70 research outputs found

    Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation

    In this paper, we present three design flaws in the 802.11 standard that underpins Wi-Fi. One design flaw is in the frame aggregation functionality, and another two are in the frame fragmentation functionality. These design flaws enable an adversary to forge encrypted frames in various ways, which in turn enables exfiltration of sensitive data. We also discovered common implementation flaws related to aggregation and fragmentation, which further worsen the impact of our attacks. Our results affect all protected Wi-Fi networks, ranging from WEP all the way to WPA3, meaning the discovered flaws have been part of Wi-Fi since its release in 1997. In our experiments, all devices were vulnerable to one or more of our attacks, confirming that all Wi-Fi devices are likely affected. Finally, we present a tool to test whether devices are affected by any of the vulnerabilities, and we discuss countermeasures to prevent our attacks.

    Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd

    We systematically analyze WPA3 and EAP-pwd, find denial-of-service and downgrade attacks, present severe vulnerabilities in all implementations, reveal side-channels that enable offline dictionary attacks, and propose design fixes which are being officially adopted. The WPA3 certification aims to secure home networks, while EAP-pwd is used by certain enterprise Wi-Fi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this paper, we systematically evaluate Dragonfly's security. First, we audit implementations, and present timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons. We then study Dragonfly's design and discuss downgrade and denial-of-service attacks. Our next and main results are side-channel attacks against Dragonfly's password encoding method (e.g. hash-to-curve). We believe that these side-channel leaks are inherent to Dragonfly. For example, after our initial disclosure, patched software was still affected by a novel side-channel leak. We also analyze the complexity of using the leaked information to brute-force the password. For instance, brute-forcing a dictionary of size 10^{10} requires less than $1 in Amazon EC2 instances. These results are also of general interest due to ongoing standardization efforts on Dragonfly as a TLS handshake, Password-Authenticated Key Exchanges (PAKEs), and hash-to-curve. Finally, we discuss backwards-compatible defenses, and propose protocol fixes that prevent attacks. Our work resulted in a new draft of the protocols incorporating our proposed design changes.
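    The password encoding step the abstract singles out is Dragonfly's hunting-and-pecking loop, which repeatedly hashes the password together with both peers' MAC addresses until the result is the x-coordinate of a point on the curve. The block below is an added example written for this page, not code from the paper or from any WPA3 implementation. It uses the real P-256 parameters (SAE group 19) but, as a labelled simplification, replaces the standard's KDF with a single HMAC-SHA256 reduced mod p; the MAC addresses and the password list are constructed inputs. What it shows is the property the side-channel attacks exploit: the loop always runs at least 40 iterations to mask total wall-clock time, yet the iteration at which a valid point is found still depends on the password and the MACs, so any channel that reveals that iteration number prunes the dictionary.

```python
import hashlib
import hmac

# NIST P-256 parameters (the curve behind SAE group 19); real constants.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
MIN_ITERATIONS = 40  # the standard's k: always loop at least this often to mask timing


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion: v is a square mod P iff v^((P-1)/2) == 1 (or v == 0)."""
    return v % P == 0 or pow(v, (P - 1) // 2, P) == 1


def on_curve(x: int, y: int) -> bool:
    """Check y^2 == x^3 + ax + b (mod P)."""
    return (y * y - (pow(x, 3, P) + A * x + B)) % P == 0


def hunt_and_peck(password: bytes, mac_a: bytes, mac_b: bytes):
    """Simplified hunting-and-pecking: derive candidate x values from the password
    and both MAC addresses until x^3 + ax + b is a square, then keep looping up
    to MIN_ITERATIONS. Returns (iteration_found, x, y).

    Simplification (an assumption of this example, not the standard's exact KDF):
    each candidate is HMAC-SHA256(max(mac)||min(mac), password||counter) mod P.
    """
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    found = None
    counter = 1
    while counter <= MIN_ITERATIONS or found is None:
        seed = hmac.new(key, password + counter.to_bytes(2, "big"), hashlib.sha256).digest()
        x = int.from_bytes(seed, "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        if found is None and is_quadratic_residue(rhs):
            y = pow(rhs, (P + 1) // 4, P)  # valid square root because P % 4 == 3
            found = (counter, x, y)
        counter += 1
    return found


def iteration_profile(passwords, mac_a, mac_b):
    """Map each password to the loop iteration where its point was found. A side
    channel that reveals this number for a given pair of MACs lets an attacker
    discard every dictionary entry whose number differs."""
    return {pw: hunt_and_peck(pw, mac_a, mac_b)[0] for pw in passwords}


# Constructed sample inputs for this example (not from the paper).
MAC_AP = bytes.fromhex("020000000001")
MAC_STA = bytes.fromhex("020000000002")
SAMPLE_PASSWORDS = [b"password", b"letmein", b"hunter2", b"wifi1234", b"dragonfly",
                    b"correct horse", b"qwerty", b"admin", b"secret", b"welcome1",
                    b"p@ssw0rd", b"iloveyou"]

if __name__ == "__main__":
    for pw, n in iteration_profile(SAMPLE_PASSWORDS, MAC_AP, MAC_STA).items():
        print(f"{pw.decode():>14}: point found at iteration {n}")
```

    Because the attacker controls one of the two MAC addresses, it can run the handshake under several spoofed MACs and collect one iteration number per address, which is why a handful of measurements is enough to shrink a large dictionary to a few candidates.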

    Stateful Declassification Policies for Event-Driven Programs

    We propose a novel mechanism for enforcing information flow policies with support for declassification on event-driven programs. Declassification policies consist of two functions. First, a projection function specifies for each confidential event what information in the event can be declassified directly. This generalizes the traditional security labelling of inputs. Second, a stateful release function specifies the aggregate information about all confidential events seen so far that can be declassified. We provide evidence that such declassification policies are useful in the context of JavaScript web applications. An enforcement mechanism for our policies is presented and its soundness and precision are proven. Finally, we give evidence of practicality by implementing and evaluating the mechanism in a browser.

    Privacy in Databases

    The question of how to analyze large amounts of data while preserving privacy now prevails more than ever. In the course of history there have been many failed attempts, showing that reasoning about privacy is fraught with pitfalls. This caused an increased interest in a mathematically robust definition of privacy. We will prove that absolute disclosure prevention is impossible. In other words, a person that gains access to a database can always breach the privacy of an individual. This motivated the move to assuring relative disclosure prevention. One of the most promising definitions in this area is differential privacy. It addresses all the currently known attacks and is applicable in many situations. Networked data also poses challenging privacy issues. Both active and passive attacks, where the underlying structure of the network is used to de-anonymize individuals, are discussed. Degree anonymization and algorithms to create degree anonymous graphs will also be given.

    Guidelines for efficient peripheral blood progenitor cell collection


    A Time-Memory Trade-Off Attack on WPA3's SAE-PK


    A Security Analysis of the WPA-TKIP and TLS Security Protocols

    This dissertation analyzes the security of popular network protocols. First we investigate the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and then we study the security of the RC4 stream cipher in both WPA-TKIP and the Transport Layer Security (TLS) protocol. We focus on these protocols because of their popularity. In particular, around November 2012, WPA-TKIP was used by two-thirds of encrypted Wi-Fi networks, and it is currently still used by more than half of all encrypted networks. Similarly, around 2013, RC4 was used in half of all TLS connections. Finally, with the goal of implementing reliable proof-of-concepts for some of our attacks against WPA-TKIP, we also study physical layer security aspects of Wi-Fi.

    In the first part of this dissertation we focus on WPA-TKIP when used to protect unicast Wi-Fi traffic. Here we demonstrate how fragmentation of Wi-Fi frames can be used to inject an arbitrary number of packets, and we show how this attack can be applied in practice by performing a portscan on any client connected to the network. Then we propose a technique to decrypt arbitrary packets sent towards a client. Our technique first resets the internal state of the Michael algorithm, and abuses this to make victims forward packets to a server under control of the adversary, effectively decrypting the packets. We also present a novel Denial of Service (DoS) attack that requires the injection of only two frames every minute. Additionally, we discover that several network cards use flawed and insecure implementations of WPA-TKIP.

    In the second part of the dissertation, our goal is to attack WPA-TKIP when used to protect broadcast and multicast traffic, i.e., group traffic. This is important since, even in 2016, more than half of all encrypted Wi-Fi networks still protect group traffic using WPA-TKIP. To carry out our attack in a general setting, we must be able to reliably block certain packets from arriving at their destination, preferably using cheap commodity Wi-Fi devices. Hence we first study low-layer aspects of the Wi-Fi protocol. Surprisingly, we found that commodity devices allow us to violate several assumptions made by the Wi-Fi protocol. We show this enables us to implement a constant and selective jammer using commodity Wi-Fi devices. Although the selective jammer can block a large percentage of packets from arriving at their destination, we found that an even more effective method is to block packets by obtaining a channel-based man-in-the-middle (MitM) position. In such a position, packets are blocked by not forwarding them. Finally, we demonstrate that our MitM position allows us to attack WPA-TKIP, when used as a group cipher, within only 7 minutes.

    In the last part of the dissertation we attack RC4 in both WPA-TKIP and TLS. First we search for new biases in the RC4 keystream, in the hope they might be useful to improve our attacks. We empirically search for them using statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new long-term biases. Then we design algorithms that are capable of using multiple types of biases, in order to recover a repeatedly encrypted secret. These algorithms return a list of plaintext candidates in decreasing likelihood, and are applied to attack WPA-TKIP and TLS. For the WPA-TKIP scenario we first introduce a method to generate a large number of identical packets. We decrypt this packet by generating its plaintext candidate list, and use redundant packet structure to prune bad candidates. From the decrypted packet we derive the WPA-TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. In the attack against TLS, we show how to decrypt a secure HTTP cookie with a high success rate, by capturing roughly one billion ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack, and decrypt the cookie, within merely 75 hours.
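    The last part of the dissertation searches for RC4 keystream biases with statistical hypothesis tests. The block below is an added example written for this page, not code from the dissertation: it implements plain RC4 and runs the simplest such test, generating keystreams under many random keys, counting how often a chosen keystream byte position takes each value, and computing a z-score against the uniform 1/256 expectation. Run on the second keystream byte it rediscovers Mantin and Shamir's well-known bias (that byte is 0 roughly twice as often as a uniform byte would be). The key length, sample count, seed and threshold are arbitrary choices made here.

```python
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def keystream_byte_counts(position: int, num_keys: int, key_len: int = 16, seed: int = 1) -> Counter:
    """Frequency of each value at keystream index `position` over num_keys random keys.
    The RNG is seeded so the experiment is reproducible; keys are constructed here."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        counts[rc4_keystream(key, position + 1)[position]] += 1
    return counts


def z_score(count: int, trials: int, p0: float = 1 / 256) -> float:
    """Normal-approximation test statistic for H0: 'this value occurs with probability p0'."""
    expected = trials * p0
    sd = (trials * p0 * (1 - p0)) ** 0.5
    return (count - expected) / sd


def find_biases(position: int, num_keys: int, threshold: float = 4.0) -> dict:
    """Return {value: z} for keystream byte `position`, keeping only values whose
    frequency deviates from uniform by more than `threshold` standard deviations.
    With 256 candidate values per position, a 4-sigma cut keeps the expected
    number of false positives well below one."""
    counts = keystream_byte_counts(position, num_keys)
    scores = {v: z_score(counts[v], num_keys) for v in range(256)}
    return {v: round(z, 2) for v, z in scores.items() if abs(z) > threshold}


if __name__ == "__main__":
    # Index 1 is the second keystream byte; value 0 should stand out clearly.
    for value, z in sorted(find_biases(1, 20000).items()):
        print(f"keystream byte 1 == {value:3d}: z = {z:+.2f}")
```

    The same loop, run over every position in the first few hundred bytes and with a Bonferroni-style threshold to account for the number of hypotheses tested, is the brute-force search the abstract describes; the biases it finds are what the plaintext-recovery algorithms later combine.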