presentation that's a bit personal for me, because 15 years ago I actually worked on standardizing this PEAP protocol, so I'm very happy to see that it has been completely broken, and this will be a nice demonstration of how. So welcome, Sergei.

Hello, my name is Sergei, I'm from Belarus, I'm a computer science student, a fourth-year student. Today I'd like to present you an amateur work, just as an open source hacker. I've been interested in wireless security, and in this paper I was studying how a man-in-the-middle attack can be implemented in a WPA Enterprise setup when we use PEAP with the MSCHAPv2 protocol. The initial goal was like this: I discovered that I'm using an insecure setup of wireless communication, because at my university they stimulate you to skip certificate verification, just to enter your user and password and that's it. So it's not secure, because of the history behind PEAP.

PEAP is the Protected Extensible Authentication Protocol. It is based on the EAP framework, which is a general conception of various authentication protocols. They all operate in the way of EAP state machines, just like a graph with vertices and edges: each time the machine stays in some state and, getting a new message, it processes it and then goes into another state, taking some actions.
If we look at the EAP state machines, the RFC is 4137. In the draft they proposed a conceptual implementation of the state machine for the client and the server. And there is the hostap project; you usually should be familiar with the wpa_supplicant and hostapd applications. One of them is used on the client side and the other one can work as a server-side application. Both of them share the same core, but they differ in who uses them. Why did I choose hostap? Because they had an example, it is called eap_example, and in there they configured a demo communication between the peer and server side state machines without any hardware layer, so we can just play around with it without having to set up a rogue access point or put in an additional man-in-the-middle node. So that example has the exact setup, PEAP with MSCHAPv2, without RADIUS, just the credentials were built in.

And I wanted to simulate the man-in-the-middle attack as it was written in the paper, sorry, the name of the paper is "Man-in-the-Middle in Tunnelled Authentication Protocols". It is dated to 2002, it has been available as a Springer publication in 2005, and on Wikipedia you are able to access it since 2013. In the previous year I started to read it for the first time, and it was a bit difficult to understand how to implement this man-in-the-middle attack, because it usually looks like this; it is written mostly the same way in that paper. The man in the middle waits for a legitimate device to enter an internal, let us say, remote authentication protocol, and it captures the initial message.

If you are operating in wireless networks, the previous step is to capture the attention of the client; it is called association. What can we use? We can create a rogue access point, we can make it look the same way as the legitimate server, that is, we usually configure the same SSID, and of course the inner protocol should be the same: it shouldn't be WPA-PSK,
should be WPA Enterprise. And the second point: you need to get the client to connect to you. If he is talking to the legitimate server, we can send the deauthentication packet to break the session and ask the client to reconnect. Also a very useful technique is to come closer to the victim; this way our rogue access point has the highest signal, and usually they prefer hotspots with a better signal. It's not always, but in general it works. So we capture the attention of the client, it associated to our rogue access point, and at that moment we begin EAP authentication.

So I have decided to call the server Alice and the client Bob. Usually they call it [unclear] Mallory, but I have called it Eve; it doesn't matter at all. So in my simulation the man-in-the-middle node consists of two EAP state machines, the Eve peer and the Eve server. The Eve peer communicates with the legitimate server, and the Eve server is our rogue access point that captured the attention of Bob. Actually, I think that they usually even make it another way with the names of Alice and Bob: usually Bob is the legitimate server and Alice is the client. It differs here.

So PEAP is a wrap over the EAP protocol. Usually all those legacy protocols like MSCHAPv2 send credentials with various problems. It can be a weak password problem, like the hash can be cracked. In 2012 there was a talk about cracking MSCHAPv2 credentials in less than 24 hours; the platform is called CloudCracker, if I'm correct, and it utilizes FPGA nodes. In this simulation I was interested in proxying the MSCHAPv2 credentials from the Bob peer to the Alice server and backward.

