[Off topic] Difference between wpa: tkip & aes
Jar
Mon Nov 7 10:09:45 PST 2005
Bryan Kadzban wrote:
>>802.11 TKIP Data
>> WEP IV: 0x00201A
>> RC4Key[0]: 0x00
>> RC4Key[1]: 0x20
>> RC4Key[2]: 0x1A
>>
>> TKIP Key Index: 0x20
>> Reserved: %00100
>> Ext IV: %0
>> Key ID: %00 Key ID=1
>>
>> TKIP SC: 0x00000000
>> TKIP Data:
>> ...||+.......V.. D5 04 B8 7C 7C 2B 84 1D 15 B5 0E D8 E2 56 A3 AF
>> ....
> I'm not quite sure what most of this means...
OK, now I sniff it with Kismet; the security mode is WPA_PSK_AES. The
data packet looks like this:
No. Time Source Destination Protocol Info
5655 342.729498 00:14:bf:2e:2e:2e EdimaxTe_5a:5a:5a IEEE 802.11 Data
Frame 5655 (1554 bytes on wire, 1554 bytes captured)
IEEE 802.11
Type/Subtype: Data (32)
Frame Control: 0x4308 (Normal)
Version: 0
Type: Data frame (2)
Subtype: 0
Flags: 0x43
DS status: Frame part of WDS (To DS: 1 From DS: 1) (0x03)
.... .0.. = More Fragments: This is the last fragment
.... 0... = Retry: Frame is not being retransmitted
...0 .... = PWR MGT: STA will stay up
..0. .... = More Data: No data buffered
.1.. .... = WEP flag: WEP is enabled
0... .... = Order flag: Not strictly ordered
Duration: 213
Receiver address: 00:14:bf:48:48:48 (00:14:bf:48:48:48)
Transmitter address: 00:14:bf:bf:bf:bf (00:14:bf:bf:bf:bf)
Destination address: 00:50:fc:5a:5a:5a (EdimaxTe_5a:5a:5a)
Fragment number: 0
Sequence number: 769
Source address: 00:14:bf:2e:2e:2e (00:14:bf:2e:2e:2e)
TKIP/CCMP parameters
CCMP Ext. Initialization Vector: 0x0000000000DA
Key: 0
Data (1516 bytes)
0000 af e0 27 6b be 48 34 ba 61 10 7e 20 71 dd 56 f6 ..'k.H4.a.~ q.V.
0010 33 ef 6d 67 64 fe 40 7a 88 88 0e da 94 c5 d2 0f 3.mgd.@z........
....
....
There is now a mention of "CCMP Ext. Initialization Vector", so I assume
this is indeed AES encrypted.
But still Kismet complains about weak keys:
Network 3: "TEST" BSSID: "00:14:bf:2e:2e:2e"
Type : infrastructure
Carrier : unknown
Info : "None"
Channel : 13
Encryption : "WEP TKIP WPA AES-CCM "
Maxrate : 11.0
LLC : 1888
Data : 67173
Crypt : 67151
Weak : 19
Dupe IV : 26294
Total : 69061
First : "Mon Nov 7 19:08:43 2005"
Last : "Mon Nov 7 20:03:09 2005"
Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
Data : 67173
Crypt : 67151
Weak : 19
Dupe IV : 26294
Data packets 67173 and crypted packets 67151 => 67173-67151=22. Does this
mean that there have been 22 unencrypted packets? Encryption is CCMP and
still 19 weak keys?
What are Dupe IVs? Is this serious?
--
Best Regards, Jar
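
Added example, not part of the original post: a small classifier for the 4 or 8 octets that follow the 802.11 MAC header of a protected frame, telling WEP, TKIP and CCMP apart and extracting the IV, TSC or PN. The function and type names are hypothetical, and the two sample headers are constructed from the dissected fields shown in the dumps above (IV 0x00201A with key octet 0x20, and CCMP Ext. IV 0x0000000000DA with key 0).

```python
from typing import NamedTuple


class ProtHeader(NamedTuple):
    cipher: str   # "WEP", "TKIP" or "CCMP"
    key_id: int   # bits 6-7 of octet 3
    counter: int  # 24-bit WEP IV, or 48-bit TKIP TSC / CCMP PN


def parse_protection_header(hdr: bytes) -> ProtHeader:
    """Classify the octets right after the MAC header of a protected frame.

    Heuristic only: a CCMP header whose PN1 happens to equal
    (PN0 | 0x20) & 0x7F is indistinguishable from TKIP here, so the
    cipher advertised in the beacon's WPA/RSN element is authoritative.
    """
    if len(hdr) < 4:
        raise ValueError("need at least 4 octets (IV + key ID octet)")
    key_id = hdr[3] >> 6
    if not hdr[3] & 0x20:
        # ExtIV bit clear: plain WEP, 3-octet IV shown in wire order.
        return ProtHeader("WEP", key_id, int.from_bytes(hdr[0:3], "big"))
    if len(hdr) < 8:
        raise ValueError("ExtIV set: need 8 octets")
    # Octets 4..7 carry TSC2..TSC5 (TKIP) or PN2..PN5 (CCMP), low octet first.
    high = int.from_bytes(hdr[4:8], "little") << 16
    if hdr[1] == ((hdr[0] | 0x20) & 0x7F):
        # TKIP layout: TSC1, WEPSeed, TSC0. WEPSeed is derived from TSC1.
        return ProtHeader("TKIP", key_id, high | (hdr[0] << 8) | hdr[2])
    if hdr[2] == 0:
        # CCMP layout: PN0, PN1, reserved (zero).
        return ProtHeader("CCMP", key_id, high | (hdr[1] << 8) | hdr[0])
    raise ValueError("ExtIV set but header matches neither TKIP nor CCMP")


# Constructed from the fields in the first (TKIP) and second (CCMP) dumps.
TKIP_SAMPLE = bytes.fromhex("00201a2000000000")
CCMP_SAMPLE = bytes.fromhex("da00002000000000")

if __name__ == "__main__":
    for name, sample in (("first dump", TKIP_SAMPLE), ("second dump", CCMP_SAMPLE)):
        h = parse_protection_header(sample)
        print(f"{name}: {h.cipher} key_id={h.key_id} counter=0x{h.counter:012X}")
```

In the CCMP layout the first three octets hold only PN0, PN1 and a zero, so they take at most 65536 distinct values before repeating.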