This article presents an analysis of the TKIP attack mentioned in paper titled "A Practical Message Falsification Attack on WPA" [1] and discusses mitigation/detection strategies.
1. Details:
This attack builds on TKIP attack discovered by Erik Tews and Martin Beck in 2008. WPA uses two kinds of keys, which are a 64-bit message integrity check (MIC) key and a 128-bit encryption key. The former is used to detect the message forgery/falsification, and the latter is used to encrypt/decrypt packets. These keys are generated from a shared master key. Beck-Tews attack can recover plaintext from an encrypted short packet, recover the MIC key and inject forged frames. The execution time of the Beck-Tews attack is about 12-15 minutes. However the attack has limitation that the targets are limited to WPA implementations that support IEEE802.11e QoS features.
This new attack applies Beck-Tews attack to the man-in-the-middle attack (MITM) and hence removes the limitation that target wireless LAN products have to support IEEE802.11e QoS. The authors claim their attack applies to all WPA implementations. Pre-condition for executing the Beck-Tews attack on WPA is to obtain an encrypted frame whose IV is larger than the TSC counter's current value. Beck-Tews satisfied this condition by using IEEE802.11e QoS features. In this attack, authors use MITM to achieve this. The attacker interrupts encrypted frames of the receiver (access point/client). Hence an encrypted frame with IV larger than the TSC counter of the receiver can be obtained since the captured packet has not reached the receiver.
The attacker can place himself as a MITM between a client and an AP by using directional antennas or using higher transmitting power. The attacker acts as a wireless repeater and relays all frames between the two. The attacker still requires to obtain the MIC key using modified Beck-Tews attack (not using QoS queues but using MITM). The execution time of obtaining the MIC key is still about 12-15 minutes. After obtaining the MIC key, the attacker can inject modified frames using the MIC key. The authors propose speeding up the frame injection process by comparing only parts of checksum in order to reduce the wait time for MIC error. Authors claim that they can reduce the execution time of frame injection from 4 minutes in case of the Beck-Tews attack to about one minute.
2. Mitigation:
The best mitigation against this is to stop using TKIP and migrate to using CCMP only network. Since this attack requires knowledge of MIC key using Beck-Tews attack (without using QoS queues), the countermeasures that Aruba recommended for Beck-Tews attack are still valid [3].
If migration to CCMP is not possible, Aruba recommends using a very short TKIP rekeying time, for example 120 seconds or less. In 120 seconds, the attacker can only decrypt parts of the ICV value at the end of a packet. By setting the TKIP rotation interval to a short value, the amount of time an attacker can conduct the attack and the length of time a successful attack is useful are curtailed. The current attack requires one minute per byte, so setting the TKIP rotation value to an interval of 120 seconds should prevent an attacker from making significant gains. On an Aruba controller, this can be set by:
enable
configure terminal
aaa authentication dot1x
multicast-keyrotation
unicast-keyrotation
timer mkey-rotation-period 120
timer ukey-rotation-period 120
Not all clients support key rotation (notably, some VOIP handsets and hand-held devices), so always test network changes before deployment.
3. Detection:
Pre-requisite for this attack is establishing MITM between AP and the client. This would require the attacker to transmit Beacons and Probe Responses on either a different channel or different band using the same SSID/BSSID as the legitimate AP. Beacons/Probe Responses on an unregistered channel/band for the legitimate SSID can be detected by the IDS.
4. Summary:
TKIP itself was designed as a stopgap measure, with a planned secure lifetime of approximately five years. Hence Aruba strongly recommends users to migrate to AES-CCMP from TKIP. While this attack DOES NOT increase the speed of attack for obtaining the MIC key (still 12-15 minutes), authors claim that the time required to inject forged ARP frames is about a minute. WPA1 networks using AES encryption are not affected, and WPA2 networks which still use TKIP are vulnerable.
References
[1] http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Fa...
[2] http://dl.aircrack-ng.org/breakingwepandwpa.pdf
[3] http://community.arubanetworks.com/t5/Community-Knowledge-Base/TKIP-Vulnerabilities/ta-p/25384