KRACK: Key Reinstallation AttaCK

History

• Discovered by Mathy Vanhoef early in 2017.

• Announced October 16, 2017.

• A group of ten independent security flaws in implementations of Wi-Fi communication.

  • CVE (Common Vulnerabilities and Exposures) numbers CVE-2017-13077 through CVE-2017-13088.

  • All but one affect Wi-Fi clients.

  • CVE-2017-13082 only affects the rare access points that implement 802.11r.

Properties of XOR (we'll write it as ⊕)

• ⊕ is associative and commutative.
• x ⊕ x = 0
• 0 ⊕ x = x
• if z = x ⊕ y, then z ⊕ x = x ⊕ y ⊕ x = x ⊕ x ⊕ y = 0 ⊕ y = y
• This property is used in RAID (Redundant Array of Independent Disks)
  • For instance, if x and y are data blocks on two disks, always keep z on a third disk as z = x ⊕ y (bitwise for the whole block).
  • If z fails, rebuild it.
  • If y fails, restore it as z ⊕ x.
  • If x fails, restore it as z ⊕ y.

Ciphers: block and stream

• block: AES (Advanced Encryption Standard), for instance, takes a key and a 128-bit plaintext and creates a 128-bit block of ciphertext.

• stream: uses XOR of a pad with the plaintext.
  • We'll call the plaintext P and the ciphertext C.
  • If the pad S is random (equal and independent probability 0/1), then C = P ⊕ S is also random.
  • An intruder who doesn't know S cannot get any information from C.

Wi-Fi WPA2 encryption

• The Wi-Fi client (the supplicant) uses a pseudo-random stream S as a pad, transmits C = S ⊕ P
• The Wi-Fi access point (the authenticator) uses the same stream S, and computes C ⊕ S = P, which it then transmits through the Internet via wires.
• If an intruder knows P, the intruder can derive S.
• If the supplicant re-uses S, then a new message is related to a previous one:
  • C1 = S ⊕ P1
  • C2 = S ⊕ P2 (same S)
• An intruder can then compute C1 ⊕ C2 = P1 ⊕ P2.
  
• If the intruder can guess P1 (it might be a standard start of a typical conversation, such as connection to a web server), then the intruder can read P2:
  • C1 ⊕ C2 ⊕ P1 = P2.
• So a supplicant must never re-use S. It is a one-time pad.

WPA2 (Wi-Fi Protected Access version 2) Protocol

• Designed in 2004, replacing WEP (Wired Equivalent Privacy, 1997, deprecated 2004 because it was fairly easy to crack.)

• S is generated (at both ends) by AES in counter mode:

  • Both ends agree on a Pairwise Transient Key (PTK: 64B) via EAPoL (Extensible Authentication Protocol Over Local-area network).

  • The PTK contains a Temporal Encryption Key (TEK: 16B).

  • The supplicant maintains a sequence number N (16B), starting at 0, incremented after each 128-bit block is used up.

  • The pad S is the AES encryption of the sequence number using the TEK as the key.

• Within a connection, only N keeps changing in the AES input.

• The supplicant must never reuse N during the course of a single conversation.

• The KRACK attack convinces the supplicant to reset N to 0.

Protocol (as seen from the supplicant)

• Establish a dialog (four messages, not important here)

• EAPoL: 4-way handshake, to agree on the PTK
  1. ← [nonce_A (32B random)]
  • Supplicant generates nonce_S (32B random), uses the two nonces, the MAC (media access control) address of both ends, and the PSK (pre-shared key) to compute the PTK.
    
  2. [nonce_S, message integrity code (MIC)] →
  • Authenticator computes the PTK.
  3. ← [ACK, GTK (irrelevant here), MIC]
  • Supplicant sets N to 0
  4. [ACK, MIC] →
  • Supplicant starts sending encrypted data messages, which the authenticator decrypts.
  • Intruders can't compute the PTK, so they cannot decrypt the traffic.

