WiFi Protected Access 3 Flashcards

1
Q

Why was WPA3 introduced?

A

Because WPA2 was hacked by the Key Reinstallation Attack (KRACK)
Exploits WPA2 four-way handshake
Attacks 3rd message in handshake

2
Q

WPA/WPA2 Authentication

A

Authenticator responds to supplicant by sending GTK (Group Temporal Key)
Also protects the frame with MIC (Message Integrity Code)
At this point, after the 3rd message is sent, if the router does not receive acknowledgement that the 3rd message was received, it will send it again.
Belgian researchers realised that if you blocked the ack message (4th message), you could force a device to reinstall the encryption key, and this in turn would reset the nonce

3
Q

Explain the KRACK Exploit

A

Here, the entire 4-way handshake is not required to complete the authentication process for reconnection between access point and router -
Therefore, to enable faster reconnections, only the 3rd message is required for reconnect
Hacker mimics WLAN
3rd message in handshake resent numerous times - This is where the vulnerability lies with the MITM attack: The attacker can mimic a wireless network that the user previously connected to -
Once the supplicant connects to the network, the hacker sends what they believe is the 3rd message of the 4-way handshake from the network's WAP.

Encryption Key Cracked - The attackers keep sending a 3rd message and with each ack message from client a small piece of data is encrypted

WLAN packets decrypted with MITM

Cannot Decrypt SSL Traffic -> SSL Strip -> MITM attack

Forced to communicate in plaintext over HTTP -
The attacker proxies the modified content from the HTTPS server. This is achieved through SSLStrip -> Strips HTTPS URLs to become HTTP URLs so the content can be read

4
Q

KRACK Exploit continued

A

4-Way Handshake -> New Session Key - Tricks the user into installing a key that the client is already using by replaying the 3rd handshake message -
The session key is installed by the supplicant after receiving the GTK and MIC from the AP. This session key is now ready to be used to encrypt data frames.

All OSs were vulnerable - Particularly Android 6.0

KRACK -> Decrypt TCP SYN
CCMP - Can hijack TCP comms when CCMP is used

5
Q

WiFi Protected Access 3 (WPA3)

A

WLAN Security Protocol - IEEE 802.11 Protocols
Replaces WPA2 in Jan ‘18
Eliminates brute force attacks (previously WEP, WPA and WPA2 allowed for continuous password attempts)
Encryption on per user basis for each connection

6
Q

WPA3 Security Improvements

A

More Secure Handshake to secure comms
Increased security for adding new devices
Security for Public WiFi
Longer Key

7
Q

WPA2 vs WPA3

A
8
Q

Describe Simultaneous Authentication of Equals

A

WPA2 - KRACK Vulnerability - MITM -> Tricks user into Key Reinstallation
SAE - Variant of Dragonfly Key Exchange
IEEE 802.11s: WLAN Mesh Networks
WPA3-Personal: SAE - 128-bit Encryption
WPA3 - QR Codes - Easy Connect (allows non-tech-savvy users to connect to the router - IoT device setup)
Connection via smartphone

9
Q

WPA3 Enterprise Authentication

A

Back-end Authentication
RADIUS Server
Elliptic Curve Diffie-Hellman (ECDH) Exchange & Elliptic Curve Digital Signature Algorithm (ECDSA)

10
Q

Describe Dragonfly Key Exchange

A

Key Exchange using discrete logarithm cryptography
Both parties have a shared password or phrase
Specific Domain Parameter - Elliptic Curve Cryptography (ECC) or Finite Field Cryptography (FFC)
Designed to protect the user from offline dictionary attacks (attacker obtains a ciphertext generated using the password-derived key and tries each password against the ciphertext; this is invisible to the user and much faster than an online attack)

11
Q

Dragonfly Key Exchange Cont’d

A

Commit Exchange - Both parties commit to single guess of the password
Confirm Exchange - Both parties confirm that they know the password

Password Element (PE) Created - Random Element in Negotiated Group

12
Q

DragonBlood

A

Dragonfly Handshake

DragonBlood Hack -
WPA3 - Personal
Recovery Network Key
Downgrade Security
Launch DoS (Denial of Service) Attack
Abuse timing or cache-based side-channel leaks

Transitional mode of operation - susceptible to downgrade attack - attacker can use it to set up a rogue AP that only supports WPA2 - therefore forcing WPA3 devices to connect using the WPA2 4-way handshake

Attacker only needs to know SSID of WPA3 network

13
Q

DragonBlood Cont’d

A

Susceptible to:
Security Group Downgrade Attack
Timing Based Side Channel Attack
Cache Based Side Channel Attack
Denial of Service Attack
