New Attacks on WPA - Move Calmly Toward the ExitsBy CWNP On 09/11/2009 - 6 Comments
Recently, two announcements were published that detailed successful attacks against the integrity functions of the 802.11 wireless security mechanism known as TKIP (Temporal Key Integrity Protocol). These procedures do not reveal surprises, but instead highlight the known vulnerabilities inherent with the TKIP/Michael protocol since its inception. To be clear, these attacks are not designed to recover the encryption keys or to reveal the private data contained within TKIP protected frames. Instead, they focus on known weaknesses in the Michael integrity check algorithm, which could enable an intruder to insert customized test packets into a LAN from the wireless side in order to probe for traditional wired-side vulnerabilities. In addition, the new attacks could also be used to stage nuisance, denial-of-service attacks against WLANs and could hasten the advent of future exploits on the encryption keys.
To put this into proper perspective, its important to realize that TKIP and its integrated message integrity check (MIC) algorithm, named Michael, were never intended to be a long-term security solution, but only an interim, backwards-compatible upgrade to patch the famous failures of Wired Equivalent Privacy (WEP), the original 802.11 confidentiality algorithm. The 802.111 standard says, “To defend against active attacks, TKIP includes a MIC, named Michael. This MIC offers only weak defenses against message forgeries, but it constitutes the best that can be achieved with the majority of legacy hardware.” In other words, Michael was selected by the 802.11i Task Group, over other, stronger integrity algorithms, such as SHA-1, specifically because the electronics contained within legacy Wi-Fi adapters and access points were not capable of using stronger methods without suffering severe processing degradation resulting in slower throughput speeds. This compromise was determined to be acceptable in the context of the day (2004), since WPA was intended only as a stop-gap method meant to buy time until the industry could supplement the retail pipeline with the long-term, future-proof, Wi-Fi security solution that was even then in development. This enhanced solution is named CCMP, a high-performance, Wi-Fi compatible implementation of the venerable Advanced Encryption Standard (AES). Although CCMP is a better security solution for Wi-Fi, it requires additional on-board electronics to allow its intensive processing to occur without effecting data transfer rates.
Now that cryptographic researchers Beck – Tews2 and Ohigashi – Morii3 have demonstrated practical attacks that allow intruders to jam their feet in the door of TKIP/Michael protected systems, it is clear that the final push towards a complete CCMP upgrade should be planned and executed by SOHO, SMB, and Enterprise users of WLANs within the near future. However, this is not so much a clarion call as it is a gentle reminder that WPA was only intended to be a band-aid for an insufficient confidentiality mechanism (WEP) and that the real solution was and still is, CCMP. If TKIP were a movie theater, then we have our first whiff of smoke. Its time to start calmly moving towards the exits. __________________________________________________________________________________
Rick Murphy's Homepage:
1 IEEE 802.11 – 2007, 220.127.116.11 -
2 Practical attacks against WEP and WPA –
3 A Practical Message Falsification Attack on WPA –