[Off topic] Difference between wpa: tkip & aes

Jar jar at pcuf.fi
Sun Nov 6 15:40:19 EST 2005


> The sniffer has no way of knowing that they are WEP protected unless it
> takes a look at what happened during association.

OK, I am not a specialist, but the sniffer shows the data packet as below when
WPA-TKIP is selected. How does the sniffer know that this data is WEP data?

Packet Info
  Flags:                0x00
  Status:               0x04  Encrypted
  Packet Length:        1562
  Timestamp:            00:18:39.435062200 11/03/2005
  Data Rate:            22  11.0 Mbps
  Channel:              11  2462 MHz
  Signal Level:         59%
  Noise Level:          0%
802.11 MAC Header
  Version:              0
  Type:                 %10  Data
  Subtype:              %0000  Data Only
Frame Control Flags:    %01000011
                        0... .... Non-strict order
                        .1.. .... WEP Enabled
                        ..0. .... No More Data
                        ...0 .... Power Management - active mode
                        .... 0... This is not a Re-Transmission
                        .... .0.. Last or Unfragmented Frame
                        .... ..1. Exit from the Distribution System
                        .... ...1 To the Distribution System

  Duration:             213  Microseconds
  Receiver:             00:14:BF:48:A1:A2
  Transmitter:          00:14:BF:2E:2E:2E
  Destination:          00:50:FC:5A:5A:5A  Edimax Tech:5A:5A:5A
  Seq. Number:          195
  Frag. Number:         0
  Source:               00:14:BF:22:22:22
802.11 TKIP Data
  WEP IV:               0x00201A
  RC4Key[0]:            0x00
  RC4Key[1]:            0x20
  RC4Key[2]:            0x1A

  TKIP Key Index:       0x20
  Reserved:             %00100
  Ext IV:               %0
  Key ID:               %00  Key ID=1

  TKIP SC:              0x00000000
  TKIP Data:
  ...||+.......V..  D5 04 B8 7C 7C 2B 84 1D 15 B5 0E D8 E2 56 A3 AF
  ....
  ....

And like this when WPA-AES is selected:

Packet Info
  Flags:                0x00
  Status:               0x04  Encrypted
  Packet Length:        1558
  Timestamp:            00:20:39.381721800 11/03/2005
  Data Rate:            22  11.0 Mbps
  Channel:              11  2462 MHz
  Signal Level:         60%
  Noise Level:          0%
802.11 MAC Header
  Version:              0
  Type:                 %10  Data
  Subtype:              %0000  Data Only
Frame Control Flags:    %01000011
                        0... .... Non-strict order
                        .1.. .... WEP Enabled
                        ..0. .... No More Data
                        ...0 .... Power Management - active mode
                        .... 0... This is not a Re-Transmission
                        .... .0.. Last or Unfragmented Frame
                        .... ..1. Exit from the Distribution System
                        .... ...1 To the Distribution System

  Duration:             213  Microseconds
  Receiver:             00:14:BF:48:A1:A2
  Transmitter:          00:14:BF:2E:2E:2E
  Destination:          00:50:FC:5A:5A:5A  Edimax Tech:5A:5A:5A
  Seq. Number:          91
  Frag. Number:         0
  Source:               00:14:BF:22:22:22
802.11 TKIP Data
  WEP IV:               0x0C0000
  RC4Key[0]:            0x0C
  RC4Key[1]:            0x00
  RC4Key[2]:            0x00

  TKIP Key Index:       0x20
  Reserved:             %00100
  Ext IV:               %0
  Key ID:               %00  Key ID=1

  TKIP SC:              0x00000000
  TKIP Data:
  .J.\..'>c\.0A..-  7F 4A CA 5C E2 F5 27 3E 63 5C FD 30 41 F7 AC 2D
  ...
  ...

So this data could be AES encrypted even if this sniffer claims it is TKIP/WEP?


> That weak key claim is probably valid only if WEP was used (i.e., not
> for TKIP and certainly not for CCMP). Anyway, even for WEP, there are
> more efficient ways of cracking the key than weak keys, so reporting
> weak is kind of pointless for WEP nowadays. It is weak, no matter what
> key is used.

Strange, Kismet complains about weak keys even when WPA-AES is selected on the AP.

-- 
Best Regards, Jar
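As an added illustration, not part of the original post or of any sniffer's own code: the "WEP Enabled" flag the sniffer decodes is the 802.11 Protected Frame bit, which is set for WEP, TKIP and CCMP alike, so by itself it says nothing about the cipher. The four bytes that follow the MAC header do distinguish them (up to one ambiguity noted in the code). The sample headers are constructed from the two dumps above; the function and field names are this example's own.

```python
# Added example: tell WEP, TKIP and CCMP apart from a protected data frame's
# IV/KeyID header. The "WEP Enabled" flag (bit 6 of the Frame Control flags
# byte) is the Protected Frame bit and is set for all three ciphers; only the
# 4-byte header after the MAC header carries the cipher-specific layout.

FC_FLAG_PROTECTED = 0x40   # "WEP Enabled" in the sniffer output
EXT_IV = 0x20              # bit 5 of the KeyID byte: TKIP/CCMP extended IV

def classify_protected_header(fc_flags: int, hdr: bytes) -> dict:
    """Interpret the 4 bytes after the MAC header of an 802.11 data frame.

    Returns the guessed cipher ("none", "WEP", "TKIP", "CCMP" or "unknown")
    plus the fields that led to the guess. This is a heuristic: only the
    RSN/WPA information elements seen at association are authoritative.
    """
    if not fc_flags & FC_FLAG_PROTECTED:
        return {"cipher": "none"}
    if len(hdr) < 4:
        raise ValueError("need at least 4 header bytes")
    b0, b1, b2, keyid_byte = hdr[:4]
    key_id = keyid_byte >> 6
    if not keyid_byte & EXT_IV:
        # Plain WEP: 3-byte IV followed by the KeyID byte, no Ext IV bit.
        return {"cipher": "WEP", "iv": bytes(hdr[:3]), "key_id": key_id}
    # TKIP builds the per-packet RC4 IV from the TKIP sequence counter (TSC):
    #   WEPSeed[0] = TSC1, WEPSeed[1] = (TSC1 | 0x20) & 0x7F, WEPSeed[2] = TSC0
    # so byte 1 always has bit 5 set and bit 7 clear.
    if b1 == (b0 | 0x20) & 0x7F:
        # A CCMP frame with PN1 == (PN0 | 0x20) & 0x7F and PN2 == 0 would also
        # land here; that is the ambiguity a header-only check cannot resolve.
        return {"cipher": "TKIP", "tsc0": b2, "tsc1": b0, "key_id": key_id}
    # CCMP: PN0, PN1, reserved byte (always 0), KeyID byte with Ext IV set.
    if b2 == 0:
        return {"cipher": "CCMP", "pn0": b0, "pn1": b1, "key_id": key_id}
    return {"cipher": "unknown", "key_id": key_id}

# Constructed from the two dumps above: Frame Control flags %01000011 = 0x43,
# then the 3 bytes the sniffer labels "WEP IV" and the 0x20 "TKIP Key Index".
FRAME_FLAGS = 0x43
WPA_TKIP_HEADER = bytes.fromhex("00201A20")   # 00 20 1A: TSC1=0, seed=0x20, TSC0=0x1A
WPA_AES_HEADER = bytes.fromhex("0C000020")    # 0C 00 00: PN0=0x0C, PN1=0, reserved=0

if __name__ == "__main__":
    for name, hdr in (("WPA-TKIP", WPA_TKIP_HEADER), ("WPA-AES", WPA_AES_HEADER)):
        print(name, classify_protected_header(FRAME_FLAGS, hdr))
```

Run on the second dump the header is reported as CCMP: byte 1 is 0x00, which a TKIP WEPSeed can never produce, so the sniffer's "TKIP Data" label there is just its default decode for any Ext IV frame.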


