1
00:00:04,200 --> 00:00:10,180
 Hello and welcome to this video titled
 WPA3, Perfect Forward Secrecy.

2
00:00:10,180 --> 00:00:16,180
 In order to explain the concept of perfect
 forward secrecy, we first of

3
00:00:16,180 --> 00:00:20,620
 all have to understand what the
 word forward means in that term.

4
00:00:20,620 --> 00:00:25,240
 So as this says in cryptography, the
 terms forward or backward as applied

5
00:00:25,240 --> 00:00:31,320
 to the secrecy of data is determined
 if the moment of compromise is in

6
00:00:31,320 --> 00:00:36,180
 front of or behind the data
 that remains protected.

7
00:00:36,180 --> 00:00:38,240
 So we're comparing two things.

8
00:00:38,240 --> 00:00:42,740
 Where the moment of compromise happens
 and are we talking about data that

9
00:00:42,740 --> 00:00:48,460
 from that point on is protected or data
 that's behind that moment of compromise

10
00:00:48,460 --> 00:00:49,960
 being protected.

11
00:00:49,960 --> 00:00:51,100
 Here's an example.

12
00:00:51,100 --> 00:00:52,960
 Here's our timeline.

13
00:00:52,960 --> 00:00:55,480
 Here's data going through it.

14
00:00:55,480 --> 00:00:59,520
 Let's say that right now at that
 moment, there's a key compromise.

15
00:00:59,520 --> 00:01:04,280
 And so that malicious hacker is able
 to spot your EAP over LAN four

16
00:01:04,280 --> 00:01:08,320
 way handshake and somehow figure
 out your pairwise transient key.

17
00:01:08,320 --> 00:01:11,300
 And then the three keys
 are derived from that.

18
00:01:11,300 --> 00:01:17,600
 So if we have some sort of algorithm
 that says the set of data below on

19
00:01:17,600 --> 00:01:23,220
 the right is maintained in secrecy,
 well, the compromise occurred behind

20
00:01:23,220 --> 00:01:26,040
 or in the back of the data.

21
00:01:26,040 --> 00:01:29,880
 So we would call that backward secrecy.

22
00:01:29,880 --> 00:01:35,960
 If the data, if the compromise occurs
 in front of data, and that data

23
00:01:35,960 --> 00:01:39,880
 is protected, so if the data on the
 left is protected, so all the data

24
00:01:39,880 --> 00:01:43,800
 from the past, we call
 that forward secrecy.

25
00:01:43,800 --> 00:01:45,380
 I know it sounds kind of odd.

26
00:01:45,380 --> 00:01:48,400
 I used to think that perfect forward
 secrecy meant, okay, well, if there's

27
00:01:48,400 --> 00:01:52,980
 a compromise, then that means all the
 data that is exchanged after that

28
00:01:52,980 --> 00:01:54,900
 compromise is protected.

29
00:01:54,900 --> 00:01:57,080
 That's not what this means.

30
00:01:57,080 --> 00:02:03,640
 Let me give you another
 definition of this.

31
00:02:03,640 --> 00:02:09,760
 So perfect forward secrecy as a whole
 refers to cryptographic key exchange

32
00:02:09,760 --> 00:02:15,900
 protocols. For example, ephemeral Diffie-Hellman
 used in WPA3, where

33
00:02:15,900 --> 00:02:20,360
 the compromise of long term keys, and
 that's critical there that term

34
00:02:20,360 --> 00:02:25,460
 long term keys, if those are compromised,
 they cannot be used to recover

35
00:02:25,460 --> 00:02:29,200
 any past session keys.

36
00:02:29,200 --> 00:02:35,360
 So even if an attacker recorded the
 EAP over LAN key handshake message,

37
00:02:35,360 --> 00:02:38,000
 past data is still protected.

38
00:02:38,000 --> 00:02:41,060
 So what do we mean by long
 term keys in this case?

39
00:02:41,060 --> 00:02:43,880
 So in this context, a long term key
 refers to secret information that

40
00:02:43,880 --> 00:02:46,780
 does not change over time.

