
The blackjack vulnerability

If you are from the Wi-Fi Alliance and feel this should not be public, feel free to contact me, my email is not far. TL;DR: WPS PIN with a fixed PIN (printed on a sticker) can be broken in 18 packets, and they knew it.

Welcome to the Internet, beware of the errors :)

Erratum

I thought the Enrollee was the client and the Registrar the AP, but I was wrong. The spec says:

    Enrollee: A Device seeking to join a WLAN Domain. Once an Enrollee obtains a valid credential, it becomes a Member.
    Registrar: An entity with the authority to issue and revoke Domain Credentials. A Registrar may be integrated into an AP, or it may be separate from the AP. A Registrar may not have WLAN capability. A given Domain may have multiple Registrars.

Thus, what I wrote below contains errors. Correction and implementation are left as an exercise to the reader.

The blackjack vulnerability

Wi-Fi Protected Setup (WPS, formerly Wi-Fi Simple Configuration) is a protocol which aims to simplify the security setup and management of Wi-Fi networks.

Wi-Fi Protected Setup

WPS is a set of 3 simple methods used to configure a WLAN client station. Security is assured by out-of-band communication (NFC, seven-segment display, physical button). These 3 methods are :

WPS PIN is known to be a weak protocol. Implementations use 8-digit PINs, and usually this PIN is a fixed value printed on a sticker. The PIN is negotiated in two parts, and the last digit is a checksum: XXXXYYYZ. Because an attacker can validate the first part (XXXX) before, and independently of, the second (YYYZ), there are only 10^4 + 10^3 = 11000 different PINs to try. The reaver tool can be used to enumerate this keyspace in 4-6 hours.

Some routers are configured with a known trivial PIN (12345670). Some manufacturers use secret algorithms that define the PIN as a function of the MAC address and the serial number of the router. The algorithms, MAC addresses and serial numbers are known to attackers, so a lot of PINs can be recovered easily.

Description of the WPS PIN protocol

The eight messages of the exchange and their contents (ENC_KeyWrapKey(x) is x encrypted under KeyWrapKey):

  M1: Version, N1, Description, PK_E
  M2: Version, N1, N2, Description, PK_R
  M3: Version, N2, E-Hash1, E-Hash2
  M4: Version, N1, R-Hash1, R-Hash2, ENC_KeyWrapKey(R-S1)
  M5: Version, N2, ENC_KeyWrapKey(E-S1)
  M6: Version, N1, ENC_KeyWrapKey(R-S2)
  M7: Version, N2, ENC_KeyWrapKey(E-S2)
  M8: Version, N1, ENC_KeyWrapKey(ConfigData)

  1. The client (Enrollee) sends N1, a 128-bit random number, and PK_E, its Diffie-Hellman public key, to the Registrar (AP).
  2. The Registrar answers with N2, a 128-bit random number, and PK_R, its Diffie-Hellman public key.

    Now the two sides can compute the session keys:

    • The 1536-bit MODP group is taken from RFC 3526.
    • PK_E = 2^A mod p
    • PK_R = 2^B mod p
    • Diffie-Hellman key: DHKey = SHA-256(zeropad(2^(AB) mod p, 192)), the shared value zero-padded to 192 bytes.
    • Key Derivation Key: KDK = HMAC-SHA-256(DHKey, N1 || EnrolleeMAC || N2)
    • AuthKey, KeyWrapKey and the Extended Master Session Key (EMSK) are derived from the KDK with a key derivation function that concatenates HMAC-SHA-256(KDK, uint32_be(iteration) || "Wi-Fi Easy and Secure Key Derivation" || uint32_be(total_bits)) over successive iterations. total_bits is 640 (AuthKey + KWK + EMSK = 256 + 128 + 256 = 640), so three iterations are needed:

      AuthKey || KWK || EMSK =
          HMAC-SHA-256(KDK, 0x00000001 || "Wi-Fi Easy and Secure Key Derivation" || 0x00000280)
       || HMAC-SHA-256(KDK, 0x00000002 || "Wi-Fi Easy and Secure Key Derivation" || 0x00000280)
       || HMAC-SHA-256(KDK, 0x00000003 || "Wi-Fi Easy and Secure Key Derivation" || 0x00000280)

    These keys are used to encrypt the secret nonces R-S1, E-S1, R-S2, E-S2 and ConfigData (but not the hashes, see the Pixie Dust attack). From this point the Diffie-Hellman key exchange is done, and every message carries an authenticator: an HMAC-SHA-256 keyed with AuthKey over the previous message and the current one.

  3. The Enrollee sends two hashes as proof that it knows PIN1 and PIN2. It reveals the corresponding secret nonces later.

    The two parts of the PIN (PIN1 = XXXX and PIN2 = YYYZ) are each turned into a PSK:

    • PSK1 = HMAC-SHA-256(AuthKey, XXXX)
    • PSK2 = HMAC-SHA-256(AuthKey, YYYZ)

    The Enrollee creates two 128-bit secret nonces, E-S1 and E-S2, and then computes

    • E-Hash1 = HMAC-SHA-256(AuthKey, E-S1 || PSK1 || PK_E || PK_R)
    • E-Hash2 = HMAC-SHA-256(AuthKey, E-S2 || PSK2 || PK_E || PK_R)

    The Registrar creates two 128-bit secret nonces, R-S1 and R-S2, and then computes

    • R-Hash1 = HMAC-SHA-256(AuthKey, R-S1 || PSK1 || PK_E || PK_R)
    • R-Hash2 = HMAC-SHA-256(AuthKey, R-S2 || PSK2 || PK_E || PK_R)

    The hash values are gradually exchanged and verified in messages M3-M7. If a verification check of one of the Device Password parts fails, the receiving side must acknowledge the message with a failure indication, and the Enrollee and Registrar must stop the protocol and discard all keys and nonces associated with the session.

  4. The Registrar sends its two hashes and the first secret nonce, R-S1.
  5. The Enrollee sends the first secret nonce, E-S1. The Registrar now knows whether the Enrollee knows the first half of the PIN.
  6. The Registrar sends the second secret nonce, R-S2.
  7. The Enrollee sends the second secret nonce, E-S2. The Registrar can confirm that the Enrollee knows the PIN.
  8. The Registrar sends the WPA2 password (encrypted :D).
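To make the key schedule and the half-by-half commitment check above concrete, here is an added Python simulation of an honest Enrollee and Registrar running M1 through M7. It is example code written for this page, not code from the post or from any WPS implementation. It uses the RFC 3526 1536-bit group and the key derivation exactly as described above; it assumes 256-bit private Diffie-Hellman exponents, a constructed Enrollee MAC, and takes PSK1/PSK2 as the first 128 bits of the HMAC (the WSC specification's definition; the post writes the untruncated HMAC). The ENC_KeyWrapKey encryption of the nonces, the per-message authenticator and M8 are left out: the point is how each revealed nonce lets the other side verify one PIN half at a time, and how the session stops as soon as a half fails.

```python
import hashlib
import hmac
import os
import struct

# 1536-bit MODP group (RFC 3526, group 5); the generator is 2.
MODP_1536_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"
KDF_TOTAL_BITS = 640  # AuthKey (256) + KeyWrapKey (128) + EMSK (256)


def hmac256(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Return (private exponent, PK = 2^a mod p as 192 zero-padded bytes)."""
    a = int.from_bytes(os.urandom(32), "big")  # 256-bit exponent (assumption)
    return a, pow(2, a, MODP_1536_P).to_bytes(192, "big")


def dh_shared(priv, peer_pk):
    """zeropad(2^(AB) mod p, 192): the input to DHKey."""
    return pow(int.from_bytes(peer_pk, "big"), priv, MODP_1536_P).to_bytes(192, "big")


def derive_keys(shared, n1, enrollee_mac, n2):
    """DHKey -> KDK -> (AuthKey, KeyWrapKey, EMSK) with the three-iteration KDF."""
    dhkey = hashlib.sha256(shared).digest()
    kdk = hmac256(dhkey, n1 + enrollee_mac + n2)
    stream = b"".join(
        hmac256(kdk, struct.pack(">I", i) + KDF_LABEL + struct.pack(">I", KDF_TOTAL_BITS))
        for i in (1, 2, 3))
    return stream[:32], stream[32:48], stream[48:80]


def pin_psks(authkey, pin):
    """PSK1 from digits XXXX, PSK2 from digits YYYZ; first 128 bits of each HMAC (spec)."""
    return (hmac256(authkey, pin[:4].encode())[:16],
            hmac256(authkey, pin[4:].encode())[:16])


def commitment(authkey, secret, psk, pk_e, pk_r):
    """E-Hash / R-Hash = HMAC-SHA-256(AuthKey, secret || PSK || PK_E || PK_R)."""
    return hmac256(authkey, secret + psk + pk_e + pk_r)


def check(authkey, expected, revealed_secret, psk, pk_e, pk_r):
    """Recompute a commitment from the revealed nonce and compare in constant time."""
    return hmac.compare_digest(expected, commitment(authkey, revealed_secret, psk, pk_e, pk_r))


def run_session(enrollee_pin, registrar_pin, enrollee_mac=bytes.fromhex("001122334455")):
    """Simulate M1-M7 between an Enrollee holding enrollee_pin and a Registrar holding
    registrar_pin (the MAC is a constructed sample value). Returns which PIN halves
    verified; a failed first half stops the session, so half2 is then None."""
    n1, n2 = os.urandom(16), os.urandom(16)          # M1 / M2 nonces
    a, pk_e = dh_keypair()                           # M1 carries PK_E
    b, pk_r = dh_keypair()                           # M2 carries PK_R
    # Each side derives the keys from its own exponent and the peer's public value.
    auth_e, kwk_e, _ = derive_keys(dh_shared(a, pk_r), n1, enrollee_mac, n2)
    auth_r, kwk_r, _ = derive_keys(dh_shared(b, pk_e), n1, enrollee_mac, n2)
    keys_agree = auth_e == auth_r and kwk_e == kwk_r

    psk1_e, psk2_e = pin_psks(auth_e, enrollee_pin)
    psk1_r, psk2_r = pin_psks(auth_r, registrar_pin)
    e_s1, e_s2, r_s1, r_s2 = (os.urandom(16) for _ in range(4))
    # M3: Enrollee commits to both halves; M4: Registrar commits and reveals R-S1.
    e_hash1 = commitment(auth_e, e_s1, psk1_e, pk_e, pk_r)
    e_hash2 = commitment(auth_e, e_s2, psk2_e, pk_e, pk_r)
    r_hash1 = commitment(auth_r, r_s1, psk1_r, pk_e, pk_r)
    r_hash2 = commitment(auth_r, r_s2, psk2_r, pk_e, pk_r)

    # After M4 the Enrollee checks R-Hash1 with R-S1; after M5 the Registrar checks E-Hash1 with E-S1.
    half1 = (check(auth_e, r_hash1, r_s1, psk1_e, pk_e, pk_r)
             and check(auth_r, e_hash1, e_s1, psk1_r, pk_e, pk_r))
    if not half1:
        return {"keys_agree": keys_agree, "half1": False, "half2": None}
    # M6 reveals R-S2, M7 reveals E-S2: the second half is checked the same way.
    half2 = (check(auth_e, r_hash2, r_s2, psk2_e, pk_e, pk_r)
             and check(auth_r, e_hash2, e_s2, psk2_r, pk_e, pk_r))
    return {"keys_agree": keys_agree, "half1": True, "half2": half2}


if __name__ == "__main__":
    print(run_session("12345670", "12345670"))  # both halves verify
    print(run_session("12345670", "12349999"))  # second half fails
    print(run_session("99995670", "12345670"))  # first half fails, session stops
```

The second and third calls show why the two halves are independent: with the first four digits right and the last four wrong, half1 verifies and only half2 fails, which is exactly the property that shrinks the search to 10^4 + 10^3 candidates.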

The Pixie Dust attack

The Pixie Dust attack (as described in Dominique_Bongard.pdf) contains some errors. (In fact, I was reading an old version of this paper all along, and the version behind the hyperlink seems better. He found the note: oh, if the WPS PIN has a fixed value, you are screwed.) We cannot (as an active attacker) run the protocol up to M3 and choose our own random nonces E-S1 and E-S2, because we don't know the PIN and so our E-Hash1 and E-Hash2 can't be correct. (Otherwise, we already know the PIN.) (I may have misunderstood the specification.)

A variation of what is described is still possible. The fake content (E-Hash1 and E-Hash2 in M3, shown in red in the original figure) is sent by us:

  M1: Version, N1, Description, PK_E
  M2: Version, N1, N2, Description, PK_R
  M3: Version, N2, E-Hash1, E-Hash2
  M4: Version, N1, R-Hash1, R-Hash2, ENC_KeyWrapKey(R-S1)
  M5: Version, N2, ENC_KeyWrapKey(E-S1)
  M6: Version, N1, ENC_KeyWrapKey(R-S2)
  M7: Version, N2, ENC_KeyWrapKey(E-S2)
  M8: Version, N1, ENC_KeyWrapKey(ConfigData)

We can send fake E-Hash1 and E-Hash2 to the Registrar (chosen face-down cards); he won't notice, and we will receive correct hashes from the Registrar. If we do so, we know R-Hash1 and R-Hash2. Pixie Dust attack blah blah: we have to assume that the Registrar creates predictable random numbers. If so, we know R-S1 and R-S2, game over.

The blackjack vulnerability

While confirming that the Pixie Dust attack as described in the pdf isn't correct, I discovered a new attack. I was reading the specification, and I was sad when I reached the end of the pdf because this attack is described in the official pdf. This has a lot of implications: they knew (and implemented) that every Wi-Fi network with WPS PIN enabled and a static PIN can be cracked in 18 packets, period. It may be that this vulnerability has already been discovered and reported. Independent research blah blah. There is still some hype around the Pixie Dust attack, so I thought I should add signal on the Internet.

I called it blackjack because the analogy with face-down and face-up cards makes the problem easy to explain. The negotiation can be viewed as a magic trick with secret face-down cards and 3 rounds of the same game with the same cards. After 3 rounds the magician loses. We'll do it in 3 WPS PIN sessions.

Session 1:

  M1: Version, N1, Description, PK_E
  M2: Version, N1, N2, Description, PK_R
  M3: Version, N2, E-Hash1, E-Hash2
  M4: Version, N1, R-Hash1, R-Hash2, ENC_KeyWrapKey(R-S1)
  M5: Version, N2, ENC_KeyWrapKey(E-S1)
  M6: Version, N1, ENC_KeyWrapKey(R-S2)
  M7: Version, N2, ENC_KeyWrapKey(E-S2)
  M8: Version, N1, ENC_KeyWrapKey(ConfigData)

Abort after M4. We now know R-Hash1 and R-S1. We have to guess XXXX; the keyspace size is 10000. Now we know XXXX = PIN1, the first half of the PIN.

Session 2, to recover the other half:

  M1: Version, N1, Description, PK_E
  M2: Version, N1, N2, Description, PK_R
  M3: Version, N2, E-Hash1, E-Hash2
  M4: Version, N1, R-Hash1, R-Hash2, ENC_KeyWrapKey(R-S1)
  M5: Version, N2, ENC_KeyWrapKey(E-S1)
  M6: Version, N1, ENC_KeyWrapKey(R-S2)
  M7: Version, N2, ENC_KeyWrapKey(E-S2)
  M8: Version, N1, ENC_KeyWrapKey(ConfigData)

We now know R-Hash2 and R-S2. We can deduce PIN2, and PIN = PIN1 || PIN2.

Session 3: we submitted random values in E-Hash2, so we have to restart the protocol once more:

  M1: Version, N1, Description, PK_E
  M2: Version, N1, N2, Description, PK_R
  M3: Version, N2, E-Hash1, E-Hash2
  M4: Version, N1, R-Hash1, R-Hash2, ENC_KeyWrapKey(R-S1)
  M5: Version, N2, ENC_KeyWrapKey(E-S1)
  M6: Version, N1, ENC_KeyWrapKey(R-S2)
  M7: Version, N2, ENC_KeyWrapKey(E-S2)
  M8: Version, N1, ENC_KeyWrapKey(ConfigData)

We know ConfigData, which contains the WPA2 PSK (Pre-Shared Key = password). Game over.

Continue reading on méric.fr