Musket Teams have long noted since 2010 that there was a flaw in the WPA system, as we cracked a WPA2 CCMP that supported TKIP using tkiptun-ng. However, we were never able to duplicate this, nor did we understand the mechanism. All we knew was that when we rereversed the MIC key given by tkiptun-ng, it both allowed entry into the router and, when run against a handshake, proved to be the key.
It now appears that a flaw indeed may have been found. Readers who want to explore the math and watch the development of cryptographic tools should google:
Plaintext Recovery Attacks Against WPA/TKIP from Paterson and Poe
MTB