key reinstallation attacks: breaking the wpa2 protocolintroduction 4 key reinstallation when...
TRANSCRIPT
![Page 1: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/1.jpg)
Key Reinstallation Attacks:
Breaking the WPA2 Protocol
Mathy Vanhoef — @vanhoefm
Black Hat Europe, 7 December 2017
![Page 2: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/2.jpg)
Introduction
2
PhD Defense, July 2016:
“You recommend WPA2 with AES,
but are you sure that’s secure?”
Seems so! No attacks in
14 years & proven secure.
![Page 3: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/3.jpg)
![Page 4: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/4.jpg)
Introduction
4
Key reinstallation when ic_set_key is called again?
![Page 5: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/5.jpg)
Overview
5
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 6: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/6.jpg)
Overview
6
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 7: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/7.jpg)
The 4-way handshake
Used to connect to any protected Wi-Fi network
› Provides mutual authentication
› Negotiates fresh PTK: pairwise temporal key
Appeared to be secure:
› No attacks in over a decade (apart from password guessing)
› Proven that negotiated key (PTK) is secret1
› And encryption protocol proven secure7
7
![Page 8: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/8.jpg)
4-way handshake (simplified)
8
PTK = Combine(shared secret,
ANonce, SNonce)
![Page 9: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/9.jpg)
4-way handshake (simplified)
9
PTK = Combine(shared secret,
ANonce, SNonce)
Attack isn’t about
ANonce or SNonce reuse
![Page 10: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/10.jpg)
4-way handshake (simplified)
10
![Page 11: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/11.jpg)
4-way handshake (simplified)
11
PTK is installed
![Page 12: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/12.jpg)
4-way handshake (simplified)
12
![Page 13: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/13.jpg)
Frame encryption (simplified)
13
Plaintext data
Nonce reuse implies keystream reuse (in all WPA2 ciphers)
Nonce
MixPTK(session key)
Nonce(packet number)
Packet key
![Page 14: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/14.jpg)
4-way handshake (simplified)
14
Installing PTK initializes
nonce to zero
![Page 15: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/15.jpg)
Channel 1
15
Reinstallation Attack
Channel 6
![Page 16: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/16.jpg)
16
Reinstallation Attack
![Page 17: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/17.jpg)
17
Reinstallation Attack
Block Msg4
![Page 18: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/18.jpg)
18
Reinstallation Attack
![Page 19: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/19.jpg)
19
Reinstallation Attack
![Page 20: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/20.jpg)
20
Reinstallation Attack
In practice Msg4
is sent encrypted
![Page 21: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/21.jpg)
21
Reinstallation Attack
![Page 22: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/22.jpg)
22
Reinstallation Attack
Key reinstallation!
nonce is reset
![Page 23: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/23.jpg)
23
Reinstallation Attack
![Page 24: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/24.jpg)
24
Reinstallation Attack
Same nonce
is used!
![Page 25: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/25.jpg)
25
Reinstallation Attack
Keystream
![Page 26: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/26.jpg)
26
Reinstallation Attack
Keystream
Decrypted!
![Page 27: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/27.jpg)
Key Reinstallation Attack
Other Wi-Fi handshakes also vulnerable:
› Group key handshake
› FT handshake
› TDLS PeerKey handshake
For details see our CCS’17 paper12:
› “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”
27
![Page 28: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/28.jpg)
Overview
28
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 29: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/29.jpg)
General impact
29
Receive replay counter reset
Replay frames towards victim
Transmit nonce reset
Decrypt frames sent by victim
![Page 30: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/30.jpg)
Cipher suite specific
AES-CCMP: No practical frame forging attacks
WPA-TKIP:
› Recover Message Integrity Check key from plaintext4,5
› Forge/inject frames sent by the device under attack
GCMP (WiGig):
› Recover GHASH authentication key from nonce reuse6
› Forge/inject frames in both directions
30
![Page 31: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/31.jpg)
Unicast
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
31
![Page 32: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/32.jpg)
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
› Can only replay broadcast frames to client
4-way handshake: client is attacked replay/decrypt/forge
FT handshake (fast roaming = 802.11r):
› Access Point is attacked replay/decrypt/forge
› No MitM required, can keep causing nonce resets
32
![Page 33: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/33.jpg)
Implementation specific
iOS 10 and Windows: 4-way handshake not affected
› Cannot decrypt unicast traffic (nor replay/decrypt)
› But group key handshake is affected (replay broadcast)
› Note: iOS 11 does have vulnerable 4-way handshake8
wpa_supplicant 2.4+
› Client used on Linux and Android 6.0+
› On retransmitted msg3 will install all-zero key
33
![Page 34: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/34.jpg)
34
Android (victim)
![Page 35: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/35.jpg)
35
![Page 36: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/36.jpg)
36
![Page 37: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/37.jpg)
37
![Page 38: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/38.jpg)
38
![Page 39: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/39.jpg)
39
![Page 40: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/40.jpg)
40
Now trivial to intercept and
manipulate client traffic
![Page 41: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/41.jpg)
Is your devices affected?
github.com/vanhoefm/krackattacks-scripts
41
› Tests clients and APs
› Works on Kali Linux
Remember to:
› Disable hardware encryption
› Use a supported Wi-Fi dongle!
