![Page 1: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2Title Slide – Project Presentation Author: Mathy Vanhoef Created Date: 11/1/2017 2:42:03 PM](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f30aa0919c01553cf524448/html5/thumbnails/1.jpg)
Key Reinstallation Attacks:
Forcing Nonce Reuse in WPA2
Mathy Vanhoef — @vanhoefm
CCS 2017, 1 October 2017
Overview
› Key reinstalls in 4-way handshake
› Practical impact
› Misconceptions
› Lessons learned
The 4-way handshake
Used to connect to any protected Wi-Fi network
Two main purposes:
› Mutual authentication
› Negotiate fresh PTK: pairwise temporal key
Appeared to be secure:
› No attacks in over a decade (apart from password guessing)
› Proven that negotiated key (PTK) is secret [1]
› And encryption protocol proven secure [7]
4-way handshake (simplified)
PTK = Combine(shared secret, ANonce, SNonce)
› Attack isn’t about ANonce or SNonce reuse
› PTK is installed
Frame encryption (simplified)
Diagram: Mix(PTK (session key), Nonce (packet number)) → Packet key, applied to Plaintext data; the Nonce travels with the frame
› Nonce reuse implies keystream reuse (in all WPA2 ciphers)
4-way handshake (simplified)
› Installing PTK initializes nonce to zero
Reinstallation Attack
Diagram labels: Channel 1, Channel 6
› Block Msg4
› In practice Msg4 is sent encrypted
› Key reinstallation! Nonce is reset
› Same nonce is used!
› Keystream
› Decrypted!
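The two points above (nonce reuse implies keystream reuse; a retransmitted message 3 reinstalls the key and resets the nonce), as an added example that is not code from the talk or from wpa_supplicant. A toy SHA-256 keystream stands in for the WPA2 ciphers, and the `Client` class, its `hardened` flag (skip reinstalling a key already in use) and the sample frames are assumptions constructed here.

```python
import hashlib

P1 = b"known plaintext: DHCP"   # constructed frame the observer can guess
P2 = b"secret application da"   # constructed frame sent after the reinstall

def keystream(ptk, pn, n):
    # Toy stand-in for a WPA2 cipher: output depends only on (PTK, packet number).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ptk + pn.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical supplicant; `hardened` is an assumed fix, not code from the talk."""
    def __init__(self, hardened):
        self.hardened, self.ptk, self.tx_pn = hardened, None, 0

    def on_msg3(self, ptk):
        if self.hardened and ptk == self.ptk:
            return                      # key already in use: keep the counter
        self.ptk, self.tx_pn = ptk, 0   # installing the PTK resets the nonce

    def send(self, plaintext):
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.ptk, self.tx_pn, len(plaintext)))

def run_session(hardened):
    ptk = hashlib.sha256(b"constructed secret|ANonce|SNonce").digest()
    client = Client(hardened)
    client.on_msg3(ptk)
    first = client.send(P1)
    client.on_msg3(ptk)                 # retransmitted msg3: msg4 never reached the AP
    return [first, client.send(P2)]

def nonce_reused(frames):
    # Monitoring check: the same packet number seen twice under one key.
    pns = [pn for pn, _ in frames]
    return len(pns) != len(set(pns))

def second_plaintext_exposed(frames):
    # With equal nonces, c1 XOR P1 is the keystream that also covers c2.
    (_, c1), (_, c2) = frames
    return xor(xor(c1, P1), c2) == P2

if __name__ == "__main__":
    for hardened in (False, True):
        frames = run_session(hardened)
        print(hardened, nonce_reused(frames), second_plaintext_exposed(frames))
```

With `hardened=False` both frames carry packet number 1 and the second plaintext falls out of the first; with `hardened=True` the counter keeps advancing and the check on repeated packet numbers stays quiet.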
General impact
Receive replay counter reset
› Replay frames towards victim
Transmit nonce reset
› Decrypt frames sent by victim
Cipher suite specific
AES-CCMP: No practical frame forging attacks
WPA-TKIP:
› Recover Message Integrity Check key from plaintext [4, 5]
› Forge/inject frames sent by the device under attack
GCMP (WiGig):
› Recover GHASH authentication key from nonce reuse [6]
› Forge/inject frames in both directions
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
› Can only replay broadcast frames to client
4-way handshake:
› Client is attacked → replay/decrypt/forge
FT handshake (fast roaming = 802.11r):
› Access Point is attacked → replay/decrypt/forge
› No MitM required, can keep causing nonce resets
Implementation specific
Windows and iOS: 4-way handshake not affected
› Cannot decrypt unicast traffic (nor replay/decrypt)
› But group key handshake is affected (replay broadcast)
wpa_supplicant 2.4+
› Client used on Linux and Android 6.0+
› On retransmitted msg3 will install all-zero key
Misconceptions I
Updating only the client or AP is sufficient
› Both vulnerable clients & vulnerable APs must apply patches
Need to be close to network and victim
› Can use special antenna from afar
No useful data is transmitted after handshake
› Trigger new handshakes during TCP connection
Misconceptions II
Obtaining channel-based MitM is hard
› Nope, can use channel switch announcements
Attack complexity is hard
› Script only needs to be written once …
› … and some are already doing this!
Limitations of formal proofs
› 4-way handshake proven secure
› Encryption protocol proven secure
The combination was not proven secure!
Model vs. implementation
Abstract model ≠ real code
› Must assure code matches specification
The wpa_supplicant 2.6 case
› Complex state machine & turned out to still be vulnerable
› Need formal verification of implementations
On a related note…
Workshop on:
Security Protocol Implementations:
Development and Analysis (SPIDA)
Co-located with EuroS&P 2018
“focuses on improving development & analysis
of security protocols implementations”
Questions?
krackattacks.com
Thank you!
References
1. C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A Modular Correctness Proof of IEEE 802.11i and TLS. In CCS, 2005.
2. S. Antakis, M. van Cuijk, and J. Stemmer. Wardriving - Building A Yagi Pringles Antenna. 2008.
3. M. Parkinson. Designer Cantenna. 2012. Retrieved 23 October 2017 from https://www.mattparkinson.eu/designer-cantenna/
4. E. and M. Beck. Practical attacks against WEP and WPA. In WiSec, 2009.
5. M. Vanhoef and F. Piessens. Practical verification of WPA-TKIP vulnerabilities. In ASIA CCS, 2013.
6. A. Joux. Authentication failures in NIST version of GCM. 2016.
7. J. Jonsson. On the security of CTR + CBC-MAC. In SAC, 2002.
Countermeasures
Problem: many clients won’t get updates
Solution: AP can prevent (most) attacks on clients!
› Don’t retransmit message 3/4
› Don’t retransmit group message 1/2
However:
› Impact on reliability unclear
› Clients still vulnerable when connected to unmodified APs
Handshake specific
Group key handshake:
› Client is attacked → replay broadcast frames to client
› Because client never sends real broadcast frames!
Unicast