Cryptography Reference
In-Depth Information
with a MIC-tag. If required, this output is split into multiple fragments before
it enters the WEP protocol.
The derivation $RC4KEY = h(TK, TA, IV)$ in TKIP is done in two
phases as follows.
$$P1K = \mathrm{phase1}(TK, TA, IV32)$$
and
$$RC4KEY = \mathrm{phase2}(P1K, TK, IV16),$$
where P1K is an 80-bit intermediate key, called the TKIP-mixed Transmit
Address and Key (TTAK), IV32 is the 32 most significant bits of the
IV, and IV16 is the 16 least significant bits of the IV. The first phase does
not depend on IV16 and is performed once every $2^{16}$ packets. The second
phase first generates a 96-bit Per Packet Key (PPK), which is turned into
RC4KEY. The first three bytes of RC4KEY depend only on IV16 and
hence can be assumed to be known, as in WEP. The remaining thirteen
bytes of RC4KEY depend on the PPK and TK.
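The IV-dependent part of the derivation above, as an added example that is not from the original text: it splits the IV into IV32 and IV16, computes the three known bytes of RC4KEY, and counts how often phase 1 has to run. The byte formulas are taken from the IEEE 802.11 TKIP phase-2 definition rather than from this page, the function names are hypothetical, and the key-dependent mixing (which needs TK) is not implemented.

```python
# Added example, not from the original text. Byte formulas follow the
# IEEE 802.11 TKIP phase-2 definition; function names are hypothetical.

def split_iv(iv48):
    """Split the 48-bit IV into (IV32, IV16) as defined in the text."""
    if not 0 <= iv48 < 1 << 48:
        raise ValueError("IV must fit in 48 bits")
    return iv48 >> 16, iv48 & 0xFFFF

def rc4key_prefix(iv16):
    """RC4KEY[0..2]: computed from IV16 alone, so known to any observer."""
    hi, lo = iv16 >> 8, iv16 & 0xFF
    # The middle byte sets bit 5 and clears bit 7 of the high IV16 byte.
    return bytes([hi, (hi | 0x20) & 0x7F, lo])

def iv16_from_prefix(prefix):
    """Invert rc4key_prefix, rejecting prefixes phase 2 cannot produce."""
    hi, mid, lo = prefix
    if mid != (hi | 0x20) & 0x7F:
        raise ValueError("not a TKIP phase-2 prefix")
    return hi << 8 | lo

def phase1_runs(first_iv, count):
    """Phase-1 computations needed for `count` consecutive IVs: one per
    distinct IV32, i.e. one every 2**16 packets."""
    if count < 1:
        raise ValueError("count must be positive")
    last_iv32, _ = split_iv(first_iv + count - 1)
    return last_iv32 - split_iv(first_iv)[0] + 1

def classic_weak_prefixes():
    """Count prefixes of the classic WEP weak-IV form (A+3, 255, X).
    Clearing bit 7 keeps the middle byte below 0x80, so none exist."""
    return sum(1 for iv16 in range(1 << 16)
               if rc4key_prefix(iv16)[1] == 0xFF)

if __name__ == "__main__":
    iv = 0x0000_0001_1234            # constructed sample IV
    iv32, iv16 = split_iv(iv)
    print(iv32, hex(iv16), rc4key_prefix(iv16).hex())
    print(phase1_runs(0, 1 << 16), phase1_runs(0, (1 << 16) + 1))
    print(classic_weak_prefixes())
```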
The first attack on WPA [124] came in 2004. It can find the TK and
the MIC Key, given only two RC4 packet keys. Compared to the brute force
attack with complexity $2^{128}$, this attack has a complexity of $2^{105}$. In 2009,
Tews et al. [178] reported a practical attack against WPA. It shows that if an
attacker has a few minutes of access to the network, he or she is able to decrypt
an ARP request or response and send 7 packets with custom content to the
network. Recently, in [159], some weak bits of TK are recovered based on
a combination of known biases of RC4, and this is turned into a distinguisher of
WPA with complexity $2^{43}$ and advantage 0.5 that uses $2^{40}$ packets. This
work further recovers the full 128-bit TK by using $2^{38}$ packets in a search
complexity of $2^{96}$, using a similar strategy as in [124].
RESEARCH PROBLEMS
Problem 7.1 Can the success probability of WEP attacks be improved beyond
the PTW and the VX attacks?
Problem 7.2 Can the success probability of the WPA attack in [159] be
improved further?
Problem 7.3 Identify if RC4 is involved in any other standardized protocol
and find out if there exists any weakness.