Monday, 12 March 2018

WPA3: Technical Details and Discussion

Update 20 May 2018: A short description of the DPP protocol was added, and more information is provided about increased key sizes of WPA3.

The Wi-Fi Alliance issued a press release announcing WPA3. Unfortunately, it did not include many technical details. Nevertheless, we'll interpret the press release from a technical perspective. In particular, it mentions that WPA3 will include four major new security features:

1. A More Secure Handshake

They explain that WPA3 will "deliver robust protections even when users choose passwords that fall short of typical complexity recommendations". This means that personal networks, in other words ordinary home networks that are protected with a single password, will be required to use the Simultaneous Authentication of Equals (SAE) handshake. Most importantly, this handshake is resistant against offline dictionary attacks. In contrast, personal WPA2 networks that use a weak password are vulnerable to offline dictionary attacks. Since in practice many networks use weak passwords, resistance against this attack is a major improvement.

On top of that, there is a security proof that indicates the design of the new SAE handshake is secure. The proof also confirms that the handshake provides forward secrecy: if an attacker ever learns the password of a network, they cannot use it to decrypt old captured traffic. This is again in contrast to WPA2, where learning the password allows an attacker to decrypt old traffic. So again the SAE handshake of WPA3 offers a major improvement.

Nevertheless, some caution is warranted. If the handshake is not carefully implemented, it is vulnerable to side-channel attacks. Additionally, because the handshake was designed to be a balanced PAKE, the access point (AP) must store the password in plaintext. Put differently, the AP cannot store some derivation of the password, meaning that if someone gains access to the AP they can read out the plaintext password. Finally, the existence of a security proof does not guarantee that the handshake is indeed secure. After all, WPA2 also had a security proof, but could still be attacked. Therefore it remains important to verify that the security proof is correct, makes valid assumptions, proves the correct properties, models real implementations, etc.

On a more technical level, the SAE handshake is a variant of the Dragonfly handshake defined in RFC 7664, which in turn is based on the SPEKE handshake. In a Wi-Fi network, the SAE handshake negotiates a fresh Pairwise Master Key (PMK). The resulting PMK is then used in a traditional 4-way handshake to generate session keys. This means the SAE handshake is always followed by a 4-way handshake. Although it may be surprising to learn that the 4-way handshake is still being used, this construction does avoid the weaknesses of the 4-way handshake. That's because the 32-byte PMK that the SAE handshake negotiates cannot be guessed using a dictionary attack, even though it's used in the 4-way handshake. Additionally, forward secrecy is indeed provided because the SAE handshake assures the PMK cannot be recovered if the password becomes known.

You can view the pcap of an example SAE handshake online on cloudshark.

2. Replacement of Wi-Fi Protected Setup (WPS)

The second improvement that WPA3 brings is "simplified, secure configuration and onboarding for devices with limited or no display interface". This refers to the replacement of Wi-Fi Protected Setup (WPS). Note that WPS is considered insecure. More precisely, the replacement of WPS will be the Wi-Fi Device Provisioning Protocol (DPP). This protocol allows you to securely add new devices to a network using a QR code or a password. It also defines methods to add devices using NFC, and using Bluetooth. At its core, DPP relies on public keys to identify and authenticate devices.

The DPP protocol itself consists of three main phases. In the first phase, called bootstrapping, the public key of the new device (i.e. the device being added to the network) is obtained. This can be accomplished by scanning a QR code that encodes the public key, or by exchanging and encrypting the public key wirelessly using the PKEX protocol. As previously suggested, it is also possible to transfer the public key using NFC or Bluetooth. Each method provides different levels of guarantees as to whether the obtained public key indeed belongs to the new device.

In the second phase, called authentication and provisioning, the now trusted public keys are used to establish a (temporary) authenticated connection, over which credentials can be exchanged. The exchanged credentials are not yet the final credentials to connect to the network. Instead, the exchanged credential is a so-called connector. This connector is used in the final phase of the DPP protocol, called the network access phase, to establish the actual network keys. More precisely, the connector is used to perform a Diffie-Hellman exchange to establish a Pairwise Master Key (PMK). This PMK can then be used to access the network in a normal fashion.

3. Unauthenticated Encryption

The third feature of WPA3 "strengthens user privacy in open networks through individualized data encryption". This refers to unauthenticated encryption for open networks (i.e. for public hotspots). More precisely, I believe WPA3 will require support for Opportunistic Wireless Encryption (OWE). In practice this would mean a passive adversary, which can only sniff/monitor traffic, will not be able to read traffic of clients. Unfortunately, an active adversary can still create a fake AP, trick victims into connecting to this fake AP, and then read all traffic of connected clients.

Remark that the common practice of setting up a WPA2 network, and then publicly sharing the password to customers, does not prevent a passive adversary from decrypting all traffic. That's because an adversary only needs to capture the handshake the client executes when connecting to a WPA2 network, and then combine it with the public password to decrypt all frames between the client and AP. Active attacks against this setup are equally trivial: an adversary can set up a WPA2 network with the same name and password. Clients (e.g. customers) will then connect to the AP of the adversary, again allowing the adversary to intercept and read all traffic.
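The reason sharing a WPA2 password gives no confidentiality is that the Pairwise Master Key is a deterministic function of the passphrase and the SSID alone, so every customer, and anyone else who reads the password off the wall, derives exactly the same PMK. The following added example (not code from the original post) computes that derivation, PBKDF2-HMAC-SHA1 with 4096 iterations, for a constructed café network and shows that two independent parties end up with an identical key; the SSID and passphrase values are made up for illustration:

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal Pairwise Master Key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Nothing secret beyond the passphrase enters the computation, so the
    key is identical for everyone who knows the (public) password.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def everyone_gets_the_same_key(passphrase: str, ssid: str) -> bool:
    """Model two parties, a customer and a passive observer, deriving the PMK.

    Both know only the SSID (broadcast in beacons) and the shared passphrase.
    Returns True when their keys coincide, which is always the case for WPA2-PSK.
    """
    customer_key = wpa2_pmk(passphrase, ssid)
    observer_key = wpa2_pmk(passphrase, ssid)
    return customer_key == observer_key


if __name__ == "__main__":
    # Constructed example network; not a real deployment.
    ssid = "CafeGuest"
    passphrase = "espresso2018"
    print("PMK:", wpa2_pmk(passphrase, ssid).hex())
    print("same key for every holder of the password:",
          everyone_gets_the_same_key(passphrase, ssid))
```

The remaining per-session material (the nonces of the 4-way handshake) is sent in the clear, which is why capturing that handshake plus the public password suffices, as the paragraph above states. With SAE and OWE the PMK instead comes out of an ephemeral Diffie-Hellman exchange, so knowing the password (or nothing at all, for OWE) does not give a passive observer the key.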

The advantage of OWE is that passive attacks are prevented. Unfortunately, active attacks still enable an adversary to intercept traffic. Nevertheless, under the motto of RFC 7435 "Some Protection Most of the Time" this still increases security. One shortcoming of OWE is that there is no mechanism to trust an AP on first use. Contrast this with, for example, SSH: the first time you connect to a SSH server, you can trust the public key of the server. This prevents an adversary from intercepting traffic in the future. However, with OWE there is no option to trust a particular AP on first use. So even if you connected to a particular AP previously, an adversary can still set up a fake AP and make you connect to it in the future.

On a technical level, the OWE handshake negotiates a new PMK using a Diffie-Hellman key exchange. This handshake is encapsulated in Information Elements (IEs) in the (re)association request and response frames. The resulting PMK is used in a 4-way handshake, which will negotiate and install frame encryption keys.

4. Increased Session Key Sizes

Finally, the fourth improvement that WPA3 offers is increased key sizes. More specifically, they refer to the Commercial National Security Algorithms (CNSA) suite. This means WPA3 will support AES-GCM with 256-bit keys for encryption, and elliptic curve cryptography based 384-bit curves. Additionally, SHA384 of the SHA2 family will be used, and any employed RSA keys must be at least 3072 bits in size. All combined, this results in 192-bit security, because that's roughly the effective strength of 384-bit elliptic curves and SHA384.

Improvements to WPA2

It's also interesting to note that the Wi-Fi Alliance now mandates support of Protected Management Frames (PMF) as part of its WPA2 certification. This means new WPA2-certified devices are now required to support PMF. This prevents deauthentication attacks where an adversary can forcibly disconnect clients from a Wi-Fi network. On top of that, it seems they will fuzz implementations of WPA2. Or to put it in their words, they will perform "Enhanced validation of vendor security implementations". In particular, devices are tested to assure they validate server certificates properly, and that they are patched against the KRACK attack against WPA2.

Monday, 20 February 2017

Windows 10 Lock Screen: Abusing the Network UI for Backdoors (and how to disable it)

This is a short blog post about a peculiar decision that Microsoft made. When you lock your computer on Windows 10, you are still able to connect to wireless networks. It's even possible to connect to new networks. You simply click on the network icon in the bottom right, and then add the wireless network:

So what's the deal with this? Well, it means that anyone can make your device connect to a possibly malicious wireless network. As an attacker you simply have to broadcast a network, wait until it shows up in the network list, and connect to it:

The victim will now automatically connect to the attacker's network whenever it is nearby. This is unwanted behavior. Since the victim automatically connects to it, it can be used to track the victim, and to intercept and manipulate his or her network traffic.

This is not ideal. When I lock my laptop, I don't expect someone to be able to change my network configuration! But now someone can add a (possibly unencrypted!) wireless network to my config, and my device will automatically connect to it.

Thankfully, it's possible to disable the network menu at the lock screen. Open the Windows menu and type "Edit group policy" and open this tool. Now go to "Computer Configuration\Administration Templates\System\Logon" and enable "Do not display network selection UI":

And now the network icon is gone in your lock screen. No annoying people can now mess with your network configuration when you lock your device!

Monday, 7 March 2016

How MAC Address Randomization Works on Windows 10

When Apple announced its devices would use random MAC addresses when searching for Wi-Fi networks, it received extensive media attention. And rightly so. It prevents companies from tracking your movements, and Apple was the first major player to start doing this. Windows and Android are quietly trying to catch up. As a result, some devices running Windows now support MAC address randomization, and we will discuss how it's implemented, and where it fails. This information is a small selection from the recent paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms.

Update: we have contacted Microsoft, and they are in the process of addressing the vulnerabilities we discovered.

How it works

Microsoft first added support for MAC address randomization in Windows 10. Unfortunately, it's only available if you have a WiFi card and driver that support it. For example, the Intel 7265 AC, when using the latest driver, supports randomization [1]. You can see if your hardware supports MAC address randomization by going through the following menus:

If your hardware supports MAC address randomization, you will see the following option at the top of the window:

As you can see, I have it enabled on my laptop. So far it's been working quite well. What's very interesting about Microsoft's approach is that it also uses random MAC addresses when connecting to a wireless network. In contrast, Apple only uses random addresses when searching for nearby networks, and it falls back to its original address when connecting to a network. In this aspect Windows 10 offers better privacy than Apple.

Using a random MAC address to connect to a network can cause problems if users are authenticated (i.e., recognized) based on their MAC address [2]. Interestingly, Windows avoids this issue by always using the same random address every time it connects to a specific network. For example, let's say you want to pay for Wi-Fi access, and they authenticate you based on your MAC address. Then this is not a problem. The first time you connect, Windows will generate a random MAC address. And if you reconnect to this network at a later point in time, Windows will reuse the previously generated address. Therefore the system can still recognize you, and you don't have to pay twice. There's one downside to this approach: since you always use the same address when connecting to a particular network, an adversary can learn when certain devices connect to specific networks. Nevertheless, compared to the old situation where you'd always use the original MAC address, it improves your privacy.

Technically, the random MAC address that is used to connect to a network is calculated as [5]:
address = SHA-256(SSID, real MAC address, connectionId, secret)[:6]
Here SSID is the name of the network you are connecting to, real MAC address is the original address of your network interface, and connectionId is a value that changes every time the user removes (and re-adds) the network (i.e., this value is updated if you "forget" the network under Windows 10). The secret parameter is a 256-bit cryptographic random number, generated during system initialization, and kept the same across reboots. Every interface has a different value of the secret parameter, to assure each interface gets a different random MAC address. Finally, bits in the most significant byte of address are set so it becomes a locally administered, unicast address. While the presentation by Huitema partly described this process, our paper is the first to describe this formula in full detail.
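To make the properties of this formula concrete, here is an added Python reconstruction of the derivation (it is not Microsoft's code, and the post does not give the exact byte serialization, so the UTF-8 encoding of the SSID, the 4-byte big-endian width of connectionId and the plain concatenation of the inputs are assumptions). It demonstrates the three behaviours described above: reconnecting to the same network yields the same address, "forgetting" the network (a new connectionId) yields a fresh one, and a different interface (different secret) never shares an address, while the first byte is always fixed up to a locally administered unicast value:

```python
import hashlib


def random_mac_for_network(ssid: str, real_mac: str,
                           connection_id: int, secret: bytes) -> str:
    """Stable per-network random MAC, following the formula in the post.

    address = SHA-256(SSID, real MAC address, connectionId, secret)[:6],
    with the first byte adjusted to be locally administered and unicast.
    Input serialization (UTF-8 SSID, 4-byte connectionId, concatenation)
    is an assumption made for this example.
    """
    if len(secret) != 32:
        raise ValueError("secret must be a 256-bit value")
    real = bytes.fromhex(real_mac.replace(":", ""))
    if len(real) != 6:
        raise ValueError("real MAC address must be 6 bytes")

    h = hashlib.sha256()
    h.update(ssid.encode("utf-8"))
    h.update(real)
    h.update(connection_id.to_bytes(4, "big"))
    h.update(secret)
    raw = bytearray(h.digest()[:6])

    # Set the locally administered bit (0x02) and clear the multicast bit
    # (0x01) of the most significant byte.
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered_unicast(mac: str) -> bool:
    """True when the first byte has the local bit set and the multicast bit clear."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


if __name__ == "__main__":
    # Constructed inputs: a made-up SSID, interface address and per-interface secret.
    ssid = "CafeGuest"
    real_mac = "7c:5c:f8:00:11:22"
    secret_iface_a = bytes(range(32))
    secret_iface_b = bytes(range(32, 64))

    first_visit = random_mac_for_network(ssid, real_mac, 1, secret_iface_a)
    return_visit = random_mac_for_network(ssid, real_mac, 1, secret_iface_a)
    after_forget = random_mac_for_network(ssid, real_mac, 2, secret_iface_a)
    other_iface = random_mac_for_network(ssid, real_mac, 1, secret_iface_b)

    print("first visit :", first_visit)
    print("return visit:", return_visit, "(same address reused)")
    print("after forget:", after_forget, "(new connectionId, new address)")
    print("other iface :", other_iface, "(different secret, different address)")
    print("locally administered unicast:", is_locally_administered_unicast(first_visit))
```

Note that because the SSID is an input, two different networks also get different addresses from the same device, which is exactly what stops a single address from being tracked across networks; the price, as the post points out, is that the address for one network stays constant until the user forgets it.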

It's also possible to disable randomization for certain networks. In this case Windows will use the original address when connecting to a network. You can configure this through the following settings when you are currently connected to the network:

Notice that the user has three options for each specific network:
  • On: the same random MAC address is always used when connecting to this network.
  • Off: the original MAC address is used.
  • Change daily: every day a new random MAC address is used.
Remark that if randomization is enabled, independent of the above options, Windows 10 will always use random MAC addresses when scanning for nearby networks. This "scanning" address changes every time you connect (and disconnect) from a network, and when you restart your device [3]. Hence it doesn't change that frequently, but it's still sufficient to prevent tracking over extended periods of time. In contrast, Apple changes the scanning address roughly every few minutes, which provides more privacy.

Basic Security Analysis

Randomization as implemented in Windows 10 significantly improves your privacy. So enable it! Unfortunately, it's not perfect, because there are still some ways to defeat or bypass it.

The first weakness is that the sequence number contained in WiFi frames is not reset when changing the (random) MAC address. This sequence number, which is present in most Wi-Fi frames, is used to detect retransmissions, and is incremented by one after successfully transmitting a frame. As shown in the picture below, when the MAC address changes because the user connects to a network, the sequence counter is not reset:

The last frame from ea:69:0a:* has the sequence number of 92, and the other address 7c:5c:f8:* has the sequence number 94. Based on this an adversary can reasonably conclude that both frames are sent by the same device. In other words, he learns that the same device was using both addresses, defeating the purpose of address randomization.
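The check a tester would run over a capture to see whether a device resets its counter is simple: walk the frames in time order and flag every address change where the new address's first sequence number continues from the old address's last one. The following added example (my own code, not from the paper or the post) does this on two constructed captures modelled on the figure above: one where the counter carries over (92, then 94 under the new address) and one where a hypothetical fixed device restarts from zero; the addresses are shortened placeholders, not values from a real trace:

```python
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MODULUS = 4096  # the 802.11 sequence number is a 12-bit counter


@dataclass
class Frame:
    """Minimal view of a captured frame: transmitter address and sequence number."""
    transmitter: str
    seq: int


def find_linked_addresses(frames: List[Frame],
                          max_gap: int = 8) -> List[Tuple[str, str, int, int]]:
    """Flag address changes where the sequence counter visibly carries over.

    For each consecutive pair of frames from different transmitters, the
    forward distance from the old sequence number to the new one (modulo
    4096) is computed; if it is small, the two addresses were very likely
    used by one device whose counter was never reset. Returns
    (old_address, new_address, last_seq_old, first_seq_new) tuples.
    """
    links = []
    prev = None
    for frame in frames:
        if prev is not None and frame.transmitter != prev.transmitter:
            gap = (frame.seq - prev.seq) % SEQ_MODULUS
            if 0 < gap <= max_gap:
                links.append((prev.transmitter, frame.transmitter, prev.seq, frame.seq))
        prev = frame
    return links


def counter_is_reset(frames: List[Frame]) -> bool:
    """True when no address change in the capture leaks the shared counter."""
    return not find_linked_addresses(frames)


# Constructed capture 1: scanning address ea:69:0a:* is replaced by the
# per-network address 7c:5c:f8:* on connect, but the counter keeps counting.
CAPTURE_NO_RESET = [
    Frame("ea:69:0a:11:22:33", 90),
    Frame("ea:69:0a:11:22:33", 91),
    Frame("ea:69:0a:11:22:33", 92),   # last frame under the old address
    Frame("7c:5c:f8:44:55:66", 94),   # first frame under the new address
    Frame("7c:5c:f8:44:55:66", 95),
]

# Constructed capture 2: a hypothetical device that restarts its counter
# together with its address, so the change cannot be linked this way.
CAPTURE_RESET = [
    Frame("ea:69:0a:11:22:33", 90),
    Frame("ea:69:0a:11:22:33", 91),
    Frame("ea:69:0a:11:22:33", 92),
    Frame("7c:5c:f8:44:55:66", 0),
    Frame("7c:5c:f8:44:55:66", 1),
]

if __name__ == "__main__":
    for name, capture in (("no reset", CAPTURE_NO_RESET), ("reset", CAPTURE_RESET)):
        print(f"{name}: counter reset correctly? {counter_is_reset(capture)}")
        for old, new, s_old, s_new in find_linked_addresses(capture):
            print(f"  {old} (seq {s_old}) -> {new} (seq {s_new}) look like one device")
```

The modular distance matters because the counter wraps at 4096; a threshold of a few frames keeps ordinary unrelated devices, whose counters sit at arbitrary values, from being linked by chance, while a counter that really carried over will nearly always fall inside it.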

The second problem is that Windows 10 reveals its real MAC address when interacting with Hotspot 2.0 networks. But what's Hotspot 2.0? Simply put, Hotspot 2.0 is a new standard to automatically and securely roam between WiFi networks. No manual interaction is needed. Your device automatically determines whether you have the appropriate credentials (passwords) to connect to a network. Think of this like the cellular network: when you get off the plane, your phone automatically finds and connects to a foreign cellular network. Hotspot 2.0 provides a similar experience for WiFi.

In order to accomplish automatic roaming, Hotspot 2.0 sends ANQP queries to the Access Point before connecting to it. These ANQP queries request detailed information about the wireless network. This information includes the credentials that are needed to connect with the hotspot, whether the hotspot provides internet access or only local network access, etc. Unfortunately, Windows 10 sends these ANQP queries using the real (original) MAC address:

In the first probe request it uses the random MAC address 2a:b3:e6:*. These probe requests are used to detect the presence of networks. If there's a Hotspot 2.0 network nearby, Windows will send ANQP requests using the real MAC address, in this case 7c:5c:f8:*. Therefore an attacker can obtain your real MAC address by advertising a Hotspot 2.0 network. Thankfully, Windows 10 only sends ANQP queries if at least one Hotspot 2.0 network is configured. Since this standard is not yet widely deployed, few users will have such a network configured [4].

Detailed Security Analysis

Want to know all flaws that are present in existing implementations of MAC address randomization? And this specifically for Android, Apple, Linux, and Windows? Then read my paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms [5]! It has everything explained in technical detail.

References and Footnotes

[1] If you have an Intel 7260 AC, you can also force Windows 10 to use the drivers of the Intel 7265 AC. Your device will still work, and will support MAC address randomization.
[2] Even though authentication based on the MAC address is utterly insecure (an adversary can easily spoof a MAC address), it's still used by many systems.
[3] C. Huitema. Personal communication, Nov. 2015.
[4] One notable exception is the Passpoint configuration provided by Boingo. Essentially Passpoint is a synonym of Hotspot 2.0. If you have this configuration installed, you have a Hotspot 2.0 capable device, and the Boingo configuration will use Hotspot 2.0. This means Windows will send ANQP queries to nearby Hotspot 2.0 networks.
[5] M. Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms (AsiaCCS 2016).