Saturday, February 27, 2010

Another, Better TKIP Attack That's Still Limited


Martin Beck has an enhanced attack against TKIP: One of the two researchers who brought us the TKIP Michael packet integrity attack has a refined technique. Beck's paper, "Enhanced TKIP Michael Attacks" [PDF download], describes how to work around certain assumptions in the MIC (Michael) checksum, which is used to ensure a packet hasn't been tampered with, in order to insert truly massive hunks of data without breaking a TKIP key.

For certain kinds of routine network traffic, enough data is already known in the right circumstances to brute force one missing piece and insert from 120 to 568 bytes, if I read the paper right. The Michael checksum isn't changed, but the packet is inserted as a fragment before a correctly checked hunk of data, so the receiver has no suspicion of tampering.

Worse, this technique can be used in some cases to decrypt data headed to the client, even though the TKIP key hasn't been recovered.

As with the previous attack, a lot of stars have to be in alignment. The biggest requirement is that TKIP has to be the key type, not AES-CCMP. An attacker has to be proximate to sniff traffic and inject packets. The router has to be running Linux, as many Wi-Fi routers do. The router doesn't need to be compromised; there's a particular Wi-Fi packet sequence that's more predictable, and thus easier to use in the attack. Network QoS (802.11e/WMM) needs to be enabled as well.

If you can use the AES-CCMP key type (sometimes incorrectly called WPA2 by itself, but really the more advanced of two WPA2 methods), then you should! All corporations and other entities should already be using AES-CCMP, and with nearly all devices sold starting in 2003 supporting AES-CCMP, even home networks should be able to make that choice.

(A reader sent email asking if I wasn't mistaken: doesn't WPA2 only support the AES key? Yes, but it's also backwards compatible. If you have a WPA2 implementation, it may support TKIP unless the router maker has provided an option to lock into using AES only. Depending on the router, you might see "WPA, WPA/WPA2, WPA2" as a set of options, which corresponds to "TKIP, TKIP/AES, AES" for key types; or an explicit menu that lists key types after you select WPA or WPA2.)
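Since the attack needs both TKIP keying and WMM/QoS enabled, a quick way to check a Linux access point is to audit its configuration for exactly those two settings. The script below is an added example, not from the post or from Beck's paper; the option names (wpa, wpa_pairwise, rsn_pairwise, wmm_enabled, ieee80211n) are real hostapd.conf keys, the two sample configs are constructed, and the fallback rules for unset options are my assumptions.

```python
"""Audit a hostapd-style config for the TKIP + WMM preconditions, and show the fix.

Added example (not from the post or the paper). Sample configs are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample: "WPA/WPA2 mixed mode" that still admits TKIP clients.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=3
wpa_pairwise=TKIP CCMP
wpa_passphrase=placeholder-passphrase
wmm_enabled=1
"""

# Constructed sample: WPA2 locked to AES-CCMP only (WMM stays on; it's fine without TKIP).
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
rsn_pairwise=CCMP
wpa_passphrase=placeholder-passphrase
wmm_enabled=1
"""


def parse_hostapd(text):
    """Parse key=value lines; skip blanks and '#' comments; the last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


@dataclass
class Finding:
    tkip_allowed: bool
    wmm_enabled: bool
    notes: list = field(default_factory=list)

    @property
    def exposed(self):
        # Both preconditions from the post must hold: TKIP keying and QoS/WMM on.
        return self.tkip_allowed and self.wmm_enabled


def audit(conf):
    """Report whether the config permits TKIP and has WMM enabled."""
    wpa = int(conf.get("wpa", "0"))          # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    wpa1, rsn = bool(wpa & 1), bool(wpa & 2)
    # hostapd: wpa_pairwise applies to WPA; rsn_pairwise applies to WPA2 and
    # falls back to wpa_pairwise when unset. Assumption: an unset cipher list
    # is treated as permissive (hostapd's default list includes TKIP).
    wpa_ciphers = set(conf.get("wpa_pairwise", "").split()) or {"TKIP", "CCMP"}
    rsn_ciphers = set(conf.get("rsn_pairwise", "").split()) or wpa_ciphers
    tkip = (wpa1 and "TKIP" in wpa_ciphers) or (rsn and "TKIP" in rsn_ciphers)
    # 802.11n requires WMM, so ieee80211n=1 counts as WMM on.
    wmm = conf.get("wmm_enabled") == "1" or conf.get("ieee80211n") == "1"
    notes = []
    if tkip:
        notes.append("TKIP is an allowed pairwise cipher; lock to CCMP")
    if wpa1:
        notes.append("WPA (v1) is enabled; use wpa=2")
    return Finding(tkip_allowed=tkip, wmm_enabled=wmm, notes=notes)


def harden(conf):
    """Return a copy locked to WPA2 with AES-CCMP only (the 'AES' menu choice)."""
    fixed = dict(conf)
    fixed["wpa"] = "2"
    fixed["rsn_pairwise"] = "CCMP"
    fixed.pop("wpa_pairwise", None)
    return fixed


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        f = audit(parse_hostapd(text))
        print(f"{name}: exposed={f.exposed} tkip={f.tkip_allowed} wmm={f.wmm_enabled} {f.notes}")
```

Running it against a real hostapd.conf is a matter of reading the file into parse_hostapd; the point of the exposed property is that turning WMM off is not the right fix (it breaks 802.11n), so the finding should be cleared by removing TKIP, which is what harden does.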
