Krack: Difference between revisions
From charlesreid1
| Line 53: | Line 53: | ||
Link to above paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf | Link to above paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf | ||
If we're including WPA Enterprise, there is also a RADIUS server involved. This is a third party in the handshake process. The RADIUS server is referred to as the authentication server. Ana additional set of handshakes need to occur between the authenticator (AP) and the authentication server (RADIUS server). | |||
==The Crypto Details== | ==The Crypto Details== | ||
The | Successful authentication results in the supplicant and authenticator verifying each other's identity, and generating a shared secret for subsequent secure data transmissions. | ||
Once the supplicant and authenticator have authenticated each other they generate a common shared secret (the Master Session Key MSK). The supplicant uses the MSK to derive a Pairwise Master Key (PMK). | |||
In subsequent sessions, the authenticator and supplicant will generate fresh Pairwise Transient Key (PTK), as well as coordinating the Group Transient Key (GTK). | |||
It is assumed that the shared PMK is only known to the authenticator and supplicant. ''THIS ASSUMPTION IS DESTROYED BY THE KRACK ATTACK.'' | |||
Once the authenticator and supplicant have agreed upon a shared PMK, the authenticator begins a 4-way handshake (either by itself or upon request by the supplicant). Here's the summary: | |||
Message 1: Authenticator to Supplicant | |||
* Authenticator MAC Address, ANonce, sn, msg | |||
Message 2: Supplicant to Authenticator | |||
* Supplicant MAC Address, SNonce, sequence_number, msg2, MIC-PTK(SNonce, sequence_number, msg2) | |||
Message 3: Authenticator to Supplicant | |||
* AA, ANonce, sequence_number+1, msg3, MIC-PTK(ANonce, sequence_number+1, msg3) | |||
Message 4: Supplicant to Authenticator | |||
* SPA, sequence_number+1, msg4, MIC-PTK(sequence_number+1, msg4) | |||
MIC-PTK represents the message integrity code (MIC) calculated as a function of the quantities in parentheses. It is computed with the fresh PTK. | |||
The fresh PTK (temporary session key) is derived from the shared PMK through a pseudo-random function with output length X. This is a function of the PMK, the authenticator MAC address, the SPA mac address, the ANonce, and the SNonce. | |||
Once the PTK is obtained, it is divided into the KEK (Key Encryption Key) and TK (Temporary Key). | |||
Normally, one 4-way handshake leads to one valid PTK after handshake. Running another 4-way handshake with the same PMK leads to generating a fresh PTK. | |||
For an attacker, who can easily masquerade using any MAC address (either the MAC of the authenticator or the supplicant), the difficulty is in not knowing the PMK of the honest participants. An attacker can eavesdrop on every message and remember nonces and MICs for each message. Additional difficulties arise from the fact that attackers can insert forged messages or replay stored messages. | |||
==Resources== | ==Resources== | ||
Revision as of 02:35, 25 October 2017
KRACK attack refers to a WPA2 attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.
Original Paper
The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf
Overview of WPA2 Handshake Process
The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):
- Mutual authentication between authenticator and supplicant is based on Pairwise Master Key
- The PMK is derived from either a pre-shared password and negotiated using 802.1x authentication
- During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
- The PTK derived from PMK, authenticator nonce (anonce), supplicant nonce (snonce), and MAC address of supplicant and authenticator
PTK is generated from those three things, and it is split into three keys:
- key confirmation key (KCK)
- key encryption key (KEK)
- temporal key (TK)
Purpose:
- KCK and KEK protect handshake messages
- TK protects normal data frames
WPA2 also transports the group temporal key (GTK) to supplicant.
