Upload File

wpa_tkip_attacks_tb_1208_chv3

prev
next
out of 4
Download WPA_TKIP_Attacks_TB_1208_chv3

Upload: stefan-pettersson

Post on 08-Apr-2018

218 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • 8/6/2019 WPA_TKIP_Attacks_TB_1208_chv3

    1/4

    Understanding the

    New WPA TKIP AttackVulnerabilities & Motorola WLAN Countermeasures

    TECHNICAL BRIEF

  • 8/6/2019 WPA_TKIP_Attacks_TB_1208_chv3

    2/4

    On November 8, 2008, German researchers released a paper

    demonstrating a practical attack against the Temporal Key Integrity

    Protocol (TKIP) encryption algorithm used to secure Wi-Fi networks

    that are certi ed or Wi-Fi Protected Access (WPA). While the practical

    exposure rom the attack is limited, it does lead to the decryption o small

    TKIP encrypted packets as well as injection o a ew arbitrary rames

    rom an adversary. This paper provides an overview o the vulnerabilities

    introduced by the attack as well as countermeasures available through

    the Motorola Wireless LAN solution to mitigate the new threat.

    Executive Summary

  • 8/6/2019 WPA_TKIP_Attacks_TB_1208_chv3

    3/4

    Attack DetailsThe original Wi-Fi encryption algorithm, WiredEquivalent Privacy (WEP), has signi cant faws.Amongst other security problems, WEP is

    vulnerable to replay attacks. An adversary cancapture and replay a WEP encrypted rame overand over again. This faw is exploited by WEP attacktools such as chopchop that allowed a hacker tocapture a WEP encrypted rame, replay the packetrepeatedly, and decipher the payload one byte at atime. This method allows small packets like AddressResolution Protocol (ARP) rames to be decoded in10-20 seconds without ever breaking the WEP key.

    TKIP was introduced in 2003, and amongst otherenhancements, included a new per packet hashingalgorithm, the Message Integrity Check (MIC).MIC is based on a weak algorithm, designed to be

    accommodated on legacy WEP hardware. TKIP usesMIC or guaranteeing the integrity o an encrypted

    rame. I more than two MIC ailures are observedin a 60 second window, both the Access Point (AP)and client station shut down or 60 seconds. Thenew TKIP attack uses a mechanism similar to thechopchop WEP attack to decode one byte at atime by using multiple replays and observing theresponse over the air. When a MIC ailure occurs,the attacker can observe the response and waits or60 seconds to avoid MIC countermeasures. Usingthe mechanism, the attacker can decode a packet atthe rate o one byte per minute. Small packets likeARP rames can typically be decoded in about 15

    minutes by leveraging this exploit.

    TKIP also includes a sequence counter that coulddetect i a packet is being sent out o sequence.However, with the introduction o QoS based on theWMM standard, the sequence en orcement acrossmultiple QoS queues was relaxed or per ormancereasons. This creates another security faw. Oncea TKIP rame has been decoded, the attacker canuse the obtained key sequence to urther injectup to 15 additional arbitrary rames using di erentQoS queues without triggering a sequence numberviolation that would have lead to the injected packetbeing dropped.

    Summary of Vulnerabilities

    1. This is not a key recovery attack. TKIP keysare not compromised and it does not lead todecryption o all subsequent rames.

    2. The attack a ects all TKIP deployments (WPAand WPA2) regardless o whether theyuse Pre-Shared Keys (PSK) or the morerobust enterprise mode with 802.1xauthentication.

    3. The attack can reveal one byte per minute oa TKIP encrypted packet. Small rames likeARPs are good candidates or the attack.

    4. I QoS is enabled, the attack can also leadto injection o up to 15 arbitrary rames orevery decrypted packet. Potential attack

    scenarios include ARP decoding ollowed byARP poisoning, DNS manipulation, etc.

    5. WPA and WPA2 networks that use the morerobust AES-CCMP encryption algorithm areimmune to the attack.

    6. The attack is capable o decrypting a TKIPrame sent rom an AP to a station

    (not station to AP).

