

Comprehensive analysis report on the WPA2 vulnerability of the wireless network (Wi-Fi) protection protocol standard

Posted by patinella at 2020-04-15

Author: Antan safety research and emergency response center

1 Overview

Mathy Vanhoef, a postdoctoral security researcher at the University of Leuven in Europe, disclosed on October 15 a high-risk vulnerability in WPA2, a wireless network (Wi-Fi) protection protocol standard [1,2]. The vulnerability allows an attacker within Wi-Fi range to eavesdrop on Wi-Fi traffic between a computer and the access point. It lies in the protocol itself and applies to both WPA and WPA2, so any software or hardware that supports the WPA/WPA2 protocol is affected.

After the disclosure of the vulnerability, Antan and the stone smelting engineer responded quickly, carried out a joint analysis of the vulnerability, and formed this report.

2 Vulnerability analysis

WPA stands for Wi-Fi Protected Access and comes in two standards, WPA and WPA2. It is a protocol for protecting the security of wireless (Wi-Fi) networks [3]. WPA implements most of the IEEE 802.11i standard; it was a transitional scheme that replaced WEP before 802.11i was complete, and was later replaced by WPA2. Because both WPA and WPA2 are based on 802.11i, they are almost identical at the technical level. The main difference is that WPA2 requires support for the more secure CCMP. Both WPA and WPA2 use the four-way handshake defined in 802.11i. The client (STA) and the access point (AP) use the four-way handshake to authenticate each other and to negotiate a session key called the Pairwise Transient Key (PTK). The PTK is derived from the Pairwise Master Key (PMK), the AP's random number ANonce, the STA's random number SNonce, and the MAC addresses of both parties. The PMK is derived from information known to both parties, such as the login password. The Temporal Key (TK) used for subsequent normal data encryption is derived from the PTK. The relationship between the keys and parameters is shown in the figure below.

The four-way handshake can be summarized as follows:

Vanhoef named the disclosed vulnerability KRACK (Key Reinstallation Attack). From within Wi-Fi range, the attacker uses a man-in-the-middle position to attack the third stage of the WPA/WPA2 four-way handshake. At this point the victim has already installed the key. By replaying the handshake message through the man-in-the-middle position, the attacker forces the victim to encrypt data with key stream that was already used before the attack. Since WPA/WPA2 uses symmetric encryption, a reused key stream can be recovered from a simple known plaintext/ciphertext pair. Once the attacker has the key stream, he can decrypt the Wi-Fi traffic.

2.1 Exploitation principle

The core of the exploit is key reinstallation, which builds on the four-way handshake used to establish a connection in WPA/WPA2. During the four-way handshake, the AP and the client negotiate an encryption key for the data that follows. After receiving the third handshake message (message 3) from the AP, the client verifies the MIC. If it is correct, the client installs the encryption key for encrypting normal data frames and sends a response to the AP as confirmation. According to the protocol rules, if the AP does not receive the confirmation correctly, it retransmits message 3. Each time the client receives message 3, it reinstalls the same session key. The attacker can exploit this by replaying message 3, which forces a reset of the incremental transmit packet number (nonce) and the receive replay counter used by the data confidentiality protocol, leading to key reuse. In this way, attackers can replay, decrypt, and/or forge packets.

KRACK attacks can be divided into four scenarios:

Figure 2-3 shows the attack flow in which an attacker decrypts a ciphertext packet. If the attacker knows the plaintext of the first encrypted packet sent, he can recover the key stream used to encrypt it. Because the design of the four-way handshake allows the PTK and GTK to be reinstalled when message 3 is retransmitted, and the nonce of the next packet to be sent is reset, the client encrypts the next packet with the same key stream, so the attacker can decrypt the next encrypted packet sent by the client.

The decryption process above assumes that the attacker knows the plaintext of the first packet. However, the attacker sometimes cannot predict every field value in the packet (such as possible random fields), so he may need to retransmit message 3 multiple times to collect more data for decryption. Figure 2-3 only shows the recovery of one ciphertext packet, but the attacker can decrypt multiple packets by retransmitting several times and choosing the retransmission time carefully (waiting for the client to send enough data before retransmitting), or even by deauthenticating the client to force it to run the four-way handshake again.

Because wpa_supplicant versions 2.4 and 2.5 (Android 6 and above) handle a retransmitted message 3 incorrectly, the data encryption key TK is set to all zeros after the client receives the retransmitted message 3 from the attacker. This error greatly simplifies the ciphertext recovery attack. Knowing that the data encryption key is all zeros, the attacker can decrypt the subsequent packets sent by the client without needing any known plaintext. Given this, once the attacker has forced the client to use the all-zero key through a man-in-the-middle attack, he can hijack the client's traffic and monitor and tamper with all the data the client sends.

2.2 Cryptographic analysis of nonce reuse in the KRACK attack

The consequences of nonce reuse depend closely on the data confidentiality protocol in use. The data encryption algorithms used in TKIP, CCMP and GCMP are, respectively, the stream cipher RC4, the authenticated encryption algorithm AES-CCM and the authenticated encryption algorithm AES-GCM. The encryption part of AES-CCM and AES-GCM is based on CTR mode. TKIP, CCMP and GCMP therefore all use stream encryption: the plaintext is XORed bit by bit with the key stream generated by the algorithm to produce the ciphertext. The problem with stream encryption is that, for a fixed key, reusing a nonce always generates the same key stream. This property can be used to decrypt packets.

The figure above shows the process of encrypting a plaintext message with key K and counter CTR in CTR mode, together with the block length (128 bits for AES; the length of the plaintext message is not necessarily an integer multiple of the block length). Note that the figure omits some details of how CTR mode is applied for encryption in CCM and GCM modes. When used correctly, the counter CTR value increases continuously (values are never repeated!), and under the algorithm and key a key stream with strong pseudo-random properties is generated, which yields the corresponding ciphertext. The RC4-based encryption in TKIP is similar and is not repeated here.

In the KRACK attack, replaying message 3 forces the victim to reuse a nonce, so the same counter CTR value is repeated in the encryption process above. With the same key and the same counter CTR, the generated key stream is identical, and the attacker can decrypt packets accordingly. Let KeyStream denote the key stream and let P1 and P2 be two plaintexts. Assuming that KeyStream, P1 and P2 have the same bit length, the ciphertexts corresponding to the two plaintexts are:

C1 = P1 ^ KeyStream
C2 = P2 ^ KeyStream

where ^ denotes the bitwise exclusive-OR (XOR) operation. The attacker can collect ciphertexts C1 and C2 from the network. If the attacker knows the plaintext P1 corresponding to ciphertext C1, the plaintext P2 can be recovered:

P2 = C2 ^ KeyStream = C2 ^ (P1 ^ C1)

In practice, packets with known contents can be found, so encrypted packets produced by reusing a nonce under a fixed key can be considered decryptable by the process above. Even if no packet with known contents is available, it may still be possible to decrypt and recover the plaintext when enough is known about the message type (for example, that the message consists of English characters). It is worth noting that although nonce reuse allows ciphertext packets to be decrypted, it does not disclose the keys TK, PTK or PMK, or the Wi-Fi login password. WPA2's cryptosystem is therefore only bypassed, not broken. The security of AES ensures that the encryption key K is not revealed even when both input and output are known.
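The following added example (not from the original report) ties together the message 3 replay from section 2.1 and the XOR relations above: a client model that resets its nonce on key reinstallation next to one that installs a given TK only once. The `Client` class, the sample packets and the HMAC-SHA256 key stream standing in for AES-CTR are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(tk: bytes, pn: int, length: int) -> bytes:
    # Stand-in for AES-CTR (assumption): HMAC-SHA256(tk, nonce || block counter).
    out, block = b"", 0
    while len(out) < length:
        ctr = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical supplicant model; `patched` enables the install-once check."""
    def __init__(self, patched: bool):
        self.patched, self.tk, self.pn = patched, None, 0

    def on_message3(self, tk: bytes) -> bool:
        if self.patched and self.tk == tk:
            return False              # TK already installed: ignore the replay
        self.tk, self.pn = tk, 0      # (re)installing the key resets the nonce
        return True

    def send(self, plaintext: bytes):
        self.pn += 1                  # nonce must never repeat under one TK
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def run(patched: bool) -> dict:
    tk = bytes(range(16))                     # constructed TK
    p1 = b"GET /known HTTP/1.1\r\n"           # constructed, known to the observer
    p2 = b"secret=hunter2-token!"             # constructed, unknown to the observer
    client = Client(patched)
    client.on_message3(tk)
    pn1, c1 = client.send(p1)
    reinstalled = client.on_message3(tk)      # retransmitted message 3
    pn2, c2 = client.send(p2)
    recovered = xor(c2, xor(p1, c1))          # P2 = C2 ^ (P1 ^ C1)
    return {"reinstalled": reinstalled, "nonce_reused": pn1 == pn2,
            "p2_recovered": recovered == p2}

if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("patched:   ", run(True))
```

In the patched run the second packet is sent under a fresh nonce, so XORing the two ciphertexts with the known plaintext no longer yields P2.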

TKIP, CCMP and GCMP provide data integrity protection in addition to data confidentiality. Nonce reuse brings different levels of risk to data integrity protection depending on which data encryption protocol is in use.

With TKIP, after decrypting a complete TKIP packet (including the MIC field), the attacker can go on to attack the Michael algorithm and obtain the corresponding MIC key. This is due to a weakness in the Michael algorithm itself: given the plaintext data and the MIC value, the attacker can recover the MIC key. With the recovered MIC key, the attacker can forge data frames in that direction of transmission (TKIP uses a different MIC key for each direction of transmission).

With CCMP, although some research shows that data forgery is possible when a nonce is reused, these are all theoretical attacks that are difficult to turn into real forged packets in practice; only replay attacks and packet decryption can be performed.

With GCMP, the security problem caused by nonce reuse is the most serious. Nonce reuse allows attackers to recover the authentication key (H) of GCM mode. Because GCMP uses the same key to protect data in both directions of transmission, this gives attackers the ability to forge packets in both directions. As an authenticated encryption mode, GCM is composed of the CTR encryption algorithm and the GHASH authentication algorithm. In the CTR part, the key K passed to GCM is used directly for encryption, and the authentication subkey H required by GHASH is the 128-bit ciphertext obtained by using AES with key K to encrypt a 128-bit all-zero plaintext block. The French cryptologist Joux pointed out that when a nonce is reused, the attacker can recover the value of the authentication subkey H (note that the input key of GCM cannot be computed from the value of H, which is guaranteed by the security of AES itself). Once the attacker has the value of H, the data integrity protection provided by GCMP exists in name only, so the attacker can forge packets.

In general, for TKIP and GCMP the impact of the KRACK attack is extremely serious: attackers can replay, decrypt and forge packets. For CCMP, although the attacker cannot forge packets, the characteristics of TCP/IP mean that as long as the attacker can obtain the sequence number, he can hijack the TCP stream and inject malicious data into it, so the consequences are also very serious.

3 Vulnerability impact and response

Through this vulnerability, an attacker can decrypt Wi-Fi traffic, reassemble data packets, hijack TCP connections, inject HTTP content, and so on. The KRACK attack is generic and applies to all types of devices that connect to or use a WPA/WPA2 Wi-Fi network. It is valid for personal and enterprise networks and for any cipher suite in use (WPA-TKIP, AES-CCMP and GCMP), and it affects Android, iOS, Windows, Linux, macOS, OpenBSD, and embedded and Internet of Things (IoT) devices. In particular, for Android 6 and above, the researchers said that they could carry out a "perfect attack" against wpa_supplicant, the client of the Android 6 system, and that the attack technique is easy to implement. According to Antian mobile security statistics, Android 6 accounts for about 41.9% of Android devices.

Because of the large impact and wide scope of this vulnerability, vendors have responded or released patches. The responses of some vendors are shown in the table below:

Note: if the link in the table cannot be opened, it can be obtained from reference 4.

We analyzed the eight patches for Linux listed in the table; the working principle of each patch is described below.



During the handshake, the TK must not be reinstalled into the driver, to prevent the key reinstallation attack.

In addition, the TK can be installed only when it is confirmed as not installed, and repeated installation is not allowed (configuration may succeed once and only once).



Track the GTK and IGTK currently in use. When a (possibly retransmitted) first handshake phase message or WNM Sleep Mode response is received, the new key is not installed if the key is already in use. This prevents the attacker from tricking the client into resetting or changing the sequence counter associated with the group key.

When installing the IGTK:

WNM Sleep Mode response:



This patch tracks the last configured GTK/IGTK values separately for EAPOL-Key frames and WNM Sleep Mode frames, because when the GTK/IGTK changes through these two different mechanisms, tracking a single value is not enough to detect a possible key reconfiguration in time.

Record the GTK in two modes:

Record the IGTK in two modes:



Track whether the PTK has been installed to the driver and the TK portion has been cleared from memory. This prevents the attacker from tricking the client into installing the all-zero TK.



The authorization state machine used for PTK rekeying bypasses the AUTHENTICATION2 state when generating random numbers and enters the PTKSTART state directly, because the PMK does not need to be confirmed again at that point. This may cause the random numbers not to be "random", or cause other problems.

To solve this problem, a new ANonce is generated when switching to the PTKSTART state.



Once the TPK-TK has been configured successfully, configuring the same parameters to the driver again is forbidden.



If WNM Sleep Mode is not in use, the corresponding WNM Sleep Mode request is ignored. This avoids processing unexpected retransmitted frames.



The driver raises a connection event only when the client explicitly requests a new connection. However, reconfiguring the same pairwise key or group key causes nonce reuse. Additional checks are therefore needed to guard against malicious attacks, and also against retransmitted packets received accidentally because of environmental factors.

4 Conclusion

The KRACK vulnerability mainly concerns the four-way handshake of WPA/WPA2. Rather than exploiting the AP, it targets the client. As a result, the user's router may not need to be updated. Ordinary home users should pay more attention to the security announcements of each terminal device manufacturer, apply configuration updates or patches promptly, and give priority to updating clients such as laptops and smartphones.

Exploiting the vulnerability does not break the cryptosystem itself but attacks the implementation process, so it can bypass essentially all security monitoring devices. Using this vulnerability, an attacker can open an attack surface through a well-implemented Wi-Fi deployment in a well-implemented network environment and pave the way for subsequent attacks.

At present, most home and commercial wireless clients using WPA2 are relatively easy to upgrade, but the vulnerability may have a huge impact on the millions of IoT wireless devices that are difficult to update in time. Please be vigilant. We will continue to follow relevant events and respond to them actively.

Appendix: References

This article was published by seebug paper. If you need to reprint it, please indicate the source. Address: https://paper.seebug.org/420/