Mathy Vanhoef, mlembi wa KRACK kuwukira kwa ma waya opanda zingwe ndi WPA2, ndi Eyal Ronen, wolemba nawo zina zowukira TLS, adawulula zambiri zokhudzana ndi ziwopsezo zisanu ndi chimodzi (CVE-2019-9494 - CVE-2019-9499) muukadaulo. chitetezo cha ma netiweki opanda zingwe a WPA3, kukulolani kuti muthenso mawu achinsinsi olumikizirana ndikupeza ma netiweki opanda zingwe popanda kudziwa mawu achinsinsi. Zowopsa zake pamodzi ndi dzina la Dragonblood ndipo zimalola njira yolankhulirana ya Dragonfly, yomwe imateteza ku kulosera kwa mawu achinsinsi opanda intaneti, kusokonezedwa. Kuphatikiza pa WPA3, njira ya Dragonfly imagwiritsidwanso ntchito kuteteza ku kulosera kwa mtanthauzira mawu mu protocol ya EAP-pwd yomwe imagwiritsidwa ntchito pa Android, ma seva a RADIUS ndi hostapd/wpa_supplicant.
Kafukufukuyu adapeza mitundu iwiri yayikulu yamavuto omanga mu WPA3. Mitundu yonse yamavuto imatha kugwiritsidwa ntchito kupanganso mawu achinsinsi. Mtundu woyamba umakupatsani mwayi wobwerera ku njira zosadalirika zachinsinsi (zowononga): zida zowonetsetsa kuti zikugwirizana ndi WPA2 (njira yolowera, kulola kugwiritsa ntchito WPA2 ndi WPA3) kulola wowukirayo kukakamiza wofuna kuchita nawo magawo anayi olumikizirana. yogwiritsidwa ntchito ndi WPA2, yomwe imalola kugwiritsa ntchito mawu achinsinsi akale omwe amagwiritsidwa ntchito pa WPA2. Kuphatikiza apo, kuthekera kochita kuukira kotsikira mwachindunji panjira yofananira ndi Dragonfly kwadziwika, kulola kuti munthu abwerere kumitundu yocheperako yokhotakhota ya elliptic.
Mtundu wachiwiri wa vuto umabweretsa kutayikira kwa chidziwitso chokhudza mawonekedwe achinsinsi kudzera munjira za chipani chachitatu ndipo zimachokera ku zolakwika za njira yolembera mawu achinsinsi mu Dragonfly, zomwe zimalola deta yosadziwika, monga kusintha kwa kuchedwa panthawi yogwira ntchito, kukonzanso mawu achinsinsi oyambira. . Kachilombo ka Dragonfly's hash-to-curve aligorivimu amatha kugwidwa ndi cache, ndipo ma aligorivimu ake a hash-to-gulu amatha kugwidwa ndi nthawi.
Kuti achite ziwopsezo za migodi ya cache, wowukirayo ayenera kuyika nambala yopanda pake pamakina a wogwiritsa ntchito omwe akulumikizana ndi netiweki yopanda zingwe. Njira zonsezi zimapangitsa kuti zitheke kupeza chidziwitso chofunikira kuti mufotokozere kusankha kolondola kwa magawo achinsinsi panthawi yosankha mawu achinsinsi. Kuchita bwino kwa chiwembuchi ndikwambiri ndipo kumakupatsani mwayi wolosera mawu achinsinsi a zilembo 8 omwe ali ndi zilembo zing'onozing'ono, kungotenga magawo 40 okha pakugwirana chanza ndikugwiritsa ntchito zinthu zofanana ndi kubwereketsa Amazon EC2 ya $125.
Malingana ndi zovuta zomwe zadziwika, zochitika zambiri zowukira zaperekedwa:
- Rollback kuwukira pa WPA2 ndikutha kusankha mtanthauzira mawu. M'malo omwe kasitomala ndi malo ofikira amathandizira onse WPA3 ndi WPA2, wowukira atha kuyika malo awo olowera mwankhanza ndi dzina lomwelo la netiweki lomwe limangothandizira WPA2. Zikatero, kasitomala adzagwiritsa ntchito njira yolumikizirana yolumikizirana ya WPA2, pomwe zidzatsimikizirika kuti kubweza koteroko sikuloledwa, koma izi zidzachitika panthawi yomwe mauthenga amakambirano atumizidwa ndi zidziwitso zonse zofunika. chifukwa dikishonale yatsikira kale. Njira yofananira ingagwiritsidwe ntchito kubweza zovuta za ma elliptic curve mu SAE.
Kuphatikiza apo, zidadziwika kuti iwd daemon, yopangidwa ndi Intel ngati njira ina ya wpa_supplicant, ndi Samsung Galaxy S10 opanda zingwe stack amatha kutsitsa ngakhale pamanetiweki omwe amagwiritsa ntchito WPA3 yokha - ngati zida izi zidalumikizidwa kale ndi netiweki ya WPA3. , ayesa kulumikizana ndi netiweki ya WPA2 yokhala ndi dzina lomwelo.
