Friday, August 28, 2009

WEP = Fail; WPA+TKIP = Fail

Cracking WPA in a minute - wow! WEP encryption has long been compromised, although I still see a number of networks using WEP. I've been advising individuals concerned about wireless security and my students to enable some sort of WPA encryption on their wireless networks. I really didn't focus on WPA + TKIP versus WPA + AES, although my students knew the difference and studied the evolution of wireless security. While we had briefly discussed the very small crack in WPA last year, we didn't take it much further. In my research, I determined that the conditions under which last year's crack occurred were very controlled and the possibility that this could become a full-blown intrusion was very unlikely. It looks like I'll have to amend my advice and update my lectures - use WPA with AES or WPA2, whichever your devices support.

New Attack Cracks Common Wi-Fi Encryption in a Minute
Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute.

The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system. The attack was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, who plan to discuss further details at a technical conference set for Sept. 25 in Hiroshima.

Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level, according to Dragos Ruiu, organizer of the PacSec security conference where the first WPA hack was demonstrated. 'They took this stuff which was fairly theoretical and they've made it much more practical,' he said.

The Japanese researchers discuss their attack in a paper presented at the Joint Workshop on Information Security, held in Kaohsiung, Taiwan earlier this month.

The earlier attack, developed by researchers Martin Beck and Erik Tews, worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

The encryption systems used by wireless routers have a long history of security problems. The Wired Equivalent Privacy (WEP) system, introduced in 1997, was cracked just a few years later and is now considered to be completely insecure by security experts.

WPA with TKIP 'was developed as kind of an interim encryption method as Wi-Fi security was evolving several years ago,' said Kelly Davis-Felner, marketing director with the Wi-Fi Alliance, the industry group that certifies Wi-Fi devices. People should now use WPA 2, she said.
