KRACK vulnerability explained – Part1

Understanding WPA2 handshake is important to know KRACK attack. Part-1 of this blog post will be about basics required to understand KRACK.

WPA2 uses 4 way handshake process to generate required unique keys for session. Different keys are generated in WPA2. PMK (pairwise master key) Generated at client and access point individually. Keys are not exchanged.

PTK (pairwise temporal key) Used for protecting unicast communication between client and access point. Generated by client and Access point, key is not exchanged.

GTK (Group Temporal Key) Generated by Access point, used to protect multicast communication from access point to client. Key is sent to client in network from access point using EAPOL 4-way handshake.

IGTK (Integrity Group Temporal Key) Generated by Access point, used to protect multicast communication from access point to client. Key is sent to client in network from access point using EAPOL 4-way handshake.

Note on terminologies. Client is represented as Supplicant and Access point is represented as Authenticator in 802.1x authentication. For ease of understanding I have used terms interchangeably.

To start, first let’s understand how PMK or PSK is generated, this is an input to derive PTK. PMK is generated independently on client as well as access point.

Password or passphrase known by both Access point and client are used to derive PMK. Password is taken as input for PBKDF2 function to derive the key. More on PBKDF2 in RFC 2898. Along with password , SSID, SSID length, hashing count, and key size is given as input to PBKDF2 this derives PMK,

PSK

PSK/PMK generation

PBKDF2 = fn { password, SSID, SSID length, 4096, 256}

SSID – Service set identifier of the network

SSID length – Length of SSID

4096 – hashing count (ie; hashing key 4096 times)

256 – 256bit key size

4-way Handshake

Once PMK is derived, PTK is derived.

PTK =fn {PMK, ANonce, SNonce, Authenticator Mac, Supplicant Mac,}

PTK – Pairwise transition Key

PMK – Pairwise Master Key

Anonce – Authenticator Nonce (long random value selected by Access point)

SNonce – Supplicant Nonce (long random value selected by client)

Authenticator Mac – Mac Address of authenticator

Supplicant Mac – Mac address of supplicant

Authenticator is Access point

Supplicant is client connecting to access point.

4-way handshake happens through EAPOL packets in 4 messages. This collects all required parameters to generate PTK at client and access point end.

4-way Handshake

Message 1 – Authenticator sends A-nonce to Supplicant

Message 2 – Supplicant sends S-Nonce + MIC sent to access point

Message 3 – Authenticator verifies if PTK generated by Supplicant is same as that is derived by Authenticator, this is done by verifying MIC sent in Message 2. If yes, then confirmation message is sent else supplicant is de-authenticated from network.

Message 4 – Key is installed in Supplicant, Packet number is reset and confirmation message is sent to authenticator.

Authenticator installs key. And packets are encrypted henceforth.

Note on WPA2 encryption: Key is changed for every packet in WPA2. In AES-CCMP keystream cannot be reused.

As per the picture below we can see the dynamic value for generating keystream is Packet number. This is very important to understand KRACK vulnerability.

If packet number repeats, keystream will repeat. AES-CCMP

Part-2 will explore more on vulnerability in WPA2.

#wifi #wirelessSecurity

— By Fabian Darius