41
00:02:46,780 --> 00:02:51,600
 For example, in WPA2, the pre shared
 key is considered a long term

42
00:02:51,600 --> 00:02:56,700
 key. If you're connecting to a WPA2
 wireless LAN, the pre shared key

43
00:02:56,700 --> 00:02:58,800
 might be Cisco 123.

44
00:02:58,800 --> 00:03:03,300
 Everybody gets that pre shared key,
 and that pre shared key is directly

45
00:03:03,300 --> 00:03:07,500
 related via formula to the
 pairwise master key.

46
00:03:07,500 --> 00:03:10,800
 You can do it just by
 following the formula.

47
00:03:10,800 --> 00:03:13,360
 And the pairwise master key is
 always the exact same thing.

48
00:03:13,360 --> 00:03:14,740
 So that's what we see here too.

49
00:03:14,740 --> 00:03:18,220
 In WPA2, the pairwise master
 key does not change.

50
00:03:18,220 --> 00:03:22,660
 And everybody has the exact same pairwise
 master key that's connecting

51
00:03:22,660 --> 00:03:25,920
 to that WPA2 personal wireless LAN.

52
00:03:25,920 --> 00:03:36,260
 Now, is there a long term key
 in the context of WPA3?

53
00:03:36,260 --> 00:03:38,780
 Yes, you need a passphrase to connect.

54
00:03:38,780 --> 00:03:42,780
 But the pairwise master key is not
 considered a long term key, because

55
00:03:42,780 --> 00:03:47,600
 that changes. Every person has
 a different pairwise master key.

56
00:03:47,600 --> 00:03:51,500
 And every time you connect to that wireless
 LAN, you get a different pairwise

57
00:03:51,500 --> 00:03:55,420
 master key does not consider
 a long term key.

58
00:03:55,420 --> 00:04:03,780
 Okay, so in WPA3, if an attacker
 captures your data for some time,

59
00:04:03,780 --> 00:04:08,220
 and then later cracks the encryption
 key, which would be very difficult,

60
00:04:08,220 --> 00:04:13,120
 only data after the key has
 been cracked is at risk.

61
00:04:13,120 --> 00:04:16,680
 So even if they've been capturing, let's
 say they've been capturing three

62
00:04:16,680 --> 00:04:19,280
 days of Wi-Fi data.

63
00:04:19,280 --> 00:04:22,560
 And during those three days, you have
 associated and disassociated from

64
00:04:22,560 --> 00:04:26,960
 that wireless LAN seven or eight times,
 and they've captured all of that.

65
00:04:26,960 --> 00:04:35,960
 Now, they stop their recent time
 that you connected to that wireless

66
00:04:35,960 --> 00:04:42,440
 LAN. So they see the, you know, the,
 the, the uh, EAP over LAN handshake.

67
00:04:42,440 --> 00:04:47,140
 And somehow from that, they are able
 to figure out what your pairwise

68
00:04:47,140 --> 00:04:48,620
 transient key is.

69
00:04:48,620 --> 00:04:52,980
 They extract from that the, uh, the
 temporal key that you use to encrypt

70
00:04:52,980 --> 00:04:57,640
 and decrypt data, which means from
 that moment on, for that particular

71
00:04:57,640 --> 00:05:02,460
 session, they can encrypt, they, I
 should say they can decrypt all the

72
00:05:02,460 --> 00:05:07,280
 data that they caught from you, but
 they can't use that in any way to

73
00:05:07,280 --> 00:05:10,260
 decrypt the sessions before that.

74
00:05:10,260 --> 00:05:13,240
 So all those six or seven sessions
 when you connected and disconnected

75
00:05:13,240 --> 00:05:17,640
 prior to that, the decryption is not
 going to help them in that particular

76
00:05:17,640 --> 00:05:22,840
 case. So that's why we call
 it perfect forward secrecy.

77
00:05:22,840 --> 00:05:26,180
 Now you might be wondering,
 well, what about WPA2?

