KRack: Key Reinstallation Attack
Part One: Why is a Handshake so Complicated?
For us to talk secretly, I need to give you a secret... but I can't do that in a crowded room. However, we can agree on a way of using two pieces of public information that makes it hard for anyone else to follow. If we just used a single passphrase (the PMK) everywhere and encrypted everything with it, someone could feasibly listen in and reason out our passphrase simply from our conversation. Enter the PTK--think of it as a new passphrase for every time we talk. We both know our pre-exchanged master password (the PMK), but we don't use it directly in our conversations. Instead, I give you a string of random words (the ANonce) and you mix those random words with your own (the SNonce) and with the master passphrase to make a new, per-conversation passphrase (the PTK). Then, you send me your random words, and I use those to recreate the conversation passphrase so I can check that we're both using the same secret. If everything checks out, we start talking; otherwise, we start over again... or at least we should.
If you're a wireless device and I'm a router, we do this same thing:
- I send you the ANonce (typically some random number)
- You make up the SNonce (typically another random number) and compute the PTK from it, the ANonce, our MAC addresses, and the Pairwise Master Key (usually the WiFi password), then send me a signed message (the MIC) with the SNonce
- I check the PTK matches with my own computation, and if so, I send you the last unencrypted message acknowledging that the PTK works, and in this message I include some encrypted information (usually the GTK, which is used by all clients on the wireless network to talk to each other)
- Then, you send an encrypted acknowledgement
It is in the third step, when I send that message, that a third party could step in: what cryptographers typically call the Man In The Middle (MITM). The MITM could easily, of course, be a woman, or even a machine or computer program for that matter; what's important is that the MITM can intercept our communications but may not be able to actually see what's in them. The MITM's shadowy task is to figure out how to read our secret messages using only their content and how those messages are sent. Sometimes the MITM can't actually read the messages, but can use clever tricks involving how the messages get sent, or how the messages are checked on either end, to discover their contents.
For KRACK, the MITM intercepts the fourth message (your acknowledgement) so that I send the third message again. Now, this is where things get technical, because one of the key parts of the secret code we worked out beforehand was that I'd put a message counter at the beginning of each of my messages and you'd reply with the same counter. When I don't see your acknowledgement in message 4, I re-send message 3, and on receiving it you reinstall the conversation passphrase and reset this counter, which allows the MITM to understand some parameters of our secrets.
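To make the counter reset concrete, here is an added toy simulation (not code from the original post, and not the real 802.11i implementation) of the client side of the handshake described above. It assumes a simplified HMAC-based stand-in for the 802.11i key-expansion PRF, a constructed password and MAC addresses, and models the packet number that the per-frame nonce is built from; the `allow_reinstall` flag contrasts the pre-patch behaviour (reinstalling the PTK on a retransmitted message 3) with the patched behaviour (ignoring the retransmission once the key is in use).

```python
import hashlib, hmac, os

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # Simplified stand-in (assumption) for the 802.11i key-expansion PRF: an HMAC over the
    # same inputs the real handshake mixes: PMK, both MAC addresses and both nonces.
    data = (b"Pairwise key expansion" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()

class Client:
    """Wireless client side of the handshake; answers messages 1 and 3."""
    def __init__(self, pmk, mac, allow_reinstall):
        self.pmk, self.mac = pmk, mac
        self.allow_reinstall = allow_reinstall  # True models the unpatched client
        self.ptk, self.installed, self.packet_number = None, False, 0
        self.nonces_used = []               # per-frame nonces this client has encrypted with

    def on_message1(self, ap_mac, anonce):
        self.snonce = os.urandom(32)
        self.ptk = derive_ptk(self.pmk, ap_mac, self.mac, anonce, self.snonce)
        return self.snonce                  # message 2 carries the SNonce back to the AP

    def on_message3(self):
        # Message 3 (or its retransmission) tells the client to install the PTK.
        if self.installed and not self.allow_reinstall:
            return "retransmit ignored"     # patched: key already in use, keep the counter
        self.installed = True
        self.packet_number = 0              # installing a key resets the packet number
        return "message 4"

    def send_frame(self):
        self.packet_number += 1
        nonce = self.packet_number.to_bytes(6, "big")  # CCMP builds the nonce from the PN
        self.nonces_used.append(nonce)
        return nonce

def simulate(allow_reinstall):
    """Run the handshake with message 4 blocked once; return the nonces the client used."""
    pmk = hashlib.sha256(b"constructed-wifi-password").digest()   # constructed PMK
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    client = Client(pmk, sta_mac, allow_reinstall)
    anonce = os.urandom(32)
    snonce = client.on_message1(ap_mac, anonce)
    assert client.ptk == derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)  # AP's copy matches
    client.on_message3()                    # first message 3: client installs the PTK
    client.send_frame()                     # client starts talking; its message 4 is blocked
    client.on_message3()                    # AP times out and retransmits message 3
    client.send_frame()
    return client.nonces_used

def nonce_reused(nonces):
    return len(nonces) != len(set(nonces))  # a repeated nonce under one key is the problem
```

The unpatched client encrypts two different frames under the same key with the same nonce, which is exactly the condition the attack exploits; the patched client's counter keeps climbing.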
In the case of wireless routers, how those secrets work and the exact protocols for exchanging secrets vary according to configurations (for instance, TKIP, AES, GCMP, though these are just one kind of wireless protocol variation), but all are vulnerable to this attack in various ways, and the discoverers of the attack took a lot of care to explore how different wireless protocols worked under the same basic attack. However, all current (802.11i) wireless security protocols are vulnerable.
An attacker inserted into your wireless session would generally still have to do more work to get at your data. HTTPS communication, for instance, would still be secure. However, the DNS lookup for that site would not be, allowing the attacker to provide a fake server in place of an important online service you were attempting to use, like your bank. Once the MITM has this position, all sorts of other attacks are possible that were previously prevented.
Part Two: Wait, what?
- Someone with a wireless access point physically near to your own could use this attack to trick your wireless clients and thus decrypt their traffic with the access point.
- For most people (using a regular wireless router as an access point with WPA2 security), this primarily affects the wireless client. Patching the access point (usually your router) may help, but the best information currently available suggests that the only sure fix is patching all wireless clients.
- This attack is broad in that all current wireless clients are vulnerable.
- This attack is narrow (incredibly narrow as these things go) in that an attacker must be physically close to you to use the attack (or have a wireless AP physically close).
- Anyone who already has access to your network (has your wireless password or is connected via wire) would be wasting their time with this attack, as they would generally already have access to the information that decrypting your wireless traffic would give them.
- WEP is also vulnerable; in addition, it is terrible for security and everyone should use WPA anyhow.
- This attack does not affect other encryption, such as a VPN (when running from the wireless client) or HTTPS, but it does leave other avenues unprotected, like DNS.
Part Three: What Can I Do Now?
For any device you use over standard wireless (WiFi), make sure the manufacturer of the device or the operating system has patched it, and that you've upgraded to the patched version. When upgrades become available, upgrade your wireless APs.
Part Four: How did this happen?
One of the more interesting features of KRack is that the Four Way Handshake it attacks has actually been mathematically proven, in the sense that it obeys certain formal restrictions in the same way that logical statements obey formal restrictions. However, because the 802.11i spec does not place extra constraints on how software implements this handshake, even obeying those formal rules is not sufficient to prevent this attack. This isn't because math is somehow broken, thank goodness, but because the process and culture around technical specifications is. For some standards, it is unreasonably difficult for developers to gain access to source specs, and wireless (802.11) is notably difficult.
Industry standards and standards organizations are great, both for consumers and developers, but one unfortunate effect that's becoming more common than is comfortable is siloing: where those with easy access to information are those who belong to the organizations with a hand in their creation. This prevents end users from evaluating and understanding the software and electronics they receive, and it makes it harder for academics and white hat hackers to find and reveal issues like KRack.
Open standards help us all, but it's important that "open" continue to mean something.