So I just read this article.  In it they say that Erik Tews and Martin Beck (the guy who does the decidedly awesome aircrack-ng stuff) have found a way to semi-compromie TKIP in just a few minutes.  They haven’t claimed to be able to do key recovery just yet (the way we can do with WEP) but I’m guessing that it’s just a matter of time now.

My first reaction was this:  So what?  They are cracking TKIP.  While it’s exciting news it shouldn’t be the earth shattering kaboom that the article insinuates.  WEP is busted.  Bad.  WPA was released to let us limp along until WPA2 (802.11i, or whatever it is that we’re calling it these days) was released.  Both WPA and WPA2 have AES support.  Yes, I know that not all WPA devices support(ed) AES but all WPA2 devices do.  If you are using an AP that doesn’t support AES, especially in a business setting, you deserve to get punked.  It’s a little thing I like to call due care.  You are responsible for knowing the implications of a technology before implementing it.  If you know that AES is currently considered the most secure solution available and you choose not to implement it then you deserve the consequences.

Businesses still using WEP or TKIP are victims of either their own laziness or the breakneck speed with which technology evolves.  Or both.  AES has been readily available in even the most inexpensive of wireless equipment for several years.  If your gear doesn’t support it, it’s too old.  The idea of not fixing it because it isn’t broken simply doesn’t apply in the WLAN arena.  The technology has changed a lot over the past ten years and you need to keep your gear up-to-date.

Colin Weaver