Mike King wrote:
> The short list of points:
>
> 1. Only affects WPA (NOT WPA2)

I believe this is not the case. This vulnerability affects TKIP, either when used with WPA or WPA2.

> 2. Only affects TKIP (NOT AES)
> 3. Only affects traffic from router to PC (NOT PC to router)
>    Can also be used to send bogus info from router to PC

Both correct.

> 4. Takes approx 12-15 minutes to crack key

This is incorrect. The attack is not key recovery, but rather plaintext recovery by manipulating a station. This is very similar to the Chopchop attack, except that it works against TKIP.

> 5. Some of the code used to demonstrate this was added to Aircrack-ng
> two weeks ago.

It looks like there has been at least some semblance of this attack code in Aircrack-ng's SVN since July.

Essentially, this attack exploits a TKIP client using QoS, recovering not more than one byte of plaintext data per minute. TKIP rotates keys every 65K packets, so the number of bytes the attacker can recover is variable, depending on how busy the victim is. I think it's reasonable to say the attacker will be able to recover partial content of one encrypted packet during each client key rotation session.

I believe this attack is only the beginning, and we'll see more devastating attacks against TKIP soon.

People should watch for logging messages indicating Michael MIC failures or excessive Integrity Check Value (ICV) errors from SNMP MIBs as an intrusion detection technique. Client vendors have an opportunity to change client drivers (in violation of the 802.11i specification, but I believe it is warranted to retain the use of TKIP), but that will take a while. Disabling QoS support on the AP or moving to AES-CCMP will fix the flaw.

I'm going to deliver a SANS webcast on this TKIP attack on 11/17. I'll be discussing how it works in detail and what system administrators and vendors can do to mitigate this flaw. Keep an eye on www.willhackforsushi.com for details.

-Josh

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
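The log-watching advice in the message above, sketched as an added example that is not part of the original message or of any vendor's tooling: it counts Michael MIC failures per station in a sliding window and alerts on repeats. The log line format, the 15-minute window, the threshold of 3 and the sample data are all assumptions constructed for illustration; adapt the regex to whatever your AP or controller actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (not real AP output).
# Failures roughly a minute apart mirror the pacing described in the message.
SAMPLE_LOG = """\
2008-11-06T10:00:05 ap1 wlan0: STA 00:11:22:33:44:55 associated
2008-11-06T10:01:10 ap1 wlan0: STA 00:11:22:33:44:55 Michael MIC failure
2008-11-06T10:02:14 ap1 wlan0: STA 00:11:22:33:44:55 Michael MIC failure
2008-11-06T10:02:40 ap1 wlan0: STA 66:77:88:99:aa:bb Michael MIC failure
2008-11-06T10:03:19 ap1 wlan0: STA 00:11:22:33:44:55 Michael MIC failure
2008-11-06T10:04:25 ap1 wlan0: STA 00:11:22:33:44:55 Michael MIC failure
2008-11-06T11:30:00 ap1 wlan0: STA 66:77:88:99:aa:bb Michael MIC failure
"""

# Assumed layout: <ISO timestamp> <host> <iface>: STA <mac> Michael MIC failure
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"Michael MIC failure$",
    re.IGNORECASE,
)

def find_mic_failure_bursts(log_text, window=timedelta(minutes=15), threshold=3):
    """Return {station: [alert timestamps]} for stations that logged at
    least `threshold` Michael MIC failures within `window`."""
    recent = defaultdict(deque)   # station -> failure times still in window
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # timestamp not in the assumed format
        sta = m["sta"].lower()
        q = recent[sta]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[sta].append(ts)
    return dict(alerts)

if __name__ == "__main__":
    for sta, times in find_mic_failure_bursts(SAMPLE_LOG).items():
        print(f"{sta}: {len(times)} alert(s), first at {times[0].isoformat()}")
```

An isolated MIC failure, like the two from the second station in the sample, stays below the threshold; only the repeated failures from one station raise an alert.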