Weaknesses in the Temporal Key Hash of Wpa

Weaknesses in the Temporal Key Hash of WPA

˚ Vebjørn Moen Havard Raddum Kjell J. Hole moen@ii.uib.no haavardr@ii.uib.no kjellh@ii.uib.no Department of Informatics, University of Bergen, Pb 7800, N-5020 Bergen, Norway This article describes some weaknesses in the key scheduling in Wi-Fi Protected Access (WPA) put forward to secure the IEEE standard 802.11-1999. Given a few RC4 packet keys in WPA it is possible to find the Temporal Key (TK) and the Message Integrity Check (MIC) key. This is not a practical attack on WPA, but it shows that parts of WPA are weak on their own. Using this attack it is possible to do a TK recovery attack on WPA with complexity compared to a brute force attack with complexity . Keywords: 802.11, TKIP, WPA, temporal key hash, Michael, MIC.

   ¥ £ ¡    ¨ § ¥ £ ¡  

I.

Introduction

tion IV discusses the practicality and impact of the results, and Section V gives a summary of this paper.

The IEEE standard 802.11-1999 [1] is a set of protocols defining a communication channel inspired by Ethernet, but using unlicensed radio spectrum bands instead of wires. Since radio is used to communicate, eavesdropping can be done by anyone with a radio receiver, and anyone with a radio transmitter can write to the channel. This shows the need for built-in security in the WLAN design. The 1999 standard includes a security protocol called Wired Equivalent Privacy, or WEP. The goal was to achieve the same level of security as wired Ethernet. It has been shown that the WEP design has many basic flaws and does not fulfill the design goals. It does not defend properly against packet forgery or replay, which allows an attacker to use the 802.11 infrastructure to launch attacks on the WEP encryption key. In addition, WEP uses the RC4 encryption algorithm in a way that makes it possible to mount plaintext recovery attacks and key recovery attack using public domain software, e.g. AirSnort [2]. To correct these design flaws, the 802.11 Working Group (WG)...