Possible PTK compromise after GTK rekeying

Antonio Quartulli antonio
Fri Nov 15 07:28:47 PST 2013


Hello list,

I am running hostapd-20120428 on OpenWrt and it is exhibiting a strange
encryption issue (I am using WPA mixed mode: WPA/WPA2).

The symptom is that some Windows clients are losing their connectivity
after a GTK refresh (often after the first, but not necessarily).

I captured the traffic from another host and decrypted it with Wireshark and the
PSK. To keep it simple, I filtered for (eapol || arp), and what I can immediately
see is that before the GTK rekeying both ARP requests and replies are properly
decrypted, while after the rekeying I only see ARP requests: Wireshark has not
been able to decrypt the ARP replies.

Looking at the ARP traffic pattern, I can tell that the STA is also unable to
decrypt these replies (the STA keeps sending requests, first unicast, then
broadcast, as expected from the ARP state machine when no reply is received).

From a high-level point of view, it looks like the GTK rekeying is somehow
breaking the PTK on hostapd, so that outgoing packets are no longer encrypted
properly.

It happens with different clients at different times.

The only way to recover is to disconnect and reconnect. Either the client does
that on its own, or on the next GTK rekeying hostapd kicks out the STA, since it
does not reply to the EAPOL GTK 1/2 message.


Have you ever seen this strange behavior? If so, has it already been fixed in a
later release?


Thanks in advance for any feedback.


Regards,


-- 
Antonio Quartulli
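The diagnostic described in this post (decrypt the capture with the PSK, filter for eapol || arp, and watch whether ARP replies to a station disappear after the group-key handshake) can be automated. What follows is an added example, not code from the post or from hostapd: it parses a constructed approximation of tshark field output, starts a new epoch at every Group Key Handshake message 1/2 delivered to the station, and flags epochs in which the station's ARP requests go unanswered and are re-sent as broadcasts. The tshark field names are real; the sample lines, MAC addresses and IP addresses are hypothetical.

```python
"""Flag the 'ARP replies vanish after a GTK rekey' pattern in a decrypted capture.

Added example (not from the post or from hostapd). The input approximates the
tab-separated output of:

  tshark -r cap.pcap -Y "eapol || arp" -T fields -E separator=/t \
      -e frame.time_relative -e eapol.keydes.key_info -e arp.opcode \
      -e wlan.sa -e wlan.da -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4

run on a capture Wireshark has already decrypted with the PSK, so frames that
could not be decrypted never show up as ARP at all.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# EAPOL-Key "Key Information" bits (IEEE 802.11 EAPOL-Key frame format).
KEY_INFO_KEY_TYPE = 0x0008  # 1 = pairwise key, 0 = group key
KEY_INFO_KEY_ACK = 0x0080   # set on messages the authenticator (AP) sends

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Hypothetical addresses for the constructed sample below.
AP = "02:00:00:00:aa:01"
STA = "02:00:00:00:bb:02"
GW = "02:00:00:00:cc:03"
STA_IP, GW_IP = "192.0.2.20", "192.0.2.1"

# Constructed sample: 4-way handshake, two answered ARP requests, a GTK rekey
# (message 1/2 = 0x1382, message 2/2 = 0x0302), then a unicast ARP request
# that gets no decryptable reply and is retried as broadcast.
SAMPLE = (
    f"0.000\t0x008a\t\t{AP}\t{STA}\t\t\n"
    f"0.010\t0x010a\t\t{STA}\t{AP}\t\t\n"
    f"0.020\t0x13ca\t\t{AP}\t{STA}\t\t\n"
    f"0.030\t0x030a\t\t{STA}\t{AP}\t\t\n"
    f"5.000\t\t1\t{STA}\t{GW}\t{STA_IP}\t{GW_IP}\n"
    f"5.002\t\t2\t{GW}\t{STA}\t{GW_IP}\t{STA_IP}\n"
    f"60.000\t\t1\t{STA}\t{BROADCAST}\t{STA_IP}\t{GW_IP}\n"
    f"60.003\t\t2\t{GW}\t{STA}\t{GW_IP}\t{STA_IP}\n"
    f"600.000\t0x1382\t\t{AP}\t{STA}\t\t\n"
    f"600.010\t0x0302\t\t{STA}\t{AP}\t\t\n"
    f"605.000\t\t1\t{STA}\t{GW}\t{STA_IP}\t{GW_IP}\n"
    f"606.000\t\t1\t{STA}\t{BROADCAST}\t{STA_IP}\t{GW_IP}\n"
    f"607.000\t\t1\t{STA}\t{BROADCAST}\t{STA_IP}\t{GW_IP}\n"
)


@dataclass
class Frame:
    t: float
    key_info: Optional[int]   # EAPOL-Key Key Information; None for non-EAPOL frames
    arp_opcode: Optional[int]  # 1 = request, 2 = reply; None for non-ARP frames
    sa: str
    da: str
    sip: str
    tip: str


def parse(dump: str) -> List[Frame]:
    """Turn the tab-separated field dump into Frame records (empty field = absent)."""
    frames = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        t, ki, op, sa, da, sip, tip = line.split("\t")
        frames.append(Frame(float(t), int(ki, 16) if ki else None,
                            int(op) if op else None, sa.lower(), da.lower(), sip, tip))
    return frames


def is_gtk_msg1(f: Frame) -> bool:
    """Group Key Handshake 1/2: Key Type = group (bit clear) and Key Ack set (from AP)."""
    return (f.key_info is not None
            and not (f.key_info & KEY_INFO_KEY_TYPE)
            and bool(f.key_info & KEY_INFO_KEY_ACK))


@dataclass
class Epoch:
    """ARP activity of one station between two GTK rekeys."""
    start: float
    requests: int = 0
    broadcast_retries: int = 0  # broadcast re-asks of a target already asked by unicast
    replies: int = 0

    @property
    def suspect(self) -> bool:
        # The station keeps asking and nothing decryptable ever comes back.
        return self.requests > 0 and self.replies == 0


def analyse(frames: List[Frame], sta: str) -> List[Epoch]:
    """Split the capture at each GTK 1/2 sent to `sta` and tally its ARP traffic per epoch."""
    epochs = [Epoch(start=0.0)]      # epoch 0 runs from association to the first rekey
    unanswered: Set[str] = set()     # target IPs the station asked for by unicast
    for f in frames:
        if is_gtk_msg1(f) and f.da == sta:
            epochs.append(Epoch(start=f.t))
            unanswered = set()
            continue
        cur = epochs[-1]
        if f.arp_opcode == ARP_REQUEST and f.sa == sta:
            cur.requests += 1
            if f.da == BROADCAST:
                if f.tip in unanswered:
                    cur.broadcast_retries += 1
            else:
                unanswered.add(f.tip)
        elif f.arp_opcode == ARP_REPLY and f.da == sta:
            cur.replies += 1
            unanswered.discard(f.sip)
    return epochs


def suspect_epochs(dump: str, sta: str) -> List[int]:
    """Indices of epochs (0 = before any rekey) showing the symptom."""
    return [i for i, e in enumerate(analyse(parse(dump), sta)) if e.suspect]


if __name__ == "__main__":
    for i, e in enumerate(analyse(parse(SAMPLE), STA)):
        flag = "SUSPECT: replies stopped after rekey" if e.suspect and i else ""
        print(f"epoch {i} from t={e.start:>8.3f}s: {e.requests} requests "
              f"({e.broadcast_retries} broadcast retries), {e.replies} replies {flag}")
```

An epoch that starts at a rekey and shows unicast requests, broadcast retries and zero replies, for a station that was answered before the rekey, is the pattern the post describes. Silence can also mean the target host is simply down, so compare the same epoch across several stations before blaming the PTK; and since only decryptable frames appear as ARP, the capture has to include the station's 4-way handshake for Wireshark to decrypt it at all.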