nach oben

Erschienen in:

2014 | OriginalPaper | Buchkapitel

Smashing WEP in a Passive Attack

verfasst von : Pouyan Sepehrdad, Petr Sušil, Serge Vaudenay, Martin Vuagnoux

Erschienen in: Fast Software Encryption

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this paper, we report extremely fast and optimised active and passive attacks against the old IEEE 802.11 wireless communication protocol WEP. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimisation of all the former known attacks and methodologies against RC4 stream cipher in WEP mode. We support all our claims by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attacks improve its success probability drastically. We adapt our theoretical analysis in Eurocrypt 2011 to real-world scenarios and we perform a slight adjustment to match the empirical observations. Our active attack, based on ARP injection, requires \(22\,500\) packets to gain success probability of \(50\,\%\) against a \(104\)-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than \(5\) s on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around \(3\,\%\) success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires \(27\,500\) packets. This is much less than the number of packets Aircrack-ng requires in active mode (around \(37\,500\)), which is a huge improvement. We believe that our analysis brings on further insight to the security of RC4.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Tweakable Blockciphers with Asymptotically Optimal Security

Nächstes Kapitel Full Plaintext Recovery Attack on Broadcast RC4

Nur mit Berechtigung zugänglich

See [23] for the proof of \(\mathsf {SVV\_{10}}\) bias and for all the others, see Chap. \(6\) of [24].

Anscombe, F.J.: Sampling theory of the negative binomial and logarithmic series distributions. Biometrika 37(3–4), 358–382 (1950)CrossRefMATHMathSciNet

Beck, M., Tews, E.: Practical attacks against WEP and WPA. In: WISEC, pp. 79–86. ACM (2009)

Bliss, C.I., Fisher, R.A.: Fitting the negative binomial distribution to biological data. Biometrika 9, 176–200 (1953)CrossRef

Chaabouni, R.: Break WEP Faster with Statistical Analysis. Semester Project. EPFL, Switzerland (2006)

Devine, C., Otreppe, T.: Aircrack-ng. http://www.aircrack-ng.org/. Accessed 22 October 2011

Feller, W.: On a general class of “contagious” distributions. Ann. Math. Stat. 14, 389–400 (1943)CrossRefMATHMathSciNet

Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001) CrossRef

IEEE. IEEE Std 802.11, Standards for Local and Metropolitan Area Networks: Wireless Lan Medium Access Control (MAC) and Physical Layer (PHY) Specifications (1999)

IEEE. ANSI/IEEE standard 802.11i, Amendment 6 Wireless LAN Medium Access Control (MAC) and Physical Layer (phy) Specifications, Draft 3 (2003)

10.

Jenkins, R.: ISAAC and RC4 (1996). http://burtleburtle.net/bob/rand/isaac.html

11.

Klein, A.: Attacks on the RC4 Stream Cipher. Des. Codes Crypt. 48, 269–286 (2008)CrossRefMATH

12.

Korek. chopchop (experimental WEP attacks) (2004). http://www.netstumbler.org/showthread.php?t=12489

13.

Korek. Need Security Pointers (2004). http://www.netstumbler.org/showthread.php?postid=89036#post89036

14.

Korek. Next Generation of WEP Attacks? (2004). http://www.netstumbler.org/showpost.php?p=93942&postcount=35

15.

Maitra, S., Paul, G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 253–269. Springer, Heidelberg (2008) CrossRef

16.

Mantin, I.: Analysis of the stream cipher RC4. Master’s thesis, Weizmann Institute of Science (2001)

17.

Maximov, A.: Two linear distinguishing attacks on VMPC and RC4A and weakness of RC4 family of stream ciphers. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 342–358. Springer, Heidelberg (2005) CrossRef

18.

Neyman, J.: On a new class of “contagious” distributions, applicable in entomology and bacteriology. Ann. Math. Stat. 10, 35–57 (1939)CrossRef

19.

Nocedal, J., Wright, S.J.: Numerical Optimization. Springer Series in Operations Research, 2nd edn. Springer, New York (2006)MATH

20.

Paul, G., Maitra, S.: Permutation after RC4 key scheduling reveals the secret key. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 360–377. Springer, Heidelberg (2007) CrossRef

21.

Postel, J., Reynolds, J.: A standard for the transmission of IP datagrams over IEEE 802 networks (1988). http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys

22.

Roos, A.: A Class of Weak Keys in RC4 Stream Cipher (sci.crypt) (1995). http://marcel.wanda.ch/Archive/WeakKeys

23.

Gupta, S.S., Maitra, S., Paul, G., Sarkar, S.: (Non)Random sequences from (Non)Random permutations - analysis of RC4 stream cipher. J. Crypt. 27(1), 67–108 (2012)

24.

Sepehrdad, P.: Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-lightweight Symmetric Primitives. Ph.D. thesis, EPFL, Switzerland (2012)

25.

Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 74–91. Springer, Heidelberg (2011) CrossRef

26.

Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4: Distinguishing WPA. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 343–363. Springer, Heidelberg (2011) CrossRef

27.

Stubblefield, A., Ioannidis, J., Rubin, A.D.: Using the Fluhrer, Mantin, and Shamir attack to break WEP. In: Network and Distributed System Security Symposium (NDSS) (2002)

28.

Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). In: ACM Transactions on Information and System Security (TISSEC), vol. 7(2) (2004)

29.

Student. On the error of counting with a haemocytometer. Biometrika 5, 351–360 (1907)

30.

Tews, E.: Attacks on the WEP protocol. Cryptology ePrint Archive (2007). http://eprint.iacr.org/2007/471.pdf

31.

Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 188–202. Springer, Heidelberg (2008) CrossRef

32.

Thom, H.C.S.: The frequency of hail occurrence. Theoret. Appl. Climatol. 8, 185–194 (1957)

33.

Thom, H.C.S.: Tornado Probabilities. In: American Meteorological Society, pp. 730–736 (1963)

34.

Vaudenay, S., Vuagnoux, M.: Passive–only key recovery attacks on RC4. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 344–359. Springer, Heidelberg (2007) CrossRef

35.

Whitaker, L.: On the Poisson law of small numbers. Biometrika 10, 36–71 (1914)CrossRef

Titel: Smashing WEP in a Passive Attack
verfasst von: Pouyan Sepehrdad
Petr Sušil
Serge Vaudenay
Martin Vuagnoux
Verlag: Springer Berlin Heidelberg
Buch: Fast Software Encryption
Print ISBN: 978-3-662-43932-6

Electronic ISBN: 978-3-662-43933-3

Copyright-Jahr: 2014
DOI: https://doi.org/10.1007/978-3-662-43933-3_9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner