WPA crack details revealed

Tom Espiner ZDNet.co.uk

Published: 10 Nov 2008 15:16 GMT


German researchers have published a paper that claims to give details of how to crack the Wi-Fi Protected Access encryption standard.

A proof-of-concept tool to crack Wi-Fi Protected Access (WPA) has also been published by the researchers, Martin Beck of the Technical University of Dresden, and Erik Tews of the Technical University of Darmstadt.

The research paper, Practical attacks against WEP and WPA, was published on Saturday. It gives details of how the researchers used a modified Wired Equivalent Privacy (WEP) attack against WPA.

WPA can use two protocols to protect the payload: Temporal Key Integrity Protocol (TKIP) and AES-CCMP. Tews and Beck concentrated on compromising TKIP, and claim to have done so by modifying a 'chopchop' attack against WEP.

A chopchop attack works by removing one byte of data from a WEP-encrypted packet, substituting guessed values for that byte and recalculating the encryption checksum accordingly. The modified packets are then sent to an access point, which simply discards them until the attacker eventually supplies one with a valid checksum.
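The step "recalculating the encryption checksum" is possible without the key only because WEP's ICV is a plain CRC-32, which is affine over XOR. The toy below, added here as an illustration and not code from the paper or the article, encrypts a payload plus ICV under a stand-in stream cipher (SHA-256 in counter mode rather than RC4, since the argument only needs plaintext XOR keystream), shows that a bit change in the ciphertext can be paired with a key-independent correction of the encrypted ICV so the receiver's check still passes, and contrasts it with a keyed MAC (HMAC-SHA256 truncated to eight bytes) where no such correction exists. The key, the payload and the helper names are all constructed for the example.

```python
import binascii
import hashlib
import hmac

# Constructed demonstration (not from the paper or the article): why a CRC-32
# integrity value under a stream cipher can be recomputed without the key,
# and why a keyed MAC does not share that weakness.


def crc32_icv(data: bytes) -> int:
    """WEP-style ICV: plain CRC-32 of the payload."""
    return binascii.crc32(data) & 0xFFFFFFFF


def keystream(length: int, key: bytes) -> bytes:
    """Stand-in stream-cipher keystream (SHA-256 in counter mode).
    WEP/TKIP use RC4, which is not in the standard library; the argument only
    needs the fact that ciphertext = plaintext XOR keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_icv(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt plaintext || CRC-32(plaintext), the WEP layout."""
    body = plaintext + crc32_icv(plaintext).to_bytes(4, "little")
    return _xor(body, keystream(len(body), key))


def decrypt_and_verify_icv(ciphertext: bytes, key: bytes):
    """Returns (plaintext, icv_ok): what a receiver that checks only the ICV sees."""
    body = _xor(ciphertext, keystream(len(ciphertext), key))
    plaintext, icv = body[:-4], int.from_bytes(body[-4:], "little")
    return plaintext, crc32_icv(plaintext) == icv


def modify_and_fix_icv(ciphertext: bytes, delta: bytes) -> bytes:
    """Flip the plaintext bits set in `delta` and correct the encrypted ICV
    without knowing the key. CRC-32 is affine over XOR for equal lengths:
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0)
    so the change to the ICV depends only on the delta, not on p or the key."""
    icv_delta = crc32_icv(delta) ^ crc32_icv(bytes(len(delta)))
    return _xor(ciphertext, delta + icv_delta.to_bytes(4, "little"))


# Hardened form: a keyed MAC (HMAC-SHA256, truncated to 8 bytes) under a key
# separate from the encryption key. Flipping ciphertext bits still flips the
# plaintext, but there is no key-independent way to correct the tag.

def _mac_key(key: bytes) -> bytes:
    return hashlib.sha256(b"mac|" + key).digest()


def encrypt_with_mac(plaintext: bytes, key: bytes) -> bytes:
    tag = hmac.new(_mac_key(key), plaintext, hashlib.sha256).digest()[:8]
    body = plaintext + tag
    return _xor(body, keystream(len(body), key))


def decrypt_and_verify_mac(ciphertext: bytes, key: bytes):
    body = _xor(ciphertext, keystream(len(ciphertext), key))
    plaintext, tag = body[:-8], body[-8:]
    expected = hmac.new(_mac_key(key), plaintext, hashlib.sha256).digest()[:8]
    return plaintext, hmac.compare_digest(tag, expected)


def demo():
    key = b"constructed-demo-key"  # placeholder, not a real key
    plaintext = b"GET / HTTP/1.0"
    # change byte 4 ('/') to 'X' in the plaintext; everything else untouched
    delta = bytearray(len(plaintext))
    delta[4] = ord("/") ^ ord("X")
    delta = bytes(delta)

    icv_result = decrypt_and_verify_icv(
        modify_and_fix_icv(encrypt_with_icv(plaintext, key), delta), key)
    mac_result = decrypt_and_verify_mac(
        _xor(encrypt_with_mac(plaintext, key), delta + bytes(8)), key)
    return icv_result, mac_result


if __name__ == "__main__":
    print(demo())  # ICV check passes on the altered packet; the MAC check fails
```

Running `demo()` shows the receiver accepting the altered packet when it trusts the CRC-32 ICV and rejecting it when a keyed MAC is used; the same linearity is what lets chopchop adjust the checksum after substituting a byte, which is why the researchers could treat the ICV as something to "verify against" rather than an obstacle.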

The attack against WPA works by exploiting a flaw in TKIP. An attacker first captures traffic, looking for an Address Resolution Protocol (ARP) request or response. These short packets contain an eight-byte Message Integrity Check (MIC), called 'Michael', plus a four-byte Integrity Check Value (ICV) checksum, both used to ensure the integrity of the packet. If an access point receives two bad Michael checksums within 60 seconds, it will exchange new keys with every client. If a client receives two bad Michael checksums within 60 seconds, it will shut down and then request a new key exchange with the access point. However, according to the researchers, both Michael and ICV can be cracked using the chopchop technique if the attacker waits at least 60 seconds between test packets, so that no two failures ever fall inside the same 60-second window.

"Within a little bit more than 12 minutes, the attacker can decrypt the last 12 bytes of plaintext (MIC and ICV)," wrote the paper's authors. "To determine the remaining unknown bytes (exact sender and receiver IP addresses), the attacker can guess the values and verify them against the decrypted ICV."

In an email interview with ZDNet UK on Friday, Tews wrote that Beck had the idea of modifying chopchop to decrypt single WPA packets.

"Chopchop is a very old attack on WEP which allows the decryption of a single packet in a WEP-protected network without recovering the secret key," wrote Tews. "Martin Beck found out that the attack can be modified to work against TKIP-protected networks. Here, a client system is used as a kind of oracle to find out information about the plaintext of packets and about keys used."

Tews wrote that WPA had not been completely compromised, as the attack only allows decryption at a rate of one byte of plaintext per minute, while the rate of packets that can be sent for testing is similarly low.

However, some security experts warned that IT professionals should upgrade to WPA2 as a matter of urgency. Raul Siles, an incident response handler for the security training organisation the SANS Institute, wrote that "it is important to highlight that [proof-of-concept] exploit code is available".

"The recommendation is simple: migrate to WPA2," wrote Siles in a blog post.

Mitigation recommendations from the SANS Institute include reducing key-renewal intervals and checking for multiple Michael failure messages. Siles also wrote on his personal blog that IT professionals should switch to using the AES protocol instead of TKIP.
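"Checking for multiple Michael failure messages" needs a longer view than TKIP's built-in countermeasure, because the attack described above paces its test packets to stay just outside the 60-second window. The script below is an added example, not SANS's or the researchers' code: it parses a constructed log (the line format is invented here; real access points and controllers log MIC failures in their own formats, so `LINE_RE` would need adapting) and counts Michael failures per station in a sliding window. Genuine MIC failures are rare, so the same events that never trip the 60-second/2-failure countermeasure stand out clearly when counted over ten minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The format is invented for this example; adapt
# LINE_RE to whatever your access point or controller actually emits.
SAMPLE_LOG = """\
2008-11-10T14:00:00Z ap-lab1 sta=aa:bb:cc:dd:ee:01 event=MIC_FAILURE
2008-11-10T14:00:30Z ap-lab1 sta=aa:bb:cc:dd:ee:02 event=MIC_FAILURE
2008-11-10T14:00:45Z ap-lab1 sta=aa:bb:cc:dd:ee:03 event=ASSOC
2008-11-10T14:01:05Z ap-lab1 sta=aa:bb:cc:dd:ee:01 event=MIC_FAILURE
2008-11-10T14:02:10Z ap-lab1 sta=aa:bb:cc:dd:ee:01 event=MIC_FAILURE
2008-11-10T14:03:15Z ap-lab1 sta=aa:bb:cc:dd:ee:01 event=MIC_FAILURE
2008-11-10T14:04:20Z ap-lab1 sta=aa:bb:cc:dd:ee:01 event=MIC_FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<ap>\S+) "
    r"sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) event=(?P<event>\S+)$"
)


def parse_events(log_text):
    """Parse log lines into (timestamp, ap, station, event) tuples.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ap"], m["sta"], m["event"]))
    return events


def mic_failure_alerts(events, window_seconds, threshold):
    """Sliding-window count of MIC failures per (ap, station).
    Returns one (timestamp, ap, station, count) tuple for every failure at
    which the number of failures inside the window reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = []
    for ts, ap, sta, event in sorted(events):
        if event != "MIC_FAILURE":
            continue
        q = recent[(ap, sta)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, ap, sta, len(q)))
    return alerts


def compare_windows(log_text=SAMPLE_LOG):
    """Same events, two windows: TKIP's own countermeasure rule versus a
    longer monitoring window that catches failures paced to avoid it."""
    events = parse_events(log_text)
    countermeasure = mic_failure_alerts(events, 60, 2)   # two failures in 60 s
    slow_pattern = mic_failure_alerts(events, 600, 3)    # three failures in 10 min
    return countermeasure, slow_pattern


if __name__ == "__main__":
    fast, slow = compare_windows()
    print("countermeasure window (60 s, 2 failures):", fast)
    for ts, ap, sta, count in slow:
        print(f"{ts:%H:%M:%S} {ap} {sta}: {count} MIC failures in 10 min")
```

With the sample log, the 60-second rule never fires (the failures from station `…:01` are 65 seconds apart), while the ten-minute window raises an alert from the third failure onward. Such an alert is a cue to apply the other two recommendations on this page: shorten the key-renewal interval and move the affected network from TKIP to AES-CCMP.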
