SlideShare a Scribd company logo

KRACK attack

V
VadimDavydov3

KRACK attack is one of the most famous one in WiFi security and privacy. In this presentation a detailed description of the attack is considered and countermeasures are offered.

Engineering
1 of 27
Download to read offline
KRACK attack (802.11i four- way handshake attack) Vadim Davydov 19/03/2018 1
Presentation agenda • History of 802.11 security protocols family • 802.11i protocol • 4-way handshake • Techniques for confidentiality over 802.11i: TKIP, AES CCMP, AES GCMP • Key re-installation attack on 4 way handshake • Group key handshake • Group key handshake break • Countermeasures 2
History of 802.11 security protocols family IEEE 802.11 is the set of standards that define communication for wireless local area networks (WLANs). The technology behind 802.11 is branded to consumers as Wi-Fi. 3
History of 802.11 security protocols family • WEP (Wired Equivalent Privacy) is the first standard for Wi-Fi protection • WPA (Wi-Fi Protected Access) • WPA2 4
Wireless security Encryption standard Fast facts How it works WEP First standard for Wi-Fi protection. Can be easily hacked due to its 24-bit initialization vector and weak authentication It uses RC4 stream cipher and 64- or 128-bit keys. Static master key must be manually entered into each device WPA Security protocol developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in WEP Also uses RC4 but longer IVs and 256- bit keys are added. Each client gets new keys with TKIP WPA2 WPA2 replaced WPA. It implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for CCMP, an AES- based encryption mode with strong security Replaces RC4 and TKIP with CCMP and AES algorithm for stronger authentication and encryption 5
802.11i Protocol 6
Used keys PMK (Pairwise Master Key) ▪ Derived from a pre-shared password in a personal network PTK (Pairwise Transient Key) ▪ Derived from PMK, ANonce, SNonce, MAC addresses of both KCK (Key Confirmation Key) – bits 0-127 of the PTK ▪ To protect handshake messages KEK (Key Encryption Key) – bits 128-255 of the PTK ▪ To protect handshake messages TK (Temporal Key) – bits 256- 383 of the PTK ▪ To protect normal data frames with a data- confidentiality protocol 7
EAPOL • Header: which message in the handshake a particular EAPOL frame represents • Replay Counter: to detect replayed frames • Nonce: to transport random nonces to derive a fresh session key • RSC (Receive Sequence Counter): contains the starting packet number of group key • MIC (Message Integrity Check): the authenticity of the frame is protected using the KCK with a MIC • Key Data: has the group key itself, which is encrypted using KEK 8
802.11i. Confidentiality and Integrity Protocols TKIP (Temporal Key Integrity Protocol) CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) GCMP (Galios Counter Mode Protocol) 9
802.11i. Confidentiality and Integrity Protocols * The difference between WPA-CCMP and WPA-GCMP is that the second one also adds support for short-range communications in the 60 GHz band * 10
802.11i. Authentication • Authenticating the client as valid and having permission to access the network • Allows any client to authenticate • After this step, the client associates with the network 11
802.11i. 4-way Handshake • At the starting state, no keys are known, the MIC cannot be computed • Msg1: the authenticator uses this message only to send its value of ANonce to the supplicant • Msg2: After successful delivery of the first message, the supplicant generates its own value of SNonce 12
802.11i. 4-way Handshake • Msg3: • verifies to the supplicant that the authenticator knows the PMK and is thus a trusted party • it tells the supplicant that the authenticator is ready to install and start using the data encryption keys • it gives the supplicant the group key • Msg4: verifies to the authenticator that the keys are about to be installed 13
The Group Key Handshake • Authenticator periodically refreshes GTK and initiates the handshake by sending the message to all clients in the group • Depending on the implementation, GTK can be installed after sending message 1 or after receiving responses from all clients • Since a PTK is installed, the complete EAPOL frame is protected using a data- confidentiality protocol 14
15
Problem 4-way handshake Can be retransmitted if the AP didn’t receive a reply 16
Why is it a critical moment? “If the Authenticator does not receive a reply to its messages, it shall attempt dottRSNAConfigPairwiseUpdateCount transmits of the message, plus a final timeout.” IEEE Std 802.11i. 2004. Amendment 6: Medium Access Control (MAC) Security Enhancements, § 8.5.3.5 4-Way Handshake implementation considerations 17
Why is it a critical moment? 18 Retransmitting the message PTK will be reinstalled Nonce will be reused Due to the properties of the stream ciphers used in data-confidentiality protocols, reusing nonces leads to the ability of decryption
Plaintext retransmission attack • Using Man-in-the-middle attack to manipulate messages • Blocking message 4 from arriving at the authenticator • The authenticator retransmits Msg3 due to he didn’t receive Msg4 19
• Supplicant installs PTK & GTK • Authenticator sends Msg3 again which the adversary doesn’t block, and the supplicant reinstalls PTK & GTK • As a result, it resets the nonce and replay counter used by the data-confidentiality protocol 20
Plaintext retransmission attack • Since the authenticator did not yet install the PTK, it will normally reject the encrypted Msg4 • BUT the authenticator may accept any replay counter that was used in the 4- way handshake • When the victim transmits its next data frame, the data-confidentiality protocol reuses nonces 21
Group Key Handshake Break (Immediate Key installation) • The adversary blocks the response (group Msg2) from arriving at the AP 22
Group Key Handshake Break • Authenticator retransmits a new group message 1 • Waiting until data frame is transmitted and forward a new group message to the supplicant • The group key is reinstalled 23
Other attacks There are several attacks which depend on the using system and how the protocol 802.11i is implemented: ▪ Attacking 4-way handshake when the victim only accepts encrypted message 3 retransmission ▪ Attacking the Group Key Handshake with a delayed key installation 24
Countermeasures • Check if the new key has already been installed and avoid repetition of the replay counters • Changing the data-confidentiality protocols 25
References • Key reinstallation attacks. https://www.krackattacks.com/ • I. W. Group et al. Ieee standard for information technology– telecommunications and information exchange between systems–local and metropolitan area networks–specific requirements–part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications amendment 6: Wireless access in vehicular environments. IEEE Std, 802(11), 2010. • M. Vanhoef and F. Piessens. Key reinstallation attacks: Forcing nonce reuse in wpa2. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1313–1328. ACM, 2017. 26
Q&A 27

