Analysis: As security researchers prepare to discuss how they were able to subvert the WPA wireless security standard, eWEEK Labs outlines what this means to wireless administrators.
At the PacSec conference in Tokyo
the week of Nov. 10, researchers Erik Tews and Martin Beck will outline the
attack they created to subvert WPA wireless security protections.
Although the attack is limited in scope at this time-as it only affects TKIP
(Temporal Key Integrity Protocol)-protected networks and can only be used to
inject traffic but not to steal data-there is sure to be significant confusion
about the effects of the attack.
In this article, I have outlined five points about the attack and its
consequences that are crucial for wireless administrators to understand-about
how it works, what its limits are, and what can be done to protect wireless
networks and the data they carry from attackers.
First of all
, the attack by Tews and Beck only works against networks
protected with TKIP. TKIP, originally called WEP2, was an interim standard
adopted to allow wireless users to have an upgrade from the broken WEP (Wired
Equivalent Privacy) protocol that lets them protect their wireless data without
requiring an investment in new hardware. TKIP took the basics of WEP (and
therefore uses the same RC4 stream cipher), enforced a longer encryption key, added
per-packet keys, boosted the Initialization Vector used to generate keys from
24-bit to 48-bit in length, and added a new Integrity Check checksum (called
It is Michael that is at the root of the new attack. The attack, which
leverages a modified chop-chop attack that allows the decryption of individual
packets without cracking the Pairwise Master key (the shared secret between
clients and the network used for encryption), goes after the Pairwise Transient
Key protecting the session in order to interpret very small packets (like an
ARP) of just a few bytes of unknown data.
The attacker must probe cautiously because Michael will shut down a device
for 60 seconds and rekey if it sees two Michael errors within a minute.
However, because there is little to guess in these small packets, the attacker
only needs to spend a few minutes (12 to 15 minutes, from what I understand)
probing Michael until it stops returning errors. At that point, the attacker
can then go to work with the chop-chop attack to get past the integrity check
built into the original WEP (that TKIP still uses).
AES-protected networks, on the other
hand, are immune to this attack, as AES uses
an entirely different keying method called CCMP
(Counter Mode with Cipher Block Chaining Message Authentication Code Protocol).