
I am not a cryptography expert, so please forgive this basic question. I am trying to understand how the flow of the KRACK attack takes place in order to better understand why the encryption protocol itself can be cracked.

Let's start from after step 3 of the 4-way WPA handshake:

  • The client has received message 3 and has installed the encryption key and sends message 4 to acknowledge that the encryption is now correctly set up, and it can begin transmitting packets.
  • Unbeknownst to the client the attacker has already stored a copy of message 3.
  • After transmitting a few packets the client receives message 3 again. Now it resets the nonce to the initial value and reinstalls the encryption key. It does not realize that it had already received message 3 before and everything was fine.
  • So now the keystream will literally repeat since it is using the same nonce twice, am I correct?

If the above flow is correct then I have a couple of questions:

  1. What can you do to attack the encryption protocol if two ciphertexts are generated from the exact same keystream?
  2. Correct me if I am wrong: in Linux, where the client is basically tricked into installing a zero-encryption key, this means the access point no longer verifies/cares what key the client is using to encrypt the messages after message 4 is received. I mean, shouldn't the AP have a way of verifying whether the message is actually encrypted using the PMK/PTK? Shouldn't the AP go like "wait, this message is not encrypted using the key we agreed on"? How does it work?

Please let me know if my intuition about the attack is correct or not.

ng.newbie

1 Answer


Intro note to make general reader understanding easier: you do not need to actually connect to the respective network. You just wait for someone to connect with a password (that's what the PSK stands for, pre-shared key). When they do, long before they access anything, a four-way handshake must happen. This checks that the password the user has provided is correct, and establishes the encrypted connection between the router and the user device. It is here that the attacker interferes - in the initial handshake between your device and the router - in a way that allows the attacker to gain the ability to decrypt the traffic you exchange over WiFi. This means sufficient access without even being on the network. Listening to the data exchange between user and access point is sufficient, while emitting attacker packets back to change things on the user device and the router.

The key reinstallation attack works exactly because retransmissions of message 3 are accepted, even when in the PTK-DONE state, which is a model flaw. That is why a reinstallation of the PTK can be forced. More precisely, a MitM is established between client and router. Then retransmissions of message 3 are triggered by preventing message 4 from arriving. As a result, retransmission of message 3 happens, which causes the router to reinstall an already-in-use PTK. In turn, this resets the nonce being used by the data-confidentiality protocol. Depending on which protocol is used, this allows an adversary to replay, decrypt, and/or forge packets.

The attacks do not practically breach the security properties, but highlight limitations of the models employed. The models do not specify when a key should be installed for usage by the data-confidentiality protocol. Therein lies the problem and the fix. That is why the specification of a protocol should be sufficiently precise and explicit. For example, the 802.11 standard is ambiguous as to which replay values should be accepted. Practically, it does not define when the negotiated session key should be installed. As a result, there was no guarantee that a session key is installed just once. A more precise model definition can prevent that.

Overmind
  • What could you do if the same keystream was repeated? What attacks does that open up? – ng.newbie Oct 24 '17 at 08:10
  • The only truly safe thing to do is fix the firmware, the way it acts on the initial message exchange. Big home-router manufacturers like Netgear already issued fixes, while operating systems offer patches to help with this issue (like CVE-2017-13080). – Overmind Oct 24 '17 at 08:29
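The following is an added example, not code from the question or the answer above. It models the flow the question walks through (message 3 arrives a second time, the client reinstalls the PTK and resets its packet number) and the consequence the answer describes (the nonce used by the data-confidentiality protocol is reset), and then shows what the eavesdropper in the question's first sub-question can do with two ciphertexts under one keystream. The keystream function is an assumption of the example: real CCMP uses AES in CTR mode with a nonce built from the sender address and the 48-bit packet number, and an HMAC over (nonce || block counter) is substituted here because the property that matters is the same, namely the same key with the same nonce produces the same keystream. The `Client` class, the `zero_key_on_reinstall` switch (modelling the Linux zero-key case the question mentions), and the sample HTTP frames are all constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. The PRF-based keystream is a
# stand-in for CCMP's AES-CTR keystream (assumption of this example); the
# Client class is a constructed model of the supplicant's key/nonce state.

KEY_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in CTR-style keystream: block i = PRF(key, nonce || i)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal supplicant state around message 3 of the 4-way handshake."""

    def __init__(self, ptk: bytes, patched: bool, zero_key_on_reinstall: bool = False):
        self.ptk = ptk
        self.patched = patched
        self.zero_key_on_reinstall = zero_key_on_reinstall
        self.key = None
        self.installed = False
        self.pn = 0  # CCMP packet number; it doubles as the nonce counter

    def receive_msg3(self) -> str:
        if self.installed and self.patched:
            # Fixed behaviour: reply with message 4 but leave the already
            # installed key and the packet number untouched.
            return "msg4"
        if self.installed and self.zero_key_on_reinstall:
            # Models the Linux case from the question: the reinstall puts an
            # all-zero key into the driver instead of the real PTK.
            self.key = bytes(KEY_LEN)
        else:
            self.key = self.ptk
        self.pn = 0  # the nonce reset the attack depends on
        self.installed = True
        return "msg4"

    def send(self, plaintext: bytes):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")  # 48-bit PN, sent in the clear
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def run_attack(patched: bool, zero_key: bool = False) -> dict:
    """Replay message 3 and report what a passive eavesdropper can recover."""
    client = Client(os.urandom(KEY_LEN), patched, zero_key)
    seen = {}  # nonce -> ciphertext captured under that nonce

    client.receive_msg3()  # genuine message 3: PTK installed, PN = 0
    # Constructed sample traffic. The attacker is assumed to know the first
    # plaintext (a predictable request); the second is what it wants to read.
    known_pt = b"GET /index.html HTTP/1.1\r\nHost: example\r\n"
    secret_pt = b"Cookie: session=9f1c2a7b; Host: example\r\n"

    nonce, ct = client.send(known_pt)
    seen[nonce] = ct

    client.receive_msg3()  # attacker replays the stored message 3

    nonce2, ct2 = client.send(secret_pt)
    result = {"nonce_reused": nonce2 in seen, "recovered": b""}
    if zero_key:
        # Attacker simply tries the all-zero key: no known plaintext needed.
        result["recovered"] = xor(ct2, keystream(bytes(KEY_LEN), nonce2, len(ct2)))
    elif result["nonce_reused"]:
        # Same key and nonce => same keystream, so C1 xor C2 = P1 xor P2,
        # and one known plaintext yields the other.
        result["recovered"] = xor(xor(seen[nonce2], ct2), known_pt)
    return result


if __name__ == "__main__":
    for patched, zero_key in ((False, False), (False, True), (True, False)):
        r = run_attack(patched, zero_key)
        print(f"patched={patched} zero_key={zero_key} "
              f"nonce_reused={r['nonce_reused']} recovered={r['recovered']!r}")
```

The unpatched run shows the two-time-pad problem directly: the eavesdropper never learns the PTK, yet XORing the two captured ciphertexts cancels the keystream and leaves `P1 xor P2`, so one guessable frame exposes the other. In the zero-key variant the attacker does not even need a known plaintext, because the keystream can be regenerated outright. In the patched run the second message 3 is answered but ignored for key purposes, the packet number keeps counting, and no nonce repeats.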