Paper Published on Breaking WPA TKIP
Two German university researchers have discovered a combination of techniques that could allow an attacker to compromise Wi-Fi Protected Access (WPA) encryption in less than 15 minutes. The attack does not recover the encryption key. Rather, the technique allows attackers “to decrypt packets and inject packets with custom content.” Martin Beck and Eric Tews present their findings at the PacSec 2008 conference in Tokyo this week. The attack targets WPA’s Temporal Key Integrity Protocol (TKIP).
http://www.securityfocus.com/news/11537
http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack–/news/111922
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
[(Note from Johannes Ullrich): Although the attack is rather limited, it highlights the fact that WPA and TKIP were meant to serve as a transitional fix for older hardware. WPA2 is the "real fix". And from Raul Siles at Internet Storm Center: This new research opens the door to new WPA/TKIP attacks and future attack enhancements, so it is time to start applying and planning the appropriate security countermeasures to remove or mitigate this and similar future threats:
Update to WPA2/AES as soon as you can! Because the vulnerability is in TKIP, both WPA and WPA2 can be affected. The attack affects WPA2 if configured with TKIP because WPA2 allows both AES and TKIP (while WPA only allows TKIP).]



Any new posts?
Thor
March 15, 2009