Cryptography Reference
In-Depth Information
This attack works because WEP allows the attacker to 'force' Bob to use the
same
IV
that Alice used in the genuine authentication session, and hence use
the same encryption key
IV
K
, which in turn validates the use of the previous
keystream. Of course, having authenticated to the access point, the attacker
cannot do much more since the attacker still does not know the WEP key
K
and hence cannot perform valid encryptions and decryptions. Nonetheless, the
authentication process has been successfully attacked. Indeed, more generally,
the use of a stream cipher in a challenge-response protocol is ill-advised (see
the related activity at the end of Chapter 8).
||
WEP CONFIDENTIALITY AND INTEGRITY WEAKNESSES
We now identify some attacks on the confidentiality and integrity mechanisms in
WEP. These include attacks that can reveal the WEP key to an attacker.
CRC manipulation attack
. This attack exploits the fact that the CRC checksum
used to provide data integrity is not a cryptographic primitive, but is a
highly 'linear' function. This means that certain changes to the checksum
output (
ICV
) can be used to deduce changes to the underlying data packet.
Because of this, the encrypted
ICV
can be manipulated and then the receiver's
behaviour (either to accept or reject a data packet) monitored in order
to deduce information about an underlying data packet. In this way it
might be possible to recover an unknown data packet without knowing the
WEP key.
Birthday attack on IVs
. The length of the IV in WEP is only 24 bits. This means
that there are 2
24
possible different IVs. From our discussions of birthday
attacks in Section 6.2.3, we know that we can expect that if around 2
12
(which
is only about 4000) data packets are sent, then two of these data packets will
probably have the same IV. Even if the IV is an ascending counter then, for
example, if the access point transmits data at a rate of 11 megabits per second
then all the IVs are exhausted after about five hours, after which the IV will
necessarily repeat. If two data packets have the same IV then they will have
been encrypted using the same RC4 key. As the WEP key is fixed, an attacker
can expect, over time, to find large numbers of data packets that have been
encrypted using the same encryption key. This is something that we observed
in Section 4.2.2 is not desirable for stream ciphers. Note that this attack is
independent of the length of the WEP key. In practice this is quite a hard
attack to conduct but, unfortunately for WEP, there are even more serious
attacks against the encryption mechanism.
Key recovery attack
. Most seriously of all, the way that RC4 keys are formed from
IVs can be exploited in order to define a clever statistical attack, which by 2010
had been refined to the point where it was possible to recover WEP keys with
high probability after less than ten thousand data packets had been observed.
Since the WEP key is fixed, this is a fatal flaw. While this attack is not obvious,
it is easy to deploy using widely available tools.
