630 --> 00:47:36,210
should check this out." And quite quickly
we got a few responses from vendors, saying

544
00:47:36,210 --> 00:47:41,960
that "Yes, we looked at your attack and
indeed, some of our devices are

545
00:47:41,960 --> 00:47:45,270
vulnerable," and this really confirmed to
us, that a device

546
00:47:45,270 --> 00:47:49,500
that we didn't test ourself was
vulnerable to the attack that we found.

547
00:47:49,500 --> 00:47:52,870
So, it confirmed that the issue is
widespread, and we also got a bit of

548
00:47:52,870 --> 00:47:57,160
feedback on the report that we sent
towards them on the description of our

549
00:47:57,160 --> 00:48:02,550
attack. So, at this point we were
convinced ourselves, that this really was a

550
00:48:02,550 --> 00:48:07,870
flaw in the standard and that a lot of
companies will be affected. Then the next

551
00:48:07,870 --> 00:48:12,620
question we had is, "Okay, who are we now
all going to notify?" We of course

552
00:48:12,620 --> 00:48:16,240
notified the big names and the big
companies, but who else do we have to

553
00:48:16,240 --> 00:48:22,810
notify? And at this point, our tactic was
to rely on a CERT team, specifically a

554
00:48:22,810 --> 00:48:28,680
CERT from the US and they did all the
coordination for us.

555
00:48:28,680 --> 00:48:33,760
But one other thing that you can do is,
that if you're not sure who all is

556
00:48:33,760 --> 00:48:38,690
affected or what, who all the vendors are,
then you can just ask a vendor that you

557
00:48:38,690 --> 00:48:42,760
contacted already for other
vendors, that also might be affected

558
00:48:42,760 --> 00:48:48,790
by the bug that you found, e.g.
Now one thing that is more difficult here,

559
00:48:48,790 --> 00:48:55,580
is that on one hand you want to notify as
much vendors as possibly, on the other hand

560
00:48:55,580 --> 00:49:01,260
you also can't notify everyone because if
you are going to notify everyone, then the

561
00:49:01,260 --> 00:49:10,450
chance of the details leaking, they become
close to one. Another difficult thing to

562
00:49:10,450 --> 00:49:15,580
decide is, how long should you give time to
companies in order to patch this. And again,

563
00:49:15,580 --> 00:49:23,110
here you're mixed between two decisions:
on one hand you can give give them a long

564
00:49:23,110 --> 00:49:27,950
period to patch everything, but then again,
the risk of this details leasing... err,

565
00:49:27,950 --> 00:49:33,300
leaking increase. On the other hand, if the
embargo period is too short, people won't

566
00:49:33,300 --> 00:49:36,950
have time to patch it. So this is quite a
hard decision. In the end,

567
00:49:36,950 --> 00:49:42,310
what we did is - and which I would
again do in the future - is, it's hard to

568
00:49:42,310 --> 00:49:47,490
pick a deadline, but still do pick a
deadline to avoid any uncertainty and so

569
00:49:47,490 --> 00:49:54,300
that people know, what to expect. And
finally, I want to thank CERT and ICASI

570
00:49:54,300 --> 00:49:59,960
for helping with the coordination and you
also want to thank Cisco for some of the

571
00:49:59,960 --> 00:50:05,700
advice that they give.
So, with that I can conclude the talk, so

572
00:50:05,700 --> 00:50:11,980
what we discussed, is a flaw and the WPA2
standard itself and the most surprising

573
00:50:11,980 --> 00:50:17,770
thing about this research is, that WPA2 was
proven to be correct, yet we still found

574
00:50:17,770 --> 00:50:23,041
his attack after more than a decade.
And more than that, not only is this just a

575
00:50:23,041 --> 00:50:27,880
theoretical attack, the attack has actual
impact and practice.

576
00:50:27,880 --> 00:50:32,740
And finally, in order to defend against
this, you should update all your clients

577
00:50:32,740 --> 00:50:38,220
and also check if your access points are
affected. So with that, thank you for your

578
00:50:38,220 --> 00:50:41,360
attention and if there are any questions,
feel free to ask.

579
00:50:41,360 --> 00:50:50,510
*applause*

580
00:50:50,510 --> 00:50:52,650
Herald: So, do we have any questions?

581
00:50:52,650 --> 00:50:57,760
There is mics everywhere, so please come
in front. And I think, we already have the

582
00:50:57,760 --> 00:51:01,770
first question directly here in front on
mic number 1.

