[Merged] WPA-TKIP Broken

[trevelyn]

OMG im so excited!!

[hm2075]

also found this translated if it makes sense

http://www.secuobs.com/news/06112008-tkiptun.shtml

It is now possible to break the party encryption standard WPA (Wi-Fi Protected Access - see our article on the Safety of WI-FI - http link internal url: [click]) which is currently used by many point wireless access, it would be possible to send false information from this access point to a remote computer with this new attack.

The details of the attack are not yet publicly known, however, Erik Tews and Martin Beck had planned to carry out a "Gone in 900 seconds, Some Issues with Crypto WPA" on this matter at the next conference PacSec (external link http url : [Click]) to be held in Tokyo next week.

In this presentation, the two researchers demonstrate how it should be possible to visualize data traffic from a wireless access point to a remote computer, and not vice versa, using an encrypted WI-FI with the WPA.

According Dragos Ruiu, the conference organizer PacSec as conferences EuSecWest (external link http url: [click]), CanSecWest (external link http url: [click]) and BA-Con (external link http url: [click ]) Is especially key TKIP (Temporal Key Integrity Protocol - see our article on the Safety of WI-FI - http link internal url: [click]) could be broken in less than fifteen minutes, however, would be here "and" the relative safety data exchanged from the access point would be to consider and not on data from the remote computer to it.

The key to decrypt the data from the remote computer to the access point they have about anyway "not yet" been broken where the partial aspect of this new attack would nonetheless step forward in terms of breaking encryption for a future compromise total.

In addition, some codes related to this new attack had already been included so quiet in the latest version of the tool Aircrack-ng (external link http url: [click]), one of the presenter, Martin Beck, making from the development team for this project.

On the site of Aircrack-ng, you can now find the new utility in question (Tkiptun-ng - external link http url: [click]), which is only available on the CVS version (installation instructions - http link External url: [click]).

[hm2075]

so its not really broken
http://arstechnica.com/articles/paed...-cracked.ars/2

its a long article

[level]

Here's some more information:

http://dl.aircrack-ng.org/breakingwepandwpa.pdf

[Revelati]

So from what I understand, this attack works one way and only with small packets like ARP packets. And that you can only use it for between 8 and 15 packet streams at a time before needing to decode it all over again. This attack DOES NOT reveal the actual key, but instead allows you to send specially formed packets to the client.

So my question is, why does this only work AP/Client and not Client/AP? Shouldn't the methodology work both ways?

Also, It said in one of the articles that ARP poisoning would be trivial. However if you can only decrypt the traffic one way you would only be able to sniff a few DNS queries every 10-15 minutes and cause a DOS or forced reconnect the rest of the time?

Its not quite the silver bullet of WPA cracks like press is yelling, but with some more research and some information on this "mathematical breakthrough" it would seem as if TKIP's walls are crumbling.

[compaq]

So from what I understand, this attack works one way and only with small packets like ARP packets. And that you can only use it for between 8 and 15 packet streams at a time before needing to decode it all over again. This attack DOES NOT reveal the actual key, but instead allows you to send specially formed packets to the client.

So my question is, why does this only work AP/Client and not Client/AP? Shouldn't the methodology work both ways?

Also, It said in one of the articles that ARP poisoning would be trivial. However if you can only decrypt the traffic one way you would only be able to sniff a few DNS queries every 10-15 minutes and cause a DOS or forced reconnect the rest of the time?

Its not quite the silver bullet of WPA cracks like press is yelling, but with some more research and some information on this "mathematical breakthrough" it would seem as if TKIP's walls are crumbling.
__________________

I think its based on the birthday attack. Say you send a packet "abcdefghijklmnopqrstuvwyxz", and get the AP to then say no i couldn't understand you packet "abcdefghijklmnopqrstuvwyxz"(in there key), then you would beable to sniff an packet from the AP with "hello what you doing" and use the packet it sent back to decode the message. Or craft your own packet and send it to the cleint, with the same encryption that the AP gave you.
Maybe the cleint won't repley if you send it a packet which it can't decode?

[hm2075]

either way I don't think its going to be a full blown crack

[level]

Here's the tutorial from the aircrack-ng site:

http://www.aircrack-ng.org/doku.php?id=tkiptun-ng

[Mortifix]

Has anyone used this yet?

[vertigo]

I will say, that word sequence "Crack WPA" is very loudly...

This is a TKIP flaw... and Tews-Becker attack is based on old fashioned Korek's chopchop inductive packet guess idea. Idea is realized in aircrack-ng -4 tool against WEP (DWEP) an is very impressive: don't look for encryption key itself, find out short keystream to perform packet injectiion with arp(icmp) packets afterward.

TKIP utilize RC4 encryption with MIC(michael) packet integrity. In WEP case, if inductive guess is correct, AP answer is positve, in TKIP case, if packet guess is correct, but MIC fails, AP respond with: wait a 1 minute.

And so, there are 14 unknown arp packet bytes - MIC 8bytes, ICV 4 bytes and 2 last bytes from ip packet source and destination adreses ( ex. 192.168.1.X)and less than 15 minutes need to discover full arp packet.

Attack is very limited and employed in DoS attacks with arpd(dns, icmp ) packet injection.
This type of attack affect WPA(WPA2) +TKIP but not CCMP.

Recommendation: move to WPA2 + CCMP