Introduction

Back in November of 2008 I wrote about the Wi-Fi Protected Access (WPA) attack by the German graduate students Erik Tews and Martin Beck. They discovered a limited method to crack WPA, or more specifically, to crack the TKIP component of WPA.  Their paper describes the attack and their tkiptun-ng tool carries out the [...]]]>

Introduction

Back in November of 2008 I wrote about the Wi-Fi Protected Access (WPA) attack by the German graduate students Erik Tews and Martin Beck. They discovered a limited method to crack WPA, or more specifically, to crack the TKIP component of WPA.  Their paper describes the attack and their tkiptun-ng tool carries out the attack.

Now, Japanese researchers Toshihiro Ohigashi and Masakatu Morii have taken the Tews-Beck attack one step further. Their paper describe how they can reduce the attack time from 12-15 minutes down to 1 minute and how they can eliminate the requirement that the station under attack support the IEEE 802.11e QoS mechanism.

Some articles have sensationalized this attack and have even implied that AES-CCMP could be next.

Bottom line:

1. The vulnerability exposed by the Ohigashi-Morii attack is no different from the vulnerability exposed by the Tews-Beck. The Ohigashi-Morii attack essentially just speeds up the Tews-Beck attack process. More specifically, neither the Tews-Beck nor the Ohigashi-Morii attacks discover the encryption key. Instead, they systematically decrypt an individual packet of short length (e.g., ARP packet)
2. The attacker cannot decrypt all the packets on a WLAN.
3. The attack only exploits TKIP, which is the older “band-aid” feature created to fix WEP (WEP used RC-4 encryption). The attack does not exploit AES-CCMP.
4. If you use certificates on both your stations and your access points (e.g., you use EAP-TLS) then your network is not vulnerable to the Ohigashi-Morii man-in-the-middle attack but your network may be vulnerable to the Tews-Beck attack.

Recommendations:

1. Use AES-CCMP encryption to protect against this attack. All certified WPA2 systems must support AES-CCMP.
2. Check to see if your WPA-certified systems support AES-CCMP. If so, you should configure your WPA equipment to use AES-CCMP.
3. Begin a program to phase out your older Access Points and stations that do not support AES-CCMP.

Terminology

There is some confusion over the difference between the Wi-Fi Alliance certification and the actual features supported by the vendor equipment.

WPA certification: The older Wi-Fi Alliance WPA certification designation means that the equipment was certified to support: 802.1X, EAP, TKIP, and RC4.

WPA2 certification: The newer (and now mandatory) WPA2 certification designation means that the equipment was certified to support: 802.1X, EAP, and AES-CCMP.

Vendor equipment: Some vendors chose to support both TKIP-RC4 and AES-CCMP irrespective of how the equipment was certified. It is therefore possible to configure some WPA-certified equipment to support AES-CCMP. It is also possible to configure WPA2-certified equipment to support TKIP-RC4.

More detailed information:

1. Erik Tews and Martin Beck paper
2. Toshihiro Ohigashi and Masakatu Morii paper
3. Glenn Fleishman article

Many enterprises are considering Wi-Fi CERTIFIED™ 802.11n draft 2.0 deployment because it has significant advantages over existing wireless technologies. However, these advantages present the enterprise network manager with important deployment considerations. At the upcoming Burton Group Catalyst Conference in July, I will examine the various deployment considerations for 802.11n in the [...]]]>

Many enterprises are considering Wi-Fi CERTIFIED™ 802.11n draft 2.0 deployment because it has significant advantages over existing wireless technologies. However, these advantages present the enterprise network manager with important deployment considerations. At the upcoming Burton Group Catalyst Conference in July, I will examine the various deployment considerations for 802.11n in the enterprise. Some of the topics I will discuss are listed below.

Most existing 802.11 devices operate in a single frequency band, (e.g., 2.4 GHz or 5 GHz). 802.11n is different because it is specifically designed to operate in both the 5 GHz and the 2.4 GHz frequency bands. So 802.11n presents an opportunity for enterprises to reconsider which frequency band(s) to use. I will discuss some of the tradeoffs and issues enterprise managers need to consider.

