Placeholder Image

字幕表 動画を再生する

  • Dr. Steve Bagley: - So on Monday the 16th of October, 2017,

  • two researchers of the Belgian University released

  • information of an exploit that they've found

  • for the security mechanism used on all major

  • Wi-Fi connections these days.

  • So this is WPA, the encryption protocol that was

  • brought in to replace the early one,

  • WEP, which was basically useless.

  • So this one has been proven to be mathematically correct.

  • It's been proven to be mathematically

  • secure and so it was thought

  • that you wouldn't be able to attack it. And for the last 15 years or so

  • there's been a few fringe effects that you could exploit to get certain things,

  • but in general, it's secure. Until yesterday ?

  • The way that WPA works is that

  • when the client, your computer, connects to the base station initially starts off

  • unencrypted and very quickly they exchange a series of messages between the two

  • which get them so they've agreed on a key that they're going to use to encrypt the message.

  • And so to understand how this attack works we need to understand how those messages are transmitted,

  • and then how that's used to encrypt the data, which is why I brought Mike

  • along to sort of help talk about the encryption side of things

  • Hello, Mike

  • Dr. Make Pound: - Hello!

  • What am I doing here?

  • - So what we've got open on the computer here is I

  • set wireshark going when I turned on my Wi-Fi card

  • It's captured a series of packets and what we can see here

  • is there are four packets of information that are sent

  • between the computer and the access point and

  • These effectively agree the shared key that they're going to use.

  • now this isn't the password you put into your Wi-Fi router.

  • One of the interesting things that this attack works

  • without ever necessarily getting hold of your password.

  • So we end up with four messages that are being sent between the base station and

  • Your computer to establish those things.

  • So if we have a look at them,

  • we got our computer here, and we have

  • The access point here, or the base station

  • and we've associated with it,

  • so the first thing to set up the encryption is that the access point

  • sends a message across, and we'll call this Message 1.

  • This contains various information in there including a random number

  • which is used, and a counter which is used for something else.

  • But we won't go into too much detail

  • And then we reply with our random number which is Message 2

  • They send Message 3 which contains a bit more information, and then we send

  • Message 4 which basically says,

  • "Yep. I got that. The communication is now established."

  • Now the way the Krack Attack works is by sitting in the middle you have another computer,

  • which is your malicious actor

  • which is going to sit there to try and break into this encryption, and he has to sit in such a way that he can

  • know when Message 3 is sent and stop Message 4 being sent back

  • - Sean: What does he do? Block it or something?

  • - Dr. Bagley: I mean basically the way this works

  • Is that you need to cause Message 3 to be received by the computer

  • more than once in a way that you know about

  • and you've got access to things and if you do that you can start capturing data

  • and you can use some of the techniques that Mike's going to talk about

  • to decrypt the information.

  • So one way you could do it is you could perhaps

  • splat a bit of noise on to the Wi-Fi signal at that point.

  • There are easy ways where you pretend to be

  • a base station and quickly send a message saying,

  • "Switch to me on a different channel because I've got better communications here,"

  • which means you receive it

  • And the other base station doesn't and then it sends it out

  • and you could sort of forward it on.

  • So there's various ways you could probably

  • push this into into use, but basically once you've got in here, and you caused this to be resent

  • it causes parts of the values that the computer uses to encrypt the messages

  • To be reset as well and once you've done that you can get into a position where you can actually start to

  • decrypt the messages.

  • Dr Mike Pound: - When the client receives message 3,

  • That's a moment it thinks right I've got my keys now. I can store them away ready for encryption

  • The problem is that if the access point doesn't receive message 4, it thinks

  • Oh well something must have happened to it. So I'll send message 3 again to make sure the client got it .

  • The bugs that these researchers have found is that if message 3 gets resent, it restores the key

  • and in doing so also resets all of the other cryptographic variables it's been working with, which is a real problem

  • In particular it's a problem when you reset something called the nonce, or a number used once.

  • So the way we usually encrypt in WPA is through AES, advanced encryption standard

  • and we do it in counter mode generally speaking because it's quite fast so

  • If you think back to the video we did on

  • XOR and

  • Stream ciphers we basically use AES as a stream cipher so we have an ever-increasing counter

  • Let's say it starts at one, and we encrypt these numbers with our AES block cipher

  • Here's our key coming in here

  • So this one when encrypted using this key will produce a block of AES encrypted data that's random.

  • So basically we're generating here a set of random numbers that goes on like this from the first block

  • and then the second, and then the third and so on all the way along

  • But it's not a truly random thing because if I know the key and I can still get want to generate the same, yeah

  • And so I mean, that's about

  • Unfortunate is the problem with cryptography is that we couldn't ever use truly random because we wouldn't be able to decrypt it again

  • We have our message bits, which are you know naught, 1, 1, naught, something different

  • And we XOR these together one bit at a time

  • And that's how we encrypt and the nice thing is to decrypt we basically regenerate

  • This key stream and do the exact process again

  • we XOR our ciphertext and get our message back out. Now counter mode is very very fast and

  • It's perfectly secure if your block cipher produces nicely random bits

  • unless

  • You reuse the numbers in which case it's completely broken. In this attack, remember,

  • We're resetting the nonce because we're sending message 3 the client sees this and goes,

  • "Oh I better restart my encryption from start from scratch again."

