Nakuba izinga elisha le-WPA3 lingakenziwa ngokugcwele, amaphutha ezokuphepha kule phrothokholi avumela abahlaseli ukuthi bagebege iphasiwedi ye-Wi-Fi.
I-Wi-Fi Protected Access III (WPA3) yethulwa ngomzamo wokubhekana nokushiyeka kwezobuchwepheshe kwephrothokholi ye-WPA2, okwase kuyisikhathi eside ibhekwa njengengavikelekile futhi isengozini ye-KRACK (Ukuhlasela Kokufaka Kabusha Okubalulekile). Nakuba i-WPA3 ithembele ekuxhawulaneni okuvikeleke kakhudlwana okwaziwa ngokuthi Dragonfly, okuhloswe ngayo ukuvikela amanethiwekhi e-Wi-Fi ekuhlaselweni kwesichazamazwi ungaxhunyiwe ku-inthanethi (amandla anonya angaxhunyiwe ku-inthanethi), abacwaningi bezokuphepha uMathy Vanhoef no-Eyal Ronen bathola ubuthakathaka ekusetshenzisweni kusenesikhathi kwe-WPA3-Personal engavumela. umhlaseli ukuze athole amaphasiwedi e-Wi-Fi ngokusebenzisa kabi izikhathi noma izinqolobane eziseceleni.
“Abahlaseli bangafunda imininingwane okufanele i-WPA3 ibethelwe ngokuphephile. Lokhu kungasetshenziswa ukweba ulwazi olubucayi olufana nezinombolo zekhadi lesikweletu, amaphasiwedi, imilayezo yengxoxo, ama-imeyili, njll.”
Ishicilelwe namuhla , ebizwa ngokuthi i-DragonBlood, abacwaningi bahlolisise izinhlobo ezimbili zamaphutha okuklama ku-WPA3: eyokuqala iholela ekuhlaselweni okuphansi, kanti okwesibili iholela ekuvuzeni kwe-cache eseceleni.
Ukuhlasela kwesiteshi esiseceleni okusekelwe kunqolobane
I-algorithm yombhalo wephasiwedi ye-dragonfly, eyaziwa nangokuthi i-algorithm yokuzingela nokucofa, iqukethe amagatsha anemibandela. Uma umhlaseli angakwazi ukunquma ukuthi yiliphi igatsha legatsha uma-ke-ke-ke elithathiwe, angathola ukuthi ingxenye yephasiwedi itholwe yini ekuphindaphindweni okuthile kwaleyo algorithm. Empeleni, kutholwe ukuthi uma umhlaseli ekwazi ukusebenzisa ikhodi engalungile kukhompuyutha yesisulu, kungenzeka ukusebenzisa ukuhlasela okusekelwe kunqolobane ukuze kunqunywe ukuthi yiliphi igatsha elizanyiwe ekuphindaphindweni kokuqala kwe-algorithm yokwenza iphasiwedi. Lolu lwazi lungasetshenziswa ukwenza ukuhlasela kokuhlukanisa iphasiwedi (lokhu kufana nokuhlasela kwesichazamazwi esingaxhunyiwe ku-inthanethi).
Lokhu kuba sengozini kulandelelwa kusetshenziswa i-CVE-2019-9494.
Ukuzivikela kuqukethe ukufaka esikhundleni samagatsha anemibandela ancike kumanani ayimfihlo ngezinsiza zokukhetha zesikhathi esingaguquki. Ukwenziwa kufanele kusetshenziswe nokubala ngesikhathi esifanayo.
Ukuhlasela kwesiteshi eseceleni okusekelwe ekuvumelaniseni
Uma Ukuxhawula I-Dragonfly kusebenzisa amaqembu athile aphindaphindayo, i-algorithm yombhalo wekhodi wephasiwedi isebenzisa inani elihlukile lokuphindaphinda ukuze ufake ikhodi iphasiwedi. Inani eliqondile lokuphindaphinda lincike kuphasiwedi esetshenzisiwe kanye nekheli le-MAC lephoyinti lokufinyelela kanye neklayenti. Umhlaseli angenza ukuhlasela kwesikhathi esikude ku-algorithm yombhalo wekhodi wephasiwedi ukuze anqume ukuthi kuthathelwe ukuphindwa okungaki ukuze abhale iphasiwedi. Ulwazi olutholiwe lungasetshenziswa ukwenza ukuhlasela kwephasiwedi, okufana nokuhlasela kwesichazamazwi esingaxhunyiwe ku-inthanethi.
