Dailydave mailing list archives

Re: WPA attack improved to 1min, MITM
From: Joshua Wright <jwright () hasborg com>
Date: Wed, 26 Aug 2009 16:49:26 -0700

Should have put in this link to the full paper from the conf proceedings
page as someone already correctly pointed out: http://bit.ly/8qwQt

The attack seems to have wider applicability than the original Beck/Tews
variant it is based on as it uses chopchop during MITM without relying
on 802.11e QoS extensions like Beck/Tews does, but does require
interfering with AP and MITM which are additional complexity to
execution. (Hat tip: Cedric Blancher)

The claim of 1 minute to break WPA seems unsupported in the paper.  The
authors have identified mechanisms by which they can reduce the amount
of time to ARP plaintext recovery compared to the numbers presented by
Beck/Tews, but the 1-minute claim assumes the attacker already has
knowledge of the MIC, presumably by executing the Beck/Tews attack
first, and then implementing this attack within the 65K packet PTK
lifetime duration.

Simplified, this attack can break WPA in 1 minute if it was already
broken by the Beck/Tews technique (Hat tip: Beck, Tews).

-Josh

Dailydave mailing list
Dailydave () lists immunitysec com
