Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword or section
Like this

Table Of Contents

1.1 Motivation
1.2 Related Work
1.3 Problem Description and Goals
1.4 Limitations
1.5 Research Methodology
1.6 Document Structure
2.1 Security Principles
2.1.1 General Principles
2.1.2 Encryption techniques
2.1.3 Authentication and Authorization
2.1.4 Attacks
2.2 IEEE 802.11 Wireless Networks
2.2.1 General Description
2.2.2 Structure of Wireless Networks
2.2.3 History
2.2.4 IEEE 802.11 Transmission Protocols Roundup
2.3 Wireless Security
2.3.1 IEEE 802.11 Security Protocols
2.4 Wired Equivalent Privacy (WEP)
2.4.1 History
2.4.2 Protocol Overview
2.4.3 Authentication
2.4.4 Pseudorandom Number Generator - RC4
2.4.5 Integrity Check Value - CRC-32
2.4.7 Weaknesses of WEP
2.5 Attacks on WEP
2.5.1 The FMS Attack
2.5.2 The KoreK Attack
2.5.3 The PTW Attack
2.5.4 Beck and Tews’ Improved Attack on RC4
2.5.5 Chopchop Attack
2.5.6 Fragmentation Attack
2.6 Temporal Key Integrity Protocol (TKIP)
2.6.1 History
2.6.2 Protocol overview
2.6.3 TKIP Encapsulation
2.6.4 TKIP Decapsulation
2.6.5 TKIP Packet Structure
2.6.6 TKIP Sequence counter (TSC)
2.6.7 Message Integrity Code (MIC)
2.7 Counter Mode with CBC MAC Protocol (CCMP)
2.8 Attacks on TKIP and CCMP
2.9 IEEE 802.11e - QoS/WMM
2.10 Address Resolution Protocol (ARP)
2.10.1 Protocol Overview
2.10.2 ARP Packet Structure
2.10.3 Attacks on ARP
2.11 Dynamic Host Configuration Protocol (DHCP)
2.11.1 Overview
2.11.2 DHCP Packet Structure
Beck and Tews’ Attack on TKIP
3.1 Requirements
3.1.1 QoS/WMM
3.1.2 Key Renewal Interval
3.2 The Attack in Details
3.2.1 Client De-Authentication
3.2.2 Modified Chopchop Attack
3.2.3 Guessing The Remaining Bytes
3.2.4 Reversing the MICHAEL Algorithm
3.3 Limitations
3.4 Application Areas
3.4.1 ARP Poisoning
3.4.2 Denial-of-Service
3.5 Countermeasures
An Improved Attack on TKIP
4.1 The DHCP ACK Message
4.2 The Attack in Details
4.3 Application Areas
4.3.1 DHCP DNS Attack
4.3.2 NAT Traversal Attack
Laboratory Environment
5.1 Hardware
5.1.1 Computers
5.1.2 Access Point
5.2 Software
5.2.1 The Aircrack-ng Suite
5.2.2 Wireshark
5.2.3 Command Line Tools
6.1 Preparations for the Attacks
6.2 Verification of the Original Implementation
6.3 Modifying tkiptun-ng Into an ARP Poisoning
6.4 Modifying tkiptun-ng Into a Cryptographic DoS
6.5 Verification of the Improved Attack
6.6 Experimentation With Other Systems
7.1 Verification of the Original Attack
7.2 ARP Poisoning Attack
7.3 A Cryptographic Denial-of-Service Attack
7.4 Verification of the Improved Attack
7.5 Results With Different Configurations
7.5.1 The Original Tkiptun-ng Attack
7.5.2 Access Points
7.5.3 Injection on Different QoS Channels
7.5.4 Forcing DHCP Renewal
7.5.5 Predictability of DHCP Transaction IDs
7.5.6 Summary of Experimentation With Other Systems
8.1 Application Areas
8.1.1 The Original Attack
8.1.2 The Improved Attack
8.2 Real World Applicability
A.1 Denial-of-Service Attack
A.2 ARP Poisoning Attack
A.3 Improved Attack
0 of .
Results for:
No results containing your search query
P. 1
Tkip Master

Tkip Master

Ratings: (0)|Views: 2,429|Likes:
Published by Andrés Karabin

More info:

Published by: Andrés Karabin on Oct 06, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





You're Reading a Free Preview
Pages 4 to 13 are not shown in this preview.
You're Reading a Free Preview
Pages 17 to 46 are not shown in this preview.
You're Reading a Free Preview
Pages 51 to 66 are not shown in this preview.
You're Reading a Free Preview
Pages 70 to 156 are not shown in this preview.

Activity (7)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
guechoum liked this
omegablux liked this
Hien Nguyen liked this
Kevin Garay liked this
Geci Guo liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->