    Motorola WLAN

    CountermeasuresThe Motorola WLAN solution consists o severalcountermeasures already built into the productto mitigate the new TKIP attack. Motorolarecommends that enterprises use AES-CCMPencryption with their WPA or WPA2 deployments.Motorola WLAN in rastructure is ully certi ed orAES-CCMP. Organizations that have legacy clientdevices that cannot support AES encryptionand rely on TKIP have the ollowing additionalsa eguards that they could use.

    3 WHITE PAPER: Understanding the New WPA TKIP Attack

  • 8/6/2019 WPA_TKIP_Attacks_TB_1208_chv3

    4/4

    TKIP Key RotationMotorola WLAN in rastructure supports TKIP keyrotation. Broadcast keys can also be periodicallyrotated. Forcing more requent key rotation willlimit how much plaintext can be derived by a

    hacker since each minute o key li e can be used todetermine a byte o plaintext using the attack.

    (config-wireless)# wlan dot11ikey-rotation enable

    (config-wireless)# wlan dot11ikey-rotation-interval

    The Motorola WLAN also supports periodic802.1x re-authentication.

    (config-wireless)# wlan radiusreauth

    I QoS is not really needed, the WLAN administratorhas the option to explicitly disable QoS on theMotorola WLAN thereby preventing urther injectionattacks even i a TKIP rame is decrypted.

    (config-wireless)# no wlan qosclassification wmm

    Monitoring and LoggingThe Motorola WLAN logs station MIC ailures. Asuspicious sequence o a single MIC ailure reportedby a single station every minute or several minuteswould indicate that the TKIP attack is in progress. The

    syslog message generated by the Motorola WLANor a MIC ailure is as ollows:

    Station [MAC_ADDR] reported a TKIP message integrity check fail on wlan

    [WLAN_ID]

    Motorola AirDefense Wireless Intrusion PreventionThe Motorola WLAN solution eatures the industryleading AirDe ense Wireless Intrusion PreventionSystem (WIPS). Motorola AirDe ense WIPScapabilities also help contain the attack. The WIPSis capable o detecting MAC address spoofngthat occurs when the adversary pretends to be an

    authorized device during the attack. The AirDe enseWIPS can also detect replay attacks and trigger i aconfgurable number o injections in a set window otime exceeds a programmable threshold. The WIPScan generate an alarm, send SNMP traps to noti yvarious security event management systems, alertan administrator via email/pager, etc. In addition, theo ending device can be blacklisted, and all urther

    rames rom it are ignored or the blacklist timeoutperiod.

    motorola.com

    Part number TB-WPATKIP. Printed in USA 12/08. MOTOROLA and the Stylized M Logo are regis tered in the US Patent& Trademark O ce. All other product or service names are the property o their respective owners. Motorola, Inc.2008. All rights reserved. For system, product or ser vices availability and speci c in ormation within your country,please contact your local Motorola o ce or Business Partner. Speci cations are subject to change without notice.


18 Tricks to Teach Your Body

Fortran

United States Constitution

Bodybuilding - The Rock Hard Challenge (Month 1 Training)

European Colinization of Latin America

Star Wars Prequel Trilogy Trivia (Episodes I-III)

Daniel Zanella and Alexander Weygers

Minne hävisivät soneran rahat

Barclays1

Star Wars Original Trilogy Trivia (Episodes IV-VI)

Aesops Fables

Compressing And Decompressing Folders

Chapter 24

Oedipus The King: The Ideal Tragic Play

Star Wars Trivia!

Plato - Symposium

Steve Jobs' Commencement Speech at Stanford

(Tesla) - The Tesla Magnetic Car Engine

Introduction to Six Sigma

xCDC14a

Rubik's cube solution

Who Killed God

Improve the Color Quality Of Your Monitor

The Best American Humorous Short Stories

How Computer Keyboards Work

Heidegger Kritik

Chapter-01

1 시스템분석입문

The Dutch Republic In International Trade

Chapter 23

расписание электричек Москва-Железка

Cakes Recipes

Algorithms

Tragic Heroes

Effective Parenting: Establishing Boundaries