Friday, January 7, 2011

A weakness in the key descriptor version 1 used in TKIP mode of WPA/WPA2 (802.11i)

From Section 8.5.2 of the 802.11-2007 standard:
"Key Descriptor Version 1: ARC4 is used to encrypt the Key Data field using the KEK field from the derived PTK. No padding shall be used. The encryption key is generated by concatenating the EAPOL-Key IV field and the KEK. The first 256 octets of the ARC4 key stream shall be discarded following ARC4 stream cipher initialization with the KEK, and encryption begins using the 257th key stream octet."
In theory, this is vulnerable to the attack described in "A Practical Attack on the Fixed RC4 in the WEP Mode". In addition, "New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4" describes more biases in the 256th and 257th keystream bytes. Note, however, that in order to get 50000 keystreams, 50000 group key handshakes using the same KEK must be captured, and these happen less often than the actual data encryption.
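The construction quoted from Section 8.5.2, as an added Python example (not code from the original post or from the standard): the per-message ARC4 key is the EAPOL-Key IV followed by the fixed KEK, and the first 256 keystream octets are discarded. The function names and the sample KEK, IVs and Key Data are constructed; the 16-octet lengths are those of the EAPOL-Key IV field and the KEK.

```python
# Added example: Key Descriptor Version 1 Key Data encryption (ARC4, drop 256).
# All names and sample values here are constructed for illustration.

def rc4_keystream(key: bytes, length: int, skip: int = 0) -> bytes:
    """Return `length` ARC4 keystream octets after discarding the first `skip`."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for n in range(skip + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= skip:
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def v1_rc4_key(eapol_key_iv: bytes, kek: bytes) -> bytes:
    """ARC4 key per the quoted text: EAPOL-Key IV concatenated with the KEK."""
    if len(eapol_key_iv) != 16 or len(kek) != 16:
        raise ValueError("EAPOL-Key IV and KEK are 16 octets each")
    return eapol_key_iv + kek

def v1_crypt_key_data(eapol_key_iv: bytes, kek: bytes, key_data: bytes) -> bytes:
    """Encrypt or decrypt Key Data (same operation); no padding is applied."""
    ks = rc4_keystream(v1_rc4_key(eapol_key_iv, kek), len(key_data), skip=256)
    return bytes(a ^ b for a, b in zip(key_data, ks))

if __name__ == "__main__":
    kek = bytes(range(0x10, 0x20))   # constructed KEK (secret, fixed per PTK)
    key_data = bytes(range(32))      # constructed 32-octet Key Data
    for counter in (1, 2):           # constructed IVs, sent in the clear
        iv = counter.to_bytes(16, "big")
        key = v1_rc4_key(iv, kek)
        wrapped = v1_crypt_key_data(iv, kek, key_data)
        # Only the first 16 octets of the ARC4 key change between handshakes.
        print("public prefix:", key[:16].hex(), "fixed suffix:", key[16:].hex())
        print("encrypted Key Data:", wrapped.hex())
        assert v1_crypt_key_data(iv, kek, wrapped) == key_data
```

The printed keys show the structure the post is concerned with: a public, changing 16-octet prefix in front of a secret that stays fixed for as long as the same KEK is in use.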