78
00:05:26,180 --> 00:05:28,640
 Doesn't that provide perfect
 forward secrecy?

79
00:05:28,640 --> 00:05:33,080
 No, it doesn't. So I'm going to show
 you here a classic attack against

80
00:05:33,080 --> 00:05:38,240
 WPA2 called an offline dictionary
 attack and why this translates to

81
00:05:38,240 --> 00:05:43,260
 WPA2 personal, not providing
 perfect forward secrecy.

82
00:05:43,260 --> 00:05:46,960
 All right, so let's say that a malicious
 actor starts watching and collecting

83
00:05:46,960 --> 00:05:51,740
 all of your Wi-Fi frames on a particular
 channel on a particular SSID.

84
00:05:51,740 --> 00:05:53,320
 So what do they see?

85
00:05:53,320 --> 00:05:58,400
 They see the EAP over LAN message
 one, two, three, and four.

86
00:05:58,400 --> 00:06:01,600
 So based on what they've seen
 here, what do they know?

87
00:06:01,600 --> 00:06:03,120
 What are they able to collect?

88
00:06:03,120 --> 00:06:06,140
 The things here, they can collect all
 the stuff in that those messages.

89
00:06:06,140 --> 00:06:10,780
 The only thing they don't know so
 far is the pairwise master key.

90
00:06:10,780 --> 00:06:12,340
 And that's their objective.

91
00:06:12,340 --> 00:06:15,840
 They want to figure out what that pairwise
 master key is, because if they

92
00:06:15,840 --> 00:06:19,760
 can figure that out successfully, they
 can do one of, they can do two

93
00:06:19,760 --> 00:06:20,780
 different things with it.

94
00:06:20,780 --> 00:06:24,140
 Number one, if they can figure out the
 pairwise master key, they can reverse

95
00:06:24,140 --> 00:06:30,520
 engineer the WPA2 passphrase, or
 I should say the pre shared key like

96
00:06:30,520 --> 00:06:37,340
 coffee 123 or INE 123, because that passphrase
 directly created that PMK.

97
00:06:37,340 --> 00:06:40,180
 So if they can figure out the PMK,
 they can figure out the passphrase.

98
00:06:40,180 --> 00:06:44,360
 And now they can join the wireless LAN,
 and they can connect to it wirelessly

99
00:06:44,360 --> 00:06:49,360
 and associate. Also, even more
 critically, if they're able to crack

100
00:06:49,360 --> 00:06:55,340
 the PMK. And then they have these values
 here for this particular session

101
00:06:55,340 --> 00:07:01,600
 from this client, they can also crack
 the pairwise transient key for this

102
00:07:01,600 --> 00:07:05,480
 session here. And then they can subsequently
 get down to the temporal

103
00:07:05,480 --> 00:07:08,240
 key, the key encryption key,
 and the other thing.

104
00:07:08,240 --> 00:07:10,760
 So how are they going to
 go about doing that?

105
00:07:10,760 --> 00:07:14,560
 All right, so in an offline dictionary
 attack, the malicious actor will

106
00:07:14,560 --> 00:07:16,800
 have what's called an offline dictionary.

107
00:07:16,800 --> 00:07:21,060
 This is basically just a software database
 of thousands or even millions

108
00:07:21,060 --> 00:07:26,320
 of passwords or potential passwords
 that they've downloaded off the dark

109
00:07:26,320 --> 00:07:28,820
 web or wherever they've gotten it from.

110
00:07:28,820 --> 00:07:32,440
 All right, so they're going to start
 going to that dictionary, and they're

111
00:07:32,440 --> 00:07:35,560
 going to retrieve from it the very
 first item, whatever that is, maybe

112
00:07:35,560 --> 00:07:39,260
 it's password 123, whatever the first
 item is in that list of millions

113
00:07:39,260 --> 00:07:40,960
 of potential passwords.

