kracking wpa2 by forcing nonce reusethe wpa_supplicant 2.6 case: ›complex state machine &...
TRANSCRIPT
![Page 1: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/1.jpg)
KRACKing WPA2 by Forcing
Nonce ReuseMathy Vanhoef — @vanhoefm
Chaos Communication Congress (CCC), 27 December 2017
![Page 2: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/2.jpg)
Introduction
2
PhD Defense, July 2016:
“You recommend WPA2 with AES,
but are you sure that’s secure?”
Seems so! No attacks in
14 years & proven secure.
![Page 3: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/3.jpg)
![Page 4: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/4.jpg)
Introduction
4
Key reinstallation when ic_set_key is called again?
![Page 5: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/5.jpg)
Overview
5
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 6: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/6.jpg)
Overview
6
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 7: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/7.jpg)
The 4-way handshake
Used to connect to any protected Wi-Fi network
› Provides mutual authentication
› Negotiates fresh PTK: pairwise temporal key
Appeared to be secure:
› No attacks in over a decade (apart from password guessing)
› Proven that negotiated key (PTK) is secret1
› And encryption protocol proven secure7
7
![Page 8: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/8.jpg)
4-way handshake (simplified)
8
![Page 9: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/9.jpg)
4-way handshake (simplified)
9
PTK = Combine(shared secret,
ANonce, SNonce)
![Page 10: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/10.jpg)
4-way handshake (simplified)
10
PTK = Combine(shared secret,
ANonce, SNonce)
Attack isn’t about
ANonce or SNonce reuse
![Page 11: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/11.jpg)
4-way handshake (simplified)
11
![Page 12: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/12.jpg)
4-way handshake (simplified)
12
![Page 13: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/13.jpg)
4-way handshake (simplified)
13
![Page 14: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/14.jpg)
4-way handshake (simplified)
14
PTK is installed
![Page 15: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/15.jpg)
4-way handshake (simplified)
15
![Page 16: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/16.jpg)
Frame encryption (simplified)
16
Plaintext data
Nonce reuse implies keystream reuse (in all WPA2 ciphers)
Nonce
MixPTK(session key)
Nonce(packet number)
Packet key
![Page 17: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/17.jpg)
4-way handshake (simplified)
17
Installing PTK initializes
nonce to zero
![Page 18: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/18.jpg)
Channel 1
18
Reinstallation Attack
Channel 6
![Page 19: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/19.jpg)
19
Reinstallation Attack
![Page 20: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/20.jpg)
20
Reinstallation Attack
![Page 21: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/21.jpg)
21
Reinstallation Attack
Block Msg4
![Page 22: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/22.jpg)
22
Reinstallation Attack
![Page 23: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/23.jpg)
23
Reinstallation Attack
In practice Msg4
is sent encrypted
![Page 24: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/24.jpg)
24
Reinstallation Attack
![Page 25: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/25.jpg)
25
Reinstallation Attack
Key reinstallation!
nonce is reset
![Page 26: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/26.jpg)
26
Reinstallation Attack
![Page 27: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/27.jpg)
27
Reinstallation Attack
Same nonce
is used!
![Page 28: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/28.jpg)
28
Reinstallation Attack
Keystream
![Page 29: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/29.jpg)
29
Reinstallation Attack
Keystream
Decrypted!
![Page 30: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/30.jpg)
Key Reinstallation Attack
Other Wi-Fi handshakes also vulnerable:
› Group key handshake
› FT handshake
› TDLS PeerKey handshake
For details see our CCS’17 paper12:
› “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”
30
![Page 31: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/31.jpg)
Overview
31
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 32: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/32.jpg)
General impact
32
Receive replay counter reset
Replay frames towards victim
Transmit nonce reset
Decrypt frames sent by victim
![Page 33: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/33.jpg)
Cipher suite specific
AES-CCMP: No practical frame forging attacks
WPA-TKIP:
› Recover Message Integrity Check key from plaintext4,5
› Forge/inject frames sent by the device under attack
GCMP (WiGig):
› Recover GHASH authentication key from nonce reuse6
› Forge/inject frames in both directions
33
![Page 34: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/34.jpg)
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
34
![Page 35: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/35.jpg)
Unicast
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
35
![Page 36: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/36.jpg)
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
› Can only replay broadcast frames to client
4-way handshake: client is attacked replay/decrypt/forge
FT handshake (fast roaming = 802.11r):
› Access Point is attacked replay/decrypt/forge
› No MitM required, can keep causing nonce resets
36
![Page 37: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/37.jpg)
FT Handshake
37
![Page 38: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/38.jpg)
FT Handshake
38
![Page 39: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/39.jpg)
FT Handshake
39
![Page 40: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/40.jpg)
FT Handshake
40
![Page 41: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/41.jpg)
FT Handshake
41
![Page 42: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/42.jpg)
FT Handshake
42
![Page 43: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/43.jpg)
FT Handshake
43
Nonce reuse!
