Cryptography Reference
In-Depth Information
encryption mode with strong security) as a mandatory requirement (was op-
tional in WPA).
In 2001, Fluhrer, Mantin and Shamir discovered [52] for the first time that
RC4 can be broken if the secret key is appended or prepended with known
IVs. Shortly after the publication of [52], a full attack on WEP based on
the analysis in [52, Sections 6,7] was implemented by Stubblefield et al. [175].
This attack is known as the FMS attack.
WEP is still widely used and some vendors still produce devices that can
only connect to unsecured or WEP networks. Perhaps due to this reason,
researchers have continued to explore WEP mode attacks [86, 108, 180, 184].
In this chapter we outline the working principles behind the important WEP
attacks on RC4. In the end, we also mention some of the recent attacks on
WPA. For a detailed survey on WEP and WPA, see [177,178].
7.1 RC4 in WEP and the Attack Principle
WEP uses a 40-bit secret key, called the root key, shared between all the
users and the network access point. For every packet, the sender chooses a
new 24-bit IV and appends to it the 40-bit secret key to form a 64-bit RC4
session key, called Per Packet Key (PPK). An extended 128-bit WEP protocol
is also available that uses a 104-bit key (called WEP-104). Since the IV is
prepended with the secret key, the attacker knows the first 3 bytes of the key.
In general, if size of the IV is x bytes and if κ[0],...,κ[l− 1 −x] denote
the root key, then the session key is given by
K[0...(l−1)] = IV [0...(x−1)]κ[0...(l−1−x)]
For WEP, x is taken to be 3.
In principle, all the WEP attacks are based on some event A that relates
one unknown key byte (or modulo N = 256 sum of some unknown key bytes,
which is again an unknown byte) u with the known IV bytes and the keystream
bytes. If the probability p of such an event is greater than the perfectly random
association, i.e., if p >
N
, then we have a successful attack.
Without any prior information, the uncertainty [31] about u is H
1
=
log
2
N. The uncertainty about u when it takes one value with probability
p and each of the remaining N − 1 values with probability q =
1−p
N−1
is given
by
H
2
= −plog
2
p−(N −1)q log
2
q.
Thus, the information gained due to the event A is given by
∆
p
= H
1
−H
2
= log
2
N + plog
2
p + (N −1)q log
2
q.
