On Sep 15, 2014, at 1:02 AM, coderman
first and foremost: WPA2 does NOT prevent an adversary able to inject packets at you from downgrading crypto to flawed RC4. due to odd forgotten legacy protocol bits, every implementation of WPA2 that i have tested is vulnerable to an active downgrade to TKIP/RC4 while still being "WPA2" and still showing all signs of using strongest security settings.
TKIP is NOT the same as RC4 … while we are trying to remove it from any usage in Wi-FI, it has yet to be fully broken (publicly).
let me re-iterate: _WPA2 only_ as a setting on router or client device does not prevent an active RC4 downgrade when using WPA2. AES-CCMP
… vendors create crappy UIs. WPA2 only should mean just AES-CCMP. Some are done correctly.
must be explicitly checked for, and this is not straightforward in end-user configuration or management utilities.
RECOMMENDATION: use a wireless packet capture utility to specifically check for and alert on the presence of TKIP in a WPA2 session. this never happens under legitimate circumstances. [if you know of one, please tell me!] YEs/
TKIP in WPA2 == Active injection attack by "well funded" adversary[0]
Please elaborate. TKIP has not been identified as a ‘active attack’ vector.
---
i missed the renewed speculation that periodically swirls around RC4, e.g.
"I feel but cannot prove that the day is coming when we learn that everything we ever encrypted with RC4 is very practical to decrypt" - https://twitter.com/marshray/status/505586082461655040
"Kind of annoyed SHA-1 is a "crypto emergency" when most of the web was encrypted with RC4 last year and almost no one cared" - https://twitter.com/bascule/status/509239990216163330
"This attack also applies directly to WPA/TKIP, with similar success rates, because of its use of per-packet keys for RC4. Here, the particular structure of WPA/TKIP keys means that a different set of biases are obtained in the first 256 bytes of RC4 keystream... For WPA/TKIP, the only reasonable countermeasure is to upgrade to WPA2." - http://www.isg.rhul.ac.uk/tls/
---
i have an advisory pending to full-disclosure with details on this WPA2 force downgrade to TKIP attack and a rant about Kaminsky's DEF CON 22 talk. advisory includes timeline indicating "in the wild" discovery of this technique late 2013. any earlier indications welcome!
to be clear, this issue is with backwards compatibility in WPA2, and the manner in which a local attacker (8 miles or more with power and directional emission) can force the WPA2 protected session to use TKIP/RC4 while appearing to both client and network management equipment to be using WPA2 and best security configuration. (not WEP, not WPA)
this is not about how RC4 is broken; i have no idea about the nature of the RC4 weaknesses enabling decryption, and this as yet unknown attack is certainly more effective than the attack described in CVE-2013-2566: "The attacks can only be carried out by a determined attacker who can generate sufficient sessions for the attacks. They recover a limited amount of plaintext. In this sense, the attacks do not pose a significant danger to ordinary users of TLS or WPA/TKIP in their current form. However, it is a truism that attacks only get better with time, and we anticipate significant further improvements to our attacks."
the attacks observed in the wild did not rely on any additional or excessive packet creation to reach effectiveness.
best regards,
0. About TKIP with WPA2... some tools know that TKIP is backwards compatible in WPA2, having written to spec. E.g. airodump-ng: "Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2."
in my testing i have never seen a device that could do WPA2 but not AES-CCMP.
WPA2 is supposed to mean AES-CCMP. WPA is TKIP. Unclear that you know what you are saying …. nymble
if you find one i'd like to know about it! if you ever see a device+router pair that used to speak AES-CCMP over WPA2 suddenly using TKIP you are under active attack.
finally, i mention "advanced attacker" because utilizing this downgrade also means applying an as yet unknown attack on the RC4 cipher to decrypt. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography