Products + All Products + Software Integrity + Semiconductor IP + Verification + Design + Silicon Engineering
Posted by Mantej Singh Rajpal on October 17, 2017
The weekend of Friday the 13th took a frightening turn—even for those of us who aren’t superstitious—when detrimental weaknesses were discovered in Wi-Fi Protected Access II (WPA2), the protocol responsible for securing Wi-Fi networks. WPA2 was first made available back in 2004 and has been required on all Wi-Fi branded devices since March 2006. My home’s Wi-Fi network is protected by WPA2, and if you’re reading this, yours probably is too.
Before we answer that question, let’s do some quick high-level Crypto 101. The Advanced Encryption Standard (AES) has been around for over a decade. It’s a symmetric-key cipher, which means the same key is used for both encryption and decryption. While AES traditionally functions as a block cipher that encrypts 128-bit chunks of plain text at a time, it can also be used as a stream cipher—which is how it is implemented in WPA2. Now, the thing with stream ciphers is that reusing a nonce-key pair can result in the complete decryption of traffic. A nonce should never be used with the same key twice. In the WPA2 standard, a nonce is basically a packet counter. Essentially:
generate( 0, key ) → first part of keystream
generate( 1, key) → second part of keystream
generate( 2, key) → third part of keystream
generate( 2^48, key) → last part of keystream
Once the maximum allowed value for the counter is reached (2^48), a new key is generated, and the counter is reset to 0. Since the cipher is rekeyed whenever the counter is reset to 0 (hint, hint), it follows that the same nonce-key pair will never be reused. So what’s the problem?
Enter the key reinstallation attack, or KRACK.
The KRACK vulnerability allows an active adversary to interfere in the conversation between a client and the Wi-Fi access point, forcing the client to reinstall a key that was previously used. When this occurs, the counter is reset to 0 also—leading to the reuse of nonce-key pairs. The keystream that follows will be identical to the earlier keystream, since the nonces (i.e., counter values) are being used with the exact same key that was previously used. Once this keystream is reused, the adversary can (with little effort) decrypt traffic, revealing credit card numbers, passwords, and more.
This weakness stems from the WPA2 standard itself—not from any specific faulty implementation. That being said, if you own any product that supports Wi-Fi, it is likely affected by KRACK. While accessing websites over HTTPS does add another layer of security, you should keep a few things in mind:
That last point is especially important. If you have a smart TV, for example, you should think twice about leaving it connected to your Amazon account, or any other app or account that contains sensitive information.
At this point, yes. The protections provided by WPA2 outweigh the risk of someone nearby exploiting KRACK. The best course of action is to install security updates as soon as they become available for your devices. Microsoft, for example, has already patched KRACK in a security update, and Apple has pushed patches in the beta versions of iOS and macOS. Most vendors are still putting together fixes, which you can expect to start rolling out over the next few weeks. Keep a lookout for those security updates, and don’t postpone installing them!