![Page 42: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/42.jpg)
Countermeasures
Problem: many clients won’t get updates
Solution: AP can prevent (most) attacks on clients!
› Don’t retransmit message 3/4
› Don’t retransmit group message 1/2
However:
› Impact on reliability unclear
› Clients still vulnerable when connected to unmodified APs
42
![Page 43: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/43.jpg)
Overview
43
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 44: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/44.jpg)
Misconceptions I
Updating only the client or AP is sufficient
› Both vulnerable clients & vulnerable APs must apply patches
Need to be close to network and victim
› Can use special antenna from afar
Must be connected to network as attacker (i.e. have password)
› Only need to be nearby victim and network
44
![Page 45: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/45.jpg)
Misconceptions II
No useful data is transmitted after handshake
› Trigger new handshakes during TCP connection
Obtaining channel-based MitM is hard
› Nope, can use channel switch announcements
Attack complexity is hard
› Script only needs to be written once …
› … and some are (privately) doing this!
45
![Page 46: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/46.jpg)
Misconceptions III
Using (AES-)CCMP mitigates the attack
› Still allows decryption & replay of frames
Enterprise networks (802.1x) aren’t affected
› Also use 4-way handshake & are affected
It’s the end of the world!
› Let’s not get carried away
46
Image from “KRACK: Your Wi-Fi is no
longer secure” by Kaspersky
![Page 47: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/47.jpg)
Overview
47
Key reinstalls in
4-way handshake
Misconceptions
Lessons learnedPractical impact
![Page 48: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/48.jpg)
Limitations of formal proofs I
› 4-way handshake proven secure
› Encryption protocol proven secure
48
The combination was not proven secure!
![Page 49: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/49.jpg)
Limitations of formal proofs II
Were the proofs too abstract?
› They did not model retransmissions
› Abstract model ≠ real code
49
“In theory, theory and
practice are the same. In
practice, they are not.”
![Page 50: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/50.jpg)
Keep protocols simple I
The wpa_supplicant 2.6 case:
› Complex state machine & turned out to still be vulnerable
› Need formal verification of implementations
Discovered other vulnerabilities:
› Hostapd reuses ANonce during rekey
› $POPULAR_CLIENT reuses SNonce during rekey
› When combined, rekeying reinstalls the existing PTK
50
![Page 51: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/51.jpg)
Keep protocols simple II
Network Operations Division
Cryptographic Requirements9:
“Re-keying introduces unnecessary
complexity (and therefore opportunities
for bugs or other unexpected behavior)
without delivering value in return.”
51
Keep the protocol and code simple!
![Page 52: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/52.jpg)
Need rigorous specifications
Original WPA2 standard (802.11i amendment)
› State machine described in pseudo code
› Doesn’t define when messages are accepted
52
![Page 53: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/53.jpg)
Need rigorous specifications
Original WPA2 standard (802.11i amendment)
› State machine described in pseudo code
› Doesn’t define when messages are accepted
802.11r amendment (FT handshake)
› Better defines how/when to handle messages
› But some terms and cases still unclear
53
S1KH state machine
![Page 54: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/54.jpg)
On a related note…
Workshop on:
Security Protocol Implementations:
Development and Analysis (SPIDA)
Co-located with EuroS&P 2018
“focuses on improving development & analysis
of security protocol implementations”
54
![Page 55: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/55.jpg)
Questions?krackattacks.com
Thank you!
![Page 56: Key Reinstallation Attacks: Breaking the WPA2 ProtocolIntroduction 4 Key reinstallation when ic_set_key is called again? Overview 5 Key reinstalls in 4-way handshake Misconceptions](https://reader034.vdocument.in/reader034/viewer/2022050411/5f9faa9e7d64fb105c16af66/html5/thumbnails/56.jpg)
References
1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005.
2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008.
3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/
4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009.
5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013.
6. A. Joux. Authentication failures in NIST version of GCM. 2016.
7. J. Jonsson. On the security of CTR+ CBC-MAC. In SAC, 2002.
8. Apple. About the security content of iOS 11.1. November 3, 2017. Retrieved 26 November from https://support.apple.com/en-us/HT208222
9. US Central Intelligence Agency. Network Operations Division Cryptographic Requirements. Retrieved 5 December 2017 from https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
10. J. Salowey and E. Rescorla. TLS Renegotiation Vulnerability. Retrieved 5 December 2017 from https://www.ietf.org/proceedings/76/slides/tls-7.pdf
11. Bhargavan et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In IEEE S&P, 2014.
12. M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In CCS, 2017.
56