release the kraken
play

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef - PowerPoint PPT Presentation

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto, Canada, 16 October 2018 Key reinstallations in the 4-way handshake 2 WPA2: 4-way handshake Used to connect to any protected Wi-Fi network Mutual


  1. Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef — @vanhoefm Toronto, Canada, 16 October 2018

  2. Key reinstallations in the 4-way handshake 2

  3. WPA2: 4-way handshake Used to connect to any protected Wi-Fi network Mutual authentication Negotiates fresh PTK: pairwise transient key 3

  4. WPA2: Encryption algorithm Nonce Plaintext data (packet number) Packet key PTK Mix (session key) Nonce  Nonce reuse implies keystream reuse (in all WPA2 ciphers) 4

  5. KRACK Attack 5

  6. KRACK Attack 6

  7. KRACK Attack PTK = Combine(shared secret, ANonce, SNonce) 7

  8. KRACK Attack Block Msg4 8

  9. KRACK Attack Block Msg4 9

  10. KRACK Attack PTK is installed & nonce set to zero Block Msg4 10

  11. KRACK Attack 11

  12. KRACK Attack 12

  13. KRACK Attack In practice Msg4 is sent encrypted 13

  14. KRACK Attack 14

  15. KRACK Attack Key reinstallation: nonce again reset! 15

  16. KRACK Attack 16

  17. KRACK Attack Next frame reuses previous nonce! 17

  18. KRACK Attack Keystream Decrypted! 18

  19. Practical Obstacles 19

  20. Rejected Msg3 20

  21. Rejected Msg3 Plaintext Msg3 rejected 21

  22. Rejected Msg3 Solution: generate encrypted Msg3 Plaintext Msg3 rejected 22

  23. 23

  24. 24

  25. 25

  26. 26

  27. 27

  28. 28

  29. 29

  30. 30

  31. 31

  32. Msg3 is now encrypted 32

  33. 33

  34. Flawed countermeasure 34

  35. 802.11’s official countermeasure “When the Key, Address, Key Type, and Key ID parameters identify an existing key, the MAC shall not change the current transmitter TSC/PN/IPN counter or the receiver replay counter values associated with that key .” 35

  36. Bypassing 802.11’s countermeasure Group key transported in two frames › EAPOL-Key frames › WNM-Sleep frames We can mix these frames › WNM-Sleep installs new key › Then EAPOL-Key reinstall old key  Can reinstall the group key 36

  37. Details are non-trivial WNM & Group HS group HS & WNM 4-way HS & WNM 37

  38. Implementation Specific Flaws 38

  39. Can we replay Message 4? › Yes, certain MediaTek Drivers accept replayed Msg4’s › Used in 100+ devices  many vulnerable products ASUS RT-AC51U TP-Link RE370K 39

  40. Are PTK rekeys implemented properly? Rekey is a new 4-way handshake › Same messages exchanged as in initial 4-way handshake › But new ANonce and SNonce is used macOS: › Patched default KRACK attack › But reused the SNonce during a rekey › SNonce reuse patched in macOS 10.13.3 40

  41. Exploiting macOS’s SNonce reuse Adversary can replay old handshake › Need to inject encrypted message 1 › Feasible under specific conditions › Causes key reinstallation 41

  42. Conclusion › We made attacks more practical › Bypassed official countermeasure › Handling group keys is hard › Keep auditing devices & protocols! 42

  43. Thank you! Questions? krackattacks.com/followup.html

Recommend


More recommend