Legacy 802.11 access points (APs) have a maximum power draw that is very close to the IEEE 802.3af Power over Ethernet (PoE) maximum of 15.4 watts. However, many 802.11n APs will consume more power than legacy APs. Enterprise AP vendors have addressed this problem in several ways and enterprise IT managers must consider which approach they will select.

802.11b/g/a APs typically use Fast Ethernet ports to forward traffic onto the wired network. Because the 802.11n data rate is designed to exceed the 100 Mbps capacity of Fast Ethernet (especially when using 40 MHz channels), most new APs will use Gigabit Ethernet for wired Ethernet communication. Therefore, some enterprises may choose to upgrade a portion of their wiring closet switches, and possibly their cabling, to provide gigabit Ethernet links to their 802.11n APs.

WLAN controllers that perform the data-forwarding function must backhaul all wireless traffic from hundreds of 802.11n APs, and so each controller will likely need to support several Gigabit Ethernet connections. WLAN controllers that distribute the data-forwarding function to the AP will need only a single Gigabit Ethernet connection.

802.11n presents a new security challenge because existing hardware sensors, without software updates, may not be able to recognize 802.11n APs. Therefore, it is important for enterprise managers to update wireless intrusion detection systems (IDSs), regardless of whether or not they plan to deploy 802.11n.

802.11n will impact network management tools. For example, spectrum analyzers must be able to recognize MIMO spatial streams, and visually communicate network behavior to the user. Therefore, enterprise managers will need to upgrade their network management tools in order to manage 802.11n networks.

Please join me in beautiful San Diego, July 27 – 31, for a discussion of these issues and many other interesting topics. Learn more about the Burton Group Catalyst Conference here: http://www.catalyst.burtongroup.com/Na09/.

Erik Tews

German graduate students Erik Tews and Martin Beck discovered a limited method to crack WPA, or more specifically, to crack the TKIP component of WPA.  Their paper describes the attack and their tkiptun-ng tool carries out the attack.  

WPA relies upon the old RC4 encryption algorithm from the infamous WEP protocol [...]]]>

Erik Tews

German graduate students Erik Tews and Martin Beck discovered a limited method to crack WPA, or more specifically, to crack the TKIP component of WPA.  Their paper describes the attack and their tkiptun-ng tool carries out the attack.  

WPA relies upon the old RC4 encryption algorithm from the infamous WEP protocol and uses TKIP as a “band-aid” to strengthen WEP encryption.  WPA was intended as a way to secure existing WEP equipment without using a computationally intensive algorithm.  This approach enabled existing hardware (access points and clients) to support WPA with a simple software upgrade.

The WPA attack created by Tews and Beck enables the attacker to decode short packets (such as ARP packets), modify those packets, re-encrypt them, and re-transmit them on the network to other devices.  This method enables a variety of attacks such as an ARP poisoning attack.  However, the attack does NOT decrypt all of the packets on a network.  The attack uses a tool called chopchop to systematically uncover the contents of a packet.  On average, it can take 12 – 15 minutes to uncover the contents of a small packet.  Frequent rekeying and heavy traffic loads (which cause keys to be rekeyed more frequently) can lessen the impact of the attack.

Alternatively, WPA2 uses AES (instead of RC4) and is NOT cracked.  WPA2 support is mandatory in all WiFi certified devices as of March 2006 and is widely available.

My recommendation for enterprises is to use WPA2 rather than WPA in order to ensure strong wireless security.   Unfortunately, this can be easier said than done for enterprises with a large wireless LAN due to the significant capital and operational costs required for such an upgrade.  In fact, I have spoken with some large retailers that are still using WEP because they lack the money, time, and staff to do the upgrade.  However, as we learned with the TJX attack, the eventual cost of using WEP can be very high.

For those of you that would like to do additional reading, Glen Fleishman provides a nice history of encryption weakness and also describes the Tews/Beck attack in his ars technica article.