Manipulation of the Handshake Protocol

Added on - 16 Sep 2019

Exploit Research Deliverable

Executive Summary

Key Reinstallation Attacks (KRACK)

Most modern Wi-Fi networks are protected by the WPA2 protocol. In 2017 it was discovered that WPA2 contains a critical weakness that can be exploited with a technique known as Key Reinstallation Attacks, or "KRACK" (Vanhoef and Piessens, 2017; the 4-way handshake variant is tracked as CVE-2017-13077). The technique lets an attacker read encrypted traffic and, depending on the cipher suite in use, replay and inject frames. Because the flaw is in the WPA2 standard itself rather than in a single vendor's implementation, every unpatched WPA2 client and access point is affected. KRACK targets the 4-way handshake that joins a client to the network. Almost all Wi-Fi networks in use rely on this handshake, so virtually every unpatched network is exposed. The attack works by tricking the client into reinstalling a cryptographic key that is already in use, through manipulation and replay of handshake messages. Unpatched WPA2 allows the third handshake message to be replayed; the client then reinstalls the same key, which resets the associated replay counter and transmit packet number (nonce) to their initial values and allows the attacker to replay, decrypt and, in some configurations, forge frames between the client and the access point. This is a critical vulnerability with severe implications for data confidentiality, and it can compromise an entire network if clients and access points are left unpatched. Note that for the 4-way handshake variant the vulnerable party is the client, so patching access points alone does not protect unpatched clients.

Technical Description

Exploitation Description

Key reinstallation attacks work by tricking a victim into installing an already-in-use key by manipulating and replaying the cryptographic handshake. When a client connects to a Wi-Fi network, the client and the access point perform a 4-way handshake to agree on a fresh session key, the Pairwise Transient Key (PTK). The PTK is derived from the Pairwise Master Key (PMK, obtained from the pre-shared key or from 802.1X authentication), the MAC addresses of both parties, and two random nonces exchanged in messages 1 and 2 (ANonce and SNonce). The handshake is therefore not a Diffie-Hellman key exchange: both parties already share the PMK, and the handshake's purpose is to prove that knowledge, derive a fresh PTK, and deliver the group key. The client installs the PTK after receiving message 3 and replies with message 4; the access point installs the PTK after receiving message 4. Once installed, the PTK is used to encrypt and decrypt all data frames between the client and the access point.

Like other network protocols, the 4-way handshake tolerates lost or corrupted messages by retransmission. If the access point does not receive message 4 in time, it retransmits message 3, so a client may legitimately receive message 3 more than once. The unpatched standard specifies that the client reinstalls the PTK every time message 3 arrives. Reinstalling the key resets the associated state, in particular the incremental transmit packet number (which forms the per-frame nonce) and the receive replay counter, to their initial values. An attacker positioned between the client and the access point can therefore block message 4, capture the retransmitted message 3, and replay it to the client at a chosen moment, forcing a key reinstallation. After the reset the client encrypts new frames with nonces it has already used, and nonce reuse under CCMP's counter mode means the same keystream is applied twice. XORing two such frames cancels the keystream, so any frame with known or guessable content (DHCP, ARP, the start of a TLS handshake) reveals the other. Replay protection is likewise defeated because the receive counter was rewound. Whether frames can also be forged depends on the cipher suite: with TKIP or GCMP the attack additionally exposes the key used for message authentication, so frames can be injected; with CCMP the practical impact is decryption and replay. The root cause is that the protocol permits a cryptographic key to be installed, and its nonce reset, more than once. Several other key exchange protocols have been shown to be vulnerable to the same class of attack; within WPA2 alone, the group key handshake, the PeerKey handshake and the Fast BSS Transition (802.11r) handshake are affected as well.

Attack Vector

The attack vector for key reinstallation attacks is always the wireless link between the client and the Wi-Fi access point. The attacker will likely try to manipulate the 4-way handshake protocol in order to
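The key reinstallation and nonce reset described in the Exploitation Description above, as an added simulation that is not code from the original document. It models only the client side: the PTK is derived with a single SHA-256 over the real handshake inputs instead of the 802.11 PRF, and CCMP is replaced by a counter-mode keystream derived from (key, nonce), which reproduces the one property the attack relies on, namely that a repeated nonce under the same key repeats the keystream. The attacker's man-in-the-middle position (blocking message 4 and replaying message 3) is represented simply by calling the message 3 handler twice. All keys, MAC addresses and frames are constructed sample values.

```python
# Added simulation of WPA2 PTK installation and the KRACK nonce reset.
# Not code from the original document. The cipher is a stand-in for
# CCMP: a counter-mode keystream derived with SHA-256 from (key, nonce).
# PTK derivation is a single SHA-256 over the real handshake inputs
# (PMK, AA, SPA, ANonce, SNonce) instead of the IEEE 802.11 PRF.
# All keys, addresses and frames below are constructed sample values.
import hashlib
import os


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Simplified PTK derivation; stand-in for PRF-384 in 802.11."""
    return hashlib.sha256(b"PTK" + pmk + aa + spa + anonce + snonce).digest()


def keystream(tk, nonce, length):
    """Counter-mode keystream; repeats whenever (tk, nonce) repeats."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake.

    reinstall_on_replay=True models the unpatched standard: every
    message 3 (re)installs the PTK and resets the packet number (PN).
    False models the fix: a key that is already installed is left alone
    and only message 4 is resent.
    """

    def __init__(self, pmk, aa, spa, reinstall_on_replay):
        self.pmk, self.aa, self.spa = pmk, aa, spa
        self.reinstall_on_replay = reinstall_on_replay
        self.snonce = os.urandom(32)
        self.ptk = None
        self.installed = False
        self.pn = 0  # transmit packet number, part of the CCMP nonce

    def on_msg1(self, anonce):
        """Message 1 delivers ANonce; the client can now derive the PTK."""
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return self.snonce  # sent back to the AP in message 2

    def on_msg3(self):
        """Message 3: install the PTK (and, in reality, the GTK)."""
        if self.installed and not self.reinstall_on_replay:
            return "msg4"  # patched: acknowledge again, keep key and PN
        self.installed = True
        self.pn = 0  # key (re)installation rewinds the nonce counter
        return "msg4"

    def encrypt(self, plaintext):
        """Encrypt one data frame; CCMP nonce is (priority, A2, PN)."""
        assert self.installed, "no key installed yet"
        self.pn += 1
        nonce = b"\x00" + self.spa + self.pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


# Constructed frames of equal length: one the attacker can predict
# (e.g. a DHCP or ARP packet), one carrying data worth stealing.
KNOWN_FRAME = b"known-plaintext!"
SECRET_FRAME = b"session-cookie=7"


def run_attack(reinstall_on_replay):
    """Return (nonce_reused, recovered_secret_or_None) for one client."""
    pmk = hashlib.sha256(b"constructed-psk").digest()
    aa = bytes.fromhex("000000000001")   # access point MAC (sample)
    spa = bytes.fromhex("000000000002")  # client MAC (sample)
    client = Supplicant(pmk, aa, spa, reinstall_on_replay)
    client.on_msg1(os.urandom(32))
    client.on_msg3()                              # genuine message 3
    n1, c1 = client.encrypt(KNOWN_FRAME)          # PN = 1
    client.on_msg3()                              # attacker replays message 3
    n2, c2 = client.encrypt(SECRET_FRAME)         # PN = 1 again if reinstalled
    if n1 != n2:
        return False, None
    # Same key, same nonce, same keystream: c1 ^ c2 == KNOWN ^ SECRET.
    return True, xor(xor(c1, c2), KNOWN_FRAME)


if __name__ == "__main__":
    print("unpatched:", run_attack(True))   # (True, b'session-cookie=7')
    print("patched:  ", run_attack(False))  # (False, None)
```

With the unpatched behaviour the replayed message 3 rewinds the packet number, the second frame reuses the first frame's nonce, and XORing the two ciphertexts with the known frame recovers the secret without ever learning the PTK. With the patched behaviour the client still answers the replayed message 3 (so the handshake completes even if message 4 was lost) but keeps its installed key and counter, and the nonces differ. The mitigation the example models is the one in the fixed standard: never install a key that is already installed.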