Man-in-the-middle setup

• The intruder uses a radio that advertises the same ESSID (network name: Extended Service Set IDentification) as the authenticator, but on a different band.
• The supplicant connects to the intruder, which then communicates with the authenticator.
• The intruder can
  • pass packets along unchanged (in either direction),
  • prevent packets from getting through,
  • replay packets.

KRACK: The attack

• The intruder blocks message 4 in the 4-way handshake.

• The authenticator resends message 3 after a delay (typically about 1 second).

• The supplicant resets N to 0 (bug!), resends message 4 (ACK).

• The supplicant continues to send encrypted data messages, but now it is re-using about 1 second of pad, which can cover a great number of messages.

• The intruder can repeatedly block message 4, causing multiple resets of the sequence number, leading to multiple messages encrypted with the same pad.

• If the intruder can guess one of those messages, it can derive a segment of S.
  • It can read all messages encrypted by that segment.
  • It can insert a message encrypted by that segment, leading to an insertion attack.
  • It can force the client into using an all-zero TEK (Linux, Android 6.0+)

In practice, the intruder's job is hard.

• It's not easy to interpose a man in the middle.

  • The intruder must fake the MAC address of the supplicant, on a different channel.
    • There are 14 channels in the 2.4GHz band, and about 20 in the 5GHz band.
    • Each country constrains allowable channels and power levels.

  • The intruder must be in close proximity to both the supplicant and the authenticator.

    • You are most likely safe in your home.
    • You are less safe at a business.
• The intruder must run the exploit when the supplicant is first connecting to the authenticator.
  • But the intruder might send a deauthenticate message to the supplicant.
  • That message causes the supplicant to discard the current connection and re-connect.

The fix

• When the supplicant gets a repeated message 3
  • It should not reset N.
  • It should again send message 4 (ACK).

• This fix requires upgraded software on all supplicants (laptops, smartphones, Roku devices, printers, Internet of Things (IoT) devices ...)

• The authenticator can mitigate the problem by reacting to a timeout for message 4 differently: send a deauthenticate message to the supplicant, forcing the entire protocol to restart.

Users should employ end-to-end encryption.

• For secure communication, don't depend on WPA2. Instead, only connect your browser to sites with HTTPS (HyperText Transfer Protocol: Secure)

  • Verify that in fact the connection uses HTTPS, because if the intruder can insert packets, the intruder can prevent HTTPS from working.
• Programs using Transport Layer Security (TLS) and or Secure Sockets Layer (SSL) protocols have end-to-end encryption.
  • The OpenSSL library provides these protocols, as well as general-purpose cryptographic algorithms.
  • The ssh program uses end-to-end encryption.
  • SSL is deprecated. TLS 1.2 is good; TLS 1.0 and 1.1 are not as good. Web browsers negotiate with web servers to agree on which encryption method to use.
    
  • The web server at https://www.cs.uky.edu accepts TLS 1.0, 1.1, and 1.2; it does not accept SSL.
    • Check out your server at https://www.ssllabs.com/ssltest/.
  • Firefox, Android 5.0+, Chrome, IE 11 all accept TLS 1.2.

Manufacturers are patching their software

• A Linux update was released October 16, 2017.

• Microsoft released updates October 10, 2017. Microsoft software is harder to attack for technical reasons.

• Apple began been rolling out updates around November 1, 2017 for iOS, macOS. Apple software is harder to attack for technical reasons.

• Android devices are particularly susceptible. Most have not been updated.

• Many devices have no easy way to apply updates.

• Your IoT toaster (yes, it exists) is vulnerable. Security is a big problem with the IoT.

Take-home messages

• Basic tenet of security: Your trust in an algorithm should be proportional to the length of time smart people have unsuccessfully tried to attack it.

• Flaws are often found in algorithms or their implementation. Luckily, updates usually fix those flaws.

• Users need to balance their need for security with ease of applying technology.

• Don't panic.