WPA with TKIP done
Wed Sep 2 04:09:49 PDT 2009
Basically it looks like the very same chopchop attack described by Beck
& Tews in theirs paper at Nov 2008
(http://dl.aircrack-ng.org/breakingwepandwpa.pdf) but the special
man-in-the-middle case which is also mentioned in theirs paper:
> Even if the network does not support the IEEE 802.11e QoS features,
> the attack still
> seems to be possible. Here, the attacker needs to prevent the client
> from receiving the
> data packet he chooses for the chopchop attack, and must disconnect
> the client from
> the access point for the time of the attack, so that the TSC counter
> is not increased
> by the packet or following packets. After the attacker has
> successfully executed the
> chopchop attack, he can send a single data packet to the client.
> However, we did not
> implement this attack mode.
So it does not look like an sensation (at least for me).
If sincerely, I can not imagine how an attacker could organize
man-in-the-middle attack to the setup where the AP directly see the
STAtion staying physically unnoticeable.
As Beck & Tews suggested in theirs paper, to countermeasure these type
of attacks users can decrease rekeying time from default 10 minutes to 2
or less minutes (wpa_ptk_rekey parameter starting from hostapd-0.6.6
version). Also Beck & Tews suggest to avoid sending MIC failure report
frames by clients at all. Instead, Jouni only added an optional
mitigation mechanism to wpa_supplicant starting from 0.6.6 version for
such type of attack by delaying Michael MIC error reports by a random
amount of time between 0 and 60 seconds. Jouni, could you comment, why
we just can't follow Beck & Tews suggestion here and just avoid sending
of MIC failure report frames at all (at least make this approach
configurable, since it looks like WFA certification testplan checks it)?
On 2009-08-29 00:45, Cristian Ionescu-Idbohrn wrote:
> Seen articles like this one:
> circulating. "researchers in Japan describe how to perform the Beck-Tews
> style attack against any WPA-TKIP implementation, in under a minute".
> Jouni, would you please comment?
More information about the Hostap