Which is better between WPA2-PSK AES vs WPA-PSK TKIP?
Is WPA-PSK AES safer than WPA-PSK TKIP-AES? Is WPA-PSK TKIP-AES dangerous for security?
Between WPA2-PSK AES and WPA-PSK TKIP, TKIP is vulnerable to an attack similar to the WEP "ChopChop" attack. TKIP uses a MIC for guaranteeing the integrity of an encrypted frame. If more than two MIC failures are observed in a 60-second window, both the Access Point (AP) and client station shut down for 60 seconds. The newer TKIP attack uses a mechanism similar to the "chopchop" WEP attack to decode one byte at a time by using multiple replays and observing the response over the air. When a MIC failure occurs, the attacker can observe the response and wait for 60 seconds to avoid MIC countermeasures. Using this mechanism, the attacker can decode a packet at the rate of one byte per minute. Small packets like ARP frames can typically be decoded in about 15 minutes by leveraging this exploit. TKIP also includes a sequence counter that could detect if a packet is being sent out of sequence. However, with the introduction of QoS based on the WMM standard, the sequence enforcement across multiple QoS queues was relaxed for performance reasons. This creates another security flaw. Once a TKIP frame has been decoded, the attacker can use the obtained key sequence to further inject up to 15 additional arbitrary frames using different QoS queues without triggering a sequence number violation that would have led to the injected packet being dropped.
Summary of TKIP Vulnerabilities
- This is not a key recovery attack. TKIP keys are not compromised and it does not lead to decryption of all subsequent frames.
- The attack affects all TKIP deployments (WPA and WPA2) regardless of whether they use Pre-Shared Keys (PSK) or the more robust enterprise mode with 802.1x authentication.
- The attack can reveal one byte per minute of a TKIP encrypted packet. Small frames like ARPs are good candidates for the attack.
- If QoS is enabled, the attack can also lead to injection of up to 15 arbitrary frames for every decrypted packet. Potential attack scenarios include ARP decoding followed by ARP poisoning, DNS manipulation, etc.
- WPA and WPA2 networks that use the more robust AES-CCMP encryption algorithm are immune to the attack.
- The attack is capable of decrypting a TKIP frame sent from an AP to a station (not station to AP).
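Since the practical takeaway is to run CCMP only, here is an added example (not from the original post) that audits a hostapd configuration for TKIP exposure: WPA (v1) enabled via the `wpa` bitmask, or TKIP listed in `wpa_pairwise`/`rsn_pairwise`, including the "TKIP CCMP" mixed mode the question asks about. The two config fragments are constructed samples, and the hostapd keys used are the standard ones (`wpa`, `wpa_pairwise`, `rsn_pairwise`).

```python
# Constructed sample hostapd.conf fragments (not from the original post).
# WEAK_CONF allows WPA1 and WPA2 with TKIP and CCMP; HARDENED_CONF is WPA2/CCMP only.
WEAK_CONF = """
interface=wlan0
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

HARDENED_CONF = """
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_hostapd(conf: str) -> dict:
    """Return key=value pairs from a hostapd.conf, skipping blanks and comments."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_tkip(conf: str) -> list:
    """Return a list of findings; an empty list means no TKIP exposure was found."""
    s = parse_hostapd(conf)
    findings = []
    wpa = int(s.get("wpa", "0"))
    if wpa & 1:
        # bit 0 of 'wpa' enables WPA (v1), the TKIP-era protocol; 2 = WPA2 (RSN) only
        findings.append(f"wpa={wpa} enables WPA (v1); use wpa=2 so only RSN/WPA2 is offered")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = s.get(key, "").split()
        if "TKIP" in ciphers:
            mode = "alongside CCMP (mixed mode): TKIP clients stay exposed" if "CCMP" in ciphers else "only"
            findings.append(f"{key} offers TKIP {mode}")
    if wpa & 2 and "rsn_pairwise" not in s:
        # with rsn_pairwise unset, hostapd falls back to wpa_pairwise, so state it explicitly
        findings.append("rsn_pairwise not set; set rsn_pairwise=CCMP explicitly")
    return findings
```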