Weaknesses in the Key Scheduling Algorithm of RC4
SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)
ACM Transactions on Information and System Security (TISSEC)
Weaknesses in the temporal key hash of WPA
ACM SIGMOBILE Mobile Computing and Communications Review
The Final Nail in WEP's Coffin
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
802.11 denial-of-service attacks: real vulnerabilities and practical solutions
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Practical attacks against WEP and WPA
Proceedings of the second ACM conference on Wireless network security
Wireless networks security: Proof of chopchop attack
WOWMOM '08 Proceedings of the 2008 International Symposium on a World of Wireless, Mobile and Multimedia Networks
NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Security analysis of michael: the IEEE 802.11i message integrity code
EUC'05 Proceedings of the 2005 international conference on Embedded and Ubiquitous Computing
A note on the fragility of the "Michael" message integrity code
IEEE Transactions on Wireless Communications
Review: TCP/IP security threats and attack methods
Computer Communications
Hi-index | 0.00 |
We describe three attacks on the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP). The first attack is a Denial of Service attack that can be executed by injecting only two frames every minute. The second attack demonstrates how fragmentation of 802.11 frames can be used to inject an arbitrary amount of packets, and we show that this can be used to perform a portscan on any client. The third attack enables an attacker to reset the internal state of the Michael algorithm. We show that this can be used to efficiently decrypt arbitrary packets sent towards a client. We also report on implementation vulnerabilities discovered in some wireless devices. Finally we demonstrate that our attacks can be executed in realistic environments.