583
00:51:01,770 --> 00:51:11,540
Mic1: You mentioned, that GCMP is most
vulnerable. Do you know if there's any

584
00:51:11,540 --> 00:51:18,300
standardization going on, about switching
to nonce misuse resistant scheme like

585
00:51:18,300 --> 00:51:28,100
AES-GCM, Synthetic Initialization Vector?
MV: Yes, so there have been

586
00:51:28,100 --> 00:51:33,710
some proposals in order to make the
encryption algorithm defend against nonce

587
00:51:33,710 --> 00:51:40,020
reuse. Now the impression I have, that this
is still a bit of ongoing research. So

588
00:51:40,020 --> 00:51:45,450
there are proposals, where you have an
algorithm that you can use, but I'm not

589
00:51:45,450 --> 00:51:50,640
aware of actual encryption protocols, e.g.
TLS or Wi-Fi, that are using them.

590
00:51:50,640 --> 00:51:54,790
But they exist, but I... they're not yet being
really used.

591
00:51:54,790 --> 00:52:02,920
Mic1: It is standardisation going on in
CFRG, so Crypto Forum Research Group in

592
00:52:02,920 --> 00:52:10,600
IETF standardization, but I was asking about
Wi-Fi standardization, if they are planning

593
00:52:10,600 --> 00:52:20,230
to use this? And [a] related question would be,
if you would use in AES-GCM instead of

594
00:52:20,230 --> 00:52:30,500
the deterministic initialization vector,
there's a random IV possible, if you use

595
00:52:30,500 --> 00:52:38,850
96 bit, then the impact wouldn't be
bounded.

596
00:52:38,850 --> 00:52:45,030
MV: So to answer the first question: I'm
not aware of the Wi-Fi standard

597
00:52:45,030 --> 00:52:51,730
from really modifying the standard to use
a nonce misuse resistant encryption

598
00:52:51,730 --> 00:52:57,340
cipher. They are modifying the standard to
defend against key reinstallation attacks,

599
00:52:57,340 --> 00:53:00,820
but I think they're not yet going to
incorporate a nonce misuse resistant

600
00:53:00,820 --> 00:53:05,430
encryption cipher, because they still have
the impression that they're going to wait

601
00:53:05,430 --> 00:53:11,760
probably a while and once that technology
is more mature they're going to use that.

602
00:53:11,760 --> 00:53:15,900
If I understood your second question, you
also have encryption algorithms, where you

603
00:53:15,900 --> 00:53:20,550
don't have deterministic nonce, but you
have a nonce, which for every encryption

604
00:53:20,550 --> 00:53:27,560
operation e.g. is random.
Mic1: Actually in the GCM standard there

605
00:53:27,560 --> 00:53:32,470
are two possibilities: one deterministic,
MV: Yeah.

606
00:53:32,470 --> 00:53:38,270
Mic1: and the second random.
MV: So the risk of using a random

607
00:53:38,270 --> 00:53:43,130
initialization vector is, that you may
have a bad random generator,

608
00:53:43,130 --> 00:53:52,010
that it can go wrong there. On that, that
you still have nonce reuse, so even with a

609
00:53:52,010 --> 00:53:56,680
randomly generated nonce it can
also go bad, but then there are different

610
00:53:56,680 --> 00:54:02,050
attacks. And I think, there has been a
paper that analyzes a certain TLS

611
00:54:02,050 --> 00:54:07,210
libraries, where they do find attacks, where
in that case the GCM algorithm can still

612
00:54:07,210 --> 00:54:11,930
be attacked, not through key reinstallation
attacks, but because there is, because

613
00:54:11,930 --> 00:54:15,780
basically the nonce isn't really random,
e.g. sometimes a bad implementation

614
00:54:15,780 --> 00:54:21,070
always uses the same random nonce.
Person X: Um, direct answer...

615
00:54:21,070 --> 00:54:22,610
Herald: Err, sorry,...
X: Direct answer to his question number

616
00:54:22,610 --> 00:54:30,590
one: because he asked, whether there's
right now an approach to modify the

617
00:54:30,590 --> 00:54:38,340
standard towards being resistant against
this attack, right now there is no IEEE

618
00:54:38,340 --> 00:54:46,170
task group working on an amendment which
will fix this.

619
00:54:46,170 --> 00:54:50,910
MV: Well, there is... they are working to 
prevent the key reinstallation attack.

