5 Minutes on the WPA2 KRACK Vulnerability
The WPA2 KRACK vulnerability can be boiled down to one main aspect – forced nonce-reuse resulting in an attacker's ability to decrypt messages and 'manipulate' data through man-in-the-middle attacks on Wi-Fi access points.
How Wi-Fi Works
WPA2 is the general protocol adopted for Wi-Fi networks where a four-way handshake is used to identify and establish a connection between the supplicant (the user connecting to Wi-Fi) and the authenticator (the Wi-Fi access point they are connecting to). This four-way handshake is encrypted using (AES)-CCMP.
When a user tries to connect to a Wi-Fi access point, the 'password' they use to authenticate their access is known as the Pairwise Master Key (PMK). This establishes a symmetric protocol where both the authenticator and the supplicant know the value of the PMK.
The simplified four-way handshake between the supplicant and the authenticator is depicted in Figure 1 and proceeds as follows.
Figure 1
Four-Way Handshake Break Down
1. The Wi-Fi access point sends the supplicant 'r' with an 'Authenticator Nonce' (ANonce). This is the authenticator initialising the four-way handshake with the supplicant.
2. The supplicant, upon receiving the message, sends back 'r' along with a 'Supplicant Nonce' (SNonce).
3. The authenticator increments the 'r' to demonstrate that the authenticator and the supplicant are communicating within the same message thread and also sends a Group Temporal Key (GTK) which was pre-installed in the session and used to encrypt the data frames.
4. The supplicant now has enough information to generate a 'PTK', also known as a 'Pairwise Transient Key', which is a collection of operational symmetric keys used to encrypt the following Wi-Fi session between the supplicant and the authenticator. The PTK is made up of:
- PTK = (PMK, ANonce, SNonce, AP MAC, S MAC)
The keys within the PTK are:
- Key Confirmation Key – used to prove the possession of the PMK
- Key Encryption Key – for distributing the Group Transient Key (GTK)
- Temporal Keys – used for encryption
5. Upon installation of the PTK – the supplicant sends the authenticator an acknowledgement to demonstrate they've received the last message and thus, begins the session.
The Vulnerability
In Figure 2 below, we can see that each time a PTK is installed and the supplicant sends the Wi-Fi access point data, the data frame is encrypted using the established PTK with a nonce starting at '1'. This is because, in the WPA2 protocol, the nonce will increment from 0 to 247 for each session.
Figure 2
The KRACK attack exists because of the following two weaknesses in the protocol:
- Every time message 3 of the four-way handshake gets sent to the supplicant, the supplicant will reinstall the PTK
- Every time a new PTK is installed, the nonce that's used in the encrypted session will return to 0
To elaborate on the second bullet point – the encryption method used in WPA2 is AES-CCMP. AES is the encryption algorithm and CCMP is the mode of operation. CCMP stands for Counter-Mode CBC-MAC Protocol and the primary weakness in this mode is that it operates in a similar fashion to a stream cipher where nonce reuse allows an attacker to derive the encryption key – breaking the encrypted protocol. Nonce reuse turns this mode of operation into a form similar to ECB encryption, where the same input f(x) will yield the same resulting y.
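The two weaknesses listed above in miniature, as an added example that is not code from the original post: a toy supplicant that resets its nonce whenever message 3 arrives, beside a hardened one that ignores a retransmitted message 3 for the key already installed. HMAC-SHA256 stands in for AES counter mode, and the class, function names, key and sample frames are constructed for illustration.

```python
import hashlib
import hmac

def keystream(tk, nonce, length):
    """Stand-in for AES counter mode: output depends only on (key, nonce)."""
    out = b""
    for block in range(-(-length // 32)):  # ceil(length / 32) digest blocks
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Toy client: models only key installation and the per-frame nonce."""
    def __init__(self, hardened):
        self.hardened, self.tk, self.nonce = hardened, None, 0

    def on_message3(self, tk):
        # Hardened: ignore a retransmitted message 3 for the key already in use.
        if self.hardened and tk == self.tk:
            return
        self.tk, self.nonce = tk, 0  # install key, nonce returns to 0

    def send(self, plaintext):
        self.nonce += 1  # first frame after installation uses nonce 1
        ks = keystream(self.tk, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

TK = b"constructed-temporal-key"  # constructed sample key
P1, P2 = b"GET /index.html ", b"password=hunter2"  # constructed frames

def run_session(hardened):
    """Send a frame, receive message 3 again, send a second frame."""
    client = Supplicant(hardened)
    client.on_message3(TK)
    frame1 = client.send(P1)
    client.on_message3(TK)  # retransmitted message 3
    frame2 = client.send(P2)
    return frame1, frame2

def keystream_reused(frame1, frame2):
    """Same nonce under one key means both frames share a keystream."""
    return frame1[0] == frame2[0]

if __name__ == "__main__":
    for mode in (False, True):
        (n1, c1), (n2, c2) = run_session(mode)
        print(mode, n1, n2, xor(c1, c2) == xor(P1, P2))
```

In the unhardened run both frames carry nonce 1 and the XOR of the two ciphertexts equals the XOR of the two plaintexts; in the hardened run the nonces are 1 and 2 and that relation no longer holds.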
How the Attack Works
In Figure 3 below, assuming the attacker has physical proximity to the access point and is man-in-the-middling access point connections, the attacker will:
- Not forward the supplicant's acknowledgement of the (r+1, GTK) to the authenticator, which forces the authenticator to send 'Message 3' or (r+2, GTK) again
- This forces the supplicant to reinstall the PTK which resets the nonce back to 0
- The attacker then forwards the acknowledgements from the supplicant – establishing the session
- The attacker waits for the supplicant to send another encrypted data frame
- The attacker now has two encrypted data frames using the same nonce
Figure 3