34C3 - TUWAT - Talks - Part 3
Post date: Feb 4, 2018 7:17:56 AM
- Decoding Contactless (Card) Payments - An Exploration of NFC Transactions and Explanation How Apple Pay and Android Pay work. - This one is an interesting topic for sure. But unfortunately this talk didn't contain anything new. They said that SIM cards don't provide Trusted Service Manager. Well, some do. I can use strong authentication with my SIM card using SIM Toolkit and Trusted Service Manager. So there's a private key, which was generated on the SIM card, and the private key is only known by the SIM card and can't be read from it.
- KRACKing WPA2 by Forcing Nonce Reuse - Covered the key re-installation attack (KRACK) on the 4-way handshake, which has been covered in my blog earlier. Nice samples of how the handshake works with optional 802.1X authentication. ANonce and SNonce, used to form the PTK and GTK. Rest of communication is encrypted. Frame encryption method explained. Keystream XORed with plaintext data = encrypted ciphertext. Nonce starts from zero after PTK key installation. Examples of how to execute the attack. Nice slides and process flow description. Retransmitted message #4 should have been sent without encryption according to the specification. This is a great example where using encryption actually breaks security. Actually a good example of why encryption schemes where data is XORed with a keystream are extremely vulnerable to nonce reuse. Allows replay attacks, due to the replay counter getting reset. Key re-installation attack (KRACK) totally breaks GCMP (WiGig, 802.11ad, GCM) encryption, allowing frames to be forged / injected in both directions: from client to access point and from access point to client. Group key handshake attack, which allows replaying broadcast traffic. FT handshake doesn't have any replay protection. Re-association Response. Nice slides about this case too. All-zero encryption key flaw on Android and Linux devices. And more nice details in the presentation. Trivial to intercept and manipulate client traffic. Corrections to popular misconceptions. It is required to update / patch both clients and access points to remedy this issue fully. Own comment: this means that this issue will remain in the wild for a decade or longer. It's possible to attack networks from far away using special directional antennas. A directional antenna with line of sight can work from around 12 kilometers away. Attacks are possible if you just know that the network exists; you don't need any kind of pre-knowledge. Forcing a new 4-way handshake by sending de-authentication packets. Obtaining channel-based MitM is hard, but it isn't. You can use channel switch announcements. Ready-made attack scripts already exist, allowing script-kiddies to use these attacks. AES-CCMP doesn't mitigate the attack, because it still allows decryption & replay of frames. Enterprise networks (802.1X) do use the 4-way handshake and are therefore affected. Keep protocols simple. Even CIA says: "Re-keying introduces Unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return". Disclosure coordination challenges, because they found out this is a widespread issue. Conclusion. Flaw is in the WPA2 standard. Proven correct but is insecure. Attack has practical impact.
- Decoding Contactless (Card) Payments - An Exploration of NFC Transactions and Explanation How Apple Pay and Android Pay work - Some keywords from the talk: Credit Card, Issuer, Payment Networks, Terminal, Acquirer, Visa, Mastercard, JCB, Amex. Card Issuing, Terminal Provisioning, Online Authorization, Cryptogram Verification, Transaction Settlement. Contactless Transaction, Data Exchange. EMV, NFC, ICC, HCE, PAN, Android Pay, Apple Pay, Card Authentication, Customer Verification. Point of Sale. ISO-7816, ISO-8583. Host Card Emulation on Smartphone. Limited use crypto keys. Offline transactions. One Time Keys (LUK). Hardware-based Secure Element (SE). Account Data Tokenization. Token Service Provider, Token Requestor. Payment process data flow and exchange. Alternative Payment Methods like Alipay and WeChat. Host Card Emulation (HCE) @ Wikipedia
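Going back to the KRACK notes above (keystream XORed with plaintext, nonce starting from zero after PTK installation): the following is an added example, not code from the talk or from the original post, that models a client which resets its nonce on every key installation next to one that refuses to reinstall an already installed key, and a check that flags reused nonces. The SHA-256 keystream is a stand-in for CCMP/GCMP, and the `Supplicant` class, key and frame contents are constructed for illustration.

```python
import hashlib

PTK = bytes(range(16))                            # constructed sample key
P1, P2 = b"frame one: hello", b"frame two: world"  # constructed sample frames

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream SHA-256(key || nonce || block); a stand-in, not CCMP/GCMP."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Simplified client state (hypothetical model): installed PTK and transmit nonce."""
    def __init__(self, patched: bool):
        self.patched, self.ptk, self.nonce = patched, None, 0

    def install_key(self, ptk: bytes) -> None:
        # Called for every handshake message 3, including retransmissions.
        if self.patched and ptk == self.ptk:
            return                      # key already installed: keep the nonce counter
        self.ptk, self.nonce = ptk, 0   # nonce starts from zero after key installation

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))

def reused_nonces(frames):
    """Detection check: nonces seen more than once under the same key."""
    seen, dup = set(), set()
    for nonce, _ in frames:
        (dup if nonce in seen else seen).add(nonce)
    return sorted(dup)

def run(patched: bool):
    """One frame, a retransmitted message 3 (key installed again), then a second frame."""
    sta = Supplicant(patched)
    sta.install_key(PTK)
    first = sta.send(P1)
    sta.install_key(PTK)
    return [first, sta.send(P2)]

if __name__ == "__main__":
    for patched in (False, True):
        frames = run(patched)
        leaked = xor(frames[0][1], frames[1][1]) == xor(P1, P2)
        print(f"patched={patched} reused={reused_nonces(frames)} c1^c2==p1^p2: {leaked}")
```

With the unpatched model both frames are encrypted under nonce 1, so the keystream cancels out and the XOR of the two ciphertexts equals the XOR of the two plaintexts; the patched model keeps counting and the check reports no reuse.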