Thom Otten
Thom Otten
October 18, 2017

Responsible for your perfect Monday: ROCA and KRACK

Monday October 16th 2017 was an eventful day for crypto and security in general. The world was informed about two huge problems in technology we use daily. It was bad enough that it caused quite some commotion and uproar in the tech world.

Scroll down

WPA2 was declared insecure due to the KRACK exploit and RSA 2048 and 1024 was declared insecure due to the ROCA exploit. However, both were already patched a week prior to the announcement.

This does not mean we do not have to do anything. In fact we all have some work to do, especially if you use the Infineon Trusted Platform Module(TPM). Which is the chip responsible for encrypting your data on your device. Before we list what we need to do, it may be useful to know what we are dealing with. The first step is to get more insight about the vulnerabilities. Which in this case are ROCA and KRACK.

KRACK

Let’s start with KRACK, it stands for Key Reinstallation AttaCK. It is a weakness in the WPA2 protocol. It is an attack that works against all modern Wi-Fi networks. Since it is a problem in the protocol, it is not based on any device but rather it is found in every device that supports Wi-Fi. This attack is most effective against Linux distributions and Android 6.0 and higher, however other devices are impacted as well.

Now to ask, how does it work? It attacks the 4-way handshake that is made between a device and an access point. When a client joins the network, it executes the 4-way handshake. During the handshake an encryption key is negotiated. This key is installed during message 3 of the 4-way handshake. However, since Wi-Fi isn’t always stable, a message can be dropped. Therefore, the access point sends the message multiple times. It will install the same key every time while it keeps trying to send message 3. Clients then also install and reinstall the same key every time it receives it.

Every time it reinstalls the key it resets the incremental transmit packet number (nonce). By replaying message 3 and resetting the nonce, both the client and access point think they have not finished installing the key yet and thus will transmit data unencrypted. To express the complexity of the attack, all you need to do is to intercept one of the “message 3” messages sent by the access point and you are good to go to exploit KRACK. Anyone who can intercept traffic and replay the intercepted traffic can do this. Many tools exist for this purpose already, all you need to do is intercept the right message and start a replay attack and you are done.

 

ROCA

Next to KRACK you need to deal with the ROCA exploit. It is the return of the coppersmith’s attack. The vulnerability is in the generation of RSA keys used by a software library used in many different chips, tokens and smartcards. It enables a practical factorization attack by just using the public key. This is dangerous for one simple reason, RSA is made up of the factorization of two prime numbers. To calculate a key pair one needs to find the two prime numbers that make up the key. Combined with the ability to buy a lot of resources in a short amount of time through Amazon web services or Microsoft Azure, some keys could be found within 17 days!

How to mitigate the KRACK attack?

First of all, this vulnerability does not require you to replace any hardware. It is fixable through a software update. Second, update every device / OS like laptops, phones, desktops, servers, routers access points, switches, etc. Some vendors already published an update last week, others will be by this week and some plan to publish an update on short notice. Microsoft already released its update against these exploits on the 10th of October. The key point is that both clients and routers need to be fixed against KRACK.

What alternatives measures can I consider for KRACK?

Using ethernet instead of Wi-Fi. This is not a suitable solution for most of the companies since they are heavily relying on Wi-Fi. Another option is to make your employees aware about prioritizing encrypted internet traffic over unencrypted traffic. But in the end the best option is to update all devices / Operating Systems.

How to mitigate the ROCA attack?

ROCA is a bit more complicated to mitigate, we have to regenerate all keys that are generated prior to the update. Simply because the attack will still apply because the keys are already generated at that point! In case regenerating all keys is too much, there are tools to find out if the key is vulnerable. There are offline and online tools. We recommend downloading the offline tools and use them in a safe environment. At least following products are impacted: Infineon TPM chips, YubiKey, Google Chromebooks, Microsoft Windows, HP laptops, HP desktops, HP workstations, Lenovo, Fujitsu and countless others.

You should start by replacing those that are known to be practically factorizable, but eventually all RSA keys generated by the flawed library should go. Now you are secure again, you can use Wi-Fi and keep using RSA.

 

About the authors
  • Thom Otten

    Thom Otten is a Security consultant at Traxion, provider of Identity Centric Security Services in the Netherlands and Belgium with over 130 highly qualified professionals. Traxion is part of Swiss IT Security Group.

For more information or advice how to mitigate the risk of these vulnerabilities

For more information or advice how to mitigate the risk of these vulnerabilities

please contact us at sales.nl@traxion.com and sales.be@traxion.com.

Get in contact

In addition, here are some recommended reads:

Confidental Infomation