Release the Kraken: New KRACKs in the 802.11 Standard
Mathy Vanhoef — @vanhoefm
Toronto, Canada, 16 October 2018

Key reinstallations in the 4-way handshake

WPA2: 4-way handshake
Used to connect to any protected Wi-Fi network
› Negotiates fresh PTK: pairwise transient key
› Mutual authentication

WPA2: Encryption algorithm
[Diagram labels: Plaintext data; Nonce; Mix; PTK (session key); Nonce (packet number); Packet key]
Nonce reuse implies keystream reuse (in all WPA2 ciphers)

KRACK Attack
› PTK = Combine(shared secret, ANonce, SNonce)
› Block Msg4
› PTK is installed & nonce set to zero
› In practice Msg4 is sent encrypted
› Key reinstallation: nonce again reset!
› Next frame reuses previous nonce!
› Keystream
› Decrypted!

Practical Obstacles

Rejected Msg3
› Plaintext Msg3 rejected
› Solution: generate encrypted Msg3
› Msg3 is now encrypted

Flawed countermeasure

802.11’s official countermeasure
“When the Key, Address, Key Type, and Key ID parameters identify an existing key, the MAC shall not change the current transmitter TSC/PN/IPN counter or the receiver replay counter values associated with that key.”

Bypassing 802.11’s countermeasure
Group key transported in two frames
› EAPOL-Key frames
› WNM-Sleep frames
We can mix these frames
› WNM-Sleep installs new key
› Then EAPOL-Key reinstalls old key
Can reinstall the group key
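
The countermeasure quoted above and the EAPOL-Key/WNM-Sleep mix, modelled as an added example (not code from the talk or from any driver). The key slot, both install routines, the sample keys and the counter values are constructed for illustration; rx_pn stands in for the receiver replay counter the standard names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 16
#define HISTORY 4

/* Constructed model of one group-key slot; not code from any real driver. */
struct key_slot {
    uint8_t  key[KEY_LEN];
    uint64_t rx_pn;                   /* receiver replay counter */
    uint8_t  seen[HISTORY][KEY_LEN];  /* keys installed earlier (hardened check) */
    int      n_seen;
};
typedef void (*install_fn)(struct key_slot *, const uint8_t *);

/* Check as quoted on the slide: counters survive only if k is the CURRENT key. */
static void install_current_only(struct key_slot *s, const uint8_t *k) {
    if (memcmp(s->key, k, KEY_LEN) == 0)
        return;
    memcpy(s->key, k, KEY_LEN);
    s->rx_pn = 0;                     /* treated as a new key: counter reset */
}

/* Hardened variant (assumption): ignore any key this association already installed. */
static void install_with_history(struct key_slot *s, const uint8_t *k) {
    for (int i = 0; i < s->n_seen && i < HISTORY; i++)
        if (memcmp(s->seen[i], k, KEY_LEN) == 0)
            return;
    memcpy(s->seen[s->n_seen++ % HISTORY], k, KEY_LEN);
    memcpy(s->key, k, KEY_LEN);
    s->rx_pn = 0;
}

/* Slide sequence: EAPOL-Key installs A, WNM-Sleep installs B, EAPOL-Key A again. */
static uint64_t pn_after_sequence(install_fn install) {
    struct key_slot s = {0};
    uint8_t a[KEY_LEN] = {0xAA}, b[KEY_LEN] = {0xBB};  /* constructed sample keys */
    install(&s, a); s.rx_pn = 5;      /* frames received under A */
    install(&s, b); s.rx_pn = 3;      /* frames received under B */
    install(&s, a);                   /* key A arrives a second time */
    return s.rx_pn;                   /* 0 means the replay counter was reset */
}

int main(void) {
    printf("rx_pn after sequence: current-only=%llu history=%llu\n",
           (unsigned long long)pn_after_sequence(install_current_only),
           (unsigned long long)pn_after_sequence(install_with_history));
    return 0;
}
```

With the current-only check the counter ends at 0, so frames already received under key A would pass the replay check again; with the history check key B stays active and the counter is untouched.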

Details are non-trivial
[Diagram panels: WNM & Group HS; group HS & WNM; 4-way HS & WNM]

Implementation Specific Flaws

Can we replay Message 4?
› Yes, certain MediaTek drivers accept replayed Msg4s
› Used in 100+ devices: many vulnerable products
[Pictured: ASUS RT-AC51U, TP-Link RE370K]

Are PTK rekeys implemented properly?
Rekey is a new 4-way handshake
› Same messages exchanged as in initial 4-way handshake
› But new ANonce and SNonce are used
macOS:
› Patched default KRACK attack
› But reused the SNonce during a rekey
› SNonce reuse patched in macOS 10.13.3

Exploiting macOS’s SNonce reuse
Adversary can replay old handshake
› Need to inject encrypted message 1
› Feasible under specific conditions
› Causes key reinstallation

Conclusion
› We made attacks more practical
› Bypassed official countermeasure
› Handling group keys is hard
› Keep auditing devices & protocols!

Questions? krackattacks.com/followup.html
Thank you!