result, WEP entity authentication is only valid for the 'instant in time' at
which it is conducted. WEP thus suffers from the potential for a 'hijack' of
the communication session, as discussed in Section 8.3.1.
Keystream replay attack. Another serious problem is that there is no protection
against replays of the WEP authentication process. An attacker who observes
Alice authenticating to Bob is able to capture a plaintext (the challenge r_B
and its CRC checksum) and the resulting ciphertext (the encrypted response).
Since WEP uses the stream cipher RC4, the keystream can be recovered by
XORing the plaintext to the ciphertext (see Section 4.2.1). We will denote
this keystream by KS(IV || K), since it is the keystream produced by RC4
using the encryption key IV || K. Note that this is not yet an 'attack',
because our standard assumptions of Section 1.5.1 dictate that good stream
ciphers are designed to offer protection against an attacker who knows
corresponding plaintext/ciphertext pairs, and hence can recover keystream
from this knowledge. However, this relies on the same keystream not being
reused in a predictable manner (see Section 4.2.2). This is where WEP fails,
since the attacker can now falsely authenticate to Bob as follows (and depicted
in Figure 12.4):
1. The attacker requests to authenticate to Bob;
2. Bob sends a nonce r'_B to the attacker (assuming that Bob is properly generating
his nonces, it is very unlikely that r'_B = r_B);
3. The attacker computes the CRC checksum ICV on r'_B. The attacker then encrypts
r'_B || ICV by XORing it with the keystream KS(IV || K); note:
• the attacker does not know the WEP key K, but does know this portion of
keystream;
• in line with WEP encryption, the attacker also first sends the IV that was observed
during Alice's authentication session to Bob;
4. Bob decrypts the ciphertext, which should result in recovery of r'_B, in which case
Bob accepts the attacker.
[Figure 12.4. Keystream replay attack on WEP authentication. Message flow shown in the figure: Attacker to Bob: "access, please"; Bob to Attacker: r'_B; Attacker, holding KS(IV || K), to Bob: IV || r'_B (encrypted).]
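The following Python simulation is an added illustration of the steps above, not code from the book: Alice answers Bob's challenge WEP-style (RC4 keyed with IV || K, CRC-32 as ICV), the observer XORs the known plaintext and ciphertext to obtain KS(IV || K), and a response to Bob's fresh challenge is then formed from that keystream alone; the key, IV and nonces are constructed values. The last check shows that the forgery only works because Bob accepts whatever IV the responder presents, so a reused IV reproduces the same keystream.

```python
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32 of the payload."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, challenge: bytes) -> bytes:
    """Responder encrypts challenge || ICV under keystream KS(IV || K)."""
    pt = challenge + icv(challenge)
    return xor(pt, rc4_keystream(iv + key, len(pt)))

def bob_accepts(iv: bytes, key: bytes, challenge: bytes, ct: bytes) -> bool:
    """Bob decrypts with IV || K and checks that challenge and ICV match."""
    pt = xor(ct, rc4_keystream(iv + key, len(ct)))
    return pt == challenge + icv(challenge)

def keystream_replay_demo() -> dict:
    K = os.urandom(13)                  # 104-bit WEP key, known to Alice and Bob only
    IV = b"\x0a\x0b\x0c"                # constructed 24-bit IV chosen by Alice
    r_B = os.urandom(16)                # Bob's challenge to Alice
    ct = wep_encrypt(IV, K, r_B)        # Alice's response, visible to the observer
    # Observer knows plaintext (r_B || ICV) and ciphertext: XOR yields KS(IV || K)
    ks = xor(r_B + icv(r_B), ct)
    r_B2 = os.urandom(16)               # Bob's fresh challenge to the attacker
    forged = xor(r_B2 + icv(r_B2), ks)  # built without K, reusing Alice's IV
    return {
        "keystream_recovered": ks == rc4_keystream(IV + K, len(ks)),
        "replay_accepted": bob_accepts(IV, K, r_B2, forged),
        # any other IV keys RC4 differently, so the same forgery is rejected
        "fails_with_fresh_iv": not bob_accepts(b"\x0a\x0b\x0d", K, r_B2, forged),
    }
```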