Krack

From charlesreid1

KRACK attack refers to a WPA2 attack on the WPA2 handshake process. The basic attack forces clients to re-use a nonce, which is a kind of one-time key, enabling attackers to crack the key and decrypt packets between a client and a router.

Original Paper

The original paper publication by Mathy Vanhoef can be found here: https://papers.mathyvanhoef.com/ccs2017.pdf

Overview of WPA2 Handshake Process

The WPA2 handshake process involves a 4-way exchange of packets between a router/AP (authenticator) and a client (supplicant):

  • Mutual authentication between authenticator and supplicant is based on Pairwise Master Key
  • The PMK is derived from either a pre-shared password and negotiated using 802.1x authentication
  • During the handshake process, a fresh session key called Pairwise Transient Key (PTK) is negotiated
  • The PTK derived from PMK, authenticator nonce (anonce), supplicant nonce (snonce), and MAC address of supplicant and authenticator

PTK is generated from those three things, and it is split into three keys:

  • key confirmation key (KCK)
  • key encryption key (KEK)
  • temporal key (TK)

Purpose:

  • KCK and KEK protect handshake messages
  • TK protects normal data frames

WPA2 also transports the group temporal key (GTK) to supplicant.

Detailed Four Step Handshake

The handshake process is 4 steps:

  • Authenticator initiates 4-way handshake by sending message 1 containing ANonce
  • Supplicant receives message 1
  • Supplicant generates the SNonce and derives the PTK
  • Supplicant sends message 2 containing SNonce to the authenticator
  • Authenticator receives message 2 and learns the SNonce and derives the PTK
  • Authenticator then sends the group key (GTK) in message 3
  • Supplicant receives GTK in message 3
  • To finalize handshake, supplicant replies with message 4
  • Supplicant then installs the PTK and the GTK
  • Authenticator receives message 4 and installs PTK

Important points:

  • First two messages send nonces
  • Last two messages send group and temporal keys

If a new 4-way handshake is initiated, this leads to a new PTK


To repair the problems in WEP without requiring additional hardware, the Wi-Fi Alliance proposed a Temporal Key Integrity Protocol (TKIP) to provide stronger security through a keyed cryptographic Message Integrity Code (MIC), an Extended IV space and a key mixing function.

Furthermore, an authentication mechanism based on EAP/802.1X/RADIUS [1, 11, 17] has been developed to replace the poor Open System authentication and Shared Key authentication in WEP. As a long-term solution to securing wireless links, the latest IEEE standard 802.11i [12] was ratified on June 24, 2004. The Counter-mode/CBC-MAC Protocol (CCMP) provides data confidentiality, integrity and replay protection. The authentication process combines 802.1X authentication with key management procedures to generate a fresh pairwise key and/or group key, followed by data transmission sessions.

- He and Mitchell, "Analysis of the 802.11i 4-way Handshake"


Link to above paper: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf

The Crypto Details

The pre-shared key PSK

Resources

Papers

Original KRACK paper:

Key Reinstallation Attacks: Forcing Nonce Re-Use in WPA2 (2017 paper): https://papers.mathyvanhoef.com/ccs2017.pdf

Analysis of the 4-way handshake:

"Analysis of the 4-way handshake" (2004 paper): http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.142.1615&rep=rep1&type=pdf

Cracking one-time pads:

Natural Language Approach to Automated Cracking of OTP (2006 paper): https://www.cs.jhu.edu/~jason/papers/mason+al.ccs06.pdf

Stack Exchange Questions

Infosec Stack Exchange question: "how does a nonce reset allow for decryption?": https://security.stackexchange.com/questions/171381/how-does-a-nonce-reset-allow-for-decryption

Continued chat on above question: https://chat.stackexchange.com/transcript/151/2017/10/17 (via [1])

Crypto Stack Exchange: "How do you attack a two-time pad (OTP with key re-use)?": https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse

Consequences of WPA2 KRACK attack: https://security.stackexchange.com/questions/171356/consequences-of-the-wpa2-krack-attack/171358

Flags

Retrieved from "https://charlesreid1.com/w/index.php?title=Krack&oldid=21960"