On Sep 15, 2014, at 1:02 AM, coderman <[email protected]> wrote: > first and foremost: > WPA2 does NOT prevent an adversary able to inject packets at you from > downgrading crypto to flawed RC4. due to odd forgotten legacy protocol > bits, every implementation of WPA2 that i have tested is vulnerable to > an active downgrade to TKIP/RC4 while still being "WPA2" and still > showing all signs of using strongest security settings.
TKIP is NOT the same as RC4 … while we are trying to remove it from any usage in Wi-FI, it has yet to be fully broken (publicly). > > let me re-iterate: _WPA2 only_ as a setting on router or client device > does not prevent an active RC4 downgrade when using WPA2. AES-CCMP … vendors create crappy UIs. WPA2 only should mean just AES-CCMP. Some are done correctly. > must be explicitly checked for, and this is not straightforward in > end-user configuration or management utilities. > > RECOMMENDATION: use a wireless packet capture utility to specifically > check for and alert on the presence of TKIP in a WPA2 session. this > never happens under legitimate circumstances. [if you know of one, > please tell me!] YEs/ > > TKIP in WPA2 == Active injection attack by "well funded" adversary[0] Please elaborate. TKIP has not been identified as a ‘active attack’ vector. > > --- > > i missed the renewed speculation that periodically swirls around RC4, e.g. > > "I feel but cannot prove that the day is coming when we learn that > everything we ever encrypted with RC4 is very practical to decrypt" > - https://twitter.com/marshray/status/505586082461655040 > > "Kind of annoyed SHA-1 is a "crypto emergency" when most of the web > was encrypted with RC4 last year and almost no one cared" > - https://twitter.com/bascule/status/509239990216163330 > > "This attack also applies directly to WPA/TKIP, with similar success > rates, because of its use of per-packet keys for RC4. Here, the > particular structure of WPA/TKIP keys means that a different set of > biases are obtained in the first 256 bytes of RC4 keystream... For > WPA/TKIP, the only reasonable countermeasure is to upgrade to WPA2." > - http://www.isg.rhul.ac.uk/tls/ > > --- > > i have an advisory pending to full-disclosure with details on this > WPA2 force downgrade to TKIP attack and a rant about Kaminsky's DEF > CON 22 talk. advisory includes timeline indicating "in the wild" > discovery of this technique late 2013. any earlier indications > welcome! > > to be clear, this issue is with backwards compatibility in WPA2, and > the manner in which a local attacker (8 miles or more with power and > directional emission) can force the WPA2 protected session to use > TKIP/RC4 while appearing to both client and network management > equipment to be using WPA2 and best security configuration. (not WEP, > not WPA) > > this is not about how RC4 is broken; i have no idea about the nature > of the RC4 weaknesses enabling decryption, and this as yet unknown > attack is certainly more effective than the attack described in > CVE-2013-2566: > "The attacks can only be carried out by a determined attacker who can > generate sufficient sessions for the attacks. They recover a limited > amount of plaintext. In this sense, the attacks do not pose a > significant danger to ordinary users of TLS or WPA/TKIP in their > current form. However, it is a truism that attacks only get better > with time, and we anticipate significant further improvements to our > attacks." > > the attacks observed in the wild did not rely on any additional or > excessive packet creation to reach effectiveness. > > best regards, > > > > 0. About TKIP with WPA2... > some tools know that TKIP is backwards compatible in WPA2, having > written to spec. E.g. airodump-ng: "Not mandatory, but TKIP is > typically used with WPA and CCMP is typically used with WPA2." > > in my testing i have never seen a device that could do WPA2 but not > AES-CCMP. WPA2 is supposed to mean AES-CCMP. WPA is TKIP. Unclear that you know what you are saying …. nymble > if you find one i'd like to know about it! if you ever see > a device+router pair that used to speak AES-CCMP over WPA2 suddenly > using TKIP you are under active attack. > > finally, i mention "advanced attacker" because utilizing this > downgrade also means applying an as yet unknown attack on the RC4 > cipher to decrypt. > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography
