Subtitles section Play video Print subtitles Dr. Steve Bagley: - So on Monday the 16th of October, 2017, two researchers of the Belgian University released information of an exploit that they've found for the security mechanism used on all major Wi-Fi connections these days. So this is WPA, the encryption protocol that was brought in to replace the early one, WEP, which was basically useless. So this one has been proven to be mathematically correct. It's been proven to be mathematically secure and so it was thought that you wouldn't be able to attack it. And for the last 15 years or so there's been a few fringe effects that you could exploit to get certain things, but in general, it's secure. Until yesterday ? The way that WPA works is that when the client, your computer, connects to the base station initially starts off unencrypted and very quickly they exchange a series of messages between the two which get them so they've agreed on a key that they're going to use to encrypt the message. And so to understand how this attack works we need to understand how those messages are transmitted, and then how that's used to encrypt the data, which is why I brought Mike along to sort of help talk about the encryption side of things Hello, Mike Dr. Make Pound: - Hello! What am I doing here? - So what we've got open on the computer here is I set wireshark going when I turned on my Wi-Fi card It's captured a series of packets and what we can see here is there are four packets of information that are sent between the computer and the access point and These effectively agree the shared key that they're going to use. now this isn't the password you put into your Wi-Fi router. One of the interesting things that this attack works without ever necessarily getting hold of your password. So we end up with four messages that are being sent between the base station and Your computer to establish those things. So if we have a look at them, we got our computer here, and we have The access point here, or the base station and we've associated with it, so the first thing to set up the encryption is that the access point sends a message across, and we'll call this Message 1. This contains various information in there including a random number which is used, and a counter which is used for something else. But we won't go into too much detail And then we reply with our random number which is Message 2 They send Message 3 which contains a bit more information, and then we send Message 4 which basically says, "Yep. I got that. The communication is now established." Now the way the Krack Attack works is by sitting in the middle you have another computer, which is your malicious actor which is going to sit there to try and break into this encryption, and he has to sit in such a way that he can know when Message 3 is sent and stop Message 4 being sent back - Sean: What does he do? Block it or something? - Dr. Bagley: I mean basically the way this works Is that you need to cause Message 3 to be received by the computer more than once in a way that you know about and you've got access to things and if you do that you can start capturing data and you can use some of the techniques that Mike's going to talk about to decrypt the information. So one way you could do it is you could perhaps splat a bit of noise on to the Wi-Fi signal at that point. There are easy ways where you pretend to be a base station and quickly send a message saying, "Switch to me on a different channel because I've got better communications here," which means you receive it And the other base station doesn't and then it sends it out and you could sort of forward it on. So there's various ways you could probably push this into into use, but basically once you've got in here, and you caused this to be resent it causes parts of the values that the computer uses to encrypt the messages To be reset as well and once you've done that you can get into a position where you can actually start to decrypt the messages. Dr Mike Pound: - When the client receives message 3, That's a moment it thinks right I've got my keys now. I can store them away ready for encryption The problem is that if the access point doesn't receive message 4, it thinks Oh well something must have happened to it. So I'll send message 3 again to make sure the client got it . The bugs that these researchers have found is that if message 3 gets resent, it restores the key and in doing so also resets all of the other cryptographic variables it's been working with, which is a real problem In particular it's a problem when you reset something called the nonce, or a number used once. So the way we usually encrypt in WPA is through AES, advanced encryption standard and we do it in counter mode generally speaking because it's quite fast so If you think back to the video we did on XOR and Stream ciphers we basically use AES as a stream cipher so we have an ever-increasing counter Let's say it starts at one, and we encrypt these numbers with our AES block cipher Here's our key coming in here So this one when encrypted using this key will produce a block of AES encrypted data that's random. So basically we're generating here a set of random numbers that goes on like this from the first block and then the second, and then the third and so on all the way along But it's not a truly random thing because if I know the key and I can still get want to generate the same, yeah And so I mean, that's about Unfortunate is the problem with cryptography is that we couldn't ever use truly random because we wouldn't be able to decrypt it again We have our message bits, which are you know naught, 1, 1, naught, something different And we XOR these together one bit at a time And that's how we encrypt and the nice thing is to decrypt we basically regenerate This key stream and do the exact process again we XOR our ciphertext and get our message