Falsification Attacks against WPA-TKIP in a Realistic Environment

Yosuke TODO  Yuki OZAWA  Toshihiro OHIGASHI  Masakatu MORII  

IEICE TRANSACTIONS on Information and Systems   Vol.E95-D   No.2   pp.588-595
Publication Date: 2012/02/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.E95.D.588
Print ISSN: 0916-8532
Type of Manuscript: PAPER
Category: Information Network
wireless LAN network,  WPA-TKIP,  falsification attack,  QoS,  vulnerability,  

Full Text: PDF(642.8KB)>>
Buy this Article

In this paper, we propose two new falsification attacks against Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). A previous realistic attack succeeds only for a network that supports IEEE 802.11e QoS features by both an access point (AP) and a client, and it has an execution time of 12–15 min, in which it recovers a message integrity code (MIC) key from an ARP packet. Our first attack reduces the execution time for recovering a MIC key. It can recover the MIC key within 7–8 min. Our second attack expands its targets that can be attacked. This attack focuses on a new vulnerability of QoS packet processing, and this vulnerability can remove the condition that the AP supports IEEE 802.11e. In addition, we discovered another vulnerability by which our attack succeeds under the condition that the chipset of the client supports IEEE 802.11e even if the client disables this standard through the OS. We demonstrate that chipsets developed by several kinds of vendors have the same vulnerability.