[Merged] WPA-TKIP Broken

[level]

http://www.pcworld.com/businesscente...s_cracked.html

[imported_=Tron=]

Interesting to say the very least, although this only seems to apply to WPA-TKIP and not WPA-AES. Seems like we also have to wait until next week to get some more details on how much of a compromise this attack presents in its present form and whether it really can be taken further.

...
To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference's organizer.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack
...
The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a "mathematical breakthrough," that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

Tews is planning to publish the cryptographic work in an academic journal in the coming months, Ruiu said. Some of the code used in the attack was quietly added to Beck's Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

[terminal86]

Thx for the interesting link, i was very surprised when reading the storry.
I am curious to know what will happen within the next week when they make it public..I scent some chaos in some business.

[imported_Deathray]

Interesting read.
Imagine if in a few months, cracking WPA will become just as easy as WEP. That would be horrifying.

[thorin]

http://www.pcworld.com/businesscente...s_cracked.html

I hate journalists, lead with the headline "Once Thought Safe, WPA Wi-Fi Encryption Is Cracked", which is complete BS based on their later statements:

Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack.

So AP > PC we can send stuff or maybe see what's sent. PC > AP nuffin.

Although customers can adopt Wi-Fi technology such as WPA2 or virtual private network software that will protect them from this attack, there are still may devices that connect to the network using WPA, or even the thoroughly cracked WEP standard, he said.

Personally in the places I've worked we always suggest VPN for Wireless access if the information is sensitive.

[theberries]

Yes, very interesting. Thanks for the link.

[theberries]

I hate journalists, lead with the headline "Once Thought Safe, WPA Wi-Fi Encryption Is Cracked", which is complete BS based on their later statements:


So AP > PC we can send stuff or maybe see what's sent. PC > AP nuffin.

You weren't lying when you said you're a compulsive editor Was going to reply but no need now.

Got to love the jounalistic sensationalism though

[Shavx]

Well they do describe what a partial crack is,

There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

So obviously NOT BS if they can still pull of MIM attacks!

Now what I think IS BS is that they added some of the code quietly to Aircrack-ng! Unless quietly means they didnt add it to the ChangeLog.

[trevelyn]

Look at this:

There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

Which means reading a handshake, and the sent "bogus" information would be a fake deauthentication maybe, to get the handshake??

havent we been able to do this already? If the hash is in the wordlist you could break the WPA in milliseconds...

The onlything i can think of that would be different is that the deauth attack and handshake grab are scripted, (maybe mass deauth and sniff) and that the crack program randomly generates keys rather than use a dictionary file.. hey wait, i can code that.... hrmmm

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a "mathematical breakthrough,"

edit:
OHH i see..

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a "mathematical breakthrough,"

I'm glad we can test it out..

Tews is planning to publish the cryptographic work in an academic journal in the coming months, Ruiu said. Some of the code used in the attack was quietly added to Beck's Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

[theberries]

Changelog regarding the new attack:

http://trac.aircrack-ng.org/svn/trunk/ChangeLog

Specifically from the log:

* tkip-tun: New tool to inject on WPA1 with QoS enabled networks. Full description:
decrypt packets comming from the AP in a TKIP network, which uses QoS (ieee802.11e).
It also breaks the MIC Key for sending packets towards the Client correctly encrypted and signed.
Stores plaintext packet and keystream in seperate files.