Krack: Difference between revisions
From charlesreid1
(→Papers) |
|||
| Line 85: | Line 85: | ||
Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358 | Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358 | ||
==Flags== | |||
[[Category:Security]] | |||
[[Category:Wireless]] | |||
[[Category:Kismet]] | |||
Revision as of 02:05, 25 October 2017
KRACK attack refers to a WPA2 attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.
Original Paper
The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf
Overview of WPA2 Handshake Process
The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):
- Mutual authentication between authenticator and supplicant is based on Pairwise Master Key
- The PMK is derived from either a pre-shared password and negotiated using 802.1x authentication
- During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
- The PTK derived from PMK, authenticator nonce (anonce), supplicant nonce (snonce), and MAC address of supplicant and authenticator
PTK is generated from those three things, and it is split into three keys:
- key confirmation key (KCK)
- key encryption key (KEK)
- temporal key (TK)
Purpose:
- KCK and KEK protect handshake messages
- TK protects normal data frames
WPA2 also transports the group temporal key (GTK) to supplicant.
Detailed Four Step Handshake
The handshake process is 4 steps:
- Authenticator initiates 4-way handshake by sending message 1 containing ANonce
- Supplicant receives message 1
- Supplicant generates the SNonce and derives the PTK
- Supplicant sends message 2 containing SNonce to the authenticator
- Authenticator receives message 2 and learns the SNonce and derives the PTK
- Authenticator then sends the group key (GTK) in message 3
- Supplicant receives GTK in message 3
- To finalize handshake, supplicant replies with message 4
- Supplicant then installs the PTK and the GTK
- Authenticator receives message 4 and installs PTK
Important points:
- First two messages send nonces
- Last two messages send group and temporal keys
If a new 4-way handshake is initiated, this leads to a new PTK
802.11i defines three data confidentiality protocols: TKIP (insecure), GCMP (also insecure), and AES-CCMP (more common)
- If CCMP protocol used, protocol is based on AES cipher operating in CCM mode
More on CCMP protocol:
- CCM protocol is secure so long as no initialization vector (IV) is repeated
- IV is the concatenation of sender's MAC, 48-bit nonce, and additional flags
- Nonce used as replay counter by receiver, to assure that IVs don't repeat
The Crypto Details
The pre-shared key PSK
Resources
Papers
Original KRACK paper:
Key Reinstallation Attacks: Forcing Nonce Re-Use in WPA2 (2017 paper): https://papers.mathyvanhoef.com/ccs2017.pdf
Analysis of the 4-way handshake:
"Analysis of the 4-way handshake" (2004 paper): http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf
Cracking one-time pads:
Natural Language Approach to Automated Cracking of OTP (2006 paper): https://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf
Stack Exchange Questions
Infosec Stack Exchange question: "how does a nonce reset allow for decryption?": [1]
Continued chat on above question: [2] (via [3])
Crypto Stack Exchange: "How do you attack a two-time pad (OTP with key re-use)?": https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse
Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358