Use to decrypt frames
![Page 44: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/44.jpg)
Implementation specific
iOS 10 and Windows: 4-way handshake not affected
› Cannot decrypt unicast traffic (nor replay/decrypt)
› But group key handshake is affected (replay broadcast)
› Note: iOS 11 does have vulnerable 4-way handshake8
wpa_supplicant 2.4+
› Client used on Linux and Android 6.0+
› On retransmitted msg3 will install all-zero key
44
![Page 45: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/45.jpg)
45
![Page 46: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/46.jpg)
46
Android (victim)
![Page 47: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/47.jpg)
47
![Page 48: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/48.jpg)
48
![Page 49: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/49.jpg)
49
![Page 50: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/50.jpg)
50
![Page 51: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/51.jpg)
51
Now trivial to intercept and
manipulate client traffic
![Page 52: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/52.jpg)
Is your devices affected?
github.com/vanhoefm/krackattacks-scripts
52
› Tests clients and APs
› Works on Kali Linux
Remember to:
› Disable hardware encryption
› Use a supported Wi-Fi dongle!
![Page 53: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/53.jpg)
Countermeasures
Many clients won’t get updates…
AP can prevent (most) attacks on clients!
› Don’t retransmit message 3/4
› Don’t retransmit group message 1/2
However:
› Impact on reliability unclear
› Clients still vulnerable when connected to unmodified APs
53
![Page 54: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/54.jpg)
Overview
54
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 55: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/55.jpg)
Misconceptions I
Updating only the client or AP is sufficient
› Both vulnerable clients & vulnerable APs must apply patches
Need to be close to network and victim
› Can use special antenna from afar
Must be connected to network as attacker (i.e. have password)
› Only need to be nearby victim and network
55
![Page 56: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/56.jpg)
Misconceptions II
No useful data is transmitted after handshake
› Trigger new handshakes during TCP connection
Obtaining channel-based MitM is hard
› Nope, can use channel switch announcements
Attack complexity is hard
› Script only needs to be written once …
› … and some are (privately) doing this!
56
![Page 57: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/57.jpg)
Misconceptions III
Using (AES-)CCMP mitigates the attack
› Still allows decryption & replay of frames
Enterprise networks (802.1x) aren’t affected
› Also use 4-way handshake & are affected
It’s the end of the world!
› Let’s not get carried away
57
Image from “KRACK: Your Wi-Fi is no
longer secure” by Kaspersky
![Page 58: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/58.jpg)
Overview
58
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 59: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/59.jpg)
Limitations of formal proofs
› 4-way handshake proven secure
› Encryption protocol proven secure
59
The combination was not proven secure!
![Page 60: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/60.jpg)
Keep protocols simple
The wpa_supplicant 2.6 case:
› Complex state machine & turned out to still be vulnerable
› Need formal verification of implementations
60
“Re-keying introduces unnecessary
complexity (and therefore opportunities
for bugs or other unexpected behavior)
without delivering value in return.” 9
![Page 61: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/61.jpg)
Need rigorous specifications
Original WPA2 standard
› State machine doesn’t define when messages are accepted
802.11r amendment
› Better defines how/when to handle messages
› But some terms and cases still unclear
61
![Page 62: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/62.jpg)
On a related note…
Workshop on:
Security Protocol Implementations:
Development and Analysis (SPIDA)
CFP deadline is 8 January
Co-located with EuroS&P 2018 and “focuses on improving
development & analysis of security protocol implementations”
62
![Page 63: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/63.jpg)
Disclosure coordination I
Flawed standard: many affected, how to disclose?
Is it really a widespread issue?
› Contacted vendors we didn’t test ourselves
› They’re vulnerable it’s widespread & feedback on report
Determining who should be informed?
› Rely on a CERT team, or ask vendors for other contacts
› Notifying more vendors higher chance of leaks
63
![Page 64: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/64.jpg)
Disclosure coordination II
Duration of embargo?
› Long embargo: risk of details leaking
› Short embargo: not enough time to patch
› Do avoid uncertainty by setting a clear deadline
Special thanks to:
64
![Page 65: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/65.jpg)
Conclusion
› Flaw is in WPA2 standard
› Proven correct but is insecure!
› Attack has practical impact
› Update all clients & check APs
65
![Page 66: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/66.jpg)
Questions?krackattacks.com
Thank you!
![Page 67: KRACKing WPA2 by Forcing Nonce ReuseThe wpa_supplicant 2.6 case: ›Complex state machine & turned out to still be vulnerable ›Need formal verification of implementations 60 “Re-keying](https://reader034.vdocuments.mx/reader034/viewer/2022042810/5f9faafb6066351d121df246/html5/thumbnails/67.jpg)
References
1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005.
2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008.
3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/
4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009.
5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013.
6. A. Joux. Authentication failures in NIST version of GCM. 2016.
7. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002.
8. Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en-us/HT208222
9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from https://www.ietf.org/proceedings/76/slides/tls-7.pdf
11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014.
12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017.
67