Breaking WPA2 by forcing nonce reuse

nsaspook

Joined Aug 27, 2009
7,732
If you allow (session) key (cryptovariable) reuse at any level you will eventually get hacked. Wi-FI has never been totally secure, WEP broken, WPA broken, WPA-TKIP broken and now WPA2 broken.
The idea behind our attacks is rather trivial in hindsight, and can be summarized as follows. When a client joins a network, it executes the 4-way handshake to negotiate a fresh session key. It will install this key after receiving message 3 of the handshake. Once the key is installed, it will be used to encrypt normal data frames using a data-confidentiality protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same session key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the data-confidentiality protocol
That's why we used the key cutter on old encryption machines to maintain key non-reuse when the data stream is interrupted for any reason.



The blade slices the Crypto Key card in half when the door closes so it can't be used again when opened. :p

This openbsd patch for WPA has the effect of keeping the door closed and locked when somebody pulls the handle.
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/018_net80211.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/027_net80211_replay.patch.sig
 
Last edited:
Top