KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm - - PowerPoint PPT Presentation

kracking wpa2 by forcing
SMART_READER_LITE
LIVE PREVIEW

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm - - PowerPoint PPT Presentation

Apr 15, 2023 475 likes •1.17k views

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

slide-1
SLIDE 1

KRACKing WPA2 by Forcing Nonce Reuse

Mathy Vanhoef — @vanhoefm Nullcon, 2 March 2018

slide-2
SLIDE 2

Introduction

2

PhD Defense, July 2016: “You recommend WPA2 with AES, but are you sure that’s secure?” Seems so! No attacks in 14 years & proven secure.

slide-3
SLIDE 3
slide-4
SLIDE 4

Introduction

4

Key reinstallation when ic_set_key is called again?

slide-5
SLIDE 5

Overview

5

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-6
SLIDE 6

Overview

6

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-7
SLIDE 7

The 4-way handshake

Used to connect to any protected Wi-Fi network › Provides mutual authentication › Negotiates fresh PTK: pairwise transient key Appeared to be secure: › No attacks in over a decade (apart from password guessing) › Proven that negotiated key (PTK) is secret1 › And encryption protocol proven secure7

7

slide-8
SLIDE 8

4-way handshake (simplified)

8

slide-9
SLIDE 9

4-way handshake (simplified)

9

slide-10
SLIDE 10

4-way handshake (simplified)

10

PTK = Combine(shared secret, ANonce, SNonce)

slide-11
SLIDE 11

4-way handshake (simplified)

11

PTK = Combine(shared secret, ANonce, SNonce)

Attack isn’t about ANonce or SNonce reuse

slide-12
SLIDE 12

4-way handshake (simplified)

12

slide-13
SLIDE 13

4-way handshake (simplified)

13

slide-14
SLIDE 14

4-way handshake (simplified)

14

slide-15
SLIDE 15

4-way handshake (simplified)

15

PTK is installed

slide-16
SLIDE 16

4-way handshake (simplified)

16

slide-17
SLIDE 17

Frame encryption (simplified)

17

Plaintext data

 Nonce reuse implies keystream reuse (in all WPA2 ciphers)

Nonce Mix PTK

(session key)

Nonce

(packet number) Packet key

slide-18
SLIDE 18

4-way handshake (simplified)

18

Installing PTK initializes nonce to zero

slide-19
SLIDE 19

Channel 1

19

Reinstallation Attack

Channel 6

slide-20
SLIDE 20

20

Reinstallation Attack

slide-21
SLIDE 21

21

Reinstallation Attack

slide-22
SLIDE 22

22

Reinstallation Attack

Block Msg4

slide-23
SLIDE 23

23

Reinstallation Attack

slide-24
SLIDE 24

24

Reinstallation Attack

slide-25
SLIDE 25

25

Reinstallation Attack

In practice Msg4 is sent encrypted

slide-26
SLIDE 26

26

Reinstallation Attack

Key reinstallation! nonce is reset

slide-27
SLIDE 27

27

Reinstallation Attack

slide-28
SLIDE 28

28

Reinstallation Attack

Same nonce is used!

slide-29
SLIDE 29

29

Reinstallation Attack Keystream Decrypted!

slide-30
SLIDE 30

Key Reinstallation Attack

Other Wi-Fi handshakes also vulnerable: › Group key handshake › FT handshake › TDLS PeerKey handshake For details see our CCS’17 paper12: › “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”

30

slide-31
SLIDE 31

Overview

31

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-32
SLIDE 32

General impact

32

Receive replay counter reset Replay frames towards victim Transmit nonce reset Decrypt frames sent by victim

slide-33
SLIDE 33

Cipher suite specific

AES-CCMP: No practical frame forging attacks WPA-TKIP: › Recover Message Integrity Check key from plaintext4,5 › Forge/inject frames sent by the device under attack GCMP (WiGig): › Recover GHASH authentication key from nonce reuse6 › Forge/inject frames in both directions

33

slide-34
SLIDE 34

Unicast

Handshake specific

Group key handshake: › Client is attacked, but only AP sends real broadcast frames

34

slide-35
SLIDE 35

Handshake specific

Group key handshake: › Client is attacked, but only AP sends real broadcast frames › Can only replay broadcast frames to client 4-way handshake: client is attacked  replay/decrypt/forge FT handshake (fast roaming = 802.11r): › Access Point is attacked  replay/decrypt/forge › No MitM required, can keep causing nonce resets

