List: openbsd-misc
Subject: Re: About WPA2 compromised protocol
From: Lampshade
Date: 2017-10-16 13:53:27
Message-ID: dyaiuwmppkyjgapvdews () yoxg
Stefan Sperling:
> Also this was *NOT* a protocol bug.
> arstechnica claimed such nonsense without any basis in fact and
> now everybody keeps repeating it
Actually, the researcher claimed that they are in the standard itself.
https://www.krackattacks.com/
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.
Some paragraphs remark about OpenBSD in a direct way.
Paper
Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made. As a result, the findings in the paper are already several months old. In the meantime, we have found easier techniques to carry out our key reinstallation attack against the 4-way handshake. With our novel attack technique, it is now trivial to exploit implementations that only accept encrypted retransmissions of message 3 of the 4-way handshake. In particular this means that attacking macOS and OpenBSD is significantly easier than discussed in the paper.
Some attacks in paper seem hard
We have follow-up work making our attacks (against for example macOS and OpenBSD) significantly more general and easier to execute. So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice.
How did you discover these vulnerabilities?
When working on the final (i.e. camera-ready) version of another paper, I was double-checking some claims we made regarding OpenBSD's implementation of the 4-way handshake. In a sense I was slacking off, because I was supposed to be just finishing the paper, instead of staring at code. But there I was, inspecting some code I already read a hundred times, to avoid having to work on the next paragraph. It was at that time that a particular call to ic_set_key caught my attention. This function is called when processing message 3 of the 4-way handshake, and it installs the pairwise key to the driver. While staring at that line of code I thought “Ha. I wonder what happens if that function is called twice”. At the time I (correctly) guessed that calling it twice might reset the nonces associated to the key. And since message 3 can be retransmitted by the Access Point, in practice it might indeed be called twice. “Better make a note of that. Other vendors might also call such a function twice. But let's first finish this paper...”. A few weeks later, after finishing the paper and completing some other work, I investigated this new idea in more detail. And the rest is history.
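
The nonce reset described in the quoted passage, as an added example that is not part of the original message and not OpenBSD's code: a hypothetical `key_slot` model in which a retransmitted message 3 triggers a second key install, next to one possible guard that skips reinstalling a key already in use. All names and the sample key are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a pairwise-key slot; not OpenBSD's structures. */
struct key_slot {
    uint8_t  key[16];
    uint64_t tx_pn;     /* per-key transmit nonce; must never repeat */
    int      installed;
};
typedef void (*install_fn)(struct key_slot *, const uint8_t *);

/* Behaviour described in the message: every install resets the nonce. */
static void install_key_naive(struct key_slot *s, const uint8_t *key)
{
    memcpy(s->key, key, sizeof(s->key));
    s->tx_pn = 0;
    s->installed = 1;
}

/* Guarded: a retransmitted message 3 carrying the key already in use
 * leaves the key and its nonce counter untouched. */
static void install_key_guarded(struct key_slot *s, const uint8_t *key)
{
    if (s->installed && memcmp(s->key, key, sizeof(s->key)) == 0)
        return;
    install_key_naive(s, key);
}

/* Install, send n frames, process a retransmitted message 3, send n more.
 * Returns how many frames of the second batch repeat an earlier nonce. */
static int count_reused_nonces(install_fn install, int n)
{
    static const uint8_t ptk[16] = { 0x01, 0x02, 0x03 }; /* constructed key */
    struct key_slot s = { {0}, 0, 0 };
    uint64_t first_max;
    int i, reused = 0;
    install(&s, ptk);
    for (i = 0; i < n; i++)
        s.tx_pn++;                  /* nonce consumed by frame i */
    first_max = s.tx_pn;
    install(&s, ptk);               /* retransmitted message 3 */
    for (i = 0; i < n; i++)
        if (++s.tx_pn <= first_max)
            reused++;
    return reused;
}

/* Exit status 0 means the guarded install reused no nonce. */
int main(void) { return count_reused_nonces(install_key_guarded, 5); }
```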