Krack: Difference between revisions
From charlesreid1
(Created page with "KRACK attack refers to a WPA2 attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to c...") |
|||
| Line 23: | Line 23: | ||
WPA2 also transports the group temporal key (GTK) to supplicant. | WPA2 also transports the group temporal key (GTK) to supplicant. | ||
===Detailed Four Step Handshake=== | |||
The handshake process is 4 steps: | |||
* Authenticator initiates 4-way handshake by sending message 1 containing ANonce | |||
* Supplicant receives message 1 | |||
* Supplicant generates the SNonce and derives the PTK | |||
* Supplicant sends message 2 containing SNonce to the authenticator | |||
* Authenticator receives message 2 and learns the SNonce and derives the PTK | |||
* Authenticator then sends the group key (GTK) in message 3 | |||
* Supplicant receives GTK in message 3 | |||
* To finalize handshake, supplicant replies with message 4 | |||
* Supplicant then installs the PTK and the GTK | |||
* Authenticator receives message 4 and installs PTK | |||
Important points: | |||
* First two messages send nonces | |||
* Last two messages send group and temporal keys | |||
If a new 4-way handshake is initiated, this leads to a new PTK | |||
802.11i defines Two data confidentiality protocols: TKIP (insecure) and AES-CCMP (more common) | |||
* If TKIP used, the TK is split into a 128-bit encryption key and 2 64-bit MIC keys (one for authenticator-supplicant communication, the other for supplicant-authenticator communication) | |||
* If CCMP protocol used, protocol is based on AES cipher operating in CCM mode | |||
More on CCMP protocol: | |||
* CCM protocol is secure so long as no initialization vector (IV) is repeated | |||
* IV is the concatenation of sender's MAC, 48-bit nonce, and additional flags | |||
* Nonce used as replay counter by receiver, to assure that IVs don't repeat | |||
Revision as of 01:36, 25 October 2017
KRACK attack refers to a WPA2 attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.
Original Paper
The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf
Overview of WPA2 Handshake Process
The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):
- Mutual authentication between authenticator and supplicant is based on Pairwise Master Key
- The PMK is derived from either a pre-shared password and negotiated using 802.1x authentication
- During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
- The PTK derived from PMK, authenticator nonce (anonce), supplicant nonce (snonce), and MAC address of supplicant and authenticator
PTK is generated from those three things, and it is split into three keys:
- key confirmation key (KCK)
- key encryption key (KEK)
- temporal key (TK)
Purpose:
- KCK and KEK protect handshake messages
- TK protects normal data frames
WPA2 also transports the group temporal key (GTK) to supplicant.
Detailed Four Step Handshake
The handshake process is 4 steps:
- Authenticator initiates 4-way handshake by sending message 1 containing ANonce
- Supplicant receives message 1
- Supplicant generates the SNonce and derives the PTK
- Supplicant sends message 2 containing SNonce to the authenticator
- Authenticator receives message 2 and learns the SNonce and derives the PTK
- Authenticator then sends the group key (GTK) in message 3
- Supplicant receives GTK in message 3
- To finalize handshake, supplicant replies with message 4
- Supplicant then installs the PTK and the GTK
- Authenticator receives message 4 and installs PTK
Important points:
- First two messages send nonces
- Last two messages send group and temporal keys
If a new 4-way handshake is initiated, this leads to a new PTK
802.11i defines Two data confidentiality protocols: TKIP (insecure) and AES-CCMP (more common)
- If TKIP used, the TK is split into a 128-bit encryption key and 2 64-bit MIC keys (one for authenticator-supplicant communication, the other for supplicant-authenticator communication)
- If CCMP protocol used, protocol is based on AES cipher operating in CCM mode
More on CCMP protocol:
- CCM protocol is secure so long as no initialization vector (IV) is repeated
- IV is the concatenation of sender's MAC, 48-bit nonce, and additional flags
- Nonce used as replay counter by receiver, to assure that IVs don't repeat