back

KRACKing WPA2 by Forcing Nonce Reuse

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
01:01:42
Language
English
Abstract
We introduce key reinstallation attacks (KRACKs). These attacks abuse features of a protocol to reinstall an already in-use key, thereby resetting nonces and/or replay counters associated to this key. We show that our novel attack technique breaks several handshakes that are used in a WPA2-protected network.

All protected Wi-Fi networks use the 4-way handshake to generate fresh session keys. The design of this handshake was proven secure, and over its 14-year lifetime no weaknesses have been found in it. However, contrary to this history, we show that the 4-way handshake is vulnerable to key reinstallation attacks. In such an attack, the adversary tricks a victim into reinstalling an already in-use key. This is achieved by manipulating and replaying handshake messages. When the victim reinstalls the key, the associated incremental nonce and replay counter is reset to its initial value. Apart from breaking the 4-way handshake, we also show that our key reinstallation attack breaks the group key and Fast BSS Transition (FT) handshake. The impact of our attacks depend on both the handshake being targeted, and the data-confidentiality protocol in use. Simplified, against AES-CCMP, an adversary can replay and decrypt packets, but cannot forge packets. Still, this makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP, the impact is catastrophic: an adversary can replay, decrypt, and forge arbitrary packets. Rather surprisingly, GCMP is especially affected because it uses the same authentication key in both communication directions.

Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android and Linux: it forces the client into using a predictable all-zero encryption key.

Talk ID
9273
Event:
34c3
Day
1
Room
Saal Adams
Start
11:30 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Mathy Vanhoef
Talk Slug & media link
34c3-9273-kracking_wpa2_by_forcing_nonce_reuse

Talk & Speaker speed statistics

Very rough underestimation:
153.0 wpm
861.8 spm
158.2 wpm
894.2 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
153.0 wpm
861.8 spm
handshakekeypointaccessattackclientencryptionframes4-waynonceattacksvulnerablewi-fidatanetworke.gpacketmsg4impactalgorithmstandardthingdeviceencryptedmvstreamnumberbitmeaningframeattackerclientsmessagesdevicesmsg3randomgroupreinstallationsecurebroadcastmessagepeoplecaseftdecryptquestionsendstartbasicallyreuse
Mathy Vanhoef:
158.2 wpm
894.2 spm
handshakekeyaccesspointattackclientframes4-wayencryptionnoncevulnerabledataattackswi-finetworkimpactdevicethinge.galgorithmmsg4meaningencryptedmessagespacketbitdevicesframeattackerclientsmessagemsg3standardbroadcastsendstreamcaseftstartnumbersecuredecryptgroupreplaylinuxpeoplewpa2explainconnectorder