Weakness in Passphrase Choice in WPA Interface

Started by Metgod, November 07, 2003, 12:20:30 AM

I think this is a good addition for this section. I didn't get a chance to really read it but I think I just might. Might be interesting to some, explaining some of the concepts (including a vulnerability) under Wi-Fi Security.



By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
November 04, 2003

Use of PSK as the key establishment method

WPA and 802.11i provide for a Pre-Shared Key (PSK) as an alternative
to 802.1X based key establishment. A PSK is a 256 bit number or a
passphrase 8 to 63 bytes long. Each station MAY have its own PSK, tied
to its MAC address. To date, vendors are only providing for one PSK
for an ESS, just as they do for WEP keying.

When a PSK is used instead of 802.1X, the PSK is the Pairwise Master
Key (PMK) that is used to drive the 4-way handshake and the whole
Pairwise Transient Key (PTK) keying hierarchy. There is a
straightforward formula for converting a passphrase PSK to the 256-bit
value needed for the PMK.

This paper will look into the risks of using a PSK and particularly
the risk associated with a passphrase-based PSK.

How the PSK is used in WPA and 802.11i

The PSK provides an easily implemented alternative for the PMK as
compared to using 802.1X to generate a PMK. A 256-bit PSK is used
directly as the PMK. When the PSK is a passphrase, the PMK is derived
from the passphrase as follows:

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

Where the PBKDF2 method is from PKCS #5 v2.0: Password-based
Cryptography Standard. This means that the concatenated string of the
passphrase, SSID, and the SSIDlength is hashed 4096 times to generate
a value of 256 bits. The lengths of the passphrase and the SSID have
little impact on the speed of this operation.

The PTK is a keyed-HMAC function using the PMK on the two MAC
addresses and the two nonces from the first two packets of the 4-Way
Handshake. This is why the whole keying hierarchy falls into the hands
of anyone possessing the PSK, as all the other information is

The Intra-PSK attack

The normal practice is to have a single PSK within an ESS. To generate
any PTK, a device only needs to learn the two MAC addresses and nonces
(and the selected ciphersuite). All of this is available in the
initial exchange, from the ASSOCIATE through the 4-Way Handshake. Any
device can passively listen for these frames and then generate the
PTK. If the device missed these frames, it can send a DISASSOCIATE
against the STA and force the STA to perform the ASSOCIATE through the
4-Way Handshake again.
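The derivation chain the two preceding sections describe, as an added example that is not part of the quoted paper or the poster's text: PBKDF2 turns the passphrase and SSID into the PMK, the 802.11i PRF turns the PMK plus the two MAC addresses and two nonces into the PTK, and the KCK slice of the PTK keys the EAPOL-Key MIC. The station builds message 2 of the handshake, and a passive observer who holds only the PSK and the four public values derives the identical PTK and verifies the MIC, which is exactly the intra-PSK point. The MAC addresses, nonces and the EAPOL-Key frame are constructed sample values, not captures; the function names are this example's own. The "password" / "IEEE" inputs are the well-known 802.11i PBKDF2 test-vector inputs.

```python
import hashlib
import hmac

# Added example, not part of the quoted paper: PSK -> PMK -> PTK -> Key MIC.
# MAC addresses, nonces and the EAPOL frame are constructed sample values.


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
            ptk_len: int = 48) -> dict:
    """PTK from the PMK and the four public handshake values.

    aa / spa: authenticator and supplicant MAC addresses (6 bytes each);
    anonce / snonce: the 32-byte nonces from messages 1 and 2.
    ptk_len is 48 for CCMP (KCK 16 | KEK 16 | TK 16); TKIP uses 64.
    The min/max ordering makes the result the same whichever side computes it.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, ptk_len)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


# EAPOL-Key frame layout: the 16-byte Key MIC field starts at offset 81
# (4-byte EAPOL header + 77 bytes of fixed key-descriptor fields before it).
MIC_OFFSET, MIC_LEN = 81, 16


def key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1 over the whole
    EAPOL frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_key_mic(kck: bytes, frame: bytes) -> bool:
    """Constant-time comparison of the carried MIC against a recomputed one."""
    return hmac.compare_digest(key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed minimal message 2 of the 4-Way Handshake (no Key Data), MIC filled in."""
    frame = bytearray(99)
    frame[0:4] = b"\x02\x03\x00\x5f"        # EAPOL v2, type EAPOL-Key, body length 95
    frame[4] = 0x02                          # descriptor type: RSN
    frame[5:7] = b"\x01\x0a"                 # key info: version 2, pairwise, MIC bit set
    frame[7:9] = b"\x00\x10"                 # key length 16 (CCMP)
    frame[9:17] = (1).to_bytes(8, "big")     # replay counter
    frame[17:49] = snonce                    # key nonce = SNonce
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = key_mic(kck, bytes(frame))
    return bytes(frame)


# Constructed sample handshake values (locally administered MACs, fixed nonces).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo(passphrase: str = "password", ssid: str = "IEEE") -> dict:
    """The station signs message 2; an observer holding only the PSK and the
    public MACs/nonces derives the same KCK and verifies the MIC, while a
    tampered frame fails the check."""
    sta_ptk = wpa_ptk(wpa_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, sta_ptk["kck"])
    observer_ptk = wpa_ptk(wpa_pmk(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    tampered = msg2[:9] + (2).to_bytes(8, "big") + msg2[17:]   # replay counter changed
    return {"same_ptk": observer_ptk == sta_ptk,
            "mic_verifies": verify_key_mic(observer_ptk["kck"], msg2),
            "tampered_verifies": verify_key_mic(observer_ptk["kck"], tampered)}


if __name__ == "__main__":
    print(demo())
```

Nothing in the PTK derivation is secret except the PMK: the nonces only guarantee that each association gets fresh keys, not that those keys are private from another holder of the same PSK.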

Thus even though each unicast pairing in the ESS has unique keys (PTK)
there is nothing private about these keys to any other device in the

The offline PSK dictionary attack

A station that does not know a passphrase-based PSK can attack it with
an offline attack. This is effective for an outsider where there is a
single PSK in the ESS, or an insider where there are unique PSKs.

The 802.11i standard points out that:

A passphrase typically has about 2.5 bits of security per character,
so the passphrase of n bytes equates to a key with about 2.5n + 12
bits of security. Hence, it provides a relatively low level of
security, with keys generated from short passwords subject to
dictionary attack. Use of the key hash is recommended only where it is
impractical to make use of a stronger form of user authentication. A
key generated from a passphrase of less than about 20 characters is
unlikely to deter attacks.

The PTK is used in the 4-Way handshake to produce a hash of the
frames. There is a long history of offline dictionary attacks against
hashes. Any of these programs can be altered to use the information in
the 4-Way Handshake as input to perform the offline attack. Just about
any 8-character string a user may select will be in the dictionary. As
the standard states, passphrases longer than 20 characters are needed
to start deterring attacks. This is considerably longer than most
people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.

Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal digit) random number. This is a
large number for human entry; 20 character passphrases are considered
too long for entry. Given the nature of the attack against the 4-Way
Handshake, a PSK with only 128 bits of security is really sufficient,
and in fact against current brute-strength attacks, 96 bits SHOULD be
adequate. This is still larger than a large passphrase, but is
unlikely to be in a dictionary attack. Using a relatively small random
value represented in hexadecimal, and entering it as a passphrase will
expand it to a proper 256-bit PSK.
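A small PSK-policy check that applies the numbers the paper quotes, as an added example that is not part of the quoted paper or the poster's text: the 802.11i estimate of about 2.5n + 12 bits for an n-character passphrase, the 20-character line below which a passphrase is "unlikely to deter attacks", the paper's 96-bit floor for a random value, and the paper's suggestion of entering a random hex value as the passphrase so the interface expands it to a 256-bit PSK. The thresholds are the paper's; the function names and the `random_hex` flag are this example's own.

```python
import hashlib
import secrets
import string

# Added example, not from the quoted paper: score a configured PSK against the
# paper's thresholds and show how the interface expands it to a 256-bit PMK.

HEX_DIGITS = frozenset(string.hexdigits)
MIN_PASSPHRASE_LEN, MAX_PASSPHRASE_LEN = 8, 63   # passphrase PSK: 8 to 63 bytes
DETER_LEN = 20                                   # under ~20 chars: "unlikely to deter attacks"
MIN_RANDOM_BITS = 96                             # paper: 96 random bits "SHOULD be adequate"


def passphrase_bits(passphrase: str) -> float:
    """802.11i estimate quoted in the paper: about 2.5 bits per character plus 12."""
    return 2.5 * len(passphrase) + 12


def random_hex_psk(bits: int = MIN_RANDOM_BITS) -> str:
    """A random PSK rendered in hexadecimal (bits / 4 digits), to be typed in as
    the passphrase; 256 bits gives the 64 digits used directly as the key."""
    if bits % 8 or not MIN_PASSPHRASE_LEN <= bits // 4 <= 64:
        raise ValueError("bits must be a multiple of 8 giving 8..64 hex digits")
    return secrets.token_hex(bits // 8)


def assess_psk(psk: str, random_hex: bool = False) -> dict:
    """Classify a configured PSK and estimate its strength in bits.

    random_hex=True asserts the caller knows the hex string came from a CSPRNG
    (4 bits per digit); without it, even an all-hex string is scored as a
    human-chosen passphrase, since the check cannot tell the two apart.
    """
    if len(psk) == 64 and set(psk) <= HEX_DIGITS:
        return {"kind": "raw-256-bit", "bits": 256.0,
                "meets_96_bit_floor": True, "under_20_chars": False}
    if not MIN_PASSPHRASE_LEN <= len(psk.encode("utf-8")) <= MAX_PASSPHRASE_LEN:
        return {"kind": "invalid", "bits": 0.0,
                "meets_96_bit_floor": False, "under_20_chars": len(psk) < DETER_LEN}
    if random_hex and set(psk) <= HEX_DIGITS:
        kind, bits = "random-hex-passphrase", 4.0 * len(psk)
    else:
        kind, bits = "passphrase", passphrase_bits(psk)
    return {"kind": kind, "bits": bits,
            "meets_96_bit_floor": bits >= MIN_RANDOM_BITS,
            "under_20_chars": len(psk) < DETER_LEN}


def expand_to_pmk(psk: str, ssid: str) -> bytes:
    """What the interface does with the configured value: 64 hex digits are
    used directly as the 256-bit PMK; anything else is a passphrase run through
    PBKDF2-HMAC-SHA1 (4096 iterations) with the SSID as salt."""
    if assess_psk(psk)["kind"] == "raw-256-bit":
        return bytes.fromhex(psk)
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    for candidate in ("password", "a" * 20, random_hex_psk(96), "f" * 64):
        print(candidate, assess_psk(candidate, random_hex=True))
        print("  PMK:", expand_to_pmk(candidate, "example-ssid").hex())
```

The point the numbers make: an 8-character passphrase scores about 32 bits and a 20-character one about 62, while 24 random hex digits typed into the same field score 96 bits and still come out of PBKDF2 as a full 256-bit PMK.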


Anyone with knowledge of the PSK can determine any PTK in the ESS
through passive sniffing of the wireless network, listening for those
all-important key exchange data frames. Also, if a weak passphrase is
used, for example, a short passphrase, an offline dictionary attack
can readily guess the PSK. Since the common usage will be a single PSK
for the ESS, once this is learned by the attacker, the attacker is now
a member of the ESS, and the whole ESS is compromised. The attacker
can now read and forge any traffic in the ESS.

Pre-Shared Keying is provided in the standard to simplify deployments
in small, low risk, networks. The risk of using PSKs against internal
attacks is almost as bad as WEP. The risk of using passphrase-based
PSKs against external attacks is greater than using WEP. Thus the only
value PSK has is if only truly random keys are used, or for deploy
testing of basic WPA or 802.11i functions. PSK should ONLY be used if
this is fully understood by the deployers.

"My Terminal is my Soul"
