The cards of several manufacturers use IVs that start at 0 and increase by 1 with each packet. This can help an attacker build up a dictionary of keystreams. If the data is compromised, the keystream corresponding to that IV can also be compromised. It takes some cryptographic techniques, but it is considered an easy problem for a computer. When you do have an IV collision, it is relatively easy to compromise the data in those two packets. After a small fraction of the possible IVs have already been broadcast, it becomes difficult for a random algorithm not to rebroadcast one. This result arises from the difficulty of adding random birth dates to a list without "colliding with" one of the birth dates already on the list.Ī similar concept applies to the avoidance of repeating an IV. By the time you get to 50 people, the chances rise to 97 percent. The birthday paradox refers to the seemingly counterintuitive idea that if you have a room of 23 people, chances are greater than 50 percent that two of them have the same birthday (month and day). Attacker Sends Known Plaintext to Client, Sniffs the Resulting Ciphertext, and XORs the Two to Recover the Keystream
Figure 6-7 illustrates the known plaintext attack.įigure 6-7. An attacker can send data rapidly to build up his keystream dictionary. Because the attacker knows the content of each message, he can match it with the encrypted traffic and recover the keystreams used to encrypt it. There are many ways to get known plaintext sent to a wireless user, from sending ping packets to sending e-mails to getting a user to visit a known website. Finally, the attacker can apply the XOR operation to the plaintext and the captured traffic and recover the keystream. The attacker captures the encrypted wireless traffic. The AP encrypts it and sends it to the client. The attacker sends data over a wired network to a machine on the wireless network. The simplest method of recovering keystreams is the known plaintext attack. The likely reason is that tools that attack and recover the key itself have been more practical and perhaps easier to implement. No real-world tool has yet implemented them. The attacks that this section describes have fortunately only been practiced in the academic world. There are several techniques for recovering keystreams and building keystream dictionaries. Fortunately, as the per-packet key algorithms in WPA and 802.11i become more widely implemented, the usefulness of this attack might disappear before a tool is written. No tools, as of yet, can implement this attack. A dictionary of all keystreams that are 1500 bytes long only takes about 24 GB to store, which easily fits on a laptop hard drive. After an attacker has built up a dictionary of all 16 million keystreams, he can then decrypt anything that is sent using that WEP key. Another method is to know some or all of the data that was encrypted, called a known plaintext attack. One method is to wait for repeated keystreams, known as a collision, which reveals information about the data and the keystream.
As previously mentioned, an alternative to breaking the key is to break each of the keystreams. WEP does this by using the initialization vector (IV) to permit 2 24 (about 16 million) possible keystreams for each key. The security of RC4, which is the underlying encryption method in WEP, depends in part on not repeating the same keystream. After he has K, he can recover P in future jackets.
Thus, if an attacker knows P, he can get K. An attacker can always know C because it is broadcast. If an attacker knows any two of these three elements, he can calculate the third. RC4 encryption involves XORing the keystream (K) with the plaintext (P) data to produce the ciphertext (C). Attack Trees 3 and 4 (from earlier in this chapter) show that recovering the key or the keystream enables reading and writing of encrypted data.
The section titled "WEP Key Recovery Attacks" deals with how to crack the keys. This section deals with recovering and using keystreams. The other is to discover all possible keystreams that a key can generate. The most obvious is to discover the key itself. There are two means of breaking WEP-encrypted data.