New KRACK Attack Against Wi-Fi Encryption
Mathy Vanhoef has just published a devastating attack against WPA2, the 14-year-old encryption protocol used by pretty much all Wi-Fi systems. It's an interesting attack, where the attacker forces the protocol to reuse a key. The authors call this attack KRACK, for Key Reinstallation Attacks.
This is yet another of a series of marketed attacks, with a cool name, a website, and a logo. The Q&A on the website answers a lot of questions about the attack and its implications. There's also lots of good information in this ArsTechnica article.
There is an academic paper, too:
"Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2," by Mathy Vanhoef and Frank Piessens.
Abstract: We introduce the key reinstallation attack. This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key's associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are affected by the attack. All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected.
Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.
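The mechanism the abstract describes, that installing a key resets the transmit packet number and the receive replay counter, is easy to see in a toy model. The following Python is an added illustration written for this post, not code from the paper or from any Wi-Fi stack: the handshake, the PTK derivation and the CCMP nonce are reduced to the state that matters, and the "hardened" branch (refusing to reinstall a key that is already in use) is an assumption about what a fixed client does, not the text of any vendor's patch. All key material and nonces are constructed.

```python
"""
Toy model of a supplicant's key-installation logic in the WPA2 4-way
handshake (added example, not from the paper or any Wi-Fi implementation).
Only one behaviour is modelled: installing a key resets the transmit packet
number (the CCMP nonce counter) and the receive replay counter, so a
retransmitted message 3 that triggers a reinstall makes the client encrypt
new frames under nonces it has already used.
"""
import hashlib
import hmac


class Supplicant:
    """Client side of the handshake; only the state that matters here."""

    def __init__(self, pmk: bytes, refuse_reinstall: bool):
        self.pmk = pmk                      # shared secret from PSK or 802.1X
        self.refuse_reinstall = refuse_reinstall
        self.ptk = None                     # negotiated pairwise key
        self.installed_ptk = None           # key currently loaded for encryption
        self.tx_pn = 0                      # CCMP packet number (nonce counter)
        self.rx_replay_counter = 0
        self.sent_nonces = []               # (key identity, packet number) per frame

    def handle_msg1(self, anonce: bytes, snonce: bytes) -> None:
        """Derive the PTK from the PMK and both nonces (simplified PRF)."""
        self.ptk = hmac.new(self.pmk, anonce + snonce, hashlib.sha256).digest()

    def handle_msg3(self) -> str:
        """Message 3 confirms the PTK. The AP retransmits it when message 4
        is lost, and that retransmission is where a reinstall can happen."""
        if self.ptk is None:
            raise RuntimeError("message 3 received before message 1")
        if self.refuse_reinstall and self.installed_ptk == self.ptk:
            # Hardened behaviour (assumed): the key is already in use, so
            # answer with message 4 but leave the key and its counters alone.
            return "msg4-no-reinstall"
        self._install_key(self.ptk)
        return "msg4"

    def _install_key(self, ptk: bytes) -> None:
        self.installed_ptk = ptk
        self.tx_pn = 0              # the reset the abstract describes
        self.rx_replay_counter = 0

    def send_frame(self, payload: bytes) -> tuple:
        """Encrypt one frame. A real CCMP nonce is priority || A2 || PN; the
        packet number is the only part that changes between frames."""
        if self.installed_ptk is None:
            raise RuntimeError("no key installed")
        self.tx_pn += 1
        nonce = (self.installed_ptk[:4].hex(), self.tx_pn)
        self.sent_nonces.append(nonce)
        return nonce


def simulate(refuse_reinstall: bool) -> list:
    """Run a handshake, send two frames, deliver a retransmitted message 3,
    send two more frames, and return every (key, nonce) pair that was used."""
    sup = Supplicant(pmk=b"constructed-pmk-for-demo", refuse_reinstall=refuse_reinstall)
    sup.handle_msg1(anonce=b"A" * 32, snonce=b"S" * 32)   # constructed nonces
    sup.handle_msg3()
    sup.send_frame(b"frame 1")
    sup.send_frame(b"frame 2")
    sup.handle_msg3()          # retransmitted message 3
    sup.send_frame(b"frame 3")
    sup.send_frame(b"frame 4")
    return sup.sent_nonces


def reused_nonces(nonces: list) -> list:
    """Nonces that appear more than once under the same key. On the receiving
    side, a packet number that fails to increase is the same signal, and is
    what replay detection keys on."""
    seen, dup = set(), []
    for n in nonces:
        if n in seen and n not in dup:
            dup.append(n)
        seen.add(n)
    return dup


if __name__ == "__main__":
    print("vulnerable client reuses:", reused_nonces(simulate(False)))
    print("hardened client reuses:  ", reused_nonces(simulate(True)))
```

Running it shows the unpatched model reusing packet numbers 1 and 2 under the same key after the retransmitted message 3, while the hardened model keeps counting 3, 4. The receiver-side check in `reused_nonces` is the same invariant a monitoring point can enforce: under one key, the packet number must only go up.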
I'm just reading about this now, and will post more information as I learn it.
EDITED TO ADD: More news.
EDITED TO ADD: This meets my definition of brilliant. The attack is blindingly obvious once it's pointed out, but for over a decade no one noticed it.
EDITED TO ADD: Matthew Green has a blog post on what went wrong. The vulnerability is in the interaction between two protocols. At a meta level, he blames the opaque IEEE standards process:
One of the problems with IEEE is that the standards are highly complex and get made via a closed-door process of private meetings. More importantly, even after the fact, they're hard for ordinary security researchers to access. Go ahead and google for the IETF TLS or IPSec specifications -- you'll find detailed protocol documentation at the top of your Google results. Now go try to Google for the 802.11i standards. I wish you luck.
The IEEE has been making a few small steps to ease this problem, but they're hyper-timid incrementalist bullshit. There's an IEEE program called GET that allows researchers to access certain standards (including 802.11) for free, but only after they've been public for six months -- coincidentally, about the same time it takes for vendors to bake them irrevocably into their hardware and software.
This whole process is dumb and -- in this specific case -- probably just cost industry tens of millions of dollars. It should stop.
Nicholas Weaver explains why most people shouldn't worry about this:
So unless your Wi-Fi password looks something like a cat's hairball (e.g. ":SNEIufeli7rc" -- which is not guessable with a few million tries by a computer), a local attacker had the capability to determine the password, decrypt all the traffic, and join the network before KRACK.
KRACK is, however, relevant for enterprise Wi-Fi networks: networks where you needed to accept a cryptographic certificate to join initially and have to provide both a username and password. KRACK represents a new vulnerability for these networks. Depending on some esoteric details, the attacker can decrypt encrypted traffic and, in some cases, inject traffic onto the network.
But in none of these cases can the attacker join the network completely. And the most significant of these attacks affects Linux devices and Android phones, they don't affect Macs, iPhones, or Windows systems. Even when feasible, these attacks require physical proximity: An attacker on the other side of the planet can't exploit KRACK, only an attacker in the parking lot can.
EDITED TO ADD (11/13): The official link to the paper blocks anonymous users. Here's an alternate.
Tags: academic papers, Android, cryptanalysis, encryption, keys, protocols, Wi-Fi
Posted on October 16, 2017 at 8:39 AM • 129 Comments
I thought this might be helpful in a thread on its own.
Implements the majority of IEEE 802.11i, but with different headers (so can operate both in same network). Designed to require only a firmware upgrade (full 802.11i usually requires hardware change).
As designed, WPA uses TKIP and Michael for message integrity, based on RC4 for encryption.
Pre-shared (personal) vs. Enterprise (RADIUS)
Defines the type of authentication used.
WPA (and WPA2) may operate in enterprise mode, using a RADIUS server to hold per-user keys. This allows individual access to be controlled in a large network. For a small network, e.g. home network, without a RADIUS server a pre-shared key (PSK) may be used. The same key is used by all clients, so may require more work to update.
TKIP vs. AES-based CCMP
Defines the algorithm used for message integrity and confidentiality.
WPA was designed to be used with TKIP (and WPA2 designed to use stronger AES-based).
However, some devices allow WPA (not WPA2) with AES (and WPA2 with TKIP).
AES is optional in WPA; in WPA2 AES is mandatory, but TKIP is optional.
Note that TKIP is not directly comparable to AES; TKIP is an integrity check, AES is an encryption algorithm.
In the context of wireless security this actually means TKIP vs. "AES-based CCMP" (not just AES).
TKIP is a lower end encryption protocol (WEP2) and AES is a higher end (WPA2/802.11i) encryption protocol. AES is preferred.
This is what the encryption standards are for WEP2 (TKIP) and WPA2/802.11i (AES). It will attempt to use AES if available and fall back to TKIP if not. This setting offers the most compatibility but won't guarantee a higher level of encryption if a device falls back to TKIP.
WPA2, aka 802.11i
Fully conforms with 802.11i as it implements all mandatory features.
Guarantees interoperability certification.
Effectively WPA2 is Wi-Fi Alliance's brand name for 802.11i.
Note: In some cases other optional features of 802.11i may be required, but interoperability may not be guaranteed.
Support for AES encryption and AES-based CCMP message integrity is mandatory (is optional in WPA).
As well as mandatory AES, WPA2 also adds PMK (Pair-wise Master Key) and Pre-authentication to help fast roaming.
Authentication options for 802.11i.
Two initial types - pre-shared key (personal) or RADIUS (enterprise), same as per WPA.
Additional types of enterprise authentication types now available (usually not relevant for home users).
WPA2 mandates AES-based CCMP for message integrity and confidentiality.
TKIP (weaker) is optional.
Mixed mode allows a device to try WPA2 first, and if that fails fall back to WPA.
WEP was supposed to provide confidentiality, but it has been found to be vulnerable and should no longer be used; it is often the default, and this should be changed.
Most devices that support WEP can be firmware/software upgraded to WPA.
Do not use unless some devices cannot be upgraded to support WPA.
WEP has been outdated for years and has better replacements. The 40-bit encryption is just not strong enough to keep data secure and can be broken rather easily. Newer encryption methods use stronger encryption and have yet to be broken, while WEP can be broken in a minute; use WPA where possible.
To keep things simple, the best options, in decreasing order of preference, may be:
WPA2 + AES
WPA + AES (only if all devices support it).
WPA + TKIP+AES (only if all devices can support it).
WPA + TKIP
Disabled (no security)
The most common two options will be WPA2 + AES and WPA + TKIP, because they match the mandatory requirements in the standards (WPA2 requires AES, WPA requires TKIP).
You can use WPA + AES for higher security than TKIP, but only if your devices support it (it is optional). For this reason it is not very common. You also do not get the improved roaming features of WPA2.
WPA + TKIP+AES provides a fallback in case AES is not supported by a device, in that it switches to the more common TKIP. The disadvantage is that it might switch to TKIP unexpectedly, but it is more backwards compatible if needed.
Currently TKIP has no known vulnerabilities, so for broadest compatibility stick with WPA + TKIP.
The remaining combination, WPA2 + TKIP, is possible (as TKIP is optional in WPA2), but doesn't make much sense because AES is more secure and mandatory for all WPA2 devices.
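The cipher combinations ranked in the comment above are what an access point advertises in the RSN information element of its beacons, so a client or an auditor can see from one element whether a network is AES-only or whether a TKIP fallback is possible. The following Python parser is an added example, not code from the comment or from any Wi-Fi tool; the element bodies are constructed, and the labels returned by `classify` follow the comment's preference order. It parses the RSN element (WPA2); the WPA (version 1) vendor-specific element has a similar layout but is not handled here.

```python
"""
Parse the RSN information element (IEEE 802.11, element ID 48) and map the
advertised ciphers onto the WPA2/AES vs. TKIP preference order discussed
above. Added example with constructed sample elements; not a real tool.
"""
import struct

# Suite selector OUI for the cipher and AKM types defined by IEEE 802.11
IEEE_OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {
    0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
    8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256",
}
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE"}
STRONG = {"CCMP-128", "CCMP-256", "GCMP-128", "GCMP-256"}


def _suite(sel: bytes, names: dict) -> str:
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    oui, typ = sel[:3], sel[3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}-{typ}"
    return names.get(typ, f"type-{typ}")


def parse_rsn_ie(body: bytes) -> dict:
    """Parse the body of an RSN element: the bytes after the ID and length
    octets. Fields are little-endian. Optional trailing fields (PMKID list,
    group management cipher) are ignored."""
    off = 0
    (version,) = struct.unpack_from("<H", body, off); off += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body[off:off + 4], CIPHER_NAMES); off += 4
    (n_pair,) = struct.unpack_from("<H", body, off); off += 2
    pairwise = []
    for _ in range(n_pair):
        pairwise.append(_suite(body[off:off + 4], CIPHER_NAMES)); off += 4
    (n_akm,) = struct.unpack_from("<H", body, off); off += 2
    akm = []
    for _ in range(n_akm):
        akm.append(_suite(body[off:off + 4], AKM_NAMES)); off += 4
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else None
    return {"group": group, "pairwise": pairwise, "akm": akm, "capabilities": caps}


def classify(info: dict) -> str:
    """Map the advertised ciphers onto the preference order in the comment."""
    ciphers = set(info["pairwise"]) | {info["group"]}
    ciphers.discard("use-group")
    if any(c.startswith("WEP") for c in ciphers):
        return "WEP present: do not use"
    if ciphers and ciphers <= STRONG:
        return "WPA2 + AES (CCMP/GCMP only)"
    if "TKIP" in ciphers and ciphers & STRONG:
        return "mixed: AES offered, TKIP fallback possible"
    if ciphers == {"TKIP"}:
        return "TKIP only"
    return "unrecognised cipher set"


# Constructed element bodies (element ID and length octets already stripped).
SAMPLES = {
    # version 1, group CCMP, 1 pairwise (CCMP), 1 AKM (PSK), capabilities 0
    "home-wpa2-aes": bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"),
    # group TKIP, pairwise CCMP + TKIP: the WPA/WPA2 "mixed mode" many routers offer
    "mixed-mode": bytes.fromhex("0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000"),
    # enterprise: CCMP with 802.1X (RADIUS-backed) authentication
    "enterprise-wpa2-aes": bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac01 0000"),
}


def audit(samples: dict) -> dict:
    """Classify every sample element; returns name -> label."""
    return {name: classify(parse_rsn_ie(body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{name:22s} {label}")
```

The "mixed-mode" sample is the case the comment warns about: the group cipher is TKIP even though CCMP is offered pairwise, so the weakest advertised cipher, not the strongest, sets the floor for what the network will accept.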