WPA is Broken. Be Afraid, be Very Afraid
by David Heath   
Friday, 07 November 2008

Researchers claim to have cracked the Wi-Fi Protected Access (WPA) standard.  Their results are due to be announced at the upcoming PacSec conference on November 12th and 13th in Tokyo, Japan.  The paper has also been submitted to WiSec 2009 Zurich.

OK, afraid is good, but fortunately it’s not quite time to turn off your wireless router.  Yet.

The following is based on pre-publication information provided to a variety of publications.

In a glorious piece of understatement, Erik Tews, one of the two graduate students to identify the problem, said, "The new attack on WPA is not a complete key recovery attack, it just allows you to decrypt packets and inject packets with custom content."

Fortunately, this attack relies on identifying a short-term key, rather than the (hopefully stronger) connection key.

As is seemingly always the case, this is an out-of-band attack: instead of directly addressing the data stream, Tews and his co-researcher Martin Beck found it easier to direct their assault upon the ARP protocol via the Temporal Key Integrity Protocol (TKIP).  Here, very little of the data in a packet (in fact just 14 bytes) is unknown and is susceptible to attack.  The researchers indicate that less than 15 minutes of processing is required to determine the unknown information.

One of the improvements over WEP made by developers of the WPA protocol was to add integrity checking to protect against header and message alteration.  Unfortunately, according to Tews and Beck, this doesn’t make the problem harder, just slower to solve.

There’s a big difference.  Harder problems require smarter solutions; slower problems simply require more horsepower.  Well, perhaps this isn’t relevant – Tews indicated that the attack might take 3 seconds on a modern laptop once the initial decryption has occurred.

Overall, this doesn’t mean that WPA is broken (yet) but it certainly exposes a very important issue with the protocol.  The ability to send a small amount of data using a valid keystream (before it expires) is kinda useful!

And from here, the research never goes backwards!
