Is TKIP secure when paired with 802.1x?

tensop · 8th July 2012, 9:14 PM

Hi Guys,

WPA/TKIP security was compromised a few years ago.. got a network that has issues with macbooks which suprisingly is resolved by reverting to WPA,TKIP & 802.1X PEAP-MSCHAPv2.

I'm assuming the compromise allows traffic from the targeted WAP/client to be sniffed, but establishing a connection to the network still remains impossible without breaking through 802.1x?

dakiller · 10th July 2012, 10:51 AM

From what I remember, the TKIP venerability was incredibly weak and really nothing to worry about. You could never get the key or any user data, only inject malicious packets in ARP and basically make DOS like attacks.

JuicEmatic · 11th July 2012, 6:46 AM

from what i read you could inject 7 packets at most. i dont know if that constitutes a truly exploitable vulnerability, but then again i also dont know what you can do with 7 packets.

elvis · 11th July 2012, 7:10 AM

Yes, TKIP is still vulnerable to the known attacks with 802.1x.

In reality however, the attack is very difficult to do, and at best lets you do some ARP poisoning. The effort to reward ratio is far too high.

Not that I condone that sort of attitude toward security, but I've yet to find a published article demonstrating a real-world TKIP-based attack outside of a lab situation. If this is just an average business network, I'd be comfortable with WPA/TKIP for the next year or so. The business I've just recently started at has a number of BYO devices on their wireless network, and likewise have TKIP enabled to guarantee compatibility. I'm not losing any sleep over it.

8th July 2012, 9:14 PM	#1
tensop Member Join Date: Mar 2002 Posts: 1,133	Is TKIP secure when paired with 802.1x? Hi Guys, WPA/TKIP security was compromised a few years ago.. got a network that has issues with macbooks which suprisingly is resolved by reverting to WPA,TKIP & 802.1X PEAP-MSCHAPv2. I'm assuming the compromise allows traffic from the targeted WAP/client to be sniffed, but establishing a connection to the network still remains impossible without breaking through 802.1x?

10th July 2012, 10:51 AM	#2
dakiller (Oscillating & Impeding) Join Date: Jun 2001 Location: SE Melb Posts: 6,155	From what I remember, the TKIP venerability was incredibly weak and really nothing to worry about. You could never get the key or any user data, only inject malicious packets in ARP and basically make DOS like attacks. __________________ In memory of Cheers Z

11th July 2012, 7:10 AM	#4
elvis Member Join Date: Jun 2001 Location: Brisbane Posts: 19,937	Yes, TKIP is still vulnerable to the known attacks with 802.1x. In reality however, the attack is very difficult to do, and at best lets you do some ARP poisoning. The effort to reward ratio is far too high. Not that I condone that sort of attitude toward security, but I've yet to find a published article demonstrating a real-world TKIP-based attack outside of a lab situation. If this is just an average business network, I'd be comfortable with WPA/TKIP for the next year or so. The business I've just recently started at has a number of BYO devices on their wireless network, and likewise have TKIP enabled to guarantee compatibility. I'm not losing any sleep over it. __________________ Child's Play Charity

11th July 2012, 6:46 AM	#3
JuicEmatic Member Join Date: May 2012 Posts: 26	from what i read you could inject 7 packets at most. i dont know if that constitutes a truly exploitable vulnerability, but then again i also dont know what you can do with 7 packets.