Before Wired Equivalent Pricacy (WEP) encryption mechanism of Wi-Fi was fully broken, the industry acted quickly and pushed out a new Wi-Fi encryption scheme to the market called Wi-Fi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP). WPA had a number of security improvements over WEP and so far was considered to be fully secure. Looks like this is no longer quite the case as Martin Beck and Eric Tews have recently published a paper on how they have partly cracked WPA encryption.
Partly in this case means that under a number of circumstances, all not unrealistic, it is possible to recover the encryption key for the data stream the key STREAM for ONE very short and specific type of packet from the access point to a client device within about 12 minutes plus the key used for generating the message integrity code (MIC). The attack can't recover the key for the reverse direction so the attack can not be used so far to gain full access to the network. The attack is limited to ARP (address resolution protocol) management packets for which most of the content is known in advance.
In practice this means that the attacker can then send up to 7 freely constructed packets (each in one QoS chain) to a client device. It is NOT possible, however, to decrypt other packets with the knowledge gained. Things that could be done with this, however, is to trigger intrusion detection systems or to trick a client into some sort of action and reporting the result to the destination IP address given in the packet, which could be in the Internet. For details see their paper here.
Two remedies are suggested in the paper: One of the requirements for a successful attack is that the timer responsible to force a re-negotiation of the ciphering key is set to a value higher than 12 minutes, which is usually the case. Many access points, however, allow to set the timer to a lower value. Beck and Tews therefore suggest a timer value of 2 to 3 minutes.
Another way to prevent the attack is to use WPA2, which uses CCMP/AES (Advanced Encryption Standard). Most access points and devices sold in the past 12-24 months are capable of this 802.11i compliant authentication and encryption scheme. In my case, I had to update my Windows XP Service Pack 2 with this Microsoft Patch before I could activate WPA2.
Fortunately, most access points allow WPA/TKIP/RC4 and WPA2/CCMP/AES to run simultaneously. Thus, WPA and WPA2 capable devices can be used in the same network and a WPA device, while itself being vulnerable, does not compromise the security of WPA2 devices.
Since only the data flow from an access point to a device can be broken this way, Since only single ARP packets can be decrypted and only short packets can be injected the usefulnes of the attack is quite limited for the moment, unless, of course, somebody figures out how to open up the reverse direction. another loophole like triggering an IDS system or to exploit an OS vulnerability with the few short packets that can be sent without knowing the key.
Martin,
Please take a look at SecurityNow episode #170 (http://www.grc.com/securitynow ) Steve Gibson explanation about this "hack" makes it clear that we are overestimating this issue. BTW, TKIP stands for Temporal Key Integrity Protocol.
Cheers,
Edson
Posted by: Edson | November 26, 2008 at 08:26 PM
Hi Edson,
Thanks for commenting. The link you provided looks interesting, I'll listen to the podcast over the weekend.
Thanks also for the TKIP tip, indeed a mistake on my part. I've corrected it above.
Best regards,
Martin
Posted by: mobilesociety | November 27, 2008 at 02:48 PM
Hello all,
Edson's tip has been very useful and I had to change my post after listening to the podcast and reading the paper again. In the original article, I stated that the attack allowed to decrypt the data flow from the access point to a client. However, that is not correct, as it is only possible to decrypt a single ARP packet and then use the knowledge to send up to 7 short packets to the client. This is less severe than what I have understood originally.
I have 'striked through' the original passages which were wrong and inserted some more text to correct my mistake and to make things more clear. Sorry for the initial false information.
Martin
Posted by: mobilesociety | November 29, 2008 at 08:47 AM