back out. Now counter mode is very very fast and It's perfectly secure if your block cipher produces nicely random bits unless You reuse the numbers in which case it's completely broken. In this attack, remember, We're resetting the nonce because we're sending message 3 the client sees this and goes, "Oh I better restart my encryption from start from scratch again." So this number goes back to one, or goes back to zero somewhere at the beginning, and so we're generating the exact same key stream multiple times We start by cryptic some data using the key starting at 1 2 3 4 and then it gets reset and we encrypt some different data with 1 2 3 4 Q: So normally it doesn't go around like 1 2 3 4, 1 2 3 4. It literally keeps -- It will just keep counting up and obviously the theoretical limit will be the 128-bit number that you're trying to store. That's unlikely to happen in the time you're connected to the Wi-Fi But it's a theoretical possibility If they use one multiple times you can probably work out what? -- yeah, so if you imagine that we've used one multiple times The same keys been used, because the key didn't get changed, then the same key stream of zeros and ones have been XOR our message and that's very very weak when we use the same key twice we can essentially nullify the key by XOR in two messages together and Then we do a very similar process become something called crib dragging so we will come up with hypothetical bits of plaintext we think let's say the word HTML or Someone's login name or something like this, and we will slide it over the message until It gets a hit and at that point We know not only where it is But also what the keystream bits for that position were. So it's not a completely trivial process But on our computer it can be bruteforced incredibly quickly. If you reuse the same counter twice with the same key in something like counter mode It's such a huge problem because basically you can extract plaintext bits from multiple messages Once you've started to do that then you've got some idea of what we've sent you might be able to predict what they're going to send and sort of get in and start doing replay attacks and things like this or injecting information in, but we've done all this without even knowing what the key was. So it's an interesting part of encryption where You aren't necessarily secure just because the key is secret right and in this case very much not the case The other issue is that some of these modes you can extract the Authentication key as well so when we talked about HMAC We had a secret key that we used to make sure the message hadn't been interfered with. Well, if we can find that key Which you can using this attack, then you can start to forge your own messages. Start to, let's say, add in TCP packets of HTML that conveniently holds some JavaScript that runs some ransomware for example, and then you know you're in business And we've done that without knowing what the key is. One question What would happen if this key was zero? Here when we're generating this counter what happen if the key was zero. If the key is zero Then you're encrypting one with zeros it will still produce a random output, but it'll produce a random output That's always the same, and we will know what it is So we could we could guess the key stream. And if we knew were in the key stream then We could generate the right values generate the right packets. The way this Plays out is on certain operating systems. It basically has no effect so Windows. IOS. It seems because of the way they Follow or don't quite follow the standard it seems that this has limited effect. There are still ways you can attack things, but it has a limited effect So you'll say people on Windows laptops and on iOS devices should be alright? They are safer than other devices the problem comes with them The program that does it in Linux and on certain Android friends so the implementation used on Linux and Android That clears the key out of memory which is a good thing to do because if you're sitting in a coffee shop when you go After buy a coffee it's not impossible to plug the device quickly, a Thunderbolt device to do it into the side of the machine and copy the bit of memory out of there, which is perhaps got the key in it And then we can decrypt your traffic so that makes sense the problem is that When you replay message 3 Which you need to do to make the attack work That also resets the counter, the things that Mike's talked about, and it now uses the key which is 0 to Start encrypting these things so actually you end up with a known sequence of counters being generated Which means that you can then as well as decrypt the messages you can sort of insert data into that message stream and start sending things to you that you perhaps weren't expecting to get. So on certain operating systems, it's Relatively benign on others it's more dangerous But it's also worth remembering that we should still use WPA2 to encrypt things because the alternative is that you have no security And that even if someone does come and do this they could do exactly the same by unplugging your base station and plugging in a new device into the Ethernet the other side of that and listen there anyway, so it's the risk, it needs to be patched It'll be patched, and then we can all go back to using Wi-Fi and browsing the web Those leaks happen all the time and so passwords are being just dumped into the internet all the time, so there's this password list called RockYou Which is a bit of a game changer in password cracking if that's a thing like-- 50 But this is the IBM pc/xt the model 51 60 which came out two years later in 1983 So this is really what the first PC was like--
A2 message encryption wi counter stream random Krack Attacks (WiFi WPA2 Vulnerability) - Computerphile 1 0 林宜悉 posted on 2020/03/27 More Share Save Report Video vocabulary