Abstract
Beck and Tews described the first practical cryptographic attack on IEEE 802.11i TKIP in November 2008, and this paper continues this line of protocol cryptanalysis. We show that their attack on TKIP can be used to create an ARP poisoning attack and a cryptographic DoS attack. Moreover, we are able to decrypt DHCP ACK packets, which are over 12 times longer than the ARP packet used by Beck and Tews. Our method of analysis recovers 596 bytes of keystream that can be used in new attacks on other control protocol messages.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Beck, M., Tews, E.: Practical attacks against WEP and WPA. Cryptology ePrint Archive Report 472, 79–86 (2008)
KoreK: chopchop (Experimental WEP attacks) (2004), http://www.netstumbler.org/f50/chopchop-experimental-wep-attacks-12489/
IEEE Standard for Information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks-Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Std 802.11-2007 (Revision of IEEE Std 802.11-1999) (2007)
Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)
Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). ACM Trans. Inf. Syst. Secur. 7, 319–332 (2004)
Bittau, A., Handley, M., Lackey, J.: The Final Nail in WEP’s Coffin Security and Privacy. In: IEEE Symposium on, pp. 386–400 (2006)
Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. Cryptology ePrint Archive 120 (2007)
KoreK.: Next generation of WEP attacks (2004), http://www.netstumbler.org/showpost.php?p=93942&postcount=35
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Halvorsen, F.M., Haugen, O., Eian, M., Mjølsnes, S.F. (2009). An Improved Attack on TKIP. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds) Identity and Privacy in the Internet Age. NordSec 2009. Lecture Notes in Computer Science, vol 5838. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04766-4_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-04766-4_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04765-7
Online ISBN: 978-3-642-04766-4
eBook Packages: Computer ScienceComputer Science (R0)