Chop-Chop Attack
The main attack against TKIP is called the Chopchop attack, and it is not a key recovery attack. The Chopchop attack was originally implemented against WEP and allows the “attacker to interactively decrypt the last m bytes of plaintext of an encrypted packet by sending m*128 packets in average to the network”. It relies on the weakness of the CRC32 checksum, called the ICV, which is appended to the data of the packet. The attacker truncates the last byte of the encrypted packet, guesses its value, and returns the packet to the access point. If the guess is incorrect, the packet is discarded because of an incorrect checksum, and the attacker knows the guess was wrong. Once they have guessed the right value for the last byte, they continue backwards through the rest of the bytes until they have guessed the entire packet. It takes an average of 128 guesses per byte to find the right value.
However, because WPA now includes the MIC and sequence counters, the attack can be prevented from working in its original manner. The attacker now captures a packet, finds a low-traffic channel where the sequence counter will still be low, and tries the attack there. If the attacker guesses the last byte wrong, the access point still silently drops the packet, but if the guess is correct, a MIC failure report frame is sent to the client. Once this is received, the attacker knows their guess is correct and must wait at least 60 seconds before guessing again in order to prevent the client from being disconnected. Once the attacker has decrypted the last 12 bytes, they have the MIC and the ICV in plaintext. Using the ICV, the attacker can guess the rest of the packet and compute the CRC32 until the values match, at which point they know they have decrypted the packet. With the recovered MIC, the attacker can reverse the algorithm to recover the MIC key.
With the MIC key recovered, the attacker can send packets to the clients on any channel where the sequence counter is low and perform a number of attacks, such as traffic rerouting.
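The ICV weakness described above, as an added example that is not code from the original page: CRC32 is unkeyed and affine under XOR, so a receiver that checks only the ICV accepts a ciphertext altered without the key, while a keyed tag rejects the same alteration. The SHA-256 counter-mode keystream, the HMAC tag (a stand-in, not TKIP's Michael MIC), the function names and the sample message are all assumptions made for illustration.

```python
import hashlib, hmac, struct, zlib

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in XOR stream cipher (SHA-256 in counter mode), not RC4.
    blocks = (hashlib.sha256(key + struct.pack("<I", i)).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    # Unkeyed CRC32, the same kind of checksum as the ICV.
    return struct.pack("<I", zlib.crc32(data))

def keyed_tag(mac_key: bytes, data: bytes) -> bytes:
    # Keyed tag (truncated HMAC-SHA256); an assumption, not Michael.
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:8]

def seal(key: bytes, msg: bytes, tag: bytes) -> bytes:
    body = msg + tag
    return xor(body, keystream(key, len(body)))

def unseal(key: bytes, ct: bytes, tag_len: int, tag_fn):
    # Receiver side: decrypt, recompute the tag, return None on mismatch.
    body = xor(ct, keystream(key, len(ct)))
    msg, tag = body[:-tag_len], body[-tag_len:]
    return msg if hmac.compare_digest(tag, tag_fn(msg)) else None

def modify_without_key(ct: bytes, delta: bytes, tag_len: int) -> bytes:
    # Needs no secret: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros), so the
    # encrypted checksum can be patched to match the changed message bits.
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + fix.ljust(tag_len, b"\0"))

def demo():
    key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    msg = b"sensor reading: 021"               # constructed sample payload
    delta = xor(msg, b"sensor reading: 921")   # bits to change in transit
    ct_crc = seal(key, msg, icv(msg))
    ct_mac = seal(key, msg, keyed_tag(mac_key, msg))
    crc_result = unseal(key, modify_without_key(ct_crc, delta, 4), 4, icv)
    mac_result = unseal(key, modify_without_key(ct_mac, delta, 8), 8,
                        lambda m: keyed_tag(mac_key, m))
    return crc_result, mac_result  # altered message accepted vs. None

if __name__ == "__main__":
    print(demo())
```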
WPA2 Attacks
WPA2-PSK (Pre-Shared Key) is the most secure form of encryption used on personal wireless networks. It employs the Advanced Encryption Standard (AES) to encrypt the data instead of the RC4 stream cipher. Although there are some published theoretical attacks on AES, it is still considered very secure, and attacking the encryption itself would be very complex. However, this does not make WPA2 secure against key recovery attacks. When a client connects to a WPA2-PSK network, a four-way handshake is performed to authenticate the client with the access point. During this handshake, the client performs the Secure Hash Algorithm 1 (SHA-1) on the shared key salted with the access point’s Service Set Identifier (SSID) and sends it to the access point for verification. By passively listening to network traffic, an attacker can capture this packet. If no clients connect in the time the attacker is waiting, they can perform a deauthentication attack in order to force the handshake to occur. A deauthentication attack is when the attacker sends a deauthentication packet to the client after disguising themselves as the access point. If the client accepts this packet, they will reauthenticate with the access point and the attacker can capture the handshake. Once the attacker has the handshake, it is as easy as performing either a brute force or dictionary attack to recover the plaintext of the shared key. The speed of this attack depends mainly on processor speed, because once the handshake is captured the attacker can break the shared key at their leisure. With the availability of dictionary files containing the most common passwords, as well as programs such as John the Ripper which can generate different permutations based upon those passwords, a fairly comprehensive dictionary can be built. In addition, the process can be sped up using rainbow tables, which are pre-hashed compilations of the most common passwords and base station SSIDs.
It was also discovered in 2005 that collisions may exist in the SHA-1 hashing function.