Mathy Vanhoef
ABSTRACT
We introduce the key reinstallation attack. This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key's associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are affected by the attack. All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected. Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.
Supplemental Material
- IEEE Std 802.11. 2016. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Spec.Google Scholar
- IEEE Std 802.11ac. 2013. Amendment 4: Enhancements for Very High Throughput for Operation in Bands below 6 GHz.Google Scholar
- IEEE Std 802.11ad. 2012. Amendment 3: Enhancements for Very High Throughput in the 60 GHz Band.Google Scholar
- IEEE Std 802.11i. 2004. Amendment 6: Medium Access Control (MAC) Security Enhancements.Google Scholar
- IEEE Std 802.11r. 2008. Amendment 2: Fast Basic Service Set (BSS) Transition.Google Scholar
- Nadhem J AlFardan, Daniel J Bernstein, Kenneth G Paterson, Bertram Poettering, and Jacob CN Schuldt 2013. On the Security of RC4 in TLS.. In USENIX Security.Google Scholar
- Wi-Fi Alliance. 2010. Hotspot 2.0 (Release 2) Technical Specification v1.1.0.Google Scholar
- Apple 2017. Wi-Fi network roaming with 802.11k, 802.11r, and 802.11v on iOS. (2017). Retrieved May 19, 2017 from https://support.apple.com/en-us/HT202628Google Scholar
- N. Asokan, Valtteri Niemi, and Kaisa Nyberg. 2002. Man-in-the-Middle in Tunnelled Authentication Protocols. Cryptology ePrint Archive, Report 2002/163. (2002).Google Scholar
- Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J Alex Halderman, Viktor Dukhovni, et almbox. 2016. DROWN: breaking TLS using SSLv2. In USENIX Security.Google Scholar
- Sangeetha Bangolae, Carol Bell, and Emily Qi 2006. Performance study of fast BSS transition using IEEE 802.11 r Proceedings of the 2006 international conference on Wireless communications and mobile computing.Google Scholar
- Mihir Bellare and Phillip Rogaway 1993. Entity authentication and key distribution. In Annual International Cryptology Conference.Google Scholar
- Gal Beniamini. 2017. Over The Air: Exploiting Broadcom's Wi-Fi Stack. (2017). Retrieved May 19, 2017 from https://googleprojectzero.blogspot.be/2017/04/over-air-exploiting-broadcoms-wi-fi_4.htmlGoogle Scholar
- Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue 2015. A messy state of the union: Taming the composite state machines of TLS IEEE S&P.Google Scholar
- Karthikeyan Bhargavan and Gaëtan Leurent 2016. On the practical (in-) security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN. In CCS.Google Scholar
- Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, and Philipp Jovanovic 2016. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS USENIX WOOT.Google Scholar
- Nikita Borisov, Ian Goldberg, and David Wagner. 2001. Analysis of 802.11 Security, or Wired Equivalent Privacy Isn't Mac Crypto Workshop.Google Scholar
- Nikita Borisov, Ian Goldberg, and David Wagner. 2001. Intercepting mobile communications: the insecurity of 802.11 MobiCom.Google Scholar
- Sebastian Brenza, Andre Pawlowski, and Christina Pöpper. 2015. A practical investigation of identity theft vulnerabilities in eduroam WiSec.Google Scholar
- Laurent Butti and Julien Tinnes 2008. Discovering and exploiting 802.11 wireless driver vulnerabilities. Journal in Computer Virology Vol. 4, 1 (2008), 25--37. Google ScholarCross Ref
- Aldo Cassola, William Robertson, Engin Kirda, and Guevara Noubir 2013. A Practical, Targeted, and Stealthy Attack Against WPA Enterprise Authentication NDSS Symp.Google Scholar
- CERT/CC. 2017. Vulnerability Note VU#228519: WPA2 protocol vulnerabilities. (2017). http://www.kb.cert.org/vuls/id/228519Google Scholar
- Alessandro Cimatti, Edmund Clarke, Enrico Giunchiglia, Fausto Giunchiglia, Marco Pistore, Marco Roveri, Roberto Sebastiani, and Armando Tacchella 2002. Nusmv 2: An opensource tool for symbolic model checking International Conference on Computer Aided Verification. Springer.Google Scholar
- Cisco 2008. Wireless-G Exterior Access Point with Power Over Ethernet Business Series: User Guide. (2008). Retrieved May 17, 2017 from http://www.cisco.com/c/dam/en/us/td/docs/wireless/access_point/csbap/wap200e/administration/guide/WAP200E_V10_UG_C_web.pdfGoogle Scholar
- corbixgwelt. 2011. Timejacking & Bitcoin: The Global Time Agreement Puzzle. (2011). Retrieved May 13, 2017 from http://culubas.blogspot.be/2011/05/timejacking-bitcoin_802.htmlGoogle Scholar