620
00:54:50,910 --> 00:54:54,320
X: Well, there is no official
active task group right now.

621
00:54:54,320 --> 00:54:57,030
MV: Okay that could be, but there are still
people working on that.

622
00:54:57,030 --> 00:54:58,980
X: Yeah, they're working on that,
but no

623
00:54:58,980 --> 00:55:00,600
task group, right?
MV: Ok. Thank you.

624
00:55:00,600 --> 00:55:03,400
Herald: Okay thank you.
Here in number 3.

625
00:55:03,400 --> 00:55:07,510
Mic3: Yes, thanks for your
amazing talk.

626
00:55:07,510 --> 00:55:11,320
Just for my personal understanding:
could you briefly go back to

627
00:55:11,320 --> 00:55:17,370
the slide with the 4-way
handshake, like, right in the beginning?

628
00:55:17,370 --> 00:55:21,010
MV: Yup, so the attack or the handshake
itself?

629
00:55:21,010 --> 00:55:28,770
Mic3: Yeah, yeah the attack.
MV: So let's go to this slide.

630
00:55:28,770 --> 00:55:37,270
Mic3: Yeah so all you get from this, is the
keystream that is used to encrypt

631
00:55:37,270 --> 00:55:41,880
the the Msg4, right,
that's all you get?

632
00:55:41,880 --> 00:55:45,550
MV: Yes, but you can already use that to
start decrypting frames and what you can

633
00:55:45,550 --> 00:55:51,480
do as an attacker, you have several options.
The first thing you can do is, you can keep

634
00:55:51,480 --> 00:55:54,960
triggering new handshakes by
deauthenticating the client, so you can

635
00:55:54,960 --> 00:56:02,940
always decrypt one packet at a time.
What you can also do is, you can wait with

636
00:56:02,940 --> 00:56:09,090
sending this retransmitted Msg3
to the clients, because sometimes you know

637
00:56:09,090 --> 00:56:12,090
the encrypted data that is sent. So you
know that a packet is an ARP request, you

638
00:56:12,090 --> 00:56:16,650
know that the HTTP requests. You can capture
quite some packets where you know the

639
00:56:16,650 --> 00:56:22,370
content, to derive some known key stream
and once you have that, you can forward

640
00:56:22,370 --> 00:56:27,780
Msg3 to trigger a key
reinstallation and then you have collected

641
00:56:27,780 --> 00:56:33,830
quite some key stream to be able to
decrypt several packets at a time. So you

642
00:56:33,830 --> 00:56:38,910
can use tactics like that, you can rely on
the packet length to basically determine,

643
00:56:38,910 --> 00:56:43,770
what the type of packet is, where you have
known plaintext and you can use that to

644
00:56:43,770 --> 00:56:47,780
derive new key stream and there are a lot
of ways to play around with that.

645
00:56:47,780 --> 00:56:51,680
Mic3: Yeah but, all you get here is the -
because the key stream that you get is

646
00:56:51,680 --> 00:56:59,630
already being used immediately, because
it's being used to encrypt Msg4.

647
00:56:59,630 --> 00:57:02,940
MV: Well, we know the content of Msg4

648
00:57:02,940 --> 00:57:08,550
and we abuse, that Msg4 is
encrypted to derive known key stream and

649
00:57:08,550 --> 00:57:14,130
we can then use that to encrypt data
frames, which we do not know and... we

650
00:57:14,130 --> 00:57:15,740
should discuss this offline.
Mic3: Yeah.

651
00:57:15,740 --> 00:57:19,850
Herald: Perhaps this is for later
discussion with more in detail. Now we

652
00:57:19,850 --> 00:57:24,750
switch to number two... number four, I
think it is. Yeah, thanks.

653
00:57:24,750 --> 00:57:30,940
Mic4: Yes. Great find really and an
awesome talk. Could you maybe elaborate a

654
00:57:30,940 --> 00:57:38,100
bit on how to still use the advantage of
formal verification in the sense of, let's

655
00:57:38,100 --> 00:57:44,330
say, the flaws that it has, it gives a very
false sense of security in your sense, how

656
00:57:44,330 --> 00:57:48,990
can you still benefit from formal
verification?

