Key Reinstallation Attacks (KRACK) on the 14-Year-Old WPA2 Encryption Protocol

The authors examine the security of the 14-year-old WPA2 protocol and present an attack against it. WPA2 (the certified form of IEEE 802.11i) ensures the integrity and confidentiality of data transferred over Wi-Fi. It supports three data-confidentiality protocols: TKIP, CCMP and GCMP. CCMP is by far the most common; it encrypts and authenticates Wi-Fi frames so that nobody can read or tamper with them. All three behave as stream ciphers (TKIP uses RC4, CCMP and GCMP run AES in counter mode), so encrypting two frames under the same key and the same nonce produces the same keystream, which lets an attacker decrypt one frame from the other. Reuse of any nonce under a given key must therefore be prevented.
Figure: CCMP encryption

Suppose two frames are encrypted with this scheme, where KS(i) is the keystream derived from the session key and the packet number (PN) of frame i:
E(1) = KS(1) XOR P(1)
E(2) = KS(2) XOR P(2)
Within a session the key is fixed and only the PN varies, so if a PN is reused then KS(1) = KS(2). XORing the two ciphertexts cancels the keystream:
E(1) XOR E(2) = P(1) XOR P(2)
(since KS(1) XOR KS(2) = 0 when KS(1) = KS(2))
An attacker who captures two frames encrypted under the same packet number can therefore mount a known-plaintext attack: if the plaintext of one frame is known or guessable (protocol headers, for example), the plaintext of the other follows by XOR. Forcing the keystream to be reused is the critical step of the attack.
The authors show how to create scenarios in which packet-number nonces are reused. When a supplicant (client) connects to an access point (AP), authentication is followed by a 4-way handshake that negotiates fresh session keys.
Figure: 4-way handshake (left: supplicant, right: AP)

Four keys are involved in the 4-way handshake:
PMK (Pairwise Master Key): derived independently by the AP and the supplicant after authentication (from the pre-shared password, or from 802.1X).
PTK (Pairwise Transient Key): PTK = f(PMK, ANonce, SNonce, AP MAC address, supplicant MAC address). It protects unicast traffic between AP and supplicant.
GTK (Group Temporal Key): generated by the AP and transported to the supplicant. It protects broadcast and multicast traffic.
IGTK (Integrity Group Temporal Key): generated by the AP and transported to the supplicant. It protects broadcast management frames.

After sending Msg4, the supplicant installs the PTK and GTK and resets its transmit packet number (and its receive replay counter) to zero. After receiving Msg4, the AP installs the PTK and resets its counters as well. The key-reinstallation point is now easy to spot. The authors introduce a man-in-the-middle adversary who blocks Msg4 from reaching the AP and records the data frames the supplicant sends afterwards. Because the AP never sees Msg4, it retransmits Msg3. When the supplicant receives the retransmitted Msg3, it reinstalls the PTK and GTK it is already using and resets the packet number again. Every frame the supplicant sent between the first Msg4 and the retransmitted Msg3 therefore shares its keystream with the frames it sends next, which enables the keystream-reuse attack described above.
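The following is an added example, not code from the paper or from any Wi-Fi stack. It ties the XOR derivation above to the handshake walkthrough: a toy supplicant installs the PTK on Msg3 and resets its packet number, a man-in-the-middle drops Msg4 so that Msg3 is retransmitted, and a passive attacker recovers a frame sent after the reinstallation from a frame with the same packet number whose plaintext is known. AES-CCM's counter-mode keystream is replaced by an HMAC-SHA256 counter-mode stand-in (an assumption; the only property used is that the keystream depends on the key and the packet number alone), the key and the plaintexts are constructed, and the `hardened` flag models the fix that shipped for real supplicants: never reinstall a key that is already in use.

```python
# Added example (not from the KRACK paper or any Wi-Fi implementation):
# toy supplicant with a key-reinstallation bug, plus the attacker who
# exploits the resulting packet-number (PN) reuse.
# ASSUMPTION: the CCMP keystream is modelled by HMAC-SHA256 in counter mode;
# as in CCMP, keystream = f(key, PN), so equal (key, PN) => equal keystream.
import hashlib
import hmac
from typing import List, Optional, Tuple

Frame = Tuple[int, bytes]  # (packet number, ciphertext)

# Constructed sample traffic and key (hypothetical, not captured data).
KNOWN = b"GET /index.html HTTP/1.1\r\n"      # plaintext the attacker can guess
TARGET = b"POST /login SECRET=hunter2\r\n"   # plaintext the attacker wants
PTK = bytes.fromhex("00112233445566778899aabbccddeeff")


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream: a function of key and PN only."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.ptk: Optional[bytes] = None
        self.pn = 0
        self.sent: List[Frame] = []

    def on_msg3(self, ptk: bytes) -> str:
        """Process Msg3 of the 4-way handshake (possibly a retransmission)."""
        if self.hardened and self.ptk == ptk:
            # Fix: a key already in use is never reinstalled, so the PN keeps counting.
            return "Msg4"
        # Vulnerable behaviour: (re)install the key and reset the PN to zero.
        self.ptk = ptk
        self.pn = 0
        return "Msg4"

    def send(self, plaintext: bytes) -> Frame:
        """Encrypt one data frame under the installed PTK and the next PN."""
        assert self.ptk is not None, "no PTK installed yet"
        self.pn += 1
        ct = xor(keystream(self.ptk, self.pn, len(plaintext)), plaintext)
        self.sent.append((self.pn, ct))
        return self.sent[-1]


def recover(frames: List[Frame], known_pn: int, known_plaintext: bytes) -> Optional[bytes]:
    """Known-plaintext attack: if two captured frames share known_pn, then
    E(1) XOR E(2) = P(1) XOR P(2), so P(2) = E(1) XOR E(2) XOR P(1)
    for as many bytes as the two frames overlap."""
    same_pn = [ct for pn, ct in frames if pn == known_pn]
    if len(same_pn) < 2:
        return None  # no nonce reuse observed for this PN
    return xor(xor(same_pn[0], same_pn[1]), known_plaintext)


def run(hardened: bool) -> Tuple[Optional[bytes], List[int]]:
    """Replay the handshake with a man-in-the-middle that drops Msg4.
    Returns (recovered plaintext or None, list of PNs used by the supplicant)."""
    sup = Supplicant(hardened)
    sup.on_msg3(PTK)                    # genuine Msg3 arrives; the reply Msg4 is blocked
    sup.send(KNOWN)                     # PN 1, keystream(PTK, 1)
    sup.send(b"cookie=session42\r\n")   # PN 2
    sup.on_msg3(PTK)                    # AP saw no Msg4 and retransmits Msg3
    sup.send(TARGET)                    # vulnerable: PN 1 again, same keystream
    pns = [pn for pn, _ in sup.sent]
    return recover(sup.sent, 1, KNOWN), pns


if __name__ == "__main__":
    print("vulnerable supplicant:", run(False))
    print("hardened supplicant:  ", run(True))
```

With the vulnerable supplicant the packet numbers come out as 1, 2, 1 and the attacker learns the first 26 bytes of the target frame (the length of the known plaintext); with the hardened supplicant they come out as 1, 2, 3 and no frame shares a packet number, so nothing is recovered.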

The authors attack three handshakes:
I.    4-Way Handshake
       Performed when a supplicant connects to an access point (AP). The attack here targets the supplicant.
II.   Fast BSS Transition (802.11r) Handshake
      Performed when a supplicant roams from one AP to another within the same network. Here the AP is the party that reinstalls the key.
III.  Group Key Handshake
       Performed when the AP distributes a fresh group key (GTK) to already-connected supplicants, for example periodically or when a station leaves the network.

According to the authors, all of the above handshakes are vulnerable to key reinstallation. The underlying idea is always the same: the attacker blocks the message that completes the handshake, records the frames sent in the meantime, and waits for the retransmission that makes the victim reinstall the key and reset its nonce and replay counter. The attacker can then decrypt and replay frames and, in some cases, forge and inject them.
The precise impact depends on the data-confidentiality protocol in use. Because the reinstallation also resets the receive replay counter, all three protocols (CCMP, TKIP, GCMP) allow replay of previously captured frames, and because all three are stream ciphers, nonce reuse allows decryption. TKIP and GCMP additionally allow forging: with TKIP the Michael MIC key can be recovered from a decrypted frame, and with GCMP the authentication key can be recovered once a nonce is reused, so the attacker can inject traffic as well.

 
WPA2 had been proven secure and had been in use for 14 years. The authors argue that this vulnerability is not merely a broken implementation but a defect in the protocol itself. We somewhat disagree: the problem appears to lie on the implementation side, where resetting the packet-number nonces on key installation is not implemented carefully. In our view vendors ended up with these broken implementations because IEEE develops its standards behind closed doors and the details are not fully accessible to ordinary security researchers. The standard gives ambiguous descriptions, confusing state diagrams and only fragments of pseudo code, so vendors had to write their code from those ambiguous details, which led to the key reinstallation vulnerability. There is no clear definition in the WPA2 standard of when keys and packet numbers may be (re)set.

Reference: Vanhoef, M., Piessens, F.: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In: Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS 2017)


About Author

Peace be upon you!
I am M. Asad Ali and I am doing a BS in Computer Science at the National University of Science and Technology (NUST), Islamabad. I am responsible for what I say. I am not responsible for what you understand.