• Windows 7 Wallpapers
• Vista Wallpapers
• Windows Wallpapers

A proof-of-concept tool to crack Wi-Fi Protected Access (WPA) has also been published by the researchers, Martin Beck of the Technical University of Dresden, and Erik Tews of the Technical University of Darmstadt.

The research paper, Practical attacks against WEP and WPA, was published on Saturday. It gives details of how the researchers used a modified Wired Equivalent Privacy (WEP) attack against WPA.

WPA can use two protocols to protect payload — Temporal Key Integrity Protocol (TKIP) and AES-CCMP. Tews and Beck concentrated on compromising TKIP, and claim to have done so by modifying a 'chopchop' attack against WEP.

A chopchop attack works by taking one byte of data from a WEP encrypted packet, substituting values for that byte, and recalculating the encryption checksum. The modified packets are then sent to an access point, which simply discards them until a valid checksum is eventually substituted by the attacker.

The attack against WPA works by exploiting a flaw in TKIP. An attacker first captures traffic looking for an Address Resolution Protocol (ARP) request or response. These short packets contain an eight-byte Message Integrity Check (MIC), called 'Michael', plus a four-byte Integrity Check Value (ICV) checksum, both used to ensure the integrity of the packet. If an access point receives two bad Michael checksums within 60 seconds, it will exchange new keys with every client. If a client receives two bad Michael checksums within 60 seconds, it will shut down and then request a new key exchange with the access point. However, both Michael and ICV can be cracked using the chopchop technique if packets are tested after every 60 seconds, according to the researchers.

"Within a little bit more than 12 minutes, the attacker can decrypt the last 12 bytes of plaintext (MIC and ICV)," wrote the paper's authors. "To determine the remaining unknown bytes (exact sender and receiver IP addresses), the attacker can guess the values and verify them against the decrypted ICV."

In an email interview with ZDNet UK on Friday, Tews wrote that Beck had the idea of modifying chopchop to decrypt single WPA packets.