
I was shocked to learn how the PTK is crafted from the PMK in WPA2 WiFi.

PMK is made with crypt_hash(SSID + PSK). OK, seems good.

Then, the client and the Access Point (AP) perform the famous 4-way handshake:

Client -> [ANonce, MACClient] -> AP  
Client <- [ SNonce, MACAP] <- AP  
Client -> OK -> AP  
Client <- OK <- AP  

Then, the final PTK is derived from the vector [PMK, ANonce, SNonce, MACClient, MACAP].

This is the thing that appears to be obviously ridiculous in terms of security.

If you know the PSK -> you know the PMK

If you know the PMK -> you can decrypt the 4-way handshake of another client of the WiFi (one that your WiFi chip is able to intercept)

If you see this 4-way handshake -> you can decrypt every further packet it will send to the AP, because you know its PTK (you see the ANonce, SNonce, and MAC addresses)

This is confirmed here: https://networkengineering.stackexchange.com/questions/24236/sniff-traffic-on-a-private-ssid/24243#24243

This means that every client of a WiFi could be able to observe the traffic of the other clients (like an attacker doing ARP spoofing, or in a network with a hub).

As we see during pentests, performing MiTM with ARP spoofing can be very dangerous because very few companies actually use only ciphered protocols. You can observe telnet passwords, HTTP passwords, etc.

The main remediation is to only use ciphered protocols, I know. But defense in depth says that security must be applied at every layer. Here we have a layer 1 as insecure as a global hub for the network, or like connecting to a TAP interface and eavesdropping on all the traffic.

Why did they not design the 4-way handshake to use something like Diffie-Hellman, where the client and AP only transmit non-secret data to construct their secret key?
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
ANonce and SNonce could be replaced by the client and AP public keys. This way, anyone who can eavesdrop on the 4-way handshake will not know the PTK, and layer 1 will be as secure as (or more secure than) a physical cable.

I don't understand how they could do things like this. The Diffie-Hellman key exchange is something well known and pretty standard.

Currently, the 4-way handshake (the PTK) does not provide more security than the PMK, because knowing the PMK is sufficient to know the PTK of the others (okay, you need to be there when the user is connecting).

schroeder
Sibwara
    You're right about everything, but you're 14 years late. WPA2 was designed (released 2004) to replace WEP, which was infamously weak/destroyed. Last year WPA2 was also fully destroyed with KRACK, so we're already moving on to WPA3. My point here is: what kind of answer are you expecting? This ain't a forum to debate which implementation is better, or what I/you think is better, or what the IEEE standards committee thought when they were implementing the 4WH instead of DH. – Azteca May 17 '18 at 18:38
  • The question boils down to why they chose a nonce-based approach. And the answer might simply have to do with keeping the resource requirements at a minimum since wifi is going to be used in very resource-constrained devices. – schroeder May 17 '18 at 19:48
  • @schroeder I absolutely agree, but as you said, it *"might"*; if he's lucky, we'll get an answer like https://security.stackexchange.com/questions/181580/why-is-math-random-not-designed-to-be-cryptographically-secure , but I doubt we have someone from the IEEE committee here on SE. Since **it's a question about a decision** taken years ago, I think it's trivial and it should be closed; it doesn't really add any value, does it? – Azteca May 17 '18 at 20:01
  • Unless there is an exploration here of nonce vs non-nonce encryption approaches. I think it is ok to let this ride and see if we can get good quality answers, because I believe it is possible. – schroeder May 17 '18 at 20:03
  • Thanks for your response and for confirming what I didn't want to believe. My question is also about: "is it possible to still consider WiFi WPA2 secure (even before KRACK) and to recommend its use, as layer 2 is exposed like with a hub?" A friend showed me a related subject with an interesting response: https://security.stackexchange.com/questions/124073/could-diffie-hellman-be-used-to-stop-people-who-knows-the-psk-from-snooping-on-y – Sibwara May 22 '18 at 16:45
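
As an added example, not part of the question or its comments, here is the derivation the question describes carried through in Python with only the standard library: PSK -> PMK via PBKDF2-HMAC-SHA1 (the `crypt_hash(SSID + PSK)` of the question), PTK via the 802.11 PRF over the two nonces and two MAC addresses, and the consequence that a listener who knows the PSK and captured messages 1 and 2 computes exactly the client's PTK. It goes one step beyond the question by also showing the check a cracker runs offline against a captured handshake: recompute the KCK from a candidate PSK and compare the MIC on message 2. Every SSID, passphrase, MAC and nonce value is constructed, and the `msg2` bytes are a constructed stand-in for an EAPOL-Key frame body with the MIC field zeroed, not a real frame layout.

```python
"""WPA2-Personal key hierarchy: PSK -> PMK -> PTK, and what a PSK-holding eavesdropper gets.
Added example; values below are constructed for illustration. Standard library only."""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(K, label || 0x00 || data || i) for i = 0..3, keep 512 bits
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # AA = authenticator (AP) MAC, SPA = supplicant (client) MAC. The min/max ordering is
    # what lets both endpoints, and any passive listener, build the identical PRF input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    # KCK authenticates the handshake (MIC), KEK wraps the GTK, TK encrypts data frames (CCMP)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    # WPA2/CCMP key-descriptor version 2: MIC = HMAC-SHA1(KCK, frame)[:16]
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def demo() -> dict:
    ssid, psk = "CorpGuest", "correct horse battery staple"   # constructed network
    ap_mac = bytes.fromhex("00112233aabb")                      # constructed AA
    sta_mac = bytes.fromhex("66778899ccdd")                     # constructed SPA
    anonce, snonce = os.urandom(32), os.urandom(32)             # sent in clear in msg 1 / msg 2

    # Both legitimate parties derive the PTK from the shared PMK plus the public handshake values.
    pmk = derive_pmk(psk, ssid)
    ptk_sta = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    ptk_ap = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)

    # The client signs message 2 with its KCK. Constructed stand-in for the EAPOL-Key body:
    # header bytes, the SNonce, and a zeroed 16-byte MIC field (not a real frame layout).
    msg2 = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + bytes(16)
    mic2 = eapol_mic(split_ptk(ptk_sta)["KCK"], msg2)

    # Eavesdropper: another client of the same network (knows the PSK), saw msg 1 and msg 2.
    sniffed = dict(aa=ap_mac, spa=sta_mac, anonce=anonce, snonce=snonce)
    ptk_eve = derive_ptk(derive_pmk(psk, ssid), **sniffed)

    # Offline check per candidate PSK: recompute the KCK and compare the MIC on message 2.
    def psk_matches(candidate: str) -> bool:
        kck = split_ptk(derive_ptk(derive_pmk(candidate, ssid), **sniffed))["KCK"]
        return hmac.compare_digest(eapol_mic(kck, msg2), mic2)

    return {
        "ptk_match_legit": ptk_sta == ptk_ap,
        "ptk_match_eavesdropper": ptk_eve == ptk_sta,   # same TK -> same CCMP key as the victim
        "mic_ok_right_psk": psk_matches(psk),
        "mic_ok_wrong_psk": psk_matches("incorrect horse"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing in the handshake input to the PRF is secret except the PMK, so the PTK is only as confidential as the PSK is to the people on the network; the MIC comparison at the end is also why a captured handshake is enough to test passphrase guesses offline, with PBKDF2's 4096 iterations as the only cost per guess.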

0 Answers