114
00:07:40,960 --> 00:07:46,820
 And they're going to say, Okay, I'm
 going to see if this is the WPA2

115
00:07:46,820 --> 00:07:52,280
 pre shared key, like coffee 123 for
 this particular wireless LAN, let's

116
00:07:52,280 --> 00:07:56,820
 see if it is. So they're going to pass
 that password, that dictionary

117
00:07:56,820 --> 00:08:06,180
 item, into the PBKDF2 algorithm,
 which is what WPA2 uses to derive

118
00:08:06,180 --> 00:08:08,800
 its pairwise master key.

119
00:08:08,800 --> 00:08:15,680
 Okay, so once they pass that first
 dictionary item into the PBKDF2

120
00:08:15,680 --> 00:08:20,200
 algorithm, it's going to spit out some
 output, some value, which might

121
00:08:20,200 --> 00:08:23,280
 be which is a potential
 pairwise master key.

122
00:08:23,280 --> 00:08:27,520
 How do we know if it's the real one,
 the accurate one for this particular

123
00:08:27,520 --> 00:08:29,440
 WPA2 wireless LAN?

124
00:08:29,440 --> 00:08:34,980
 Well, the attacker knows how
 the PRF-512 algorithm works.

125
00:08:34,980 --> 00:08:39,140
 It works by sort of concatenating
 all these things together.

126
00:08:39,140 --> 00:08:45,960
 Now, from pairwise key expansion, that
 text string onto the right, they've

127
00:08:45,960 --> 00:08:49,140
 already gotten this stuff because they saw
 the four way EAP over LAN handshake.

128
00:08:49,140 --> 00:08:52,480
 They saw the MAC addresses that the two
 stations, the station, the access

129
00:08:52,480 --> 00:08:56,600
 point, they saw the nonces, the ANonce
 and the SNonce. They got all

130
00:08:56,600 --> 00:09:00,080
 that. The only thing they
 didn't have was the PMK.

131
00:09:00,080 --> 00:09:02,320
 So they're saying, okay, I've
 taken a dictionary item.

132
00:09:02,320 --> 00:09:07,140
 I've turned it into a potential PMK
 by passing it through the exact same

133
00:09:07,140 --> 00:09:09,000
 algorithm that a normal client would.

134
00:09:09,000 --> 00:09:10,940
 I'm going to put it in here.

135
00:09:10,940 --> 00:09:14,160
 And I'm going to so it's going
 to end up looking like this.

136
00:09:14,160 --> 00:09:18,000
 I'm going to run this through
 the HMAC-SHA1 algorithm.

137
00:09:18,000 --> 00:09:20,380
 That's what WPA2 clients do.

138
00:09:20,380 --> 00:09:22,460
 And that's going to give me four outputs.

139
00:09:22,460 --> 00:09:26,720
 I'm going to concatenate together,
 strip off the end of it.

140
00:09:26,720 --> 00:09:32,380
 And that's going to provide for me
 a 512 bit value, which might be the

141
00:09:32,380 --> 00:09:33,780
 pairwise transient key.

142
00:09:33,780 --> 00:09:36,140
 Maybe it's a potential match.

143
00:09:36,140 --> 00:09:38,360
 How do we find out if it's a real match?

144
00:09:38,360 --> 00:09:44,500
 Well, now we take that potential pairwise
 transient key that we created.

145
00:09:44,500 --> 00:09:48,060
 And we're going to, we know that the
 structure of it is like this, we

146
00:09:48,060 --> 00:09:51,640
 know that the first third of it
 is the key confirmation key.

147
00:09:51,640 --> 00:09:56,020
 So we say, okay, this might
 be the key confirmation key.

148
00:09:56,020 --> 00:09:58,480
 So what I'm going to do is I'm going
 to take a look at that EAP over LAN

149
00:09:58,480 --> 00:10:00,260
 handshake that I caught.

150
00:10:00,260 --> 00:10:02,820
 I see there's MIC values in there.

151
00:10:02,820 --> 00:10:08,000
 Those MIC values are computed by taking
 all the data in the message and

152
00:10:08,000 --> 00:10:12,400
 running it through a hashing algorithm
 with this key confirmation key.

