wpa2   347


How to Hack WiFi Password Easily Using New Attack On WPA/WPA2
developer of the popular password-cracking tool Hashcat, Jens 'Atom' Steube, the new WiFi hack works explicitly against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

it is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point.
The attack to compromise the WPA/WPA2 enabled WiFi networks was accidentally discovered by Steube while he was analyzing the newly-launched WPA3 security standard.
wpa2  cybersecurity  wifi  crypto  exploit 
9 weeks ago by bwiese
KRACK Attacks: Breaking WPA2
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):

the properties that were proven in formal analysis of the 4-way handshake remain true. However, the problem is that the proofs do not model key installation. Put differently, the formal models did not define when a negotiated key should be installed. In practice, this means the same key can be installed multiple times, thereby resetting nonces and replay counters used by the encryption protocol (e.g. by WPA-TKIP or AES-CCMP).
wpa2  wifi  cybersecurity  attack  krack  crack  crypto  protocols 
january 2018 by bwiese
With WPA3, Wi-Fi security is about to get a lot tougher
The lack of security on open, public WiFi networks has long been a security woe for internet users. But these woes will be addressed with WPA3, replacing the less secure WPA2 standard. "The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things.

One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices.

WPA3 employs individualized data encryption, which scrambles the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated." - Zack Whittaker, ZDNet
otf  wifi  wpa3  wpa2  security 
january 2018 by dmcdev
Falling through the KRACKs – A Few Thoughts on Cryptographic Engineering | https://blog.cryptographyengineering.com/
The IEEE has been making a few small steps to ease this problem, but they’re hyper-timid incrementalist bullshit. There’s an IEEE program called GET that allows researchers to access certain standards (including 802.11) for free, but only after they’ve been public for six months — coincidentally, about the same time it takes for vendors to bake them irrevocably into their hardware and software.

This whole process is dumb and — in this specific case — probably just cost industry tens of millions of dollars. It should stop.

In the end we all know that the answer is for humans to stop doing this work. We need machine-assisted verification of protocols, preferably tied to the actual source code that implements them. This would ensure that the protocol actually does what it says, and that implementers don’t further screw it up, thus invalidating the security proof.
formalverification  security  crypto  wifi  wpa2  vulnerability  humanerror 
november 2017 by kme