- dd wrt 2017. QCA Wireless Settings: Key Renewal Interval. (2017). Retrieved May 17, 2017 from https://www.dd-wrt.com/wiki/index.php/QCA_wireless_settings#Key_Renewal_IntervalGoogle Scholar
- Joeri De Ruiter and Erik Poll 2015. Protocol state fuzzing of TLS implementations. USENIX Security.Google Scholar
- Morris Dworkin. 2007. Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) for confidentiality and authentication. In NIST Special Publication 800--38D.Google Scholar
- Niels Ferguson. 2005. Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005). Retrieved May 16, 2017 from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdfGoogle Scholar
- Scott Fluhrer, Itsik Mantin, and Adi Shamir. 2001. Weaknesses in the key scheduling algorithm of RC4 SAC.Google Scholar
- Pierre-Alain Fouque, Gwenaëlle Martinet, Frédéric Valette, and Sébastien Zimmer. 2008. On the Security of the CCM Encryption Mode and of a Slight Variant Applied Cryptography and Network Security.Google Scholar
- Google 2017. Codenames, Tags, and Build Numbers. (2017). Retrieved August 29, 2017 from https://source.android.com/source/build-numbersGoogle Scholar
- Google 2017. Dashboards: Platform Versions. (2 May 2017). Retrieved May 15, 2017 from https://developer.android.com/about/dashboards/index.htmlGoogle Scholar
- Google Git. 2017. wpa supplicant 8. (2017). Retrieved May 15, 2017 from https://android.googlesource.com/platform/external/wpa_supplicant_8/Google Scholar
- Shay Gueron and Vlad Krasnov 2014. The fragility of aes-gcm authentication algorithm. 11th International Conference on Information Technology: New Generations (ITNG). Google ScholarDigital Library
- Finn M. Halvorsen, Olav Haugen, Martin Eian, and Stig F. Mjølsnes 2009. An Improved Attack on TKIP. In NordSec. Google ScholarDigital Library
- B. Harris and R. Hunt. 1999. Review: TCP/IP security threats and attack methods. Computer Communications Vol. 22, 10 (1999), 885--897. Google ScholarDigital Library
- Changhua He and John C Mitchell 2004. Analysis of the 802.1 i mbox4-Way Handshake. In WiSe. ACM.Google Scholar
- Changhua He, Mukund Sundararajan, Anupam Datta, Ante Derek, and John C Mitchell 2005. A modular correctness proof of IEEE 802.11i and TLS CCS.Google Scholar
- Lieven Hollevoet. 2014. xAP and xPL Getting started. (2014). Retrieved August 29, 2017 from https://github.com/hollie/misterhouse/wiki/xAP-and-xPL--Getting-startedGoogle Scholar
- Yih-Chun Hu, Adrian Perrig, and David B Johnson. 2006. Wormhole attacks in wireless networks. IEEE journal on selected areas in communications (2006).Google Scholar
- Jakob Jonsson. 2002. On the security of CTR+ CBC-MAC. In SAC.Google Scholar
- Antoine Joux. 2006. Authentication failures in NIST version of GCM. Retrieved 8 May 2017 from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/Joux_comments.pdf (2006).Google Scholar
- J. Klein 2013. Becoming a time lord - implications of attacking time sources Shmoocon Firetalks.Google Scholar
- Eduardo Novella Lorente, Carlo Meijer, and Roel Verdult. 2015. Scrutinizing WPA2 password generating algorithms in wireless routers USENIX WOOT.Google Scholar
- Przemysław Macha'n and Jozef Wozniak 2013. On the fast BSS transition algorithms in the IEEE 802.11 r local area wireless networks. Telecommunication Systems (2013).Google Scholar
- Aanchal Malhotra, Isaac E Cohen, Erik Brakke, and Sharon Goldberg 2016. Attacking the Network Time Protocol. (2016).Google Scholar
- Aanchal Malhotra and Sharon Goldberg 2016. Attacking NTP's Authenticated Broadcast Mode. ACM SIGCOMM Computer Communication Review (2016).Google Scholar
- Jouni Malinen. 2015. 802.11e support? (2015). Retrieved May 17, 2017 from http://lists.shmoo.com/pipermail/hostap/2015-June/032952.htmlGoogle Scholar
- Jouni Malinen. 2015. Fix TK configuration to the driver in EAPOL-Key 3/4 retry case. Hostap commit textttad00d64e7d88. (1 Oct. 2015).Google Scholar
- David McGrew. 2013. IETF Internet Draft: Generation of Deterministic Initialization Vectors (IVs) and Nonces. (2013). Retrieved August 29, 2017 from https://tools.ietf.org/html/draft-mcgrew-iv-gen-03Google Scholar
- Microsoft. 2017. Fast Roaming with 802.11k, 802.11v, and 802.11r. (2017). Retrieved May 19, 2017 from https://docs.microsoft.com/en-us/windows-hardware/drivers/network/fast-roaming-with-802--11k--802--11v--and-802--11rGoogle Scholar
- D. Mills, J. Martin, J. Burbank, and W. Kasch. 2010. Network Time Protocol Version 4: Protocol and Algorithms Specification.Google Scholar
- David L Mills. 2011. Computer network time synchronization (bibinfoedition2 ed.). CRC Press.Google Scholar
