Breaking 104 Bit WEP in Less Than 60 Seconds


Abstract. We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On an IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 2^20 RC4 key setups, which on current desktop and laptop CPUs is negligible.

1 Introduction

Wired Equivalent Privacy (WEP) is a protocol for encrypting wirelessly transmitted packets on IEEE 802.11 networks. In a WEP protected network, all packets are encrypted using the stream cipher RC4 under a common key, the root key¹ Rk. The root key is shared by all radio stations. A successful recovery of this key gives an attacker full access to the network. Although known to be insecure and superseded by Wi-Fi Protected Access (WPA) [18], this protocol is still in widespread use almost 6 years after practical key recovery attacks were found against it [5,15]. In this paper we present a new key-recovery attack against WEP that outperforms previous methods by at least an order of magnitude.

First of all we describe how packets are encrypted: For each packet, a 24-bit initialization vector IV is chosen. The IV concatenated with the root key yields the per-packet key K = IV||Rk. Over the data to be encrypted, an Integrity Check Value (ICV) is calculated as a CRC32 checksum. The key K is then used to encrypt the data followed by the ICV using the RC4 stream cipher. The IV is transmitted in the clear in the header of the packet. Figure 1 shows a simplified version of an 802.11 frame.

Fig. 1. An 802.11 frame encrypted using WEP

A first analysis of the design failures of the WEP protocol was published by Borisov, Goldberg and Wagner [2] in 2001. Notably, they showed that the ICV merely protects against random errors but not against malicious attackers. Furthermore, they observed that old IV values could be reused, thus allowing an attacker to inject messages. In the same year, Fluhrer, Mantin and Shamir presented a related-key ciphertext-only attack against RC4 [5]. In order for this attack to work, the IVs need to fulfill a so-called "resolved condition". This attack was suspected to be applicable to WEP, which was later demonstrated by Stubblefield et al. [15]. Approximately 4 million different frames need to be captured to mount this attack. Vendors reacted to this attack by filtering IVs fulfilling the resolved co

* Supported by a stipend of the Marga und Kurt-Möllgaard-Stiftung.
¹ The standard actually allows for up to four different root keys; in practice however, only a single root key is used.

S. Kim, M. Yung, and H.-W. Lee (Eds.): WISA 2007, LNCS 4867, pp. 188–202, 2007. © Springer-Verlag Berlin Heidelberg 2007
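The per-packet encryption described in the introduction (K = IV||Rk, CRC32 ICV, RC4 over data||ICV), together with the two Borisov, Goldberg and Wagner observations that the ICV does not stop a malicious attacker and that IV reuse leaks information, as an added worked example. This is not code from the paper or its authors: RC4 is implemented inline so it runs offline, the ICV byte order, root key and IV values are assumptions chosen for the example, and the messages are constructed sample data.

```python
# Added example (not the paper's code): WEP per-packet encryption as described
# in the introduction, plus two of the design failures Borisov et al. found:
# the CRC32 ICV is affine (so ciphertext bits can be flipped and the ICV patched
# without the key) and IV reuse exposes the XOR of two plaintexts.
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC32 of the data (4 bytes, little-endian here)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet key K = IV || Rk; RC4-encrypt plaintext || ICV.
    Returns the encrypted body that follows the cleartext IV in the frame."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    assert len(root_key) in (5, 13), "40- or 104-bit root key"
    data = plaintext + icv(plaintext)
    ks = rc4_keystream(iv + root_key, len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


def wep_decrypt(root_key: bytes, iv: bytes, body: bytes):
    """Returns (plaintext, icv_ok); icv_ok is what a receiver uses to accept the frame."""
    ks = rc4_keystream(iv + root_key, len(body))
    data = bytes(c ^ k for c, k in zip(body, ks))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext, icv(plaintext) == received_icv


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """CRC32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros of len(m)).
    So XORing `delta` into the encrypted data and the matching correction into
    the encrypted ICV yields a frame the receiver accepts, with no key needed."""
    n = len(body) - 4
    assert len(delta) == n, "delta covers the data part only"
    icv_fix = bytes(a ^ b for a, b in zip(icv(delta), icv(bytes(n))))
    return bytes(c ^ d for c, d in zip(body, delta + icv_fix))


def xor_of_plaintexts(body1: bytes, body2: bytes) -> bytes:
    """IV reuse: two frames under the same IV use the same RC4 keystream, so
    XORing the ciphertexts cancels it and leaves plaintext1 ^ plaintext2."""
    return bytes(a ^ b for a, b in zip(body1, body2))


# Constructed sample values (assumptions for this example, not from the paper).
ROOT_KEY = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit Rk
IV = bytes.fromhex("0a0b0c")                            # 24-bit IV

if __name__ == "__main__":
    msg = b"transfer 100 to alice"
    body = wep_encrypt(ROOT_KEY, IV, msg)
    print(wep_decrypt(ROOT_KEY, IV, body))

    # Change the amount without knowing Rk: delta = old text XOR wanted text.
    target = b"transfer 900 to alice"
    delta = bytes(a ^ b for a, b in zip(msg, target))
    print(wep_decrypt(ROOT_KEY, IV, flip_bits(body, delta)))

    # A second frame sent under the same IV leaks msg ^ msg2.
    msg2 = b"transfer 555 to carol"
    body2 = wep_encrypt(ROOT_KEY, IV, msg2)
    leaked = xor_of_plaintexts(body, body2)[:len(msg)]
    print(leaked == bytes(a ^ b for a, b in zip(msg, msg2)))
```

The `flip_bits` step is exactly why the ICV "merely protects against random errors": a single flipped bit without the correction is rejected (CRC detects it), while an attacker who knows the linear structure of CRC32 can forward any controlled change through it. The three-byte IV in front of `root_key` is the related-key structure the RC4 attacks in the rest of the paper exploit.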