Temporal Key Integrity Protocol

This was necessary because the breaking of WEP had left Wi-Fi networks without viable link-layer security, and a solution was required for already deployed hardware.

[3] The Wi-Fi Alliance soon afterwards adopted the full specification under the marketing name WPA2.

WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine.

[6] To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher.

TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks.

On November 8, 2008, Martin Beck and Erik Tews released a paper detailing how to recover the MIC key and transmit a few packets.

This is because although TKIP continues to use the CRC32 checksum mechanism, it implements an additional MIC code named Michael.

If two incorrect Michael MIC codes are received within 60 seconds, the access point will implement countermeasures, meaning it will rekey the TKIP session key, thus changing future keystreams.
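The two-failures-within-60-seconds rule above, written as detection logic over a constructed event log. This is an added example, not code from the original article; the log format, the access point names and the choice to restart the failure count after a rekey are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60    # interval stated in the text above
THRESHOLD = 2    # incorrect Michael MICs inside the window that trigger a rekey

# Constructed sample events (hypothetical format): "<epoch seconds> <AP> <event>"
SAMPLE_LOG = """\
1000 ap-lobby MIC_FAILURE
1075 ap-lobby MIC_FAILURE
1100 ap-lab MIC_FAILURE
1110 ap-lobby MIC_FAILURE
1130 ap-lab DATA_OK
1159 ap-lab MIC_FAILURE
1300 ap-lab MIC_FAILURE
"""

def find_countermeasure_triggers(log_text, window=WINDOW_S, threshold=THRESHOLD):
    """Return (timestamp, ap) for each point where an AP would start countermeasures."""
    recent = defaultdict(deque)  # ap -> timestamps of MIC failures still in the window
    triggers = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "MIC_FAILURE":
            continue  # ignore other events and malformed lines
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        ap = parts[1]
        failures = recent[ap]
        # Forget failures that are more than `window` seconds old.
        while failures and ts - failures[0] > window:
            failures.popleft()
        failures.append(ts)
        if len(failures) >= threshold:
            triggers.append((ts, ap))
            # Assumption: the rekey changes the session key, so counting restarts.
            failures.clear()
    return triggers

if __name__ == "__main__":
    for ts, ap in find_countermeasure_triggers(SAMPLE_LOG):
        print(f"t={ts}: {ap} would rekey the TKIP session key")
```

Each reported trigger is worth alerting on: it marks repeated MIC failures on one access point and the point at which that access point rekeys.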

[8] Vanhoef and Piessens improved this technique by relying on fragmentation, allowing an attacker to transmit arbitrarily many packets, each at most 112 bytes in size.

To circumvent the replay protection implemented by WPA, the attacks use QoS channels to transmit these newly constructed packets.

[7] The IEEE 802.11n standard prohibits data rates exceeding 54 Mbps if TKIP is used as the Wi-Fi cipher.