153
00:10:12,400 --> 00:10:17,800
 So it says, okay, can I use the key confirmation
 key I came up with, apply

154
00:10:17,800 --> 00:10:22,200
 it to this exact same data using the
 exact same normal formula and come

155
00:10:22,200 --> 00:10:25,220
 up with the exact same MIC value.

156
00:10:25,220 --> 00:10:29,440
 If I can, that means I figured it out.

157
00:10:29,440 --> 00:10:34,380
 I've got the pairwise transient key
 for this particular session, which

158
00:10:34,380 --> 00:10:37,900
 was derived from the pairwise master key.

159
00:10:37,900 --> 00:10:42,580
 So now I can decode decrypt all the
 data from this session onwards.

160
00:10:42,580 --> 00:10:48,920
 Also, I can join this wireless LAN
 myself because I have the pairwise

161
00:10:48,920 --> 00:10:52,960
 master key. And I know that that was
 derived from dictionary item number

162
00:10:52,960 --> 00:10:59,080
 one. Therefore dictionary item number
 one must be the WPA2 passphrase.

163
00:10:59,080 --> 00:11:02,760
 Now, if the answer is no, which most
 likely it's not, you're probably

164
00:11:02,760 --> 00:11:04,640
 not going to get it on the first try.

165
00:11:04,640 --> 00:11:08,860
 Try again, pull dictionary item number
 two and do this potentially thousands

166
00:11:08,860 --> 00:11:11,340
 of times. Hey, it might
 take you several hours.

167
00:11:11,340 --> 00:11:15,200
 But if you get it working, if after
 a few hours or a day or so of trying

168
00:11:15,200 --> 00:11:18,420
 out millions of combinations,
 you're able to crack this.

169
00:11:18,420 --> 00:11:22,920
 Now, not only can you decrypt all the
 session data from that particular

170
00:11:22,920 --> 00:11:27,000
 Wi-Fi client that you captured, you
 can now get onto that Wi-Fi and you

171
00:11:27,000 --> 00:11:29,540
 can have it free of charge for yourself.

172
00:11:29,540 --> 00:11:35,660
 So WPA2, as we look at the
 perfect forward secrecy.

173
00:11:35,660 --> 00:11:40,720
 Once the malicious actor has decoded
 that, that pre shared key, he knows

174
00:11:40,720 --> 00:11:44,440
 that he knows what the pairwise
 master key will always be.

175
00:11:44,440 --> 00:11:46,240
 It's always going to be
 static and unchanging.

176
00:11:46,240 --> 00:11:48,060
 That's the nature of WPA2.

177
00:11:48,060 --> 00:11:51,760
 So therefore, he can go back in time
 and look at all the captured Wi-Fi

178
00:11:51,760 --> 00:11:53,380
 sessions for this client.

179
00:11:53,380 --> 00:11:57,620
 And as long as he has the EAP over LAN
 four way handshake, he can crack

180
00:11:57,620 --> 00:12:03,040
 all those sessions and decrypt all
 that past data from that client.

181
00:12:03,040 --> 00:12:08,300
 So this all hinged on the malicious
 actor being able to figure out what

182
00:12:08,300 --> 00:12:11,020
 the pairwise master key was.

183
00:12:11,020 --> 00:12:14,880
 And we saw that with a little bit of
 effort with WPA2, he was able

184
00:12:14,880 --> 00:12:16,480
 to figure that out.

185
00:12:16,480 --> 00:12:18,440
 What about WPA3?

186
00:12:18,440 --> 00:12:22,480
 Now, WPA3 advertises having
 perfect forward secrecy, which means

187
00:12:22,480 --> 00:12:24,820
 in theory, you can't do that.

188
00:12:24,820 --> 00:12:32,220
 And also in theory, even if somehow
 you were able to crack the pairwise

189
00:12:32,220 --> 00:12:36,340
 master key for a particular session, that
 wouldn't help you for the previous

190
00:12:36,340 --> 00:12:37,740
 sessions before that.

