Thursday, August 27, 2009

New WPA with TKIP Exploit Presented in Paper

New WPA with TKIP Exploit Presented in Paper

Japanese researchers develop improved version of last year's WPA with TKIP exploit: (PDF) The researchers build on the work of Eric Tews and Martin Beck, in which those two German grad students figured out how to falsify short packets when the TKIP method of encryption was employed. Their method didn't crack a TKIP key, but relied on a weakness of TKIP's backwards compatibility with the thoroughly broken WEP security. For a thorough rundown of the Beck and Tews approach, see my Ars Technica article, Battered but Not Broken, and an article on this site, Don't Panic over WPA Flaw, But Do Pay Attention (both from Nov-2008).

I've had a chance to absorb the paper, A Practical Message Falsification Attack on WPA, by Toshihiro Ohigashi and Masakatu Morii, and I'm not convinced of its efficacy as an attack vector, but it's darned clever. It's been reported as WPA broken in under a minute! by some news sources. In fact, it requires a lot of pieces to be in the right places, and doesn't allow recovery of a WPA encryption passphrase.

The following gets reasonably technical, but I'll give you the conclusion upfront: if you have any concerns about network integrity, move to AES-CCMP, which requires WPA2 Personal for home and small office networks or WPA2 Enterprise for larger networks. Using AES-CCMP requires that all network equipment be from 2003 or later, more or less. Earlier equipment, if still in use, should either be upgraded to newer Wi-Fi adapters, switched to Ethernet only, or retired.

Now the technical bits.

In brief, Beck and Tews rely on a weakness from WEP that lets them substitute bytes in very short, well-known payloads, such as ARP (address resolution protocol) messages by testing changes in the checksum to first solve for the existing bytes, and then sending a falsified packet. Their method relies on 802.11e (Quality of Service), because that protocol establishes separate queues that can duplicate the sequence used in the initialization vector (IV) that's part of the cryptographic process. Clients (or stations) reject lower-numbered IVs than the current point in the sequence.

Ohigahi and Morii use a physical man-in-the-middle (MitM) as part of their solution. Instead of relying on QoS, the Japanese academics employ a directional antenna that lets them intercept and reuse an IV: the station only receives the falsified packet, and thus doesn't receive an out-of-sequence number. This mostly likely requires a directional antenna which can overpower the broadcast of the access point for a given client; it might also work with a distance omnidirectional access point and the attacker having a more powerful omni. The attacker typically acts as a signal repeater; most data is relayed with no changes, as in the classic MitM approach.

The 802.11 security protocols combined with a secure EAP flavor (such as PEAP) only defend against an MitM attack in which a malicious party is attempting to establish encrypted connections masquerading as a client to an access point and an access point to a client. With third-party certificates, that's impossible. However, a station that relays packets without being part of the encryption chain should work perfectly well.

The Ohiagi/Morii approach has other refinements, such as monitoring the network for periods of low usage and then switching from the pure repeater mode into a key recover mode in which the malicious party attempts to recover the encrypted checksum, blocking communication between the station and access point during this time, which then eliminates the incremental IV problem because the intermediate IVs aren't sent, and thus the QoS queues aren't needed.

They reduce the time necessary for a crack by making additional assumptions about ARP packets that let them solve for the checksum about 37 percent of the time, and check whether they've recovered the key. This reduces the time for what they call a communication blackout--no AP to client transmissions--to about a minute. If they fail to recover the checksum key, they don't send a falsified packet, and thus don't start triggering the checksum key reset.

By reducing the time necessary for an attack to succeed on average and eliminating the requirement of QoS being enabled, the researchers have made this process less academic and far more real. But it's important to remember that:

This is an exploit just for TKIP, and doesn't have applications for AES-CCMP.This is not TKIP key recover, but recovery for the MIC checksum used for packet integrity.So far, because of MIC key reset algorithms, this is still applicable only to short packets with mostly known data, such as ARP messages.

ARP forgery could allow an attacker to convince a client to use it as a gateway and perform DNS resolution through addresses that the attacker provides. Poisoning DNS would allow redirection, phishing, and some forms of interception.

However, the primary issue with this attack is that it requires close proximity and the right circumstances to intercept and relay communications. That makes it hard to generalize, and hard to apply in more than a limited fashion. We'll see how this continued hammering on TKIP continues, and whether further weaknesses enable an even simpler or faster approach.

iPhone in China Gets Wi-Fi-ectomy?Oasis will be missed by Ronaldo