- John Mitchell and Changhua He 2005. Security Analysis and Improvements for IEEE 802.11i NDSS.Google Scholar
- Kenneth G. Paterson. 2015. Countering Cryptographic Subversion. (2015). Retrieved May 16, 2017 from https://hyperelliptic.org/PSC/slides/paterson-PSC.pdfGoogle Scholar
- Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt 2014. Plaintext Recovery Attacks Against WPA/TKIP. In FSE.Google Scholar
- Grand View Research. 2017. Wireless Gigabit (WiGig) Market Size To Reach $7.42 Billion By 2024. (2017). Retrieved May 10, 2017 from http://www.grandviewresearch.com/press-release/global-wireless-gigabit-wigig-marketGoogle Scholar
- Pieter Robyns, Bram Bonné, Peter Quax, and Wim Lamotte 2014. Short paper: exploiting WPA2-enterprise vendor implementation weaknesses through challenge response oracles. In WiSec. Google ScholarDigital Library
- P. Rogaway and D. Wagner 2003. A Critique of CCM. Cryptology ePrint Archive, Report 2003/070. (2003).Google Scholar
- J. Selvi 2015. Breaking SSL using time synchronisation attacks. DEF CON Hacking Conference.Google Scholar
- Juraj Somorovsky. 2016. Systematic Fuzzing and Testing of TLS Libraries. CCS. Google ScholarDigital Library
- Robert Stacey, Adrian Stephens, Jesse Walker, Herbert Liondas, and Emily Qi 2010. Rekeying Protocol Fix. (2010). Retrieved August 19, 2017 from https://mentor.ieee.org/802.11/dcn/10/11--10-0313-01-000m-rekeying-protocol-fix.pptGoogle Scholar
- Robert Stacey, Adrian Stephens, Jesse Walker, Herbert Liondas, and Emily Qi 2010. Rekeying Protocol Fix Text. (2010). Retrieved August 19, 2017 from https://mentor.ieee.org/802.11/dcn/10/11--10-0314-00-000m-rekeying-protocol-fix-text.docGoogle Scholar
- Adam Stubblefield, John Ioannidis, Aviel D Rubin, et almbox. 2002. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP NDSS.Google Scholar
- Erik Tews and Martin Beck 2009. Practical attacks against WEP and WPA. In WiSec. Google ScholarDigital Library
- Yosuke Todo, Yuki Ozawa, Toshihiro Ohigashi, and Masakatu Morii 2012. Falsification Attacks against WPA-TKIP in a Realistic Environment. IEICE Transactions (2012).Google Scholar
- Mathy Vanhoef. 2017. Chromium Bug Tracker: WPA1/2 all-zero session key & key reinstallation attacks. (2017). Retrieved August 29, 2017 from https://bugs.chromium.org/p/chromium/issues/detail?id=743276Google Scholar
- Mathy Vanhoef and Frank Piessens 2013. Practical verification of WPA-TKIP vulnerabilities ASIA CCS. ACM, 427--436.Google Scholar
- Mathy Vanhoef and Frank Piessens 2014. Advanced mboxWi-Fi attacks using commodity hardware ACSAC.Google Scholar
- Mathy Vanhoef and Frank Piessens 2015. All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS USENIX Security.Google Scholar
- Mathy Vanhoef and Frank Piessens 2016. Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys USENIX Security.Google Scholar
- Stefan Viehböck. 2011. Brute forcing Wi-Fi protected setup. (2011). Retrieved May 9, 2017 from http://packetstorm.foofus.com/papers/wireless/viehboeck_wps.pdfGoogle Scholar
- Wi-Fi Alliance. 2015. Technical Note: Removal of TKIP from Wi-Fi Devices.Google Scholar
- Joshua Wright. 2003. Weaknesses in LEAP challenge/response. In DEF CON Hacking Conference.Google Scholar
- Erik Zenner. 2009. Nonce Generators and the Nonce Reset Problem. In International Conference on Information Security. endthebibliography Google ScholarDigital Library
Index Terms
- Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
Recommendations
Release the Kraken: New KRACKs in the 802.11 Standard
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications SecurityWe improve key reinstallation attacks (KRACKs) against 802.11 by generalizing known attacks, systematically analyzing all handshakes, bypassing 802.11's official countermeasure, auditing (flawed) patches, and enhancing attacks using implementation-...
Mitigating denial of service attacks: a tutorial
This tutorial describes what Denial of Service (DOS) attacks are. how they can be carried out in IP networks, and how one can defend against them. Distributed DoS (DDoS) attacks are included here as a subset of DoS attacks. A DoS attack has two phases: ...
Exploiting Race Condition for Wi-Fi Denial of Service Attacks
SIN 2020: 13th International Conference on Security of Information and NetworksWi-Fi is a wireless communication technology that has been around since the late nineties. Nowadays, it is the most adopted wireless technology in various IoT (Internet of Things) applications. Although Wi-Fi security has significantly improved ...
Comments