Recommended

WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
Napier University
 
WPA2
WPA2WPA2
WPA2
Mshari Alabdulkarim
 
WPA 3
WPA 3WPA 3
WPA 3
diggu22
 
Wpa3
Wpa3Wpa3
Wpa3
Bhavya Dashora
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2
Nzava Luwawa
 
Wireless security using wpa2
Wireless security using wpa2Wireless security using wpa2
Wireless security using wpa2
Tushar Anand
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
Nilesh Sapariya
 
Wpa2 psk security measure
Wpa2 psk security measureWpa2 psk security measure
Wpa2 psk security measure
Shivam Singh
 

Recommended

WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
Napier University
 
WPA2
WPA2WPA2
WPA2
Mshari Alabdulkarim
 
WPA 3
WPA 3WPA 3
WPA 3
diggu22
 
Wpa3
Wpa3Wpa3
Wpa3
Bhavya Dashora
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2
Nzava Luwawa
 
Wireless security using wpa2
Wireless security using wpa2Wireless security using wpa2
Wireless security using wpa2
Tushar Anand
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
Nilesh Sapariya
 
Wpa2 psk security measure
Wpa2 psk security measureWpa2 psk security measure
Wpa2 psk security measure
Shivam Singh
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
Agris Ameriks
 
802.1x
802.1x802.1x
802.1x
akruthi k
 
WPA3 - What is it good for?
WPA3 - What is it good for?WPA3 - What is it good for?
WPA3 - What is it good for?
Tom Isaacson
 
Wi fi protected access
Wi fi protected accessWi fi protected access
Wi fi protected access
Lopamudra Das
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
Shahid Beheshti University
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
Chandrak Trivedi
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
Shital Kat
 
Switch security
Switch securitySwitch security
Switch security
nullowaspmumbai
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
n|u - The Open Security Community
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Dr Anjan Krishnamurthy
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
Peter R. Egli
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2
Fábio Afonso
 
configuration vpn-ipsec-routeur
configuration vpn-ipsec-routeur configuration vpn-ipsec-routeur
configuration vpn-ipsec-routeur
JULIOR MIKALA
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
Peter R. Egli
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
Muhammad Zia
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS Protocol
Netwax Lab
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
Huda Seyam
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
n|u - The Open Security Community
 
Wlan security
Wlan securityWlan security
Wlan security
Upasona Roy
 
802.11i
802.11i802.11i
802.11i
akruthi k
 
Parallel and distributed computing .pptx
Parallel and distributed computing .pptxParallel and distributed computing .pptx
Parallel and distributed computing .pptx
AmnaNadeem27
 

More Related Content

What's hot

Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2
Fábio Afonso
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
Peter R. Egli
 

What's hot (20)

Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
802.1x
802.1x802.1x
802.1x
 
WPA3 - What is it good for?
WPA3 - What is it good for?WPA3 - What is it good for?
WPA3 - What is it good for?
 
