Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt, Germany
Abstract. We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational eﬀort is approximately 220 RC4 key setups, which on current desktop and laptop CPUs is negligible.
Wired Equivalent Privacy (WEP) is a protocol for encrypting wirelessly transmitted packets on IEEE 802.11 networks. In a WEP protected network, all packets are encrypted using the stream cipher RC4 under a common key, the root key1 Rk. The root key is shared by all radio stations. A successful recovery of this key gives an attacker full access to the network. Although known to be insecure and superseded by Wi-Fi Protected Access (WPA) , this protocol is still is in widespread use almost 6 years after practical key recovery attacks were found against it [5,15]. In this paper we present a new key-recovery attack against WEP that outperforms previous methods by at least an order of magnitude. First of all we describe how packets are encrypted: For each packet, a 24-bit initialization vector (IV) IV is chosen. The IV concatenated with the root key yields the per packet key K = IV||Rk. Over the data to be encrypted, an Integrity Check Value (ICV) is calculated as a CRC32 checksum. The key K is then used to encrypt the data followed by the ICV using the RC4 stream cipher. The IV is transmitted in the header of the packet. Figure 1 shows a simpliﬁed version of an 802.11 frame. A ﬁrst analysis of the design failures of the WEP protocol was published by Borisov, Goldberg and Wagner  in 2001. Notably, they showed that the ICV merely protects against random errors but not against malicious attackers. 1
Supported by a stipend of the Marga und Kurt-M¨llgaard-Stiftung. o The standard actually allows for up to four diﬀerent root keys; in practice however, only a single root key is used.
Fig. 1. A 802.11 frame encrypted using WEP
802.11 Header BSS ID Initialization vector (IV) Destination address Logical Link Control Subnetwork Access Protocol Header Data Integrity Check Value
Encrypted using RC4(IV || RK)
Furthermore, they observed that old IV values could be reused, thus allowing to inject messages. In the same year, Fluhrer, Mantin and Shamir presented a related-key ciphertext-only attack against RC4 . In order for this attack to work, the IVs need to fulﬁll a so-called ”resolved condition”. This attack was suspected to be applicable to WEP, which was later demonstrated by Stubbleﬁeld et al . Approximately 4 million diﬀerent frames need to be captured to mount this attack. Vendors reacted to this attack by ﬁltering IVs fulﬁlling the resolved condition, so-called ”weak IVs’. This countermeasure however proved to be insuﬃcient: In 2004, a person using the pseudonym KoreK posted a family of statistical attacks against WEP that does not need weak IVs [9,3]; moreover the number of frames needed for key-recovery was reduced to about 500,000 packets. More recently, Klein  showed an improved way of attacking RC4 using related keys that does not need the ”resolved condition” on the IVs and gets by with a signiﬁcantly reduced number of frames. Table 1 shows a statistic of employed encryption methods in a sample of 490 networks, found somewhere in the middle of Germany in March 2007. Another survey of...