
Hole 196


Presentation Transcript


  1. Hole 196 Presenter: 劉旭哲

  2. What’s “Hole 196”? • AirTight Networks • WPA2-secured Wi-Fi network • On page 196 of the 1323-page IEEE 802.11 Standard (Revision, 2007)

  3. Vulnerability

  4. WPA2 • 2 keys to protect data frames: • Pairwise Transient Key (PTK) • Group Temporal Key (GTK) • [Diagram labels: GTK, PTK1, PTK2]

  5. Something about this vulnerability • Insider only • But don’t underestimate it • AES is still OK; the problem is the WPA2 standard • Man in the middle

  6. [Diagram: Wired LAN/Internet, PC1 (Attacker), PC2..N (Victims)] • “I am gateway”, encrypted with GTK • “OK, write into my cache for gateway” • PC2 wants to send data to a website: PC2’s data, encrypted with PC2’s PTK • “This data is to be sent to PC1, so I forward it”: PC2’s data, encrypted with PC1’s PTK • “I can decrypt data” • Forward data to the “REAL” gateway

  7. The attacker only needs… • wpa_supplicant • It implements key negotiation with a WPA Authenticator • It controls the roaming and IEEE 802.11 authentication/association of the WLAN driver.

  8. MadWifi • One of the most advanced WLAN drivers available for Linux today • Both are open source • AirTight Networks added ten lines of code

  9. What’s new about Hole 196 • Classic ARP attack • Security has evolved over the years; it is easy to block this attack on a wired network • Hole 196 • Payload is encrypted • Only on the air • The wired network finds nothing abnormal

  10. http://airheads.arubanetworks.com/article/aruba-analysis-hole-196-wpa2-attack • http://www.darknet.org.uk/2010/07/wpa2-vulnerability-discovered-hole-196-a-flaw-in-gtk-group-temporal-key/ • http://www.airtightnetworks.com/home/resources/knowledge-center/wpa2-hole196-vulnerability.html • http://www.airtightnetworks.com/fileadmin/webinars/Hole196-vulnerability-webinar/hole196-vulnerability-webinar.html • http://hostap.epitest.fi/ • http://hostap.epitest.fi/wpa_supplicant/ • http://www.gentoo.org/doc/zh_tw/handbook/handbook-x86.xml?part=4&chap=4#doc_chap2 • http://madwifi-project.org/ • http://en.wikipedia.org/wiki/Wpa_supplicant
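
Slides 6 and 9 describe a gateway impersonation that travels only over the air, so the wired network sees nothing abnormal and the victim's own station is one place left to notice it. The Python sketch below is an added example, not part of the original presentation: it parses raw ARP bodies as received by a station and flags any that bind the gateway's IP to a MAC other than a pinned one. The function names, addresses and sample packets are constructed assumptions.

```python
import struct

def build_arp(opcode, smac, sip, tmac, tip):
    """Build an ARP body; used only to construct the sample input below."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    ip = lambda a: bytes(int(p) for p in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + raw(smac) + ip(sip) + raw(tmac) + ip(tip))

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) for Ethernet/IPv4 ARP, else None."""
    if len(payload) < 28:
        return None  # truncated frame
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    sender_ip = ".".join(str(b) for b in payload[14:18])
    return opcode, sender_mac, sender_ip

def check_gateway_binding(payloads, gateway_ip, pinned_mac):
    """List (index, opcode, mac) for ARP packets that claim gateway_ip
    from a MAC other than the pinned one. Requests and replies both count,
    because either can update the receiver's ARP cache."""
    alerts = []
    for i, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        opcode, sender_mac, sender_ip = parsed
        if sender_ip == gateway_ip and sender_mac != pinned_mac.lower():
            alerts.append((i, opcode, sender_mac))
    return alerts

# Constructed sample data (documentation addresses, locally administered MACs).
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:01"
SAMPLE = [
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, "02:00:00:00:00:20", "192.0.2.20"),
    build_arp(1, "02:00:00:00:00:20", "192.0.2.20", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(2, "02:00:00:00:00:aa", GATEWAY_IP, "ff:ff:ff:ff:ff:ff", "192.0.2.20"),
    b"\x00\x01",  # truncated, must be ignored
]

if __name__ == "__main__":
    for alert in check_gateway_binding(SAMPLE, GATEWAY_IP, GATEWAY_MAC):
        print("gateway binding changed:", alert)
```

The pinned MAC has to come from a trusted source such as a static ARP entry or provisioning data, not from the first ARP packet observed.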