657
00:57:48,990 --> 00:57:55,540
MV: Well, I think the attitude we should
adopt is, that formal verification of code

658
00:57:55,540 --> 00:58:01,670
or of algorithms increases the amount of
trust we can put into a program or into a

659
00:58:01,670 --> 00:58:07,450
protocol, but it's not just because it's
formally verified that it's secure.

660
00:58:07,450 --> 00:58:12,270
Perhaps one of the attitudes that people
had was: 'oh it's firmly verified, it must

661
00:58:12,270 --> 00:58:17,840
be fine'. We should abandon that attitude
and instead we should say: "Ok, it's

662
00:58:17,840 --> 00:58:21,750
formally verified but, you know, let's
check if the model they used reflects

663
00:58:21,750 --> 00:58:28,480
reality. Let's see if the proof is correct"
and so on. So, we should still employ a

664
00:58:28,480 --> 00:58:33,470
formal verification but we should just
treat it as additional evidence, that

665
00:58:33,470 --> 00:58:41,540
something looks secure.
Herald: Ok, there's another question on mic 2

666
00:58:41,540 --> 00:58:47,250
Mic2: The first part is on the slide
you're currently on. As far as I

667
00:58:47,250 --> 00:58:52,880
understood it in the talk, the
retransmission of Msg4 is not

668
00:58:52,880 --> 00:58:56,860
supposed to be encrypted by the standard.
MV: Correct.

669
00:58:56,860 --> 00:59:02,240
Mic2: So if you follow the standards, you
shouldn't have a problem here.

670
00:59:02,240 --> 00:59:05,630
MV: No, then you still have a problem,
because what you can then you do, is just

671
00:59:05,630 --> 00:59:10,000
wait for a data packet where you know that
contents of, e.g.it can be an ARP

672
00:59:10,000 --> 00:59:14,660
request, you can derive most fields of
that, it can be a DHCP request, it can be

673
00:59:14,660 --> 00:59:22,101
be a TCP SYN packet, or it can be some
plain text HTML frames. E.g. there

674
00:59:22,101 --> 00:59:28,770
has been work to fingerprint the length of
HTTP requests, to be able to determine

675
00:59:28,770 --> 00:59:32,440
which page you are visiting, so purely
based on the length, we can determine the

676
00:59:32,440 --> 00:59:37,260
contents of the website you are looking
for. We can then derive known plaintext

677
00:59:37,260 --> 00:59:44,020
and basically there are a lot of ways to
predict the content of a frame, to then

678
00:59:44,020 --> 00:59:51,750
derive known keystream and to then trigger
a key reinstallation attack to then abuse this.

679
00:59:51,750 --> 00:59:55,190
Herald: Ok we have time for one last
question. Mic number 1?

680
00:59:55,190 --> 01:00:04,730
Mic1: Um, so as far as I understood your
research, and so we, if we have like 11W

681
01:00:04,730 --> 01:00:11,240
deployed in the network, we are still
vulnerable to the attack, because as 11W

682
01:00:11,240 --> 01:00:19,590
specifies the encryption, I'm supposed by
this amendment, is also done by the

683
01:00:19,590 --> 01:00:28,020
encryption use on the network like before,
so 11W is not really a way to secure

684
01:00:28,020 --> 01:00:33,690
the network?
MV: Well, if I got it right, 11W is, one of

685
01:00:33,690 --> 01:00:36,380
the things it does, is protect the
management's frames, if I'm correct?

686
01:00:36,380 --> 01:00:39,122
Mic1: Yes.
MV: Yes.

687
01:00:39,122 --> 01:00:44,620
MV: So using that does not defend against
these attacks.

688
01:00:44,620 --> 01:00:50,710
Herald: Ok, I think there's still quite
details, where people are curious about,

689
01:00:50,710 --> 01:00:55,160
because it's everybody starting this
question "as far as I understood". So I think,

690
01:00:55,160 --> 01:00:58,840
this was a really nice comprehensive talk
and I want to thank you. And everybody who

691
01:00:58,840 --> 01:01:03,660
has more questions, perhaps can find you
here and ask you more or have a look into

692
01:01:03,660 --> 01:01:06,990
the paper, perhaps read everything in
detail there.

693
01:01:06,990 --> 01:01:11,540
So, please another big round of applause
for Mathy and his amazing talk!

694
01:01:11,540 --> 01:01:13,276
Thank you very much.
MV: Thank you!

695
01:01:13,276 --> 01:01:20,510
*applause*

696
01:01:20,510 --> 01:01:41,861
*34c3 outro*
