Falsification Attacks against WPA-TKIP in a Realistic Environment
Summary :
In this paper, we propose two new falsification attacks against Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). A previous realistic attack succeeds only for a network that supports IEEE 802.11e QoS features by both an access point (AP) and a client, and it has an execution time of 12–15 min, in which it recovers a message integrity code (MIC) key from an ARP packet. Our first attack reduces the execution time for recovering a MIC key. It can recover the MIC key within 7–8 min. Our second attack expands its targets that can be attacked. This attack focuses on a new vulnerability of QoS packet processing, and this vulnerability can remove the condition that the AP supports IEEE 802.11e. In addition, we discovered another vulnerability by which our attack succeeds under the condition that the chipset of the client supports IEEE 802.11e even if the client disables this standard through the OS. We demonstrate that chipsets developed by several kinds of vendors have the same vulnerability.
- Publication
- IEICE TRANSACTIONS on Information Vol.E95-D No.2 pp.588-595
- Publication Date
- 2012/02/01
- Publicized
- Online ISSN
- 1745-1361
- DOI
- 10.1587/transinf.E95.D.588
- Type of Manuscript
- PAPER
- Category
- Information Network
Authors
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Yosuke TODO, Yuki OZAWA, Toshihiro OHIGASHI, Masakatu MORII, "Falsification Attacks against WPA-TKIP in a Realistic Environment" in IEICE TRANSACTIONS on Information,
vol. E95-D, no. 2, pp. 588-595, February 2012, doi: 10.1587/transinf.E95.D.588.
Abstract: In this paper, we propose two new falsification attacks against Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). A previous realistic attack succeeds only for a network that supports IEEE 802.11e QoS features by both an access point (AP) and a client, and it has an execution time of 12–15 min, in which it recovers a message integrity code (MIC) key from an ARP packet. Our first attack reduces the execution time for recovering a MIC key. It can recover the MIC key within 7–8 min. Our second attack expands its targets that can be attacked. This attack focuses on a new vulnerability of QoS packet processing, and this vulnerability can remove the condition that the AP supports IEEE 802.11e. In addition, we discovered another vulnerability by which our attack succeeds under the condition that the chipset of the client supports IEEE 802.11e even if the client disables this standard through the OS. We demonstrate that chipsets developed by several kinds of vendors have the same vulnerability.
URL: https://globals.ieice.org/en_transactions/information/10.1587/transinf.E95.D.588/_p
Copy
@ARTICLE{e95-d_2_588,
author={Yosuke TODO, Yuki OZAWA, Toshihiro OHIGASHI, Masakatu MORII, },
journal={IEICE TRANSACTIONS on Information},
title={Falsification Attacks against WPA-TKIP in a Realistic Environment},
year={2012},
volume={E95-D},
number={2},
pages={588-595},
abstract={In this paper, we propose two new falsification attacks against Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). A previous realistic attack succeeds only for a network that supports IEEE 802.11e QoS features by both an access point (AP) and a client, and it has an execution time of 12–15 min, in which it recovers a message integrity code (MIC) key from an ARP packet. Our first attack reduces the execution time for recovering a MIC key. It can recover the MIC key within 7–8 min. Our second attack expands its targets that can be attacked. This attack focuses on a new vulnerability of QoS packet processing, and this vulnerability can remove the condition that the AP supports IEEE 802.11e. In addition, we discovered another vulnerability by which our attack succeeds under the condition that the chipset of the client supports IEEE 802.11e even if the client disables this standard through the OS. We demonstrate that chipsets developed by several kinds of vendors have the same vulnerability.},
keywords={},
doi={10.1587/transinf.E95.D.588},
ISSN={1745-1361},
month={February},}
Copy
TY - JOUR
TI - Falsification Attacks against WPA-TKIP in a Realistic Environment
T2 - IEICE TRANSACTIONS on Information
SP - 588
EP - 595
AU - Yosuke TODO
AU - Yuki OZAWA
AU - Toshihiro OHIGASHI
AU - Masakatu MORII
PY - 2012
DO - 10.1587/transinf.E95.D.588
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E95-D
IS - 2
JA - IEICE TRANSACTIONS on Information
Y1 - February 2012
AB - In this paper, we propose two new falsification attacks against Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). A previous realistic attack succeeds only for a network that supports IEEE 802.11e QoS features by both an access point (AP) and a client, and it has an execution time of 12–15 min, in which it recovers a message integrity code (MIC) key from an ARP packet. Our first attack reduces the execution time for recovering a MIC key. It can recover the MIC key within 7–8 min. Our second attack expands its targets that can be attacked. This attack focuses on a new vulnerability of QoS packet processing, and this vulnerability can remove the condition that the AP supports IEEE 802.11e. In addition, we discovered another vulnerability by which our attack succeeds under the condition that the chipset of the client supports IEEE 802.11e even if the client disables this standard through the OS. We demonstrate that chipsets developed by several kinds of vendors have the same vulnerability.
ER -
FlyerIEICE has prepared a flyer regarding multilingual services. Please use the one in your native language.
English
