35

I'm sure that by now most InfoSec-lovers have heard about KRACK. If you haven't, check out this great explaination by a fellow StackExchanger.

It's a new attack on WPA2 which allows for decryption and forging of packets in certain (and certainly quite a lot of them) scenarios by abusing a flaw in the 4-way-handshake.

Reading the research paper, I still don't understand why this attack is possible. I understood how we may abuse retransmission of message 3 during a 4-way-handshake to force key reinstallation.

Why does key reinstallation (or more specifically a client nonce reset) allow for decryption or forging?

Ambo100
  • 105
  • 1
  • 5
FMaz
  • 472
  • 4
  • 14
  • 1
    For some discussion of how nonce reuse in a stream cipher allows for confidentiality breaks, see: https://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-two-time-pad-i-e-one-time-pad-with-key-reuse – Luis Casillas Oct 16 '17 at 23:21

1 Answers1

20

This is because of being able to figure out the keystream for a given key and nonce when you can get both to be reused and the stream contains predictable information.

In many ciphers, a key is used to produce a series of ones and zeros that are xor'd with the data to produce an encrypted value. This string of ones and zeros is known as the keystream. If you are able to reuse a nonce and the keystream isn't altered based on the content of previous plaintext blocks, then you can look for known packets to appear in the content. When these known packets occur, you will see a predictable pattern occur and will be able to determine that you know that portion of the keystream.

By repeating the process, you eventually can gain more and more knowledge of the keystream and can then read or manipulate anything found on a known portion of the keystream. RC4 is EXTREMELY vulnerable to nonce reuse as it is a pure xor'd keystream. Similarly CTR modes of AES will be extremely susceptible. AES CBC-MAC will be a bit less impacted, however doing constant key resetting could potentially bypass the chaining due to always using the same set of initial blocks, so some information leakage would potentially still be possible, especially for the attacker faking a new client where racing will not be a factor.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • I still don't get it. If you use AES-CBC, each plaintext block is encrypted with the same AES session key(presumably part of the PTK). Imho it's a blockwise plain text attack against AES. If I'm not right, could you elaborate _exactly_ how the WPA2 AES CBC mode is vulnerable (with KRACK and nonce-reset)? thank you. – user1931751 Oct 17 '17 at 14:00
  • 1
    @user1931751 - the session key is not leaked, only the keystream. This is a replay attack. The attacker tells the client to reset the key it is using to a previously provided value. It has no idea what key it is asking it to use, just that it knows it will use the same key and nonce. Knowing a keystream doesn't help you determine the key that was used to make the keystream, otherwise knowing the plaintext of one message would allow you to determine the key and nonce's would be worthless. Since CBC will only have a matching keystream for the first block, it provides limited protection. – AJ Henderson Oct 17 '17 at 14:07
  • I got your point with gaining more and more bits of the key stream by plain text un-xor-ing. Looking at https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29, where does the key _stream_ come in? Could you cite the source where this affects _WPA2 AES CBC_? Thank you. – user1931751 Oct 17 '17 at 14:10
  • @user1931751 I'm not sure exactly what you are asking at this point. Would you possibly be able to hop in [chat](https://chat.stackexchange.com/rooms/151/the-dmz). – AJ Henderson Oct 17 '17 at 14:12
  • Sorry if this is obvious but, if you use HTTPS, won't the attacker just decrypt data that is already encrypted? – Silencer310 Oct 17 '17 at 16:36
  • @Silencer310 - yes, HTTPS/VPN/etc will protect you if you are using them properly, but the wireless network encryption won't be providing protection and there are other attacks that can be attempted such as striping SSL and such that can be done when the local network is compromised. You CAN operate safely on an unencrypted wireless network, but it's a lot more work on you as the user. – AJ Henderson Oct 17 '17 at 16:47