New Attacks on WPA - Move Calmly Toward the Exits

By CWNP On 09/11/2009 - 6 Comments

Recently, two announcements were published that detailed successful attacks against the integrity functions of the 802.11 wireless security mechanism known as TKIP (Temporal Key Integrity Protocol). These procedures do not reveal surprises, but instead highlight the known vulnerabilities inherent in the TKIP/Michael protocol since its inception. To be clear, these attacks are not designed to recover the encryption keys or to reveal the private data contained within TKIP-protected frames. Instead, they focus on known weaknesses in the Michael integrity check algorithm, which could enable an intruder to insert customized test packets into a LAN from the wireless side in order to probe for traditional wired-side vulnerabilities. In addition, the new attacks could be used to stage nuisance denial-of-service attacks against WLANs and could hasten the advent of future exploits on the encryption keys.

To put this into proper perspective, it's important to realize that TKIP and its integrated message integrity check (MIC) algorithm, named Michael, were never intended to be a long-term security solution, but only an interim, backwards-compatible upgrade to patch the famous failures of Wired Equivalent Privacy (WEP), the original 802.11 confidentiality algorithm. The 802.11¹ standard says, “To defend against active attacks, TKIP includes a MIC, named Michael. This MIC offers only weak defenses against message forgeries, but it constitutes the best that can be achieved with the majority of legacy hardware.” In other words, Michael was selected by the 802.11i Task Group, over other, stronger integrity algorithms, such as SHA-1, specifically because the electronics contained within legacy Wi-Fi adapters and access points were not capable of using stronger methods without suffering severe processing degradation resulting in slower throughput speeds. This compromise was determined to be acceptable in the context of the day (2004), since WPA was intended only as a stop-gap method meant to buy time until the industry could supplement the retail pipeline with the long-term, future-proof Wi-Fi security solution that was even then in development. This enhanced solution is named CCMP, a high-performance, Wi-Fi compatible implementation of the venerable Advanced Encryption Standard (AES). Although CCMP is a better security solution for Wi-Fi, it requires additional on-board electronics to allow its intensive processing to occur without affecting data transfer rates.

Now that cryptographic researchers Beck-Tews² and Ohigashi-Morii³ have demonstrated practical attacks that allow intruders to jam their feet in the door of TKIP/Michael protected systems, it is clear that the final push towards a complete CCMP upgrade should be planned and executed by SOHO, SMB, and Enterprise users of WLANs within the near future. However, this is not so much a clarion call as it is a gentle reminder that WPA was only intended to be a band-aid for an insufficient confidentiality mechanism (WEP) and that the real solution was, and still is, CCMP. If TKIP were a movie theater, then we have our first whiff of smoke. It's time to start calmly moving towards the exits.
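As an added example (not part of the original post), one way to plan the CCMP upgrade is to inventory which networks still advertise TKIP by parsing the RSN and WPA information elements carried in captured beacon frames. The element IDs and cipher suite selectors follow IEEE 802.11 and the WPA vendor element; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Cipher suite types used with the RSN (00-0F-AC) and WPA (00-50-F2) OUIs
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"

def _suites(body, oui):
    """Parse version | group suite | pairwise count | pairwise list."""
    if len(body) < 8:
        raise ValueError("truncated element")
    (count,) = struct.unpack_from("<H", body, 6)  # little-endian count
    end = 8 + 4 * count
    if len(body) < end:
        raise ValueError("pairwise list truncated")
    def name(s):
        return CIPHERS.get(s[3], "type-%d" % s[3]) if s[:3] == oui else "vendor"
    return name(body[2:6]), [name(body[i:i + 4]) for i in range(8, end, 4)]

def audit_ies(ies):
    """Walk the tagged elements of a beacon; return (findings, uses_tkip)."""
    findings, pos = [], 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        pos += 2 + length
        if len(body) < length:
            raise ValueError("element overruns buffer")
        if eid == 48:                                    # RSN element (WPA2)
            findings.append(("RSN",) + _suites(body, RSN_OUI))
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # WPA vendor element
            findings.append(("WPA",) + _suites(body[4:], WPA_OUI))
    uses_tkip = any(g == "TKIP" or "TKIP" in p for _, g, p in findings)
    return findings, uses_tkip

# Constructed sample: SSID "corp", then a WPA element (TKIP) and a mixed-mode
# RSN element (group TKIP, pairwise CCMP + TKIP).
MIXED = bytes.fromhex(
    "0004" "636f7270"
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202"
    "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
# Constructed sample: RSN element offering CCMP only.
CCMP_ONLY = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for label, ies in (("mixed", MIXED), ("ccmp-only", CCMP_ONLY)):
        print(label, audit_ies(ies))
```

A network is only clear of TKIP when neither the pairwise list nor the group cipher names it; in mixed mode the group cipher falls back to TKIP even for clients that negotiate CCMP.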

Rick Murphy's Homepage: 

Source Article:

1 IEEE 802.11-2007

2 Practical attacks against WEP and WPA

3 A Practical Message Falsification Attack on WPA

Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of Certitrek, CWNP or its affiliates.
