wpa_supplicant fails group key attacks even after krack patch

David Park djpark121 at gmail.com
Sun Dec 3 14:04:27 PST 2017


Hi,

I downloaded and cross-compiled wpa_supplicant for ARM from commit
a0e3e22 which had all the patches relating to KRACK.

Using the vulnerability detection tool from the Wi-Fi Alliance, I am
now passing all the pairwise tests, but not the group key related
tests. Specifically, I am failing 4.1.3 and 4.2.1.

My Wi-Fi driver is part of the mainline kernel, interfacing with
mac80211 and cfg80211, so I would have thought all the KRACK
vulnerabilities would be completely handled by the wpa_supplicant
patches. Is there something I'm missing?

[17:30:38] Vulnerablity Detection Tool
[17:30:38] Version 1.1
[17:30:38] Note: disable Wi-Fi in network manager & disable hardware
encryption. Both may interfere with this script.
[17:30:39] Starting hostapd ...
Configuration file: ./hostapd.conf
Using interface wlan1 with hwaddr e8:94:f6:24:db:59 and ssid "test_client"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED
[17:30:40] Ready. Connect to this Access Point to start the tests.
Make sure the client requests an IP using DHCP!
wlan1: STA d0:c1:93:02:ed:72 IEEE 802.11: authenticated
wlan1: STA d0:c1:93:02:ed:72 IEEE 802.11: associated (aid 1)
[17:34:32] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
wlan1: AP-STA-CONNECTED d0:c1:93:02:ed:72
wlan1: STA d0:c1:93:02:ed:72 RADIUS: starting accounting session
70FD5AD6416A7E22
[17:34:32] d0:c1:93:02:ed:72: transmitted data using IV=1 (seq=0)
[17:34:34] d0:c1:93:02:ed:72: Hostapd: already installing pairwise key
[17:34:34] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:34] d0:c1:93:02:ed:72: transmitted data using IV=2 (seq=2)
[17:34:35] d0:c1:93:02:ed:72: DHCP reply 192.168.100.2 to d0:c1:93:02:ed:72
[17:34:35] d0:c1:93:02:ed:72: transmitted data using IV=3 (seq=1)
[17:34:35] d0:c1:93:02:ed:72: client has IP address -> testing for
group key reinstallation in the 4-way handshake
[17:34:35] d0:c1:93:02:ed:72: sent 1 broadcasts ARPs this interval
[17:34:35] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
from 192.168.100.1
[17:34:35] d0:c1:93:02:ed:72: DHCP reply 192.168.100.2 to d0:c1:93:02:ed:72
[17:34:35] d0:c1:93:02:ed:72: transmitted data using IV=4 (seq=2)
[17:34:36] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:36] d0:c1:93:02:ed:72: transmitted data using IV=5 (seq=3)
[17:34:37] d0:c1:93:02:ed:72: sent 2 broadcasts ARPs this interval
[17:34:37] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
from 192.168.100.1
[17:34:37] d0:c1:93:02:ed:72: received 1 replies to the replayed
broadcast ARP requests
[17:34:37] d0:c1:93:02:ed:72: transmitted data using IV=6 (seq=3)
[17:34:38] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:38] d0:c1:93:02:ed:72: transmitted data using IV=7 (seq=4)
[17:34:38] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
occured for one interval
[17:34:38] d0:c1:93:02:ed:72: transmitted data using IV=8 (seq=4)
[17:34:38] d0:c1:93:02:ed:72: transmitted data using IV=9 (seq=5)
[17:34:39] d0:c1:93:02:ed:72: sent 3 broadcasts ARPs this interval
[17:34:39] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
from 192.168.100.1
[17:34:39] d0:c1:93:02:ed:72: received 2 replies to the replayed
broadcast ARP requests
[17:34:39] d0:c1:93:02:ed:72: transmitted data using IV=10 (seq=6)
[17:34:40] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:40] d0:c1:93:02:ed:72: transmitted data using IV=11 (seq=5)
[17:34:41] d0:c1:93:02:ed:72: sent 4 broadcasts ARPs this interval
[17:34:41] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
from 192.168.100.1
[17:34:41] d0:c1:93:02:ed:72: received 3 replies to the replayed
broadcast ARP requests
[17:34:41] d0:c1:93:02:ed:72: transmitted data using IV=12 (seq=7)
[17:34:42] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:42] d0:c1:93:02:ed:72: transmitted data using IV=13 (seq=6)
[17:34:43] d0:c1:93:02:ed:72: got a reply to broadcast ARP during this interval
[17:34:43] d0:c1:93:02:ed:72: sent 1 broadcasts ARPs this interval
[17:34:43] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
from 192.168.100.1
[17:34:43] d0:c1:93:02:ed:72: received 4 replies to the replayed
broadcast ARP requests
[17:34:43] d0:c1:93:02:ed:72: transmitted data using IV=14 (seq=8)
[17:34:43] d0:c1:93:02:ed:72: transmitted data using IV=15 (seq=9)
[17:34:43] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
occured for one interval
[17:34:44] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:44] d0:c1:93:02:ed:72: transmitted data using IV=16 (seq=7)
[17:34:45] d0:c1:93:02:ed:72: sent 2 broadcasts ARPs this interval
[17:34:45] d0:c1:93:02:ed:72: sending broadcast ARP to 192.168.100.2
from 192.168.100.1
[17:34:45] d0:c1:93:02:ed:72: transmitted data using IV=17 (seq=10)
[17:34:45] d0:c1:93:02:ed:72: received 5 replies to the replayed
broadcast ARP requests
[17:34:45] d0:c1:93:02:ed:72: Received 5 unique replies to replayed
broadcast ARP requests. Client is vulnerable to group
[17:34:45]                    key reinstallations in the 4-way
handshake (or client accepts replayed broadcast frames)!
[17:34:46] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:46] d0:c1:93:02:ed:72: transmitted data using IV=18 (seq=8)
[17:34:48] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:48] d0:c1:93:02:ed:72: transmitted data using IV=19 (seq=9)
[17:34:48] d0:c1:93:02:ed:72: transmitted data using IV=20 (seq=11)
[17:34:48] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
occured for one interval
[17:34:50] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:50] d0:c1:93:02:ed:72: transmitted data using IV=21 (seq=10)
[17:34:52] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:52] d0:c1:93:02:ed:72: transmitted data using IV=22 (seq=11)
[17:34:54] d0:c1:93:02:ed:72: Hostapd: Resetting Tx IV of group key
and sending Msg3/4
[17:34:54] d0:c1:93:02:ed:72: transmitted data using IV=23 (seq=12)
[17:34:54] d0:c1:93:02:ed:72: no pairwise IV resets seem to have
occured for one interval
[17:34:54] d0:c1:93:02:ed:72: client DOESN'T seem vulnerable to
pairwise key reinstallation in the 4-way handshake (using standard
attack).
[17:34:54] Pairwise key test : NOT Vulnerable
[17:34:54] Group key test : Vulnerable
[17:34:54] Test Finished
[17:34:54] Closing hostapd and cleaning up ...
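
The tool's verdict in the log above allows two causes: the group key is reinstalled when Msg3/4 is retransmitted, or the receive path accepts replayed broadcast frames. The C model below is an added example, not code from this post, wpa_supplicant or any driver; every name and the key value are constructed. It shows that both causes give the same test result, and that skipping reinstallation only helps when the replay check is also enforced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a client's group-key receive path; not wpa_supplicant code. */
enum rx_mode { RX_REINSTALLS_GTK, RX_NO_REPLAY_CHECK, RX_HARDENED };
struct rx_state {
    enum rx_mode mode;
    uint8_t gtk[16];
    int have_gtk;
    uint64_t last_pn; /* highest packet number accepted under this GTK */
};

/* Runs for every Msg3/4 the AP sends, retransmissions included. */
static void install_gtk(struct rx_state *rx, const uint8_t gtk[16], uint64_t rsc)
{
    int same = rx->have_gtk && memcmp(rx->gtk, gtk, 16) == 0;
    if (same && rx->mode != RX_REINSTALLS_GTK)
        return; /* key already in use: keep the replay counter */
    memcpy(rx->gtk, gtk, 16);
    rx->have_gtk = 1;
    rx->last_pn = rsc; /* (re)installation resets the replay counter */
}

/* Returns 1 when a group-addressed frame with packet number pn is accepted. */
static int accept_broadcast(struct rx_state *rx, uint64_t pn)
{
    if (rx->mode != RX_NO_REPLAY_CHECK && pn <= rx->last_pn)
        return 0;
    rx->last_pn = pn;
    return 1;
}

/* AP side of the test: resend Msg3/4, then resend a broadcast with a used PN. */
static int replayed_frames_accepted(enum rx_mode mode, int rounds)
{
    static const uint8_t gtk[16] = { 0x47, 0x54, 0x4b }; /* constructed key */
    struct rx_state rx = { .mode = mode };
    int accepted = 0;
    install_gtk(&rx, gtk, 0);
    accept_broadcast(&rx, 1); /* first, legitimate broadcast */
    for (int i = 0; i < rounds; i++) {
        install_gtk(&rx, gtk, 0); /* retransmitted Msg3/4 */
        accepted += accept_broadcast(&rx, 1); /* PN 1 used again */
    }
    return accepted;
}
int main(void)
{
    for (int m = RX_REINSTALLS_GTK; m <= RX_HARDENED; m++)
        printf("mode %d: %d replays accepted\n", m, replayed_frames_accepted((enum rx_mode)m, 5));
    return 0;
}
```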