In January, around January 15, I discovered that there was a really cool paper in 2014, not about this trivial attack but about a really cool attack. It is called, okay, it's about WPA Enterprise exploiting, and they call the proxying of messages like "let's use MSCHAPv1 oracles", because the MSCHAPv2 protocol is the inner protocol in PEAP, and there is the LEAP protocol that uses MSCHAPv1, and iOS 7 had a
problem like this: you connect to the eduroam access point, for example, you provide your credentials, but if I create a rogue access point with the LEAP protocol, your iPhone will leak credentials, and even more, that protocol does not even use a TLS tunnel. So if there is somebody interested in a deeper study of the problem, you can refer to that paper; the link is provided at the FOSDEM page.

So in PEAP, at first the parties establish the TLS handshake the usual way: the server provides the certificate to the client, and the client is to verify it. The thing to steal the certificate, there is no certificate authority usually, because it's not good, it should be another trusted storage. The easiest way is to provide a self-signed certificate to a client, and usually Android phones allow you to leave this certificate unspecified; this way you connect to the server without verifying its authenticity, and so man-in-the-middle is possible.

So we have finished the TLS handshake, it is a part of the TLS protocol, and now we begin TLS communication. Both parties, the Alice server and the Eve peer, and the same is true for the Eve server and the Bob peer, come up with a shared master key that is the basis for future encryption. So since we performed man-in-the-middle, the Eve peer and the Eve server are in possession of both secret keys, for the tunnel between the Alice server and the Eve peer and for the tunnel between the Eve server and the Bob peer, and now we are actually working with a pure MSCHAPv2 protocol.

Here I presented the actual implementation of proxying of the inner protocol, because it's not that easy to process the protocol; there are some things that differ. So I decided to go into the code of hostap. At first there were only two machines; I created four machines, then I added communication in pairs: these two communicate between themselves and those two between themselves. Then I started to configure the setup, like I disabled the verification of the
certificate in the Bob peer machine. Then I met the following problem: we can skip the certificate verification, but we can still be sure that we were communicating with the legitimate server. This functionality is called crypto binding. The idea is the following: we generate a special integrity value with the help of a hash function that takes as arguments both secret materials, the master key from the TLS tunnel and a special secret key generated on the basis of the MSCHAPv2 credentials, and then we exchange these values, and both parties can be sure that the other end was in possession of both materials. And I was really trying to disable this functionality, because with it you can perform simulation. Crypto binding was created in 2004 by Cisco, I'm not sure, at least in Cisco they have had this functionality since 2004, and it's usually only for, okay, it's usually only for PEAPv0, because in PEAPv1 they don't even have this crypto binding. So in my simulation I configured the PEAPv1 protocol, just to make my life easier.

So then I started to add communication between these two man-in-the-middle state machines. The Alice server sends a challenge request to the Eve peer. The Eve peer does not have the password, or even the hash of this password, so the Eve peer enters a pending state, it's just specific functionality of the hostap implementation, and sends the data to the Eve server. The Eve server waits for the initial message from the Eve peer and sends a challenge request, just putting inside the same data that was sent from the Alice server to the Eve peer. The Bob peer computes the required response. The Eve server obtains it, enters a pending state, and sends the data to the Eve peer. The Eve peer successfully builds a forged MSCHAPv2 challenge response. The Alice server verifies it, everything is okay, and sends a success request. The Eve peer has to verify this request, because it is a part of the protocol, but since it is an attacker she skips it and sends the request to the Eve server, because the Bob peer won't skip this verification, so we
need to deliver the success request to the end. So after that the authentication is completed, everybody thinks it's okay, I mean those ends, and we as attackers are in possession of the required secret materials and we are permitted to access network resources that were protected with WPA Enterprise authentication. And as well we can proxy application layer messages from the Bob peer to the Alice server and analyze this traffic. It's a very true attack. You can protect from this with the help of VPN, HTTPS; it works still. It's more about network resources, like some kind of university email or like that. So that's it, thank you for your attention.

Thank you, Sergei. Questions? We have time for questions, raise your hand. Yes?

How is the certificate normally checked against the host? So I thought about, sometimes you get the CA from your university or something like this; then does it trust all certificates which are signed by the CA? Also, binding between the common name of the CA and the name of the RADIUS server, something like this, so for the next step?

Okay, usually you have to provide some kind of verification chain, like a usual trusted storage in HTTPS. In Windows they usually mix these certificate authorities, and Linux, actually in hostap you can provide separate certificates specifically for this network. The actual way how to