Wi-Fi Protected Access 3 Flashcards
KRACK summary
Secure wireless networks use a 4-Way Handshake to create a new session key. This attack tricks the user into re-installing a session key that the client is already using by replaying the 3rd handshake message. The session key is installed by the supplicant after it receives the GTK and MIC from the AP. This session key is now ready to be used to encrypt data frames. Hence, when the key is re-installed the Nonce is set to its initial value.
KRACK can also be used to decrypt TCP SYN packets and hi-jack TCP connections when CCMP is used.
SSLStrip
Attacker cannot decrypt SSL traffic but this is overcome using SSLStrip. SSLStrip is a type of MITM attack that forces the client to communicate with an adversary in plain text over HTTP and the attacker proxies the modified content from a HTTPS server. To achieve this SSLStrip is used to strip HTTPS URLs and convert them to HTTP URLs so the content can be read.
Security improvements WPA3
- More secure Handshake to secure communications
- Increased security for adding new devices
- Security for public Wi-Fi
- Longer key
Simultaneous Authentication of Equals (SAE)
SAE is a variant of the Dragonfly Key Exchange protocol and replaces pre-shared keys. SAE was originally implemented for use in IEE 802.11s which is a protocol for WLAN Mesh Networks
Dragonfly Key Exchange
This is a key exchange using a discrete logarithm cryptography that is authenticated using a password. Dragonfly was designed to protect the user against offline dictionary attacks. There are 2 parties in a Dragonfly exchange who have a shared password and they have agreed to a specific domain parameter which is either an Elliptical Curve Cryptography (ECC) or Finite Field Cryptography (FCC).
WPA3 Authentication phases
Commit phase
Confirm phase
Dragonblood
A WPA3 hack and this hack allows the attacker to recover the network key, downgrade security measures and launch DOS attacks. WPA3 implements the Dragonfly Handshake and this protects against offline dictionary attacks.
WPA3 devices are backward compatible with WPA2 devices using a transitional mode of operation. This transitional mode of operation is susceptible to a downgrade attack which an attacker can use to set-up a rogue access point that only supports WPA2, thereby, forcing WPA3 devices to use WPA2’s Four-Way Handshake. An attacker therefore, only needs to know a networks SSID of the WPA3 network.
Vulnerabilities in Dragonfly
- Security Group Downgrade Attack
- Timing-Based Side-Channel Attack
- Cache-Based Side-Channel Attack
- Denial-of-Service Attack
Side-channel Atacks
In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself (e.g. flaws found in a cryptanalysis of a cryptographic algorithm) or minor, but potentially devastating, mistakes or oversights in the implementation.