Wireless Security

Theory behind WPA and WPA2

Posted on October 1, 2016 as Networking. 6 minutes read.

Introduction

Hi everyone! Today we're gonna prepare a little bit before the next episode - in which we'll try to hack WPA and WPA2 Wi-Fi networks. But in order to do that we have to gain a better understanding of how it works, its weaknesses (if any) and the stronger sides that we shouldn't even try attacking. Let's jump into the world of theory!

What is WPA?

Due to the lack of security in the WEP standard, the Wi-Fi Alliance started working on a new standard known as 802.11i. But because the requirements of this new standard were too high for some devices, in 2003 the WPA standard was introduced as a temporary solution - a fast rollout was possible because it required only a simple software upgrade. WEP included some of the security features dedicated for 802.11i - called WPA2.

Main problems that 802.11i wanted to solve

  • Protection of shared key
  • Security of encryption
  • Authentication
  • Variability of the key
  • Integrity

RSN

In order to rebuild the concept of security in wireless networks, the 802.11i standard introduced the Robust Security Network.

In WPA there are 2 possible ways of authentication:

  • Using a Pre-Shared Key (PSK) known to everyone in the network
  • Using more advanced credentials like an individual username and password or X.509 certificates.

Access to the Wi-Fi using a PSK works just like in WEP: before connecting to the network the user must enter a key. This solution, due to its simplicity, is used in homes and is called WPA-Personal, or WPA-PSK. The PSK is entered as 64 hexadecimal digits, or 8-63 ASCII characters.

The second solution, called WPA-Enterprise, uses another element - a RADIUS server carrying out the process of authentication, authorization and accounting. That way we gain a few more possibilities:

  • Unique credentials for each user
  • Possibility to authenticate the network to which the user is connecting (no more fake access points!)
  • Authentication takes place before connecting to the network
  • Ability to control the user on the network (time limit, connection to a specific VLAN, etc.)

First, when the user tries to connect to the network, the access point connects to the RADIUS server, sending it the credentials passed by the user. Then RADIUS decides whether to allow the user to connect or not, and sends this decision to the AP. Lastly, the AP carries out the server's decision.

Important! You have to remember that WPA-Enterprise should not be confused with captive portals, which require the user to enter credentials on a web page in order to gain access to the Internet. In WPA-Enterprise authentication occurs before connecting the user to the network, while in captive portals it occurs after connection.

In 802.11i it's essential to create two kinds of keys used to encrypt the traffic - for individual broadcast it's the PTK (Pairwise Transient Key) and for group broadcast the GTK (Group Transient Key). The group key must be refreshed every time a device disconnects from the network, in order to make it impossible for that device to read multicast or broadcast packets afterwards.

In order to create those keys, the 4-way handshake was introduced; it is used to create the PTK and GTK keys with the PMK.

4-way-handshake

  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code (MAIC).
  3. The AP constructs and sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
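The key derivation behind steps 1 and 2, as an added example that is not part of the original post: how a PSK in either accepted form becomes the PMK, how the PTK is built from the PMK plus the data exchanged in the handshake, and how the AP checks the MIC in message 2. The PBKDF2 and PRF parameters come from the 802.11i standard rather than from this page, the MIC variant shown is the WPA2 (HMAC-SHA1) one, and the SSID, MAC addresses, nonces and frame bytes are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_psk(psk: str, ssid: bytes) -> bytes:
    """64 hex digits are the PMK itself; a passphrase is stretched with
    PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt, 32-byte output)."""
    if len(psk) == 64:
        return bytes.fromhex(psk)  # ValueError if not hexadecimal
    if not 8 <= len(psk) <= 63 or any(not 32 <= ord(c) <= 126 for c in psk):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid, 4096, 32)

def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 over the sorted MAC addresses and sorted nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    blocks = [hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]  # KCK(16) | KEK(16) | temporal keys(32)

def eapol_mic(ptk, frame):
    """WPA2 MIC: HMAC-SHA1 keyed with the KCK, truncated to 16 bytes."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]

def ap_accepts_message2(pmk, ap_mac, sta_mac, anonce, snonce, frame, mic):
    """AP side of step 2: rebuild the PTK and compare MICs in constant time."""
    ptk = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk, frame), mic)

# Constructed sample values (not from a real capture).
SSID = b"ExampleNet"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FRAME = b"constructed EAPOL-Key message 2 with zeroed MIC field"

def demo():
    sta_pmk = pmk_from_psk("correct horse battery", SSID)
    mic = eapol_mic(ptk_from_pmk(sta_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE), FRAME)
    other = pmk_from_psk("correct horse battery", b"OtherNet")
    args = (AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME, mic)
    return {"accepted": ap_accepts_message2(sta_pmk, *args),
            "other_ssid_accepted": ap_accepts_message2(other, *args),
            "pmk_differs_by_ssid": sta_pmk != other}

if __name__ == "__main__":
    print(demo())
```

Because the SSID is the salt, the same passphrase gives a different PMK on every network name, so any precomputed PMK table is only valid for one SSID; a unique SSID and a long random passphrase are the practical defences.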

Whenever a new GTK key is needed, after a client disconnects, the access point sends the new key and the connected clients only accept this change.

After the 4-way handshake the client has the PTK and GTK keys, which are essential to encrypt the data. They are constant for each session (if there wasn't a key renegotiation). To make it work the 802.11i standard introduced CCMP (for WPA it was TKIP, which made faster implementation possible). Learn more at:

TKIP
CCMP

Security

  • Eavesdropping on the broadcast alone won't allow us to decrypt it, due to the changes in the encryption key (while in WEP you only had to capture a large number of packets to crack the password).
  • Possession of a captured broadcast without the handshake won't let us decrypt it.
  • Fix for the IV collision
  • Use of algorithm insusceptible to the related key attack.
  • Better integrity of the packets
  • More advanced authentication mechanisms using 802.1X.

But is WPA vulnerable?

Yes, and here are the most important types of attacks.

Brute force attacks

The PTK key, used to protect the broadcast, is created using the PSK and some data sent during the handshake.

Even if we don't know the PSK, but we can capture the additional data used during the handshake, we can still try to perform a brute force attack based on trying different PSK values, then calculating the PMK and PTK and checking if the value is correct.

But because of the size of the PSK's value (9-63 ASCII characters), trying out the whole number of combinations is almost impossible. In real life this attack is performed as a dictionary attack, which is a lot faster since trying out all the words in a dictionary can be done in a few days, or even faster. There is only one flaw in this attack - if the password isn't in the dictionary, we will not succeed.

As an alternative, we can try attacking using rainbow tables. Because hashing algorithms create hashes of the same, fixed size, it's very hard to avoid a phenomenon called collision. A collision occurs when two different inputs passed to the hashing algorithm produce the same output. It makes the process of attacking even faster as we're using precomputed rainbow tables (not hashing in 'air'), and we only have to check whether each hash in the table works. Still, we have no certainty of success.

Additionally, in 2007, a new vulnerability called "short packed spoofing" was described, allowing us to decrypt short packets like ARP, but it didn't result in capturing the PSK key - only the key stream used to encrypt the packet, allowing us to inject a few packets into the network, resulting in, for example, sending data from the user to the Internet.

Fuzzing

The security of wireless networks also depends on the software handling this work (drivers, libraries etc). Because network architecture is getting more and more complicated, the code is also getting much more complex, which may result in flaws that an attacker can exploit.


I hope that you gained a better understanding of how WPA and WPA2 work. In the next part we're going to actually try and attack a protected wireless network.

Keep learning and stay safe!

~ W3ndige