DOI: 10.1145/3133956.3134027
Research article

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2

Published: 30 October 2017

Abstract

We introduce the key reinstallation attack. This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key's associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are affected by the attack. All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected. Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.
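As an added illustration (not the paper's code and not a Wi-Fi implementation), the following toy Python model shows the supplicant behaviour the abstract describes: when a retransmitted message 3 makes the client reinstall the key it is already using, the transmit nonce and replay counter start over, while a hardened client that refuses to reinstall an already-installed key keeps them; a small defender-side check flags a peer whose packet number goes backwards. The key value, the field names and the sequence of events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Supplicant:
    """Toy Wi-Fi client state; constructed for illustration, not a real implementation."""
    reinstall_allowed: bool          # True models the vulnerable behaviour
    installed_tk: Optional[bytes] = None
    tx_nonce: int = 0                # packet number used as the CCMP nonce for sent frames
    rx_replay_counter: int = 0       # highest packet number accepted from the peer
    installs: int = 0                # how many times a key was (re)installed

    def on_msg3(self, tk: bytes) -> None:
        """Handle message 3 of the 4-way handshake, including a retransmitted copy."""
        if self.installed_tk == tk and not self.reinstall_allowed:
            # Hardened: the same key is already in use, so nonce and counter are kept.
            return
        self.installed_tk = tk
        self.tx_nonce = 0            # this reset is what forces nonce reuse
        self.rx_replay_counter = 0   # this reset is what allows replaying old frames
        self.installs += 1

    def send(self) -> int:
        """Return the nonce (packet number) the next outgoing frame would use."""
        self.tx_nonce += 1
        return self.tx_nonce


def simulate(reinstall_allowed: bool) -> Dict[str, object]:
    """Complete the handshake, send two frames, deliver message 3 again, send once more."""
    client = Supplicant(reinstall_allowed)
    tk = b"\x11" * 16                # constructed temporal key
    client.on_msg3(tk)
    nonces = [client.send(), client.send()]
    client.on_msg3(tk)               # retransmitted (or replayed) message 3
    nonces.append(client.send())
    return {
        "nonces": nonces,
        "nonce_reused": len(nonces) != len(set(nonces)),
        "installs": client.installs,
    }


def detect_nonce_reset(packet_numbers: List[int]) -> List[int]:
    """Defender-side check: indices at which a peer's packet number did not increase.

    A packet number that goes backwards after a handshake message is a sign that
    the peer reinstalled its key; it should be logged and investigated.
    """
    return [i for i in range(1, len(packet_numbers))
            if packet_numbers[i] <= packet_numbers[i - 1]]
```

With `reinstall_allowed=True` the third frame reuses nonce 1; with the hardened behaviour the nonces stay strictly increasing and the monitor raises no alert.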

Supplemental Material: MP4 file



Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. attacks
  2. handshake
  3. initialization vector
  4. key reinstallation
  5. network security
  6. nonce reuse
  7. packet number
  8. security protocols
  9. wpa2

Qualifiers

  • Research-article

Conference

CCS '17

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Article Metrics

  • Downloads (last 12 months): 188
  • Downloads (last 6 weeks): 27
Reflects downloads up to 20 Feb 2025

Cited By

  • (2025) Exposed by Default: A Security Analysis of Home Router Default Settings and Beyond. IEEE Internet of Things Journal 12(2):1182-1199. doi:10.1109/JIOT.2024.3502405. Online publication date: 15 Jan 2025
  • (2025) TinyAP: An Intelligent Access Point to Combat Wi-Fi Attacks Using TinyML. IEEE Internet of Things Journal 12(2):2135-2145. doi:10.1109/JIOT.2024.3467328. Online publication date: 15 Jan 2025
  • (2025) TinyAP: A Smart Access Point to detect KRACK on WPA2 Handshake in Wi-Fi using TinyML. 2025 17th International Conference on COMmunication Systems and NETworks (COMSNETS), 168-173. doi:10.1109/COMSNETS63942.2025.10885765. Online publication date: 6 Jan 2025
  • (2025) Improving IIoT security: Unveiling threats through advanced side-channel analysis. Computers & Security 148:104135. doi:10.1016/j.cose.2024.104135. Online publication date: Jan 2025
  • (2025) Security analysis of the Wi-Fi Easy Connect. International Journal of Information Security 24(2). doi:10.1007/s10207-025-00988-3. Online publication date: 7 Feb 2025
  • (2024) A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers. IACR Communications in Cryptology. doi:10.62056/a3qjp2fgx. Online publication date: 8 Jul 2024
  • (2024) Security Incidents and Security Requirements in Internet of Things (IoT) Devices. Human-Centered Approaches in Industry 5.0, ch. 7, 154-175. doi:10.4018/979-8-3693-2647-3.ch007. Online publication date: 16 Jan 2024
  • (2024) Extending RAIM with a Gaussian Mixture of Opportunistic Information. Proceedings of the 2024 International Technical Meeting of The Institute of Navigation, 454-466. doi:10.33012/2024.19544. Online publication date: 14 Feb 2024
  • (2024) Lowcaf: A Low-Code Protocol Analysis Framework. 2024 20th International Conference on Network and Service Management (CNSM), 1-7. doi:10.23919/CNSM62983.2024.10814380. Online publication date: 28 Oct 2024
  • (2024) Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 2072-2086. doi:10.1145/3658644.3670380. Online publication date: 2 Dec 2024
