16 Oct KRACKs (Key Reinstallation AttaCKs) – WPA2 Vulnerability Announcement
October 16, 2017 – Today the US-CERT announced several vulnerabilities in the WPA2 encryption implementation in clients and APs, the first known significant “crack in the code” to wireless networks in over 10 years. The vulnerabilities has been named KRACKs (Key Reinstallation AttaCKs). WPA2 is widely regarded as the industry’s most secure wireless encryption protocol.
Who is affected?
Organisations (corporate enterprises, businesses, schools and universities, retail shops and restaurants, government agencies etc.) that have deployed WiFi networks using WPA2 encryption are affected. When mobile users connect to these WiFi networks with smartphones, tablets, laptops, and other devices, they are exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password) based networks are affected.
What is WPA2?
WPA2 (802.11i) is currently the standard for wireless link security in WiFi networks. It uses either 802.1x (EAP) or pre-shared key (password) based authentication. In 802.1x, the client is authenticated from a backend RADIUS server at the time of setting up a wireless connection. During the authentication process, the client and the RADIUS server generate at their ends a common master key. The master key is sent from the RADIUS server to the AP over a secure wired network. In PSK, the master key is installed in the client and the AP by entering the same passphrase (password) on both sides. The master key is then used to generate a hierarchy of “temporal keys” to be used for encryption and integrity protection for data sent over wireless link between the AP and the client. This cryptographic protection is using CCM protocol (CCMP) which uses AES-CTR encryption and AES-CBC for integrity protection.
How exactly does this security vulnerability work?
Vulnerabilities have been discovered regarding how clients and APs implement state machines in software to implement WPA2 temporal key generation and transportation handshakes. The vulnerabilities can be exploited by manipulating certain handshake messages over the air. The exploit results into reuse of some packet numbers when handshakes are performed.
Reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay security is based. The principle is that for a given WPA2 temporal key, packet numbers in any two packet transmissions protected by the key must not be the same and the receiver must only accept a new packet if its packet number is higher than the most recently received packet. For packet pairs where the former part of the above principle is violated, it is possible to determine the content of one packet if the plaintext of the other packet is known or can be guessed. When the latter part of the above principle is violated, it permits adversary to replay old packets to the receiver.
What is the remedy?
Of the 10 vulnerabilities disclosed today, 9 are due to flaws in the client software implementation, and therefore must be fixed in the client device (phone, tablet, etc.). Most providers of handheld device operating systems are expected to issue a software update immediately that users should download and install.
However, until those client devices have been patched, the wireless access point (AP) can provide mitigation for these vulnerabilities, by blocking the dangerous handshake messages that are known to trigger these vulnerabilities.
You can get access to the affected AP vendors here: https://goo.gl/ysSfVJ
The remaining 1 out of the 10 vulnerabilities is due to a flaw in a popular WiFi software driver called “hostapd” that runs on most access points. This issue can only be fixed on the wireless access point.