Wi fi protected access
Wi fi protected accessWi fi protected access
Wi fi protected access
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Switch security
Switch securitySwitch security
Switch security
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2
 
configuration vpn-ipsec-routeur
configuration vpn-ipsec-routeur configuration vpn-ipsec-routeur
configuration vpn-ipsec-routeur
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS Protocol
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
Wlan security
Wlan securityWlan security
Wlan security
 

Similar to KRACK attack

Wireless security837
Wireless security837Wireless security837
Wireless security837
mark scott
 
Wireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring ApplicationsWireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring Applications
cmstiernberg
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
Mohd Arif
 

Similar to KRACK attack (20)

802.11i
802.11i802.11i
802.11i
 
Parallel and distributed computing .pptx
Parallel and distributed computing .pptxParallel and distributed computing .pptx
Parallel and distributed computing .pptx
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
Cys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat BriefingCys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat Briefing
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.ppt
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
DTS Solution - Wireless Security Protocols / PenTesting
DTS Solution - Wireless Security Protocols / PenTesting DTS Solution - Wireless Security Protocols / PenTesting
DTS Solution - Wireless Security Protocols / PenTesting
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Understanding IT Network Security for Wireless and Wired Measurement Applicat...
Understanding IT Network Security for Wireless and Wired Measurement Applicat...Understanding IT Network Security for Wireless and Wired Measurement Applicat...
Understanding IT Network Security for Wireless and Wired Measurement Applicat...
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matter
 
Wireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring ApplicationsWireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring Applications
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
 
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
USENIX Security '15: All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP a...
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
Iuwne10 S04 L05
Iuwne10 S04 L05Iuwne10 S04 L05
Iuwne10 S04 L05
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
 
New Security Mechanisms for Network Time Synchronization Protocols
New Security Mechanisms for Network Time Synchronization ProtocolsNew Security Mechanisms for Network Time Synchronization Protocols
New Security Mechanisms for Network Time Synchronization Protocols
 
Client server computing in mobile environments part 2
Client server computing in mobile environments part 2Client server computing in mobile environments part 2
Client server computing in mobile environments part 2
 

Recently uploaded

Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
jaanualu31
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
chumtiyababu
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
Kamal Acharya
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
MayuraD1
 

Recently uploaded (20)

Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Wadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptxWadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptx
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLEGEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
 
kiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadkiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal load
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
 