  • So this number goes back to one, or goes back to zero somewhere at the beginning, and so we're generating the exact same key stream

  • multiple times

  • We start by cryptic some data using the key starting at 1 2 3 4 and then it gets reset

  • and we encrypt some different data with 1 2 3 4

  • Q: So normally it doesn't go around like 1 2 3 4, 1 2 3 4. It literally keeps --

  • It will just keep counting up and obviously the theoretical limit will be the

  • 128-bit number that you're trying to store. That's unlikely to happen in the time you're connected to the Wi-Fi

  • But it's a theoretical possibility

  • If they use one multiple times you can probably work out what? -- yeah,

  • so if you imagine that we've used one multiple times

  • The same keys been used, because the key didn't get changed, then the same key stream of zeros and ones have been XOR our message

  • and that's very very weak when we use the same key twice we can essentially nullify the key by XOR in two messages together and

  • Then we do a very similar process become something called crib dragging so we will come up with hypothetical bits of plaintext

  • we think let's say the word HTML or

  • Someone's login name or something like this, and we will slide it over the message until

  • It gets a hit and at that point

  • We know not only where it is

  • But also what the keystream bits for that position were. So it's not a completely trivial process

  • But on our computer it can be bruteforced incredibly quickly. If you reuse the same

  • counter twice with the same key in something like counter mode

  • It's such a huge problem because basically you can extract plaintext bits from multiple messages

  • Once you've started to do that then you've got some idea of what we've sent you might be able to predict what they're going to

  • send and sort of get in and start doing replay attacks and things like this or

  • injecting information in, but we've done all this without even knowing what the key was. So it's an interesting part of encryption where

  • You aren't necessarily secure just because the key is secret right and in this case very much not the case

  • The other issue is that some of these modes you can extract the

  • Authentication key as well so when we talked about HMAC

  • We had a secret key that we used to make sure the message hadn't been interfered with. Well, if we can find that key

  • Which you can using this attack, then you can start to forge your own messages. Start to, let's say, add in TCP packets of

  • HTML that conveniently holds some JavaScript that runs some ransomware for example, and then you know you're in business

  • And we've done that without knowing what the key is. One question

  • What would happen if this key was zero?

  • Here when we're generating this counter what happen if the key was zero. If the key is zero

  • Then you're encrypting one with zeros it will still produce a random output, but it'll produce a random output

  • That's always the same, and we will know what it is

  • So we could we could guess the key stream. And if we knew were in the key stream then

  • We could generate the right values generate the right packets. The way this

  • Plays out is on certain operating systems. It basically has no effect so Windows. IOS. It seems because of the way they

  • Follow or don't quite follow the standard it seems that this has limited effect.

  • There are still ways you can attack things, but it has a limited effect

  • So you'll say people on Windows laptops and on iOS devices should be alright?

  • They are safer than other devices the problem comes with them

  • The program that does it in Linux and on certain Android friends so the implementation used on Linux and Android

  • That clears the key out of memory which is a good thing to do because if you're sitting in a coffee shop when you go

  • After buy a coffee it's not

  • impossible to plug the device quickly, a Thunderbolt device to do it into the side of the machine and copy the

  • bit of memory out of there, which is perhaps got the key in it

  • And then we can decrypt your traffic so that makes sense the problem is that

  • When you replay message 3

  • Which you need to do to make the attack work

  • That also resets the counter, the things that Mike's talked about, and it now uses the key which is 0 to

  • Start encrypting these things so actually you end up with a known sequence of counters being generated

  • Which means that you can then as well as decrypt the messages you can sort of

  • insert data into that message stream and start sending things to you that you perhaps weren't expecting to get. So on certain operating systems, it's

  • Relatively benign on others it's more dangerous

  • But it's also worth remembering that we should still use WPA2 to encrypt things because the alternative is that you have no security

  • And that even if someone does come and do this they could do exactly the same by unplugging your base station and plugging in

  • a new device into the Ethernet the other side of that

  • and listen there anyway, so it's the risk, it needs to be patched

  • It'll be patched, and then we can all go back to using Wi-Fi and browsing the web

  • Those leaks happen all the time and so passwords are being just dumped into the internet all the time, so there's this password list called RockYou

  • Which is a bit of a game changer in password cracking if that's a thing like-- 50

  • But this is the IBM pc/xt the model 51 60 which came out two years later in 1983

  • So this is really what the first PC was like--

Dr. Steve Bagley: - So on Monday the 16th of October, 2017,

字幕と単語

ワンタップで英和辞典検索 単語をクリックすると、意味が表示されます

A2 初級

クラック攻撃(WiFi WPA2の脆弱性) - コンピュータマニア (Krack Attacks (WiFi WPA2 Vulnerability) - Computerphile)

  • 1 0
    林宜悉 に公開 2021 年 01 月 14 日
動画の中の単語