MétaCan
Menu
Back to cohort
Record W2990470761 · doi:10.1145/3357613.3357629

Bad-token

2019· article· en· W2990470761 on OpenAlex

Why this work is in the frame

A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.

affAt least one author lists a Canadian institution in the pinned OpenAlex snapshot.

Bibliographic record

Venuenot available
Typearticle
Languageen
FieldComputer Science
TopicAdvanced Authentication Protocols Security
Canadian institutionsQueen's University
Fundersnot available
KeywordsComputer securityDenial-of-service attackComputer scienceSpoofing attackAuthentication (law)Security tokenPasswordVulnerability (computing)CountermeasureComputer networkHandshakeNetwork packetAsynchronous communicationOperating systemThe InternetEngineering

Abstract

fetched live from OpenAlex

WPA3 (Wi-Fi Protected Access 3) is a certification that augments its predecessor WPA2 with protection mechanisms, such as resistance against password dictionary attacks through SAE (Simultaneous Authentication of Equals) handshake, MFP (Management Frame Protection) against management frame spoofing, and forward secrecy to prevent an attacker from decrypting old packets if it manages to crack the network key in the future. The mechanism is still under implementation by various device vendors. WPA3-capable devices are supposed to be on the market by the end of this year (2019) or early next year (2020). In this work, we describe a vulnerability that we have discovered in WPA3 authentication protocol. This vulnerability, named bad-token, can be exploited by an attacker in a race condition to cause a denial of service to Wi-Fi clients. The attacker sends fake authentication messages that contain a bad token (WPA3 authentication confirm value) during the WPA3 authentication and prevents legitimate clients from connecting to a WPA3 network. We also present two denial of service attacks related to WPA2, but can be inherited by WPA3. We start by presenting the WPA3-SAE mechanism and then introduce the bad-token vulnerability. We implement an attack that exploits the vulnerability using the Linux software utilities hostapd-2.7 and wpa_supplicant-2.7 on Raspberry Pis and show the impact of the attack on a legitimate WPA3 network. We provide a countermeasure to mitigate the attack. Finally, we present the two WPA2-related attacks that can occur on WPA3 if certain security measures are not applied. We experimentally show the feasibility of these two attacks and propose countermeasures to mitigate them and direct device vendors to better implement security in their future devices.

Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.

Full frame distilled prediction

Teacher imitation

Not calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.

metaresearch head score (Codex)0.000
metaresearch head score (Gemma)0.000
Version: codex-gemma-dda1882f352aValidation status: machine_predicted_unvalidated
Candidate categoriesInsufficient payload (model declined to judge)
Consensus categoriesnone
DomainCandidate signal: none · Consensus signal: none
Study designCandidate signal: Theoretical or conceptual · Consensus signal: Theoretical or conceptual
GenreCandidate signal: Methods · Consensus signal: none
Teacher disagreement score0.887
Threshold uncertainty score0.997

Codex and Gemma teacher scores by category

CategoryCodexGemma
Metaresearch0.0000.000
Meta-epidemiology (narrow)0.0000.000
Meta-epidemiology (broad)0.0000.000
Bibliometrics0.0000.000
Science and technology studies0.0000.000
Scholarly communication0.0000.000
Open science0.0010.000
Research integrity0.0000.000
Insufficient payload (model declined to judge)0.0000.004

Machine scores (provisional)

The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.

Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.

Opus teacher head0.007
GPT teacher head0.257
Teacher spread0.250 · how far apart the two teachers sit on this one work
Validation statusscore_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it