On Mon, Oct 16, 2017 at 12:58:45PM +0200, Stefan Sperling wrote:
> On Mon, Oct 16, 2017 at 12:45:24PM +0200, Erik van Westen wrote:
> > But did every manufacturer make the same mistake then?
>
> Yes.

To sum up what I know:
- WPA2 is still sound cryptographically;
- there was no formal analysis of the protocol itself, in terms of exchanged messages; most everybody forgot that bugs in there can be as deadly as cryptographic error.
- in some cases, you get some stuff to resend, but it should repeat the same thing, so not a bug per se;
- WPA2 strongly suggests zeroing memory areas that used to hold secrets.

The common implementation error is to zero some memory areas holding secrets that you have to retransmit, thus leading to establishing a bunch of zeroes as an actual secret.
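
The implementation error described in the message above, reduced to a simplified model. This is an added example, not part of the original message and not code from any real WPA2 implementation; `hs_state`, `install_flawed`, `install_hardened` and the sample secret are hypothetical names and values constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define KEY_LEN 16

/* Hypothetical toy model of a client's handshake state (not real supplicant code). */
struct hs_state {
    unsigned char derived[KEY_LEN];   /* secret produced by the handshake */
    unsigned char installed[KEY_LEN]; /* key currently used for traffic */
    int key_installed;                /* consulted only by the hardened path */
};

/* Flawed: wipe the only copy of the secret after installing it, so a
 * retransmitted install message installs the wiped buffer. */
static void install_flawed(struct hs_state *s)
{
    memcpy(s->installed, s->derived, KEY_LEN);
    memset(s->derived, 0, KEY_LEN);
}

/* Hardened: still wipe, but treat a repeated install as already done. */
static void install_hardened(struct hs_state *s)
{
    if (s->key_installed)
        return;
    memcpy(s->installed, s->derived, KEY_LEN);
    memset(s->derived, 0, KEY_LEN);
    s->key_installed = 1;
}

/* Deliver the install message twice (original plus retransmission);
 * return 1 if the key in use ended up as all zeroes. */
static int zero_key_after_retransmit(void (*install)(struct hs_state *))
{
    struct hs_state s = {0};
    memset(s.derived, 0xA5, KEY_LEN); /* constructed sample secret */
    install(&s);
    install(&s);
    for (int i = 0; i < KEY_LEN; i++)
        if (s.installed[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("flawed:   zero key = %d\n", zero_key_after_retransmit(install_flawed));
    printf("hardened: zero key = %d\n", zero_key_after_retransmit(install_hardened));
    return 0;
}
```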

