Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi...
Transcript of Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi...
![Page 1: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/1.jpg)
Key Reinstallation Attacks:
Forcing Nonce Reuse in WPA2Mathy Vanhoef, PhD
Wi-Fi Alliance meeting Bucharest, 24 October 2017
![Page 2: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/2.jpg)
Overview
1. Key reinstallation in
4-way handshake
2. Misconceptions
and remarks
3. Steps to improve
Wi-Fi security?
![Page 3: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/3.jpg)
The 4-way handshake
Two main purposes:
› Mutual authentication
› Negotiate fresh PTK: pairwise temporal key
Appeared to be secure:
› No attacks in more than a decade
› Proven as secure in 20051
› That is: negotiated key (PTK) is secret
![Page 4: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/4.jpg)
Wi-Fi handshake (simplified)
4
PTK = Combine(shared secret,
ANonce, SNonce)
![Page 5: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/5.jpg)
Wi-Fi handshake (simplified)
5
PTK = Combine(shared secret,
ANonce, SNonce)
Attack isn’t about
ANonce or SNonce reuse
![Page 6: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/6.jpg)
Wi-Fi handshake (simplified)
6
![Page 7: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/7.jpg)
Wi-Fi handshake (simplified)
7
PTK is installed
![Page 8: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/8.jpg)
Wi-Fi handshake (simplified)
8
![Page 9: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/9.jpg)
Encrypting data frames (simplified)
9
Nonce Plaintext data
Keystream should never be reused
Each nonce results in a unique keystream
Nonce
= Packet
Number
![Page 10: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/10.jpg)
Wi-Fi handshake (simplified)
10
Installing PTK resets
nonce to zero
![Page 11: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/11.jpg)
11
Key Reinstallation Attack
![Page 12: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/12.jpg)
12
![Page 13: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/13.jpg)
13
Block Msg4
![Page 14: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/14.jpg)
14
![Page 15: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/15.jpg)
15
In practice Msg4
is sent encrypted
![Page 16: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/16.jpg)
16
![Page 17: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/17.jpg)
17
Key reinstallation!
nonce is reset
![Page 18: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/18.jpg)
18
![Page 19: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/19.jpg)
19
Same nonce
is used!
![Page 20: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/20.jpg)
20
keystream
![Page 21: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/21.jpg)
21
keystream
Decrypted!
![Page 22: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/22.jpg)
Overview
1. Key reinstallation in
4-way handshake
2. Misconceptions
and remarks
3. Steps to improve
Wi-Fi security?
![Page 23: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/23.jpg)
Misconceptions I
No useful data is transmitted after handshake
› Trigger handshakes during TCP connection
Difficult to derive keystream
› Already have 82 bytes from encrypted Msg4
Need high signal strength to get MitM
› Use channel switch announcements, BSS
Transition Requests, jammers, …
![Page 24: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/24.jpg)
Misconceptions II
Need to be close to network
› Can use special antenna2,3
Using (AES-)CCMP mitigates the attack
› No, still allows decryption & replay of frames
Enterprise networks (802.1x) are not vulnerable
› Also use 4-way handshake and are affected
![Page 25: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/25.jpg)
Misconceptions III
You need the password to perform attacks
› Nope. Then you could decrypt all already …
Updating only client or AP is sufficient
› Both vulnerable clients and vulnerable APs
need to apply patches
Attack complexity is hard
› Script only needs to be written once
![Page 26: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/26.jpg)
“Attacks only get better,
they never get worse.”
— Bruce Schneier
![Page 27: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/27.jpg)
Overview
1. Key reinstallation in
4-way handshake
2. Misconceptions
and remarks
3. Steps to improve
Wi-Fi security?
![Page 28: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/28.jpg)
Countermeasures
Problem: many clients will not get updated
Solution: AP can prevent attacks on clients!
› Don’t retransmit message 3/4
› Don’t retransmit group message 1/2
However:
› Impact on reliability currently unclear
› Clients still vulnerable when connected to other unmodified APs
28
![Page 29: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/29.jpg)
Fuzzing
Basic fuzzing as part of device certification
› Test against key reinstallations
› Fuzzing length fields: avoid well-known bugs
› Plaintext frames rejected if encryption enabled?
› …
Advanced fuzzing of widely used tools:
› Can do more costly fuzzing on specific tools
› Make these fuzzing tools open source
![Page 30: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/30.jpg)
“Millions of dollars saved (for
Microsoft and the world).”
Patrice Godefroid, Microsoft Research
![Page 31: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/31.jpg)
Other recommendations
Not Wi-Fi Alliance task, but …
› Make standards easier to access. Just a download link, nothing on top.
› Anyone should be able to easily follow discussions. Mailing list?
![Page 32: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/32.jpg)
Need open source firmware
Code is getting more closed:
› Functionality is offloaded to closed firmware
› E.g. 4-way handshake is being offloaded
› We cannot trust this code!
At least open source security critical parts?
› Catch problems earlier & get help
![Page 33: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/33.jpg)
Long-term: formal verification
Programming is hard. Are patches correct?
› Missed attack against wpa_supplicant 2.6
Collaboration with academia:
› Create formal and precise state machines
› Formal verification of core code
› E.g. prove correctness of open source tools
![Page 34: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/34.jpg)
Questions?krackattacks.com
Thank you!
![Page 35: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 · 2020. 7. 21. · ANonce, SNonce) Wi-Fi handshake (simplified) 5 PTK = Combine(shared secret, ANonce, SNonce) Attack isn’t](https://reader034.fdocuments.in/reader034/viewer/2022051900/5fef7963cf24c941c47f27f3/html5/thumbnails/35.jpg)
References
1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell.
A Modular Correctness Proof of IEEE 802.11i and TLS. In
CCS, 2005.
2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving -
Building A Yagi Pringles Antenna. 2008.
3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23
October 2017 from https://www.mattparkinson.eu/designer-
cantenna/
3
5