Krack

From charlesreid1

KRACK attack refers to a WPA2 attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.

Original Paper

The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf

Overview of WPA2 Handshake Process

The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):

  • Mutual authentication between authenticator and supplicant is based on Pairwise Master Key
  • The PMK is derived from either a pre-shared password and negotiated using 802.1x authentication
  • During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
  • The PTK derived from PMK, authenticator nonce (anonce), supplicant nonce (snonce), and MAC address of supplicant and authenticator

PTK is generated from those three things, and it is split into three keys:

  • key confirmation key (KCK)
  • key encryption key (KEK)
  • temporal key (TK)

Purpose:

  • KCK and KEK protect handshake messages
  • TK protects normal data frames

WPA2 also transports the group temporal key (GTK) to supplicant.

Detailed Four Step Handshake

The handshake process is 4 steps:

  • Authenticator initiates 4-way handshake by sending message 1 containing ANonce
  • Supplicant receives message 1
  • Supplicant generates the SNonce and derives the PTK
  • Supplicant sends message 2 containing SNonce to the authenticator
  • Authenticator receives message 2 and learns the SNonce and derives the PTK
  • Authenticator then sends the group key (GTK) in message 3
  • Supplicant receives GTK in message 3
  • To finalize handshake, supplicant replies with message 4
  • Supplicant then installs the PTK and the GTK
  • Authenticator receives message 4 and installs PTK

Important points:

  • First two messages send nonces
  • Last two messages send group and temporal keys

If a new 4-way handshake is initiated, this leads to a new PTK

802.11i defines three data confidentiality protocols: TKIP (insecure), GCMP (also insecure), and AES-CCMP (more common)

  • If CCMP protocol used, protocol is based on AES cipher operating in CCM mode

More on CCMP protocol:

  • CCM protocol is secure so long as no initialization vector (IV) is repeated
  • IV is the concatenation of sender's MAC, 48-bit nonce, and additional flags
  • Nonce used as replay counter by receiver, to assure that IVs don't repeat



The Crypto Details

The pre-shared key PSK

Resources

Papers

Original KRACK paper:

Key Reinstallation Attacks: Forcing Nonce Re-Use in WPA2 (2017 paper): https://papers.mathyvanhoef.com/ccs2017.pdf

Analysis of the 4-way handshake:

"Analysis of the 4-way handshake" (2004 paper): http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf

Cracking one-time pads:

Natural Language Approach to Automated Cracking of OTP (2006 paper): https://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf

Stack Exchange Questions

Infosec Stack Exchange question: "how does a nonce reset allow for decryption?": https://security.stackexchange.com/questions/171381/how-does-a-nonce-reset-allow-for-decryption

Continued chat on above question: https://chat.stackexchange.com/transcript/151/2017/10/17 (via [1])

Crypto Stack Exchange: "How do you attack a two-time pad (OTP with key re-use)?": https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse

Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358

Flags

Retrieved from "https://charlesreid1.com/w/index.php?title=Krack&oldid=21956"