191
00:12:37,740 --> 00:12:42,820
 Why not? Well, we know that the key to
 cracking a Wi-Fi session, decrypting

192
00:12:42,820 --> 00:12:46,620
 data and to getting on the wireless LAN
 yourself is to obtain the pairwise

193
00:12:46,620 --> 00:12:51,120
 master key. Now, we found out in the
 previous slides there that WPA2's

194
00:12:51,120 --> 00:12:58,220
 PMK was directly computed from the
 PSK using that PBKDF2 formula.

195
00:12:58,220 --> 00:13:01,360
 And it never changes, which
 made it weak and crackable.

196
00:13:01,360 --> 00:13:05,980
 But let's think about how WPA3
 comes up with its pairwise master

197
00:13:05,980 --> 00:13:12,280
 key. First of all, is derived from
 the SAE Dragonfly ECDH method.

198
00:13:12,280 --> 00:13:17,200
 Basically, it's using like a modified
 Diffie-Hellman method to come up

199
00:13:17,200 --> 00:13:18,540
 with the pairwise master key.

200
00:13:18,540 --> 00:13:20,000
 There's lots of formulas involved.

201
00:13:20,000 --> 00:13:22,720
 They're changing on every single time.

202
00:13:22,720 --> 00:13:26,020
 So every single time a client connects
 to the wireless LAN, that same

203
00:13:26,020 --> 00:13:30,560
 client on that same wireless LAN
 is going to get a different PMK.

204
00:13:30,560 --> 00:13:33,860
 So even if you crack it right now for
 his current session, that's not

205
00:13:33,860 --> 00:13:36,020
 going to help you for his
 previous sessions at all.

206
00:13:36,020 --> 00:13:38,780
 And secondly, how would you crack that?

207
00:13:38,780 --> 00:13:44,160
 Because the way that client came up
 with that PMK was using like random

208
00:13:44,160 --> 00:13:49,160
 numbers and exponents and things that
 were not exchanged at all during

209
00:13:49,160 --> 00:13:50,320
 the exchange of the values.

210
00:13:50,320 --> 00:13:55,420
 Yeah, if you actually captured the SAE
 handshake, you'll get, for example,

211
00:13:55,420 --> 00:13:59,900
 the scalar values and the finite field,
 the finite field element values.

212
00:13:59,900 --> 00:14:04,860
 But those were all created due to the
 pre-computations of the password

213
00:14:04,860 --> 00:14:10,240
 element and due to random exponential
 values, which are really huge and

214
00:14:10,240 --> 00:14:12,760
 pretty much impossible
 to reverse engineer.

215
00:14:12,760 --> 00:14:18,420
 So it's virtually impossible to crack
 what the pairwise master key is

216
00:14:18,420 --> 00:14:21,420
 that was used in any given WPA3 session.

217
00:14:21,420 --> 00:14:23,700
 And it changes every session.

218
00:14:23,700 --> 00:14:26,620
 And like I said, even as you were able
 to crack it for this particular

219
00:14:26,620 --> 00:14:31,200
 session right now, which would be very
 difficult, if not impossible, that

220
00:14:31,200 --> 00:14:34,220
 wouldn't help you for any previous
 sessions that you cracked.

221
00:14:34,220 --> 00:14:38,660
 And this is why we say the WPA3
 has perfect forward secrecy.

222
00:14:38,660 --> 00:14:42,840
 Because even if you had that one in a
 billion shot of cracking a pairwise

223
00:14:42,840 --> 00:14:47,420
 master key for this one session, you
 would not be able to go back and

224
00:14:47,420 --> 00:14:51,780
 decrypt any previous session traffic
 that you had captured because that

225
00:14:51,780 --> 00:14:54,260
 had a completely different set of keys.

226
00:14:54,260 --> 00:14:58,300
 And that is the definition
 of perfect forward secrecy.

227
00:14:58,300 --> 00:14:59,880
 So thank you so much for watching.

228
00:14:59,880 --> 00:15:01,800
 And I really hope this presentation
 was helpful.
