Non-dictionary attack on WPA-TKIP
Martin Beck and Erik Tews present[1] an attack on WPA-TKIP. It appears to depend on 802.11e QoS features to implement a chopchop attack. A re-keying interval of < 120s is suggested as a counter-measure.
The way chopchop attacks work is to “chop” off the last byte of a packet, then iterate through the 256 possible values for that byte, appending each one in turn and attempting to get the AP to rebroadcast the result. Once a packet with the correct dst-mac is seen being re-broadcast, the corresponding value is known to be the correct one. This approach was originally applied by KoreK to WEP.
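The practical take-away for an operator is the counter-measure: while TKIP is still negotiable, keep the re-keying interval under the suggested 120 s. The script below is an added example (not code from the page or from Beck and Tews) that audits a hostapd-style key=value configuration for that setting. It uses the real hostapd keys wpa_pairwise, wpa_group_rekey and wpa_ptk_rekey; the defaults it assumes when a key is absent (group re-key 600 s, PTK re-key disabled) follow hostapd's sample configuration and should be checked against the version actually deployed. The sample configuration, the 90 s hardened value and the helper names are constructed for the example.

```python
"""Audit a hostapd configuration against the TKIP re-keying counter-measure.

Added example, not code from the page or from Beck and Tews. Assumes a
hostapd-style key=value configuration and the real hostapd keys
wpa_pairwise, wpa_group_rekey and wpa_ptk_rekey. The defaults assumed when a
key is absent (group re-key 600 s, PTK re-key 0 = disabled) follow hostapd's
sample configuration; verify them against the hostapd version you run.
"""

MAX_REKEY_SECONDS = 120  # re-keying interval suggested as a counter-measure

# Assumed hostapd defaults used when the key is not set explicitly.
DEFAULTS = {"wpa_group_rekey": 600, "wpa_ptk_rekey": 0}

# Constructed sample: a mixed-mode AP that still lets clients negotiate
# TKIP and relies on hostapd's defaults for re-keying.
WEAK_CONF = """
interface=wlan0
ssid=example-ap
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""


def parse_hostapd_conf(text):
    """Parse key=value lines; blank lines and lines starting with '#' are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_tkip_rekey(conf):
    """Return (key, seconds) for each re-keying setting that leaves a TKIP
    session alive for MAX_REKEY_SECONDS or longer. seconds == 0 means the
    re-keying is disabled. An empty list means nothing to report."""
    findings = []
    pairwise = conf.get("wpa_pairwise", "").split()
    if "TKIP" not in pairwise:
        return findings  # CCMP-only: the TKIP chopchop attack does not apply
    for key in ("wpa_group_rekey", "wpa_ptk_rekey"):
        try:
            seconds = int(conf.get(key, DEFAULTS[key]))
        except ValueError:
            seconds = 0  # treat an unparseable value as "not enforced"
        if seconds == 0 or seconds >= MAX_REKEY_SECONDS:
            findings.append((key, seconds))
    return findings


def harden(conf, interval=90):
    """Return a copy of conf with both re-keying intervals set below the
    threshold. 90 s is an arbitrary choice under the suggested 120 s."""
    fixed = dict(conf)
    fixed["wpa_group_rekey"] = str(interval)
    fixed["wpa_ptk_rekey"] = str(interval)
    return fixed


def render(conf):
    """Serialise a parsed configuration back to hostapd key=value form."""
    return "\n".join(f"{k}={v}" for k, v in conf.items()) + "\n"


if __name__ == "__main__":
    weak = parse_hostapd_conf(WEAK_CONF)
    for key, seconds in audit_tkip_rekey(weak):
        state = "disabled" if seconds == 0 else f"{seconds} s"
        print(f"{key}: {state} (should be < {MAX_REKEY_SECONDS} s while TKIP is allowed)")
    print("\nHardened configuration:")
    print(render(harden(weak)))
```

Run against the constructed sample it reports both the 600 s group re-key default and the disabled PTK re-key, then prints the same configuration with both intervals set to 90 s. Removing TKIP from wpa_pairwise altogether makes the audit return nothing, which reflects that the attack targets TKIP, not CCMP.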
A follow-up article on NetworkWorld[2] suggests this is a big problem because customers have assumed that WPA was safe enough.
1. http://dl.aircrack-ng.org/breakingwepandwpa.pdf
2. http://www.networkworld.com/news/2008/110608-once-thought-safe-wpa-wi-fi.html?ts0hb&story=ts_wpahack