Monday, November 9, 2009

WEP Weakness Explained

HS^^: "Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets."
HS^^: so what happens if the IV is the same
HS^^: and the traffic key is the same...
HS^^: then you have 2 exactly the same packets, what does it matter
crunge: HS^^: Do you understand what stream ciphers do?
HS^^: crunge they encode per bit.. that's what i just read
crunge: HS^^: specifically they spit out a keystream that is XORed with the plaintext
crunge: HS^^: A given key will always spit out the same keystream. In WEP the IV is used as part of the key. For 64 bit you have 40 bits of key and 24 bits of IV
crunge: HS^^: So when an eavesdropper sees two packets encrypted with the same key and IV he can XOR those packets together and recover the keystream for that key+IV. He can XOR that against the original packets and any other packets with that key+IV to decrypt them
crunge: HS^^: He can now also encrypt arbitrary packets using that keystream
crunge: HS^^: He can then use *that* technique to throw out broadcast messages using his known keystream to cause other hosts to send replies with previously unseen IVs which he collects. Thus he builds up his database of IV -> keystream mappings
crunge: HS^^: This database I believe is then used in a known plaintext attack to recover the key
ToXBoT: crunge, how the eavesdropper can manage to conclude that the two packets are encrypted with the same key+IV?
crunge: ToXBoT: the IV must be included in the packet in the clear. Otherwise no host would know the IV and therefore no one would be able to decrypt it.

Addendum: The above is slightly incorrect. XORing the two ciphertexts together cancels the shared keystream and produces the XOR of the two plaintexts, not the keystream itself. This should be fairly easy to crack. Once one of the plaintexts is recovered, the attacker can recover the keystream by XORing that plaintext with its ciphertext.
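The addendum's correction, worked through as an added example (not part of the original post): two packets encrypted WEP-style under the same IV and secret, showing that the ciphertext XOR equals the plaintext XOR and that one known plaintext yields the keystream. The secret, IVs and packet contents are constructed sample values, and the CRC-32 integrity value WEP appends is left out.

```python
# Added illustration; the key, IVs and plaintexts below are constructed samples.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is the 24-bit IV followed by the shared secret."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def recover_from_reuse(c1: bytes, c2: bytes, known_p1: bytes):
    """Two ciphertexts under one key+IV plus one plaintext -> (keystream, p2)."""
    keystream = xor(c1, known_p1)             # C1 xor P1 = keystream
    return keystream, xor(c2, keystream)      # C2 xor keystream = P2

SECRET = bytes.fromhex("0102030405")          # constructed 40-bit key
IV = bytes.fromhex("a1b2c3")                  # constructed 24-bit IV, used twice
P1 = b"ARP who-has 10.0.0.1 tell 10.0.0.7"    # constructed, guessable content
P2 = b"login: alice  password: hunter2!!!"    # constructed, unknown to observer
C1 = wep_encrypt(IV, SECRET, P1)
C2 = wep_encrypt(IV, SECRET, P2)

if __name__ == "__main__":
    # The keystream cancels: what leaks is P1 xor P2, as the addendum says.
    print("C1^C2 == P1^P2:", xor(C1, C2) == xor(P1, P2))
    ks, p2 = recover_from_reuse(C1, C2, P1)
    print("recovered P2:", p2)
    # A packet with a different IV uses an unrelated keystream.
    c3 = wep_encrypt(bytes.fromhex("a1b2c4"), SECRET, P2)
    print("old keystream decrypts new IV:", xor(c3, ks) == P2)
```

The recovered keystream is only valid for that one key+IV pair, which is why the 24-bit IV space, not the secret length, sets the limit on how long WEP traffic stays confidential.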