Ukuze uvimbele ukuhlasela kwesikhathi, ukusetshenziswa kufanele kukhubaze amaqembu aphindaphindekayo asengozini. Ngokombono wezobuchwepheshe, amaqembu e-MODP 22, 23 kanye no-24 kufanele akhutshazwe. Kuyanconywa futhi ukukhubaza amaqembu e-MODP 1, 2 kanye no-5.
Lokhu kuba sengozini kuphinda kulandelelwe kusetshenziswa i-CVE-2019-9494 ngenxa yokufana ekusetshenzisweni kokuhlasela.
Ukwehliswa kwe-WPA3
Njengoba umthetho olandelwayo we-WPA15 oneminyaka engu-2 ususetshenziswe kabanzi ngezigidigidi zamadivayisi, ukwamukelwa okusabalele kwe-WPA3 ngeke kwenzeke ngokuphazima kweso. Ukuze kusekelwe amadivayisi amadala, amadivayisi aqinisekiswe i-WPA3 anikezela "ngemodi yokusebenza yesikhashana" engalungiselelwa ukwamukela ukuxhumana kusetshenziswa kokubili i-WPA3-SAE ne-WPA2.
Abacwaningi bakholelwa ukuthi imodi yesikhashana isengozini yokuhlaselwa kokwehlisa izinga, abahlaseli abangasebenzisa ukuze bakhe indawo yokufinyelela eqinile esekela kuphela i-WPA2, okuphoqa amadivayisi anikwe amandla i-WPA3 ukuthi axhume kusetshenziswa ukuxhawula kwesandla okune-WPA2 okungavikelekile.
"Siphinde sathola ukuhlaselwa kokwehlisa izinga lokuxhawulana kwe-SAE (Simultaneous Authentication of Peers, ngokuvamile eyaziwa ngokuthi Dragonfly), lapho singaphoqa idivayisi ukuthi isebenzise ijika eliyi-elliptic elibuthakathaka kunokuvamile," kusho abacwaningi.
Ngaphezu kwalokho, indawo yomuntu ophakathi nendawo ayidingeki ukwenza ukuhlasela kokwehlisa izinga. Kunalokho, abahlaseli badinga kuphela ukwazi i-SSID yenethiwekhi ye-WPA3-SAE.
Abacwaningi babike abakutholile ku-Wi-Fi Alliance, inhlangano engenzi nzuzo eqinisekisa izindinganiso ze-WiFi nemikhiqizo ye-Wi-Fi ukuze ithotshelwe, evume izinkinga futhi isebenza nabathengisi ukulungisa amadivayisi akhona anesitifiketi se-WPA3.
I-PoC (404 ngesikhathi sokushicilela)
Njengobufakazi bomqondo, abacwaningi maduze bazokhipha amathuluzi amane ahlukene alandelayo (kumakhosombe e-GitHub axhunywe ngezansi) angasetshenziswa ukuhlola ubungozi.
iyithuluzi elingahlola ukuthi indawo yokufinyelela isengozini kangakanani ekuhlaselweni kwe-Dos ekuxhawulaneni kwe-WPA3 Dragonfly.
- Ithuluzi lokuhlola lokwenza ukuhlasela okunesikhathi ngokumelene nokuxhawulana kwe-Dragonfly.
iyithuluzi lokuhlola elithola ulwazi lokubuyisela ekuhlaselweni kwesikhathi futhi lenze ukuhlasela kwephasiwedi.
- ithuluzi elihlasela i-EAP-pwd.
Iwebhusayithi yephrojekthi -
Source: www.habr.com