Some big journalistic icons have recently published a shocking headline story. WPA is cracked. If that would really be the case, let me tell you it would be more than the average user to panick, because assuming the entire WPA spec is cracked is like saying secret data from the US government isn’t safe anymore.
In any cases, WPA is not cracked and everyone can rest assured. At least, partially.
First off, to understand how it really works, you have to seperate the different terms. AES is not a TKIP competitor and WPA is not a protocol.
WPA and WPA2 are standards (a way to do things). A WPA2 certified device supports everything included in the WPA2 standard.
TKIP and CCPM are WPA protocols. The first WPA was done out quick by some companies and used TKIP. WPA2 on the other hand uses the more sophisticated CCPM.
RC4 and AES are ciphers. RC4 is used by WEP and TKIP, AES is used by CCPM. So yes, WEP is not a standard, it’s a protocol (however it also stands as a standard, source of confusion).
What’s cracked?
TKIP is cracked. However, TKIP was still relatively well made, at least, better than WEP. The crack is no big deal, the most it can allow is injecting really small packets on your network and maybe decrypt some. Since most routers renew the TKIP keys at each hour, the average packet won’t ever have time to be cracked, so nobody can steal your credit card number like that, or whatever else.
Nobody can spy you, nobody can get your network key. At least, not yet. The crack right now is mostly a technical show-off, but nothing to be alarmed by.
Is my WPA still secure?
Yes, your WPA is still secure, even though not at 100%. Luckily enough, CCPM is not as weak as TKIP and doesn’t use the outdated RC4 cipher. With WPA2 certified devices, you can use CCPM in conjuction with the AES cipher (chosen to protect secret US government files) to attain a literaly uncrackable network.
However, as with any system, WPA2 is still prone to brute-force attacks. A poor password, even on CCPM, can be cracked by a dictionary attack. However, if you use a password like this, it’d take millions of years to crack it with a brute-force attack, and since there isn’t anything else possible than a brute-force attack on AES, you can rest assured your data is uncrackable.
Get the full explanation with Security Now ep. 170
