Krack: Difference between revisions
From charlesreid1
Revision as of 02:58, 25 October 2017
KRACK refers to an attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.
Overview of WPA2 Handshake Process
Overview from KRACK Paper
The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf
The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):
- Mutual authentication between authenticator and supplicant is based on Pairwise Master Key
- The PMK is either derived from a pre-shared password or negotiated using 802.1x authentication
- During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
- The PTK is derived from the PMK, the authenticator nonce (ANonce), the supplicant nonce (SNonce), and the MAC addresses of the supplicant and authenticator
The PTK is generated from those inputs, and it is split into three keys:
- key confirmation key (KCK)
- key encryption key (KEK)
- temporal key (TK)
Purpose:
- KCK and KEK protect handshake messages
- TK protects normal data frames
WPA2 also transports the group temporal key (GTK) to supplicant.
Detailed Four Step Handshake from KRACK Paper
The handshake process is 4 steps:
- Authenticator initiates 4-way handshake by sending message 1 containing ANonce
- Supplicant receives message 1
- Supplicant generates the SNonce and derives the PTK
- Supplicant sends message 2 containing SNonce to the authenticator
- Authenticator receives message 2 and learns the SNonce and derives the PTK
- Authenticator then sends the group key (GTK) in message 3
- Supplicant receives GTK in message 3
- To finalize handshake, supplicant replies with message 4
- Supplicant then installs the PTK and the GTK
- Authenticator receives message 4 and installs PTK
Important points:
- First two messages send nonces
- Last two messages send group and temporal keys
If a new 4-way handshake is initiated, this leads to a new PTK.
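The "supplicant installs the PTK" step is where key reinstallation matters: if message 3 is retransmitted and the same key is installed again with the packet counter reset, the nonce is re-used. The following is an added example, not code from the KRACK paper or from any real supplicant. The `Supplicant` class, its method names and the HMAC-based keystream (a stand-in for CCMP's AES counter mode) are assumptions made for illustration, and it compares a supplicant that reinstalls the key with one that refuses to.

```python
import hashlib
import hmac

def keystream(tk: bytes, pn: int, n: int) -> bytes:
    """Stand-in for CCMP counter mode: keystream depends only on (TK, packet number)."""
    return hmac.new(tk, pn.to_bytes(6, "big"), hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Hypothetical model of the supplicant's key-install and transmit path."""

    def __init__(self, refuse_reinstall: bool):
        self.refuse_reinstall = refuse_reinstall
        self.tk = None
        self.pn = 0          # transmit packet number, used as the per-frame nonce
        self.used = set()    # (TK, PN) pairs already used, kept for auditing
        self.reused = []     # packet numbers that were used twice under one TK

    def on_message3(self, tk: bytes) -> None:
        """Install the TK when message 3 arrives; message 3 may be retransmitted."""
        if self.refuse_reinstall and tk == self.tk:
            return           # hardened: key already in use, keep the counter
        self.tk, self.pn = tk, 0

    def send(self, plaintext: bytes) -> bytes:
        self.pn += 1
        if (self.tk, self.pn) in self.used:
            self.reused.append(self.pn)
        self.used.add((self.tk, self.pn))
        return xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def run(refuse_reinstall: bool):
    """Return (re-used packet numbers, whether c1 XOR c2 equals p1 XOR p2)."""
    tk = bytes(16)                       # constructed sample key
    p1, p2 = b"first frame ....", b"second frame ..."
    s = Supplicant(refuse_reinstall)
    s.on_message3(tk)
    c1 = s.send(p1)
    s.on_message3(tk)                    # retransmitted message 3, same key
    c2 = s.send(p2)
    return s.reused, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("reinstalls key :", run(refuse_reinstall=False))
    print("refuses install:", run(refuse_reinstall=True))
```
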
Overview from Stanford Paper
An alternative overview of the four-way handshake from this paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf
Successful authentication results in the supplicant and authenticator verifying each other's identity, and generating a shared secret for subsequent secure data transmissions.
Once the supplicant and authenticator have authenticated each other they generate a common shared secret (the Master Session Key MSK). The supplicant uses the MSK to derive a Pairwise Master Key (PMK).
In subsequent sessions, the authenticator and supplicant will generate a fresh Pairwise Transient Key (PTK), as well as coordinating the Group Transient Key (GTK).
It is assumed that the shared PMK is only known to the authenticator and supplicant. THIS ASSUMPTION IS DESTROYED BY THE KRACK ATTACK.
Once the authenticator and supplicant have agreed upon a shared PMK, the authenticator begins a 4-way handshake (either by itself or upon request by the supplicant). Here's the summary:
Message 1: Authenticator to Supplicant
- Authenticator MAC Address, ANonce, sn, msg
Message 2: Supplicant to Authenticator
- Supplicant MAC Address, SNonce, sequence_number, msg2, MIC-PTK(SNonce, sequence_number, msg2)
Message 3: Authenticator to Supplicant
- AA, ANonce, sequence_number+1, msg3, MIC-PTK(ANonce, sequence_number+1, msg3)
Message 4: Supplicant to Authenticator
- SPA, sequence_number+1, msg4, MIC-PTK(sequence_number+1, msg4)
MIC-PTK represents the message integrity code (MIC) calculated as a function of the quantities in parentheses. It is computed with the fresh PTK.
The fresh PTK (temporary session key) is derived from the shared PMK through a pseudo-random function with output length X. This is a function of the PMK, the authenticator MAC address, the supplicant MAC address (SPA), the ANonce, and the SNonce.
Once the PTK is obtained, it is divided into the KEK (Key Encryption Key) and TK (Temporary Key).
Normally, one 4-way handshake leads to one valid PTK after handshake. Running another 4-way handshake with the same PMK leads to generating a fresh PTK.
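The PTK derivation and MIC-PTK described above, as an added example (not code from either paper). It uses the IEEE 802.11i PRF built on HMAC-SHA1 with a 384-bit output, splits the result into KCK, KEK and TK, and keys the MIC with the KCK. The PMK, MAC addresses and message bytes are constructed sample values, and the MIC input is a simplified stand-in for the real EAPOL-Key frame.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, label, min/max of MAC addresses || min/max of nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def mic(kck: bytes, fields: bytes) -> bytes:
    """MIC over the handshake fields, keyed with the KCK (HMAC-SHA1, first 16 bytes)."""
    return hmac.new(kck, fields, hashlib.sha1).digest()[:16]

def verify_mic(kck: bytes, fields: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mic(kck, fields), tag)

# Constructed sample values, not taken from a real capture.
PMK = bytes(range(32))
AA = bytes.fromhex("020000000001")    # authenticator MAC address
SPA = bytes.fromhex("020000000002")   # supplicant MAC address

def handshake(anonce: bytes = None, snonce: bytes = None) -> dict:
    """One handshake with the same PMK; nonces are random unless supplied."""
    return derive_ptk(PMK, AA, SPA, anonce or os.urandom(32), snonce or os.urandom(32))

if __name__ == "__main__":
    first, second = handshake(), handshake()
    print("fresh PTK per handshake:", first["TK"] != second["TK"])
    msg2 = b"msg2" + (1).to_bytes(8, "big")   # simplified message fields
    tag = mic(first["KCK"], msg2)
    print("MIC verifies under its own PTK:", verify_mic(first["KCK"], msg2, tag))
    print("MIC verifies under another PTK:", verify_mic(second["KCK"], msg2, tag))
```
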
What can the attacker do?
- An attacker can easily masquerade using any MAC address (either the MAC of the authenticator or the supplicant)
- The difficulty for the attacker is in not knowing the PMK of the honest participants
- An attacker can eavesdrop on every message and remember nonces and MICs for each message
- Additional difficulties arise from the fact that attackers can insert forged messages or replay stored messages
- An attacker can compose a message 1 from stored nonces, and respond to every message with arbitrary combinations of known nonces/MICs
- Again, difficulties arise from the fact that the attacker can't control the flow of messages, but assume the worst...
Message flag:
- Combination of Key ACK, Key MIC, Secure bits in Key Information field
- Protected by MIC field
- Message flag makes msg1, msg2, msg3, msg4 distinguishable (otherwise, attacker can use MICs in msg2, msg3 to forge a valid msg4, or use a msg2 to forge a msg3)
Nonces:
- Nonces are used to make every message fresh and derive the fresh PTK
- These should be generated in an unpredictable and globally unique way
- If they are not, the protocol is vulnerable to replay or pre-computation attacks
- The nonce generation algorithm satisfies these requirements
Sequence number:
- The sequence number is not necessary for security objectives in a four-way handshake
- Replay attacks are prevented by freshness of nonces and PTKs
- Sequence number does not provide performance improvement
- MIC field must eventually be checked anyway, even if attacker modifies sequence number to valid value
MAC addresses:
- MAC addresses are used to bind the PTK to peers
- By establishing a PMK successfully, shared PMK has already bound keys with peers
- If PMK based on PSK (shared by group of users), fresh nonces will bind PTK to peers
- Like sequence numbers, MAC addresses are not necessary for authentication process - they don't add anything
Denial of Service
By flooding the network with a forged copy of message 1, an attacker can create a denial of service.
An attacker forges a fake message 1 (the real message 1 goes from authenticator to supplicant). It is sent out after the supplicant responds to the authenticator with message 2.
Quote
To repair the problems in WEP without requiring additional hardware, the Wi-Fi Alliance proposed a Temporal Key Integrity Protocol (TKIP) to provide stronger security through a keyed cryptographic Message Integrity Code (MIC), an Extended IV space and a key mixing function.
...As a long-term solution to securing wireless links, the latest IEEE standard 802.11i was ratified on June 24, 2004. The Counter-mode/CBC-MAC Protocol (CCMP) provides data confidentiality, integrity and replay protection. The authentication process combines 802.1X authentication with key management procedures to generate a fresh pairwise key and/or group key, followed by data transmission sessions.
- He and Mitchell, "Analysis of the 802.11i 4-way Handshake"
Link to above paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf
WPA Enterprise
If we're including WPA Enterprise, there is also a RADIUS server involved. This is a third party in the handshake process. The RADIUS server is referred to as the authentication server. An additional set of handshakes needs to occur between the authenticator (AP) and the authentication server (RADIUS server).
Resources
Papers
Original KRACK paper:
Key Reinstallation Attacks: Forcing Nonce Re-Use in WPA2 (2017 paper): https://papers.mathyvanhoef.com/ccs2017.pdf
Analysis of the 4-way handshake:
"Analysis of the 4-way handshake" (2004 paper): http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf
Cracking one-time pads:
Natural Language Approach to Automated Cracking of OTP (2006 paper): https://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf
Stack Exchange Questions
Infosec Stack Exchange question: "how does a nonce reset allow for decryption?": https://security.stackexchange.com/questions/171381/how-does-a-nonce-reset-allow-for-decryption
Continued chat on above question: https://chat.stackexchange.com/transcript/151/2017/10/17
Crypto Stack Exchange: "How do you attack a two-time pad (OTP with key re-use)?": https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse
Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358