I've been reading about the Pixie Dust attack from various sources that provide a low-level explanation of how it works.

In the values

E-Hash1 = HMAC(AuthKey, E-S1 || PSK1 || PKE || PKR)

and

E-Hash2 = HMAC(AuthKey, E-S2 || PSK2 || PKE || PKR)

PKE and PKR are known. PSK1 and PSK2 are the first and last 4 digits of the 8-digit PIN respectively. The E-S1 and E-S2 values are supposed to be random. However, in some implementations they are generated with insecure PRNGs and can be easily guessed.

So in every description of the attack, they say that we can brute-force the PSK1 and PSK2 values and recover the PIN.

However, HMAC uses the AuthKey as the secret key to generate the E-Hash values. If we don't know the AuthKey, how can we brute-force the PSK values?

I didn't find a source that incorporated the part of how the AuthKey is found. I hope that someone can shed some light on this.

  • Maybe I'm missing something here, but if you know `E-S1`, `E-S2`, `PKE` and `PKR` *and* you have a hash you can compare against, it would only take a maximum of 10,000 attempts to recover half the pin, and another 10,000 to recover the other half. – Ron Beyer May 12 '20 at 17:11
  • In order to compare against the hash that I have, e.g. E-Hash1, I need to compute the hashes for each possible PSK1. But this hash was computed with the AuthKey as input. If I don't know the AuthKey, how will I generate hashes to compare against? – Giannis Pappas May 12 '20 at 17:16
  • As you've written it, it looks like the auth-key is the concatenation of `E-Sn || PSKn || PKE || PKR`, so if you know 3 of the 4 elements of the auth-key, brute forcing it shouldn't be too hard – Ron Beyer May 12 '20 at 17:18
  • The E-Sn || PSKn || PKE || PKR value is not the AuthKey. HMAC takes as input a secret key in addition to the value in the parentheses. https://en.wikipedia.org/wiki/HMAC I guess the notation is confusing in my post, but my text implies it is a different value. – Giannis Pappas May 12 '20 at 17:33

1 Answer

The AuthKey is known as such:

When the registrar receives M1 he generates his public key and rnonce and can compute the

DHKey = SHA-256(g^AB mod p, 192)

and subsequently the

KDK = HMAC-SHA-256(DHKey, enonce || EnrolleeMAC || rnonce)

Finally the AuthKey is derived as part of

AuthKey || KeyWrapKey || EMSK = kdf(KDK, “Wi-Fi Easy and Secure Key Derivation”, [256, 128, 256]).
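
The derivation chain in the answer above, as an added example that is not part of the original answer: it shows that whoever plays the registrar in the exchange ends up with the same AuthKey as the enrollee. Assumptions: the 192 is read as zero-padding the shared secret to 192 bytes, the kdf is the counter-mode HMAC-SHA-256 construction of the WSC specification, and the modulus, private keys, nonces, MAC and function names are constructed for illustration (a toy group, not the real WPS 1536-bit one).

```python
import hashlib
import hmac
import struct

KDF_LABEL = b"Wi-Fi Easy and Secure Key Derivation"

def wsc_kdf(key: bytes, label: bytes, total_bits: int) -> bytes:
    """Concatenate HMAC-SHA-256(key, i || label || total_bits) for i = 1, 2, ..."""
    out = b""
    i = 1
    while len(out) * 8 < total_bits:
        msg = struct.pack(">I", i) + label + struct.pack(">I", total_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[: total_bits // 8]

def derive_keys(dh_shared: int, enonce: bytes, enrollee_mac: bytes, rnonce: bytes):
    """Return (AuthKey, KeyWrapKey, EMSK) from the DH shared secret g^AB mod p."""
    # DHKey: SHA-256 over the shared secret, zero-padded to 192 bytes (assumption).
    dhkey = hashlib.sha256(dh_shared.to_bytes(192, "big")).digest()
    # KDK binds the key to both nonces and the enrollee's MAC address.
    kdk = hmac.new(dhkey, enonce + enrollee_mac + rnonce, hashlib.sha256).digest()
    okm = wsc_kdf(kdk, KDF_LABEL, 256 + 128 + 256)
    return okm[:32], okm[32:48], okm[48:80]

# Constructed sample values, for illustration only.
TOY_P = 2**127 - 1            # toy prime modulus, NOT the WPS group
TOY_G = 3
ENROLLEE_PRIV = 0x1F2E3D4C5B6A79880123456789ABCDEF
REGISTRAR_PRIV = 0x0FEDCBA9876543211122334455667788
ENONCE = bytes(range(16))     # sent in M1
RNONCE = bytes(range(16, 32)) # sent in M2
ENROLLEE_MAC = bytes.fromhex("020000000001")

def both_sides():
    """Each side combines its own private key with the peer's public key."""
    pke = pow(TOY_G, ENROLLEE_PRIV, TOY_P)   # enrollee public key (PKE)
    pkr = pow(TOY_G, REGISTRAR_PRIV, TOY_P)  # registrar public key (PKR)
    enrollee = derive_keys(pow(pkr, ENROLLEE_PRIV, TOY_P), ENONCE, ENROLLEE_MAC, RNONCE)
    registrar = derive_keys(pow(pke, REGISTRAR_PRIV, TOY_P), ENONCE, ENROLLEE_MAC, RNONCE)
    return enrollee, registrar

if __name__ == "__main__":
    enrollee, registrar = both_sides()
    print("AuthKey (enrollee): ", enrollee[0].hex())
    print("AuthKey (registrar):", registrar[0].hex())
```

Nothing in this chain depends on the PIN, which is why the AuthKey alone does not protect E-Hash1 and E-Hash2 from a party that took part in the exchange.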