25th USENIX Security Symposium has ended
Back To Schedule
Thursday, August 11 • 4:30pm - 5:00pm
Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

We analyze the generation and management of 802.11 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.

First we argue that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 231 handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.

avatar for Frank Piessens

Frank Piessens

Full professor, imec-DistriNet, KU Leuven
Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security technologies. He... Read More →

Thursday August 11, 2016 4:30pm - 5:00pm PDT
Zilker Ballroom 2

Attendees (5)