KRACK attack

  • 1. KRACK attack (802.11i four- way handshake attack) Vadim Davydov 19/03/2018 1
  • 2. Presentation agenda • History of 802.11 security protocols family • 802.11i protocol • 4-way handshake • Techniques for confidentiality over 802.11i: TKIP, AES CCMP, AES GCMP • Key re-installation attack on 4 way handshake • Group key handshake • Group key handshake break • Countermeasures 2
  • 3. History of 802.11 security protocols family IEEE 802.11 is the set of standards that define communication for wireless local area networks (WLANs). The technology behind 802.11 is branded to consumers as Wi-Fi. 3
  • 4. History of 802.11 security protocols family • WEP (Wired Equivalent Privacy) is the first standard for Wi-Fi protection • WPA (Wi-Fi Protected Access) • WPA2 4
  • 5. Wireless security Encryption standard Fast facts How it works WEP First standard for Wi-Fi protection. Can be easily hacked due to its 24-bit initialization vector and weak authentication It uses RC4 stream cipher and 64- or 128-bit keys. Static master key must be manually entered into each device WPA Security protocol developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in WEP Also uses RC4 but longer IVs and 256- bit keys are added. Each client gets new keys with TKIP WPA2 WPA2 replaced WPA. It implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for CCMP, an AES- based encryption mode with strong security Replaces RC4 and TKIP with CCMP and AES algorithm for stronger authentication and encryption 5
  • 7. Used keys PMK (Pairwise Master Key) ▪ Derived from a pre-shared password in a personal network PTK (Pairwise Transient Key) ▪ Derived from PMK, ANonce, SNonce, MAC addresses of both KCK (Key Confirmation Key) – bits 0-127 of the PTK ▪ To protect handshake messages KEK (Key Encryption Key) – bits 128-255 of the PTK ▪ To protect handshake messages TK (Temporal Key) – bits 256- 383 of the PTK ▪ To protect normal data frames with a data- confidentiality protocol 7
  • 8. EAPOL • Header: which message in the handshake a particular EAPOL frame represents • Replay Counter: to detect replayed frames • Nonce: to transport random nonces to derive a fresh session key • RSC (Receive Sequence Counter): contains the starting packet number of group key • MIC (Message Integrity Check): the authenticity of the frame is protected using the KCK with a MIC • Key Data: has the group key itself, which is encrypted using KEK 8
  • 9. 802.11i. Confidentiality and Integrity Protocols TKIP (Temporal Key Integrity Protocol) CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) GCMP (Galios Counter Mode Protocol) 9
  • 10. 802.11i. Confidentiality and Integrity Protocols * The difference between WPA-CCMP and WPA-GCMP is that the second one also adds support for short-range communications in the 60 GHz band * 10
  • 11. 802.11i. Authentication • Authenticating the client as valid and having permission to access the network • Allows any client to authenticate • After this step, the client associates with the network 11
  • 12. 802.11i. 4-way Handshake • At the starting state, no keys are known, the MIC cannot be computed • Msg1: the authenticator uses this message only to send its value of ANonce to the supplicant • Msg2: After successful delivery of the first message, the supplicant generates its own value of SNonce 12
  • 13. 802.11i. 4-way Handshake • Msg3: • verifies to the supplicant that the authenticator knows the PMK and is thus a trusted party • it tells the supplicant that the authenticator is ready to install and start using the data encryption keys • it gives the supplicant the group key • Msg4: verifies to the authenticator that the keys are about to be installed 13
  • 14. The Group Key Handshake • Authenticator periodically refreshes GTK and initiates the handshake by sending the message to all clients in the group • Depending on the implementation, GTK can be installed after sending message 1 or after receiving responses from all clients • Since a PTK is installed, the complete EAPOL frame is protected using a data- confidentiality protocol 14
  • 15. 15
  • 16. Problem 4-way handshake Can be retransmitted if the AP didn’t receive a reply 16
  • 17. Why is it a critical moment? “If the Authenticator does not receive a reply to its messages, it shall attempt dottRSNAConfigPairwiseUpdateCount transmits of the message, plus a final timeout.” IEEE Std 802.11i. 2004. Amendment 6: Medium Access Control (MAC) Security Enhancements, § 8.5.3.5 4-Way Handshake implementation considerations 17
  • 18. Why is it a critical moment? 18 Retransmitting the message PTK will be reinstalled Nonce will be reused Due to the properties of the stream ciphers used in data-confidentiality protocols, reusing nonces leads to the ability of decryption
  • 19. Plaintext retransmission attack • Using Man-in-the-middle attack to manipulate messages • Blocking message 4 from arriving at the authenticator • The authenticator retransmits Msg3 due to he didn’t receive Msg4 19
  • 20. • Supplicant installs PTK & GTK • Authenticator sends Msg3 again which the adversary doesn’t block, and the supplicant reinstalls PTK & GTK • As a result, it resets the nonce and replay counter used by the data-confidentiality protocol 20
  • 21. Plaintext retransmission attack • Since the authenticator did not yet install the PTK, it will normally reject the encrypted Msg4 • BUT the authenticator may accept any replay counter that was used in the 4- way handshake • When the victim transmits its next data frame, the data-confidentiality protocol reuses nonces 21
  • 22. Group Key Handshake Break (Immediate Key installation) • The adversary blocks the response (group Msg2) from arriving at the AP 22
  • 23. Group Key Handshake Break • Authenticator retransmits a new group message 1 • Waiting until data frame is transmitted and forward a new group message to the supplicant • The group key is reinstalled 23
  • 24. Other attacks There are several attacks which depend on the using system and how the protocol 802.11i is implemented: ▪ Attacking 4-way handshake when the victim only accepts encrypted message 3 retransmission ▪ Attacking the Group Key Handshake with a delayed key installation 24
  • 25. Countermeasures • Check if the new key has already been installed and avoid repetition of the replay counters • Changing the data-confidentiality protocols 25
  • 26. References • Key reinstallation attacks. https://www.krackattacks.com/ • I. W. Group et al. Ieee standard for information technology– telecommunications and information exchange between systems–local and metropolitan area networks–specific requirements–part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications amendment 6: Wireless access in vehicular environments. IEEE Std, 802(11), 2010. • M. Vanhoef and F. Piessens. Key reinstallation attacks: Forcing nonce reuse in wpa2. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1313–1328. ACM, 2017. 26