Josh
Breaking 104 bit WEP in less than 60 seconds
Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin <e tews,weinmann,pyshkin@cdc.informatik.tu-darmstadt.de>
TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt, Germany
Abstract. We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 220 RC4 key setups, which on current desktop and laptop CPUs is negligible.
1
Introduction
Wired Equivalent Privacy (WEP) is a protocol for encrypting wirelessly transmitted packets on IEEE 802.11 networks. In a WEP protected network, all packets are encrypted using the stream cipher RC4 under a common key, the root key1 Rk. The root key is shared by all radio stations. A successful recovery of this key gives an attacker full access to the network. Although known to be insecure and superseded by Wi-Fi Protected Access (WPA) [18], this protocol is still is in widespread use almost 6 years after practical key recovery attacks were found against it [5,15]. In this paper we present a new key-recovery attack against WEP that outperforms previous methods by at least an order of magnitude. First of all we describe how packets are encrypted: For each packet, a 24-bit initialization vector (IV) IV is chosen. The IV concatenated with the root key yields the per packet key K = IV||Rk. Over the data to be encrypted, an Integrity Check Value (ICV) is calculated as a CRC32 checksum. The key K is then used to encrypt the data followed by the ICV using the RC4 stream cipher.
Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin <e tews,weinmann,pyshkin@cdc.informatik.tu-darmstadt.de>
TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt, Germany
Abstract. We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 220 RC4 key setups, which on current desktop and laptop CPUs is negligible.
1
Introduction
Wired Equivalent Privacy (WEP) is a protocol for encrypting wirelessly transmitted packets on IEEE 802.11 networks. In a WEP protected network, all packets are encrypted using the stream cipher RC4 under a common key, the root key1 Rk. The root key is shared by all radio stations. A successful recovery of this key gives an attacker full access to the network. Although known to be insecure and superseded by Wi-Fi Protected Access (WPA) [18], this protocol is still is in widespread use almost 6 years after practical key recovery attacks were found against it [5,15]. In this paper we present a new key-recovery attack against WEP that outperforms previous methods by at least an order of magnitude. First of all we describe how packets are encrypted: For each packet, a 24-bit initialization vector (IV) IV is chosen. The IV concatenated with the root key yields the per packet key K = IV||Rk. Over the data to be encrypted, an Integrity Check Value (ICV) is calculated as a CRC32 checksum. The key K is then used to encrypt the data followed by the ICV using the RC4 stream cipher.
References: 1. Andrea Bittau, Mark Handley, and Joshua Lackey. The final nail in WEP’s coffin. In IEEE Symposium on Security and Privacy, pages 386–400. IEEE Computer Society, 2006. 2. Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: the insecurity of 802.11. In ACM MobiCom 2001, pages 180–189. ACM Press, 2001. 3. Rafik Chaabouni. Break WEP faster with statistical analysis. Technical report, EPFL, LASEC, June 2006. http://lasecwww.epfl.ch/pub/lasec/doc/cha06. pdf. 4. Stefan D¨rh¨fer. Empirische Untersuchungen zur WLAN-Sicherheit mittels o o Wardriving. Diplomarbeit, RWTH Aachen, September 2006. (in German). 5. Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer, 2001. 6. David Hulton (h1kari). bsd-airtools. http://www.dachb0den.com/projects/ bsd-airtools.html. 7. Andreas Klein. Attacks on the RC4 stream cipher. submitted to Designs, Codes and Cryptography, 2007. 8. KoreK. chopchop (experimental WEP attacks). http://www.netstumbler.org/ showthread.php?t=12489, 2004. 9. KoreK. Next generation of WEP attacks? http://www.netstumbler.org/ showpost.php?p=93942&postcount=35, 2004. 10. Subhamoy Maitra and Goutam Paul. Many keystream bytes of RC4 leak secret key information. Cryptology ePrint Archive, Report 2007/261, 2007. http://eprint. iacr.org/. 11. Toshihiro Ohigashi, Hidenori Kuwakado, and Masakatu Morii. A key recovery attack on WEP with less packets. to be published, 2007. 12. Yuko Ozasa, Yoshiaki Fujikawa, Toshihiro Ohigashi, Hidenori Kuwakado, and Masakatu Morii. A study on the Tews, Weinmann, Pyshkin attack against WEP. In IEICE Tech. Rep., volume 107 of ISEC2007-47, pages 17–21, Hokkaido, July 2007. Thu, Jul 19, 2007 - Fri, Jul 20 : Future University-Hakodate (ISEC, SITE, IPSJ-CSEC). 13. D. C. Plummer. RFC 826: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware, November 1982. 14. Jon Postel. Internet Protocol. Request for Comments (Standard) 791, Internet Engineering Task Force, September 1981. 15. Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). ACM Transactions on Information and System Security, 7(2):319–332, May 2004. 16. The Aircrack-NG team. Aircrack-ng suite, 2007. http://www.aircrack-ng.org. 17. Serge Vaudenay and Martin Vuagnoux. Passive-only key recovery attacks on RC4. In Selected Areas in Cryptography 2007, Lecture Notes in Computer Science. Springer, 2007. to appear. 18. Wi-Fi Alliance. Wi-Fi Protected Acccess (WPA), 2003. http://www.wi-fi.org.