
I am investigating the KRACK attack based on the published paper and their YouTube video.

I largely understand the attacks proposed in the paper as they are, except for the completion of the handshakes on the Authenticator's side regarding the following 3 aspects. Sadly I could not work out how/why this is done based on the paper. I would greatly appreciate any hint or idea on any of these points :).

1) According to my understanding, their Android attack is the one shown in figure 5 of their paper. They claim that Android installed an All-Zero-Key when Msg3 is first delayed and then two versions of Msg3 are sent to the client.

  • Am I right that they can decrypt or replay just one frame? This is how their proposed attack looks in Fig. 5 and Fig. 6 for these cases. Would this be of any use if the All-Zero-Key bug were not in place?
  • When an All-Zero-Key is installed on the client's side at this moment, this would be sufficient. It should "encrypt" all data frames with the Zero-Key, but have the flags set showing that encryption is in place. I assume the client would also set a Key-ID matching the session key negotiated? However, this session key would be the "correct one" set on the authenticator's side. So why would any AP accept traffic that is not properly protected? In their YouTube video they explicitly enable packet forwarding, but I do not get how this should work given their assumption that they do not have network access themselves? The AP should reject all of these wrongly encrypted frames?

2) In Fig. 4 (and I assume they would do the same in Fig. 5 and 6?) stage 4 should finish the handshake on the authenticator's side. Is there any specific reason for transmitting Enc_ptk(Msg4(r+2)) at all, or why it is transmitted first? As only Msg4(r+1) is accepted, and this only works if old replay counters are accepted, I cannot figure out why this is done.

3) FT-Handshake in Fig. 9. I would think that on reception of the replayed ReassoResp at stage 3 received by the client, the client would also reinstall its PTK. Is there any reason why this was handled differently than in the 4-way handshake or did they forget to draw a box there? (I could not find a matching paragraph in the standard, but I might have overlooked something?)

Anders
Clanow

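To make the key-reinstall and replay-counter behaviour behind points 1 and 2 concrete, here is a small constructed Python model of a supplicant receiving a retransmitted Msg3; it is an added illustration, not code from the paper or from the question. It assumes a simplified state machine: a key (re)install resets the CCMP packet number (the per-frame nonce) to zero, the "zero_key" variant wipes the derived key material after the first install, and the "patched" variant refuses to reinstall a key that is already installed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ZERO_TK = bytes(16)  # all-zero temporal key
TK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key

@dataclass
class Supplicant:
    """Simplified model of a client's key-install state (constructed, not the paper's code)."""
    mode: str                            # "reinstall", "zero_key" or "patched"
    pending_tk: Optional[bytes] = None   # TK derived from the handshake, awaiting install
    tk: Optional[bytes] = None           # TK currently installed in the driver
    pn: int = 0                          # CCMP packet number, used as the per-frame nonce
    last_counter: int = -1               # highest EAPOL replay counter accepted so far

    def _install(self, key: bytes) -> None:
        self.tk = key
        self.pn = 0                      # a key (re)install resets the transmit nonce

    def receive_msg3(self, counter: int) -> bool:
        """Handle Msg3 of the 4-way handshake; return True if Msg4 would be sent."""
        if counter <= self.last_counter:
            return False                 # stale EAPOL replay counter: frame dropped
        self.last_counter = counter
        if self.mode == "patched" and self.tk is not None and self.tk == self.pending_tk:
            return True                  # mitigation: key already installed, do not reinstall
        self._install(self.pending_tk)
        if self.mode == "zero_key":
            self.pending_tk = ZERO_TK    # key material wiped from memory after first install
        return True

    def send_frame(self) -> Tuple[bytes, int]:
        """Return the (key, nonce) pair that would protect the next data frame."""
        assert self.tk is not None, "no key installed yet"
        nonce, self.pn = self.pn, self.pn + 1
        return self.tk, nonce

def run(mode: str) -> Tuple[Tuple[bytes, int], Tuple[bytes, int]]:
    """Scenario: Msg3(r+1) accepted, one data frame sent, then Msg3(r+2) retransmitted."""
    s = Supplicant(mode=mode, pending_tk=TK)
    s.receive_msg3(counter=1)            # first Msg3: key installed, pn = 0
    first = s.send_frame()               # data frame protected with (TK, nonce 0)
    s.receive_msg3(counter=2)            # retransmitted Msg3 with a fresh replay counter
    second = s.send_frame()
    return first, second
```

In the "reinstall" mode the second frame reuses (TK, nonce 0); in "zero_key" mode it is protected with the all-zero key, which is why the AP, still holding the correct PTK, cannot decrypt it; only the "patched" mode keeps the nonce moving forward.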