Friday, November 07, 2008

WPA2 is not next on the chopping block

Researchers have announced they can crack WPA in 12-minutes. Some people wonder if WPA2 will soon be next.

It won't be. WPA was always known to be a weak hack, WPA2 has always been known to be secure. The reason for the compromise was that that hardware didn't support the AES encryption in WPA2, so a weaker crypto was needed to fix the obvious flaws with WEP without requiring a hardware upgrade.

The original WEP was based upon the RC4 encryption algorithm. RC4 is a fine algorithm, it's still used today for SSL today. However, it's a "stream cipher" that needs a unique key per stream. That's why it works for SSL and not WiFi: SSL is one long stream whereas WiFi is a bunch of individual packets. RC4 cannot be used for encrypting packets, just streams.

RC4 was baked into the WiFi chips. The correct fix for the WEP-crack problem was to replace RC4 with a "block cipher", namely AES. However, you couldn't get rid of all the hardware in the field. Therefore, an interim solution that still used RC4 was created. The fix was to include a sequence number in each packet, and mix the sequence number with the WEP key to create a unique per-packet key. This was called "TKIP".

Both solutions were standardized at the same time. The WPA certification required TKIP, but made AES optional. The WPA2 certification required AES. We use these terms WPA-RC4-TKIP interchangeably and WPA2-AES-CCMP interchangeably, but technically they refer to different things (the standard, the encryption, and the keying method respectively).

Even as the compromised was reached, everyone knew WPA-TKIP was going to be hacked eventually. Cryptographers have a good nose for such things, and even while they couldn't immediately figure out a way to crack this, they knew it would probably be hacked in time.

However, everyone had full confidence in AES. There are no weakness in AES or the WPA2 standard based upon it. It's going to last for the next 20 years. It's security we can rely upon (at least, as far as encryption goes - there are still issues with authentication).

As a side note, the author of this new attack is Erik Tews. He is the 'T' in the "PTW", the latest and greatest attack on WEP. The original WEP crack required millions of packets and a lot of CPU time to crack. However, this evolved quickly with better and better methods. PTW is the latest and best method so far. It requires only 40k packets and a few seconds of CPU time. Therefore, we can trust this method will probably work, although there might be caveats (such as man-in-the-middle attacks on TKIP packets).

The moral of the story is that you should always have been planning WPA2-AES-CCMP eventually, and been planning to rely upon that for many years. If you planned to only do WPA-RC4-TKIP, then you were wrong.

EDIT: This Ars Technica story interviews Erik Tews and clarifies that the attack doesn't break the key, but instead only allows you to inject a few small packets.

EDIT: The "chop-chop" attack works because RC4 encrypts by XORing against a keystream. AES doesn't do that, it encrypts blocks directly, so chop-chop attacks won't work against it.


ToddH said...


Interesting point of view. While I agree WPA2 is more robust than WPA, I'm not sure I would bet against someone finding a weakness in WPA2 at some point. The protocol design may be flawless but the implementation could be full of holes.

Tews said they were going after AES next so either way we'll find out.

I'm still recommending people use WPA Enterprise.

JJ said...


20 years... I mean, really?
You're kidding right.. ?


Robert Graham said...

20 years... I mean, really?

We must make plans for what will happen in the near-term foreseeable future.

We know TKIP will be broken in the near-term foreseeable future. AES-CCMP will not be.

I was specifically addressing the jaded attitude that everything gets broken one right after the other. This isn't actually true. Take the RSA algorithm for example -- it is 30 years old and still going strong. The DES algorithm was never really broken. RSA and 3DES need bigger keys due to Moore's Law + brute-force, but the algorithms are still still strong.

We know RC4-TKIP to be weak, but AES-CCMP is likely very strong.

How long is the near-term foreseeable future? I guessed at 20 years.

Robert said...

i haven't read up on David Maynor's cross platform WinLinMac firmware level / device driver level attack in a quite a while. But as i recall, it didn't matter which security scheme was used because the attack occurs at such a low level. If an attacker can run as firmware / device driver, they have system access and do not even need to bother breaking AES.

Matthew Wales said...

Hi Mr Graham, i came across this blog post in my research for my college dissertation, and whilst reading the post and the comments left below it you said that AES-CCMP will not be broken, this however is untrue because a journal has been released providing evidence of a successful breach of this encryption using what is called a Cache-Collision Timing Attack, that was discovered by a computer science student from Stanford university and a Microsoft research, and though i agree that AES is secure against many types of attacks it is not invulnerable, and of course this will not be a problem for residential users because crackers simply won't bother with the time that the attack takes. so i thought that i would bring this to yours and everyone's attention just so you know about it :).

Robert Graham said...

The paper Cache-Collision Timing Attack does not say what you think it says. It has zero implications for cracking WiFi.

Matthew Wales said...

upon closer inspection you are right, i stand corrected and apologies for my rather irrelevant post earlier, i guess i should have checked this more thoroughly before commenting.