1. Release the Kraken: New KRACKs in the 802.11 Standard 2018 Attacks CCS CryptoStandards
    Mathy Vanhoef and Frank Piessens
    [View PDF on papers.mathyvanhoef.com]

    @inproceedings{10.1145/3243734.3243807,
    author = {Vanhoef, Mathy and Piessens, Frank},
    title = {Release the Kraken: New KRACKs in the 802.11 Standard},
    year = {2018},
    isbn = {9781450356930},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3243734.3243807},
    doi = {10.1145/3243734.3243807},
    booktitle = {Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
    pages = {299–314},
    numpages = {16},
    keywords = {WPA2, 802.11, key reinstallation attack, KRACK, security protocols},
    location = {Toronto, Canada},
    series = {CCS ’18}
    }

We improve key reinstallation attacks (KRACKs) against 802.11 by generalizing known attacks, systematically analyzing all handshakes, bypassing 802.11’s official countermeasure, auditing (flawed) patches, and enhancing attacks using implementation-specific bugs. Last year it was shown that several handshakes in the 802.11 standard were vulnerable to key reinstallation attacks. These attacks manipulate handshake messages to reinstall an already-in-use key, leading to both nonce reuse and replay attacks. We extend this work in several directions. First, we generalize attacks against the 4-way handshake so they no longer rely on hard-to-win race conditions, and we employ a more practical method to obtain the required man-in-the-middle (MitM) position. Second, we systematically investigate the 802.11 standard for key reinstallation vulnerabilities, and show that the Fast Initial Link Setup (FILS) and Tunneled direct-link setup PeerKey (TPK) handshakes are also vulnerable to key reinstallations. These handshakes increase roaming speed, and enable direct connectivity between clients, respectively. Third, we abuse Wireless Network Management (WNM) power-save features to trigger reinstallations of the group key. Moreover, we bypass (and improve) the official countermeasure of 802.11. In particular, group key reinstallations were still possible by combining EAPOL-Key and WNM-Sleep frames. We also found implementation-specific flaws that facilitate key reinstallations. For example, some devices reuse the ANonce and SNonce in the 4-way handshake, accept replayed message 4’s, or improperly install the group key. We conclude that preventing key reinstallations is harder than expected, and believe that (formally) modeling 802.11 would help to better secure both implementations and the standard itself.
