From charlesreid1

KRACK (Key Reinstallation Attack) is an attack on the WPA2 4-way handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.

Overview of WPA2 Handshake Process

Overview from KRACK Paper

The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf

The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):

  • Mutual authentication between authenticator and supplicant is based on Pairwise Master Key (PMK)
  • The PMK is derived from a pre-shared password and negotiated using 802.1x authentication
  • During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
  • The PTK is derived from the PMK, the authenticator nonce (anonce), the supplicant nonce (snonce), and MAC address of the supplicant and authenticator

Once the PTK is generated, it is split into three keys:

  • key confirmation key (KCK)
  • key encryption key (KEK)
  • temporal key (TK)

Purpose:

  • KCK and KEK protect handshake messages
  • TK protects normal data frames

WPA2 also transports the group temporal key (GTK) to supplicant.

Detailed Four Step Handshake from KRACK Paper

The handshake process is 4 steps:

  • Authenticator initiates 4-way handshake by sending message 1 containing ANonce
  • Supplicant receives message 1
  • Supplicant generates the SNonce and derives the PTK
  • Supplicant sends message 2 containing SNonce to the authenticator
  • Authenticator receives message 2 and learns the SNonce and derives the PTK
  • Authenticator then sends the group key (GTK) in message 3
  • Supplicant receives GTK in message 3
  • To finalize handshake, supplicant replies with message 4
  • Supplicant then installs the PTK and the GTK
  • Authenticator receives message 4 and installs PTK

Important points:

  • First two messages send nonces
  • Last two messages send group and temporal keys

If a new 4-way handshake is initiated, this leads to a new PTK.

Overview from Stanford Paper

An alternative overview of the four-way handshake from this paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf

What is the outcome of a successful handshake?

  • Successful authentication results in the supplicant and authenticator verifying each other's identity, and generating a shared secret for subsequent secure data transmissions.

What happens (what keys are generated) after successful authentication?

  • Once the supplicant and authenticator have authenticated each other they generate a common shared secret (the Master Session Key MSK).
  • The supplicant uses the MSK to derive a Pairwise Master Key (PMK).
  • In subsequent sessions, the authenticator and supplicant will generate fresh Pairwise Transient Key (PTK), as well as coordinating the Group Transient Key (GTK).
  • Once the authenticator and supplicant have agreed upon a shared PMK, the authenticator begins a 4-way handshake (either by itself or upon request by the supplicant). Here's the summary:

It is assumed that the shared PMK is only known to the authenticator and supplicant. THIS ASSUMPTION IS DESTROYED BY THE KRACK ATTACK.

What is the message sequence for the 4-way handshake?

  • Message 1: Authenticator to Supplicant: AA, ANonce, sn, msg1
  • Message 2: Supplicant to Authenticator: SPA, SNonce, sn, msg2, MIC-PTK(SNonce, sn, msg2)
  • Message 3: Authenticator to Supplicant: AA, ANonce, sn+1, msg3, MIC-PTK(ANonce, sn+1, msg3)
  • Message 4: Supplicant to Authenticator: SPA, sn+1, msg4, MIC-PTK(sn+1, msg4)

Note: AA is the authenticator MAC address, SPA is the supplicant MAC address, and sn is the sequence number. MIC-PTK represents the message integrity code (MIC) calculated as a function of the quantities in parentheses. It is computed with the fresh PTK.

How is the PTK derived?

  • The fresh PTK (temporary session key) is derived from the shared PMK through a pseudo-random function with a specified output length
  • This pseudo-random function is a function of the PMK, the authenticator MAC address (AA), the supplicant MAC address (SPA), the ANonce, and the SNonce.

Division of PTK:

  • Once the PTK is obtained, it is divided into the KEK (Key Encryption Key) and TK (Temporal Key).

Normally, one 4-way handshake leads to one valid PTK after handshake. Running another 4-way handshake with the same PMK leads to generating a fresh PTK.
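As an added example (not code from the page or from either paper), here is the standard 802.11i derivation of the PTK from the PMK, the two MAC addresses and the two nonces, followed by the KCK/KEK/TK split described above. The passphrase, SSID, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The min/max ordering is why both sides compute the same PTK regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)

def split_ptk(ptk: bytes):
    """For CCMP the 384-bit PTK is KCK (16 bytes) | KEK (16 bytes) | TK (16 bytes)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]

def eapol_mic(kck: bytes, eapol_frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC for WPA2/CCMP key descriptors: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

# Constructed sample values (not real credentials and not a captured handshake).
PMK = pmk_from_passphrase("correct horse battery staple", "ExampleNet")
AA = bytes.fromhex("02000000aa01")                     # authenticator MAC
SPA = bytes.fromhex("020000005501")                    # supplicant MAC
ANONCE = hashlib.sha256(b"anonce-sample").digest()     # 32-byte nonces
SNONCE = hashlib.sha256(b"snonce-sample").digest()

if __name__ == "__main__":
    ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    kck, kek, tk = split_ptk(ptk)
    print("TK:", tk.hex())
    # A fresh SNonce in a new handshake yields an unrelated PTK and hence a new TK.
    ptk2 = derive_ptk(PMK, AA, SPA, ANONCE, hashlib.sha256(b"snonce-second-handshake").digest())
    print("TK changes with a new SNonce:", split_ptk(ptk2)[2] != tk)
```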

What can the attacker do?

  • An attacker can easily masquerade using any MAC address (either the MAC of the authenticator or the supplicant)
  • The difficulty for the attacker is in not knowing the PMK of the honest participants
  • An attacker can eavesdrop on every message and remember nonces and MICs for each message
  • Additional complications for authenticator/supplicant arise from the fact that attackers can insert forged messages or replay stored messages
  • An attacker can compose a message 1 from stored nonces, and respond to every message with arbitrary combinations of known nonces/MICs
  • Again, difficulties arise from the fact that the attacker can't control the flow of messages, but assume the worst...

What can't the attacker do?

  • Attacker does not know the PMK
  • Attacker can't control the order/timing/arrival of packets


Message flag:

  • Combination of Key ACK, Key MIC, Secure bits in Key Information field
  • Protected by MIC field
  • Message flag makes msg1, msg2, msg3, msg4 distinguishable (otherwise, attacker can use MICs in msg2, msg3 to forge a valid msg4, or use a msg2 to forge a msg3)

Nonces:

  • Nonces are used to make every message fresh and derive the fresh PTK
  • These should be generated in an unpredictable and globally unique way
  • If they are not, the protocol is vulnerable to replay or pre-computation attacks
  • The nonce generation algorithm satisfies these requirements

Sequence number:

  • The sequence number is not necessary for the security objectives of a four-way handshake
  • Replay attacks are prevented by freshness of nonces and PTKs
  • Sequence number does not provide performance improvement
  • MIC field must eventually be checked anyway, even if attacker modifies sequence number to valid value

MAC addresses:

  • MAC addresses are used to bind the PTK to peers
  • By establishing a PMK successfully, shared PMK has already bound keys with peers
  • If PMK based on PSK (shared by group of users), fresh nonces will bind PTK to peers
  • Like sequence numbers, MAC addresses are not necessary for authentication process - they don't add anything

Quote from Stanford Paper


To repair the problems in WEP without requiring additional hardware, the Wi-Fi Alliance proposed a Temporal Key Integrity Protocol (TKIP) to provide stronger security through a keyed cryptographic Message Integrity Code (MIC), an Extended IV space and a key mixing function.

...As a long-term solution to securing wireless links, the latest IEEE standard 802.11i was ratified on June 24, 2004. The Counter-mode/CBC-MAC Protocol (CCMP) provides data confidentiality, integrity and replay protection. The authentication process combines 802.1X authentication with key management procedures to generate a fresh pairwise key and/or group key, followed by data transmission sessions.

- He and Mitchell, "Analysis of the 802.11i 4-way Handshake"


Link to above paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf

WPA Enterprise

If we're including WPA Enterprise, there is also a RADIUS server involved. This is a third party in the handshake process. The RADIUS server is referred to as the authentication server. An additional set of handshakes needs to occur between the authenticator (AP) and the authentication server (RADIUS server).

How Krack Works

The KRACK attack works by forcing the re-use of a nonce (a kind of one-time pad), which enables cracking and obtaining the PMK.

How A Brute Force Attack Works

In a normal four-step handshake process, the client will compute the PTK (session key) from the PMK, the authenticator nonce, the supplicant nonce, and the MAC addresses of the authenticator and supplicant. The client will then use the PTK from message 3, plus their nonce, to transmit their MAC address to the authenticator.

If the attacker does not have the PMK, they are stuck trying to obtain the PMK through brute force. They try to come up with a PMK that can be combined with the supplicant nonce to correctly lead to the supplicant MAC address. Sniffing the handshake only gets you enough information to carry out a brute-force attack.

How Krack Works

KRACK works by interfering with Message 4 arriving at the authenticator. If Message 4 (supplicant acknowledging receipt of message 3) does not arrive at the authenticator, it continues to re-send Message 3. Each time the supplicant receives Message 3, it will install the PTK temporary key contained in it, and reset the nonces (or IVs, or packet counters) to zero.

(If a wifi client does not accept retransmissions of message 3, then it violates 802.11 standards, but is immune to this attack.)
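The following is an added illustration (not code from the page, the paper or any Wi-Fi implementation) that models the supplicant's behaviour on a retransmitted message 3: the vulnerable path reinstalls the key and resets the packet number, while the hardened path still answers the retransmission with message 4 but leaves an already-installed key alone. The state machine, the frame log and the reuse check are constructed for this page.

```python
from dataclasses import dataclass, field

@dataclass
class Supplicant:
    """Constructed model of the client key state around message 3 (not real driver code)."""
    tk: bytes
    hardened: bool = False       # True: never reinstall a key that is already in use
    installed: bool = False
    pn: int = 0                  # CCMP packet number, the per-frame nonce
    log: list = field(default_factory=list)

    def on_message3(self) -> str:
        """Handle message 3 (or a retransmission of it) and reply with message 4."""
        if self.installed and self.hardened:
            # Fix: acknowledge the retransmission but keep the installed TK and packet number.
            return "message 4 sent, key left installed"
        self.installed = True
        self.pn = 0              # (re)installation resets the nonce/packet counter to zero
        return "message 4 sent, key installed"

    def send_frame(self, payload: bytes) -> tuple:
        """Each data frame is protected under (TK, PN); that pair must never repeat."""
        self.pn += 1
        nonce = (self.tk, self.pn)
        self.log.append((nonce, payload))
        return nonce

def reused_nonces(log) -> int:
    """Defender-side check: count (TK, PN) pairs that protected more than one frame."""
    seen = set()
    reused = 0
    for nonce, _ in log:
        if nonce in seen:
            reused += 1
        seen.add(nonce)
    return reused

def scenario(hardened: bool) -> int:
    """Message 4 never reaches the AP, so the AP retransmits message 3 once."""
    s = Supplicant(tk=b"\x11" * 16, hardened=hardened)
    s.on_message3()
    s.send_frame(b"first frame")
    s.send_frame(b"second frame")
    s.on_message3()                      # retransmitted message 3
    s.send_frame(b"third frame")
    s.send_frame(b"fourth frame")
    return reused_nonces(s.log)

if __name__ == "__main__":
    print("vulnerable client, reused (TK, PN) pairs:", scenario(hardened=False))
    print("hardened client, reused (TK, PN) pairs:", scenario(hardened=True))
```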

Cracking the Nonce

In terms of classic cryptography, the nonce plays the role of a stream of "random" numbers used as a one-time pad to encrypt the data flowing between the authenticator and the client. By interfering with the handshake, you force the two parties to send and re-send data encrypted with the same one-time pad. The biggest weakness of a one-time pad system is a pad that is not used one time but re-used over and over again.

If a one-time pad is re-used, and an attacker has multiple ciphertexts, then the attacker can guess at the likely contents of the plaintext message. For example, if I know the word "PACKET" is in a stream of letters encrypted with a one-time pad, I can assume that PACKET occurs starting at letter 1, and get the corresponding one-time pad that would cause that; I can then assume that PACKET occurs starting at letter 2, and get the one-time pad that would cause that; etc etc.

Now, if I have multiple ciphertexts, I can apply each of the one-time pads that I got from the prior step to all of these other ciphertexts, and see if any of them result in something sensible (for example, the word PACKET occurring in another ciphertext decrypted with a guessed one-time pad). If I do find such a case, I have likely cracked the one-time pad used in that cipher system.

(More details here: [1])
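The crib-dragging idea in the paragraphs above, as an added worked example that is not part of the page: two constructed plaintexts are XORed with the same pad, the pad cancels when the two ciphertexts are XORed together, and sliding the crib PACKET along the result exposes fragments of the other message and of the pad itself. The plaintexts, the pad and its seed are constructed here.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad_from_seed(seed: bytes, length: int) -> bytes:
    """Constructed, reproducible 'one-time pad' for the demo; a real pad would be unpredictable."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

# Constructed sample messages; both are encrypted under the SAME pad (the two-time pad mistake).
PAD = pad_from_seed(b"constructed-example-pad", 64)
P1 = b"THE PACKET COUNTER RESETS TO ZERO AFTER MESSAGE THREE"
P2 = b"EVERY REINSTALL REUSES THE SAME NONCE AND THE SAME KEY"
C1 = xor_bytes(P1, PAD)
C2 = xor_bytes(P2, PAD)

ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ ")

def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Slide `crib` along c1 XOR c2, where the pad has cancelled out.
    Wherever the crib really sits in one message, the XOR exposes the other message's
    bytes at that offset; keep the offsets whose exposed bytes look like text."""
    diff = xor_bytes(c1, c2)
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        fragment = xor_bytes(diff[off:off + len(crib)], crib)
        if all(b in ALPHABET for b in fragment):
            hits.append((off, fragment.decode()))
    return hits

def recover_pad(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Once a plaintext fragment is known at an offset, the pad bytes there follow directly."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)], known_plaintext)

if __name__ == "__main__":
    for off, fragment in crib_drag(C1, C2, b"PACKET"):
        print(f"offset {off:2d}: other message reads {fragment!r}")
    pad_piece = recover_pad(C1, b"PACKET", P1.index(b"PACKET"))
    print("recovered pad bytes match the real pad:", pad_piece == PAD[4:10])
```

Wrong-offset candidates that still happen to look like text are what the language-model ranking in the OTP-cracking paper listed under Resources is for.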

The Zero Nonce

The particular vulnerability of Android and Linux wifi systems was that they could be tricked into installing an all-zeros nonce. This is equivalent to "encrypting" your stream of data with a one-time pad of AAAAAAAAAAAAAAAA...

In this case, no decryption was even necessary.

Decrypting the Nonce Via Reuse

As stated in the original paper, the supplicant will immediately begin transmitting frames using the "data-confidentiality protocol" (i.e., using its nonce and the PTK/GTK). When the client receives a message 3, it resets its nonce counter and begins all over again. This enables time control over the attack - that is, the attacker controls the duration of the supplicant transmitting frames before resetting the nonce.

AES

(Discussion here: [2])

Resources

Papers

Original KRACK paper:

Key Reinstallation Attacks: Forcing Nonce Re-Use in WPA2 (2017 paper): https://papers.mathyvanhoef.com/ccs2017.pdf

Analysis of the 4-way handshake:

"Analysis of the 4-way handshake" (2004 paper): http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf

Cracking one-time pads:

Natural Language Approach to Automated Cracking of OTP (2006 paper): https://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf

Video

Computerphile: KRACK Attack: https://www.youtube.com/watch?v=mYtvjijATa4

Stack Exchange Questions

Infosec SE: "How does a nonce reset allow for decryption?": https://security.stackexchange.com/questions/171381/how-does-a-nonce-reset-allow-for-decryption

Continued chat on above question: https://chat.stackexchange.com/transcript/151/2017/10/17 (via [3])

Crypto SE: "How do you attack a two-time pad (OTP with key re-use)?": https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse

Infosec SE: "Consequences of WPA2 KRACK attack": https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358

Infosec SE: "Is this the correct flow of the KRACK attack?": https://security.stackexchange.com/questions/171901/is-this-the-correct-flow-of-the-krack-attack