- Kuukira kwapambali komwe kumatulutsa zidziwitso kuchokera ku cache ya processor. Mawu achinsinsi osunga mawu achinsinsi mu Dragonfly ali ndi nthambi zokhazikika komanso wowukira, wokhala ndi kuthekera kogwiritsa ntchito makina opanda zingwe, atha, kutengera kusanthula kwa kachesi, kudziwa kuti ndi midadada iti-ndi-imodzi yomwe yasankhidwa. Zomwe mwapeza zitha kugwiritsidwa ntchito kuyerekeza pang'onopang'ono mawu achinsinsi pogwiritsa ntchito njira zofananira ndi mawu achinsinsi a mtanthauzira mawu pa mawu achinsinsi a WPA2. Kuti atetezedwe, akuyenera kusintha kuti agwiritse ntchito ntchito zomwe zimakhala ndi nthawi yokhazikika, osadalira mtundu wa deta yomwe ikukonzedwa;
- Kuukira kwapambali ndikuyerekeza nthawi yogwira ntchito. Khodi ya ntchentche imagwiritsa ntchito magulu angapo ochulukirachulukira (MODP) kuti alembe mawu achinsinsi komanso kuchuluka kobwerezabwereza, kuchuluka kwake kumadalira mawu achinsinsi omwe amagwiritsidwa ntchito komanso adilesi ya MAC ya malo olowera kapena kasitomala. Wowukira akutali amatha kudziwa kuchuluka kwa mawu omwe adachitika panthawi yoyika mawu achinsinsi ndikuwagwiritsa ntchito ngati chizindikiritso chongoyerekeza pang'onopang'ono mawu achinsinsi.
- Kukana kuyimbira foni. Wowukira akhoza kuletsa ntchito zina za malo olowera chifukwa cha kutopa kwa zinthu zomwe zilipo potumiza zopempha zambiri zokambilana njira yolumikizirana. Kuti tilambalale chitetezo cha kusefukira kwa madzi choperekedwa ndi WPA3, ndikokwanira kutumiza zopempha kuchokera ku ma adilesi abodza, osabwerezabwereza a MAC.
- Kubwereranso kumagulu achinsinsi otetezedwa ochepa omwe amagwiritsidwa ntchito muzokambirana za WPA3. Mwachitsanzo, ngati kasitomala amathandizira ma elliptic curves P-521 ndi P-256, ndikugwiritsa ntchito P-521 ngati njira yoyamba, ndiye kuti wowukirayo, mosasamala kanthu za chithandizo.
P-521 kumbali yolowera imatha kukakamiza kasitomala kugwiritsa ntchito P-256. Kuwukiraku kumachitika posefa mauthenga ena panthawi yolumikizirana ndikutumiza mauthenga abodza okhala ndi chidziwitso chokhudza kusowa kwa chithandizo chamitundu ina yama elliptic curve.
Kuti muwone zida zomwe zili pachiwopsezo, zolemba zingapo zakonzedwa ndi zitsanzo za kuwukira:
- Dragonslayer - kukhazikitsa kuukira kwa EAP-pwd;
- Dragondrain ndi chida chothandizira kuwona kusatetezeka kwa malo opezeka pachiwopsezo pakukhazikitsa njira yolumikizirana ya SAE (Simultaneous Authentication of Equals), yomwe ingagwiritsidwe ntchito kuyambitsa kukana ntchito;
- Dragontime - script yochititsa kuukira kwa njira yotsutsana ndi SAE, poganizira kusiyana kwa nthawi yogwiritsira ntchito pogwiritsira ntchito magulu a MODP 22, 23 ndi 24;
- Dragonforce ndi chida chothandizira kubwezeretsanso zidziwitso (kungoyerekeza mawu achinsinsi) kutengera zambiri zanthawi zosiyanasiyana zogwirira ntchito kapena kudziwa kasungidwe ka data mu cache.
Wi-Fi Alliance, yomwe imapanga miyezo ya ma intaneti opanda zingwe, inalengeza kuti vutoli limakhudza chiwerengero chochepa cha kukhazikitsa koyambirira kwa WPA3-Personal ndipo chikhoza kukhazikitsidwa kudzera mu firmware ndi pulogalamu yamakono. Sipanakhalepo zochitika zolembedwa zokhala pachiwopsezo zomwe zimagwiritsidwa ntchito pochita zoyipa. Pofuna kulimbikitsa chitetezo, Wi-Fi Alliance yawonjezera mayeso owonjezera pa pulogalamu yotsimikizira zida zopanda zingwe kuti zitsimikizire kulondola kwazomwe zakhazikitsidwa, ndipo yafikiranso opanga zida kuti agwirizanitse limodzi zokonza pazovuta zomwe zadziwika. Zigamba zatulutsidwa kale kwa hostap/wpa_supplicant. Zosintha zamaphukusi zilipo kwa Ubuntu. Debian, RHEL, SUSE/openSUSE, Arch, Fedora ndi FreeBSD akadali ndi zovuta zosakonzedwa.
Source: opennet.ru