2017-10-16 -  7:30
A new attack on WPA and WPA2 was disclosed today called KRACK. KRACK stands for Key Reinstallation Attack and can allow an attacker to Man-in-the-Middle (MitM) the connection between a client and a router and replay, decrypt, and in some cases forge encrypted data packets.
When a client connects to a router, a process called a "4-Way Handshake" occurs, as shown in the image below. (STA is the client and AP is the router)[Image] WPA2 4-Way Handshake
The client is able to (and quite often does) send encrypted data packets using the PTK and a unique value called a nonce to encrypt each data packet at this point. To keep encrypted data packets from being decrypted by an attacker, nonce values MUST NOT be repeated with the same PTK value. To solve the problem of nonce value reuse, nonce values are simply incremented every time they are used.
Incrementing the nonce value also adds the benefit of preventing replay attacks, where a previously sent encrypted data packet is sent again at a later point in time. Because a replayed encrypted data packet would have a nonce value lower than or equal to the last used nonce value, the fact that the packet was a replayed packet can be known, allowing the receiver of the data packet to simply ignore it.
If the acknowledgement message from step 4 of the handshake never makes it to the router, the router will generate the third handshake step message again and send it to the client. This is expected behavior and is not a flaw, because background interference might prevent the router from receiving the acknowledgement message. When the second case of the handshake step 3 message is received by the client, the client saves the PTK value once again and resets the nonce value back to its initial value, then continues on with the fourth step of the handshake by sending an acknowledgement message.
The flaw exists in the fact that when the client sends the router encrypted data packets again, it will be reusing nonce values, which breaks the encryption used in the encrypted data packets. Replay attacks are also possible because the nonce value going back to its initial value can allow replayed encrypted packets with higher nonce values to be considered valid by the client.
For all 3 of the following encryption protocols, TKIP, CCMP, and GCMP, data packet decryption and replay attacks are a problem when nonce values are reused.
TKIP encrypted network connections (the default in WPA) have been known to not be very secure for a while now. Because of the weaknesses in TKIP, this attack allows an attacker to forge data packets from the client to the router.
CCMP encrypted network connections (the default in WPA2) are protected from packet forgery, but as mentioned, still suffer from data packet decryption and replay attacks.
GCMP encrypted network connections are especially vulnerable to this attack, as the connection from the client to the router and from the router to the client are authenticated with the same key. This means an attacker not only can decrypt and replay data packets, but also forge data to the router AND the client.
The good news is that this problem can be fixed with a patch, which many operating systems have already administered. The bad news is that there is a high likelihood that many Android devices, WiFi routers, and Internet of Things devices will be difficult for users to patch if not impossible. Much of the websites many people use are over HTTPS though, which helps provide protection to users above and beyond the encryption their WiFi may provide, which will also help mitigate damage from this attack.
I highly recommend people use AES (CCMP) encryption and WPA2 on their WiFi routers to also help mitigate damage. Patch your systems when you are able to. Some systems have already issued patches and some may issue patches in the future.
More details about the KRACK bug and other ways it can be used to get around defenses that were in place in previous systems can be found at https://krackattacks.com and the research paper describing it in more detail can be found here.
A catastrophic bug involving some versions of wpa_supplicant on Android and Linux was discussed in the KRACK disclosure website and research paper as well, but that is a topic for another blog post, as the actual attack is different from nonce value reuse and has different security implications.