Detailed Four Step Handshake
The handshake process is 4 steps:
- Authenticator initiates 4-way handshake by sending message 1 containing ANonce
- Supplicant receives message 1
- Supplicant generates the SNonce and derives the PTK
- Supplicant sends message 2 containing SNonce to the authenticator
- Authenticator receives message 2 and learns the SNonce and derives the PTK
- Authenticator then sends the group key (GTK) in message 3
- Supplicant receives GTK in message 3
- To finalize handshake, supplicant replies with message 4
- Supplicant then installs the PTK and the GTK
- Authenticator receives message 4 and installs PTK
Important points:
- First two messages send nonces
- Last two messages send group and temporal keys
If a new 4-way handshake is initiated, this leads to a new PTK
To repair the problems in WEP without requiring additional hardware, the Wi-Fi Alliance proposed a Temporal Key Integrity Protocol (TKIP) to provide stronger security through a keyed cryptographic Message Integrity Code (MIC), an Extended IV space and a key mixing function.Furthermore, an authentication mechanism based on EAP/802.1X/RADIUS [1, 11, 17] has been developed to replace the poor Open System authentication and Shared Key authentication in WEP. As a long-term solution to securing wireless links, the latest IEEE standard 802.11i [12] was ratified on June 24, 2004. The Counter-mode/CBC-MAC Protocol (CCMP) provides data confidentiality, integrity and replay protection. The authentication process combines 802.1X authentication with key management procedures to generate a fresh pairwise key and/or group key, followed by data transmission sessions.
- He and Mitchell, "Analysis of the 802.11i 4-way Handshake"
Link to above paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf
If we're including WPA Enterprise, there is also a RADIUS server involved. This is a third party in the handshake process. The RADIUS server is referred to as the authentication server. Ana additional set of handshakes need to occur between the authenticator (AP) and the authentication server (RADIUS server).
The Crypto Details
Successful authentication results in the supplicant and authenticator verifying each other's identity, and generating a shared secret for subsequent secure data transmissions.
Once the supplicant and authenticator have authenticated each other they generate a common shared secret (the Master Session Key MSK). The supplicant uses the MSK to derive a Pairwise Master Key (PMK).
In subsequent sessions, the authenticator and supplicant will generate fresh Pairwise Transient Key (PTK), as well as coordinating the Group Transient Key (GTK).
It is assumed that the shared PMK is only known to the authenticator and supplicant. THIS ASSUMPTION IS DESTROYED BY THE KRACK ATTACK.
Once the authenticator and supplicant have agreed upon a shared PMK, the authenticator begins a 4-way handshake (either by itself or upon request by the supplicant). Here's the summary:
Message 1: Authenticator to Supplicant
- Authenticator MAC Address, ANonce, sn, msg
Message 2: Supplicant to Authenticator
- Supplicant MAC Address, SNonce, sequence_number, msg2, MIC-PTK(SNonce, sequence_number, msg2)
Message 3: Authenticator to Supplicant
- AA, ANonce, sequence_number+1, msg3, MIC-PTK(ANonce, sequence_number+1, msg3)
Message 4: Supplicant to Authenticator
- SPA, sequence_number+1, msg4, MIC-PTK(sequence_number+1, msg4)
MIC-PTK represents the message integrity code (MIC) calculated as a function of the quantities in parentheses. It is computed with the fresh PTK.
The fresh PTK (temporary session key) is derived from the shared PMK through a pseudo-random function with output length X. This is a function of the PMK, the authenticator MAC address, the SPA mac address, the ANonce, and the SNonce.
Once the PTK is obtained, it is divided into the KEK (Key Encryption Key) and TK (Temporary Key).
Normally, one 4-way handshake leads to one valid PTK after handshake. Running another 4-way handshake with the same PMK leads to generating a fresh PTK.
For an attacker, who can easily masquerade using any MAC address (either the MAC of the authenticator or the supplicant), the difficulty is in not knowing the PMK of the honest participants. An attacker can eavesdrop on every message and remember nonces and MICs for each message. Additional difficulties arise from the fact that attackers can insert forged messages or replay stored messages.
Resources
Papers
Original KRACK paper:
Key Reinstallation Attacks: Forcing Nonce Re-Use in WPA2 (2017 paper): https://papers.mathyvanhoef.com/ccs2017.pdf
Analysis of the 4-way handshake:
"Analysis of the 4-way handshake" (2004 paper): http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf
Cracking one-time pads:
Natural Language Approach to Automated Cracking of OTP (2006 paper): https://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf
Stack Exchange Questions
Infosec Stack Exchange question: "how does a nonce reset allow for decryption?": https://security.stackexchange.com/questions/171381/how-does-a-nonce-reset-allow-for-decryption
Continued chat on above question: https://chat.stackexchange.com/transcript/151/2017/10/17 (via [1])
Crypto Stack Exchange: "How do you attack a two-time pad (OTP with key re-use)?": https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse
Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358