Vulnerability discovered in WPA encryption

Wi-Fi Protected Access (WPA)encryption can be partially cracked in about 15 minutes, German researchers have discovered.

Eric Tews from the Technical University of Darmstadt in Germany and fellow German security researcher, Martin Beck discovered that an attacker could decrypt packets from a WPA protected network and inject packets into the network, Tews told SCMagazineUS.com Thursday in an email. Tews said that Beck had the initial idea the end of 2007, but it took them some time to develop it.

The vulnerability exists in the Temporal Key Integrity Protocol (TKIP), a Wired Equivalency Privacy (WEP) wrapper, which itself was essentially a fix when WEP was originally cracked.

There is a similar attack on WEP encryption called chopchop, which can be modified to work on a TKIP attack. The two researchers were able to decrypt packets at a rate of one byte per minute, Tews said.

Tews said this vulnerability could theoretically be exploited by an attacker but it is not as effective as attacks on WEP encryption.

Though they were able to crack part of WEP encryption, Tews said the technique does not represent a complete key recovery attack because it does not decrypt PSKs (pre-shared keys), it only enables recovery of temporal keys used by the network. In addition, it would not be suitable for stealing bandwidth over a wireless network, he said.

Tews will discuss their findings at the PacSec conference in Tokyo next week. The researchers plan to post more information about the vulnerability on the aircrack-ng wiki after the conference.

Does this signal the eminent demise of WPA? Not necessarily. WPA is still effective if the network is configured as a AES-CCMP-only network, Tews said.

See original article on scmagazineus.com