Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef - - PowerPoint PPT Presentation

release the kraken
SMART_READER_LITE
LIVE PREVIEW

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef - - PowerPoint PPT Presentation

Sep 13, 2023 374 likes •819 views

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto, Canada, 16 October 2018 Key reinstallations in the 4-way handshake 2 WPA2: 4-way handshake Used to connect to any protected Wi-Fi network Mutual

slide-1
SLIDE 1

Release the Kraken:

New KRACKs in the 802.11 Standard

Mathy Vanhoef — @vanhoefm Toronto, Canada, 16 October 2018

slide-2
SLIDE 2

2

Key reinstallations in the 4-way handshake

slide-3
SLIDE 3

WPA2: 4-way handshake

Used to connect to any protected Wi-Fi network

3

Negotiates fresh PTK: pairwise transient key Mutual authentication

slide-4
SLIDE 4

WPA2: Encryption algorithm

4

Plaintext data

 Nonce reuse implies keystream reuse (in all WPA2 ciphers)

Nonce Mix PTK

(session key)

Nonce

(packet number) Packet key

slide-5
SLIDE 5

5

KRACK Attack

slide-6
SLIDE 6

6

KRACK Attack

slide-7
SLIDE 7

7

KRACK Attack

PTK = Combine(shared secret, ANonce, SNonce)

slide-8
SLIDE 8

8

KRACK Attack

Block Msg4

slide-9
SLIDE 9

9

KRACK Attack

Block Msg4

slide-10
SLIDE 10

10

KRACK Attack

PTK is installed & nonce set to zero

Block Msg4

slide-11
SLIDE 11

11

KRACK Attack

slide-12
SLIDE 12

12

KRACK Attack

slide-13
SLIDE 13

13

KRACK Attack

In practice Msg4 is sent encrypted

slide-14
SLIDE 14

14

KRACK Attack

slide-15
SLIDE 15

15

KRACK Attack

Key reinstallation: nonce again reset!

slide-16
SLIDE 16

16

KRACK Attack

slide-17
SLIDE 17

17

KRACK Attack

Next frame reuses previous nonce!

slide-18
SLIDE 18

18

KRACK Attack Keystream Decrypted!

slide-19
SLIDE 19

Practical Obstacles

19

slide-20
SLIDE 20

Rejected Msg3

20

slide-21
SLIDE 21

Rejected Msg3

21

Plaintext Msg3 rejected

slide-22
SLIDE 22

Rejected Msg3

22

Plaintext Msg3 rejected Solution: generate encrypted Msg3

slide-23
SLIDE 23

23

slide-24
SLIDE 24

24

slide-25
SLIDE 25

25

slide-26
SLIDE 26

26

slide-27
SLIDE 27

27

slide-28
SLIDE 28

28

slide-29
SLIDE 29

29

slide-30
SLIDE 30

30

slide-31
SLIDE 31

31

slide-32
SLIDE 32

32

Msg3 is now encrypted

slide-33
SLIDE 33

33

slide-34
SLIDE 34

Flawed countermeasure

34

slide-35
SLIDE 35

802.11’s official countermeasure

“When the Key, Address, Key Type, and Key ID parameters identify an existing key, the MAC shall not change the current transmitter TSC/PN/IPN counter or the receiver replay counter values associated with that key.”

35

slide-36
SLIDE 36

Bypassing 802.11’s countermeasure

Group key transported in two frames › EAPOL-Key frames › WNM-Sleep frames We can mix these frames › WNM-Sleep installs new key › Then EAPOL-Key reinstall old key  Can reinstall the group key

36

slide-37
SLIDE 37

Details are non-trivial

WNM & Group HS

37

group HS & WNM 4-way HS & WNM

slide-38
SLIDE 38

Implementation Specific Flaws

38

slide-39
SLIDE 39

Can we replay Message 4?

› Yes, certain MediaTek Drivers accept replayed Msg4’s › Used in 100+ devices  many vulnerable products

39

ASUS RT-AC51U TP-Link RE370K

slide-40
SLIDE 40

Are PTK rekeys implemented properly?

Rekey is a new 4-way handshake › Same messages exchanged as in initial 4-way handshake › But new ANonce and SNonce is used macOS: › Patched default KRACK attack › But reused the SNonce during a rekey › SNonce reuse patched in macOS 10.13.3

40

slide-41
SLIDE 41

Exploiting macOS’s SNonce reuse

Adversary can replay old handshake › Need to inject encrypted message 1 › Feasible under specific conditions › Causes key reinstallation

41

slide-42
SLIDE 42

Conclusion

› We made attacks more practical › Bypassed official countermeasure › Handling group keys is hard › Keep auditing devices & protocols!

42

slide-43
SLIDE 43

Questions?

krackattacks.com/followup.html

Thank you!