Wireless Security
All Ur WiFi(WPA) R Belong 2 PacSec Nov 07 2008 06:57AM
Dragos Ruiu (dr kyx net) (1 replies)
Re: All Ur WiFi(WPA) R Belong 2 PacSec Nov 08 2008 04:53AM
Richard Farina (sidhayn gmail com) (1 replies)
Inline

Dragos Ruiu wrote:
> Just as a heads up, one of the author(s) of the first practical crypto
> attack against WPA secured wireless networks, besides
> launching a dictionary attack when weak pre-shared keys (PSK)
> are used, Erik Tews, will be speaking at PacSec in Tokyo, on
>
Please note, Erik Tews and Martin Beck are co-authors on this attack.
> Thursday next week. More specifically, his attack uses a
> combination of protocol weaknesses and cryptographic
> weaknesses to compromise TKIP encryption. The attack
> lets the attacker inject seven packets into the network,
>
I believe it is up to 15 packets depending on client implementation. I
know that sounds a bit odd, but section 6.1.1.2 of IEEE 802.11-2007
explains a bit about it. A bit beyond my understanding and it would
seem like the clients shouldn't allow it, but I'm told it sometimes
works for 15 packets.
> per decrypt window. It's an interesting attack, because it
> also hints at other attack forms, so it is rather open
> ended research.
>
> You should discontinue use of TKIP is my recommendation.
>
> The problem with this is that most AP implementations that
> I have seen will automatically drop back to TKIP from CCMP(AES)
> to support older clients. You should disable this if you are
> given the option on your AP or WiFi router configuration.
> Unfortunately how to do this varies on each router's
> configuration systems, and some routers do not
> provide facilities to do this.
>
> If you aren't given the option to disable this, you might want
> to think about getting a different Access Point or WiFi Router. :-)
>
> You should seriously consider using some higher level
> encryption facilities such as a VPN, IPsec, or SSH
> to secure your communications over wireless.
> Look at ssh -D <port> (or equivalent putty options)
> to a wired host and the socks proxy options on
> your browser to use that port on localhost, when
> surfing over wireless.
>
> On some equipment CCMP is called WPA2 and TKIP is WPA.
> The WPA spec leaves support of CCMP(AES) optional
> while the WPA2 spec mandates both TKIP and AES
> capability.
>
> Important WPA/WPA2 Recommendations:
>
> -Use only CCMP(AES).
> -Disable Negotiations to TKIP from CCMP(AES).
> -If you must use TKIP, rekey every 120 seconds.
>
> Quote:
> To prevent this attack, we suggest using a very short rekeying time,
> for example 120 seconds or less. ... The best solution would be
> disabling TKIP and using a CCMP only network.
>
> Oh, P.S. AFAIK some of the code to do this attack is out :).
>
>
The attack code has actually been in Aircrack-ng's svn for a while. The
documentation explaining how to use it (as well as the actual paper)
should be on the Aircrack-ng website soon.

-Rick Farina
> If you want to find out more, you have to come to PacSec. :-)
> The details are fairly intricate but the bottom line is above.
> Consider yourselves duly warned.
>
> cheers,
> --dr
>
>

Re: All Ur WiFi(WPA) R Belong 2 PacSec Nov 09 2008 03:27PM
Joshua Wright (jwright hasborg com)







 

Copyright 2008, SecurityFocus