35

slide-36
SLIDE 36

FT Handshake

36

slide-37
SLIDE 37

FT Handshake

37

slide-38
SLIDE 38

FT Handshake

38

slide-39
SLIDE 39

FT Handshake

39

slide-40
SLIDE 40

FT Handshake

40

slide-41
SLIDE 41

FT Handshake

41

slide-42
SLIDE 42

FT Handshake

42

slide-43
SLIDE 43

FT Handshake

43

slide-44
SLIDE 44

FT Handshake

44

Nonce reuse! Use to decrypt frames

slide-45
SLIDE 45

Implementation specific

iOS 10 and Windows: 4-way handshake not affected › Cannot decrypt unicast traffic (nor replay/decrypt) › But group key handshake is affected (replay broadcast) › Note: iOS 11 does have vulnerable 4-way handshake8 wpa_supplicant 2.4+ › Client used on Linux and Android 6.0+ › On retransmitted msg3 will install all-zero key

45

slide-46
SLIDE 46

46

slide-47
SLIDE 47

47

Android (victim)

slide-48
SLIDE 48

48

slide-49
SLIDE 49

49

slide-50
SLIDE 50

50

slide-51
SLIDE 51

51

slide-52
SLIDE 52

52

slide-53
SLIDE 53

53

Now trivial to intercept and manipulate client traffic

slide-54
SLIDE 54

Is your devices affected?

github.com/vanhoefm/krackattacks-scripts

54

› Tests clients and APs › Works on Kali Linux Remember to: › Disable hardware encryption › Use a supported Wi-Fi dongle!

slide-55
SLIDE 55

Countermeasures

Many clients won’t get updates… AP can prevent (most) attacks on clients! › Don’t retransmit message 3/4 › Don’t retransmit group message 1/2 However: › Impact on reliability unclear › Clients still vulnerable when connected to unmodified APs

55

slide-56
SLIDE 56

Overview

56

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-57
SLIDE 57

Misconceptions I

Updating only the client or AP is sufficient › Both vulnerable clients & vulnerable APs must apply patches Need to be close to network and victim › Can use special antenna from afar Must be connected to network as attacker (i.e. have password) › Only need to be nearby victim and network

57

slide-58
SLIDE 58

Misconceptions II

No useful data is transmitted after handshake › Trigger new handshakes during TCP connection Obtaining channel-based MitM is hard › Nope, can use channel switch announcements Attack complexity is hard › Script only needs to be written once … › … and some are (privately) doing this!

58

slide-59
SLIDE 59

Misconceptions III

Using (AES-)CCMP mitigates the attack › Still allows decryption & replay of frames Enterprise networks (802.1x) aren’t affected › Also use 4-way handshake & are affected It’s the end of the world! › Let’s not get carried away 

59

Image from “KRACK: Your Wi-Fi is no longer secure” by Kaspersky

slide-60
SLIDE 60

Overview

60

Key reinstalls in 4-way handshake Misconceptions Lessons learned Practical impact

slide-61
SLIDE 61

Limitations of formal proofs

› 4-way handshake proven secure › Encryption protocol proven secure

61

The combination was not proven secure!

slide-62
SLIDE 62

Keep protocols simple

The wpa_supplicant 2.6 case: › Complex state machine & turned out to still be vulnerable › Need formal verification of implementations

62

“Re-keying introduces unnecessary complexity (and therefore opportunities for bugs or other unexpected behavior) without delivering value in return.” 9

slide-63
SLIDE 63

Disclosure coordination: preparation

Flawed standard! How to disclose? Is it truly a widespread issue? › Contacted vendors we didn’t test ourselves › They’re vulnerable + feedback on report Determining who to inform? › Notifying more vendors  higher chance of leaks › We relied on CERT/CC to contact vendors

63

slide-64
SLIDE 64

Disclosure coordination: planning

Duration of embargo: › Long: risk of details leaking › Short: not enough time to patch › Avoid uncertainty: set clear deadline

64

Open source patches? › Developed and tested in private › Shared 1 week in advance over private mailing lists

slide-65
SLIDE 65

Multi-party vulnerability coordination

For more advice see: Guidelines and Practices for Multi-Party Vulnerability Coordination (Draft)11 Remember: › Goal is to protect users › There are various opinions

65

slide-66
SLIDE 66

Conclusion

› Flaw is in WPA2 standard › Proven correct but is insecure! › Attack has practical impact › Update all clients & check APs

66

slide-67
SLIDE 67

Questions?

krackattacks.com

Thank you!

slide-68
SLIDE 68

References

1.

  • C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005.

2.

  • S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008.

3.

  • M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/

4.

  • E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009.

5.

  • M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013.

6.

  • A. Joux. Authentication failures in NIST version of GCM. 2016.

7.

  • J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002.

8.

  • Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en-

us/HT208222 9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf

  • 10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from

https://www.ietf.org/proceedings/76/slides/tls-7.pdf

  • 11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014.
  • 12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017.

68